clang 20.0.0git
TestAfterDivZeroChecker.cpp
Go to the documentation of this file.
1//== TestAfterDivZeroChecker.cpp - Test after division by zero checker --*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines TestAfterDivZeroChecker, a builtin check that performs checks
10// for division by zero where the division occurs before comparison with zero.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19#include "llvm/ADT/FoldingSet.h"
20#include <optional>
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26
27class ZeroState {
28private:
29 SymbolRef ZeroSymbol;
30 unsigned BlockID;
31 const StackFrameContext *SFC;
32
33public:
34 ZeroState(SymbolRef S, unsigned B, const StackFrameContext *SFC)
35 : ZeroSymbol(S), BlockID(B), SFC(SFC) {}
36
37 const StackFrameContext *getStackFrameContext() const { return SFC; }
38
39 bool operator==(const ZeroState &X) const {
40 return BlockID == X.BlockID && SFC == X.SFC && ZeroSymbol == X.ZeroSymbol;
41 }
42
43 bool operator<(const ZeroState &X) const {
44 if (BlockID != X.BlockID)
45 return BlockID < X.BlockID;
46 if (SFC != X.SFC)
47 return SFC < X.SFC;
48 return ZeroSymbol < X.ZeroSymbol;
49 }
50
51 void Profile(llvm::FoldingSetNodeID &ID) const {
52 ID.AddInteger(BlockID);
53 ID.AddPointer(SFC);
54 ID.AddPointer(ZeroSymbol);
55 }
56};
57
58class DivisionBRVisitor : public BugReporterVisitor {
59private:
60 SymbolRef ZeroSymbol;
61 const StackFrameContext *SFC;
62 bool Satisfied;
63
64public:
65 DivisionBRVisitor(SymbolRef ZeroSymbol, const StackFrameContext *SFC)
66 : ZeroSymbol(ZeroSymbol), SFC(SFC), Satisfied(false) {}
67
68 void Profile(llvm::FoldingSetNodeID &ID) const override {
69 ID.Add(ZeroSymbol);
70 ID.Add(SFC);
71 }
72
73 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
74 BugReporterContext &BRC,
75 PathSensitiveBugReport &BR) override;
76};
77
78class TestAfterDivZeroChecker
79 : public Checker<check::PreStmt<BinaryOperator>, check::BranchCondition,
80 check::EndFunction> {
81 const BugType DivZeroBug{this, "Division by zero"};
82 void reportBug(SVal Val, CheckerContext &C) const;
83
84public:
85 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
86 void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const;
87 void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;
88 void setDivZeroMap(SVal Var, CheckerContext &C) const;
89 bool hasDivZeroMap(SVal Var, const CheckerContext &C) const;
90 bool isZero(SVal S, CheckerContext &C) const;
91};
92} // end anonymous namespace
93
94REGISTER_SET_WITH_PROGRAMSTATE(DivZeroMap, ZeroState)
95
96PathDiagnosticPieceRef
97DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC,
98 PathSensitiveBugReport &BR) {
99 if (Satisfied)
100 return nullptr;
101
102 const Expr *E = nullptr;
103
104 if (std::optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
105 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) {
106 BinaryOperator::Opcode Op = BO->getOpcode();
107 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
108 Op == BO_RemAssign) {
109 E = BO->getRHS();
110 }
111 }
112
113 if (!E)
114 return nullptr;
115
116 SVal S = Succ->getSVal(E);
117 if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) {
118 Satisfied = true;
119
120 // Construct a new PathDiagnosticPiece.
121 ProgramPoint P = Succ->getLocation();
122 PathDiagnosticLocation L =
123 PathDiagnosticLocation::create(P, BRC.getSourceManager());
124
125 if (!L.isValid() || !L.asLocation().isValid())
126 return nullptr;
127
128 return std::make_shared<PathDiagnosticEventPiece>(
129 L, "Division with compared value made here");
130 }
131
132 return nullptr;
133}
134
135bool TestAfterDivZeroChecker::isZero(SVal S, CheckerContext &C) const {
136 std::optional<DefinedSVal> DSV = S.getAs<DefinedSVal>();
137
138 if (!DSV)
139 return false;
140
141 ConstraintManager &CM = C.getConstraintManager();
142 return !CM.assume(C.getState(), *DSV, true);
143}
144
145void TestAfterDivZeroChecker::setDivZeroMap(SVal Var, CheckerContext &C) const {
146 SymbolRef SR = Var.getAsSymbol();
147 if (!SR)
148 return;
149
150 ProgramStateRef State = C.getState();
151 State =
152 State->add<DivZeroMap>(ZeroState(SR, C.getBlockID(), C.getStackFrame()));
153 C.addTransition(State);
154}
155
156bool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var,
157 const CheckerContext &C) const {
158 SymbolRef SR = Var.getAsSymbol();
159 if (!SR)
160 return false;
161
162 ZeroState ZS(SR, C.getBlockID(), C.getStackFrame());
163 return C.getState()->contains<DivZeroMap>(ZS);
164}
165
166void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
167 if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
168 auto R = std::make_unique<PathSensitiveBugReport>(
169 DivZeroBug,
170 "Value being compared against zero has already been used "
171 "for division",
172 N);
173
174 R->addVisitor(std::make_unique<DivisionBRVisitor>(Val.getAsSymbol(),
175 C.getStackFrame()));
176 C.emitReport(std::move(R));
177 }
178}
179
180void TestAfterDivZeroChecker::checkEndFunction(const ReturnStmt *,
181 CheckerContext &C) const {
182 ProgramStateRef State = C.getState();
183
184 DivZeroMapTy DivZeroes = State->get<DivZeroMap>();
185 if (DivZeroes.isEmpty())
186 return;
187
188 DivZeroMapTy::Factory &F = State->get_context<DivZeroMap>();
189 for (const ZeroState &ZS : DivZeroes) {
190 if (ZS.getStackFrameContext() == C.getStackFrame())
191 DivZeroes = F.remove(DivZeroes, ZS);
192 }
193 C.addTransition(State->set<DivZeroMap>(DivZeroes));
194}
195
196void TestAfterDivZeroChecker::checkPreStmt(const BinaryOperator *B,
197 CheckerContext &C) const {
198 BinaryOperator::Opcode Op = B->getOpcode();
199 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
200 Op == BO_RemAssign) {
201 SVal S = C.getSVal(B->getRHS());
202
203 if (!isZero(S, C))
204 setDivZeroMap(S, C);
205 }
206}
207
208void TestAfterDivZeroChecker::checkBranchCondition(const Stmt *Condition,
209 CheckerContext &C) const {
210 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Condition)) {
211 if (B->isComparisonOp()) {
212 const IntegerLiteral *IntLiteral = dyn_cast<IntegerLiteral>(B->getRHS());
213 bool LRHS = true;
214 if (!IntLiteral) {
215 IntLiteral = dyn_cast<IntegerLiteral>(B->getLHS());
216 LRHS = false;
217 }
218
219 if (!IntLiteral || IntLiteral->getValue() != 0)
220 return;
221
222 SVal Val = C.getSVal(LRHS ? B->getLHS() : B->getRHS());
223 if (hasDivZeroMap(Val, C))
224 reportBug(Val, C);
225 }
226 } else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Condition)) {
227 if (U->getOpcode() == UO_LNot) {
228 SVal Val;
229 if (const ImplicitCastExpr *I =
230 dyn_cast<ImplicitCastExpr>(U->getSubExpr()))
231 Val = C.getSVal(I->getSubExpr());
232
233 if (hasDivZeroMap(Val, C))
234 reportBug(Val, C);
235 else {
236 Val = C.getSVal(U->getSubExpr());
237 if (hasDivZeroMap(Val, C))
238 reportBug(Val, C);
239 }
240 }
241 } else if (const ImplicitCastExpr *IE =
242 dyn_cast<ImplicitCastExpr>(Condition)) {
243 SVal Val = C.getSVal(IE->getSubExpr());
244
245 if (hasDivZeroMap(Val, C))
246 reportBug(Val, C);
247 else {
248 SVal Val = C.getSVal(Condition);
249
250 if (hasDivZeroMap(Val, C))
251 reportBug(Val, C);
252 }
253 }
254}
255
256void ento::registerTestAfterDivZeroChecker(CheckerManager &mgr) {
257 mgr.registerChecker<TestAfterDivZeroChecker>();
258}
259
260bool ento::shouldRegisterTestAfterDivZeroChecker(const CheckerManager &mgr) {
261 return true;
262}
P
StringRef P
Definition: ASTMatchersInternal.cpp:573
E
Expr * E
Definition: CheckExprLifetime.cpp:198
X
#define X(type, name)
Definition: Value.h:143
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:112
clang::APIntStorage::getValue
llvm::APInt getValue() const
Definition: APNumericStorage.h:53
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3860
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3910
clang::BinaryOperator::isComparisonOp
static bool isComparisonOp(Opcode Opc)
Definition: Expr.h:3960
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3912
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3905
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::ImplicitCastExpr
ImplicitCastExpr - Allows us to explicitly represent implicit type conversions, which have no direct ...
Definition: Expr.h:3675
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3029
clang::SourceLocation::isValid
bool isValid() const
Return true if this is a valid SourceLocation object.
Definition: SourceLocation.h:113
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2188
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:737
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49
clang::ento::BugReporterVisitor::Profile
virtual void Profile(llvm::FoldingSetNodeID &ID) const =0
clang::ento::BugReporterVisitor::VisitNode
virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC, PathSensitiveBugReport &BR)=0
Return a diagnostic piece which should be associated with the given node.
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ConstraintManager::assume
ProgramStateRef assume(ProgramStateRef state, DefinedSVal Cond, bool Assumption)
Definition: ConstraintManager.cpp:110
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145
clang::ento::ExplodedNode::getStackFrame
const StackFrameContext * getStackFrame() const
Definition: ExplodedGraph.h:151
clang::ento::ExplodedNode::getSVal
SVal getSVal(const Stmt *S) const
Get the value of an arbitrary expression at this node.
Definition: ExplodedGraph.h:176
clang::ento::ExplodedNode::getLocationAs
std::optional< T > getLocationAs() const &
Definition: ExplodedGraph.h:171
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang::api_notes::BlockID
BlockID
The various types of blocks that can occur within a API notes file.
Definition: APINotesFormat.h:42
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
clang::operator<
bool operator<(DeclarationName LHS, DeclarationName RHS)
Ordering on two declaration names.
Definition: DeclarationName.h:550
false
#define false
Definition: stdbool.h:26
Generated on Fri Nov 15 2024 16:44:46 for clang by doxygen 1.9.6