clang  14.0.0git
TestAfterDivZeroChecker.cpp
Go to the documentation of this file.
1 //== TestAfterDivZeroChecker.cpp - Test after division by zero checker --*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines TestAfterDivZeroChecker, a builtin check that performs checks
10 // for division by zero where the division occurs before comparison with zero.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16 #include "clang/StaticAnalyzer/Core/Checker.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19 #include "llvm/ADT/FoldingSet.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
24 namespace {
25 
26 class ZeroState {
27 private:
28  SymbolRef ZeroSymbol;
29  unsigned BlockID;
30  const StackFrameContext *SFC;
31 
32 public:
33  ZeroState(SymbolRef S, unsigned B, const StackFrameContext *SFC)
34  : ZeroSymbol(S), BlockID(B), SFC(SFC) {}
35 
36  const StackFrameContext *getStackFrameContext() const { return SFC; }
37 
38  bool operator==(const ZeroState &X) const {
39  return BlockID == X.BlockID && SFC == X.SFC && ZeroSymbol == X.ZeroSymbol;
40  }
41 
42  bool operator<(const ZeroState &X) const {
43  if (BlockID != X.BlockID)
44  return BlockID < X.BlockID;
45  if (SFC != X.SFC)
46  return SFC < X.SFC;
47  return ZeroSymbol < X.ZeroSymbol;
48  }
49 
50  void Profile(llvm::FoldingSetNodeID &ID) const {
51  ID.AddInteger(BlockID);
52  ID.AddPointer(SFC);
53  ID.AddPointer(ZeroSymbol);
54  }
55 };
56 
57 class DivisionBRVisitor : public BugReporterVisitor {
58 private:
59  SymbolRef ZeroSymbol;
60  const StackFrameContext *SFC;
61  bool Satisfied;
62 
63 public:
64  DivisionBRVisitor(SymbolRef ZeroSymbol, const StackFrameContext *SFC)
65  : ZeroSymbol(ZeroSymbol), SFC(SFC), Satisfied(false) {}
66 
67  void Profile(llvm::FoldingSetNodeID &ID) const override {
68  ID.Add(ZeroSymbol);
69  ID.Add(SFC);
70  }
71 
72  PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
73  BugReporterContext &BRC,
74  PathSensitiveBugReport &BR) override;
75 };
76 
77 class TestAfterDivZeroChecker
78  : public Checker<check::PreStmt<BinaryOperator>, check::BranchCondition,
79  check::EndFunction> {
80  mutable std::unique_ptr<BuiltinBug> DivZeroBug;
81  void reportBug(SVal Val, CheckerContext &C) const;
82 
83 public:
84  void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
85  void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const;
86  void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;
87  void setDivZeroMap(SVal Var, CheckerContext &C) const;
88  bool hasDivZeroMap(SVal Var, const CheckerContext &C) const;
89  bool isZero(SVal S, CheckerContext &C) const;
90 };
91 } // end anonymous namespace
92 
93 REGISTER_SET_WITH_PROGRAMSTATE(DivZeroMap, ZeroState)
94 
95 PathDiagnosticPieceRef
96 DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC,
97  PathSensitiveBugReport &BR) {
98  if (Satisfied)
99  return nullptr;
100 
101  const Expr *E = nullptr;
102 
103  if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
104  if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) {
105  BinaryOperator::Opcode Op = BO->getOpcode();
106  if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
107  Op == BO_RemAssign) {
108  E = BO->getRHS();
109  }
110  }
111 
112  if (!E)
113  return nullptr;
114 
115  SVal S = Succ->getSVal(E);
116  if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) {
117  Satisfied = true;
118 
119  // Construct a new PathDiagnosticPiece.
120  ProgramPoint P = Succ->getLocation();
121  PathDiagnosticLocation L =
122  PathDiagnosticLocation::create(P, BRC.getSourceManager());
123 
124  if (!L.isValid() || !L.asLocation().isValid())
125  return nullptr;
126 
127  return std::make_shared<PathDiagnosticEventPiece>(
128  L, "Division with compared value made here");
129  }
130 
131  return nullptr;
132 }
133 
134 bool TestAfterDivZeroChecker::isZero(SVal S, CheckerContext &C) const {
135  Optional<DefinedSVal> DSV = S.getAs<DefinedSVal>();
136 
137  if (!DSV)
138  return false;
139 
140  ConstraintManager &CM = C.getConstraintManager();
141  return !CM.assume(C.getState(), *DSV, true);
142 }
143 
144 void TestAfterDivZeroChecker::setDivZeroMap(SVal Var, CheckerContext &C) const {
145  SymbolRef SR = Var.getAsSymbol();
146  if (!SR)
147  return;
148 
149  ProgramStateRef State = C.getState();
150  State =
151  State->add<DivZeroMap>(ZeroState(SR, C.getBlockID(), C.getStackFrame()));
152  C.addTransition(State);
153 }
154 
155 bool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var,
156  const CheckerContext &C) const {
157  SymbolRef SR = Var.getAsSymbol();
158  if (!SR)
159  return false;
160 
161  ZeroState ZS(SR, C.getBlockID(), C.getStackFrame());
162  return C.getState()->contains<DivZeroMap>(ZS);
163 }
164 
165 void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
166  if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
167  if (!DivZeroBug)
168  DivZeroBug.reset(new BuiltinBug(this, "Division by zero"));
169 
170  auto R = std::make_unique<PathSensitiveBugReport>(
171  *DivZeroBug, "Value being compared against zero has already been used "
172  "for division",
173  N);
174 
175  R->addVisitor(std::make_unique<DivisionBRVisitor>(Val.getAsSymbol(),
176  C.getStackFrame()));
177  C.emitReport(std::move(R));
178  }
179 }
180 
181 void TestAfterDivZeroChecker::checkEndFunction(const ReturnStmt *,
182  CheckerContext &C) const {
183  ProgramStateRef State = C.getState();
184 
185  DivZeroMapTy DivZeroes = State->get<DivZeroMap>();
186  if (DivZeroes.isEmpty())
187  return;
188 
189  DivZeroMapTy::Factory &F = State->get_context<DivZeroMap>();
190  for (llvm::ImmutableSet<ZeroState>::iterator I = DivZeroes.begin(),
191  E = DivZeroes.end();
192  I != E; ++I) {
193  ZeroState ZS = *I;
194  if (ZS.getStackFrameContext() == C.getStackFrame())
195  DivZeroes = F.remove(DivZeroes, ZS);
196  }
197  C.addTransition(State->set<DivZeroMap>(DivZeroes));
198 }
199 
200 void TestAfterDivZeroChecker::checkPreStmt(const BinaryOperator *B,
201  CheckerContext &C) const {
202  BinaryOperator::Opcode Op = B->getOpcode();
203  if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign ||
204  Op == BO_RemAssign) {
205  SVal S = C.getSVal(B->getRHS());
206 
207  if (!isZero(S, C))
208  setDivZeroMap(S, C);
209  }
210 }
211 
212 void TestAfterDivZeroChecker::checkBranchCondition(const Stmt *Condition,
213  CheckerContext &C) const {
214  if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Condition)) {
215  if (B->isComparisonOp()) {
216  const IntegerLiteral *IntLiteral = dyn_cast<IntegerLiteral>(B->getRHS());
217  bool LRHS = true;
218  if (!IntLiteral) {
219  IntLiteral = dyn_cast<IntegerLiteral>(B->getLHS());
220  LRHS = false;
221  }
222 
223  if (!IntLiteral || IntLiteral->getValue() != 0)
224  return;
225 
226  SVal Val = C.getSVal(LRHS ? B->getLHS() : B->getRHS());
227  if (hasDivZeroMap(Val, C))
228  reportBug(Val, C);
229  }
230  } else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Condition)) {
231  if (U->getOpcode() == UO_LNot) {
232  SVal Val;
233  if (const ImplicitCastExpr *I =
234  dyn_cast<ImplicitCastExpr>(U->getSubExpr()))
235  Val = C.getSVal(I->getSubExpr());
236 
237  if (hasDivZeroMap(Val, C))
238  reportBug(Val, C);
239  else {
240  Val = C.getSVal(U->getSubExpr());
241  if (hasDivZeroMap(Val, C))
242  reportBug(Val, C);
243  }
244  }
245  } else if (const ImplicitCastExpr *IE =
246  dyn_cast<ImplicitCastExpr>(Condition)) {
247  SVal Val = C.getSVal(IE->getSubExpr());
248 
249  if (hasDivZeroMap(Val, C))
250  reportBug(Val, C);
251  else {
252  SVal Val = C.getSVal(Condition);
253 
254  if (hasDivZeroMap(Val, C))
255  reportBug(Val, C);
256  }
257  }
258 }
259 
260 void ento::registerTestAfterDivZeroChecker(CheckerManager &mgr) {
261  mgr.registerChecker<TestAfterDivZeroChecker>();
262 }
263 
264 bool ento::shouldRegisterTestAfterDivZeroChecker(const CheckerManager &mgr) {
265  return true;
266 }
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:494
clang::BinaryOperator::isComparisonOp
static bool isComparisonOp(Opcode Opc)
Definition: Expr.h:3902
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
llvm::Optional
Definition: LLVM.h:40
clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2157
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:295
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3847
CallEvent.h
U
clang::IntegerLiteral
Definition: Expr.h:1488
BuiltinCheckerRegistration.h
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3803
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:250
clang::api_notes::BlockID
BlockID
The various types of blocks that can occur within a API notes file.
Definition: APINotesFormat.h:38
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:109
clang::APIntStorage::getValue
llvm::APInt getValue() const
Definition: Expr.h:1472
clang::PostStmt
Definition: ProgramPoint.h:311
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
false
#define false
Definition: stdbool.h:17
BugType.h
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3852
State
LineState State
Definition: UnwrappedLineFormatter.cpp:986
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
CheckerContext.h
Checker.h
clang::Builtin::ID
ID
Definition: Builtins.h:48
clang
Definition: CalledOnceCheck.h:17
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:69
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3854
clang::operator<
bool operator<(DeclarationName LHS, DeclarationName RHS)
Ordering on two declaration names.
Definition: DeclarationName.h:540
clang::ImplicitCastExpr
ImplicitCastExpr - Allows us to explicitly represent implicit type conversions, which have no direct ...
Definition: Expr.h:3618
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ProgramPoint
Definition: ProgramPoint.h:59
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2760
Generated on Sat Oct 16 2021 11:41:14 for clang by   doxygen 1.8.17