//== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This defines DivZeroChecker, a builtin check in ExprEngine that performs // checks for division by zeros. // //===----------------------------------------------------------------------===// #include "Taint.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" using namespace clang; using namespace ento; using namespace taint; namespace { class DivZeroChecker : public Checker< check::PreStmt > { mutable std::unique_ptr BT; void reportBug(const char *Msg, ProgramStateRef StateZero, CheckerContext &C, std::unique_ptr Visitor = nullptr) const; public: void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; }; } // end anonymous namespace static const Expr *getDenomExpr(const ExplodedNode *N) { const Stmt *S = N->getLocationAs()->getStmt(); if (const auto *BE = dyn_cast(S)) return BE->getRHS(); return nullptr; } void DivZeroChecker::reportBug( const char *Msg, ProgramStateRef StateZero, CheckerContext &C, std::unique_ptr Visitor) const { if (ExplodedNode *N = C.generateErrorNode(StateZero)) { if (!BT) BT.reset(new BuiltinBug(this, "Division by zero")); auto R = std::make_unique(*BT, Msg, N); R->addVisitor(std::move(Visitor)); bugreporter::trackExpressionValue(N, getDenomExpr(N), *R); C.emitReport(std::move(R)); } } void DivZeroChecker::checkPreStmt(const BinaryOperator *B, CheckerContext &C) const { BinaryOperator::Opcode Op = B->getOpcode(); if (Op != BO_Div && Op != BO_Rem && Op != BO_DivAssign && Op != BO_RemAssign) return; if (!B->getRHS()->getType()->isScalarType()) return; SVal Denom = C.getSVal(B->getRHS()); Optional DV = Denom.getAs(); // Divide-by-undefined handled in the generic checking for uses of // undefined values. if (!DV) return; // Check for divide by zero. ConstraintManager &CM = C.getConstraintManager(); ProgramStateRef stateNotZero, stateZero; std::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV); if (!stateNotZero) { assert(stateZero); reportBug("Division by zero", stateZero, C); return; } bool TaintedD = isTainted(C.getState(), *DV); if ((stateNotZero && stateZero && TaintedD)) { reportBug("Division by a tainted value, possibly zero", stateZero, C, std::make_unique(*DV)); return; } // If we get here, then the denom should not be zero. We abandon the implicit // zero denom case for now. C.addTransition(stateNotZero); } void ento::registerDivZeroChecker(CheckerManager &mgr) { mgr.registerChecker(); } bool ento::shouldRegisterDivZeroChecker(const LangOptions &LO) { return true; }