Home | History | Annotate | Download | only in Checkers 
      1 //== DivZeroChecker.cpp - Division by zero checker --------------*- C++ -*--==//
      2 //
      3 //                     The LLVM Compiler Infrastructure
      4 //
      5 // This file is distributed under the University of Illinois Open Source
      6 // License. See LICENSE.TXT for details.
      7 //
      8 //===----------------------------------------------------------------------===//
      9 //
     10 // This defines DivZeroChecker, a builtin check in ExprEngine that performs
     11 // checks for division by zeros.
     12 //
     13 //===----------------------------------------------------------------------===//
     14 
     15 #include "ClangSACheckers.h"
     16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
     17 #include "clang/StaticAnalyzer/Core/Checker.h"
     18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
     19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
     20 
     21 using namespace clang;
     22 using namespace ento;
     23 
     24 namespace {
     25 class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
     26   mutable OwningPtr<BuiltinBug> BT;
     27   void reportBug(const char *Msg,
     28                  ProgramStateRef StateZero,
     29                  CheckerContext &C) const ;
     30 public:
     31   void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
     32 };
     33 } // end anonymous namespace
     34 
     35 void DivZeroChecker::reportBug(const char *Msg,
     36                                ProgramStateRef StateZero,
     37                                CheckerContext &C) const {
     38   if (ExplodedNode *N = C.generateSink(StateZero)) {
     39     if (!BT)
     40       BT.reset(new BuiltinBug("Division by zero"));
     41 
     42     BugReport *R = new BugReport(*BT, Msg, N);
     43     bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R);
     44     C.emitReport(R);
     45   }
     46 }
     47 
     48 void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
     49                                   CheckerContext &C) const {
     50   BinaryOperator::Opcode Op = B->getOpcode();
     51   if (Op != BO_Div &&
     52       Op != BO_Rem &&
     53       Op != BO_DivAssign &&
     54       Op != BO_RemAssign)
     55     return;
     56 
     57   if (!B->getRHS()->getType()->isScalarType())
     58     return;
     59 
     60   SVal Denom = C.getState()->getSVal(B->getRHS(), C.getLocationContext());
     61   Optional<DefinedSVal> DV = Denom.getAs<DefinedSVal>();
     62 
     63   // Divide-by-undefined handled in the generic checking for uses of
     64   // undefined values.
     65   if (!DV)
     66     return;
     67 
     68   // Check for divide by zero.
     69   ConstraintManager &CM = C.getConstraintManager();
     70   ProgramStateRef stateNotZero, stateZero;
     71   llvm::tie(stateNotZero, stateZero) = CM.assumeDual(C.getState(), *DV);
     72 
     73   if (!stateNotZero) {
     74     assert(stateZero);
     75     reportBug("Division by zero", stateZero, C);
     76     return;
     77   }
     78 
     79   bool TaintedD = C.getState()->isTainted(*DV);
     80   if ((stateNotZero && stateZero && TaintedD)) {
     81     reportBug("Division by a tainted value, possibly zero", stateZero, C);
     82     return;
     83   }
     84 
     85   // If we get here, then the denom should not be zero. We abandon the implicit
     86   // zero denom case for now.
     87   C.addTransition(stateNotZero);
     88 }
     89 
     90 void ento::registerDivZeroChecker(CheckerManager &mgr) {
     91   mgr.registerChecker<DivZeroChecker>();
     92 }
     93