1 //== TestAfterDivZeroChecker.cpp - Test after division by zero checker --*--==// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This defines TestAfterDivZeroChecker, a builtin check that performs checks 10 // for division by zero where the division occurs before comparison with zero. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 16 #include "clang/StaticAnalyzer/Core/Checker.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 #include "llvm/ADT/FoldingSet.h" 20 #include <optional> 21 22 using namespace clang; 23 using namespace ento; 24 25 namespace { 26 27 class ZeroState { 28 private: 29 SymbolRef ZeroSymbol; 30 unsigned BlockID; 31 const StackFrameContext *SFC; 32 33 public: 34 ZeroState(SymbolRef S, unsigned B, const StackFrameContext *SFC) 35 : ZeroSymbol(S), BlockID(B), SFC(SFC) {} 36 37 const StackFrameContext *getStackFrameContext() const { return SFC; } 38 39 bool operator==(const ZeroState &X) const { 40 return BlockID == X.BlockID && SFC == X.SFC && ZeroSymbol == X.ZeroSymbol; 41 } 42 43 bool operator<(const ZeroState &X) const { 44 return std::tie(BlockID, SFC, ZeroSymbol) < 45 std::tie(X.BlockID, X.SFC, X.ZeroSymbol); 46 } 47 48 void Profile(llvm::FoldingSetNodeID &ID) const { 49 ID.AddInteger(BlockID); 50 ID.AddPointer(SFC); 51 ID.AddPointer(ZeroSymbol); 52 } 53 }; 54 55 class DivisionBRVisitor : public BugReporterVisitor { 56 private: 57 SymbolRef ZeroSymbol; 58 const StackFrameContext *SFC; 59 bool Satisfied; 60 61 public: 62 DivisionBRVisitor(SymbolRef ZeroSymbol, const StackFrameContext *SFC) 63 : ZeroSymbol(ZeroSymbol), SFC(SFC), Satisfied(false) {} 64 65 void Profile(llvm::FoldingSetNodeID &ID) const override { 66 ID.Add(ZeroSymbol); 67 ID.Add(SFC); 68 } 69 70 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, 71 BugReporterContext &BRC, 72 PathSensitiveBugReport &BR) override; 73 }; 74 75 class TestAfterDivZeroChecker 76 : public Checker<check::PreStmt<BinaryOperator>, check::BranchCondition, 77 check::EndFunction> { 78 const BugType DivZeroBug{this, "Division by zero"}; 79 void reportBug(SVal Val, CheckerContext &C) const; 80 81 public: 82 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; 83 void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const; 84 void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const; 85 void setDivZeroMap(SVal Var, CheckerContext &C) const; 86 bool hasDivZeroMap(SVal Var, const CheckerContext &C) const; 87 bool isZero(SVal S, CheckerContext &C) const; 88 }; 89 } // end anonymous namespace 90 91 REGISTER_SET_WITH_PROGRAMSTATE(DivZeroMap, ZeroState) 92 93 PathDiagnosticPieceRef 94 DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC, 95 PathSensitiveBugReport &BR) { 96 if (Satisfied) 97 return nullptr; 98 99 const Expr *E = nullptr; 100 101 if (std::optional<PostStmt> P = Succ->getLocationAs<PostStmt>()) 102 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) { 103 BinaryOperator::Opcode Op = BO->getOpcode(); 104 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign || 105 Op == BO_RemAssign) { 106 E = BO->getRHS(); 107 } 108 } 109 110 if (!E) 111 return nullptr; 112 113 SVal S = Succ->getSVal(E); 114 if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) { 115 Satisfied = true; 116 117 // Construct a new PathDiagnosticPiece. 118 ProgramPoint P = Succ->getLocation(); 119 PathDiagnosticLocation L = 120 PathDiagnosticLocation::create(P, BRC.getSourceManager()); 121 122 if (!L.isValid() || !L.asLocation().isValid()) 123 return nullptr; 124 125 return std::make_shared<PathDiagnosticEventPiece>( 126 L, "Division with compared value made here"); 127 } 128 129 return nullptr; 130 } 131 132 bool TestAfterDivZeroChecker::isZero(SVal S, CheckerContext &C) const { 133 std::optional<DefinedSVal> DSV = S.getAs<DefinedSVal>(); 134 135 if (!DSV) 136 return false; 137 138 ConstraintManager &CM = C.getConstraintManager(); 139 return !CM.assume(C.getState(), *DSV, true); 140 } 141 142 void TestAfterDivZeroChecker::setDivZeroMap(SVal Var, CheckerContext &C) const { 143 SymbolRef SR = Var.getAsSymbol(); 144 if (!SR) 145 return; 146 147 ProgramStateRef State = C.getState(); 148 State = 149 State->add<DivZeroMap>(ZeroState(SR, C.getBlockID(), C.getStackFrame())); 150 C.addTransition(State); 151 } 152 153 bool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var, 154 const CheckerContext &C) const { 155 SymbolRef SR = Var.getAsSymbol(); 156 if (!SR) 157 return false; 158 159 ZeroState ZS(SR, C.getBlockID(), C.getStackFrame()); 160 return C.getState()->contains<DivZeroMap>(ZS); 161 } 162 163 void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const { 164 if (ExplodedNode *N = C.generateErrorNode(C.getState())) { 165 auto R = std::make_unique<PathSensitiveBugReport>( 166 DivZeroBug, 167 "Value being compared against zero has already been used " 168 "for division", 169 N); 170 171 R->addVisitor(std::make_unique<DivisionBRVisitor>(Val.getAsSymbol(), 172 C.getStackFrame())); 173 C.emitReport(std::move(R)); 174 } 175 } 176 177 void TestAfterDivZeroChecker::checkEndFunction(const ReturnStmt *, 178 CheckerContext &C) const { 179 ProgramStateRef State = C.getState(); 180 181 DivZeroMapTy DivZeroes = State->get<DivZeroMap>(); 182 if (DivZeroes.isEmpty()) 183 return; 184 185 DivZeroMapTy::Factory &F = State->get_context<DivZeroMap>(); 186 for (const ZeroState &ZS : DivZeroes) { 187 if (ZS.getStackFrameContext() == C.getStackFrame()) 188 DivZeroes = F.remove(DivZeroes, ZS); 189 } 190 C.addTransition(State->set<DivZeroMap>(DivZeroes)); 191 } 192 193 void TestAfterDivZeroChecker::checkPreStmt(const BinaryOperator *B, 194 CheckerContext &C) const { 195 BinaryOperator::Opcode Op = B->getOpcode(); 196 if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign || 197 Op == BO_RemAssign) { 198 SVal S = C.getSVal(B->getRHS()); 199 200 if (!isZero(S, C)) 201 setDivZeroMap(S, C); 202 } 203 } 204 205 void TestAfterDivZeroChecker::checkBranchCondition(const Stmt *Condition, 206 CheckerContext &C) const { 207 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Condition)) { 208 if (B->isComparisonOp()) { 209 const IntegerLiteral *IntLiteral = dyn_cast<IntegerLiteral>(B->getRHS()); 210 bool LRHS = true; 211 if (!IntLiteral) { 212 IntLiteral = dyn_cast<IntegerLiteral>(B->getLHS()); 213 LRHS = false; 214 } 215 216 if (!IntLiteral || IntLiteral->getValue() != 0) 217 return; 218 219 SVal Val = C.getSVal(LRHS ? B->getLHS() : B->getRHS()); 220 if (hasDivZeroMap(Val, C)) 221 reportBug(Val, C); 222 } 223 } else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Condition)) { 224 if (U->getOpcode() == UO_LNot) { 225 SVal Val; 226 if (const ImplicitCastExpr *I = 227 dyn_cast<ImplicitCastExpr>(U->getSubExpr())) 228 Val = C.getSVal(I->getSubExpr()); 229 230 if (hasDivZeroMap(Val, C)) 231 reportBug(Val, C); 232 else { 233 Val = C.getSVal(U->getSubExpr()); 234 if (hasDivZeroMap(Val, C)) 235 reportBug(Val, C); 236 } 237 } 238 } else if (const ImplicitCastExpr *IE = 239 dyn_cast<ImplicitCastExpr>(Condition)) { 240 SVal Val = C.getSVal(IE->getSubExpr()); 241 242 if (hasDivZeroMap(Val, C)) 243 reportBug(Val, C); 244 else { 245 SVal Val = C.getSVal(Condition); 246 247 if (hasDivZeroMap(Val, C)) 248 reportBug(Val, C); 249 } 250 } 251 } 252 253 void ento::registerTestAfterDivZeroChecker(CheckerManager &mgr) { 254 mgr.registerChecker<TestAfterDivZeroChecker>(); 255 } 256 257 bool ento::shouldRegisterTestAfterDivZeroChecker(const CheckerManager &mgr) { 258 return true; 259 } 260