//== TestAfterDivZeroChecker.cpp - Test after division by zero checker --*--==// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This defines TestAfterDivZeroChecker, a builtin check that performs checks // for division by zero where the division occurs before comparison with zero. // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "llvm/ADT/FoldingSet.h" using namespace clang; using namespace ento; namespace { class ZeroState { private: SymbolRef ZeroSymbol; unsigned BlockID; const StackFrameContext *SFC; public: ZeroState(SymbolRef S, unsigned B, const StackFrameContext *SFC) : ZeroSymbol(S), BlockID(B), SFC(SFC) {} const StackFrameContext *getStackFrameContext() const { return SFC; } bool operator==(const ZeroState &X) const { return BlockID == X.BlockID && SFC == X.SFC && ZeroSymbol == X.ZeroSymbol; } bool operator<(const ZeroState &X) const { if (BlockID != X.BlockID) return BlockID < X.BlockID; if (SFC != X.SFC) return SFC < X.SFC; return ZeroSymbol < X.ZeroSymbol; } void Profile(llvm::FoldingSetNodeID &ID) const { ID.AddInteger(BlockID); ID.AddPointer(SFC); ID.AddPointer(ZeroSymbol); } }; class DivisionBRVisitor : public BugReporterVisitorImpl<DivisionBRVisitor> { private: SymbolRef ZeroSymbol; const StackFrameContext *SFC; bool Satisfied = false; public: DivisionBRVisitor(SymbolRef ZeroSymbol, const StackFrameContext *SFC) : ZeroSymbol(ZeroSymbol), SFC(SFC) {} void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(ZeroSymbol); ID.Add(SFC); } PathDiagnosticPiece *VisitNode(const ExplodedNode *Succ, const ExplodedNode *Pred, BugReporterContext &BRC, BugReport &BR) override; }; class TestAfterDivZeroChecker : public Checker<check::PreStmt<BinaryOperator>, check::BranchCondition, check::EndFunction> { mutable std::unique_ptr<BuiltinBug> DivZeroBug; void reportBug(SVal Val, CheckerContext &C) const; public: void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const; void checkEndFunction(CheckerContext &C) const; void setDivZeroMap(SVal Var, CheckerContext &C) const; bool hasDivZeroMap(SVal Var, const CheckerContext &C) const; bool isZero(SVal S, CheckerContext &C) const; }; } // end anonymous namespace REGISTER_SET_WITH_PROGRAMSTATE(DivZeroMap, ZeroState) PathDiagnosticPiece *DivisionBRVisitor::VisitNode(const ExplodedNode *Succ, const ExplodedNode *Pred, BugReporterContext &BRC, BugReport &BR) { if (Satisfied) return nullptr; const Expr *E = nullptr; if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>()) if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) { BinaryOperator::Opcode Op = BO->getOpcode(); if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign || Op == BO_RemAssign) { E = BO->getRHS(); } } if (!E) return nullptr; ProgramStateRef State = Succ->getState(); SVal S = State->getSVal(E, Succ->getLocationContext()); if (ZeroSymbol == S.getAsSymbol() && SFC == Succ->getStackFrame()) { Satisfied = true; // Construct a new PathDiagnosticPiece. ProgramPoint P = Succ->getLocation(); PathDiagnosticLocation L = PathDiagnosticLocation::create(P, BRC.getSourceManager()); if (!L.isValid() || !L.asLocation().isValid()) return nullptr; return new PathDiagnosticEventPiece( L, "Division with compared value made here"); } return nullptr; } bool TestAfterDivZeroChecker::isZero(SVal S, CheckerContext &C) const { Optional<DefinedSVal> DSV = S.getAs<DefinedSVal>(); if (!DSV) return false; ConstraintManager &CM = C.getConstraintManager(); return !CM.assume(C.getState(), *DSV, true); } void TestAfterDivZeroChecker::setDivZeroMap(SVal Var, CheckerContext &C) const { SymbolRef SR = Var.getAsSymbol(); if (!SR) return; ProgramStateRef State = C.getState(); State = State->add<DivZeroMap>(ZeroState(SR, C.getBlockID(), C.getStackFrame())); C.addTransition(State); } bool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var, const CheckerContext &C) const { SymbolRef SR = Var.getAsSymbol(); if (!SR) return false; ZeroState ZS(SR, C.getBlockID(), C.getStackFrame()); return C.getState()->contains<DivZeroMap>(ZS); } void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const { if (ExplodedNode *N = C.generateSink(C.getState())) { if (!DivZeroBug) DivZeroBug.reset(new BuiltinBug(this, "Division by zero")); BugReport *R = new BugReport(*DivZeroBug, "Value being compared against zero has " "already been used for division", N); R->addVisitor(new DivisionBRVisitor(Val.getAsSymbol(), C.getStackFrame())); C.emitReport(R); } } void TestAfterDivZeroChecker::checkEndFunction(CheckerContext &C) const { ProgramStateRef State = C.getState(); DivZeroMapTy DivZeroes = State->get<DivZeroMap>(); if (DivZeroes.isEmpty()) return; DivZeroMapTy::Factory &F = State->get_context<DivZeroMap>(); for (llvm::ImmutableSet<ZeroState>::iterator I = DivZeroes.begin(), E = DivZeroes.end(); I != E; ++I) { ZeroState ZS = *I; if (ZS.getStackFrameContext() == C.getStackFrame()) DivZeroes = F.remove(DivZeroes, ZS); } C.addTransition(State->set<DivZeroMap>(DivZeroes)); } void TestAfterDivZeroChecker::checkPreStmt(const BinaryOperator *B, CheckerContext &C) const { BinaryOperator::Opcode Op = B->getOpcode(); if (Op == BO_Div || Op == BO_Rem || Op == BO_DivAssign || Op == BO_RemAssign) { SVal S = C.getSVal(B->getRHS()); if (!isZero(S, C)) setDivZeroMap(S, C); } } void TestAfterDivZeroChecker::checkBranchCondition(const Stmt *Condition, CheckerContext &C) const { if (const BinaryOperator *B = dyn_cast<BinaryOperator>(Condition)) { if (B->isComparisonOp()) { const IntegerLiteral *IntLiteral = dyn_cast<IntegerLiteral>(B->getRHS()); bool LRHS = true; if (!IntLiteral) { IntLiteral = dyn_cast<IntegerLiteral>(B->getLHS()); LRHS = false; } if (!IntLiteral || IntLiteral->getValue() != 0) return; SVal Val = C.getSVal(LRHS ? B->getLHS() : B->getRHS()); if (hasDivZeroMap(Val, C)) reportBug(Val, C); } } else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(Condition)) { if (U->getOpcode() == UO_LNot) { SVal Val; if (const ImplicitCastExpr *I = dyn_cast<ImplicitCastExpr>(U->getSubExpr())) Val = C.getSVal(I->getSubExpr()); if (hasDivZeroMap(Val, C)) reportBug(Val, C); else { Val = C.getSVal(U->getSubExpr()); if (hasDivZeroMap(Val, C)) reportBug(Val, C); } } } else if (const ImplicitCastExpr *IE = dyn_cast<ImplicitCastExpr>(Condition)) { SVal Val = C.getSVal(IE->getSubExpr()); if (hasDivZeroMap(Val, C)) reportBug(Val, C); else { SVal Val = C.getSVal(Condition); if (hasDivZeroMap(Val, C)) reportBug(Val, C); } } } void ento::registerTestAfterDivZeroChecker(CheckerManager &mgr) { mgr.registerChecker<TestAfterDivZeroChecker>(); }