[cfe-commits] r148566 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp test/Analysis/taint-generic.c

Anna Zaks ganna at apple.com
Fri Jan 20 12:28:31 PST 2012


Author: zaks
Date: Fri Jan 20 14:28:31 2012
New Revision: 148566

URL: http://llvm.org/viewvc/llvm-project?rev=148566&view=rev
Log:
[analyzer] Add taint awareness to DivZeroChecker.

Modified:
    cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
    cfe/trunk/test/Analysis/taint-generic.c

Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp?rev=148566&r1=148565&r2=148566&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp Fri Jan 20 14:28:31 2012
@@ -24,11 +24,31 @@
 namespace {
 class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
   mutable llvm::OwningPtr<BuiltinBug> BT;
+  void reportBug(const char *Msg,
+                 const ProgramState *StateZero,
+                 CheckerContext &C) const ;
 public:
   void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
 };  
 } // end anonymous namespace
 
+void DivZeroChecker::reportBug(const char *Msg,
+                               const ProgramState *StateZero,
+                               CheckerContext &C) const {
+  if (ExplodedNode *N = C.generateSink(StateZero)) {
+    if (!BT)
+      BT.reset(new BuiltinBug(Msg));
+
+    BugReport *R =
+      new BugReport(*BT, BT->getDescription(), N);
+
+    R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
+                                 bugreporter::GetDenomExpr(N)));
+
+    C.EmitReport(R);
+  }
+}
+
 void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
                                   CheckerContext &C) const {
   BinaryOperator::Opcode Op = B->getOpcode();
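Review bot: `reportBug` creates `BT` only once, from whichever `Msg` arrives first, and then builds every report from `BT->getDescription()`, so in a translation unit that reaches both call sites the second kind of report would presumably carry the first message. Keep the bug type fixed and pass the per-call text to the report instead: `BT.reset(new BuiltinBug("Division by zero"));` and `new BugReport(*BT, Msg, N);`. This matters for triage, because a tainted-divisor finding labelled as a definite division by zero (or the reverse) hides whether the value is attacker-influenced. The two call sites are in `checkPreStmt`, whose body continues outside this hunk.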
@@ -57,18 +77,13 @@
 
   if (!stateNotZero) {
     assert(stateZero);
-    if (ExplodedNode *N = C.generateSink(stateZero)) {
-      if (!BT)
-        BT.reset(new BuiltinBug("Division by zero"));
-
-      BugReport *R = 
-        new BugReport(*BT, BT->getDescription(), N);
-
-      R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
-                                   bugreporter::GetDenomExpr(N)));
+    reportBug("Division by zero", stateZero, C);
+    return;
+  }
 
-      C.EmitReport(R);
-    }
+  bool TaintedD = C.getState()->isTainted(*DV);
+  if ((stateNotZero && stateZero && TaintedD)) {
+    reportBug("Division by a tainted value, possibly zero", stateZero, C);
     return;
   }
 
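Review bot: The tainted branch goes through `reportBug`, which calls `C.generateSink(stateZero)`, and then returns, so a divisor that is only possibly zero ends the path and whatever follows the hunk for `stateNotZero` is skipped; later checks on code after such a division will not run, which is presumably why `bufferScanfArithmetic2` in taint-generic.c had its `/` changed to `-`. If that is intended, say so above the branch, e.g. `// Tainted divisor may be zero: report and stop exploring this path.` The condition can also be reduced to `if (stateZero && TaintedD) {`, since `stateNotZero` is already known to be non-null after the early return just above. `DV` and the start of `checkPreStmt` are outside this hunk.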

Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=148566&r1=148565&r2=148566&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Fri Jan 20 14:28:31 2012
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
+// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,core,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
 
 int scanf(const char *restrict format, ...);
 int getchar(void);
@@ -49,7 +49,7 @@
 void bufferScanfArithmetic2(int x) {
   int n;
   scanf("%d", &n);
-  int m = 100 / (n + 3) * x;
+  int m = 100 - (n + 3) * x;
   Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
 }
 
@@ -64,7 +64,7 @@
 }
 
 void scanfArg() {
-  int t;
+  int t = 0;
   scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
 }
 
@@ -171,3 +171,8 @@
   execl(buffer, "filename", 0); // no-warning
 }
 
+int testDivByZero() {
+  int x;
+  scanf("%d", &x);
+  return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
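Review bot: `testDivByZero` pins only the positive case; nothing checks that a tainted divisor which has been compared against zero stays quiet, and that is the guard the new warning pushes users to write. Add a negative case next to it so a later change to the taint branch cannot start flagging validated input. A definite `Division by zero` case in the same file would also exercise both messages in one run.

```c
// … unchanged: testDivByZero above …

int testDivByZeroChecked() {
  int x;
  scanf("%d", &x);
  if (x == 0)
    return 0;
  return 5/x; // no-warning
}
```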




