[cfe-commits] r47547 - in /cfe/trunk: Analysis/GRExprEngine.cpp include/clang/Analysis/PathSensitive/GRExprEngine.h

Ted Kremenek kremenek at apple.com
Mon Feb 25 09:51:31 PST 2008 

Author: kremenek
Date: Mon Feb 25 11:51:31 2008
New Revision: 47547

URL: http://llvm.org/viewvc/llvm-project?rev=47547&view=rev
Log:
Added transfer function support for checking for divide-by-zero errors.

Modified:
    cfe/trunk/Analysis/GRExprEngine.cpp
    cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h

Modified: cfe/trunk/Analysis/GRExprEngine.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/Analysis/GRExprEngine.cpp?rev=47547&r1=47546&r2=47547&view=diff

==============================================================================
--- cfe/trunk/Analysis/GRExprEngine.cpp (original)
+++ cfe/trunk/Analysis/GRExprEngine.cpp Mon Feb 25 11:51:31 2008
@@ -850,6 +850,33 @@
 
       BinaryOperator::Opcode Op = B->getOpcode();
       
+      if (Op == BinaryOperator::Div) { // Check for divide-by-zero.
+        
+        // First, "assume" that the denominator is 0.
+        
+        bool isFeasible = false;
+        StateTy ZeroSt = Assume(St, RightV, false, isFeasible);
+        
+        if (isFeasible) {
+          NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2);
+          
+          if (DivZeroNode) {
+            DivZeroNode->markAsSink();
+            DivZeroes.insert(DivZeroNode);
+          }
+        }
+        
+        // Second, "assume" that the denominator cannot be 0.
+        
+        isFeasible = false;
+        St = Assume(St, RightV, true, isFeasible);
+        
+        if (!isFeasible)
+          continue;
+        
+        // Fall-through.  The logic below processes the divide.
+      }
+      
       if (Op <= BinaryOperator::Or) {
         
         // Process non-assignements except commas or short-circuited
@@ -964,8 +991,35 @@
           RightV = EvalCast(RightV, CTy);
           
           // Evaluate operands and promote to result type.
+
+          if (Op == BinaryOperator::Div) { // Check for divide-by-zero.
+                        
+            // First, "assume" that the denominator is 0.
+            
+            bool isFeasible = false;
+            StateTy ZeroSt = Assume(St, RightV, false, isFeasible);
+            
+            if (isFeasible) {
+              NodeTy* DivZeroNode = Builder->generateNode(B, ZeroSt, N2);
+              
+              if (DivZeroNode) {
+                DivZeroNode->markAsSink();
+                DivZeroes.insert(DivZeroNode);
+              }
+            }
+            
+            // Second, "assume" that the denominator cannot be 0.
+            
+            isFeasible = false;
+            St = Assume(St, RightV, true, isFeasible);
+            
+            if (!isFeasible)
+              continue;
+            
+            // Fall-through.  The logic below processes the divide.
+          }
+
           RVal Result = EvalCast(EvalBinOp(Op, V, RightV), B->getType());
-          
           St = SetRVal(SetRVal(St, B, Result), LeftLV, Result);
         }
       }

Modified: cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h?rev=47547&r1=47546&r2=47547&view=diff

==============================================================================
--- cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h (original)
+++ cfe/trunk/include/clang/Analysis/PathSensitive/GRExprEngine.h Mon Feb 25 11:51:31 2008
@@ -114,18 +114,30 @@
   ///  taking a branch based on an uninitialized value.
   typedef llvm::SmallPtrSet<NodeTy*,5> UninitBranchesTy;
   UninitBranchesTy UninitBranches;
+
+  typedef llvm::SmallPtrSet<NodeTy*,5> UninitStoresTy;
+  typedef llvm::SmallPtrSet<NodeTy*,5> BadDerefTy;
+  typedef llvm::SmallPtrSet<NodeTy*,5> DivZerosTy;
   
   /// UninitStores - Sinks in the ExplodedGraph that result from
   ///  making a store to an uninitialized lvalue.
-  typedef llvm::SmallPtrSet<NodeTy*,5> UninitStoresTy;
   UninitStoresTy UninitStores;
   
   /// ImplicitNullDeref - Nodes in the ExplodedGraph that result from
-  ///  taking a dereference on a symbolic pointer that may be NULL.
-  typedef llvm::SmallPtrSet<NodeTy*,5> BadDerefTy;
+  ///  taking a dereference on a symbolic pointer that MAY be NULL.
   BadDerefTy ImplicitNullDeref;
+    
+  /// ExplicitNullDeref - Nodes in the ExplodedGraph that result from
+  ///  taking a dereference on a symbolic pointer that MUST be NULL.
   BadDerefTy ExplicitNullDeref;
+  
+  /// UnitDeref - Nodes in the ExplodedGraph that result from
+  ///  taking a dereference on an uninitialized value.
   BadDerefTy UninitDeref;
+
+  /// DivZeroes - Nodes in the ExplodedGraph that result from evaluating
+  ///  a divide-by-zero.
+  DivZerosTy DivZeroes;
   
   bool StateCleaned;

More information about the cfe-commits mailing list