[cfe-commits] r148566 - in /cfe/trunk: lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp test/Analysis/taint-generic.c
Anna Zaks
ganna at apple.com
Fri Jan 20 12:28:31 PST 2012
Author: zaks
Date: Fri Jan 20 14:28:31 2012
New Revision: 148566
URL: http://llvm.org/viewvc/llvm-project?rev=148566&view=rev
Log:
[analyzer] Add taint awareness to DivZeroChecker.
Modified:
cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
cfe/trunk/test/Analysis/taint-generic.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp?rev=148566&r1=148565&r2=148566&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp Fri Jan 20 14:28:31 2012
@@ -24,11 +24,31 @@
namespace {
class DivZeroChecker : public Checker< check::PreStmt<BinaryOperator> > {
mutable llvm::OwningPtr<BuiltinBug> BT;
+ void reportBug(const char *Msg,
+ const ProgramState *StateZero,
+ CheckerContext &C) const ;
public:
void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
};
} // end anonymous namespace
+void DivZeroChecker::reportBug(const char *Msg,
+ const ProgramState *StateZero,
+ CheckerContext &C) const {
+ if (ExplodedNode *N = C.generateSink(StateZero)) {
+ if (!BT)
+ BT.reset(new BuiltinBug(Msg));
+
+ BugReport *R =
+ new BugReport(*BT, BT->getDescription(), N);
+
+ R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
+ bugreporter::GetDenomExpr(N)));
+
+ C.EmitReport(R);
+ }
+}
+
void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
CheckerContext &C) const {
BinaryOperator::Opcode Op = B->getOpcode();
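Review bot: In `reportBug`, `Msg` only takes effect on the first call, because `BT` is created lazily with `new BuiltinBug(Msg)` and every later report takes its text from `BT->getDescription()`. Once one kind of division bug has been emitted, the other kind would apparently be reported under the first message, so a tainted-divisor finding could be labelled plain "Division by zero", or the reverse, which misleads triage. Keeping one bug type and passing the per-report text explicitly avoids this: `BT.reset(new BuiltinBug("Division by zero"));` and `new BugReport(*BT, Msg, N);`. `reportBug` is fully visible here, but the body of `checkPreStmt` continues outside the hunk.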
@@ -57,18 +77,13 @@
if (!stateNotZero) {
assert(stateZero);
- if (ExplodedNode *N = C.generateSink(stateZero)) {
- if (!BT)
- BT.reset(new BuiltinBug("Division by zero"));
-
- BugReport *R =
- new BugReport(*BT, BT->getDescription(), N);
-
- R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N,
- bugreporter::GetDenomExpr(N)));
+ reportBug("Division by zero", stateZero, C);
+ return;
+ }
- C.EmitReport(R);
- }
+ bool TaintedD = C.getState()->isTainted(*DV);
+ if ((stateNotZero && stateZero && TaintedD)) {
+ reportBug("Division by a tainted value, possibly zero", stateZero, C);
return;
}
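Review bot: The new tainted branch ends the path with a sink and a `return`, so nothing after the division on that path is analysed, even though the denominator may well be non-zero. The rest of `checkPreStmt` is outside the hunk, so this is inferred, but the edit to `bufferScanfArithmetic2` in taint-generic.c (division replaced by subtraction to keep the out-of-bounds warning) suggests later findings are indeed suppressed. That trade-off deserves a comment at the branch, for example `// Tainted denominator: report and stop this path; later taint uses on it are not explored.` Separately, `stateNotZero` is already known to be non-null at this point because the `if (!stateNotZero)` block returns, so the condition reduces to `if (stateZero && TaintedD)` without the doubled parentheses.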
Modified: cfe/trunk/test/Analysis/taint-generic.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/taint-generic.c?rev=148566&r1=148565&r2=148566&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/taint-generic.c (original)
+++ cfe/trunk/test/Analysis/taint-generic.c Fri Jan 20 14:28:31 2012
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,core,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s
int scanf(const char *restrict format, ...);
int getchar(void);
@@ -49,7 +49,7 @@
void bufferScanfArithmetic2(int x) {
int n;
scanf("%d", &n);
- int m = 100 / (n + 3) * x;
+ int m = 100 - (n + 3) * x;
Buffer[m] = 1; // expected-warning {{Out of bound memory access }}
}
@@ -64,7 +64,7 @@
}
void scanfArg() {
- int t;
+ int t = 0;
scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}}
}
@@ -171,3 +171,8 @@
execl(buffer, "filename", 0); // no-warning
}
+int testDivByZero() {
+ int x;
+ scanf("%d", &x);
+ return 5/x; // expected-warning {{Division by a tainted value, possibly zero}}
+}
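Review bot: `testDivByZero` covers only the unguarded case, so nothing pins down that a tainted divisor already checked against zero stays silent. The new condition in DivZeroChecker requires the zero state to be feasible, so a guarded division should produce no warning. A companion negative test would catch a regression that turns the checker into "warn on every tainted divisor". A sketch of such a test follows; the function name is constructed for illustration.

```c
int testDivByZeroGuarded() {
  int x;
  scanf("%d", &x);
  if (x == 0)
    return 0;
  return 5/x; // no-warning
}
```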