authorArseniy Zaostrovnykh <necto.ne@gmail.com>2025-06-17 13:07:44 +0200
committerGitHub <noreply@github.com>2025-06-17 13:07:44 +0200
commit2d336e7c5e821383816a9dca080f713747cc9e1e (patch)
tree04214ff6d254bef8cd30160da0a3a2f2b04e30bb /clang/lib/StaticAnalyzer/Checkers
parent49c6235d1fb3bcecfe37a8e41bec69d6c7dc86ff (diff)
[analyzer] Avoid contradicting assumption in tainted div-by-0 error node (#144491)
This patch corrects the state of the error node generated by the core.DivideZero checker when it detects a potential division by zero involving a tainted denominator. The checker split in https://github.com/llvm/llvm-project/pull/106389/commits/91ac5ed10a154410c246d985752c1bbfcf23b105 started to introduce a conflicting assumption about the denominator into the error node: the node carrying the bug report "Division by a tainted value, possibly zero" had the assumption "denominator != 0". This was done as a shortcut to continue analysis with the correct assumption *after* the division - if we proceed, we can only assume the denominator was not zero. However, this assumption is introduced one node too soon, leading to a self-contradictory error node. In this patch, I make the error node with the assumption of a zero denominator fatal, but allow analysis to continue on the second half of the state split with the assumption of a non-zero denominator. --- CPP-6376
Diffstat (limited to 'clang/lib/StaticAnalyzer/Checkers')
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp8
1 files changed, 4 insertions, 4 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
index 15d73fb..ab90615 100644
--- a/clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp
@@ -69,7 +69,7 @@ void DivZeroChecker::reportTaintBug(
llvm::ArrayRef<SymbolRef> TaintedSyms) const {
if (!TaintedDivChecker.isEnabled())
return;
- if (ExplodedNode *N = C.generateNonFatalErrorNode(StateZero)) {
+ if (ExplodedNode *N = C.generateErrorNode(StateZero)) {
auto R =
std::make_unique<PathSensitiveBugReport>(TaintedDivChecker, Msg, N);
bugreporter::trackExpressionValue(N, getDenomExpr(N), *R);
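Review bot: The switch to `generateErrorNode(StateZero)` on the `+` line turns this report into a sink, which changes reportTaintBug's contract with its caller: the tainted-zero path now ends inside this function, and the non-zero path survives only because the caller keeps going after the call — nothing in the function says so. I would document that above the `if`, e.g. `// Sink: the tainted-zero path ends here. The caller is responsible for continuing analysis on the non-zero state.`, so a future change to the caller does not silently drop the non-zero continuation or reintroduce the contradictory state. It is also worth noting in that comment that `generateErrorNode` returns null when an equivalent node already exists, in which case the report is skipped as before (pre-existing, but now it also means the path is not sunk). reportTaintBug's signature begins before this hunk and its closing braces lie after it, so the remainder of the function is not visible here.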
@@ -113,9 +113,9 @@ void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
if ((stateNotZero && stateZero)) {
std::vector<SymbolRef> taintedSyms = getTaintedSymbols(C.getState(), *DV);
if (!taintedSyms.empty()) {
- reportTaintBug("Division by a tainted value, possibly zero", stateNotZero,
- C, taintedSyms);
- return;
+ reportTaintBug("Division by a tainted value, possibly zero", stateZero, C,
+ taintedSyms);
+ // Fallthrough to continue analysis in case of non-zero denominator.
}
}