This is an archive of the discontinued LLVM Phabricator instance.

Differential D10145

[analyzer] Fix a crash by division by zero
ClosedPublic

Authored by takeshi-yoshimura on May 30 2015, 12:16 AM.

Details

Reviewers
danielmarjamaki
Commits
rG0dadfa8d0544: Fix a crash by division by zero in analyzer
rC240643: Fix a crash by division by zero in analyzer
rL240643: Fix a crash by division by zero in analyzer
Summary

When I conducted static analysis without core checkers, clang encountered
a crash by division by zero. The cause of the division-by-zero is
that BasicValueFactory::evalAPSInt() blindly operates divisions with
*any* known values. It means the SVal builder operates divisions even if
RHS value is zero. My fix is simply adding a RHS check before performing
the division in BasicValueFactory::evalAPSInt().

Diff Detail

Repository
rL LLVM

Event Timeline

takeshi-yoshimura updated this revision to Diff 26843.May 30 2015, 12:16 AM
takeshi-yoshimura retitled this revision from to [analyzer] Fix a crash by division by zero.
takeshi-yoshimura updated this object.
takeshi-yoshimura edited the test plan for this revision. (Show Details)
takeshi-yoshimura added a subscriber: Unknown Object (MLST).
takeshi-yoshimura updated this revision to Diff 26844.May 30 2015, 12:26 AM
takeshi-yoshimura updated this revision to Diff 26845.May 30 2015, 12:31 AM
danielmarjamaki added a subscriber: danielmarjamaki.May 31 2015, 11:51 PM

I can reproduce using your testcode. It's a good catch. And the fix looks good to me. Does anybody else have any opinions?

danielmarjamaki accepted this revision.May 31 2015, 11:51 PM
danielmarjamaki added a reviewer: danielmarjamaki.
This revision is now accepted and ready to land.May 31 2015, 11:51 PM
takeshi-yoshimura updated this revision to Diff 26965.Jun 2 2015, 5:03 AM
takeshi-yoshimura edited edge metadata.

Thanks, danielmarjamaki. I found llvm-lit fails with the test code, so I updated it.

takeshi-yoshimura set the repository for this revision to rL LLVM.Jun 2 2015, 5:16 AM
danielmarjamaki added a comment.Jun 23 2015, 3:34 AM

Thanks!

Do you need help to commit this?

Does anybody else have comments?

takeshi-yoshimura added a comment.Jun 23 2015, 3:45 AM

Yes, could you commit this?

Closed by commit rL240643: Fix a crash by division by zero in analyzer (authored by danielmarjamaki). · Explain WhyJun 25 2015, 7:06 AM
This revision was automatically updated to reflect the committed changes.
danielmarjamaki added a comment.Jun 25 2015, 7:08 AM

Thanks! I committed the changes with 240643.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
4 lines
test/
Analysis/
7 lines

Diff 28462

cfe/trunk/lib/StaticAnalyzer/Core/BasicValueFactory.cpp

Show First 20 LinesShow All 148 Lines▼ Show 20 LinesBasicValueFactory::evalAPSInt(BinaryOperator::Opcode Op,
switch (Op) { switch (Op) {
default: default:
assert (false && "Invalid Opcode."); assert (false && "Invalid Opcode.");
case BO_Mul: case BO_Mul:
return &getValue( V1 * V2 ); return &getValue( V1 * V2 );
case BO_Div: case BO_Div:
if (V2 == 0) // Avoid division by zero
return nullptr;
return &getValue( V1 / V2 ); return &getValue( V1 / V2 );
case BO_Rem: case BO_Rem:
if (V2 == 0) // Avoid division by zero
return nullptr;
return &getValue( V1 % V2 ); return &getValue( V1 % V2 );
case BO_Add: case BO_Add:
return &getValue( V1 + V2 ); return &getValue( V1 + V2 );
case BO_Sub: case BO_Sub:
return &getValue( V1 - V2 ); return &getValue( V1 - V2 );
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/division-by-zero.c

// RUN: %clang_cc1 -analyze -analyzer-checker=unix.Malloc %s
// Do not crash due to division by zero
int f(unsigned int a) {
if (a <= 0) return 1 / a;
return a;
}