This is an archive of the discontinued LLVM Phabricator instance.

[clang] [StaticAnalyzer] DivZeroChecker: possibly zero non-tainted state should not transition to non-zero state directly.
AbandonedPublic

Authored by Ustchcs_Bugfinder on Nov 4 2020, 11:39 PM.

Details

Summary

We are trying to write checkers to catch possibly zero state. core.DivideZero transitioning to non-zero state directly leaves no space for other checkers to do anything else any more.

Diff Detail

Event Timeline

Ustchcs_Bugfinder requested review of this revision. Nov 4 2020, 11:39 PM
Ustchcs_Bugfinder edited the summary of this revision. (Show Details) Nov 4 2020, 11:42 PM
martong requested changes to this revision. Nov 5 2020, 8:20 AM

We are trying to write checkers to catch possibly zero state.

IMO, that should be handled with taint analysis, i.e. when the value's provenance is untrusted we should warn. I don't see any other cases when we'd like to warn about a possible 0 denominator because that would cause false positives.

... core.DivideZero transitioning to non-zero state directly leaves no space for other checkers to do anything else any more.

To meaningfully continue the path sensitive analysis, we must assume that the value cannot be 0, otherwise the program would be ill-formed (undefined behaviour), thus it would not make any sense to continue the analysis on the path where the denom can also be 0.
Actually, this is a recurring pattern we do all over the static analyzer in many checkers, check out e.g. the DereferenceChecker and you will see the same pattern.

This revision now requires changes to proceed. Nov 5 2020, 8:20 AM
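To make the state transition discussed above concrete, here is an added Python model (example code, not LLVM's DivZeroChecker source) of the assumeDual split that core.DivideZero performs before a division: the `State` class, its value sets and the `branch_feasible` helper are a constructed stand-in for the analyzer's constraint manager, and the report strings are modeled on the checker's messages.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    # Constructed stand-in for the analyzer's range constraints on the symbolic
    # denominator: the set of values it may still take, plus a taint flag.
    possible: frozenset
    tainted: bool = False


def assume_dual(state, pred):
    """Split a state on a predicate, like ConstraintManager::assumeDual.

    Returns (state_where_true, state_where_false); an infeasible side is None.
    """
    true_vals = frozenset(v for v in state.possible if pred(v))
    false_vals = frozenset(v for v in state.possible if not pred(v))
    return (State(true_vals, state.tainted) if true_vals else None,
            State(false_vals, state.tainted) if false_vals else None)


def div_zero_checker(state):
    """Model of core.DivideZero's logic for one division.

    Returns (reports, next_state). next_state is None when the path sinks.
    """
    not_zero, zero = assume_dual(state, lambda v: v != 0)
    if not_zero is None:
        # Denominator is definitely zero: report and stop exploring this path.
        return (["Division by zero"], None)
    reports = []
    if zero is not None and state.tainted:
        # Possibly zero and untrusted: warn, but keep going.
        reports.append("Division by a tainted value, possibly zero")
    # The pattern under discussion: only the non-zero state continues, so a
    # non-tainted "possibly zero" state is never handed to later checkers.
    return (reports, not_zero)


def branch_feasible(state, pred):
    """Can a later branch such as `if (denominator == 0)` still be taken?"""
    taken, _ = assume_dual(state, pred)
    return taken is not None
```

Running `div_zero_checker` on a state where the denominator may be 0, 1 or 2 yields no report and a continuing state of {1, 2}, so a subsequent `denominator == 0` branch is infeasible on that path.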
Ustchcs_Bugfinder abandoned this revision. Nov 23 2020, 6:30 AM