NagyDonat wrote: Unfortunately "strict" logic like this does not work in practice, it would flood the user with too many false positives.
The analyzer works on many small fragments of the code separately (without knowledge about the context): practically any function can act as an "entrypoint" of analysis (not just `main()`) and there are many situations where it doesn't follow a function call (and just says "this function returns some unknown value"). (These are not avoidable problems – the algorithms would be exponential and hopelessly slow without many heuristic cut-offs.) These imply that "the analyzer cannot determine the value of X" is a very common occurrence (even on perfectly valid code), so it must not trigger report creation.

However, the static analyzer is capable of doing "taint analysis" where it recognizes that certain functions (the so-called _taint sources_) read values from untrusted sources, and their output must be handled with strict logic (until it is sanitized/validated). In particular, the checker [optin.taint.TaintedDiv](https://clang.llvm.org/docs/analyzer/checkers.html#optin-taint-tainteddiv-c-c-objc) implements strict handling of division _when the denominator is tainted_. For more information about the taint analysis, see the documentation of [optin.taint.GenericTaint](https://clang.llvm.org/docs/analyzer/checkers.html#optin-taint-generictaint-c-c).

Note that taint analysis checkers are placed in the `optin` checker group because they are more noisy than the typical checkers in the analyzer (and the "strict" behavior = "everything is tainted" would be much more noisy than that).

https://github.com/llvm/llvm-project/pull/176727

_______________________________________________
cfe-commits mailing list
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
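The distinction the comment draws, as an added C example that is not part of the PR or of the comment: in the first function the denominator flows from `scanf` (a taint source in the default GenericTaint configuration) straight into the division, which is what `optin.taint.TaintedDiv` reports; in the second it is used only after branches that reject a malformed, zero or out-of-range value and the overflowing `INT_MIN / -1` case, which is how the tainted value becomes sanitized. The function names are constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not from the PR or the analyzer sources. Assumes the default
 * optin.taint.GenericTaint configuration, where scanf() is a taint source:
 * values derived from its output stay tainted until a branch constrains them. */

/* Unsanitized: the denominator flows from a taint source straight into the
 * division, which is the pattern optin.taint.TaintedDiv reports. */
int divide_unchecked(int numerator) {
    int denom = 0;
    if (scanf("%d", &denom) != 1)
        return 0;
    return numerator / denom;   /* tainted denominator, never checked */
}

/* Parse an untrusted string into a denominator. Returns 1 and sets *out only
 * for a well-formed, in-range, non-zero value; these branches on the tainted
 * value are what the analyzer treats as sanitization. */
int sanitize_denominator(const char *text, int *out) {
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return 0;                           /* not a clean integer */
    if (value == 0 || value < INT_MIN || value > INT_MAX)
        return 0;                           /* zero or outside int range */
    *out = (int)value;
    return 1;
}

/* Sanitized: divides only once the denominator passed the checks and the
 * INT_MIN / -1 overflow case is excluded. Returns 1 on success. */
int divide_checked(int numerator, const char *untrusted, int *result) {
    int denom;
    if (!sanitize_denominator(untrusted, &denom))
        return 0;
    if (numerator == INT_MIN && denom == -1)
        return 0;                           /* quotient would not fit in int */
    *result = numerator / denom;
    return 1;
}
```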
