https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225

            Bug ID: 106225
           Summary: False positives from -Wanalyzer-tainted-divisor
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

-Wanalyzer-tainted-divisor seems to be using the wrong logic for determining if
a value has been checked for zeroness; consider:

#include <stdio.h>

struct st1
{
  int a;
  int b;
};

int test_checked_ne_zero (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  if (s.b)
    return s.a / s.b;
  else
    return 0;
}

for which (with -fanalyzer -fanalyzer-checker=taint) trunk and gcc 12.1
erroneously emit:

<source>: In function 'test_checked_ne_zero':
<source>:14:16: warning: use of attacker-controlled value 's.b' as divisor without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor]
   14 |     return s.a / s.b;
      |            ~~~~^~~~~
  'test_checked_ne_zero': events 1-3
    |
    |   13 |   if (s.b)
    |      |      ^
    |      |      |
    |      |      (1) following 'true' branch...
    |   14 |     return s.a / s.b;
    |      |            ~~~~~~~~~
    |      |             |  |
    |      |             |  (3) use of attacker-controlled value 's.b' as divisor without checking for zero
    |      |             (2) ...to here
    |

despite the check for zero at line 13.

https://godbolt.org/z/KK4K8h9z3

Reduced from false positive seen on Linux kernel in drivers/tty/vt/vt_ioctl.c:
(function vt_resizex).
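The following is an added example, not code from the bug report or from GCC. It keeps the reproducer's shape (a struct filled by fread, then divided) and shows the two guards a practitioner actually wants around an attacker-controlled divisor: a plain truthiness test, which is a complete zero check and is what the analyzer should accept, and a fuller guard, because for signed integers zero is not the only trapping divisor: INT_MIN / -1 overflows and raises SIGFPE on x86. The helper names (divide_truthy, divide_guarded, read_st1, run_on_bytes, make_input) and the constructed byte buffers are this example's own; fmemopen is POSIX and is assumed available.

```c
/* Added example: attacker-controlled divisor handling. Not part of the
   GCC bug report; helper names and inputs are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>

struct st1 {
  int a;
  int b;
};

/* Same check as the reproducer: a truthiness test on s->b is a zero
   check, so the division on the 'true' branch cannot divide by zero. */
int divide_truthy(const struct st1 *s)
{
  if (s->b)
    return s->a / s->b;
  return 0;
}

/* Fuller guard: refuse a zero divisor and the one signed case that also
   traps, INT_MIN / -1. Returns 0 on success, -1 if the division is refused. */
int divide_guarded(const struct st1 *s, int *out)
{
  if (s->b == 0)
    return -1;
  if (s->a == INT_MIN && s->b == -1)
    return -1;
  *out = s->a / s->b;
  return 0;
}

/* Read one struct st1 from f as the reproducer does, but check that fread
   actually filled it; on a short read the fields would be uninitialized. */
int read_st1(FILE *f, struct st1 *s)
{
  return fread(s, sizeof *s, 1, f) == 1 ? 0 : -1;
}

/* Drive read_st1 and divide_guarded over an in-memory stream built from a
   constructed byte buffer, so the fread path runs without a real file. */
int run_on_bytes(const unsigned char *buf, size_t len, int *out)
{
  FILE *f = fmemopen((void *)buf, len, "r");
  if (!f)
    return -1;
  struct st1 s;
  int rc = read_st1(f, &s);
  fclose(f);
  if (rc != 0)
    return -1;
  return divide_guarded(&s, out);
}

/* Serialize a and b in host byte order, exactly as fread will read them.
   Returns the number of bytes written, or 0 if the buffer is too small. */
size_t make_input(int a, int b, unsigned char *buf, size_t cap)
{
  struct st1 s = { a, b };
  if (cap < sizeof s)
    return 0;
  memcpy(buf, &s, sizeof s);
  return sizeof s;
}

int main(void)
{
  unsigned char buf[sizeof(struct st1)];
  int out = 0;
  size_t n = make_input(84, 2, buf, sizeof buf);
  printf("84/2: rc=%d out=%d\n", run_on_bytes(buf, n, &out), out);
  n = make_input(1, 0, buf, sizeof buf);
  printf("1/0: rc=%d\n", run_on_bytes(buf, n, &out));
  n = make_input(INT_MIN, -1, buf, sizeof buf);
  printf("INT_MIN/-1: rc=%d\n", run_on_bytes(buf, n, &out));
  return 0;
}
```

Compiling this with -fanalyzer -fanalyzer-checker=taint exercises the same checked-divisor pattern as the reproducer; the guarded variant additionally documents why a zero check alone is not the whole story for signed division.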
