https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106225
Bug ID: 106225
Summary: False positives from -Wanalyzer-tainted-divisor
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---

-Wanalyzer-tainted-divisor seems to be using the wrong logic for determining if a value has been checked for zeroness; consider:

#include <stdio.h>

struct st1
{
  int a;
  int b;
};

int test_checked_ne_zero (FILE *f)
{
  struct st1 s;
  fread (&s, sizeof (s), 1, f);
  if (s.b)
    return s.a / s.b;
  else
    return 0;
}

for which (with -fanalyzer -fanalyzer-checker=taint) trunk and gcc 12.1 erroneously emit:

<source>: In function 'test_checked_ne_zero':
<source>:14:16: warning: use of attacker-controlled value 's.b' as divisor without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor]
   14 |     return s.a / s.b;
      |            ~~~~^~~~~
  'test_checked_ne_zero': events 1-3
    |
    |   13 |   if (s.b)
    |      |      ^
    |      |      |
    |      |      (1) following 'true' branch...
    |   14 |     return s.a / s.b;
    |      |            ~~~~~~~~~
    |      |                |
    |      |                (3) use of attacker-controlled value 's.b' as divisor without checking for zero
    |      |                (2) ...to here
    |

despite the check for zero at line 13.

https://godbolt.org/z/KK4K8h9z3

Reduced from false positive seen on Linux kernel in drivers/tty/vt/vt_ioctl.c (function vt_resizex).
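An added example, not part of the report or of GCC: the same read-then-divide shape with the divisor guard made explicit and also covering the other undefined case for a signed quotient (INT_MIN / -1). The record is read from a constructed in-memory buffer rather than fread() so it runs offline; checked_div, test_checked_ne_zero_from_buf and divide_record are hypothetical names.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct st1 { int a; int b; };

/* Divide a by b only when the attacker-controlled divisor is usable.
   Returns false (and leaves *out untouched) when b == 0 or when the
   quotient would overflow (INT_MIN / -1); both are undefined in C. */
static bool checked_div(int a, int b, int *out)
{
    if (b == 0)
        return false;
    if (a == INT_MIN && b == -1)
        return false;
    *out = a / b;
    return true;
}

/* Same shape as the report's test case, but the record comes from an
   in-memory buffer (constructed input) instead of a FILE*. Short input
   and any unusable divisor yield 0, as the report's function does. */
int test_checked_ne_zero_from_buf(const unsigned char *buf, size_t len)
{
    struct st1 s;
    int q;
    if (len < sizeof s)
        return 0;
    memcpy(&s, buf, sizeof s);      /* taint source: untrusted bytes */
    if (checked_div(s.a, s.b, &q))
        return q;
    return 0;
}

/* Build a record from two ints (constructed sample input) and run it
   through the checked path. */
int divide_record(int a, int b)
{
    struct st1 s = { a, b };
    unsigned char buf[sizeof s];
    memcpy(buf, &s, sizeof s);
    return test_checked_ne_zero_from_buf(buf, sizeof buf);
}
```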