CPP : Ill-defined for-loop (C6293)

raulgarciamsft · raulgarciamsft · commit 739804acb218 · 2018-10-17T16:24:34.000-07:00
Superset of C6293, it looks for a mismatch between the initialization statement &amp;&amp; condition and the direction of the iteration expression in a for loop.
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,6 @@
 /.vs/ql/v15/Browse.VC.db
 /.vs/ProjectSettings.json
 
+/.vs/slnx.sqlite-journal
+/.vs/ql_6293a/v15/Browse.VC.opendb
+/.vs/ql_6293a/v15/Browse.VC.db
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.c b/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.c
@@ -0,0 +1,7 @@
+void f()
+{
+    for (signed char i = 0; i < 100; i--)
+    {
+        // code ...
+    }
+}
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.qhelp b/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>A <code>for-loop</code> iteration expression goes backwards with respect of the initialization statement and condition expression.</p>
+  <p>This warning indicates that a <code>for-loop</code> might not function as intended.</p>
+</overview>
+
+<recommendation>
+<p>Verify the iteration expression on the <code>for-loop</code> and make sure the direction of the iteration expression is correct.</p>
+</recommendation>
+
+<example>
+<p>In the following example, the initialization statement (<code>i = 0</code>) and the condition expression (<code>i < 100</code>) indicate that the intended iteration expression should have been incrementing, but instead a postfix decrement operator is used (<code>i--</code>).</p>
+<sample src="illDefinedForLoop.c" />
+
+<p>To fix this issue, change the iteration expression to match the direction of the initialization statement and the condition expression: <code>i++</code>.</p>
+</example>
+
+<references>
+  <li><a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/58teb7hd(v=vs.110)">warning C6293: Ill-defined for-loop: counts down from minimum</a>
+  </li>
+</references>
+
+</qhelp>
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.ql b/cpp/ql/src/Likely Bugs/Likely Typos/illDefinedForLoop.ql
@@ -0,0 +1,102 @@
+/**
+ * @name Ill-defined for loop
+ * @description A for-loop iteration expressions goes backward with respect of the initialization statement and condition expression.
+ * @id cpp/ill-defined-for-loop
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @tags external/microsoft/6293
+ * @msrc.severity important
+ */
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+predicate illDefinedDecrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition 
+  and
+  exists( 
+    RelationalOperation rel, Expr e |
+    rel = forstmt.getCondition() |
+    e = rel.getGreaterOperand()
+    and v.getAnAccess() = rel.getLesserOperand()
+    and terminalCondition = e
+  )
+  and
+  (
+    exists( 
+      PostfixDecrExpr pdec |
+      pdec = forstmt.getUpdate().(PostfixDecrExpr)
+      and pdec.getAnOperand() = v.getAnAccess()
+    ) or 
+    exists( 
+      PrefixDecrExpr pdec |
+      pdec = forstmt.getUpdate().(PrefixDecrExpr)
+      and pdec.getAnOperand() = v.getAnAccess()
+    )
+  )
+  and
+  upperBound(initialCondition) < lowerBound(terminalCondition)
+}
+
+predicate illDefinedIncrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition 
+  and
+  exists( 
+    RelationalOperation rel, Expr e |
+    rel = forstmt.getCondition() |
+    e = rel.getLesserOperand()
+    and v.getAnAccess() = rel.getGreaterOperand()
+    and terminalCondition = e
+  )
+  and
+  ( exists( PostfixIncrExpr pincr |
+      pincr = forstmt.getUpdate().(PostfixIncrExpr)
+      and
+      pincr.getAnOperand() = v.getAnAccess()
+    ) or 
+    exists( PrefixIncrExpr pincr |
+      pincr = forstmt.getUpdate().(PrefixIncrExpr)
+      and
+      pincr.getAnOperand() = v.getAnAccess()
+    )
+  )
+  and
+  upperBound(terminalCondition) < lowerBound(initialCondition)
+}
+ 
+predicate illDefinedForStmtWrongDirection( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition
+  , boolean isIncr ) {
+  ( illDefinedDecrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = false )
+  or
+  ( illDefinedIncrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = true)
+}
+ 
+bindingset[b]
+private string forLoopdirection(boolean b){
+  if( b = true ) then  result = "upward" 
+  else result = "downward"
+}
+
+bindingset[b]
+private string forLoopTerminalConditionRelationship(boolean b){
+  if( b = true ) then  result = "lower" 
+  else result = "higher"
+}
+
+ predicate illDefinedForStmt( ForStmt for, string message ) {
+  exists( 
+    boolean isIncr, 
+    Variable v,
+    Expr initialCondition,
+    Expr terminalCondition |
+    illDefinedForStmtWrongDirection(for, v, initialCondition, terminalCondition, isIncr)
+    and
+    message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+      + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is "
+      + forLoopTerminalConditionRelationship(isIncr) + " (" + terminalCondition + ")."
+  )
+}
+ 
+from ForStmt forstmt, string message 
+ where illDefinedForStmt(forstmt, message)
+select forstmt, message
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.c
@@ -0,0 +1,89 @@
+void Signed()
+{
+    signed char i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+
+}
+
+void Unsigned()
+{
+    unsigned long i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+}
+
+void InitializationOutsideLoop()
+{
+    signed char i = 0;
+
+    for (; i < 100; i--)   //BUG
+    {
+    }
+
+    i = 0;
+    for (; i < 100; i++)
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i++)   //BUG
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i--)
+    {
+    }
+}
+
+void NegativeTestCase()
+{
+    int i;
+    for (i = 0; (200 - i) < 100; i--)
+    {
+        // code ...
+    }
+}
+
+void NegativeTestCaseNested()
+{
+    int k;
+    int i;
+
+    for (k = 200; k < 300; k++)
+    {
+        for (i = 0; (k - i) < 100; i--)
+        {
+            // code ...
+        }
+    }
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.cpp
@@ -0,0 +1,128 @@
+void Signed()
+{
+    signed char i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+
+}
+
+void Unsigned()
+{
+    unsigned long i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+}
+
+void DeclarationInLoop()
+{
+    for (signed char i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (signed char i = 0; i < 100; i++)
+    {
+    }
+
+    for (unsigned char i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (unsigned char i = 100; i >= 0; i--)
+    {
+    }
+}
+
+void SignedWithVariables()
+{
+    signed char i;
+    signed char min = 0;
+    signed char max = 100;
+
+    for (i = min; i < max; i--)   //BUG
+    {
+    }
+
+    for (i = min; i < max; i++)
+    {
+    }
+
+    for (i = max; i >= min; i++)   //BUG
+    {
+    }
+
+    for (i = max; i >= min; i--)
+    {
+    }
+
+}
+
+void InitializationOutsideLoop()
+{
+    signed char i = 0;
+
+    for (; i < 100; i--)   //BUG
+    {
+    }
+
+    i = 0;
+    for (; i < 100; i++)
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i++)   //BUG
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i--)
+    {
+    }
+}
+
+void NegativeTestCase()
+{
+    for (int i = 0; (200 - i) < 100; i--)
+    {
+        // code ...
+    }
+}
+
+void NegativeTestCaseNested()
+{
+    for (int k = 200; k < 300; k++)
+    {
+        for (int i = 0; (k - i) < 100; i--)
+        {
+            // code ...
+        }
+    }
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.expected
@@ -0,0 +1,16 @@
+| illDefinedForLoop.c:5:5:7:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.c:13:5:15:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.c:27:5:29:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.c:35:5:37:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.c:48:5:50:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.c:58:5:60:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.cpp:5:5:7:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.cpp:13:5:15:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.cpp:27:5:29:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.cpp:35:5:37:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.cpp:46:5:48:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.cpp:54:5:56:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| illDefinedForLoop.cpp:69:5:71:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (min), but the terminal condition is higher (max). |
+| illDefinedForLoop.cpp:77:5:79:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (max), but the terminal condition is lower (min). |
+| illDefinedForLoop.cpp:91:5:93:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
+| illDefinedForLoop.cpp:101:5:103:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/illDefinedForLoop/illDefinedForLoop.qlref
@@ -0,0 +1 @@
+Likely Bugs/Likely Typos/illDefinedForLoop.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Likely Bugs/Likely Typos/illDefinedForLoop.ql`