Merge pull request #332 from raulgarciamsft/users/raulga/c6293a

Approved by dave-bartolomeo
2025-12-18 01:33:15 +01:00 · 2018-10-25 00:59:35 +01:00
parent 292189c1e0 e1efcb0b26
commit cfe0b8803a
7 changed files with 442 additions and 0 deletions
--- a/Typos/inconsistentLoopDirection.c
+++ b/Typos/inconsistentLoopDirection.c
@@ -0,0 +1,7 @@
+void f()
+{
+    for (signed char i = 0; i < 100; i--)
+    {
+        // code ...
+    }
+}
--- a/Typos/inconsistentLoopDirection.qhelp
+++ b/Typos/inconsistentLoopDirection.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>A <code>for-loop</code> iteration expression goes backwards with respect of the initialization statement and condition expression.</p>
+  <p>This warning indicates that a <code>for-loop</code> might not function as intended.</p>
+</overview>
+
+<recommendation>
+<p>To fix this issue, check that the loop condition is correct and change the iteration expression to match.</p>
+</recommendation>
+
+<example>
+<p>In the following example, the initialization statement (<code>i = 0</code>) and the condition expression (<code>i &lt; 100</code>) indicate that the intended iteration expression should have been incrementing, but instead a postfix decrement operator is used (<code>i--</code>).</p>
+<sample src="inconsistentLoopDirection.c" />
+
+<p>To fix this issue, change the iteration expression to match the direction of the initialization statement and the condition expression: <code>i++</code>.</p>
+</example>
+
+<references>
+  <li><a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/58teb7hd(v=vs.110)">warning C6293: Ill-defined for-loop: counts down from minimum</a>
+  </li>
+</references>
+
+</qhelp>
--- a/Typos/inconsistentLoopDirection.ql
+++ b/Typos/inconsistentLoopDirection.ql
@@ -0,0 +1,116 @@
+/**
+ * @name Inconsistent direction of for loop
+ * @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/inconsistent-loop-direction
+ * @tags correctness
+ *       external/cwe/cwe-835 
+ *       external/microsoft/6293
+ * @msrc.severity important
+ */
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.dataflow.DataFlow
+
+predicate illDefinedDecrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition
+  and
+  exists( 
+    RelationalOperation rel |
+    rel = forstmt.getCondition() |
+    terminalCondition = rel.getGreaterOperand()
+    and v.getAnAccess() = rel.getLesserOperand()
+    and
+    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(rel.getLesserOperand()))
+    )
+  and
+  exists( 
+    DecrementOperation dec |
+    dec = forstmt.getUpdate().(DecrementOperation)
+    and dec.getAnOperand() = v.getAnAccess()
+  )
+  and
+  ( 
+    ( upperBound(initialCondition) < lowerBound(terminalCondition) )
+    or
+    ( forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue() )
+  )
+}
+
+predicate illDefinedIncrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition 
+  and
+  exists( 
+    RelationalOperation rel |
+    rel = forstmt.getCondition() |
+    terminalCondition = rel.getLesserOperand()
+    and v.getAnAccess() = rel.getGreaterOperand()
+    and
+    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(rel.getGreaterOperand()))
+  )
+  and
+  exists( IncrementOperation incr |
+    incr = forstmt.getUpdate().(IncrementOperation)
+    and
+    incr.getAnOperand() = v.getAnAccess()
+  )
+  and
+  ( 
+    ( upperBound(terminalCondition) < lowerBound(initialCondition))
+    or
+    ( forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
+  )
+}
+ 
+predicate illDefinedForStmtWrongDirection( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition
+  , boolean isIncr ) {
+  ( illDefinedDecrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = false )
+  or
+  ( illDefinedIncrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = true)
+}
+ 
+bindingset[b]
+private string forLoopdirection(boolean b){
+  if( b = true ) then  result = "upward" 
+  else result = "downward"
+}
+
+bindingset[b]
+private string forLoopTerminalConditionRelationship(boolean b){
+  if( b = true ) then  result = "lower" 
+  else result = "higher"
+}
+
+ predicate illDefinedForStmt( ForStmt for, string message ) {
+  exists( 
+    boolean isIncr, 
+    Variable v,
+    Expr initialCondition,
+    Expr terminalCondition |
+    illDefinedForStmtWrongDirection(for, v, initialCondition, terminalCondition, isIncr)
+    and
+    if( for.conditionAlwaysFalse() ) then 
+    (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+      + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is always false."
+    ) 
+    else if 
+    ( 
+      for.conditionAlwaysTrue() ) then (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+      + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is always true."
+    ) 
+    else 
+    (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+        + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is "
+        + forLoopTerminalConditionRelationship(isIncr) + " (" + terminalCondition + ")."
+    )
+  )
+}
+ 
+from ForStmt forstmt, string message 
+ where illDefinedForStmt(forstmt, message)
+select forstmt, message