Merge pull request #332 from raulgarciamsft/users/raulga/c6293a

Approved by dave-bartolomeo

Author: semmle-qlci

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.c

@@ -0,0 +1,7 @@
+void f()
+{
+    for (signed char i = 0; i < 100; i--)
+    {
+        // code ...
+    }
+}

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.qhelp

@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>A <code>for-loop</code> iteration expression goes backwards with respect of the initialization statement and condition expression.</p>
+  <p>This warning indicates that a <code>for-loop</code> might not function as intended.</p>
+</overview>
+
+<recommendation>
+<p>To fix this issue, check that the loop condition is correct and change the iteration expression to match.</p>
+</recommendation>
+
+<example>
+<p>In the following example, the initialization statement (<code>i = 0</code>) and the condition expression (<code>i &lt; 100</code>) indicate that the intended iteration expression should have been incrementing, but instead a postfix decrement operator is used (<code>i--</code>).</p>
+<sample src="inconsistentLoopDirection.c" />
+
+<p>To fix this issue, change the iteration expression to match the direction of the initialization statement and the condition expression: <code>i++</code>.</p>
+</example>
+
+<references>
+  <li><a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/58teb7hd(v=vs.110)">warning C6293: Ill-defined for-loop: counts down from minimum</a>
+  </li>
+</references>
+
+</qhelp>

cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql

@@ -0,0 +1,116 @@
+/**
+ * @name Inconsistent direction of for loop
+ * @description A for-loop iteration expression goes backward with respect of the initialization statement and condition expression.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/inconsistent-loop-direction
+ * @tags correctness
+ *       external/cwe/cwe-835 
+ *       external/microsoft/6293
+ * @msrc.severity important
+ */
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.dataflow.DataFlow
+
+predicate illDefinedDecrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition
+  and
+  exists( 
+    RelationalOperation rel |
+    rel = forstmt.getCondition() |
+    terminalCondition = rel.getGreaterOperand()
+    and v.getAnAccess() = rel.getLesserOperand()
+    and
+    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(rel.getLesserOperand()))
+    )
+  and
+  exists( 
+    DecrementOperation dec |
+    dec = forstmt.getUpdate().(DecrementOperation)
+    and dec.getAnOperand() = v.getAnAccess()
+  )
+  and
+  ( 
+    ( upperBound(initialCondition) < lowerBound(terminalCondition) )
+    or
+    ( forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue() )
+  )
+}
+
+predicate illDefinedIncrForStmt( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition ) { 
+  v.getAnAssignedValue() = initialCondition 
+  and
+  exists( 
+    RelationalOperation rel |
+    rel = forstmt.getCondition() |
+    terminalCondition = rel.getLesserOperand()
+    and v.getAnAccess() = rel.getGreaterOperand()
+    and
+    DataFlow::localFlowStep(DataFlow::exprNode(initialCondition), DataFlow::exprNode(rel.getGreaterOperand()))
+  )
+  and
+  exists( IncrementOperation incr |
+    incr = forstmt.getUpdate().(IncrementOperation)
+    and
+    incr.getAnOperand() = v.getAnAccess()
+  )
+  and
+  ( 
+    ( upperBound(terminalCondition) < lowerBound(initialCondition))
+    or
+    ( forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
+  )
+}
+ 
+predicate illDefinedForStmtWrongDirection( ForStmt forstmt, Variable v, Expr initialCondition, Expr terminalCondition
+  , boolean isIncr ) {
+  ( illDefinedDecrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = false )
+  or
+  ( illDefinedIncrForStmt( forstmt, v, initialCondition, terminalCondition) and isIncr = true)
+}
+ 
+bindingset[b]
+private string forLoopdirection(boolean b){
+  if( b = true ) then  result = "upward" 
+  else result = "downward"
+}
+
+bindingset[b]
+private string forLoopTerminalConditionRelationship(boolean b){
+  if( b = true ) then  result = "lower" 
+  else result = "higher"
+}
+
+ predicate illDefinedForStmt( ForStmt for, string message ) {
+  exists( 
+    boolean isIncr, 
+    Variable v,
+    Expr initialCondition,
+    Expr terminalCondition |
+    illDefinedForStmtWrongDirection(for, v, initialCondition, terminalCondition, isIncr)
+    and
+    if( for.conditionAlwaysFalse() ) then 
+    (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+      + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is always false."
+    ) 
+    else if 
+    ( 
+      for.conditionAlwaysTrue() ) then (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+      + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is always true."
+    ) 
+    else 
+    (
+      message = "Ill-defined for-loop: a loop using variable \"" + v + "\" counts " 
+        + forLoopdirection(isIncr) + " from a value ("+ initialCondition +"), but the terminal condition is "
+        + forLoopTerminalConditionRelationship(isIncr) + " (" + terminalCondition + ")."
+    )
+  )
+}
+ 
+from ForStmt forstmt, string message 
+ where illDefinedForStmt(forstmt, message)
+select forstmt, message

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c

@@ -0,0 +1,89 @@
+void Signed()
+{
+    signed char i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+
+}
+
+void Unsigned()
+{
+    unsigned long i;
+
+    for (i = 0; i < 100; i--)   //BUG
+    {
+    }
+
+    for (i = 0; i < 100; i++)
+    {
+    }
+
+    for (i = 100; i >= 0; i++)   //BUG
+    {
+    }
+
+    for (i = 100; i >= 0; i--)
+    {
+    }
+}
+
+void InitializationOutsideLoop()
+{
+    signed char i = 0;
+
+    for (; i < 100; i--)   //BUG
+    {
+    }
+
+    i = 0;
+    for (; i < 100; i++)
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i++)   //BUG
+    {
+    }
+
+    i = 100;
+    for (; i >= 0; i--)
+    {
+    }
+}
+
+void NegativeTestCase()
+{
+    int i;
+    for (i = 0; (200 - i) < 100; i--)
+    {
+        // code ...
+    }
+}
+
+void NegativeTestCaseNested()
+{
+    int k;
+    int i;
+
+    for (k = 200; k < 300; k++)
+    {
+        for (i = 0; (k - i) < 100; i--)
+        {
+            // code ...
+        }
+    }
+}