Merge pull request #10550 from d10c/cpp/comma-before-misleading-indentation

Author: d10c

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.cpp

@@ -0,0 +1,32 @@
+/*
+ * In this example, the developer intended to use a semicolon but accidentally used a comma:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin)
+    entitlements = FULL, // BAD
+
+restrict_privileges(entitlements);
+
+/*
+ * The use of a comma means that the first example is equivalent to this second example:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin) {
+    entitlements = FULL;
+    restrict_privileges(entitlements);
+}
+
+/*
+ * The indentation of the first example suggests that the developer probably intended the following code:
+ */
+
+enum privileges entitlements = NONE;
+
+if (is_admin)
+    entitlements = FULL; // GOOD
+
+restrict_privileges(entitlements);

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If the expression after the comma operator starts at an earlier column than the expression before the comma, then
+this suspicious indentation possibly indicates a logic error, caused by a typo that may escape visual inspection.
+</p>
+<warning>
+This query has medium precision because CodeQL currently does not distinguish between tabs and spaces in whitespace.
+If a file contains mixed tabs and spaces, alerts may highlight code that is correctly indented for one value of tab size but not for other tab sizes.
+</warning>
+</overview>
+
+<recommendation>
+<p>
+To ensure that your code is easy to read and review, use standard indentation around the comma operator. Always begin the right-hand-side operand at the same level of
+indentation (column number) as the left-hand-side operand. This makes it easier for other developers to see the intended behavior of your code.
+</p>
+<p>
+Use whitespace consistently to communicate your coding intentions. Where possible, avoid mixing tabs and spaces within a file. If you need to mix them, use them consistently.
+</p>
+</recommendation>
+
+<example>
+<p>
+This example shows three different ways of writing the same code. The first example contains a comma instead of a semicolon which means that the final line is part of the <code>if</code> statement, even though the indentation suggests that it is intended to be separate. The second example looks different but is functionally the same as the first example. It is more likely that the developer intended to write the third example.
+</p>
+<sample src="CommaBeforeMisleadingIndentation.cpp" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Comma_operator">Comma operator</a></li>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Indentation_style#Tabs,_spaces,_and_size_of_indentations">Indentation style &mdash; Tabs, spaces, and size of indentations</a></li>
+</references>
+
+</qhelp>

cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

@@ -0,0 +1,53 @@
+/**
+ * @name Comma before misleading indentation
+ * @description If expressions before and after a comma operator use different indentation, it is easy to misread the purpose of the code.
+ * @kind problem
+ * @id cpp/comma-before-misleading-indentation
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @precision medium
+ * @tags maintainability
+ *       readability
+ *       security
+ *       external/cwe/cwe-1078
+ *       external/cwe/cwe-670
+ */
+
+import cpp
+import semmle.code.cpp.commons.Exclusions
+
+/** Gets the sub-expression of 'e' with the earliest-starting Location */
+Expr normalizeExpr(Expr e) {
+  result =
+    min(Expr child |
+      child.getParentWithConversions*() = e.getFullyConverted() and
+      not child.getParentWithConversions*() = any(Call c).getAnArgument()
+    |
+      child order by child.getLocation().getStartColumn(), count(child.getParentWithConversions*())
+    )
+}
+
+predicate isParenthesized(CommaExpr ce) {
+  ce.getParent*().(Expr).isParenthesised()
+  or
+  ce.isUnevaluated() // sizeof(), decltype(), alignof(), noexcept(), typeid()
+  or
+  ce.getParent*() = [any(IfStmt i).getCondition(), any(SwitchStmt s).getExpr()]
+  or
+  ce.getParent*() = [any(Loop l).getCondition(), any(ForStmt f).getUpdate()]
+  or
+  ce.getEnclosingStmt() = any(ForStmt f).getInitialization()
+}
+
+from CommaExpr ce, Expr left, Expr right, Location leftLoc, Location rightLoc
+where
+  ce.fromSource() and
+  not isFromMacroDefinition(ce) and
+  left = normalizeExpr(ce.getLeftOperand()) and
+  right = normalizeExpr(ce.getRightOperand()) and
+  leftLoc = left.getLocation() and
+  rightLoc = right.getLocation() and
+  not isParenthesized(ce) and
+  leftLoc.getEndLine() < rightLoc.getStartLine() and
+  leftLoc.getStartColumn() > rightLoc.getStartColumn()
+select right, "The indentation level may be misleading for some tab sizes."

cpp/ql/src/change-notes/2022-09-30-comma-before-missing-indentation.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new medium-precision query, `cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.

cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.expected

@@ -0,0 +1,5 @@
+| test.cpp:49:2:49:8 | (void)... | The indentation level may be misleading for some tab sizes. |
+| test.cpp:52:2:52:15 | (void)... | The indentation level may be misleading for some tab sizes. |
+| test.cpp:160:3:160:9 | (void)... | The indentation level may be misleading for some tab sizes. |
+| test.cpp:166:5:166:7 | ... ++ | The indentation level may be misleading for some tab sizes. |
+| test.cpp:176:6:178:6 | ... ? ... : ... | The indentation level may be misleading for some tab sizes. |

cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref

@@ -0,0 +1 @@
+Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql

cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp

@@ -0,0 +1,208 @@
+// clang-format off
+
+typedef unsigned size_t;
+
+struct X {
+	int foo(int y) { return y; }
+} x;
+
+#define FOO(x) ( \
+   (x),          \
+  (x)            \
+)
+
+#define BAR(x, y) ((x), (y))
+
+#define BAZ //printf
+
+struct Foo {
+	int i, i_array[3];
+	int j;
+	virtual int foo(int) = 0;
+	virtual int bar(int, int) = 0;
+	int test(int (*baz)(int));
+
+	struct Tata {
+		struct Titi {
+			void tutu() {}
+			long toto() { return 42; }
+		} titi;
+
+		Titi *operator->() { return &titi; }
+	} *tata;
+};
+
+int Foo::test(int (*baz)(int))
+{
+	// Comma in simple if statement (prototypical example):
+
+	if (i)
+		(void)i,	// GOOD
+		j++;
+
+	if (i)
+		this->foo(i),	// GOOD
+		foo(i);
+
+	if (i)
+		(void)i,	// BAD
+	(void)j;
+
+	if (1) FOO(i),
+	(void)x.foo(j); // BAD
+
+	// Parenthesized comma (borderline example):
+
+	foo(i++), j++;   // GOOD
+	(foo(i++), j++); // GOOD
+	(foo(i++),       // GOOD
+	 j++);
+	(foo(i++),
+	 foo(i++),
+	j++,             // GOOD (?) -- Currently explicitly excluded
+	j++);
+
+	x.foo(i++), j++;   // GOOD
+	(x.foo(i++), j++); // GOOD
+	(x.foo(i++),       // GOOD
+	 j++);
+	(x.foo(i++),
+	 x.foo(i++),
+	j++,               // GOOD (?) -- Currently explicitly excluded
+	j++);
+
+	FOO(i++), j++;   // GOOD
+	(FOO(i++), j++); // GOOD
+	(FOO(i++),       // GOOD
+	 j++);
+	(FOO(i++),
+	 FOO(i++),
+	j++,             // GOOD (?) -- Currently explicitly excluded
+	j++);
+
+	(void)(i++), j++;   // GOOD
+	((void)(i++), j++); // GOOD
+	((void)(i++),       // GOOD
+	 j++);
+	((void)(i++),
+	 (void)(i++),
+	j++,                // GOOD (?) -- Currently explicitly excluded
+	j++);
+
+	// Comma in argument list doesn't count:
+
+	bar(i++, j++); // GOOD
+	bar(i++,
+	    j++);      // GOOD
+	bar(i++
+	  , j++);      // GOOD
+	bar(i++,
+	j++);          // GOOD: common pattern and unlikely to be misread.
+
+	BAR(i++, j++); // GOOD
+	BAR(i++,
+	    j++);      // GOOD
+	BAR(i++
+	  , j++);      // GOOD
+	BAR(i++,
+	j++);          // GOOD: common pattern and unlikely to be misread.
+
+	using T = decltype(x.foo(i++), // GOOD
+	                   j++);
+	(void)sizeof(x.foo(i++), // GOOD
+	             j++);
+	using U = decltype(x.foo(i++), // GOOD? Unlikely to be misread
+				j++);
+	(void)sizeof(x.foo(i++), // GOOD? Unlikely to be misread
+				j++);
+
+	BAZ("%d %d\n", i,
+		j); // GOOD -- Currently explicitly excluded
+
+	// Comma in loops
+
+    while (i = foo(j++), // GOOD
+           i != j && i != 42 &&
+               !foo(j)) {
+        i = j = i + j;
+    }
+
+    while (i = foo(j++), // GOOD??? Currently ignoring loop heads
+        i != j && i != 42 && !foo(j)) {
+        i = j = i + j;
+    }
+
+	for (i = 0,         // GOOD? Currently ignoring loop heads.
+	    j = 1;
+		i + j < 10;
+		i++, j++);
+
+	for (i = 0,
+         j = 1; i < 10; i += 2, // GOOD? Currently ignoring loop heads.
+        j++) {}
+
+	// Comma in if-conditions:
+
+	if (i = foo(j++),
+		i == j)	// GOOD(?) -- Currently ignoring if-conditions for the same reason as other parenthesized commas.
+		i = 0;
+
+    // Mixed tabs and spaces (ugly case):
+
+    for (i = 0,         // GOOD if tab >= 4 spaces else BAD -- Currently ignoring loop heads.
+		 j = 0;
+		 i + j < 10;
+         i++,           // GOOD if tab >= 4 spaces else BAD -- Currently ignoring loop heads.
+		 j++);
+
+	if (i)
+	    (void)i,	    // GOOD if tab >= 4 spaces else BAD -- can't exclude w/o source code text :/
+		(void)j;
+
+	// LHS ends on same line RHS begins on:
+
+	if (1) foo(
+		i++
+	), j++; // GOOD? [FALSE POSITIVE]
+
+	if (1) baz(
+		i++
+	), j++; // GOOD... when calling a function pointer..!?
+
+	// Weird cases:
+
+	if (foo(j))
+		return i++
+			, i++ // GOOD(?) [FALSE POSITIVE] -- can't exclude w/o source code text :/
+			? 1
+			: 2;
+
+    int quux =
+      (tata->titi.tutu(),
+       foo(tata->titi.toto())); // GOOD
+
+	(*tata)->toto(), // GOOD
+	i_array[i] += (int)(*tata)->toto();
+
+	return quux;
+}
+
+// Comma in variadic template splice:
+
+namespace std {
+	template <size_t... Is>
+	struct index_sequence {};
+}
+
+template <size_t I>
+struct zip_index {};
+
+template <size_t I>
+int& at(zip_index<I>) { throw 1; }
+
+template <class Fn, class At, size_t... Is>
+void for_each_input(Fn&& fn, std::index_sequence<Is...>) {
+	(fn(zip_index<Is>{}, at(zip_index<Is>{})), ...); // GOOD
+}
+
+// clang-format on