C++: Fix edge case.

geoffw0 · geoffw0 · commit b3f3f6d95ac2 · 2020-08-06T19:03:43.000+01:00
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql b/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
@@ -54,9 +54,11 @@ predicate illDefinedDecrForStmt(
       or
       (forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())
     )
-  ) and
-  // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
-  not v.getUnspecifiedType().(IntegralType).isUnsigned()
+  ) and (
+    // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
+    v.getUnspecifiedType().(IntegralType).isSigned() or
+    initialCondition.getValue().toInt() = 0
+  )
 }
 
 pragma[noinline]
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c
@@ -24,7 +24,7 @@ void Unsigned()
 {
     unsigned long i;
 
-    for (i = 0; i < 100; i--)   //BUG [NOT DETECTED]
+    for (i = 0; i < 100; i--)   //BUG
     {
     }
 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp
@@ -130,7 +130,7 @@ void InvalidConditionUnsignedCornerCase()
     unsigned char min = 0;
     unsigned char max = 100;
 
-    for (i = 100; i < 0; i--)   //BUG
+    for (i = 100; i < 0; i--)   //BUG [NOT DETECTED]
     {
     }
 
@@ -185,13 +185,13 @@ void IntendedOverflow()
     unsigned char i;
     signed char s;
 
-    for (i = 63; i < 64; i--) {} // GOOD (legitimate way to count down with an unsigned) [FALSE POSITIVE]
+    for (i = 63; i < 64; i--) {} // GOOD (legitimate way to count down with an unsigned)
     for (i = 63; i < 128; i--) {} // DUBIOUS (could still be a typo?)
-    for (i = 63; i < 255; i--) {} // GOOD [FALSE POSITIVE]
+    for (i = 63; i < 255; i--) {} // GOOD
 
-    for (i = m - 1; i < m; i--) {} // GOOD [FALSE POSITIVE]
+    for (i = m - 1; i < m; i--) {} // GOOD
     for (i = m - 1; i < m; i--) {} // DUBIOUS
-    for (i = m - 1; i < m; i--) {} // GOOD [FALSE POSITIVE]
+    for (i = m - 1; i < m; i--) {} // GOOD
 
     for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all)
 }
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.expected
@@ -1,10 +1,12 @@
 | inconsistentLoopDirection.c:5:5:7:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.c:13:5:15:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| inconsistentLoopDirection.c:27:5:29:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.c:35:5:37:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
 | inconsistentLoopDirection.c:48:5:50:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.c:58:5:60:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
 | inconsistentLoopDirection.cpp:5:5:7:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.cpp:13:5:15:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
+| inconsistentLoopDirection.cpp:27:5:29:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.cpp:35:5:37:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |
 | inconsistentLoopDirection.cpp:46:5:48:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts downward from a value (0), but the terminal condition is higher (100). |
 | inconsistentLoopDirection.cpp:54:5:56:5 | for(...;...;...) ... | Ill-defined for-loop: a loop using variable "i" counts upward from a value (100), but the terminal condition is lower (0). |

Original file line number	Diff line number	Diff line change
`@@ -54,9 +54,11 @@ predicate illDefinedDecrForStmt(`
`54`	`54`	`or`
`55`	`55`	`(forstmt.conditionAlwaysFalse() or forstmt.conditionAlwaysTrue())`
`56`	`56`	`)`
`57`		`- ) and`
`58`		- // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
`59`		`- not v.getUnspecifiedType().(IntegralType).isUnsigned()`
	`57`	`+ ) and (`
	`58`	+ // exclude cases where the loop counter is `unsigned` (where wrapping behaviour can be used deliberately)
	`59`	`+ v.getUnspecifiedType().(IntegralType).isSigned() or`
	`60`	`+ initialCondition.getValue().toInt() = 0`
	`61`	`+ )`
`60`	`62`	`}`
`61`	`63`
`62`	`64`	`pragma[noinline]`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ void Unsigned()`
`24`	`24`	`{`
`25`	`25`	`unsigned long i;`
`26`	`26`
`27`		`- for (i = 0; i < 100; i--) //BUG [NOT DETECTED]`
	`27`	`+ for (i = 0; i < 100; i--) //BUG`
`28`	`28`	`{`
`29`	`29`	`}`
`30`	`30`