added FLP30-C

Author: s-samadi

c/cert/src/rules/FLP30-C/FloatingPointLoopCounters.md

@@ -0,0 +1,106 @@
+# FLP30-C: Do not use floating-point variables as loop counters
+
+This query implements the CERT-C rule FLP30-C:
+
+> Do not use floating-point variables as loop counters
+
+
+## Description
+
+Because floating-point numbers represent real numbers, it is often mistakenly assumed that they can represent any simple fraction exactly. Floating-point numbers are subject to representational limitations just as integers are, and binary floating-point numbers cannot represent all real numbers exactly, even if they can be represented in a small number of decimal digits.
+
+In addition, because floating-point numbers can represent large values, it is often mistakenly assumed that they can represent all significant digits of those values. To gain a large dynamic range, floating-point numbers maintain a fixed number of precision bits (also called the significand) and an exponent, which limit the number of significant digits they can represent.
+
+Different implementations have different precision limitations, and to keep code portable, floating-point variables must not be used as the loop induction variable. See Goldberg's work for an introduction to this topic \[[Goldberg 1991](https://www.securecoding.cert.org/confluence/display/java/Rule+AA.+References#RuleAA.References-Goldberg91)\].
+
+For the purpose of this rule, a *loop counter* is an induction variable that is used as an operand of a comparison expression that is used as the controlling expression of a `do`, `while`, or `for` loop. An *induction variable* is a variable that gets increased or decreased by a fixed amount on every iteration of a loop \[[Aho 1986](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-Aho1986)\]. Furthermore, the change to the variable must occur directly in the loop body (rather than inside a function executed within the loop).
+
+## Noncompliant Code Example
+
+In this noncompliant code example, a floating-point variable is used as a loop counter. The decimal number `0.1` is a repeating fraction in binary and cannot be exactly represented as a binary floating-point number. Depending on the implementation, the loop may iterate 9 or 10 times.
+
+```cpp
+void func(void) {
+  for (float x = 0.1f; x <= 1.0f; x += 0.1f) {
+    /* Loop may iterate 9 or 10 times */
+  }
+}
+```
+For example, when compiled with GCC or Microsoft Visual Studio 2013 and executed on an x86 processor, the loop is evaluated only nine times.
+
+## Compliant Solution
+
+In this compliant solution, the loop counter is an integer from which the floating-point value is derived:
+
+```cpp
+#include <stddef.h>
+ 
+void func(void) {
+  for (size_t count = 1; count <= 10; ++count) {
+    float x = count / 10.0f;
+    /* Loop iterates exactly 10 times */
+  }
+}
+```
+
+## Noncompliant Code Example
+
+In this noncompliant code example, a floating-point loop counter is incremented by an amount that is too small to change its value given its precision:
+
+```cpp
+void func(void) {
+  for (float x = 100000001.0f; x <= 100000010.0f; x += 1.0f) {
+    /* Loop may not terminate */
+  }
+}
+```
+On many implementations, this produces an infinite loop.
+
+## Compliant Solution
+
+In this compliant solution, the loop counter is an integer from which the floating-point value is derived. The variable `x` is assigned a computed value to reduce compounded rounding errors that are present in the noncompliant code example.
+
+```cpp
+void func(void) {
+  for (size_t count = 1; count <= 10; ++count) {
+    float x = 100000000.0f + (count * 1.0f);
+    /* Loop iterates exactly 10 times */
+  }
+}
+```
+
+## Risk Assessment
+
+The use of floating-point variables as loop counters can result in [unexpected behavior ](https://wiki.sei.cmu.edu/confluence/display/c/BB.+Definitions#BB.Definitions-unexpectedbehavior).
+
+<table> <tbody> <tr> <th> Rule </th> <th> Severity </th> <th> Likelihood </th> <th> Remediation Cost </th> <th> Priority </th> <th> Level </th> </tr> <tr> <td> FLP30-C </td> <td> Low </td> <td> Probable </td> <td> Low </td> <td> <strong>P6</strong> </td> <td> <strong>L2</strong> </td> </tr> </tbody> </table>
+
+
+## Automated Detection
+
+<table> <tbody> <tr> <th> Tool </th> <th> Version </th> <th> Checker </th> <th> Description </th> </tr> <tr> <td> <a> Astrée </a> </td> <td> 22.04 </td> <td> <strong>for-loop-float</strong> </td> <td> Fully checked </td> </tr> <tr> <td> <a> Axivion Bauhaus Suite </a> </td> <td> 7.2.0 </td> <td> <strong>CertC-FLP30</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Clang </a> </td> <td> 3.9 </td> <td> <code>cert-flp30-c</code> </td> <td> Checked by <code>clang-tidy</code> </td> </tr> <tr> <td> <a> CodeSonar </a> </td> <td> 7.2p0 </td> <td> <strong>LANG.STRUCT.LOOP.FPC</strong> </td> <td> Float-typed loop counter </td> </tr> <tr> <td> <a> Compass/ROSE </a> </td> <td> </td> <td> </td> <td> </td> </tr> <tr> <td> <a> Coverity </a> </td> <td> 2017.07 </td> <td> <strong>MISRA C 2004 Rule 13.4</strong> <strong><strong>MISRA C 2012 Rule 14.1</strong></strong> </td> <td> Implemented </td> </tr> <tr> <td> <a> ECLAIR </a> </td> <td> 1.2 </td> <td> <strong>CC2.FLP30</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Helix QAC </a> </td> <td> 2022.4 </td> <td> <strong>C3339, C3340, C3342</strong> <strong>C++4234</strong> </td> <td> </td> </tr> <tr> <td> <a> Klocwork </a> </td> <td> 2022.4 </td> <td> <strong>MISRA.FOR.COUNTER.FLT</strong> </td> <td> </td> </tr> <tr> <td> <a> LDRA tool suite </a> </td> <td> 9.7.1 </td> <td> <strong>39 S</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Parasoft C/C++test </a> </td> <td> 2022.2 </td> <td> <strong>CERT_C-FLP30-a</strong> </td> <td> Do not use floating point variables as loop counters </td> </tr> <tr> <td> <a> PC-lint Plus </a> </td> <td> 1.4 </td> <td> <strong>9009</strong> </td> <td> Fully supported </td> </tr> <tr> <td> <a> Polyspace Bug Finder </a> </td> <td> R2022b </td> <td> <a> CERT C: Rule FLP30-C </a> </td> <td> Checks for use of float variable as loop counter (rule fully covered) </td> </tr> <tr> <td> <a> PRQA QA-C </a> </td> <td> 9.7 </td> <td> <strong>3339, 3340, 3342</strong> </td> <td> Partially implemented </td> </tr> <tr> <td> <a> PRQA QA-C++ </a> </td> <td> 4.4 </td> <td> <strong>4234 </strong> </td> <td> </td> </tr> <tr> <td> <a> PVS-Studio </a> </td> <td> 7.23 </td> <td> <strong><a>V1034</a></strong> </td> <td> </td> </tr> <tr> <td> <a> RuleChecker </a> </td> <td> 22.04 </td> <td> <strong>for-loop-float</strong> </td> <td> Fully checked </td> </tr> <tr> <td> <a> SonarQube C/C++ Plugin </a> </td> <td> 3.11 </td> <td> <strong><a>S2193</a></strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> TrustInSoft Analyzer </a> </td> <td> 1.38 </td> <td> <strong>non-terminating</strong> </td> <td> Exhaustively detects non-terminating statements (see <a> one compliant and one non-compliant example </a> ). </td> </tr> </tbody> </table>
+
+
+## Related Vulnerabilities
+
+Search for [vulnerabilities](https://wiki.sei.cmu.edu/confluence/display/c/BB.+Definitions#BB.Definitions-vulnerability) resulting from the violation of this rule on the [CERT website](https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+FLP30-C).
+
+## Related Guidelines
+
+[Key here](https://wiki.sei.cmu.edu/confluence/display/c/How+this+Coding+Standard+is+Organized#HowthisCodingStandardisOrganized-RelatedGuidelines) (explains table format and definitions)
+
+<table> <tbody> <tr> <th> Taxonomy </th> <th> Taxonomy item </th> <th> Relationship </th> </tr> <tr> <td> <a> CERT C </a> </td> <td> <a> FLP30-CPP. Do not use floating-point variables as loop counters </a> </td> <td> Prior to 2018-01-12: CERT: Unspecified Relationship </td> </tr> <tr> <td> <a> CERT Oracle Secure Coding Standard for Java </a> </td> <td> <a> NUM09-J. Do not use floating-point variables as loop counters </a> </td> <td> Prior to 2018-01-12: CERT: Unspecified Relationship </td> </tr> <tr> <td> <a> ISO/IEC TR 24772:2013 </a> </td> <td> Floating-Point Arithmetic \[PLF\] </td> <td> Prior to 2018-01-12: CERT: Unspecified Relationship </td> </tr> <tr> <td> <a> MISRA C:2012 </a> </td> <td> Directive 1.1 (required) </td> <td> Prior to 2018-01-12: CERT: Unspecified Relationship </td> </tr> <tr> <td> <a> MISRA C:2012 </a> </td> <td> Rule 14.1 (required) </td> <td> Prior to 2018-01-12: CERT: Unspecified Relationship </td> </tr> </tbody> </table>
+
+
+## Bibliography
+
+<table> <tbody> <tr> <td> \[ <a> Aho 1986 </a> \] </td> <td> </td> </tr> <tr> <td> \[ <a> Goldberg 1991 </a> \] </td> <td> </td> </tr> <tr> <td> \[ <a> Lockheed Martin 05 </a> \] </td> <td> AV Rule 197 </td> </tr> </tbody> </table>
+
+
+## Implementation notes
+
+None
+
+## References
+
+* CERT-C: [FLP30-C: Do not use floating-point variables as loop counters](https://wiki.sei.cmu.edu/confluence/display/c)

c/cert/src/rules/FLP30-C/FloatingPointLoopCounters.ql

@@ -0,0 +1,30 @@
+/**
+ * @id c/cert/floating-point-loop-counters
+ * @name FLP30-C: Do not use floating-point variables as loop counters
+ * @description Loop counters should not use floating-point variables to keep code portable.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity recommendation
+ * @tags external/cert/id/flp30-c
+ *       maintainability
+ *       readability
+ *       correctness
+ *       external/cert/obligation/rule
+ */
+
+import cpp
+import codingstandards.c.cert
+import codingstandards.cpp.Loops
+
+from Loop loop
+where
+  not isExcluded(loop, Statements4Package::floatingPointLoopCountersQuery()) and
+  exists(WhileStmt while |
+    while.getCondition().getType() instanceof FloatType and
+    loop = while
+  )
+  or
+  exists(ForStmt for, Variable counter |
+    isForLoopWithFloatingPointCounters(for, counter) and for = loop
+  )
+select loop, "Loop $@ has a floating-point type.", loop.getControllingExpr(), "counter"

c/cert/test/rules/FLP30-C/FloatingPointLoopCounters.expected

@@ -0,0 +1,2 @@
+| test.c:3:3:4:3 | for(...;...;...) ... | Loop $@ has a floating-point type. | test.c:3:18:3:26 | ... < ... | counter |
+| test.c:5:3:6:3 | while (...) ... | Loop $@ has a floating-point type. | test.c:5:10:5:17 | ... - ... | counter |

c/cert/test/rules/FLP30-C/FloatingPointLoopCounters.qlref

@@ -0,0 +1 @@
+rules/FLP30-C/FloatingPointLoopCounters.ql

c/cert/test/rules/FLP30-C/test.c

@@ -0,0 +1,15 @@
+void f1() {
+  float f = 0.0F;
+  for (f = 0.0F; f < 10.0F; f += 0.2F) { // NON_COMPLIANT
+  }
+  while (f - 0.0F) { // NON_COMPLIANT
+  }
+}
+
+void f2() {
+
+  for (int i = 0; i < 10; i++) { // COMPLIANT
+  }
+  while (4 - 4) { // COMPLIANT
+  }
+}

cpp/common/src/codingstandards/cpp/exclusions/c/RuleMetadata.qll

@@ -45,6 +45,7 @@ import SideEffects2
 import Statements1
 import Statements2
 import Statements3
+import Statements4
 import Strings1
 import Strings2
 import Strings3
@@ -95,6 +96,7 @@ newtype TCQuery =
   TStatements1PackageQuery(Statements1Query q) or
   TStatements2PackageQuery(Statements2Query q) or
   TStatements3PackageQuery(Statements3Query q) or
+  TStatements4PackageQuery(Statements4Query q) or
   TStrings1PackageQuery(Strings1Query q) or
   TStrings2PackageQuery(Strings2Query q) or
   TStrings3PackageQuery(Strings3Query q) or
@@ -145,6 +147,7 @@ predicate isQueryMetadata(Query query, string queryId, string ruleId, string cat
   isStatements1QueryMetadata(query, queryId, ruleId, category) or
   isStatements2QueryMetadata(query, queryId, ruleId, category) or
   isStatements3QueryMetadata(query, queryId, ruleId, category) or
+  isStatements4QueryMetadata(query, queryId, ruleId, category) or
   isStrings1QueryMetadata(query, queryId, ruleId, category) or
   isStrings2QueryMetadata(query, queryId, ruleId, category) or
   isStrings3QueryMetadata(query, queryId, ruleId, category) or

cpp/common/src/codingstandards/cpp/exclusions/c/Statements4.qll

@@ -0,0 +1,78 @@
+//** THIS FILE IS AUTOGENERATED, DO NOT MODIFY DIRECTLY.  **/
+import cpp
+import RuleMetadata
+import codingstandards.cpp.exclusions.RuleMetadata
+
+newtype Statements4Query =
+  TFloatingPointLoopCountersQuery() or
+  TForLoopNotWellFormedQuery() or
+  TNonBooleanIfConditionQuery() or
+  TNonBooleanIterationConditionQuery()
+
+predicate isStatements4QueryMetadata(Query query, string queryId, string ruleId, string category) {
+  query =
+    // `Query` instance for the `floatingPointLoopCounters` query
+    Statements4Package::floatingPointLoopCountersQuery() and
+  queryId =
+    // `@id` for the `floatingPointLoopCounters` query
+    "c/cert/floating-point-loop-counters" and
+  ruleId = "FLP30-C" and
+  category = "rule"
+  or
+  query =
+    // `Query` instance for the `forLoopNotWellFormed` query
+    Statements4Package::forLoopNotWellFormedQuery() and
+  queryId =
+    // `@id` for the `forLoopNotWellFormed` query
+    "c/misra/for-loop-not-well-formed" and
+  ruleId = "RULE-14-2" and
+  category = "required"
+  or
+  query =
+    // `Query` instance for the `nonBooleanIfCondition` query
+    Statements4Package::nonBooleanIfConditionQuery() and
+  queryId =
+    // `@id` for the `nonBooleanIfCondition` query
+    "c/misra/non-boolean-if-condition" and
+  ruleId = "RULE-14-4" and
+  category = "required"
+  or
+  query =
+    // `Query` instance for the `nonBooleanIterationCondition` query
+    Statements4Package::nonBooleanIterationConditionQuery() and
+  queryId =
+    // `@id` for the `nonBooleanIterationCondition` query
+    "c/misra/non-boolean-iteration-condition" and
+  ruleId = "RULE-14-4" and
+  category = "required"
+}
+
+module Statements4Package {
+  Query floatingPointLoopCountersQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `floatingPointLoopCounters` query
+      TQueryC(TStatements4PackageQuery(TFloatingPointLoopCountersQuery()))
+  }
+
+  Query forLoopNotWellFormedQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `forLoopNotWellFormed` query
+      TQueryC(TStatements4PackageQuery(TForLoopNotWellFormedQuery()))
+  }
+
+  Query nonBooleanIfConditionQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `nonBooleanIfCondition` query
+      TQueryC(TStatements4PackageQuery(TNonBooleanIfConditionQuery()))
+  }
+
+  Query nonBooleanIterationConditionQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `nonBooleanIterationCondition` query
+      TQueryC(TStatements4PackageQuery(TNonBooleanIterationConditionQuery()))
+  }
+}

rule_packages/c/Statements4.json

@@ -0,0 +1,81 @@
+{
+  "CERT-C": {
+    "FLP30-C": {
+      "properties": {
+        "obligation": "rule"
+      },
+      "queries": [
+        {
+          "description": "Loop counters should not use floating-point variables to keep code portable.",
+          "kind": "problem",
+          "name": "Do not use floating-point variables as loop counters",
+          "precision": "very-high",
+          "severity": "recommendation",
+          "short_name": "FloatingPointLoopCounters",
+          "tags": [
+            "maintainability",
+            "readability",
+            "correctness"
+          ]
+        }
+      ],
+      "title": "Do not use floating-point variables as loop counters"
+    }
+  },
+  "MISRA-C-2012": {
+    "RULE-14-2": {
+      "properties": {
+        "obligation": "required"
+      },
+      "queries": [
+        {
+          "description": "A well-formed for loop makes code easier to review.",
+          "kind": "problem",
+          "name": "A for loop shall be well-formed",
+          "precision": "very-high",
+          "severity": "recommendation",
+          "short_name": "ForLoopNotWellFormed",
+          "tags": [
+            "readability",
+            "maintainability"
+          ]
+        }
+      ],
+      "title": "A for loop shall be well-formed"
+    },
+    "RULE-14-4": {
+      "properties": {
+        "obligation": "required"
+      },
+      "queries": [
+        {
+          "description": "Non boolean conditions can be confusing for developers.",
+          "kind": "problem",
+          "name": "The condition of an if-statement shall have type bool",
+          "precision": "very-high",
+          "severity": "recommendation",
+          "short_name": "NonBooleanIfCondition",
+          "shared_implementation_short_name": "NonBooleanIfStmt",
+          "tags": [
+            "maintainability",
+            "readability"
+          ]
+        },
+        {
+          "description": "Non boolean conditions can be confusing for developers.",
+          "kind": "problem",
+          "name": "The condition of an iteration statement shall have type bool",
+          "precision": "very-high",
+          "severity": "recommendation",
+          "short_name": "NonBooleanIterationCondition",
+          "shared_implementation_short_name": "NonBooleanIterationStmt",
+          "tags": [
+            "maintainability",
+            "readability"
+          ]
+        }
+      ],
+      "title": "The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type"
+    }
+  }
+}

rules.csv

@@ -543,7 +543,7 @@ c,CERT-C,FIO44-C,Yes,Rule,,,Only use values for fsetpos() that are returned from
 c,CERT-C,FIO45-C,Yes,Rule,,,Avoid TOCTOU race conditions while accessing files,,IO4,Medium,
 c,CERT-C,FIO46-C,Yes,Rule,,,Do not access a closed file,FIO51-CPP,IO1,Hard,
 c,CERT-C,FIO47-C,Yes,Rule,,,Use valid format strings,,IO4,Hard,
-c,CERT-C,FLP30-C,Yes,Rule,,,Do not use floating-point variables as loop counters,,Statements,Easy,
+c,CERT-C,FLP30-C,Yes,Rule,,,Do not use floating-point variables as loop counters,,Statements4,Easy,
 c,CERT-C,FLP32-C,Yes,Rule,,,Prevent or detect domain and range errors in math functions,A0-4-4,Types,Medium,
 c,CERT-C,FLP34-C,Yes,Rule,,,Ensure that floating-point conversions are within range of the new type,,Types,Medium,
 c,CERT-C,FLP36-C,Yes,Rule,,,Preserve precision when converting integral values to floating-point type,,Types,Medium,
@@ -694,9 +694,9 @@ c,MISRA-C-2012,RULE-13-4,Yes,Advisory,,,The result of an assignment operator sho
 c,MISRA-C-2012,RULE-13-5,Yes,Required,,,The right hand operand of a logical && or || operator shall not contain persistent side effects,M5-14-1,SideEffects1,Import,
 c,MISRA-C-2012,RULE-13-6,Yes,Mandatory,,,The operand of the sizeof operator shall not contain any expressiosn which has potential side effects,M5-3-4,SideEffects1,Import,
 c,MISRA-C-2012,RULE-14-1,Yes,Required,,,A loop counter shall not have essentially floating type,FLP30-C A6-5-2,Types,Hard,
-c,MISRA-C-2012,RULE-14-2,Yes,Required,,,A for loop shall be well-formed,M6-5-1...M6-5-6,Statements,Medium,
+c,MISRA-C-2012,RULE-14-2,Yes,Required,,,A for loop shall be well-formed,M6-5-1...M6-5-6,Statements4,Medium,
 c,MISRA-C-2012,RULE-14-3,Yes,Required,,,Controlling expressions shall not be invariant,,Statements,Medium,
-c,MISRA-C-2012,RULE-14-4,Yes,Required,,,The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type,A5-0-2,Statements,Medium,
+c,MISRA-C-2012,RULE-14-4,Yes,Required,,,The controlling expression of an if statement and the controlling expression of an iteration-statement shall have essentially Boolean type,A5-0-2,Statements4,Medium,
 c,MISRA-C-2012,RULE-15-1,No,Advisory,,,The goto statement should not be used,A6-6-1,,Import,
 c,MISRA-C-2012,RULE-15-2,Yes,Required,,,The goto statement shall jump to a label declared later in the same function,M6-6-2,Statements2,Import,
 c,MISRA-C-2012,RULE-15-3,Yes,Required,,,"Any label referenced by a goto statement shall be declared in the same block, or in any block enclosing the goto statement",M6-6-1,Statements2,Import,