Versions Compared

Comment: wow, and changed from INT_MAX to SIZE_MAX.

C defines <, >, <=, and >= to be relational operators, and it defines == and != to be equality operators.

If a for or while statement uses a loop counter, then it is safer to use a relational operator (such as <) to terminate the loop than to use an equality operator (such as !=).

Noncompliant Code Example (Equality Operators)

This noncompliant code example appears to have five iterations, but in fact, the loop never terminates:

```c
size_t i;
for (i = 1; i != 10; i += 2) {
  /* ... */
}
```

Compliant Solution (Relational Operators)

Using the relational operator <= instead of an equality operator guarantees loop termination:

```c
size_t i;
for (i = 1; i <= 10; i += 2) {
  /* ... */
}
```

Noncompliant Code Example (Equality Operators)

It is also important to ensure termination of loops where the start and end values are variables that might not be properly ordered. The following function assumes that begin < end; if this is not the case, the loop will never terminate:

```c
#include <stddef.h>

void f(size_t begin, size_t end) {
  size_t i;
  for (i = begin; i != end; ++i) {
    /* ... */
  }
}
```

Compliant Solution (Relational Operators)

Again, using a relational operator instead of an equality operator guarantees loop termination. If begin >= end, the loop never executes its body:

```c
#include <stddef.h>

void f(size_t begin, size_t end) {
  size_t i;
  for (i = begin; i < end; ++i) {
    /* ... */
  }
}
```

Noncompliant Code Example (Boundary Conditions)

Numerical comparison operators do not always ensure loop termination when comparing against the minimum or maximum representable value of a type, such as INT_MIN or SIZE_MAX. Here the condition i <= SIZE_MAX is true for every value a size_t can hold, so the loop never terminates:

```c
#include <stddef.h>
#include <stdint.h>

void f(size_t begin, size_t step) {
  size_t i;
  for (i = begin; i <= SIZE_MAX; i += step) {
    /* ... */
  }
}
```

Compliant Solution (Boundary Conditions)

A compliant solution is to compare against the difference between the maximum (or minimum) representable value of the type and the increment, so that the loop stops before i + step could wrap around; a step of zero is rejected up front because it could never terminate the loop:

```c
#include <stddef.h>
#include <stdint.h>

void f(size_t begin, size_t step) {
  if (0 < step) {
    size_t i;
    for (i = begin; i <= SIZE_MAX - step; i += step) {
      /* ... */
    }
  }
}
```
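The three loop shapes discussed above (equality operator, relational operator, and the boundary condition), as an added example that is not part of the CERT page: each loop is scaled down to uint8_t so the unsigned wraparound shows up within a bounded probe, and PROBE_LIMIT and the function names are constructed for this demonstration only.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed iteration ceiling: a loop that reaches it is treated as
   non-terminating for the purpose of this demonstration. */
#define PROBE_LIMIT 100000UL

/* Equality-operator loop (the noncompliant pattern), scaled to uint8_t so the
   wraparound happens quickly: for (i = 1; i != stop; i += step). */
unsigned long probe_inequality_loop(uint8_t stop, uint8_t step) {
    unsigned long n = 0;
    for (uint8_t i = 1; i != stop; i = (uint8_t)(i + step)) {
        if (++n >= PROBE_LIMIT) return PROBE_LIMIT; /* never reached stop */
    }
    return n;
}

/* Relational-operator loop (compliant for interior values of stop):
   for (i = 1; i <= stop; i += step). When stop is the type maximum the
   condition can never be false, which is the boundary-condition problem. */
unsigned long probe_relational_loop(uint8_t stop, uint8_t step) {
    unsigned long n = 0;
    for (uint8_t i = 1; i <= stop; i = (uint8_t)(i + step)) {
        if (++n >= PROBE_LIMIT) return PROBE_LIMIT; /* wrapped past stop */
    }
    return n;
}

/* Boundary-safe form of the rule's compliant solution, with UINT8_MAX in
   place of SIZE_MAX: stop before i + step could wrap, and reject a zero step. */
unsigned long count_boundary_safe(uint8_t begin, uint8_t step) {
    unsigned long n = 0;
    if (0 < step) {
        for (uint8_t i = begin; i <= UINT8_MAX - step; i = (uint8_t)(i + step)) {
            ++n;
        }
    }
    return n;
}

int main(void) {
    printf("i != 10,  step 2: %lu\n", probe_inequality_loop(10, 2));       /* PROBE_LIMIT */
    printf("i <= 10,  step 2: %lu\n", probe_relational_loop(10, 2));       /* 5 */
    printf("i <= MAX, step 2: %lu\n", probe_relational_loop(UINT8_MAX, 2)); /* PROBE_LIMIT */
    printf("i <= MAX - step : %lu\n", count_boundary_safe(1, 2));          /* 127 */
    return 0;
}
```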

Exceptions

MSC21-C-EX1: If the loop counter for a loop is incremented by 1 on each iteration, and it is known that the starting value of the loop is less than or equal to the ending value, then an equality operator may be used to terminate the loop. Likewise, if the loop counter is decremented by 1 on each iteration, and it is known that the starting value of the loop is greater than or equal to the ending value, then an equality operator may be used to terminate the loop.

```c
size_t i;
for (i = 1; i != 5; ++i) {
  /* ... */
}
```

Risk Assessment

Testing for exact values runs the risk of a loop running much longer than expected or never terminating at all.

Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level
MSC21-C        | Low      | Unlikely   | Low              | P3       | L3

Automated Detection

Tool                 | Version | Checker                       | Description
Astrée               |         |                               | Supported: Astrée reports potential infinite loops.
CodeSonar            |         | LANG.STRUCT.LOOP.HR           | High risk loop
                     |         | LANG.STRUCT.LOOP.UB           | Potential unbounded loop
Compass/ROSE         |         |                               |
LDRA tool suite      |         | 510 S                         | Partially implemented
PC-lint Plus         |         | 440, 442, 443, 444, 445, 2650 | Partially supported
Polyspace Bug Finder |         | CERT C: Rec. MSC21-C          | Checks for loop bounded with tainted value (rec. partially covered)
PVS-Studio           |         | V621                          |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

