Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

If Unless coded properly, a while or for statement uses a loop counter, and increments or decrements the counter by more than one, it must use an inequality operator (that is, <, <=, >, or >=) to terminate the loop. This prevents the loop from executing indefinitely loop may execute forever or until the counter wraps around and reaches its final value. (See NUM00-J. Detect or prevent integer overflow.) This problem may result from incrementing or decrementing a loop counter by more than one and then testing for equality to a specified value to terminate the loop. In this case, it is possible that the loop counter will leapfrog the specified value and execute either forever or until the counter wraps around and reaches the its final value. (See rule NUM00-J. Detect or prevent integer overflow.)This problem may also be caused by naïve testing against limits—for example, looping while a counter is less than or equal to Integer.MAX_VALUE or greater than or equal to Integer.MIN_VALUE.

Noncompliant Code Example

This noncompliant code example appears to iterate five times. :

Code Block
bgColor#FFCCCC

for (i = 1; i != 10; i += 2) {
  // ...
}

However, the loop never terminates; successive . Successive values of i are 1, 3, 5, 7, 9 and , 11, allowing and so on; the comparison with 10 never evaluates to be skipped true. The value reaches the maximum representable positive number (Integer.MAX_VALUE), then wraps to the second-lowest negative number (Integer.MIN_VALUE + 1). It then works its way up to -1–1, then 1, and proceeds as described earlier.

Noncompliant Code Example

This noncompliant code example terminates , but performs more iterations than expected. :

Code Block
bgColor#FFCCCC

for (i = 1; i != 10; i += 5) {
  // ...
}

Successive values of i are 1, 6, and 11, skipping past 10. The value of i then wraps from near the maximum positive value to near the lowest negative value and works its way up toward zero0. It then assumes 2, 7, and 12, skipping past 10 again. After the value wraps from the high-positive to the low-negative side three more times, it finally reaches 0, 5, and 10, terminating the loop.

Compliant Solution

Using an inequality operator guarantees proper loop terminationOne solution is to simply ensure the loop termination condition is reached before the counter inadvertently wraps.

Code Block
bgColor#ccccff
for (i = 1; i == 11; i += 2) {
  // ...
}

This solution can be fragile when one or more of the conditions affecting the iteration must be changed. A better solution is to use a numerical comparison operator (that is, <, <=, >, or >=) to terminate the loop.

Code Block
bgColor#ccccff
for (i = 1; i <= 10; i += 2) {
  // ...
}

This latter solution can be more robust in the event of changes to the iteration conditions. However, this approach should never replace careful consideration regarding the intended and actual number of iterations.

Noncompliant Code Example

Inequality operators fail to ensure loop termination when comparing with A loop expression that tests whether a counter is less than or equal to Integer.MAX_VALUE or greater than or equal to Integer.MIN_VALUE will never terminate because the expression will always evaluate to true. For example, the following loop will never terminate because i can never be greater than Integer.MAX_VALUE:

Code Block
bgColor#FFCCCC
for (i = 1; i <= Integer.MAX_VALUE; i++) {
  // ...
}

Compliant Solution

The loop in this compliant solution terminates when i is equal to Integer.MAX_VALUE:

Code Block
bgColor#ccccff
for (i = 1; i != Integer.MAX_VALUE; i++ += 2) {
  // ...
}

This usually happens when the step size is more than one.

Compliant Solution

If the loop is meant to iterate for every value of i greater than 0, including Integer.MAX_VALUE, it can be implemented as follows:

Code Block
bgColor#ccccff
i = 0;
do {
  i++
  // ...
} while (i != Integer.MAX_VALUE);

Noncompliant Code Example

This noncompliant code example initializes the loop counter i to 0 and then increments it by 2 on each iteration, basically enumerating all the even, positive values. The loop is expected to terminate when i is greater than It is insufficient to compare with Integer.MAX_VALUE - 1 when the loop increment is greater than 1. To be compliant, ensure that the comparison is carried out with (, an even value. In this case, the loop fails to terminate because the counter wraps around before becoming greater than Integer.MAX_VALUE - 1.

Code Block
bgColor#FFCCCC
for (i = 0; i <= Integer.MAX_VALUE - 1; i += 2) {
  // ...
}

Compliant Solution

The loop in this compliant solution terminates when the counter i is greater than Integer.MAX_VALUE - counter's value)minus the step value as the loop-terminating condition.

Code Block
bgColor#ccccff
for (i = 10; i <= Integer.MAX_VALUE - 2; i += 2) {
  // ...
}

Risk Assessment

Applicability

Incorrect termination of loops Testing for exact values to terminate a loop may result in infinite loops, poor performance, incorrect results, and other problems. In any of the conditions used to terminate a loop can be influenced by an attacker, these errors can be exploited to cause a denial of service or other attack.

...

Automated Detection

Severity Tool Likelihood Version Remediation Cost Checker Priority Description Level
SonarQube

MSC15-J

low

unlikely

low

P3

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the C Secure Coding Standard as rule MSC21-C. Use inequality to terminate a loop whose counter changes by more than one .

This rule appears in the C++ Secure Coding Standard as rule MSC21-CPP. Use inequality to terminate a loop whose counter changes by more than one.

Bibliography

Include Page
SonarQube_V
SonarQube_V
S2251 

 

Bibliography

[JLS 2013]

§15.20.1, "

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="12e5c430-c11f-473e-84ae-58222b0ac073"><ac:plain-text-body><![CDATA[

[[JLS 2005

AA. Bibliography#JLS 05]]

15.20.1 Numerical Comparison Operators <, <=, >, and >=

]]></ac:plain-text-body></ac:structured-macro>

"

 

...

Image Added Image Added Image AddedMSC09-J. Finish every set of statements associated with a case label with a break statement      49. Miscellaneous (MSC)      MSC16-J. Address the shortcomings of the Singleton design pattern