getAChild*() is the right tool here, but it must be coupled with an allow-list or we'll have FNs, because it's still casting a very very wide net.

We should ensure (either here, or reported as an error in the query) that loopCounterExpr is not any arbitrary type of expression.

The following should be non-compliant:

for (int i = 0; f(i) < 10; ++i) {}
for (int i = 0; i * i < 10; ++i) {}
for (int i = 0; i + f() < 10; ++i) {}
for (int i = 0; (i > other_var) < 1; ++i) {}
// etc

Basically, we probably just want an allow-list where every expr from loopCounterExpr to loopCounter is either loopCounter itself or an addition/subtraction with only constant values on one side and an allow-listed expression on the other.

for (int i = 0; i + 10 < 20; ++i) {} // OK, `i` is allowed and `ALLOWED + 10` is allowed
for (int i = 0; 10 - i < 20; ++i) {} // OK, `i` is allowed and  `10 - ALLOWED` is allowed
for (int i = 0; -i < 20; ++i) {} // OK, `i` is allowed and `-ALLOWED` is allowed
for (int i = 0; -i + 10 - < 20; ++i) {} // OK, `i` is allowed and  -ALLOWED is allowed
for (int i = 0; (i + 5) + 3 < 20; ++i) {} // OK, `i` is allowed, `ALLOWED + 5`, and `ALLOWED + 3` is allowed
for (int i = 0; i + (5 + 3) < 20; ++i) {} // OK, `i` is allowed, `ALLOWED + (5 + 3)` is allowed

for (int i = 0; i + i < 20; ++i) {} // BAD, `i` is allowed but `ALLOWED + ALLOWED` is not allowed
for (int i = 0; i + j < 20; ++j) {} // BAD, 'j' is not allowed
for (int i = 0; (i + 10) + (i + 10) < 20; ++i) {} // BAD, `i` and `ALLOWED + 10` is allowed, but `ALLOWED + ALLOWED` is not allowed

Hopefully that mostly makes sense.

I understand what you mean, I guess what you suggest is to define a allowed class of ASTs where:

• The base case is a VariableAccess or a unary operator application on it; and
• The recursive case is an application of addition or subtraction to the allowed class.

However, I think even these are non-compliant since the rules dictate that (paraphrased by me):

The comparison between the loop-counter and the loop-step is done in the condition by only using a relational operator

which is preceded by (also paraphrased and highlighted by me):

The only thing the init-statement does is declaring and initializing a loop-counter of integer type

From these two, we can infer that the rule implicitly wants (1) the loop counter to be a variable, and (2) the loop condition to be a direct comparison between the loop condition variable and some loop-bound expression. This reflected in the alert message we emit in case of a violation of this sub-rule: "The [loop condition] does not determine termination based only on a comparison against the value of the counter variable".

Then, one might ask, why do we distinguish loopCounterExpr from loopCounter in the characteristic predicate? That's for internal purposes only; we somehow need to distinguish which of the operands has loopCounter in it, so we dig into one of the expressions to find a variable whose target is the initialized counter variable. I'd say it's unfortunate but necessary.

Then, a follow-up objection might be: Why don't we demand that one of the operands to the relational operator is a variable access in the first place? That's because we don't want to tailor this code specifically to this rule, because it's library code. 9-5-1 wants one of the things compared is an access to the initialized variable, but other rules might not, and in those cases this class (LegacyForLoopCondition) can be used in other ways.

OK, I thought that this code was intended to handle the following case, based on real code examples in open pilot:

for (int i = 0; i + 10 < j; ++i) {}

I believe we have leeway to be able to interpret 9-5-1 to accept or reject this. It's trivially clear that i + 10 < j is equivalent to i < j + 10. It's fair to say that the MISRA team doesn't think of every edge case and that we have some discretion here. It's also fair to say that this violates the plain text of the rule.

I'm happy with us rejecting the above case if you think so. However, I don't think the query currently rejects it because of the .getAChild*(). Quickly looking for calls to getLoopCounter, I don't see anything that later checks that getLoopCounter() is a direct operand of the LegacyForLoopCondition.

I believe that 9-5-1 will also currently not flag

for (int i = 0; f(i) < j; ++i) {}

which is clearly intended to be non-compliant.

So we should add tests for these cases. We should test f(i) < j case is flagged as non compliant, and we should add a test for i + 10 < j with a comment about how we came to decide that it should or shouldn't be considered compliant.

My preference would be to remove getAChild*(), and either replace it with getAnOperand() or a predicate that finds a restricted set of operations. Currently LegacyForLoopCondition is only used here, and we can document its restrictions. If you would rather leave it as is and add checks in 9-5-1 that getLoopCounter() = loopCondition.getAnOperand(), that is reasonable too. But getAChild*() casts a very wide net that might not be expected in future queries, so I wouldn't say we need to have that behavior now.

Okay, I believe it is reasonable to do so. Thank you for your second opinion!