WIP: fix: address GCC -fanalyzer warnings #107
Closed
jabber.developer2
wants to merge 1 commits from
fix/analyzer-warnings into master
pull from: fix/analyzer-warnings
merge into: devs:master
devs:master
devs:feat/ai-api-type
devs:fix/editor-terminal-size
devs:ci/docker-hub-publishing
devs:feat/disco-ac
devs:feat/privacy-enhancements
devs:fix/clientid-regression
devs:fix/ai-chat-completions-followup
devs:feat/ai-custom
devs:fix/unencrypted-send
devs:rollback/pre-upstream-merge
devs:fix/autoping-warning-null-domain
devs:fix/pad-dead-space-reclaim
devs:feat/autoping-warning
devs:chore/untrack-gitversion
devs:fix/multiline-pad-clip
devs:fix/issue-112-followups
devs:fix/issue-128-migrate-v3-dedup
devs:fix/delay-timestamp-validation
devs:ref/light-cleanup
devs:fix/history-scroll-pad-redraw-storm
devs:fix/plugin-post-display-incoming-only
devs:merge/upstream-full
devs:merge-improve
devs:chore/remove-chatlog-stage-1
devs:fix/ai-json-encoding
devs:feat/no-db-backlog-114
devs:fix/scroll-non-chat-windows
devs:fix/paged-non-chat-windows
devs:fix/ai-leaks
devs:feat/ai
devs:fix/ai-followups
devs:test/ai-coverage-unit-only
devs:test/ai-coverage
devs:refactor/scroll-mechanism
devs:fix/verify-per-contact-context
devs:feat/no-db-mode
devs:feat/ai-json
devs:feat/pikaur-parity-arch
devs:fix-pikaur-build
devs:feat/upstream-sync
devs:feat/functest-speedup
devs:fix/cwe-134-format-string-audit
devs:ci/separate-build-step
devs:test/autoping-functional-tests
devs:test/db-functional-tests
devs:fix/arch-build
devs:fix/xep-0030-disco-items-error-handling
devs:fix/xep-0030-empty-disco-items
devs:playground/fix/src_refactoring
devs:tests/disco
devs:fix/test-CI-stability
devs:feat/parallel-tests-clean
devs:feat/parallel-functional-tests
devs:fix/functional_tests_v2
devs:fix/functional_tests
devs:fix/connect_max_args
devs:feat/extended_debug_info
devs:playground/fix/scroll-stuck
devs:build/multicore
devs:build/reenable-fedora
devs:build/autoupdate
No Reviewers
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
Kind/Bug
Something is not working
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: devs/cproof#107
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
No description provided.
Delete Branch "fix/analyzer-warnings"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Re-enable the static-analysis warnings that were reverted in PR #105
(
a7ad9ac0a Revert build: enable -Wconversion/-Wsign-compare and add --enable-sanitizers), and ship the remaining-fanalyzernull-pointerguards that were not absorbed into master through other commits.
Goal: get back to a state where the next round of upstream-style refactors
can't silently re-introduce narrowing / sign / unsigned-overflow bugs.
Scope
1. Null-pointer guards (already present in this PR,
0ad7327fe)Found by GCC
-fanalyzer(GCC 15.2.1). Not covered by upstream.src/command/cmd_funcs.c: checkstrtok()return before use incmd_process_input.src/command/cmd_funcs.c: checkfdopen()return before use incmd_sendfile.src/omemo/omemo.c: initfingerprint_len = 0and check_omemo_fingerprint_decode()return inomemo_is_trusted_identity(CWE-457 / CWE-690).
src/omemo/omemo.c: early-NULL return in_omemo_fingerprint_decode()for NULL input.
2. Re-enable conversion / sign warnings (advisory)
configure.accurrently silences-Wsign-compareoutright and neverenables
-Wsign-conversionor-Wconversion. PR #105 (a7ad9ac0a)reverted the previous attempt to turn them on because the upstream merge
brought in ~230 sign warnings.
Now that PR #105's narrowing-conversion pass (
9feff00ea) has landedupstream-aligned types in the touched files, re-enable the flags in
advisory mode (warnings, not errors):
-Wno-sign-comparefrom the defaultAM_CFLAGS.-Wconversion -Wsign-conversion -Wsign-compareto the default flagset, gated by
-Wno-error=conversion -Wno-error=sign-conversion -Wno-error=sign-compareso existing builds stay green while thewarning floor surfaces the remaining hits.
-Werroronly for theunused-class warnings (current dev-modepolicy in
AS_IF([test "x$PACKAGE_STATUS" = xdevelopment], …)).This restores visibility of new offenders introduced by future merges
without breaking distro builds today.
3.
--enable-sanitizersopt-in switchRe-add the configure switch reverted in
a7ad9ac0a. When set:-fsanitize=address-fsanitize=undefined-fsanitize=unsigned-integer-overflow(specifically catches theunsigned-subtraction footguns the PR #105 review flagged in
statusbar.c/window.c).Off by default.
What's deliberately not in this PR
-Werrorfor the new sign/conversion warnings yet. That comesafter each subsystem-author has a chance to clean their files. Tracked
per-file in issue #112 (the "complete signed→unsigned hardening"
section).
src/tools/numutil.hhelpers. At present every existingunsigned subtraction in tree is protected by an explicit pre-check or
a comparison-rewrite, so YAGNI. Revisit if 3+ awkward sites accumulate.
PR contained
#pragma GCC diagnosticpairs aroundiq.ccallbackregistration sites; those were either absorbed into master via #2094
cleanups or proved unnecessary after subsequent refactors. Drop.
Acceptance criteria
0ad7327fe(null-pointer guards) compiles clean and tests pass onall four
ci-build.shconfigs.configure.acchanges:-Wno-sign-compareremoved fromAM_CFLAGS.-Wconversion -Wsign-conversion -Wsign-compareadded.-Wno-error=conversion -Wno-error=sign-conversion -Wno-error=sign-comparegating present.--enable-sanitizersswitch wires up-fsanitize=address,-fsanitize=undefined,-fsanitize=unsigned-integer-overflow.ci-build.shlog shows the new warning count (so we know thebaseline for follow-up cleanup); update issue #112's
"signed/unsigned hardening" section with that number.
Out of scope (issue #112 follow-up)
uncover.
-Wno-error=sign-*to-Werror=sign-*once the warningsare gone.
numutil.hif/when we accumulate enough awkward sites to justifythe abstraction.
d3ab7eb0e3to43aeaf6e3b43aeaf6e3bto0ad7327feaSuperseded — closing.
Re-checked against current master. The actual diff on this branch (commit
0ad7327fe) is four null-pointer guards; the -Wsign-compare/-Wconversion re-enable described above was never committed here (it belongs to the build-flags track, #109/#100, and master currently sets -Wno-sign-compare).Per-hunk status:
cmd_process_input strtok guard — already on master (identical).
cmd_sendfile fdopen guard — already on master, and more complete there (it also close(fd) to avoid an fd leak); this PR's version would regress that.
omemo_is_trusted_identity (fingerprint_len = 0 + if (!fingerprint_raw) return FALSE) — still valid, absorbed into #130.
_omemo_fingerprint_decode NULL-input guard — still valid, absorbed into #130.
The only unique, still-relevant content (the two OMEMO CWE-476/457 guards) has moved to #130, so closing this PR.
Pull request closed