From: Viktor Szakats Date: Thu, 28 Aug 2025 12:26:43 +0000 (+0200) Subject: clang-tidy: disable `clang-analyzer-security.ArrayBound` X-Git-Tag: curl-8_16_0~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ceb9c54aa6bc25aa16416834d0fef6cbe51f432;p=thirdparty%2Fcurl.git clang-tidy: disable `clang-analyzer-security.ArrayBound` It's causing false-positives with clang-tidy v21, in cases in system headers (seen in `FD_ISSET()` with macOS SDK). In some cases in tests/server, there was no distinct source line that was triggering it. Example: ``` /Applications/Xcode_16.4.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.5.sdk/usr/include/sys/_types/_fd_def.h:83:10: error: Potential out of bound access to 'fds_read.fds_bits' with tainted index [clang-analyzer-security.ArrayBound,-warnings-as-errors] 83 | return _p->fds_bits[(unsigned long)_fd / __DARWIN_NFDBITS] & ((__int32_t)(((unsigned long)1) << ((unsigned long)_fd % __DARWIN_NFDBITS))); | ^ [...] /Users/runner/work/curl/curl/tests/server/socksd.c:679:5: note: Taking false branch 679 | if(rc < 0) { | ^ ``` Closes #18422
---
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 656851030b..c2f119099f 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -40,7 +40,7 @@ permissions: {}
 env:
   MAKEFLAGS: -j 5
   CURL_CI: github
-  CURL_CLANG_TIDYFLAGS: '-checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-valist.Uninitialized'
+  CURL_CLANG_TIDYFLAGS: '-checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.ArrayBound,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-valist.Uninitialized'
   # renovate: datasource=github-tags depName=libressl-portable/portable versioning=semver registryUrl=https://github.com
   LIBRESSL_VERSION: 4.1.0
   # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?.+)-stable$ registryUrl=https://github.com
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 81287f61aa..0265162e74 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -297,6 +297,7 @@ if(CURL_CLANG_TIDY)
   list(APPEND _tidy_checks "-clang-analyzer-security.insecureAPI.bzero") # for FD_ZERO() (seen on macOS)
   list(APPEND _tidy_checks "-clang-analyzer-security.insecureAPI.strcpy")
   list(APPEND _tidy_checks "-clang-analyzer-optin.performance.Padding")
+  list(APPEND _tidy_checks "-clang-analyzer-security.ArrayBound") # false positives with clang-tidy v21.1.0
   list(APPEND _tidy_checks "-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling")
   string(REPLACE ";" "," _tidy_checks "${_tidy_checks}")
   find_program(CLANG_TIDY NAMES "clang-tidy" REQUIRED)
diff --git a/lib/Makefile.am b/lib/Makefile.am
index f6ea5807d5..973876f501 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
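Review bot: Adding `-clang-analyzer-security.ArrayBound` to the `-checks=` list in CURL_CLANG_TIDYFLAGS switches off the tainted-index out-of-bounds analysis for every translation unit this job runs clang-tidy on, while the commit message attributes the false positives only to `FD_ISSET()` in the macOS SDK header and to tests/server. The same global disable is repeated in the CMakeLists.txt, lib/Makefile.am and src/Makefile.am hunks, so this note covers all four copies. A narrower suppression, such as a `// NOLINT(clang-analyzer-security.ArrayBound)` or `// NOLINTNEXTLINE(...)` on the few `FD_ISSET()` call sites that expand the macro, would keep the check active for the rest of lib/ and src/. The four hand-maintained lists already differ (this workflow also carries `-clang-analyzer-valist.Uninitialized`, which the two Makefile.am `TIDYFLAGS` values do not), so moving the exclusions into one checked-in clang-tidy config passed with `--config-file=` would stop the copies drifting further.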
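Review bot: The added `list(APPEND _tidy_checks ...)` line disables the check unconditionally, although its comment gives a version-specific reason ("false positives with clang-tidy v21.1.0"), so the suppression silently outlives the clang-tidy release it was written for. Since `find_program(CLANG_TIDY ...)` only runs after the list has already been joined by `string(REPLACE ...)`, a version gate on the found binary would need the lookup moved above the list, which is presumably more churn than this fix wants; at minimum the comment should point at the trigger and the tracking issue so a later maintainer knows when it can go, e.g. `# false positives with clang-tidy v21.1.0 (FD_ISSET() in macOS SDK headers, see #18422); re-check on newer releases`. The enclosing `if(CURL_CLANG_TIDY)` block starts before this hunk and continues past it.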
@@ -174,7 +174,7 @@ $(UNITPROTOS): $(CSOURCES)
 	$(UNIT_V)(cd $(srcdir) && @PERL@ ../scripts/extract-unit-protos $(CSOURCES) > $(top_builddir)/lib/$(UNITPROTOS))
 
 # disable the tests that are mostly causing false positives
-TIDYFLAGS := -checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling -quiet
+TIDYFLAGS := -checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.ArrayBound,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling -quiet
 if CURL_WERROR
 TIDYFLAGS += --warnings-as-errors=*
 endif
diff --git a/src/Makefile.am b/src/Makefile.am
index a25e84490b..c1bcf27359 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -220,7 +220,7 @@ endif
 endif
 
 # disable the tests that are mostly causing false positives
-TIDYFLAGS := -checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling -quiet
+TIDYFLAGS := -checks=-clang-analyzer-security.insecureAPI.bzero,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-optin.performance.Padding,-clang-analyzer-security.ArrayBound,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling -quiet
 if CURL_WERROR
 TIDYFLAGS += --warnings-as-errors=*
 endif
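Review bot: The new `TIDYFLAGS :=` value adds `-clang-analyzer-security.ArrayBound` without any per-check rationale, whereas the CMakeLists.txt copy of the same list records the clang-tidy version that motivated it; the only nearby comment, "disable the tests that are mostly causing false positives", does not say which header or version produced them, so nobody reading lib/Makefile.am later can tell when the suppression is safe to lift. Suggest a comment above the assignment such as `# -clang-analyzer-security.ArrayBound: false positives from FD_ISSET() in macOS SDK headers with clang-tidy v21 (see #18422)`, and the same comment on the identical change in the src/Makefile.am hunk. Because `--warnings-as-errors=*` is appended under `CURL_WERROR`, this check now fails neither the build nor CI, so the comment is the only place the lost coverage is recorded.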