Skip to content

Fix various problems and bugs detected by cppcheck#3334

Merged
BsAtHome merged 17 commits intoLinuxCNC:masterfrom
BsAtHome:fix_cppcheck-various
Feb 26, 2025
Merged

Fix various problems and bugs detected by cppcheck#3334
BsAtHome merged 17 commits intoLinuxCNC:masterfrom
BsAtHome:fix_cppcheck-various

Conversation

@BsAtHome
Copy link
Copy Markdown
Contributor

@BsAtHome BsAtHome commented Feb 9, 2025

This PR has an assortment of fixes for cppcheck detected problems and some are real bugs. Fixes include:

  • The hal/drivers/mesa-hostmot2/sserial.c had a 5 year old warning "fix" that demoted 64-bit values to int. That fix ignored the actual use-case and resulted in a 32-bit value being shifted by 48 and failing the intended test.
  • Several instances had array index tests that were performed after the array index dereference. These tests needed to be reversed.
  • Pushing NULL as a (string list) terminating argument in an vararg function may fail because NULL is not guaranteed to be a pointer. It must be force-cast to pointer to become a proper terminator.
  • Multiple places where variables were not properly initialized.
  • realloc() can fail and it will leak memory if the argument pointer is reassigned before testing.
  • Several cppcheck false positives or intentional constructs were marked to have the message suppressed.
  • Limit sscanf %s format to the argument buffer size minus one (like in %255s).
  • A buffer free intended to clear the pointer variable but was missing a dereference.

BsAtHome added 17 commits February 9, 2025 12:56
@BsAtHome
Add missing initialization.
f741078
@BsAtHome
Cast via void to allow double cast.
8b3a6d0
@BsAtHome
Test the index before dereference not after.
ea5bea3
@BsAtHome
Use explicit length arrays to prevent ambiguity.
e0b2e75
@BsAtHome
Do explicit and exact range tests before indexing.
e7370ec
@BsAtHome
Suppress memleak message from cppcheck. It is a false positive.
6a39c1b
@BsAtHome
Prevent sscanf string reads beyond the supplied buffer.
fb62249
@BsAtHome
Ensure terminating NULL to be a pointer.
63d6c24
@BsAtHome
Method isInitialized() is used in an assert statement and must ensure…
e5ede22 
… no side-effects can occur.

Fix missing dereference in clearing pin reference.
@BsAtHome
Use stringsize-1 as max in format.
6b3e758
@BsAtHome
Cppcheck has a false positive on va_copy(). Ignore the message.
d269643
@BsAtHome
The 64-bit values must not be demoted in size or the shift by max 48 …
01826c7 
…will improperly clear the value entirely.

The abs() function must be promoted in size and use labs().
@BsAtHome
Suppress intentional NULL dereference.
68f432e
@BsAtHome
Function realloc() can fail. Don't leak memory if it does.
9a51ad8 
Fix wrong variable in NULL test (copy/paste error).
@BsAtHome
Don't test the loop variable for values not in the loop's range.
d833638
@BsAtHome
Cppcheck does not know how FormatMessage() works. Ignore the message.
a4c80fb 
Add LocalFree() to prevent leak.
@BsAtHome
Negative value shift is problematic. Force unsigned.
3a95ea0
@smoe
Copy link
Copy Markdown
Collaborator

smoe commented Feb 18, 2025

This is very nice work of yours, thank you tons for this.

smoe
smoe reviewed Feb 18, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@smoe smoe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My attempts to educate myself on this one have failed. My initial hunch was "alignment", but that should have happened right at the initialisiation of the char*? Maybe by introducing https://en.cppreference.com/w/cpp/language/alignas ?

The transition from the char* pByte to the double* could be more formally done by reinterpret_cast, but since the compiler already accepts this, I think this this just fine?

Comment thread src/hal/user_comps/xhc-whb04b-6/hal.cc
Comment thread src/emc/ini/initraj.cc
Comment thread src/hal/utils/scope_disp.c
@BsAtHome
Copy link
Copy Markdown
Contributor Author

BsAtHome commented Feb 18, 2025

The transition from the char* pByte to the double* could be more formally done by reinterpret_cast, but since the compiler already accepts this, I think this this just fine?

This is C-code, no reinterpret_cast available...

The problem with a char* to double* cast is alignment. It is a type-punned pointer and can fail dereference at runtime if not careful. However, the case here guarantees that the pointer is properly aligned.

The default trick is to cast twice, once over void*, to force the compiler to accept the type-pun.

@smoe
Copy link
Copy Markdown
Collaborator

smoe commented Feb 18, 2025
edited
Loading

The transition from the char* pByte to the double* could be more formally done by reinterpret_cast, but since the compiler already accepts this, I think this this just fine?

This is C-code, no reinterpret_cast available...

:-) And no alignas.

The problem with a char* to double* cast is alignment. It is a type-punned pointer and can fail dereference at runtime if not careful. However, the case here guarantees that the pointer is properly aligned.

The default trick is to cast twice, once over void*, to force the compiler to accept the type-pun.

You then tricked the compiler, but the cpu could then still not accept the double at that position? To avoid that, should then at

linuxcnc/src/hal/classicladder/arrays.c

Line 176 in 8b3a6d0

unsigned char *pByte;

the pByte be initialized as a double* ?

@BsAtHome
Copy link
Copy Markdown
Contributor Author

BsAtHome commented Feb 18, 2025

The default trick is to cast twice, once over void*, to force the compiler to accept the type-pun.

You then tricked the compiler, but the cpu could then still not accept the double at that position? To avoid that, should then at

[snip]
This code has never failed, so the alignment is probably fine. It is (very) ugly code when you need this extra casting at all, but fixing that is not an option.

On amd64 it does not fail because the pointer is 22 aligned. For arm64 it might be a problem when only on a 22 boundary, but that has not happened either yet. Therefore, I think we are safe here to silence the compiler warning.

@smoe
Copy link
Copy Markdown
Collaborator

smoe commented Feb 18, 2025

The default trick is to cast twice, once over void*, to force the compiler to accept the type-pun.

You then tricked the compiler, but the cpu could then still not accept the double at that position? To avoid that, should then at

[snip] This code has never failed, so the alignment is probably fine. It is (very) ugly code when you need this extra casting at all, but fixing that is not an option.

On amd64 it does not fail because the pointer is 22 aligned. For arm64 it might be a problem when only on a 22 boundary, but that has not happened either yet. Therefore, I think we are safe here to silence the compiler warning.

I agree. Maybe just leave a comment?

@BsAtHome BsAtHome merged commit ef152ae into LinuxCNC:master Feb 26, 2025
@BsAtHome BsAtHome mentioned this pull request May 6, 2025
Merged
@andypugh andypugh mentioned this pull request May 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@smoe smoe smoe approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BsAtHome @smoe