Skip to content

[runtime] Fix warnings#138

Merged
mbouaziz merged 12 commits into
SkipLabs:mainfrom
mbouaziz:runtime-warnings
Mar 4, 2024
Merged

[runtime] Fix warnings#138
mbouaziz merged 12 commits into
SkipLabs:mainfrom
mbouaziz:runtime-warnings

Conversation

@mbouaziz

@mbouaziz mbouaziz commented Mar 4, 2024

Copy link
Copy Markdown
Contributor

In #135, @jberdine found that we used pointer arithmetic on void. This could have been avoided by enabling compiler warnings. So let's do it and fix a few more oddities.

I've run

set -a; SKARGO_PROFILE=dev; STAGE=2; PATH=$PWD/compiler/stage$STAGE/bin:$PATH; set +a; make clean && make -C compiler clean test && make test

as suggested by @jberdine

mbouaziz added 11 commits March 4, 2024 08:50
My VSCode is configured with format-on-save and uses the standard Microsoft C/C++ Extension Pack.
The changes looks legit.
It should probably be enforced by the CI, not sure it's worth it at this time.
Apparently the noreturn attribute is not enough to silence this warning.
but I didn't get rid of them completely
(add -Wsign-conversion if you want to see them)

@jberdine jberdine left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. There is one change noted inline that I don't know why the warning isn't pointing to a bug. It would be good to understand that before silencing the warning.

@@ -79,14 +79,15 @@ void sk_obstack_attach_page(char* lpage) {
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't comment on the commit summary, but does "My VSCode is configured with format-on-save and uses the standard Microsoft C/C++ Extension Pack." mean that it runs clang-format, or does its own thing?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was too lazy to check...
Looks like it's indeed clang-format: https://code.visualstudio.com/docs/cpp/cpp-ide#_code-formatting and it's using the .clang-format file already present.

Comment thread compiler/runtime/runtime.c
Comment thread compiler/runtime/runtime.c
Comment thread compiler/runtime/runtime32_specific.c
@mbouaziz mbouaziz merged commit 0ff7841 into SkipLabs:main Mar 4, 2024
@mbouaziz mbouaziz deleted the runtime-warnings branch March 4, 2024 15:32
Comment thread compiler/runtime/Makefile
@@ -1,8 +1,12 @@
MEMSIZE32=1073741824

COMMONFLAGS=-Wall -Wextra -Wno-sign-conversion -Wno-sometimes-uninitialized -Wno-c2x-extensions -Wsign-compare -Wextra-semi-stmt

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would probably throw in -Wconversion too. That tends to catch a lot of useful things.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

I actually did -Weverything and looked at warnings that appeared and could be worth fixing later.

@gregsexton

Copy link
Copy Markdown
Contributor

This is great! I've wanted to do this for a long time :D. If you've got cycles and fancy it: I was also thinking of throwing in ubsan and asan for debug builds.

@mbouaziz

mbouaziz commented Mar 5, 2024

Copy link
Copy Markdown
Contributor Author

I was also thinking of throwing in ubsan and asan for debug builds.

Created https://intern.skiplabs.io/tasks/3bHdAtQiSR_wcnxJtJ9uX_XdsUC for it ;-)

@gregsexton

Copy link
Copy Markdown
Contributor

Do we have -werror somewhere? Or are these all just warnings?

@mbouaziz

mbouaziz commented Mar 5, 2024

Copy link
Copy Markdown
Contributor Author

They are just warnings for now. werror would be good if people agree.

@bennostein

Copy link
Copy Markdown
Contributor

They are just warnings for now. werror would be good if people agree.

Bring on the -Werror!

@jberdine

jberdine commented Mar 5, 2024

Copy link
Copy Markdown
Contributor

They are just warnings for now. werror would be good if people agree.

Bring on the -Werror!

At least for the release profile, but I have to manually set CXXFLAGS when iterating on the compiler anyhow so adding -Wno-error ought to work.

@mbouaziz mbouaziz mentioned this pull request Mar 7, 2024
mbouaziz added a commit that referenced this pull request Mar 8, 2024
Follow-up of #138:
- adds warnings to `runtime64_specific.cpp` that I forgot in #138 
- minor fixes in `SKIP_open_file` and `SKIP_notify`
- `-Werror`
mbouaziz added a commit that referenced this pull request Jul 10, 2026
Closes Dependabot alert #339 (GHSA-v6wh-96g9-6wx3 / CVE-2026-53632,
medium — launch-editor NTLMv2 hash disclosure via UNC path handling on
Windows). www had launch-editor@2.13.2 (vulnerable range <= 2.14.0).

launch-editor is a transitive dep of webpack-dev-server (^2.6.1), so a
plain `npm update launch-editor --package-lock-only` bumps it to 2.14.1
within range — no override needed. Single-package, 4-line diff.

No breaking changes: 2.14.1 is the UNC-path security fix itself
("fix: reject UNC paths", #138); 2.14.0 adds package types and editor-
path detection fixes (Trae casing, vscode path) — all additive. The
public API (launch an editor) is unchanged.

launch-editor is dev-only tooling — webpack-dev-server's click-to-open-
in-editor overlay during `docusaurus start`, and the vuln is
Windows/UNC-specific; it never runs in CI or the shipped static site.

Closes #339.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
mbouaziz added a commit that referenced this pull request Jul 10, 2026
## Summary
Closes Dependabot alert
[#339](https://github.com/SkipLabs/skip/security/dependabot/339) —
[GHSA-v6wh-96g9-6wx3](GHSA-v6wh-96g9-6wx3)
/ CVE-2026-53632 (**medium**: `launch-editor` NTLMv2 hash disclosure via
UNC path handling on Windows). `www` had `launch-editor@2.13.2`
(vulnerable range `<= 2.14.0`).

## Fix
`launch-editor` is a transitive dep of `webpack-dev-server` (`^2.6.1`),
so a plain `npm update launch-editor --package-lock-only` bumps it to
**2.14.1** within range — no override needed. Single-package, 4-line
diff.

## Breaking-change check
Changelog 2.13.2 → 2.14.1:
- **v2.14.1**: `fix: reject UNC paths` (#138) — the security fix itself
— plus non-major dep bumps.
- **v2.14.0**: `feat: add and improve package types` (additive),
editor-path detection fixes (Trae casing, vscode path).

No breaking changes; the public API (launch an editor) is unchanged.

## Verification
- Fresh `npm install` → single `launch-editor@2.14.1`; no copy `<=
2.14.0`.
- Diff scoped to the one package; no lockfile drift.

`launch-editor` is dev-only tooling — `webpack-dev-server`'s
click-to-open-in-editor overlay during `docusaurus start` — and the vuln
is Windows/UNC-specific. It never runs in CI or reaches the shipped
static site.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants