y2038: eliminate false positives with automatic build system detection #7631
Conversation
Thanks for your contribution. Please add Also please add yourself to |
Added the buildsystem.py to |
I haven't really looked at the python code yet. Spontaneously I feel this is very interesting and will make the y2038 more useful!
It's unfortunate that the doc/y2038.txt is a text document. It would probably make sense to switch to markdown. And I'm not sure why we don't have the info in the manual instead.
https://github.com/danmar/cppcheck/blob/main/man/manual.md#y2038py
I don't understand why the manual points at https://github.com/3adev/y2038
do you think that makes sense?
I also moved from the |
addons/README.md
Outdated
@@ -16,6 +16,8 @@ Addons are scripts that analyses Cppcheck dump files to check compatibility with | |||
Enforces naming conventions across the code. Enhanced version with support for type prefixes in variable and function names. | |||
+ [findcasts.py](https://github.com/danmar/cppcheck/blob/main/addons/findcasts.py) | |||
Locates casts in the code. | |||
+ [y2038_buildsystem.py](https://github.com/danmar/cppcheck/blob/main/addons/y2038_buildsystem.py) |
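Review bot: y2038_buildsystem.py does not belong in this list. The list's own intro line in the hunk context ("Addons are scripts that analyses Cppcheck dump files") defines an addon as something users pass to --addon, while addons/doc/y2038.md in this PR calls y2038_buildsystem.py a helper script; it is also the only entry here without a description line under it (compare the findcasts.py entry just above). Drop the entry and describe the helper inside the y2038.py entry or in addons/doc/y2038.md instead.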
sorry.. but this is not an "addon", is it. So I would probably not mention this file here.
Fixed!
addons/doc/y2038.md
Outdated
For standalone build system analysis, you can still use the helper script directly: | ||
|
||
```bash | ||
python3 addons/y2038_buildsystem.py /path/to/your/project |
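Review bot: the standalone command `python3 addons/y2038_buildsystem.py /path/to/your/project` is shown without saying what it produces or how it relates to running cppcheck. State whether it runs cppcheck itself or only prints the Y2038 flags it found (and which build file they came from), and show a line of that output; if the script is only a helper imported by y2038.py, this section should go, since users have no reason to invoke it.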
what exactly does this command do? Does it execute cppcheck or are you supposed to execute cppcheck after this..
Fixed!
addons/doc/y2038.md
Outdated
The Y2038 addon seamlessly integrates with your existing cppcheck workflow. Simply use the addon flag with cppcheck: | ||
|
||
```bash | ||
cppcheck --addon=addons/y2038.py source_file.c |
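Review bot: `cppcheck --addon=addons/y2038.py source_file.c` analyses one file with no project, so none of the compile_commands.json flag detection this PR adds is in play and the example will still emit exactly the warnings the PR sets out to suppress. Lead with the project form the reviewer gives below, `cppcheck --project=build/compile_commands.json --addon=y2038`, and mention that the addon can be named without a path. "Seamlessly integrates with your existing cppcheck workflow" says nothing about behaviour; replace it with what the addon does when the flags are and are not found.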
cppcheck reads the compile_commands.json and it feels redundant that addons would do that also. Can't cppcheck pass the interesting info in the dump file? Which info from the compile_commands.json would you like?
Example command:
cppcheck --project=build/compile_commands.json --addon=y2038
Fixed!
The Y2038 addon currently generates false positive warnings when scanning codebases that are properly configured for Y2038 safety through build system flags, making it impractical for comprehensive codebase analysis. This prevents teams from running Y2038 checks across entire projects in CI/CD pipelines due to noise from correctly configured code.

Add automatic build system detection to discover Y2038-related compiler flags (_TIME_BITS=64, _FILE_OFFSET_BITS=64, _USE_TIME_BITS64) from:
- Makefile variants (Makefile, makefile, GNUmakefile, *.mk)
- CMake files (CMakeLists.txt, *.cmake)
- Meson build files (meson.build)
- Autotools scripts (configure, configure.ac, configure.in)
- Compiler flags passed via cppcheck -D options

When proper Y2038 configuration is detected (both _TIME_BITS=64 AND _FILE_OFFSET_BITS=64), suppress Y2038 warnings and display an informational message indicating the configuration source.

Implement hierarchical directory search up to 5 levels from source files to locate relevant build files, with flag precedence: build system > compiler flags > source code #define directives.

Add performance optimizations:
- Intelligent file caching with TTL-based invalidation
- UTF-8 BOM handling for cross-platform compatibility
- Robust import fallback system

Extend test suite with comprehensive coverage:
- Compiler flag parsing edge cases (18 test scenarios)
- Build system detection for all supported formats
- Caching behavior and performance validation
- Cross-platform file encoding handling

This enables organizations to run comprehensive Y2038 analysis on entire codebases without false positives from properly configured projects, while maintaining detection of actual Y2038 safety issues.
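The commit message above describes three sources of Y2038 configuration and a precedence between them (build system > compiler flags > source `#define`), plus the rule that only the pair `_TIME_BITS=64` and `_FILE_OFFSET_BITS=64` counts as configured. The block below is an added example written for this page, not code from cppcheck or from this PR. It implements the compiler-flag rung: fold `-D`/`-U` flags from a `compile_commands.json` left to right (last one wins, as GCC and Clang do), apply the both-macros rule per translation unit, and merge with source-level directives in the stated order. The `compile_commands.json` content and the function names are constructed for the example; the reviewer's point that cppcheck already reads `compile_commands.json` for `--project` stands, and in a real addon this logic would run over whatever cppcheck places in the dump rather than re-reading the file.

```python
"""Y2038 flag detection over compile_commands.json and -D/-U flags (added example).

Not code from cppcheck or from this PR. Sample compile_commands.json below is constructed.
"""
import json
import re
import shlex
from typing import Dict, List, Optional, Tuple

# name -> value; None records an explicit -U / #undef so it can override an earlier define.
Defines = Dict[str, Optional[str]]

# Both macros are needed for 64-bit time_t on 32-bit glibc (2.34+); this is the PR's rule.
REQUIRED = {"_TIME_BITS": "64", "_FILE_OFFSET_BITS": "64"}


def _flag_at(argv: List[str], i: int) -> Optional[Tuple[str, str, int]]:
    """Recognise -DNAME[=V], -D NAME[=V], -UNAME, -U NAME at argv[i].
    Returns (kind, body, args_consumed), or None if argv[i] is not a define flag."""
    arg = argv[i]
    if arg in ("-D", "-U"):
        return (arg, argv[i + 1], 2) if i + 1 < len(argv) else None
    if arg[:2] in ("-D", "-U") and len(arg) > 2:
        return arg[:2], arg[2:], 1
    return None


def parse_defines(argv: List[str]) -> Defines:
    """Fold -D/-U flags left to right so the last occurrence wins, like the compiler."""
    defines: Defines = {}
    i = 0
    while i < len(argv):
        hit = _flag_at(argv, i)
        if hit is None:
            i += 1
            continue
        kind, body, consumed = hit
        name, has_value, value = body.partition("=")
        # A bare -DNAME defines NAME as 1; -UNAME records an explicit undef.
        defines[name] = (value if has_value else "1") if kind == "-D" else None
        i += consumed
    return defines


_DIRECTIVE = re.compile(r"^#\s*(define|undef)\s+(\w+)(?:\s+(.*?))?\s*$")


def parse_source_directives(directives: List[str]) -> Defines:
    """Parse '#define NAME VALUE' / '#undef NAME' strings into the same name -> value form."""
    defines: Defines = {}
    for line in directives:
        m = _DIRECTIVE.match(line)
        if m:
            kind, name, value = m.groups()
            defines[name] = (value or "1") if kind == "define" else None
    return defines


def effective_defines(build_system: Defines, compiler_flags: Defines, source: Defines) -> Defines:
    """Precedence from the commit message: build system > compiler flags > source #define."""
    merged: Defines = dict(source)
    merged.update(compiler_flags)
    merged.update(build_system)
    return merged


def y2038_status(defines: Defines) -> Tuple[bool, List[str]]:
    """Configured only when every REQUIRED macro is present with the required value."""
    missing = [f"{k}={v}" for k, v in REQUIRED.items() if defines.get(k) != v]
    return not missing, missing


def tu_argv(entry: dict) -> List[str]:
    """compile_commands.json entries carry 'arguments' (a list) or 'command' (a shell string)."""
    if "arguments" in entry:
        return list(entry["arguments"])
    return shlex.split(entry["command"])


def scan_compile_commands(text: str) -> Dict[str, dict]:
    """Per translation unit: is it Y2038-configured and, if not, which macro is missing."""
    report = {}
    for entry in json.loads(text):
        ok, missing = y2038_status(parse_defines(tu_argv(entry)))
        report[entry["file"]] = {"configured": ok, "missing": missing}
    return report


# Constructed sample: the argument forms a real compile_commands.json mixes, plus a late -U.
SAMPLE_COMPILE_COMMANDS = json.dumps([
    {"directory": "/build", "file": "/src/safe.c",
     "command": "gcc -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 -c /src/safe.c -o safe.o"},
    {"directory": "/build", "file": "/src/half.c",
     "arguments": ["gcc", "-D_TIME_BITS=64", "-c", "/src/half.c"]},
    {"directory": "/build", "file": "/src/undef.c",
     "command": "gcc -D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64 -U_TIME_BITS -c /src/undef.c"},
    {"directory": "/build", "file": "/src/spaced.c",
     "arguments": ["cc", "-D", "_TIME_BITS=64", "-D", "_FILE_OFFSET_BITS=64", "-c", "/src/spaced.c"]},
])

if __name__ == "__main__":
    for path, r in scan_compile_commands(SAMPLE_COMPILE_COMMANDS).items():
        state = "configured" if r["configured"] else "missing " + ", ".join(r["missing"])
        print(f"{path}: {state}")
```

The `undef.c` entry is the case a naive substring search for `_TIME_BITS=64` gets wrong: the macro is defined and then undefined on the same command line, so the unit is not configured. `half.c` shows why the rule demands both macros rather than either one.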
In Linux, the current date and time is kept as the number of seconds elapsed | ||
since the Unix epoch, that is, since January 1st, 1970 at 00:00:00 GMT. | ||
|
||
Most of the time, this representation is stored as a 32-bit signed quantity. |
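Review bot: "Most of the time, this representation is stored as a 32-bit signed quantity" is no longer accurate and undercuts the addon's own rationale. time_t is 64-bit on every mainstream 64-bit ABI; on 32-bit glibc it is 32-bit unless the build defines _TIME_BITS=64 together with _FILE_OFFSET_BITS=64 (supported since glibc 2.34), and musl made time_t 64-bit unconditionally in 1.2.0. Rewrite the sentence to say that time_t is a signed 32-bit integer on 32-bit ABIs built without those macros, which is exactly the condition the addon now checks for, and keep the epoch description above it as is.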
hmm.. you did not write this.
But I am skeptical that it is still correct to say "Most of the time". On my computer, time_t is a 64-bit integer as far as I see. Do you know some common platform that uses 32-bit signed integer?
@@ -7,7 +7,7 @@ Addons are scripts that analyses Cppcheck dump files to check compatibility with | |||
+ [misra.py](https://github.com/danmar/cppcheck/blob/main/addons/misra.py) | |||
Used to verify compliance with MISRA C 2012 - a proprietary set of guidelines to avoid such questionable code, developed for embedded systems. Since this standard is proprietary, cppcheck does not display error text by specifying only the number of violated rules (for example, [c2012-21.3]). If you want to display full texts for violated rules, you will need to create a text file containing MISRA rules, which you will have to pass when calling the script with `--rule-texts` key. Some examples of rule texts files available in [tests directory](https://github.com/danmar/cppcheck/blob/main/addons/test/misra/). | |||
+ [y2038.py](https://github.com/danmar/cppcheck/blob/main/addons/y2038.py) | |||
Checks Linux system for [year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem) safety. This required [modified environment](https://github.com/3adev/y2038). See complete description [here](https://github.com/danmar/cppcheck/blob/main/addons/doc/y2038.txt). | |||
Checks code for [year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem) safety. Integrates with cppcheck's project parsing to automatically extract Y2038-related compiler flags from `compile_commands.json` and other build system configurations. See complete description [here](https://github.com/danmar/cppcheck/blob/main/addons/doc/y2038.md). |
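Review bot: the sentence "Integrates with cppcheck's project parsing to automatically extract Y2038-related compiler flags from `compile_commands.json` and other build system configurations" describes something cppcheck does for every addon when run with --project (see the reviewer's `cppcheck --project=build/compile_commands.json --addon=y2038` above), so it should not be advertised as a feature of y2038.py; keep the first sentence and the link. Since the `-` line's link to addons/doc/y2038.txt is replaced by addons/doc/y2038.md here, confirm that y2038.txt is deleted in the same PR and that nothing else (man/manual.md is also touched in this diff) still points at the old file.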
imho.. I don't know if "Integrates with cppcheck's project parsing to automatically extract Y2038-related compiler flags from compile_commands.json and other build system configurations." makes sense. This is a natural consequence of all cppcheck addons..
|
||
## Testing | ||
|
||
The Y2038 addon includes comprehensive test suites to ensure reliability and correctness: |
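Review bot: a "## Testing" section that tells users the addon "includes comprehensive test suites to ensure reliability and correctness" is developer information, not usage documentation; nothing in it helps someone running the addon. Move the description of the test suite to the PR description or a comment in addons/test, and keep addons/doc/y2038.md to what the addon checks, which flags it recognises, and when it suppresses warnings.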
hmm imho user documentation should not say how it's tested.
@@ -0,0 +1,228 @@ | |||
#!/usr/bin/env python3 |
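Review bot: only the shebang of this 228-line new file is shown, and the reviewer's question above whether it is still needed is the right one: if y2038.py now gets the flags it needs from what cppcheck passes to addons, a separate standalone script duplicates that and should be dropped. If it stays, a `#!/usr/bin/env python3` line only makes sense with the executable bit set in git, and the file needs a module docstring saying whether it is meant to be imported by y2038.py or run on its own.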
do we still need this file?
@@ -1037,7 +1037,7 @@ Example configuration of naming conventions: | |||
|
|||
### y2038.py | |||
|
|||
[y2038.py](https://github.com/danmar/cppcheck/blob/main/addons/y2038.py) checks Linux systems for [year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem) safety. This required [modified environment](https://github.com/3adev/y2038). See complete description [here](https://github.com/danmar/cppcheck/blob/main/addons/doc/y2038.txt). | |||
[y2038.py](../addons/doc/y2038.md) checks Linux systems for [year 2038 problem](https://en.wikipedia.org/wiki/Year_2038_problem) safety. |
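Review bot: the `+` line puts the link text `y2038.py` on the doc file `../addons/doc/y2038.md` using a relative path, while the `-` line it replaces (and the addons/README.md entries elsewhere in this diff) use absolute https://github.com/danmar/cppcheck/... URLs; the manual is rendered to HTML and PDF outside the repository tree, where that relative link does not resolve. Link `y2038.py` to the script and the description to the .md doc, both as absolute URLs, and drop "checks Linux systems" as the reviewer suggests: the check is about code compiled with a 32-bit time_t, not a particular OS.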
I don't know if it should point at "Linux". According to your tweaks it sounds like MSVC builds can be vulnerable.
I think it's great that you fix the y2038 addon!