Message ID | 20241206-pks-sign-compare-v4-1-0344c6dfb219@pks.im (mailing list archive) |
---|---|
State | Accepted |
Commit | 2121a76d71e6742fe9627289b45717663bcef832 |
Headers | show |
Series | Start compiling with `-Wsign-compare` | expand |
Patrick Steinhardt <ps@pks.im> writes: [snip] > diff --git a/git-compat-util.h b/git-compat-util.h > index a06d4f3809e5664863d4d0f312c88b3e1364ee74..e283c46c6fa06e4079851296a55c9bd5472a65b4 100644 > --- a/git-compat-util.h > +++ b/git-compat-util.h > @@ -44,6 +44,16 @@ struct strbuf; > #define GIT_GNUC_PREREQ(maj, min) 0 > #endif > > +#if defined(__GNUC__) || defined(__clang__) > +# define PRAGMA(pragma) _Pragma(#pragma) > +# define DISABLE_WARNING(warning) PRAGMA(GCC diagnostic ignored #warning) Seems like clang [1] also support `#pragma GCC diagnostic`, so this works with both. > +#else > +# define DISABLE_WARNING(warning) > +#endif > + > +#ifdef DISABLE_SIGN_COMPARE_WARNINGS > +DISABLE_WARNING(-Wsign-compare) > +#endif Looks good. Thanks [1]: https://clang.llvm.org/docs/UsersManual.html#controlling-diagnostics-via-pragmas
diff --git a/git-compat-util.h b/git-compat-util.h index a06d4f3809e5664863d4d0f312c88b3e1364ee74..e283c46c6fa06e4079851296a55c9bd5472a65b4 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -44,6 +44,16 @@ struct strbuf; #define GIT_GNUC_PREREQ(maj, min) 0 #endif +#if defined(__GNUC__) || defined(__clang__) +# define PRAGMA(pragma) _Pragma(#pragma) +# define DISABLE_WARNING(warning) PRAGMA(GCC diagnostic ignored #warning) +#else +# define DISABLE_WARNING(warning) +#endif + +#ifdef DISABLE_SIGN_COMPARE_WARNINGS +DISABLE_WARNING(-Wsign-compare) +#endif #ifndef FLEX_ARRAY /*
When compiling with DEVELOPER=YesPlease, we explicitly disable the "-Wsign-compare" warning. This is mostly because our code base is full of cases where we don't bother at all whether something should be signed or unsigned, and enabling the warning would thus cause tons of warnings to pop up. Unfortunately, disabling this warning also masks real issues. There have been multiple CVEs in the Git project that would have been flagged by this warning (e.g. CVE-2022-39260, CVE-2022-41903 and several fixes in the vicinity of these CVEs). Furthermore, the final audit report by X41 D-Sec, who are the ones who have discovered some of the CVEs, hinted that it might be a good idea to become more strict in this context. Now simply enabling the warning globally does not fly due to the stated reason above that we simply have too many sites where we use the wrong integer types. Instead, introduce a new set of macros that allow us to mark a file as being free of warnings with "-Wsign-compare". The mechanism is similar to what we do with `USE_THE_REPOSITORY_VARIABLE`: every file that is not marked with `DISABLE_SIGN_COMPARE_WARNINGS` will be compiled with those warnings enabled. These new markings will be wired up in the subsequent commits. Signed-off-by: Patrick Steinhardt <ps@pks.im> --- git-compat-util.h | 10 ++++++++++ 1 file changed, 10 insertions(+)