Inline suppressions for Cppcheck are possibly harmful #4419

the-risk-taker · 2024-07-15T12:51:16Z

the-risk-taker
Jul 15, 2024

Cppcheck has some nasty implications when encountering "breaking" issues like syntaxError - resulting in not performing analysis on every translation unit with "breaking" code. Which, as a result causes us to potentially have undetected problems in the code. Specially if somebody do:

cppcheck ... --suppress=*:*lib/*

Then, when we run the analysis we think that everything is ok, because Cppcheck does not report anything, but under the hood the analysis is not performed at all.

As an example project:

.
├── CMakeLists.txt
├── json
│   └── json.hpp
└── main.cpp

With CMake:

cmake_minimum_required(VERSION 3.21)
project(JsonAndCppcheck LANGUAGES CXX)

set(CMAKE_EXPORT_COMPILE_COMMANDS ON)

add_executable(example main.cpp json/json.hpp)

And program:

#include "json/json.hpp"

int main()
{
    int array[5] = {};
    array[5] = 5; // Cppcheck should report: Array 'array[5]' accessed at index 5, which is out of bounds. [arrayIndexOutOfBounds]
}

Calling:

cppcheck --check-level=exhaustive --project=build/compile_commands.json

we get:

$ cppcheck --check-level=exhaustive --project=build/compile_commands.json
Checking main.cpp ...
json/json.hpp:3409:49: error: syntax error [syntaxError]
    class BinaryType = std::vector<std::uint8_t>, // cppcheck-suppress syntaxError
                                                ^

which is fine - we see that the issue in in the lib, but then we probably do:

cppcheck --inline-suppr --check-level=exhaustive --project=build/compile_commands.json
or
cppcheck --suppress=*:*json/* --check-level=exhaustive --project=build/compile_commands.json

and finally we get:

$ cppcheck  --suppress=*:*json/* --check-level=exhaustive --project=build/compile_commands.json
Checking main.cpp ...

thinking that it's all fine but it's not.

I know that this is the Cppcheck issue not json code problem - but if here, in CI, similar steps as above are done, then probably the Cppcheck analysis is broken 🧐

After slightly breaking the code (removing the comma near the suppress comment - which is wrong, but keeps Cppcheck going) I get more expected results:

$ cppcheck --check-level=exhaustive --project=build/compile_commands.json
Checking main.cpp ...
main.cpp:6:10: error: Array 'array[5]' accessed at index 5, which is out of bounds. [arrayIndexOutOfBounds]
    array[5] = 5;
         ^
json/json.hpp:21253:13: error: Found an exit path from function with non-void return type that has missing return statement [missingReturn]
            }
            ^
json/json.hpp:21276:13: error: Found an exit path from function with non-void return type that has missing return statement [missingReturn]
            }
            ^

I went to the Cppcheck to submit the issue but already somebody has done that: https://trac.cppcheck.net/ticket/12923

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inline suppressions for Cppcheck are possibly harmful #4419

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Inline suppressions for Cppcheck are possibly harmful #4419

the-risk-taker Jul 15, 2024

Replies: 0 comments

the-risk-taker
Jul 15, 2024