Issues with cppcheck 2.4.1, 2.5
cppcheck 2.4.1 is now available, but, while it fixes one of the issues with cppcheck 2.3, it also introduces a new set of false positives we would have to deal with. IMHO we should skip updating to this version for the time being.
cppcheck 2.4.1 triggers the following type of false positives:
```
lib/isc/netaddr.c:274:8: warning: The address of local variable 'in' might be accessed at non-zero index. [objectIndex]
if (p[i] != 0xFF) {
^
lib/isc/netaddr.c:263:30: note: Address of variable taken here.
p = (const unsigned char *)&s->type.in;
^
lib/isc/netaddr.c:274:8: note: The address of local variable 'in' might be accessed at non-zero index.
if (p[i] != 0xFF) {
^
```
The affected files are:
- bin/dnssec/dnssec-cds.c
- lib/dns/ecs.c
- lib/dns/resolver.c
- lib/isc/netaddr.c
- lib/ns/client.c
It seems that cppcheck gets confused about data sizes when structure pointers are explicitly cast.
Multiple upstream reports about similar issues have already been opened:
- https://trac.cppcheck.net/ticket/10133
- https://trac.cppcheck.net/ticket/10213
- https://trac.cppcheck.net/ticket/10154
- https://trac.cppcheck.net/ticket/10156
None of the above problems have yet been resolved in cppcheck's main
branch, therefore I did not bother to create yet another upstream issue
for this. I suggest we wait and see what happens in future cppcheck
releases.
Upstream commit c267d85640523c045c7d43ba7ce9c0f305423c5d triggers the following type of false positives:
```
lib/isc/base64.c:119:10: warning: Either the condition 'ctx->digits==4' is redundant or the array 'ctx->val[4]' is accessed at index 4, which is out of bounds. [arrayIndexOutOfBoundsCond]
ctx->val[ctx->digits++] = (int)(s - base64);
^
lib/isc/base64.c:120:18: note: Assuming that condition 'ctx->digits==4' is not redundant
if (ctx->digits == 4) {
^
lib/isc/base64.c:119:10: note: Array index out of bounds
ctx->val[ctx->digits++] = (int)(s - base64);
^
```
The affected files are:
- lib/isc/base64.c
- lib/isc/base32.c
- lib/isc/hex.c
I reported this upstream because it is still not addressed in cppcheck's development branch.
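The explicit-cast shape behind the objectIndex report on lib/isc/netaddr.c, reduced to a stand-alone function. This is an added example, not BIND's code: `in4_ex`, `in6_ex`, `netaddr_ex` and `mask_to_prefixlen_ex` are hypothetical names. The loop bound is the size of the member the pointer was taken from, so every `p[i]` stays inside that member; whether a given cppcheck release flags this reduction was not checked.

```c
#include <stddef.h>

/* Constructed stand-ins for this example; not the types in lib/isc/netaddr.c. */
struct in4_ex { unsigned char b[4]; };
struct in6_ex { unsigned char b[16]; };
struct netaddr_ex {
    int family; /* 4 or 6 in this example */
    union {
        struct in4_ex in;
        struct in6_ex in6;
    } type;
};

/*
 * Netmask to prefix length, walking the address bytes through an explicitly
 * cast pointer. Returns 0 on success, -1 for an unknown family or a
 * non-contiguous mask.
 */
int mask_to_prefixlen_ex(const struct netaddr_ex *s, unsigned int *lenp) {
    const unsigned char *p;
    size_t ipbytes, i;
    unsigned int nbits = 0;

    switch (s->family) {
    case 4:
        p = (const unsigned char *)&s->type.in;
        ipbytes = sizeof(s->type.in); /* 4, so p[0..3] stay inside 'in' */
        break;
    case 6:
        p = (const unsigned char *)&s->type.in6;
        ipbytes = sizeof(s->type.in6); /* 16 */
        break;
    default:
        return -1;
    }
    for (i = 0; i < ipbytes && p[i] == 0xFF; i++) /* bound: member's own size */
        nbits += 8;
    if (i < ipbytes) {
        unsigned int c = p[i++]; /* first byte that is not 0xFF */
        for (; (c & 0x80) != 0; c <<= 1)
            nbits++;
        if ((c & 0xFF) != 0)
            return -1; /* a 1 bit after the first 0 bit */
    }
    for (; i < ipbytes; i++)
        if (p[i] != 0)
            return -1;
    *lenp = nbits;
    return 0;
}
```

Because the index never exceeds `sizeof` of the member behind the cast, a suppression for this shape can be scoped to the objectIndex id on the affected lines rather than disabling the check globally.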