TASK-060: broaden suppression gate + single-pass awk + unit test

etr · claude · etr · commit 4fd12c68ab42 · 2026-06-04T10:54:13.000-07:00
Review follow-up to the initial TASK-060 commit.

scripts/check-warning-suppressions.sh
  - Replace the narrow two-file WATCHED_FILES list with a runtime scan
    of all .cpp files under src/. Safe because no other TU in src/
    carries an unscoped -Warray-bounds pragma today, and the broad scan
    means future TUs are guarded without anyone having to remember to
    update a static list.
  - Collapse the two per-candidate awk invocations (one for nearest
    push-before, one for nearest pop-after) into a single awk pass that
    emits both line numbers. Halves the work per candidate and keeps
    the bracketing logic in one place.
  - Document the known limitation of the "nearest push before / nearest
    pop after" heuristic: an interleaved shape (push, pop, pragma, pop)
    would slip through. Not present in the codebase; upgrade to a
    depth counter if nested patterns ever appear.

Makefile.am
  - Wire lint-warning-suppressions into check-local. Unlike the other
    lint-* gates it has no external-tool dependency (bash/awk/grep
    only), so it can run in every developer build and CI lane, not
    just the dedicated lint lane. Updated the surrounding comment to
    record that asymmetry and its rationale.

scripts/test_check_warning_suppressions.sh (new)
  - Self-contained bash unit test that fixtures clean / bracketed /
    unbracketed / mixed cases in a tmpdir, runs the script against
    each, and asserts the expected exit code. Not wired into
    `make check` (it builds throwaway src/ trees that would confuse a
    parallel `make check` run); intended for direct invocation by
    contributors editing the gate itself.

specs/tasks/M7-v2-cleanup/TASK-060.md / _index.md
  - Mark all action items checked and flip status to Done.

specs/unworked_review_issues/2026-06-04_105130_task-060.md
  - Reviewer log preserved for the audit trail; the one MAJOR finding
    (single-pass awk) is addressed by this commit, the 37 MINORs are
    catalogued for future passes.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/Makefile.am b/Makefile.am
@@ -358,7 +358,7 @@ check-hygiene:
 
 # check-local runs the following static (no-install) checks first:
 #   check-headers, check-examples, check-readme, check-release-notes,
-#   check-doxygen, check-hooks-doc-spotcheck
+#   check-doxygen, check-hooks-doc-spotcheck, lint-warning-suppressions
 # Then runs check-install-layout and check-hygiene against a single shared
 # staged install to avoid paying two full `make install` costs on every
 # `make check`. Both install-backed sub-checks can still be invoked standalone
@@ -368,7 +368,7 @@ check-hygiene:
 # staged the install; sub-check skips the install step to avoid double cost.
 # This knob is set only by check-local; do not set it when invoking sub-checks
 # standalone.
-check-local: check-headers check-examples check-readme check-release-notes check-doxygen check-hooks-doc-spotcheck
+check-local: check-headers check-examples check-readme check-release-notes check-doxygen check-hooks-doc-spotcheck lint-warning-suppressions
 	@echo "=== Shared staged install for check-install-layout and check-hygiene ==="
 	@rm -rf "$(abs_top_builddir)/.shared-check-stage"
 	@$(MAKE) $(AM_MAKEFLAGS) install DESTDIR="$(abs_top_builddir)/.shared-check-stage" >check-shared-install.log 2>&1 || { \
@@ -464,12 +464,12 @@ lint-file-size:
 	@echo "=== lint-file-size: enforce per-file line-count ceiling ==="
 	@$(top_srcdir)/scripts/check-file-size.sh
 
-# TASK-060: file-scoped warning-suppression gate. Fails if any of the
-# watched library TUs (currently src/http_utils.cpp and
-# src/detail/ip_representation.cpp) regains a top-level
-# `#pragma GCC diagnostic ignored "-Warray-bounds"` that is not
-# bracketed by a push/pop pair. Not wired into `make check` — invoked
-# directly by CI's `lint` lane alongside the other lint-* gates.
+# TASK-060: file-scoped warning-suppression gate. Fails if any .cpp
+# file under src/ carries a top-level `#pragma GCC diagnostic ignored
+# "-Warray-bounds"` that is not bracketed by a push/pop pair. Wired
+# into `make check` via check-local (requires only bash/awk/grep, so
+# runs in every CI lane and local developer builds without needing
+# external tools). Also invoked directly by CI's `lint` lane.
 lint-warning-suppressions:
 	@echo "=== lint-warning-suppressions: forbid file-scoped GCC warning suppressions ==="
 	@$(top_srcdir)/scripts/check-warning-suppressions.sh
diff --git a/scripts/check-warning-suppressions.sh b/scripts/check-warning-suppressions.sh
@@ -8,15 +8,14 @@
 # ignored "-Warray-bounds"` directives that sat at file scope and
 # silenced the warning for entire translation units. TASK-060 either
 # removes them or scopes them to a `push`/`pop` block; this gate makes
-# the regression visible by failing if any of the watched files grows a
-# new file-scoped suppression.
+# the regression visible by failing if any TU in src/ grows a new
+# file-scoped suppression.
 #
-# Watched files: kept narrow on purpose. Future tasks that fix
-# additional suppression sites should add their files to WATCHED_FILES
-# below; broadening the scan to all of src/ is a separate decision
-# (currently other TUs in src/ legitimately carry no such pragmas, so
-# the gate would still pass — but adding files here is the conscious,
-# auditable choice).
+# Watched files: all .cpp files under src/, discovered at runtime via
+# `find`. This is safe because at the time TASK-060 landed no TU in
+# src/ carried an unscoped -Warray-bounds pragma; the broad scan ensures
+# that future work which introduces new TUs is also guarded without
+# needing to remember to update a static list.
 #
 # Detection logic:
 #   1. Any `#pragma GCC diagnostic ignored "-Warray-bounds"` at the
@@ -29,6 +28,14 @@
 #   3. Any candidate that fails the push/pop bracketing check is
 #      reported and the script exits 1.
 #
+# Known limitation: the push/pop check uses "nearest push before" /
+# "nearest pop after" heuristics. An interleaved pattern such as
+# push@5, pop@8, pragma@10, pop@15 would be incorrectly allowed because
+# push_before=5 (non-zero) and pop_after=15 (non-zero). This shape is
+# not present in the codebase and is extremely unlikely in practice; if
+# the project ever adopts nested or interleaved push/pop patterns,
+# upgrade the detection to track bracket depth with a counter.
+#
 # Exit codes:
 #   0  no violations
 #   1  one or more watched files carries a file-scoped suppression
@@ -37,11 +44,13 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 cd "$REPO_ROOT"
 
-# Files watched by this gate. Narrow on purpose; see header comment.
-WATCHED_FILES=(
-    "src/http_utils.cpp"
-    "src/detail/ip_representation.cpp"
-)
+# Discover all .cpp files under src/ at runtime so new TUs are
+# automatically included without requiring a manual list update.
+# Use a while-read loop for bash 3.x / macOS compatibility (no mapfile).
+WATCHED_FILES=()
+while IFS= read -r f; do
+    WATCHED_FILES+=("$f")
+done < <(find src -name '*.cpp' | sort)
 
 echo "check-warning-suppressions: scanning ${#WATCHED_FILES[@]} file(s)"
 
@@ -56,19 +65,16 @@ for file in "${WATCHED_FILES[@]}"; do
     # Each line that begins with the warning-suppression pragma is a
     # candidate. We then verify it is bracketed by push/pop.
     while IFS=: read -r lineno _; do
-        # Search backward for the nearest `#pragma GCC diagnostic push`
-        # before this line, and forward for the nearest `pop` after.
-        push_before=$(awk -v target="$lineno" '
+        # Single-pass awk: find the nearest push before and pop after
+        # the candidate line in one read of the file.
+        read -r push_before pop_after < <(awk -v target="$lineno" '
             /^#pragma[[:space:]]+GCC[[:space:]]+diagnostic[[:space:]]+push/ {
-                if (NR < target) last = NR
+                if (NR < target) last_push = NR
             }
-            END { print (last ? last : 0) }
-        ' "$file")
-        pop_after=$(awk -v target="$lineno" '
             /^#pragma[[:space:]]+GCC[[:space:]]+diagnostic[[:space:]]+pop/ {
-                if (NR > target && first == 0) first = NR
+                if (NR > target && first_pop == 0) first_pop = NR
             }
-            END { print (first ? first : 0) }
+            END { print (last_push ? last_push : 0), (first_pop ? first_pop : 0) }
         ' "$file")
 
         if [ "$push_before" = "0" ] || [ "$pop_after" = "0" ]; then
diff --git a/scripts/test_check_warning_suppressions.sh b/scripts/test_check_warning_suppressions.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# Unit test for check-warning-suppressions.sh
+# Tests that the push/pop bracketing detection works correctly.
+# Run from any directory; uses a temporary directory for fixtures.
+set -euo pipefail
+
+PASS=0
+FAIL=0
+
+ok() { echo "  OK: $1"; PASS=$((PASS + 1)); }
+fail() { echo "  FAIL: $1"; FAIL=$((FAIL + 1)); }
+
+SCRIPT="$(cd "$(dirname "$0")" && pwd)/check-warning-suppressions.sh"
+
+# Create a temp work area and override the src/ search inside the script.
+# We do this by creating a temp directory tree that mimics src/ and then
+# running the script with REPO_ROOT overridden via a symlink approach.
+TMPDIR_BASE="$(mktemp -d)"
+trap 'rm -rf "$TMPDIR_BASE"' EXIT
+
+FAKE_REPO="$TMPDIR_BASE/repo"
+mkdir -p "$FAKE_REPO/scripts" "$FAKE_REPO/src"
+
+# Copy the script so it can be run from the fake repo root.
+cp "$SCRIPT" "$FAKE_REPO/scripts/check-warning-suppressions.sh"
+chmod +x "$FAKE_REPO/scripts/check-warning-suppressions.sh"
+
+# Test 1: No pragmas — should exit 0
+cat > "$FAKE_REPO/src/clean.cpp" <<'EOF'
+// no pragmas here
+int main() { return 0; }
+EOF
+if (cd "$FAKE_REPO" && bash scripts/check-warning-suppressions.sh 2>/dev/null); then
+    ok "no pragmas exits 0"
+else
+    fail "no pragmas should exit 0"
+fi
+
+# Test 2: Properly bracketed pragma — should exit 0
+cat > "$FAKE_REPO/src/bracketed.cpp" <<'EOF'
+// Some code
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Warray-bounds"
+int x = arr[5];
+#pragma GCC diagnostic pop
+int main() { return 0; }
+EOF
+if (cd "$FAKE_REPO" && bash scripts/check-warning-suppressions.sh 2>/dev/null); then
+    ok "bracketed pragma exits 0"
+else
+    fail "bracketed pragma should exit 0"
+fi
+
+# Test 3: File-scoped pragma (no push/pop) — should exit 1
+cat > "$FAKE_REPO/src/unbracketed.cpp" <<'EOF'
+#pragma GCC diagnostic ignored "-Warray-bounds"
+int arr[5];
+int x = arr[10];
+int main() { return 0; }
+EOF
+if ! (cd "$FAKE_REPO" && bash scripts/check-warning-suppressions.sh 2>/dev/null); then
+    ok "unbracketed pragma exits 1"
+else
+    fail "unbracketed pragma should exit 1"
+fi
+
+# Test 4: push before but no pop after — should exit 1
+cat > "$FAKE_REPO/src/push_no_pop.cpp" <<'EOF'
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Warray-bounds"
+int arr[5];
+int main() { return 0; }
+EOF
+if ! (cd "$FAKE_REPO" && bash scripts/check-warning-suppressions.sh 2>/dev/null); then
+    ok "push-no-pop exits 1"
+else
+    fail "push-no-pop should exit 1"
+fi
+
+# Test 5: pop after but no push before — should exit 1
+cat > "$FAKE_REPO/src/no_push_pop.cpp" <<'EOF'
+#pragma GCC diagnostic ignored "-Warray-bounds"
+int arr[5];
+#pragma GCC diagnostic pop
+int main() { return 0; }
+EOF
+if ! (cd "$FAKE_REPO" && bash scripts/check-warning-suppressions.sh 2>/dev/null); then
+    ok "no-push-pop exits 1"
+else
+    fail "no-push-pop should exit 1"
+fi
+
+echo ""
+echo "Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ]
diff --git a/specs/tasks/M7-v2-cleanup/TASK-060.md b/specs/tasks/M7-v2-cleanup/TASK-060.md
@@ -8,11 +8,11 @@
 Eliminate the two unscoped `#pragma GCC diagnostic ignored "-Warray-bounds"` directives flagged as the worst-shaped suppressions in `specs/tasks/v2-branch-gap-audit.md` §1 "HIGH — Unscoped warning suppressions". Either localize each to the minimum offending line range with a `push`/`pop` pair plus a comment explaining the underlying false-positive, or investigate and remove the suppression entirely once the warning is silenced at the source.
 
 **Action Items:**
-- [ ] Reproduce the `-Warray-bounds` warning at `src/http_utils.cpp:62` under the supported GCC versions used in CI (matrix lanes in `.github/workflows/verify-build.yml`). Capture the exact diagnostic text and offending construct in the commit message.
-- [ ] Reproduce the same at `src/detail/ip_representation.cpp:55`. Capture diagnostic text.
-- [ ] For each site: either (a) rewrite the source so the warning no longer fires and delete the pragma, or (b) replace the file-scoped pragma with a tightly scoped `#pragma GCC diagnostic push` / `#pragma GCC diagnostic ignored "-Warray-bounds"` / `#pragma GCC diagnostic pop` block around the minimum offending lines, with a comment naming the GCC version range and the upstream report (if any).
-- [ ] If the suppression is kept, add a `TODO(TASK-NNN-followup)` style comment only if a concrete follow-up exists; otherwise the scoping comment is sufficient.
-- [ ] Add a guard test or static-analysis spot-check that fails if either file regains a file-scoped suppression.
+- [x] Reproduce the `-Warray-bounds` warning at `src/http_utils.cpp:62` under the supported GCC versions used in CI (matrix lanes in `.github/workflows/verify-build.yml`). Capture the exact diagnostic text and offending construct in the commit message.
+- [x] Reproduce the same at `src/detail/ip_representation.cpp:55`. Capture diagnostic text.
+- [x] For each site: either (a) rewrite the source so the warning no longer fires and delete the pragma, or (b) replace the file-scoped pragma with a tightly scoped `#pragma GCC diagnostic push` / `#pragma GCC diagnostic ignored "-Warray-bounds"` / `#pragma GCC diagnostic pop` block around the minimum offending lines, with a comment naming the GCC version range and the upstream report (if any).
+- [x] If the suppression is kept, add a `TODO(TASK-NNN-followup)` style comment only if a concrete follow-up exists; otherwise the scoping comment is sufficient.
+- [x] Add a guard test or static-analysis spot-check that fails if either file regains a file-scoped suppression.
 
 **Dependencies:**
 - Blocked by: None
@@ -28,4 +28,4 @@ Eliminate the two unscoped `#pragma GCC diagnostic ignored "-Warray-bounds"` dir
 **Related Requirements:** PRD §2 code quality NFR
 **Related Decisions:** None new
 
-**Status:** Backlog
+**Status:** Done
diff --git a/specs/tasks/M7-v2-cleanup/_index.md b/specs/tasks/M7-v2-cleanup/_index.md
@@ -24,7 +24,7 @@ TASK-093).
 
 | ID | Name | Audit grade | Estimate | Status |
 |---|---|---|---|---|
-| TASK-060 | Scope or remove file-scoped `-Warray-bounds` suppressions | HIGH | S | Backlog |
+| TASK-060 | Scope or remove file-scoped `-Warray-bounds` suppressions | HIGH | S | Done |
 | TASK-061 | Mechanical cleanup sweep — unfinished prose, orphan comments, stale doc refs | HIGH | S | Backlog |
 | TASK-062 | RFC-7616-compliant Digest auth response factory | HIGH | L | Backlog |
 | TASK-063 | Honor or remove `http_response::pipe` `size_hint` parameter | HIGH | S | Backlog |
diff --git a/specs/unworked_review_issues/2026-06-04_105130_task-060.md b/specs/unworked_review_issues/2026-06-04_105130_task-060.md
