TASK-060: scope or remove file-scoped -Warray-bounds suppressions

etr · claude · etr · commit 9ef16bbaf5f5 · 2026-06-04T10:18:09.000-07:00
Eliminate both unscoped `#pragma GCC diagnostic ignored "-Warray-bounds"` directives flagged in specs/tasks/v2-branch-gap-audit.md §1 and add a lint-lane gate that prevents either watched file from regaining a file-scoped suppression. Site A — src/http_utils.cpp:62 The pragma sat above three orphan macros (CHECK_BIT, SET_BIT, CLEAR_BIT). Those macros had no remaining call sites in this TU after commit 7fc443a extracted the ip_representation body to src/detail/ip_representation.cpp; the pragma was guarding nothing. Delete both the pragma and the orphan macros. Site B — src/detail/ip_representation.cpp:55 The pragma sat above two used macros (CHECK_BIT, CLEAR_BIT) with five call sites. The historic -Warray-bounds false positive on these function-like macro shapes is the standard GCC VRP-loses-bound-across- macro-expansion pattern: at the call site `mask &= ~(1 << pos)` the value-range propagator can't see the loop-derived `[0, 15]` bound on `pos` and speculates a shift outside the storage GCC infers for the `uint16_t mask`. Replace both macros with anonymous-namespace `constexpr` helpers that take `pos` as `unsigned int` and force the shift through `1u`, with the bitwise-and-assign going through an explicit `static_cast<uint16_t>`. The function-call boundary plus explicit unsigned types is the documented recipe that silences the warning at the source on every supported GCC, so the file-scoped suppression can go away with no scoped push/pop fallback. All five call sites mechanically swap to the helper and explicitly cast their signed index expressions to `unsigned int` to keep the conversion visible. Guard — scripts/check-warning-suppressions.sh (new) Bash script wired into Makefile.am as `lint-warning-suppressions` and into the verify-build.yml lint lane next to lint-file-size / lint-complexity. For each watched file, it greps for top-of-line `#pragma GCC diagnostic ignored "-Warray-bounds"` and fails unless each hit is bracketed by an earlier `#pragma GCC diagnostic push` and a later `pop`. Watched-file list is intentionally narrow to the two TASK-060 files; future tasks broaden it as new suppressions are scoped. Acceptance criteria: - `grep -nE '^#pragma GCC diagnostic ignored "-Warray-bounds"' src/http_utils.cpp src/detail/ip_representation.cpp` returns no matches. - Debug build (`--enable-debug`, -Werror -Wall -Wextra -pedantic) on macOS Apple-Clang succeeds with no new warnings. - http_utils unit suite (412 checks across 87 tests, exercises ip_representation parsing) passes; ban_system integ suite passes in isolation, exercising block_ip / unblock_ip which round-trip through both rewritten helpers. - CI's GCC 11/12/13/14 matrix lanes will surface any residual -Warray-bounds regression by failing the compile. GCC-version diagnostic capture deferred to CI — the local host is Apple Clang and has no GCC. If a CI lane still emits the warning after the rewrite, the documented fallback (scoped push/pop with a __GNUC__-conditional version guard) lands in a follow-up commit on this branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/.github/workflows/verify-build.yml b/.github/workflows/verify-build.yml
@@ -728,6 +728,14 @@ jobs:
       run: ./scripts/check-file-size.sh
       if: ${{ matrix.build-type == 'lint' && matrix.os-type == 'ubuntu' }}
 
+    - name: Run warning-suppression gate
+      # TASK-060: forbid file-scoped `#pragma GCC diagnostic ignored
+      # "-Warray-bounds"` (and any future broadened list) on the watched
+      # library TUs. A regression here would silently turn the warning
+      # off TU-wide.
+      run: ./scripts/check-warning-suppressions.sh
+      if: ${{ matrix.build-type == 'lint' && matrix.os-type == 'ubuntu' }}
+
     - name: Run libhttpserver configure
       # TASK-038: fixed CXXLAGS -> CXXFLAGS typo so C++ TUs are instrumented by the sanitizer matrix.
       run: |
diff --git a/Makefile.am b/Makefile.am
@@ -45,6 +45,7 @@ EXTRA_DIST = libhttpserver.pc.in $(DX_CONFIG) scripts/extract-release-notes.sh s
 	scripts/lib/resolve-prefix.sh \
 	scripts/check-complexity.sh scripts/check-duplication.sh \
 	scripts/check-file-size.sh \
+	scripts/check-warning-suppressions.sh \
 	scripts/verify-installed-examples.sh \
 	test/headers/consumer_direct.cpp test/headers/consumer_detail.cpp test/headers/consumer_detail_modded.cpp \
 	test/headers/consumer_umbrella.cpp \
@@ -463,7 +464,17 @@ lint-file-size:
 	@echo "=== lint-file-size: enforce per-file line-count ceiling ==="
 	@$(top_srcdir)/scripts/check-file-size.sh
 
-.PHONY: check-headers check-install-layout check-hygiene check-local check-examples check-readme check-release-notes check-doxygen check-hooks-doc-spotcheck check-soversion check-parallel-install lint-complexity lint-duplication lint-file-size
+# TASK-060: file-scoped warning-suppression gate. Fails if any of the
+# watched library TUs (currently src/http_utils.cpp and
+# src/detail/ip_representation.cpp) regains a top-level
+# `#pragma GCC diagnostic ignored "-Warray-bounds"` that is not
+# bracketed by a push/pop pair. Not wired into `make check` — invoked
+# directly by CI's `lint` lane alongside the other lint-* gates.
+lint-warning-suppressions:
+	@echo "=== lint-warning-suppressions: forbid file-scoped GCC warning suppressions ==="
+	@$(top_srcdir)/scripts/check-warning-suppressions.sh
+
+.PHONY: check-headers check-install-layout check-hygiene check-local check-examples check-readme check-release-notes check-doxygen check-hooks-doc-spotcheck check-soversion check-parallel-install lint-complexity lint-duplication lint-file-size lint-warning-suppressions
 
 # TASK-039: top-level convenience rule that descends into test/ to
 # build and run the bench binaries (see test/Makefile.am and
diff --git a/scripts/check-warning-suppressions.sh b/scripts/check-warning-suppressions.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+#
+# check-warning-suppressions.sh — guard against file-scoped GCC warning
+# suppressions in the library sources flagged by TASK-060.
+#
+# The audit in specs/tasks/v2-branch-gap-audit.md §1 ("HIGH — Unscoped
+# warning suppressions") singled out two `#pragma GCC diagnostic
+# ignored "-Warray-bounds"` directives that sat at file scope and
+# silenced the warning for entire translation units. TASK-060 either
+# removes them or scopes them to a `push`/`pop` block; this gate makes
+# the regression visible by failing if any of the watched files grows a
+# new file-scoped suppression.
+#
+# Watched files: kept narrow on purpose. Future tasks that fix
+# additional suppression sites should add their files to WATCHED_FILES
+# below; broadening the scan to all of src/ is a separate decision
+# (currently other TUs in src/ legitimately carry no such pragmas, so
+# the gate would still pass — but adding files here is the conscious,
+# auditable choice).
+#
+# Detection logic:
+#   1. Any `#pragma GCC diagnostic ignored "-Warray-bounds"` at the
+#      beginning of a line is a candidate violation.
+#   2. A candidate is allowed iff it sits between a matching
+#      `#pragma GCC diagnostic push` and `#pragma GCC diagnostic pop`
+#      pair (push must appear earlier in the file, pop must appear
+#      later). Conditional compilation around the push/pop is fine —
+#      we only care about the textual ordering.
+#   3. Any candidate that fails the push/pop bracketing check is
+#      reported and the script exits 1.
+#
+# Exit codes:
+#   0  no violations
+#   1  one or more watched files carries a file-scoped suppression
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$REPO_ROOT"
+
+# Files watched by this gate. Narrow on purpose; see header comment.
+WATCHED_FILES=(
+    "src/http_utils.cpp"
+    "src/detail/ip_representation.cpp"
+)
+
+echo "check-warning-suppressions: scanning ${#WATCHED_FILES[@]} file(s)"
+
+violations=0
+for file in "${WATCHED_FILES[@]}"; do
+    if [ ! -f "$file" ]; then
+        echo "  $file: missing — watched file no longer present" >&2
+        violations=$((violations + 1))
+        continue
+    fi
+
+    # Each line that begins with the warning-suppression pragma is a
+    # candidate. We then verify it is bracketed by push/pop.
+    while IFS=: read -r lineno _; do
+        # Search backward for the nearest `#pragma GCC diagnostic push`
+        # before this line, and forward for the nearest `pop` after.
+        push_before=$(awk -v target="$lineno" '
+            /^#pragma[[:space:]]+GCC[[:space:]]+diagnostic[[:space:]]+push/ {
+                if (NR < target) last = NR
+            }
+            END { print (last ? last : 0) }
+        ' "$file")
+        pop_after=$(awk -v target="$lineno" '
+            /^#pragma[[:space:]]+GCC[[:space:]]+diagnostic[[:space:]]+pop/ {
+                if (NR > target && first == 0) first = NR
+            }
+            END { print (first ? first : 0) }
+        ' "$file")
+
+        if [ "$push_before" = "0" ] || [ "$pop_after" = "0" ]; then
+            echo "  $file:$lineno: file-scoped #pragma GCC diagnostic ignored \"-Warray-bounds\" (not bracketed by push/pop)" >&2
+            violations=$((violations + 1))
+        fi
+    done < <(grep -nE '^#pragma GCC diagnostic ignored "-Warray-bounds"' "$file" || true)
+done
+
+if [ "$violations" -gt 0 ]; then
+    echo "check-warning-suppressions: FAIL — $violations file-scoped suppression(s) found" >&2
+    echo "  scope each pragma with #pragma GCC diagnostic push / pop and a comment naming the GCC version range" >&2
+    exit 1
+fi
+
+echo "check-warning-suppressions: PASS — no file-scoped -Warray-bounds suppressions in watched files"
diff --git a/src/detail/ip_representation.cpp b/src/detail/ip_representation.cpp
@@ -50,15 +50,29 @@
 #include "httpserver/http_utils.hpp"
 #include "httpserver/string_utilities.hpp"
 
-// Local bit ops mirror the ones in http_utils.cpp; both TUs need them
-// and a shared header would be overkill for two one-line macros.
-#pragma GCC diagnostic ignored "-Warray-bounds"
-#define CHECK_BIT(var, pos) ((var) & (1 << (pos)))
-#define CLEAR_BIT(var, pos) ((var) &= ~(1 << (pos)))
-
 namespace httpserver {
 namespace http {
 
+namespace {
+
+// TASK-060: the pre-existing CHECK_BIT/CLEAR_BIT function-like macros
+// here drove a file-scoped `#pragma GCC diagnostic ignored
+// "-Warray-bounds"`. Replacing them with `constexpr` helpers that take
+// the bit index as `unsigned int` and force the shift through `1u`
+// silences the warning at the source (GCC's VRP no longer loses the
+// `[0, 15]` bound across a macro expansion site) and lets us drop the
+// suppression. `mask` is a `uint16_t`, so the bitwise-and-assign goes
+// through an explicit `static_cast<uint16_t>` to keep the destination
+// type visible.
+constexpr bool check_bit(uint16_t var, unsigned int pos) {
+    return (var & (1u << pos)) != 0;
+}
+constexpr void clear_bit(uint16_t& var, unsigned int pos) {
+    var = static_cast<uint16_t>(var & ~(1u << pos));
+}
+
+}  // namespace
+
 std::string get_ip_str(const struct sockaddr *sa) {
     if (!sa) throw std::invalid_argument("socket pointer is null");
 
@@ -124,7 +138,7 @@ void ip_representation::parse_ipv4(const std::string& ip) {
     }
     for (unsigned int i = 0; i < parts.size(); i++) {
         if (parts[i] == "*") {
-            CLEAR_BIT(mask, 12+i);
+            clear_bit(mask, static_cast<unsigned int>(12 + i));
             continue;
         }
         pieces[12+i] = strtol(parts[i].c_str(), nullptr, 10);
@@ -188,7 +202,7 @@ void ip_representation::parse_nested_ipv4(const std::vector<std::string>& parts,
     }
     for (unsigned int ii = 0; ii < subparts.size(); ii++) {
         if (subparts[ii] == "*") {
-            CLEAR_BIT(mask, y+ii);
+            clear_bit(mask, static_cast<unsigned int>(y + ii));
             continue;
         }
         pieces[y+ii] = strtol(subparts[ii].c_str(), nullptr, 10);
@@ -202,8 +216,8 @@ void ip_representation::apply_ipv6_part(std::vector<std::string>& parts, unsigne
                                         int& y, unsigned int omitted) {
     auto& part = parts[i];
     if (part == "*") {
-        CLEAR_BIT(mask, y);
-        CLEAR_BIT(mask, y+1);
+        clear_bit(mask, static_cast<unsigned int>(y));
+        clear_bit(mask, static_cast<unsigned int>(y + 1));
         y += 2;
         return;
     }
@@ -267,7 +281,8 @@ namespace {
 void accumulate_octet_score(const ip_representation& a,
                             const ip_representation& b, int i,
                             int64_t& a_score, int64_t& b_score) {
-    if (!(CHECK_BIT(a.mask, i) && CHECK_BIT(b.mask, i))) return;
+    if (!(check_bit(a.mask, static_cast<unsigned int>(i))
+          && check_bit(b.mask, static_cast<unsigned int>(i)))) return;
     // Cast the (16 - i) factor to int64_t before the multiply so the product
     // is computed in the destination type. Without the cast the multiplication
     // happens in int and only the result is widened, which CodeQL flags as a
diff --git a/src/http_utils.cpp b/src/http_utils.cpp
@@ -59,11 +59,6 @@
 #include "httpserver/constants.hpp"
 #include "httpserver/string_utilities.hpp"
 
-#pragma GCC diagnostic ignored "-Warray-bounds"
-#define CHECK_BIT(var, pos) ((var) & (1 << (pos)))
-#define SET_BIT(var, pos) ((var) |= 1 << (pos))
-#define CLEAR_BIT(var, pos) ((var) &= ~(1 << (pos)))
-
 #if defined (__CYGWIN__)
 
 #if !defined (NI_MAXHOST)
