Skip to content

feat: add GCC/Clang function attributes for compile-time bug detection#518

Closed
somethingwithproof wants to merge 5 commits intoCacti:developfrom
somethingwithproof:feat/gcc-function-attributes
Closed

feat: add GCC/Clang function attributes for compile-time bug detection#518
somethingwithproof wants to merge 5 commits intoCacti:developfrom
somethingwithproof:feat/gcc-function-attributes

Conversation

@somethingwithproof
Copy link
Copy Markdown
Contributor

@somethingwithproof somethingwithproof commented Mar 26, 2026

Summary

Add SPINE_ATTR_* compatibility macros for 6 GCC/Clang function attributes, applied across 30+ function declarations in 8 header files. Zero runtime cost; all checks happen at compile time. Gracefully compiles as no-ops on non-GCC/Clang compilers.

Attributes added

Attribute Purpose Applied to
SPINE_ATTR_FORMAT Validates printf format strings at compile time spine_log, die
SPINE_ATTR_NORETURN Enables dead code detection after fatal calls die()
SPINE_ATTR_WARN_UNUSED Catches ignored return values (memory leaks) db_query, exec_poll, php_cmd, snmp_get*
SPINE_ATTR_NONNULL Catches NULL passed to non-nullable parameters db_query, db_insert, strncopy, snmp_get*
SPINE_ATTR_PURE Optimizer can cache results of side-effect-free functions is_numeric, is_hexadecimal, validate_result, keyword parsers
SPINE_ATTR_COLD Branch prediction optimization for error paths die()

Bugs found and fixed

The warn_unused_result attribute on db_query() exposed 3 memory leaks in poller.c where DML queries (UPDATE/INSERT) ignored the MYSQL_RES* return value:

  • poller.c:1945 - host status update
  • poller.c:1965 - host polling time update
  • poller.c:1983 - poller items next step update

Fixed by wrapping with db_free_result(db_query(...)).

Files changed (8)

File Changes
spine.h SPINE_ATTR_* macro definitions
util.h format, noreturn, cold on die/spine_log; pure on is_numeric etc; nonnull on strncopy
sql.h nonnull + warn_unused on db_query, db_insert, db_escape, db_connect
poller.h nonnull + warn_unused on exec_poll; pure on validate_result, is_multipart_output
snmp.h nonnull + warn_unused on snmp_get*, snmp_getnext
php.h nonnull + warn_unused on php_cmd; warn_unused on php_readpipe
keywords.h pure on all 6 keyword parse/print functions
poller.c Fix 3 ignored db_query return values (memory leaks)

@somethingwithproof somethingwithproof force-pushed the feat/gcc-function-attributes branch from 67438d4 to 798deb1 Compare March 26, 2026 04:47
@somethingwithproof
security: fix SQL injection, buffer overflow, and input validation (C…
58f572f 
…RITICAL)

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof somethingwithproof force-pushed the feat/gcc-function-attributes branch from 798deb1 to a1fd731 Compare March 26, 2026 04:59
@somethingwithproof
fix: NULL checks, switch fall-through, thread safety, buffer bounds (…
205f522 
…HIGH)

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof
fix(ping): eliminate seteuid race by pre-opening ICMP socket at init
3dbc42f 
seteuid(0) is process-wide; the previous approach of acquiring
LOCK_SETEUID per-thread serialized the seteuid calls but left a window
where other threads inherited euid=0 while the mutex was held.

Open the ICMP raw socket once during single-threaded initialization in
spine.c main(), before any worker threads start. Store it as a global
(icmp_socket). ping_icmp() now dup()s that fd per call so each thread
has an independent fd for select()/setsockopt()/close() without
interfering with other threads.

All seteuid()/LOCK_SETEUID blocks are removed from ping_icmp(). If the
socket could not be opened at startup, icmp_avail is set to FALSE and
the poller falls back to UDP ping as before.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof
fix: replace deprecated POSIX semaphores with pthread wrapper (Cacti#516
5b87916 
)

macOS deprecated unnamed POSIX semaphores (sem_init, sem_getvalue,
sem_trywait). Replace with a portable spine_sem_t wrapper using
pthread mutex + condition variable. Eliminates all 9 deprecation
warnings and works identically on Linux and macOS.

Changes:
- Add spine_sem.h with spine_sem_init/post/getvalue/wait/trywait/destroy
- Replace semaphore.h with spine_sem.h in common.h
- Update all sem_t/sem_* references in spine.c, poller.c, spine.h
- Add spine_sem.h to EXTRA_DIST

Build result: zero errors, zero warnings.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof
feat: add GCC/Clang function attributes for compile-time bug detection
a5e235e 
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof somethingwithproof force-pushed the feat/gcc-function-attributes branch from a1fd731 to a5e235e Compare March 26, 2026 06:35
@somethingwithproof somethingwithproof mentioned this pull request Mar 26, 2026
Closed
@somethingwithproof
Copy link
Copy Markdown
Contributor Author

somethingwithproof commented Mar 26, 2026

Consolidated into mega PR #522 for independent mergeability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@somethingwithproof