Open
Conversation
Tests cover bugs in Tuple, Result, Validator, Generic, Box, Ref, Field, TaggedUnion, Timestamp, FieldVariantParser, CamelCaseToSnakeCase, and CLI Reader. All tests intentionally fail to confirm bug presence.
- Tuple::operator<=>: fix inverted condition (!= → ==) - Result::operator=(const Result<U>&): properly update success_ flag - Validator::operator=(U&&): remove incorrect noexcept - Generic::to_int(): add range check for int64_t → int cast - Validator: remove mutable get()/value()/operator*()/operator()() - Box/Ref::operator<=>: compare values instead of pointers - Field cross-type move ctor: add std::move to avoid copy - Result::value_or: return T by value instead of T&& - TaggedUnion: fix typo discrimininator_ → discriminator_ - transform_camel_case: prevent leading underscore - Timestamp::to_time_t: remove double timezone correction - FieldVariantParser: fix error message for empty object - cli::Reader: reject negative values and check range for unsigned - Parser_tagged_union: fix discriminator typo in error message
Tests for bugs that could not be fixed (require third-party library changes or are design-level issues): - Result::error() && returns Error& instead of Error&& (2.4) - Object::difference_type is unsigned instead of signed (3.8) - Literal(const std::string&) is implicit, can throw unexpectedly (3.5) - Flatten/Skip cross-type move copies instead of moving (3.9) - Parser_string_view/Parser_span leak memory on every read (1.13) - cli::Reader std::stod is locale-dependent (2.7) Memory leak tests use a separate executable (json_alloc) with custom operator new[]/delete[] to track allocations without ASAN.
- Result::error() &&: return Error&& instead of Error& - Object::difference_type: use signed DataType::difference_type - Literal: make string constructor explicit - Flatten: std::move in cross-type move constructor - Skip: std::move in cross-type move constructor - cli::Reader: use std::from_chars instead of locale-dependent std::stod
- Disable alloc memory leak tests (detect known unfixed leaks in Parser_string_view and Parser_span) - Fix UB in test_pointer_fields: delete -> delete[] for memory allocated with new char[]
yyjson_mut_strcpy reads until '\0', but std::string_view::data() does not guarantee null-termination. Replace with yyjson_mut_strncpy which respects the explicit length. Add regression test.
Tests for: capnproto read(istream,schema) infinite recursion, avro SchemaImpl move-assignment double-free, xml Reader stoi truncation for 64-bit types, toml Writer at_path nullptr with dotted keys, msgpack read ignoring unpack errors, bson Reader rejecting ints for float fields, msgpack Writer storing uint64 as signed int64.
- avro: SchemaImpl move-assignment now releases old iface_ and nullifies source, preventing double-decrement/use-after-free - bson: Reader float branch accepts INT32/INT64/DATE_TIME BSON types, matching the error message and Writer behavior - capnproto: read(istream, schema) reads bytes from stream instead of calling itself recursively - msgpack: read() checks msgpack_unpack return value, returning early error instead of parsing uninitialized data - msgpack: Writer uses msgpack_pack_uint64 for unsigned types, preventing uint64 values above INT64_MAX from being stored as negative - toml: Writer uses operator[] instead of at_path() for key lookup, fixing nullptr dereference with dotted field names - xml: Reader uses stoll/stoull instead of stoi for 64-bit integer types, fixing truncation of values beyond INT32 range
- Flatten(U&&): use std::forward<U> instead of copying - Flatten::operator=(Flatten<U>&&): use std::move(_f.get()) instead of std::forward<U>(_f) - cli::Reader signed parse_value: add range check before static_cast<T>
Move 18 tests from monolithic test_regression_bugs.cpp into dedicated test files (test_tuple, test_result, test_validator, test_generic, test_field, test_skip, test_object) and existing component files (test_box, test_ref, test_flatten, test_literal, test_tagged_union). Extract shared helper types into test_helpers.hpp.
Summary of ChangesHello @Centimo, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses and resolves 30 identified bugs across various core types and serialization modules including JSON, XML, TOML, MsgPack, BSON, Avro, and Cap'n Proto. The fixes enhance correctness, improve type safety, prevent undefined behavior, and ensure more robust data handling. Several changes also address potential breaking API behaviors, which are explicitly documented for review. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This is an excellent pull request that addresses a substantial number of bugs across the library. The detailed descriptions for each fix, complete with regression tests, are exemplary and make the changes easy to review and verify. The fixes themselves are well-implemented and address critical issues ranging from memory safety and correctness to API design. I have one suggestion for improvement in the XML reader to make the integer parsing more robust against narrowing conversion issues, consistent with similar fixes in this PR. Overall, this is a high-quality contribution that significantly improves the stability and safety of the library.
include/rfl/xml/Reader.hpp
Outdated
Comment on lines
102
to
107
| if constexpr (std::is_unsigned<std::remove_cvref_t<T>>()) { | ||
| return static_cast<T>(std::stoull(str)); | ||
| } | ||
| else { | ||
| return static_cast<T>(std::stoll(str)); | ||
| } |
There was a problem hiding this comment.
While this change correctly uses stoll and stoull to support 64-bit integers, it doesn't protect against silent truncation on narrowing conversions (e.g., parsing a value larger than INT_MAX into an int field). A similar fix for cli::Reader in this PR includes range checks before the static_cast. I recommend adding similar checks here to prevent potential data corruption and provide a more informative error.
if constexpr (std::is_unsigned<std::remove_cvref_t<T>>()) {
const auto val = std::stoull(str);
if (val > static_cast<unsigned long long>(std::numeric_limits<T>::max())) {
return error("Could not cast '" + str + "' to integer: value out of range.");
}
return static_cast<T>(val);
} else {
const auto val = std::stoll(str);
if (val < static_cast<long long>(std::numeric_limits<T>::min()) ||
val > static_cast<long long>(std::numeric_limits<T>::max())) {
return error("Could not cast '" + str + "' to integer: value out of range.");
}
return static_cast<T>(val);
}
Contributor
|
HI @Centimo , thanks for this PR. I will write a more comprehensive review tomorrow, but here are my first thoughts: Issue 1: You are right, I hadn't thought of that. But I think the right approach is to also validate the other operators (maybe with the exception of operator*), not to get rid of them altogether. Issue 2: I very consciously did not make it explicit. I want people to be able to set Literal fields like this: Issue 14: I am quite certain you are wrong about this one. timegm ignores the locale settings of your machine, but it also ignores the value of tm_gmtoff. It simply interprets the other fields as already being in UTC and sets tm_gmtoff and tm_isdst to zero. This is implied in here: https://ftp.gnu.org/old-gnu/Manuals/glibc-2.2.3/html_node/libc_425.html And here: https://nxmnpg.lemoda.net/3/timegm#google_vignette Furthermore, this specifies that timegm sets tm_gmtoff to zero: https://man.freebsd.org/cgi/man.cgi?gmtime(3) The most obvious apprach here would be to write a simple test. Most of the other things seem like common sense, but I have to take a closer look tomorrow. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix 30 bugs found during code review
Summary
This MR fixes 30 bugs across core types, JSON, XML, TOML, MsgPack, BSON, Avro, Cap'n Proto, and CLI modules. Each bug has a regression test that fails before the fix and passes after.
Stats: 39 files changed, 1197 insertions, 52 deletions.
Discussion: Breaking API Changes
The following 3 fixes change public API behavior. They are correct from a safety standpoint, but may break downstream code. Please review whether a deprecation period or alternative approach is preferred.
1.
Validator::get()/value()return mutable referenceFile:
include/rfl/Validator.hpp:98-99, 114-115Problem: Non-const
get(),value(),operator*(),operator()()returnT&, allowing direct write that bypasses validation.Test:
tests/generic/test_validator.cpp—validator_get_does_not_allow_invalid_mutation. Usesstd::is_assignable_vto verifyget()returnsconst T&.Fix: Removed all non-const overloads (
get(),value(),operator*(),operator()()).2.
Literal(const std::string&)is implicitFile:
include/rfl/Literal.hpp:46Problem: Non-explicit constructor allows implicit
std::string→Literalconversion, which throws on invalid input. Surprising for users.Test:
tests/generic/test_literal.cpp—literal_constructor_is_explicit. Usesstd::is_convertible_vto verify implicit conversion is disabled.Fix: Added
explicitkeyword.3.
TaggedUnion— typodiscrimininator_File:
include/rfl/TaggedUnion.hpp:15Problem: Extra 'n' —
discrimininator_instead ofdiscriminator_.Test:
tests/generic/test_tagged_union.cpp—tagged_union_discriminator_spelling. Uses concepts to check member name existence.Fix: Renamed to
discriminator_. Also fixed the typo in the error message string literal"discrimininator"→"discriminator"inParser_tagged_union.hpp:151.Bugs Fixed
4.
Tuple::operator<=>always returnsequivalentFile:
include/rfl/Tuple.hpp:107Problem: The condition
_ordering != equivalentis checked on first iteration where_orderingis initialized toequivalent— the body never executes. The operator returnsequivalentfor any two tuples.Test:
tests/generic/test_tuple.cpp—tuple_spaceship_not_always_equivalent,tuple_spaceship_less. VerifiesTuple<int>(1) <=> Tuple<int>(2)returnsless, notequivalent.Fix: Changed
!=to==so the comparison body executes when ordering is still undetermined.5.
Result::operator=(const Result<U>&)does not updatesuccess_File:
include/rfl/Result.hpp:210-216Problem: The converting assignment copies
t_or_err_but never updatessuccess_. After assigning an errorResult<U>into a valueResult<T>,success_remainstrue—.value()reads garbage.Test:
tests/generic/test_result.cpp—result_cross_type_assign_error_clears_success. Assigns errorResult<long>to valueResult<int>, checks the target is falsy.Fix: Replaced raw union copy with proper
destroy()+success_update +move_from_other().6.
Validator::operator=(U&&)isnoexceptbut throwsFile:
include/rfl/Validator.hpp:77Problem: The operator calls
.value()which throwsstd::runtime_erroron validation failure. Markednoexcept— any validation error callsstd::terminate.Test:
tests/generic/test_validator.cpp—validator_assign_rvalue_operator_is_noexcept_but_can_throw. Usesstd::is_nothrow_assignable_vto verify the operator is no longernoexcept.Fix: Removed
noexceptspecifier.7.
Generic::to_int()silently truncatesint64_ttointFile:
include/rfl/Generic.hpp:175-188Problem:
static_cast<int>(_v)with no range check. Values outside[INT_MIN, INT_MAX]are silently truncated.Test:
tests/generic/test_generic.cpp—generic_to_int_rejects_overflow,generic_to_int_rejects_underflow. PassesINT_MAX+1andINT_MIN-1, expects failure.Fix: Added range check before the cast, returning an error for out-of-range values.
8.
Box/Refoperator<=>compares pointer addressesFiles:
include/rfl/Box.hpp:130,include/rfl/Ref.hpp:118Problem:
_b1.ptr() <=> _b2.ptr()compares memory addresses instead of pointed-to values. TwoBox<int>(42)with different allocations compare as unequal.Test:
tests/generic/test_box.cpp—box_spaceship_compares_values_not_pointers.tests/generic/test_ref.cpp—ref_spaceship_compares_values_not_pointers.Fix: Changed to
*_b1 <=> *_b2(dereference before compare).9.
Field/Flatten/Skipcross-type move constructor copies instead of movingFiles:
include/rfl/Field.hpp:37,include/rfl/Flatten.hpp:32,include/rfl/internal/Skip.hpp:43Problem:
value_(_field.get())—get()returns lvalue reference, so the copy constructor is called instead of move.Test:
tests/generic/test_field.cpp—field_cross_type_move_does_not_copy.tests/generic/test_flatten.cpp—flatten_cross_type_move_does_not_copy.tests/generic/test_skip.cpp—skip_cross_type_move_does_not_copy. UseMoveTrackertypes that count copies vs moves.Fix: Changed to
value_(std::move(_field.get()))in all three types.10.
Result::value_or(T&&)returns dangling rvalue referenceFile:
include/rfl/Result.hpp:295Problem: Returns
T&&instead ofT. If the default argument is a temporary, the caller gets a dangling reference.Test:
tests/generic/test_result.cpp—result_value_or_returns_value_not_rvalue_ref. Checks return type isT, notT&&.Fix: Changed return type from
T&&toT.11.
Result::error() &&returnsError&instead ofError&&File:
include/rfl/Result.hpp:335Problem: The rvalue-qualified overload returns
Error&butget_err() &&returnsError&&. Prevents move semantics on rvalue Results.Test:
tests/generic/test_result.cpp—result_error_rvalue_qualified_returns_rvalue_ref. Checks return type isError&&.Fix: Changed return type from
Error&toError&&.12.
Object::difference_typeis unsignedFile:
include/rfl/Object.hpp:29Problem:
using difference_type = typename DataType::size_type—size_typeis unsigned, but the C++ standard requiresdifference_typeto be signed.Test:
tests/generic/test_object.cpp—object_difference_type_is_signed. Usesstd::is_signed_v.Fix: Changed to
typename DataType::difference_type.13.
transform_camel_caseprepends_to names starting with uppercaseFile:
include/rfl/internal/transform_case.hpp:60-73Problem: When
_i == 0and the first character is uppercase, the function unconditionally prepends'_'."MyField"becomes"_my_field"instead of"my_field".Test:
tests/json/test_regression_bugs.cpp—camel_case_to_snake_case_no_leading_underscore. Serializes a struct withCamelCaseToSnakeCaseand checks output.Fix: Added
sizeof...(chars) > 0guard so'_'is only inserted between characters, not at the beginning.14.
Timestamp::to_time_t()double-subtracts timezone offsetFile:
include/rfl/Timestamp.hpp:120Problem:
timegm(&tm) - tm_.tm_gmtoff—timegm()already returns UTC. Subtractingtm_gmtoffapplies the timezone correction twice. Non-Windows only.Test:
tests/json/test_regression_bugs.cpp—timestamp_to_time_t_no_double_timezone_correction. Setstm_gmtoff = 3600and verifiesto_time_t()returns the correct UTC epoch.Fix: Removed
- tm_.tm_gmtoff.15.
FieldVariantParser— wrong error messageFile:
include/rfl/parsing/FieldVariantParser.hpp:47-50Problem: When zero matching fields are found, the error says "found more than one" instead of "found none".
Test:
tests/json/test_regression_bugs.cpp—field_variant_empty_object_error_message. Parses"{}"and checks the error message does not contain "more than one".Fix: Changed message to "found none".
16.
json::Writerreads paststring_viewboundsFile:
src/rfl/json/Writer.cpp:68, :91, :113Problem:
yyjson_mut_strcpy(_name.data())reads until\0, butstring_view::data()is not null-terminated. Reads past buffer for substrings.Test:
tests/json/test_regression_bugs.cpp—json_writer_handles_non_null_terminated_field_names. Creates astring_viewsubstring and verifies the JSON key matches the view's length.Fix: Changed all three call sites from
yyjson_mut_strcpytoyyjson_mut_strncpywith explicit size.17.
cli::Reader—stoullaccepts negative numbers for unsigned typesFile:
include/rfl/cli/Reader.hpp:77Problem:
std::stoull("-1")wraps toULLONG_MAXwithout error.static_cast<uint16_t>wraps again to 65535.Test:
tests/cli/test_regression_bugs.cpp—cli_rejects_negative_for_unsigned. Passes--port=-1and expects failure.Fix: Added explicit check for leading
-character, returning an error for negative input.18.
cli::Reader— no range check on unsigned narrowing castFile:
include/rfl/cli/Reader.hpp:77Problem:
static_cast<T>(stoull(str))silently truncates.stoull("99999")foruint16_tproduces 34463.Test:
tests/cli/test_regression_bugs.cpp—cli_rejects_out_of_range_for_narrow_type. Passes--port=99999foruint16_tand expects failure.Fix: Added
std::numeric_limits<T>::max()bounds check before the cast.19.
cli::Reader— no range check on signed narrowing castFile:
include/rfl/cli/Reader.hpp:101-102Problem:
static_cast<T>(stoll(str))silently truncates forint8_t/int16_t/int32_t.stoll("200")cast toint8_twraps to -56.Test:
tests/cli/test_regression_bugs.cpp—cli_rejects_out_of_range_for_signed_narrow_type,cli_rejects_large_negative_for_signed_narrow_type. Passes--level=200and--level=-200forint8_tand expects failure.Fix: Added
std::numeric_limits<T>::min()/max()bounds check before the cast.20.
cli::Reader—std::stodis locale-dependentFile:
include/rfl/cli/Reader.hpp:64Problem:
std::stoduses the C locale. In locales with comma decimal separator (e.g.de_DE),"3.14"parses as3.0.Test:
tests/cli/test_regression_bugs.cpp—cli_float_parsing_ignores_locale. Setsde_DElocale, parses--rate=3.14, checks result is3.14.Fix: Replaced
std::stodwithstd::from_charswhich is locale-independent.21.
capnproto::read(istream, schema)— infinite recursionFile:
include/rfl/capnproto/read.hpp:79-82Problem: The overload
read(std::istream&, const Schema<T>&)callsread<T, Ps...>(_stream, _schema)— resolves to itself. Stack overflow.Test:
tests/capnproto/compile_fail/capnproto_read_istream_schema.cpp— instantiates the overload. Before the fix, GCC rejects it as "use of auto before deduction" (infinite recursion detected at compile time). After the fix, the file compiles successfully, verifying the overload resolves correctly.Fix: Read bytes from stream into a vector, then call
read(bytes.data(), bytes.size(), _schema).22.
avro::SchemaImplmove-assignment — double-decrement / use-after-freeFile:
src/rfl/avro/SchemaImpl.cpp:34-42Problem: Move-assignment neither releases the old
iface_(leak) nor nullifies_other.iface_(double-decrement when_other's destructor runs).Test:
tests/avro/test_regression_bugs.cpp—schema_impl_move_assignment_no_double_free. Move-assigns twoSchemaImplobjects, verifies sourceiface_is null after move.Fix: Added
avro_value_iface_decref/avro_schema_decreffor the old iface before reassignment, and_other.iface_ = nullptrafter.23.
xml::Readerusesstoifor all integer typesFile:
include/rfl/xml/Reader.hpp:99-105Problem:
std::stoireturnsint(32-bit). Forint64_t/uint64_tfields, values beyondINT_MAXthrowout_of_rangeor are silently truncated.Test:
tests/xml/test_regression_bugs.cpp—read_int64_above_int32_max,read_int64_large_negative,read_uint64_large_value. Parse XML with values exceeding 32-bit range.Fix: Use
std::stollfor signed types andstd::stoullfor unsigned types.24.
toml::Writer—at_path()dereferences as path, crashes on dotted keysFile:
src/rfl/toml/Writer.cpp:26, :40Problem: After
emplace("a.b", ...),at_path("a.b")interprets the dot as a path separator and looks fortable["a"]["b"]which doesn't exist — returns invalid node —as_table()/as_array()returns nullptr.Test:
tests/toml/test_regression_bugs.cpp—field_name_with_dot_does_not_crash,array_field_name_with_dot_does_not_crash. Userfl::Rename<"a.b", ...>to create dotted field names.Fix: Replaced
at_path(_name)withoperator[](_name)which does literal key lookup.25.
msgpack::readignoresmsgpack_unpackreturn valueFile:
include/rfl/msgpack/read.hpp:35-36Problem: If
msgpack_unpackfails, the return value is not checked.deserializedremains uninitialized — garbage is parsed, producing misleading downstream errors like "Could not cast to a map".Test:
tests/msgpack/test_regression_bugs.cpp—read_single_invalid_byte_returns_meaningful_error,read_truncated_data_returns_meaningful_error. Pass invalid/truncated data and verify the error doesn't mention "cast".Fix: Check return value; return
"Failed to unpack msgpack data."error on failure. Accept bothMSGPACK_UNPACK_SUCCESSandMSGPACK_UNPACK_EXTRA_BYTES.26.
msgpack::Writerstoresuint64_tas signedint64File:
include/rfl/msgpack/Writer.hpp:133-134Problem: All integers are packed via
msgpack_pack_int64(static_cast<int64_t>(...)). Foruint64_tvalues aboveINT64_MAX, the cast wraps to negative — msgpack stores them asNEGATIVE_INTEGER.Test:
tests/msgpack/test_regression_bugs.cpp—uint64_above_int64_max_stored_as_positive,uint64_max_stored_as_positive. Verify raw msgpack wire type isPOSITIVE_INTEGER.Fix: Added a separate
std::is_unsignedbranch that callsmsgpack_pack_uint64.27.
bson::Readerrejects integer BSON values for float fieldsFile:
include/rfl/bson/Reader.hpp:127-132Problem: The float branch checks
btype != BSON_TYPE_DOUBLEand rejects everything else — even though the error message claimsint32/int64/date_timeare valid.Test:
tests/bson/test_regression_bugs.cpp—read_int64_into_double_field,read_large_int64_into_double_field. Write an int struct, read it back as a double struct.Fix: Changed to a
switchacceptingBSON_TYPE_DOUBLE,INT32,INT64, andDATE_TIME.28.
delete/delete[]mismatch in testFile:
tests/json/test_pointer_fields.cppProblem: A raw pointer field allocated with
new[]was freed withdeleteinstead ofdelete[].Test: Pre-existing test; fix prevents undefined behavior under sanitizers.
Fix: Changed
deletetodelete[].29.
Flatten(U&&)universal reference constructor copies instead of forwardingFile:
include/rfl/Flatten.hpp:40Problem:
value_(_value)—_valueis a named parameter (lvalue), so the copy constructor is always called even when an rvalue is passed. Should bevalue_(std::forward<U>(_value)).Test:
tests/generic/test_flatten.cpp—flatten_universal_ref_ctor_forwards_rvalue. ConstructsFlatten<FlatBase>fromFlatDerived&&and verifies rvalue conversion is used.Fix: Changed to
value_(std::forward<U>(_value)).30.
Flatten::operator=(Flatten<U>&&)forwardsFlatten<U>instead ofUFile:
include/rfl/Flatten.hpp:103-105Problem:
std::forward<U>(_f)forwards theFlatten<U>object, notU. Assignmentvalue_ = Flatten<U>looks for implicit conversion which usesget()(lvalue ref) — copy instead of move. Causes hard compile error for types withoutFlatten<U>→Typeconversion.Test:
tests/generic/compile_fail/flatten_cross_type_move_assign.cpp— compile test that instantiates the cross-type move assignment. Verifies compilation succeeds after the fix.Fix: Changed to
value_ = std::move(_f.get()).