Polish CodeQL and do some chores

[thorstenhater]

Polish CodeQL integration:

• Fix C++ warnings.
• Ignore current Python warnings:
  • tsplot is not processing html
  • json/.../serve.py is not ours
• Add a status badge to README
• Bump GH Actions as required.
• Black was unhappy about our new type stubs?!

[halfflat]

I was wondering about some of these size_t casts in calls to std::vector::reserve(); they create an inconsistency with prior checks in arb_assert and the explicit casting here makes it look like we're working around some sort of range issue.

Are these there to avoid a potential int32_t overflow? If so, we should consider using different types (viz. std::size_t or std::ptrdiff_t) to represent quantities such as n_sample etc.

For the changes in modcc/io/prefixbuf.cpp, storing the unsigned values from the indent stack and iword-stored tabwidth as size_t is a bit misleading: they really are unsigned values. And while there is a potential unsigned wraparound from their multiplication if the indent code is somehow being abused, I'd assert that it's safer to let it wrap in an unsigned then to start allocating strings of length greater than 4GB.

[thorstenhater]

Hi @halfflat,

they're here to silence CodeQL static analysis. I agree, that was a unnecessarily lazy approach to the affair.
The question back is then: Why was sample_size_type chosen to be a signed type in the first place?
We can just accept a bad_alloc on prefixbuf and the analyser's warning; one might argue though that
width and count of tabs should fit in an unsigned char ;).

[halfflat]

I don't recall why it was signed; I'd have to go look at the git blame :) It might have been because we use them to store differences. It's possible but less likely they get SIMDed somewhere and we don't yet have unsigned SIMD in the library.

[halfflat]

But on the CodeQL front, what is its complaint? Potential signed overflow, or is it complaining about implicit conversion of signed to size_t in the reserve() calls? If the latter, I don't think that should be something that's flagged: it's a reasonable thing to allow if we are confident that the non-negative precondition is met, and casting to an unsigned type first doesn't fix the problem.

Is there some way of decorating arb_assert so as to make that assertion visible to CodeQL? E.g. if we had

    int n = something.last-something.first;
    arb_assert(n>=0); // macro includes some magic for CodeQL
    vec.reserve(n); // this is fine because we made an assertion that n>=0

it would all be fine?

[halfflat]

Argh! This is terribly misleading formatting.
Edit: what was so bad with unsigned tabs = (!stack_ptr || stack_ptr->empty())? 0: stack_ptr->top();?

[thorstenhater]

I knew you were going to love it. Isn't it beautiful how the second line of the condition and the first line of the body line up?

[halfflat]

It has a certain horrible charm to it.

[thorstenhater]

Fixed it.

[thorstenhater]

Possibly, but I do not think it's worth it even. CodeQL is technically correct in pointing out that possibility, but
it doesn't flag the project as endangered. It will complain, though, if a PR introduces new problems.

The urge to 'fix' this was merely my completionist attitude.

[halfflat]

Why not just size_t width = pp->width?

[halfflat]

Regarding the CodeQL flagging the size_t conversion, I'd say we should either ignore it or address it in a robust way (with actual range checks). My inclination is to ignore it.

[thorstenhater]

Dismissed.

[boeschf]

std::size_t?

[thorstenhater]

Yes and all other instance in that file.

[boeschf]

Suggested change

	std::size_t width = static_cast<size_t>(pp->width);
	auto width = static_cast<std::size_t>(pp->width);

[thorstenhater]

Yes, that's fine, too.

[boeschf]

where is this type actually used?

[thorstenhater]

It -- currently -- isn't, but it's useful when we are considering things like:

sample_size_type a = ..., b = ..., c = a - b;

due to the potential overflow.

[boeschf]

2 more std::size_ts

[halfflat]

One query and some requests for changing how we deal with the wrapping product warning. Generally, I suspect the cost of a range-checking assert is cheap and provides the guarantees we need while casting up and down the unsigned integer sizes keeps the potential bug while changing its clothes.

Currently arb_assert is a build-time option, and I'm wondering if we could perhaps split its functionality into asserts which should always be checked and those which are really there to be enabled when we're tracking down bugs in our code logic.

[halfflat]

Are these changes to make CodeQL happy, or just for readability?

[thorstenhater]

Readability. I can get behind a*b + c for similarities with mathematical notation, but =, ==, and especially - tend to merge visually into one token. Or: Too similar to snake_case for my liking.
As much of the code, especially newer parts is in this style, I tend to adjust these expression in passing when editing files. Same for removing redundant headers, which my IDE picks up on these days.

[halfflat]

We shouldn't change the (effective) maximum size of the gathered_spikes vector without also changing the range of the indices in the loop 35-37.

We ultimately make a partition of the indices into the variable partition which has count_type as its value type, and this vector is used to construct the gathered_vector return type, which also expects things in terms of count_type. I believe the correct fix is not to cast local_size or use std::size_t here but instead

1. Add an assertion which confirms that the local_size*num_ranks_ doesn't wrap in count_type, and
2. Uses std::size_t{local_size*num_ranks_} to keep CodeQL happy or else we tell CodeQL that this is not a bug (my preference).

[halfflat]

There's no point doing everything in size_t only to cast back down to count_type here; the alterations just make the potential bug more obscure. IMO the only correct resolution is to have an assert that checks that the product doesn't wrap and then to keep using count_type.