PVS-Studio Static Analysis #738
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PVS-Studio Static Analysis | |
on: | |
# Automatically run at the end of every day. | |
schedule: | |
- cron: '0 0 * * *' | |
jobs: | |
build: | |
name: Static Analysis | |
runs-on: ubuntu-22.04 | |
env: | |
PVS_STUDIO_ANALYSIS_ARCH: x86_64 | |
if: always() && github.repository == 'SerenityOS/serenity' && github.ref == 'refs/heads/master' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: "Configure PVS-Studio Repository" | |
run: | | |
wget -q -O - https://files.pvs-studio.com/beta/etc/pubkey.txt | sudo apt-key add - | |
sudo wget -O /etc/apt/sources.list.d/viva64.list https://files.pvs-studio.com/beta/etc/viva64.list | |
- name: "Install Ubuntu dependencies" | |
# These packages are already part of the ubuntu-22.04 image: | |
# cmake libgmp-dev npm shellcheck | |
# Packages below aren't. | |
# | |
run: | | |
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - | |
sudo add-apt-repository 'deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-16 main' | |
sudo apt-get update | |
sudo apt-get install -y clang-format-16 gcc-12 g++-12 libstdc++-12-dev libmpfr-dev libmpc-dev ninja-build unzip pvs-studio | |
- name: Check versions | |
run: set +e; g++ --version; g++-12 --version; ninja --version; | |
- name: Prepare useful stamps | |
id: stamps | |
shell: cmake -P {0} | |
run: | | |
string(TIMESTAMP current_date "%Y_%m_%d_%H_%M_%S" UTC) | |
# Output everything twice to make it visible both in the logs | |
# *and* as actual output variable, in this order. | |
message(" set-output name=time::${current_date}") | |
message("::set-output name=time::${current_date}") | |
message(" set-output name=libc_headers::${{ hashFiles('Userland/Libraries/LibC/**/*.h', 'Userland/Libraries/LibPthread/**/*.h', 'Toolchain/Patches/*.patch', 'Toolchain/Patches/gcc/*.patch', 'Toolchain/BuildGNU.sh') }}") | |
message("::set-output name=libc_headers::${{ hashFiles('Userland/Libraries/LibC/**/*.h', 'Userland/Libraries/LibPthread/**/*.h', 'Toolchain/Patches/*.patch', 'Toolchain/Patches/gcc/*.patch', 'Toolchain/BuildGNU.sh') }}") | |
- name: Toolchain cache | |
# This job should always read the cache, never populate it. | |
uses: actions/cache/restore@v4 | |
id: toolchain-cache | |
with: | |
path: ${{ github.workspace }}/Toolchain/Local/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} | |
# This assumes that *ALL* LibC and LibPthread headers have an impact on the Toolchain. | |
# This is wrong, and causes more Toolchain rebuilds than necessary. | |
# However, we want to avoid false cache hits at all costs. | |
key: ${{ runner.os }}-toolchain-${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-${{ steps.stamps.outputs.libc_headers }} | |
- name: Build toolchain | |
if: ${{ !steps.toolchain-cache.outputs.cache-hit }} | |
run: ARCH="${{ env.PVS_STUDIO_ANALYSIS_ARCH }}" ${{ github.workspace }}/Toolchain/BuildGNU.sh | |
- name: Create build directory | |
run: | | |
mkdir -p ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} | |
mkdir -p ${{ github.workspace }}/Build/caches/TZDB | |
mkdir -p ${{ github.workspace }}/Build/caches/UCD | |
mkdir -p ${{ github.workspace }}/Build/caches/CLDR | |
- name: TimeZoneData cache | |
uses: actions/cache@v4 | |
with: | |
path: ${{ github.workspace }}/Build/caches/TZDB | |
key: TimeZoneData-${{ hashFiles('Meta/CMake/time_zone_data.cmake') }} | |
- name: UnicodeData cache | |
uses: actions/cache@v4 | |
with: | |
path: ${{ github.workspace }}/Build/caches/UCD | |
key: UnicodeData-${{ hashFiles('Meta/CMake/unicode_data.cmake') }} | |
- name: UnicodeLocale Cache | |
uses: actions/cache@v4 | |
with: | |
path: ${{ github.workspace }}/Build/caches/CLDR | |
key: UnicodeLocale-${{ hashFiles('Meta/CMake/locale_data.cmake') }} | |
- name: Create build environment | |
working-directory: ${{ github.workspace }} | |
run: | | |
cmake -S Meta/CMake/Superbuild -B Build/superbuild -GNinja \ | |
-DSERENITY_ARCH=${{ env.PVS_STUDIO_ANALYSIS_ARCH }} \ | |
-DSERENITY_TOOLCHAIN=GNU \ | |
-DCMAKE_C_COMPILER=gcc-12 \ | |
-DCMAKE_CXX_COMPILER=g++-12 \ | |
-DENABLE_PCI_IDS_DOWNLOAD=OFF \ | |
-DENABLE_USB_IDS_DOWNLOAD=OFF | |
- name: Build generated sources so they are available for analysis. | |
working-directory: ${{ github.workspace }} | |
# Note: The superbuild will create the Build/arch directory when doing the | |
# configure step for the serenity ExternalProject, as that's the configured | |
# binary directory for that project. | |
run: | | |
ninja -C Build/superbuild serenity-configure | |
cmake -B Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} -DCMAKE_EXPORT_COMPILE_COMMANDS=ON | |
ninja -C Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} all_generated | |
- name: Configure PVS-Studio License | |
env: | |
MAIL: ${{ secrets.PVS_STUDIO_MAIL }} | |
KEY: ${{ secrets.PVS_STUDIO_KEY }} | |
run: pvs-studio-analyzer credentials $MAIL $KEY | |
- name: Run PVS-Studio Analyzer | |
working-directory: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} | |
run: pvs-studio-analyzer analyze -o project.plog --compiler ${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-pc-serenity-g++ --compiler ${{ env.PVS_STUDIO_ANALYSIS_ARCH }}-pc-serenity-gcc -j2 | |
# Suppress Rules: | |
# - v530: The return value of function 'release_value' is required to be utilized. | |
# Our TRY(..) macro seems to breaks this rule and trigger weird behavior in PVS Studio. | |
# | |
# - v677: Custom declaration of a standard '<example>' type. The declaration from system header files should be used instead. | |
# This rule doesn't make sense for Serenity, as we are the system headers. | |
# | |
# - v1061: Extending the 'std' namespace may result in undefined behavior. | |
# We have no choice, some features of C++ require us to. | |
# | |
# - V1052: Declaring virtual methods in a class marked as 'final' is pointless. | |
# This rule contradicts the serenity style rules. | |
# | |
# - False Positives: | |
# v591: Non-void function should return a value. | |
# v603: Object was created but is not being used. | |
# v1047: Lifetime of the lambda is greater than lifetime of the local variable captured by reference. | |
# v1076: Code contains invisible characters that may alter its logic. | |
# | |
- name: Filter PVS Log | |
working-directory: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }} | |
run: | | |
pvs-studio-analyzer suppress -v530 -v591 -v603 -v677 -v1047 -v1052 -v1061 -v1076 project.plog | |
pvs-studio-analyzer filter-suppressed project.plog | |
- name: Print PVS Log | |
run: plog-converter -a 'GA:1,2;64:1;OP:1,2,3' -t errorfile ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog | GREP_COLOR='01;31' grep -E --color=always 'error:|$' | GREP_COLOR='01;33' grep -E --color=always 'warning:|$' | |
- name: Convert PVS Log to SARIF | |
run: plog-converter -a 'GA:1,2;64:1;OP:1,2,3' -o project.sarif -t sarif ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog | |
- uses: actions/upload-artifact@v4 | |
with: | |
path: ${{ github.workspace }}/Build/${{ env.PVS_STUDIO_ANALYSIS_ARCH }}/project.plog | |
- uses: actions/upload-artifact@v4 | |
with: | |
path: ${{ github.workspace }}/project.sarif | |
- name: Upload SARIF results file | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
# Path to SARIF file relative to the root of the repository | |
sarif_file: project.sarif |