ci: Add clang-analyze to GitHub actions.

This patch identifies new static analysis issues during a GitHub action run and reports them. The process involves analyzing the changes introduced in the current commit and comparing them to those in the preceding commit. However, there are two cases when the GitHub push action runner does not provide enough details to determine the preceding commit. These cases are a new branch or a forced push. The strategy for these exceptions is to find the first common commit on any upstream branch, and use that. An example error output might look like this: error level: +0 -0 no changes warning level: +2 +0 New issue "deadcode.DeadStores Value stored to 'remote' is never read" (1 occurrence) file:///home/runner/work/ovs/ovs/vswitchd/ovs-vswitchd.c:86 New issue "unix.Malloc Potential leak of memory pointed to by 'remote'" (1 occurrence) file:///home/runner/work/ovs/ovs/vswitchd/ovs-vswitchd.c:95 note level: +0 -0 no changes all levels: +2 +0 Acked-by: Simon Horman <[email protected]> Signed-off-by: Eelco Chaudron <[email protected]>
david-marchand · Jan 17, 2024 · d662eee · d662eee
1 parent ed738ec
commit d662eee
Show file tree

Hide file tree

Showing 3 changed files with 144 additions and 1 deletion.
diff --git a/.ci/linux-build.sh b/.ci/linux-build.sh
@@ -51,6 +51,31 @@ function build_ovs()
     make ${JOBS}
 }
 
+function clang_analyze()
+{
+    [ -d "./base-clang-analyzer-results" ] && cache_build=false \
+                                           || cache_build=true
+    if [ "$cache_build" = true ]; then
+        # If this is a cache build, proceed to the base branch's directory.
+        pushd base_ovs_main
+    fi;
+
+    configure_ovs $OPTS
+
+    make clean
+    scan-build -o ./clang-analyzer-results -sarif --use-cc=${CC} make ${JOBS}
+
+    if [ "$cache_build" = true ]; then
+        # Move results, so it will be picked up by the cache.
+        mv ./clang-analyzer-results ../base-clang-analyzer-results
+        popd
+    else
+        # Only do the compare on the none cache builds.
+        sarif --check note diff ./base-clang-analyzer-results \
+                                ./clang-analyzer-results
+    fi;
+}
+
 if [ "$DEB_PACKAGE" ]; then
     ./boot.sh && ./configure --with-dpdk=$DPDK && make debian
     mk-build-deps --install --root-cmd sudo --remove debian/control
@@ -118,6 +143,11 @@ fi
 
 OPTS="${EXTRA_OPTS} ${OPTS} $*"
 
+if [ "$CLANG_ANALYZE" ]; then
+    clang_analyze
+    exit 0
+fi
+
 if [ "$TESTSUITE" = 'test' ]; then
     # 'distcheck' will reconfigure with required options.
     # Now we only need to prepare the Makefile without sparse-wrapped CC.

diff --git a/.ci/linux-prepare.sh b/.ci/linux-prepare.sh
@@ -23,7 +23,7 @@ cd ..
 #     https://github.com/pypa/pip/issues/10655
 pip3 install --disable-pip-version-check --user wheel
 pip3 install --disable-pip-version-check --user \
-    flake8 'hacking>=3.0' netaddr pyparsing sphinx setuptools
+    flake8 'hacking>=3.0' netaddr pyparsing sarif-tools sphinx setuptools
 
 # Install python test dependencies
 pip3 install -r python/test_requirements.txt

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -254,6 +254,119 @@ jobs:
         name: logs-linux-${{ join(matrix.*, '-') }}
         path: logs.tgz
 
+  build-clang-analyze:
+    needs: build-dpdk
+    env:
+      dependencies: |
+        automake bc clang-tools libbpf-dev libnuma-dev libpcap-dev \
+        libunbound-dev libunwind-dev libssl-dev libtool llvm-dev
+      CC:   clang
+      DPDK: dpdk
+      CLANG_ANALYZE: true
+    name: clang-analyze
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+
+    steps:
+    - name: checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: get base branch sha
+      id: base_branch
+      env:
+        BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        EVENT_BEFORE: ${{ github.event.before }}
+        FORCED_PUSH: ${{ github.event.forced }}
+      run: |
+        if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
+          echo "sha=$BASE_SHA" >> $GITHUB_OUTPUT
+        else
+          if [ "$EVENT_BEFORE" = "0000000000000000000000000000000000000000" ] \
+             || [ "$FORCED_PUSH" = true ]; then
+            BASE_SHA=HEAD~1
+            MIN_DISTANCE=1000
+            git remote add upstream https://github.com/openvswitch/ovs.git
+            git fetch upstream
+            for upstream_head in $(git ls-remote --heads upstream main master dpdk-latest branch-2.17 branch-[3456789]* | cut -f 1); do
+              CURR_BASE=$(git merge-base ${upstream_head} HEAD 2>/dev/null)
+              if [ ${CURR_BASE} ]; then
+                DISTANCE=$(git log --oneline ${CURR_BASE}..HEAD | wc -l);
+                if test ${MIN_DISTANCE} -gt ${DISTANCE}; then
+                  BASE_SHA=${CURR_BASE}
+                  MIN_DISTANCE=${DISTANCE}
+                fi
+              fi
+            done
+            echo "sha=$BASE_SHA" >> $GITHUB_OUTPUT
+          else
+            echo "sha=$EVENT_BEFORE" >> $GITHUB_OUTPUT
+          fi
+        fi
+
+    - name: checkout base branch
+      env:
+        BASE_SHA: ${{ steps.base_branch.outputs.sha }}
+      run: |
+        cp -r $(pwd)/. /tmp/base_ovs_main && mv /tmp/base_ovs_main ./
+        cd $(pwd)/base_ovs_main
+        git checkout ${BASE_SHA}
+
+    - name: update PATH
+      run: |
+        echo "$HOME/bin"        >> $GITHUB_PATH
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: generate cache key
+      id: cache_key
+      run: |
+        ver=$(${CC} -v 2>&1 | grep ' version ' | \
+              sed 's/.*version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/g')
+        echo "key=${CC}-${ver}-analyze-$(git -C base_ovs_main rev-parse HEAD)" \
+          >> $GITHUB_OUTPUT
+
+    - name: check for analyzer result cache
+      id: clang_cache
+      uses: actions/cache@v3
+      with:
+        path: base-clang-analyzer-results
+        key:  ${{ steps.cache_key.outputs.key }}
+
+    - name: set up python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.9'
+
+    - name: get cached dpdk-dir
+      uses: actions/cache/restore@v3
+      with:
+        path: dpdk-dir
+        key:  ${{ needs.build-dpdk.outputs.dpdk_key }}
+
+    - name: update APT cache
+      run:  sudo apt update || true
+
+    - name: install common dependencies
+      run:  sudo apt install -y ${{ env.dependencies }}
+
+    - name: prepare
+      run:  ./.ci/linux-prepare.sh
+
+    - name: build base reference
+      if: steps.clang_cache.outputs.cache-hit != 'true'
+      run:  ./.ci/linux-build.sh
+
+    - name: save cache
+      uses: actions/cache/save@v3
+      if: steps.clang_cache.outputs.cache-hit != 'true'
+      with:
+        path: base-clang-analyzer-results
+        key:  ${{ steps.cache_key.outputs.key }}
+
+    - name: build
+      run:  ./.ci/linux-build.sh
+
   build-osx:
     env:
       CC:    clang