Configure Clang static analyzer CI

NWilson · NWilson · commit 9cbd605b084f · 2024-11-22T14:43:21.000Z
diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml
@@ -0,0 +1,46 @@
+
+name: Clang Static Analyzer
+on: [push, pull_request]
+
+jobs:
+  linux:
+    name: Linux
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Prepare
+        run: |
+          sudo apt-get -qq update
+          sudo apt-get -qq install ninja-build clang-tools
+
+      - name: Configure
+        run: |
+          mkdir build
+          cd build
+          scan-build cmake -G Ninja -DPCRE2_SUPPORT_JIT=ON -DCMAKE_BUILD_TYPE=Debug ..
+
+      - name: Build
+        run: |
+          cd build
+          scan-build -o clang-report/ ninja
+
+          ninja clean
+          scan-build -o clang.sarif -sarif ninja
+
+      # Upload the browsable HTML report as an artifact.
+      - name: Upload report
+        uses: actions/upload-artifact@v4
+        with:
+          name: "Clang Static Analyzer report"
+          path: './build/clang-report'
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: build/clang.sarif
+          category: clang-analyzer
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -51,6 +51,7 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif
+          category: ossf-scorecard
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
@@ -2964,6 +2964,8 @@ ptrdiff_t parsed_pattern_extra_check = 0;
 PCRE2_SPTR ptr_check;
 #endif
 
+PCRE2_ASSERT(parsed_pattern != NULL);
+
 /* Insert leading items for word and line matching (features provided for the
 benefit of pcre2grep). */
 
@@ -7131,6 +7133,7 @@ for (;; pptr++)
     /* Save start of previous item, in case we have to move it up in order to
     insert something before it, and remember what it was. */
 
+    PCRE2_ASSERT(previous != NULL);
     tempcode = previous;
     op_previous = *previous;
 
@@ -10154,6 +10157,7 @@ PCRE2_ZERO_TERMINATED. Check for an overlong pattern. */
 
 if ((zero_terminated = (patlen == PCRE2_ZERO_TERMINATED)))
   patlen = PRIV(strlen)(pattern);
+(void)zero_terminated; /* Silence compiler; only used if Valgrind enabled */
 
 if (patlen > ccontext->max_pattern_length)
   {
diff --git a/src/pcre2_compile_class.c b/src/pcre2_compile_class.c
@@ -1103,7 +1103,7 @@ while (TRUE)
   int posix_class;
   int taboffset, tabopt;
   uint8_t pbits[32];
-  uint32_t escape, c, d;
+  uint32_t escape, c;
 
   /* Handle POSIX classes such as [:alpha:] etc. */
   switch (META_CODE(meta))
@@ -1408,7 +1408,7 @@ while (TRUE)
   characters are equal, and for hyphens that cannot indicate a range. At
   this point, therefore, no checking is needed. */
 
-  c = d = meta;
+  c = meta;
 
   /* Remember if \r or \n were explicitly used */
 
@@ -1418,6 +1418,8 @@ while (TRUE)
 
   if (*pptr == META_RANGE_LITERAL || *pptr == META_RANGE_ESCAPED)
     {
+    uint32_t d;
+
 #ifdef EBCDIC
     BOOL range_is_literal = (*pptr == META_RANGE_LITERAL);
 #endif
diff --git a/src/pcre2_match.c b/src/pcre2_match.c
@@ -5792,6 +5792,8 @@ fprintf(stderr, "++ %2ld op=%3d %s\n", Fecode - mb->start_code, *Fecode,
 
       /* Disable compiler warning. */
       offset = 0;
+      (void)offset;
+
       for (;;)
         {
         if (*ecode == OP_CREF)
diff --git a/src/pcre2_printint.c b/src/pcre2_printint.c
@@ -533,7 +533,6 @@ if (*code == OP_XCLASS)
     if (ch >= XCL_LIST)
       {
       ccode = print_char_list(f, ccode - 1, char_lists_end);
-      break;
       }
     switch(ch)
       {
@@ -567,6 +566,7 @@ if (*code == OP_XCLASS)
           }
         }
       break;
+
       default:
       ccode += 1 + print_char(f, ccode, utf);
       if (ch == XCL_RANGE)
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
@@ -766,6 +766,7 @@ do
         }
 
       next = 0; /* not used or updated after this point */
+      (void)next;
 
       /* In extended mode we recognize ${name:+set text:unset text} and
       ${name:-default text}. */
diff --git a/src/pcre2grep.c b/src/pcre2grep.c
@@ -1539,12 +1539,13 @@ switch(endlinetype)
   for (;;)
     {
     while (p < endptr && *p != '\r') p++;
-    if (++p >= endptr)
+    if (p == endptr)
       {
       *lenptr = 0;
       return endptr;
       }
-    if (*p == '\n')
+    p++;
+    if (p < endptr && *p == '\n')
       {
       *lenptr = 2;
       return p + 1;
diff --git a/src/pcre2test.c b/src/pcre2test.c
@@ -8056,6 +8056,7 @@ for (gmatched = 0;; gmatched++)
   if ((dat_datctl.control & (CTL_FINDLIMITS|CTL_FINDLIMITS_NOHEAP)) != 0)
     {
     capcount = 0;  /* This stops compiler warnings */
+    (void)capcount;
 
     if ((dat_datctl.control & CTL_FINDLIMITS_NOHEAP) == 0 &&
         (FLD(compiled_code, executable_jit) == NULL ||

Original file line number	Diff line number	Diff line change
`@@ -5792,6 +5792,8 @@ fprintf(stderr, "++ %2ld op=%3d %s\n", Fecode - mb->start_code, *Fecode,`
`5792`	`5792`
`5793`	`5793`	`/* Disable compiler warning. */`
`5794`	`5794`	`offset = 0;`
	`5795`	`+ (void)offset;`
	`5796`	`+`
`5795`	`5797`	`for (;;)`
`5796`	`5798`	`{`
`5797`	`5799`	`if (*ecode == OP_CREF)`
Original file line number	Diff line number	Diff line change
`@@ -533,7 +533,6 @@ if (*code == OP_XCLASS)`
`533`	`533`	`if (ch >= XCL_LIST)`
`534`	`534`	`{`
`535`	`535`	`ccode = print_char_list(f, ccode - 1, char_lists_end);`
`536`		`- break;`
`537`	`536`	`}`
`538`	`537`	`switch(ch)`
`539`	`538`	`{`
`@@ -567,6 +566,7 @@ if (*code == OP_XCLASS)`
`567`	`566`	`}`
`568`	`567`	`}`
`569`	`568`	`break;`
	`569`	`+`
`570`	`570`	`default:`
`571`	`571`	`ccode += 1 + print_char(f, ccode, utf);`
`572`	`572`	`if (ch == XCL_RANGE)`
Original file line number	Diff line number	Diff line change
`@@ -766,6 +766,7 @@ do`
`766`	`766`	`}`
`767`	`767`
`768`	`768`	`next = 0; /* not used or updated after this point */`
	`769`	`+ (void)next;`
`769`	`770`
`770`	`771`	`/* In extended mode we recognize ${name:+set text:unset text} and`
`771`	`772`	`${name:-default text}. */`
Original file line number	Diff line number	Diff line change
`@@ -1539,12 +1539,13 @@ switch(endlinetype)`
`1539`	`1539`	`for (;;)`
`1540`	`1540`	`{`
`1541`	`1541`	`while (p < endptr && *p != '\r') p++;`
`1542`		`- if (++p >= endptr)`
	`1542`	`+ if (p == endptr)`
`1543`	`1543`	`{`
`1544`	`1544`	`*lenptr = 0;`
`1545`	`1545`	`return endptr;`
`1546`	`1546`	`}`
`1547`		`- if (*p == '\n')`
	`1547`	`+ p++;`
	`1548`	`+ if (p < endptr && *p == '\n')`
`1548`	`1549`	`{`
`1549`	`1550`	`*lenptr = 2;`
`1550`	`1551`	`return p + 1;`
Original file line number	Diff line number	Diff line change
`@@ -8056,6 +8056,7 @@ for (gmatched = 0;; gmatched++)`
`8056`	`8056`	`if ((dat_datctl.control & (CTL_FINDLIMITS\|CTL_FINDLIMITS_NOHEAP)) != 0)`
`8057`	`8057`	`{`
`8058`	`8058`	`capcount = 0; /* This stops compiler warnings */`
	`8059`	`+ (void)capcount;`
`8059`	`8060`
`8060`	`8061`	`if ((dat_datctl.control & CTL_FINDLIMITS_NOHEAP) == 0 &&`
`8061`	`8062`	`(FLD(compiled_code, executable_jit) == NULL \|\|`