[llvm] [workflows] Add post-commit job that periodically runs the clang static analyzer (PR #94106)
Artem Dergachev via llvm-commits
llvm-commits at lists.llvm.org
Wed Jun 5 12:42:31 PDT 2024
================
@@ -0,0 +1,69 @@
+name: Post-Commit Static Analyzer
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches:
+ - 'release/**'
+ paths:
+ - 'llvm/**'
+ - '.github/workflows/ci-post-commit-analyzer.yml'
+ pull_request:
+ paths:
+ - '.github/workflows/ci-post-commit-analyzer.yml'
+ schedule:
+ - cron: '30 0 * * *'
+
+concurrency:
+ group: >-
+ llvm-project-${{ github.workflow }}-${{ github.event_name == 'pull_request' &&
+ ( github.event.pull_request.number || github.ref) }}
+ cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+ post-commit-analyzer:
+ if: >-
+ github.repository_owner == 'llvm' &&
+ github.event.action != 'closed'
+ runs-on: ubuntu-22.04
+ env:
+ LLVM_VERSION: 18
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Install Dependencies
+ run: |
+ sudo echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-18 main" | sudo tee -a /etc/apt/sources.list.d/llvm.list
+ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
+ sudo apt-get update
+ sudo apt-get install \
+ cmake \
+ ninja-build \
+ perl \
+ clang-tools-$LLVM_VERSION \
+ clang-$LLVM_VERSION
+
+ - name: Configure
+ run: |
+ scan-build-$LLVM_VERSION \
+ --use-c++=clang++ \
+ --use-cc=clang \
+ cmake -B build -S llvm -G Ninja \
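Review bot: the Install Dependencies step hard-codes `llvm-toolchain-jammy-18` in the apt source line while the package names use `$LLVM_VERSION`, so changing the env value alone would leave apt pointed at the 18 repository; derive the suite name from `$LLVM_VERSION` as well. The same step pipes the downloaded key into `apt-key add -`, which is deprecated and makes the key trusted for every configured repository; writing it to a dedicated keyring file and referencing that file with `signed-by=` in the `deb` line limits it to apt.llvm.org. The `sudo` in front of `echo` has no effect, since `sudo tee` performs the privileged write.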
----------------
haoNoQ wrote:
> What would a custom CMAKE_CXX_COMPILER_LAUNCHER need to do? Just call clang to compile the object and then clang --analyze to analyze it?
Yes, something like this:
```sh
#!/bin/sh
# Run the original compile command unchanged, then run it again in analyzer mode.
"$@"
"$@" --analyze --analyzer-output html -o "$OUTPUT_DIR" \
  -Xclang -analyzer-config -Xclang max-nodes=150000
```
> Also, would it be better to just compile the project normally and then use clang-tidy to run the analyzer using the compilation database?
This probably wouldn't be faster because you'll still need to regularly re-generate the compilation database. On a buildbot this implies "every time". Also clang-tidy doesn't know how to produce HTML output, and static analyzer reports are incredibly hard to read without a GUI that overlays them on top of your source code (even though technically the CLI gives you all the same information).
But the upside would be that you'll get clang-tidy checks too, without the *third* recompilation. I wanted to properly "marry" them for a long time so that this wasn't a choice you had to make, but never got to finishing it :(
> If done this way, one would need to do some extra work to wrap up the analyze outputs and gather it all into a common report, like scan-build does, right?
Yes, you can bring `scan-build` back for this last part:
```sh
scan-build --generate-index-only $OUTPUT_DIR
```
Btw, this works because HTML reports are machine-readable due to nice magic comments:
```html
<!-- BUGDESC Dereference of null pointer (loaded from variable 'x') -->

<!-- BUGTYPE Dereference of null pointer -->

<!-- BUGCATEGORY Logic error -->

<!-- BUGFILE /Users/artemdergachev/test/test.c -->

<!-- FILENAME test.c -->

<!-- FUNCTIONNAME foo -->

<!-- ISSUEHASHCONTENTOFLINEINCONTEXT 9c4d6241eb00bff2310e3e3391b46023 -->

<!-- BUGLINE 83 -->

<!-- BUGCOLUMN 10 -->

<!-- BUGPATHLENGTH 2 -->

<!-- BUGMETAEND -->
<!-- REPORTHEADER -->
```
So `scan-build` doesn't need to talk to clang or observe analysis in real time in order to rebuild the index.
And if you like you can do a lot of custom post-processing on top of it, like filter out reports by some of these categories, or separate them into different directories to build a separate index file for each project.
https://github.com/llvm/llvm-project/pull/94106
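The post-processing described in the message above (reading the metadata comments, filtering by bug type, splitting reports by category), as an added example that is not part of the original message or of scan-build. The function names, the choice of the issue hash as a de-duplication key, and the sanitized directory names are assumptions of this example; the sample report is constructed.

```python
import re
from collections import defaultdict

# One metadata comment, e.g. "<!-- BUGLINE 83 -->"; BUGMETAEND has no value.
META_RE = re.compile(r"<!--\s+([A-Z]+)(?:\s+(.*?))?\s*-->")

def parse_report(html):
    """Return one report's metadata comments as a dict, stopping at BUGMETAEND."""
    meta = {}
    for line in html.splitlines():
        m = META_RE.search(line)
        if not m:
            continue
        if m.group(1) == "BUGMETAEND":
            break
        meta.setdefault(m.group(1), m.group(2) or "")  # first occurrence wins
    for field in ("BUGLINE", "BUGCOLUMN", "BUGPATHLENGTH"):
        if meta.get(field, "").isdigit():
            meta[field] = int(meta[field])
    return meta

def safe_dirname(category):
    """Turn a category into a directory name; report text is not trusted as a path."""
    return re.sub(r"[^A-Za-z0-9]+", "-", category).strip("-").lower() or "uncategorized"

def group_reports(reports, skip_types=()):
    """Group parsed reports by category, dropping skipped bug types and repeats
    of the same ISSUEHASHCONTENTOFLINEINCONTEXT (dedup key chosen for this example)."""
    groups, seen = defaultdict(list), set()
    for meta in reports:
        issue_hash = meta.get("ISSUEHASHCONTENTOFLINEINCONTEXT")
        if meta.get("BUGTYPE") in skip_types or (issue_hash and issue_hash in seen):
            continue
        seen.add(issue_hash)
        groups[safe_dirname(meta.get("BUGCATEGORY", ""))].append(meta)
    return dict(groups)

# Constructed sample in the format quoted above (not real analyzer output).
SAMPLE = """<!-- BUGDESC Dereference of null pointer (loaded from variable 'x') -->
<!-- BUGTYPE Dereference of null pointer -->
<!-- BUGCATEGORY Logic error -->
<!-- FILENAME test.c -->
<!-- ISSUEHASHCONTENTOFLINEINCONTEXT 9c4d6241eb00bff2310e3e3391b46023 -->
<!-- BUGLINE 83 -->
<!-- BUGMETAEND -->
<!-- REPORTHEADER -->"""

if __name__ == "__main__":
    for name, found in group_reports([parse_report(SAMPLE)] * 2).items():
        print(name, [(r["FILENAME"], r["BUGLINE"]) for r in found])
```

Each group can then be copied into its own directory and indexed separately with `scan-build --generate-index-only`.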