christoph/wamr
1
Fork 0
Code Releases Activity

Refactor CodeQL CI (#3319)

Browse Source 
- Move CodeQL scripts to the scripts directory
- Only report error in CI if it's a CodeQL reported issue and was not dismissed
  before and is likely to be an actual error
This commit is contained in:
TianlongLiang
2024-04-16 16:32:47 +08:00
committed by GitHub
parent 42199f163e
commit 30426be82c
4 changed files with 134 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/codeql.yml vendored
View File

@ -64,7 +64,7 @@ jobs:
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
- run: |
./.github/workflows/codeql_buildscript.sh
./.github/scripts/codeql_buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
@ -110,5 +110,8 @@ jobs:
- name: Fail if an error is found
run: |
./.github/workflows/codeql_fail_on_error.py \
./.github/scripts/codeql_fail_on_error.py \
${{ steps.step1.outputs.sarif-output }}/cpp.sarif
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}

277
.github/workflows/codeql_buildscript.sh vendored
View File

@ -1,277 +0,0 @@
#!/usr/bin/env bash
sudo apt update
sudo apt install -y build-essential cmake g++-multilib libgcc-11-dev lib32gcc-11-dev ccache ninja-build ccache
WAMR_DIR=${PWD}
# TODO: use pre-built llvm binary to build wamrc to
# avoid static code analysing for llvm
: '
# build wamrc
cd ${WAMR_DIR}/wamr-compiler
./build_llvm.sh
rm -fr build && mkdir build && cd build
cmake ..
make -j
if [[ $? != 0 ]]; then
echo "Failed to build wamrc!"
exit 1;
fi
'
# build iwasm with default features enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake ..
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with default features enabled!"
exit 1;
fi
# build iwasm with default features enabled on x86_32
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DWAMR_BUILD_TARGET=X86_32
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with default features enabled on x86_32!"
exit 1;
fi
# build iwasm with classic interpreter enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with classic interpreter enabled!"
exit 1;
fi
# build iwasm with extra features enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug \
-DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \
-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
-DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
-DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
-DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
-DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build wamrc iwasm with extra features enabled!"
exit 1;
fi
# build iwasm with global heap pool enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug \
-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \
-DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \
-DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \
-DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with global heap pool enabled!"
exit 1;
fi
# build iwasm with wasi-threads enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with wasi-threads enabled!"
exit 1;
fi
# build iwasm with GC enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with GC enabled!"
exit 1;
fi
# build iwasm with exception handling enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with exception handling enabled!"
exit 1;
fi
# build iwasm with memory64 enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with memory64 enabled!"
exit 1;
fi
# build iwasm with hardware boundary check disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with hardware boundary check disabled!"
exit 1;
fi
# build iwasm with quick AOT entry disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with quick AOT entry disabled!"
exit 1;
fi
# build iwasm with wakeup of blocking operations disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with wakeup of blocking operations disabled!"
exit 1;
fi
# build iwasm with module instance context disabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with module instance context disabled!"
exit 1;
fi
# build iwasm with libc-uvwasi enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -fr build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with libc-uvwasi enabled!"
exit 1;
fi
# build iwasm with fast jit lazy mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with fast jit lazy mode enabled!"
exit 1;
fi
# build iwasm with fast jit eager mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with fast jit eager mode enabled!"
exit 1;
fi
# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
: '
# build iwasm with llvm jit lazy mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build llvm jit lazy mode enabled!"
exit 1;
fi
# build iwasm with llvm jit eager mode enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
make -j
if [[ $? != 0 ]]; then
echo "Failed to build llvm jit eager mode enabled!"
exit 1;
fi
# build iwasm with multi-tier jit enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
-DWAMR_BUILD_FAST_JIT_DUMP=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with multi-tier jit enabled!"
exit 1;
fi
'
# build iwasm with wasm mini-loader enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build with wasm mini-loader enabled!"
exit 1;
fi
# build iwasm with source debugging enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with source debugging enabled!"
exit 1;
fi
# build iwasm with AOT static PGO enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with AOT static PGO enabled!"
exit 1;
fi
# build iwasm with configurable bounds checks enabled
cd ${WAMR_DIR}/product-mini/platforms/linux
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGUABLE_BOUNDS_CHECKS=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with configurable bounds checks enabled!"
exit 1;
fi
# build iwasm with linux perf support enabled
cd ${WAMR_DIR}/product-mini/platforms/linux/
rm -rf build && mkdir build && cd build
cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
make -j
if [[ $? != 0 ]]; then
echo "Failed to build iwasm with linux perf support enabled!"
exit 1;
fi

34
.github/workflows/codeql_fail_on_error.py vendored
View File

@ -1,34 +0,0 @@
#!/usr/bin/env python3
import json
import sys
# Return whether SARIF file contains error-level results
def codeql_sarif_contain_error(filename):
with open(filename, 'r') as f:
s = json.load(f)
for run in s.get('runs', []):
rules_metadata = run['tool']['driver']['rules']
if not rules_metadata:
rules_metadata = run['tool']['extensions'][0]['rules']
for res in run.get('results', []):
if 'ruleIndex' in res:
rule_index = res['ruleIndex']
elif 'rule' in res and 'index' in res['rule']:
rule_index = res['rule']['index']
else:
continue
try:
rule_level = rules_metadata[rule_index]['defaultConfiguration']['level']
except IndexError as e:
print(e, rule_index, len(rules_metadata))
else:
if rule_level == 'error':
return True
return False
if __name__ == "__main__":
if codeql_sarif_contain_error(sys.argv[1]):
sys.exit(1)