From 3183b65a94cb940a2d9ad5a5a0b9d387e0736a09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?DOTTEL=20Ga=C3=ABl?=
Date: Wed, 11 Mar 2026 23:37:54 +0100
Subject: [PATCH 1/5] Add a check for VideoSnapshot&& to ImageViewRGB32 conversion
---
 .../workflows/cpp-ci-serial-programs-base.yml | 64 ++++++++++++++++---
 1 file changed, 56 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml
index 09d52a5ba1..55a0f676fd 100644
--- a/.github/workflows/cpp-ci-serial-programs-base.yml
+++ b/.github/workflows/cpp-ci-serial-programs-base.yml
@@ -133,17 +133,65 @@ jobs: cat << 'EOF' > query.txt set output dump - match invocation( - isExpansionInFileMatching("SerialPrograms/"), - hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), - hasArgument(0, hasType(asString("std::string"))) + match anyOf( + invocation( + isExpansionInFileMatching("SerialPrograms/"), + hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), + hasArgument(0, hasType(asString("std::string"))) + ).bind("path_error"), + cxxConstructExpr( + isExpansionInFileMatching("SerialPrograms/"), + hasDeclaration(cxxConstructorDecl(ofClass(hasName("ImageViewRGB32")))), + hasArgument(0, hasType(rValueReferenceType(pointee(hasType(hasName("VideoSnapshot")))))), + unless(hasAncestor(functionDecl(isInline()))) + ).bind("view_error") ) EOF files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> output.txt - cat output.txt - if grep --silent "Match #" output.txt; then - echo "::error Forbidden std::filesystem::path construction detected!" + echo "$files" | xargs --max-args=50 clang-query -p SerialPrograms/bin/ -f query.txt > clang-query-output.txt 2> clang-query-error.txt || true + + if [ -s clang-query-error.txt ]; then + echo "Clang query encountered an error." + echo "Check clang-query-error.txt below." exit 1 fi + + FOUND_FORBIDDEN=0 + if grep -q "Binding for 'path_error'" clang-query-output.txt; then + echo "::error title=std::filesystem::path created from std::string. More information https://discord.com/channels/695809740428673034/1462210406616531259/1462567541825339635" + FOUND_FORBIDDEN=1 + fi + if grep -q "Binding for 'view_error'" clang-query-output.txt; then + echo "::error title=ImageViewRGB32 created from VideoSnapshot&& that is stored. 
It is a dangling pointer as nothing hold the data anymore" + FOUND_FORBIDDEN=1 + fi + + if [ "$FOUND_FORBIDDEN" -eq 1 ]; then + echo "Clang query encountered a banned pattern." + echo "Check clang-query-output.txt below." + exit 1 + fi + + echo "Scan completed successfully with no violations." + + - name: Upload compile commands + uses: actions/upload-artifact@v7 + if: inputs.run-clang-query && always() + with: + name: Compile commands (compiler=${{inputs.compiler}}) + path: Arduino-Source/SerialPrograms/bin/compile_commands.json + + - name: Upload Clang query output + uses: actions/upload-artifact@v7 + if: inputs.run-clang-query && always() + with: + name: Clang query output (compiler=${{inputs.compiler}}) + path: Arduino-Source/clang-query-output.txt + + - name: Upload Clang query error + uses: actions/upload-artifact@v7 + if: inputs.run-clang-query && always() + with: + name: Clang query error (compiler=${{inputs.compiler}}) + path: Arduino-Source/clang-query-error.txt \ No newline at end of file From 9b72ad66600d8ad4ba8965bcdb69f2961c20e2b6 Mon Sep 17 00:00:00 2001 From: pifopi Date: Mon, 23 Mar 2026 15:54:44 +0100 Subject: [PATCH 2/5] Improve script --- .../workflows/cpp-ci-serial-programs-base.yml | 35 +++++++------------ 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 55a0f676fd..7c3afa472c 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml 
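Review bot: The new `view_error` matcher nests `hasType(hasName("VideoSnapshot"))` inside `pointee(...)`, but `pointee` takes a type matcher, so clang-query will most likely reject the query at parse time; with `|| true` on the pipeline, the only symptom would be the `-s clang-query-error.txt` check failing every run with the generic "encountered an error" message, never a dangling-view report. Matching the reference target through its declaration keeps the intent and type-checks: `hasArgument(0, hasType(rValueReferenceType(pointee(hasDeclaration(recordDecl(hasName("VideoSnapshot")))))))`. Separately, the three added `uses: actions/upload-artifact@v7` steps are pinned to a mutable tag; pinning to the full commit SHA with the version as a trailing comment, `uses: actions/upload-artifact@<commit-sha> # v7`, prevents a moved tag from silently changing what runs in CI.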
@@ -149,49 +149,38 @@ jobs: EOF files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs --max-args=50 clang-query -p SerialPrograms/bin/ -f query.txt > clang-query-output.txt 2> clang-query-error.txt || true + echo "$files" | xargs --max-args=50 clang-query -p SerialPrograms/bin/ -f query.txt > clang-query-stdout.txt 2> clang-query-stderr.txt || true - if [ -s clang-query-error.txt ]; then + if [ -s clang-query-stderr.txt ] && grep --quiet --invert-match "Processing file" clang-query-stderr.txt; then echo "Clang query encountered an error." - echo "Check clang-query-error.txt below." + echo "Check clang-query-stderr.txt below." exit 1 fi FOUND_FORBIDDEN=0 - if grep -q "Binding for 'path_error'" clang-query-output.txt; then - echo "::error title=std::filesystem::path created from std::string. More information https://discord.com/channels/695809740428673034/1462210406616531259/1462567541825339635" + if grep --quiet "Binding for 'path_error'" clang-query-stdout.txt; then + echo "std::filesystem::path created from std::string. More information https://discord.com/channels/695809740428673034/1462210406616531259/1462567541825339635" FOUND_FORBIDDEN=1 fi - if grep -q "Binding for 'view_error'" clang-query-output.txt; then - echo "::error title=ImageViewRGB32 created from VideoSnapshot&& that is stored. It is a dangling pointer as nothing hold the data anymore" + if grep --quiet "Binding for 'view_error'" clang-query-stdout.txt; then + echo "ImageViewRGB32 created from VideoSnapshot&& that is stored. It is a dangling pointer as nothing hold the data anymore" FOUND_FORBIDDEN=1 fi if [ "$FOUND_FORBIDDEN" -eq 1 ]; then echo "Clang query encountered a banned pattern." - echo "Check clang-query-output.txt below." + echo "Check clang-query-stdout.txt below." exit 1 fi echo "Scan completed successfully with no violations." 
- - name: Upload compile commands - uses: actions/upload-artifact@v7 - if: inputs.run-clang-query && always() - with: - name: Compile commands (compiler=${{inputs.compiler}}) - path: Arduino-Source/SerialPrograms/bin/compile_commands.json - - name: Upload Clang query output uses: actions/upload-artifact@v7 if: inputs.run-clang-query && always() with: name: Clang query output (compiler=${{inputs.compiler}}) - path: Arduino-Source/clang-query-output.txt - - - name: Upload Clang query error - uses: actions/upload-artifact@v7 - if: inputs.run-clang-query && always() - with: - name: Clang query error (compiler=${{inputs.compiler}}) - path: Arduino-Source/clang-query-error.txt \ No newline at end of file + path: | + Arduino-Source/SerialPrograms/bin/compile_commands.json + Arduino-Source/clang-query-stdout.txt + Arduino-Source/clang-query-stderr.txt \ No newline at end of file From c3891e422d64080f65d66fe2c6b96b702142b48f Mon Sep 17 00:00:00 2001 From: pifopi Date: Mon, 23 Mar 2026 16:59:19 +0100 Subject: [PATCH 3/5] One file at a time --- .github/workflows/cpp-ci-serial-programs-base.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 7c3afa472c..9c3585aa3b 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml 
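Review bot: Dropping the `::error` prefix from the two banned-pattern echoes means the findings no longer surface as workflow annotations, only as plain log lines that a reviewer has to scroll for. The patch-1 form most likely failed because the text sat in the `title=` property and itself contained `::`; placing it in the message position instead, `echo "::error::std::filesystem::path created from std::string. More information ..."` and likewise for the `view_error` message, should keep the annotation while avoiding that parse problem. The new stderr heuristic `grep --quiet --invert-match "Processing file"` also treats any other stderr line, including harmless warnings about compile flags, as fatal while `|| true` still hides clang-query's own exit status; testing the pipeline's status directly, `if ! echo "$files" | xargs ... ; then`, is the more reliable signal.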
@@ -148,14 +148,8 @@ jobs: ) EOF - files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs --max-args=50 clang-query -p SerialPrograms/bin/ -f query.txt > clang-query-stdout.txt 2> clang-query-stderr.txt || true - - if [ -s clang-query-stderr.txt ] && grep --quiet --invert-match "Processing file" clang-query-stderr.txt; then - echo "Clang query encountered an error." - echo "Check clang-query-stderr.txt below." - exit 1 - fi + files=$(jq --raw-output '.[].file' SerialPrograms/bin/compile_commands.json) + echo "$files" | xargs clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query-stdout.txt FOUND_FORBIDDEN=0 if grep --quiet "Binding for 'path_error'" clang-query-stdout.txt; then @@ -182,5 +176,4 @@ jobs: name: Clang query output (compiler=${{inputs.compiler}}) path: | Arduino-Source/SerialPrograms/bin/compile_commands.json - Arduino-Source/clang-query-stdout.txt - Arduino-Source/clang-query-stderr.txt \ No newline at end of file + Arduino-Source/clang-query-stdout.txt \ No newline at end of file From 22f4c1927013c8e4c8fb344a97fe01e7cb69d7d4 Mon Sep 17 00:00:00 2001 From: pifopi Date: Mon, 23 Mar 2026 17:46:30 +0100 Subject: [PATCH 4/5] for each --- .github/workflows/cpp-ci-serial-programs-base.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 9c3585aa3b..59d9ffcbc4 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml 
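Review bot: With `|| true` and the stderr check removed, whether a clang-query failure fails this step now rests entirely on the runner shell's errexit (xargs exits 123 when any invocation fails); if the job's `shell:` setting, which is outside this hunk, does not enable `-e`, a broken query.txt would pass the scan with an empty stdout file and the grep would report no violations. The redirection also changed to `>> clang-query-stdout.txt`, so a pre-existing file (a reused workspace, or an earlier step writing the same name) would carry stale "Binding for" lines into the checks; truncating first, `: > clang-query-stdout.txt`, before the xargs line makes each run self-contained. Since stderr is no longer captured, the uploaded artifact in the second hunk now holds only stdout and clang-query's diagnostics exist solely in the job log.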
@@ -149,7 +149,10 @@ jobs: EOF files=$(jq --raw-output '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query-stdout.txt + for file in $files; do + echo "Processing: $file" + clang-query -p SerialPrograms/bin/ -f query.txt "$file" >> clang-query-stdout.txt + done FOUND_FORBIDDEN=0 if grep --quiet "Binding for 'path_error'" clang-query-stdout.txt; then From 6a745567cc8ed5c15cc97f475775c97c17f51a17 Mon Sep 17 00:00:00 2001 From: pifopi Date: Mon, 23 Mar 2026 18:36:37 +0100 Subject: [PATCH 5/5] back to previous query --- .../workflows/cpp-ci-serial-programs-base.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 59d9ffcbc4..d32cc41f88 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -133,18 +133,10 @@ jobs: cat << 'EOF' > query.txt set output dump - match anyOf( - invocation( - isExpansionInFileMatching("SerialPrograms/"), - hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), - hasArgument(0, hasType(asString("std::string"))) - ).bind("path_error"), - cxxConstructExpr( - isExpansionInFileMatching("SerialPrograms/"), - hasDeclaration(cxxConstructorDecl(ofClass(hasName("ImageViewRGB32")))), - hasArgument(0, hasType(rValueReferenceType(pointee(hasType(hasName("VideoSnapshot")))))), - unless(hasAncestor(functionDecl(isInline()))) - ).bind("view_error") + match invocation( + isExpansionInFileMatching("SerialPrograms/"), + hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), + hasArgument(0, hasType(asString("std::string"))) ) EOF
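Review bot: `for file in $files; do` word-splits and glob-expands the unquoted jq output, so any entry in compile_commands.json containing whitespace or glob characters is mangled before it reaches the correctly quoted `"$file"` below. Reading line by line avoids that: replace the `files=$(...)` assignment and the `for` line with `jq --raw-output '.[].file' SerialPrograms/bin/compile_commands.json | while IFS= read -r file; do`, keeping the loop body as is. Note that under errexit the first clang-query failure now stops the loop before the `FOUND_FORBIDDEN` checks run, so partial results accumulated in clang-query-stdout.txt are uploaded but never graded; the `Processing: $file` echo at least shows in the log which file was last attempted.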