adding scan-build test (#1240)

* adding scan-build test * upgrade to clang-14 * excluding Kyber from scan-build test
2025-10-15 00:01:37 -04:00 · 2022-06-30 14:49:06 +02:00 · 2022-06-30 14:49:06 +02:00 · fbb34be899
commit fbb34be899
parent d402280283
2 changed files with 34 additions and 3 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -21,6 +21,7 @@ localCheckout: &localCheckout
  run: |-
    PROJECT_PATH=$(cd ${CIRCLE_WORKING_DIRECTORY}; pwd)
    mkdir -p ${PROJECT_PATH}
+    git config --global --add safe.directory /tmp/_circleci_local_build_repo
    cd /tmp/_circleci_local_build_repo
    git ls-files -z | xargs -0 -s 2090860 tar -c | tar -x -C ${PROJECT_PATH}
    cp -a /tmp/_circleci_local_build_repo/.git ${PROJECT_PATH}
@ -124,6 +125,25 @@ jobs:
      - store_artifacts:
          path: build/test-results

+
+  scan_build:
+    description: Executing scan-build test
+    parameters:
+      CONTAINER:
+        description: "The docker container to use."
+        type: string
+    docker:
+      - image: << parameters.CONTAINER >>
+    steps:
+      - checkout # change this from "checkout" to "*localCheckout" when running CircleCI locally
+      - run:
+          name: Configure (excluding Kyber because of known issue)
+          command: mkdir build && cd build && pwd && source ~/.bashrc && scan-build-14 cmake -GNinja -DOQS_ENABLE_KEM_KYBER=OFF ..
+      - run:
+          name: Build
+          command: scan-build-14 --status-bugs ninja
+          working_directory: build
+
  arm_machine:
    description: A template for running liboqs tests on ARM(presently only 64) machines
    parameters:
@ -319,6 +339,11 @@ workflows:
      #    name: debian-buster
      #    context: openquantumsafe
      #    CONTAINER: openquantumsafe/ci-debian-buster-amd64:latest
+      - scan_build:
+          <<: *require_buildcheck
+          name: scan_build
+          context: openquantumsafe
+          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
      - linux_oqs:
          <<: *require_buildcheck
          name: ubuntu-focal-noopenssl
@ -334,10 +359,10 @@ workflows:
          PYTEST_ARGS: --ignore=tests/test_namespace.py --numprocesses=auto
      - linux_oqs:
          <<: *require_buildcheck
-          name: ubuntu-focal-clang9
+          name: ubuntu-focal-clang14
          context: openquantumsafe
          CONTAINER: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-          CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9
+          CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-14
      - linux_oqs:
          <<: *require_buildcheck
          name: ubuntu-bionic-i386
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@ -47,6 +47,8 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

+Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
+
 ## Kyber768 implementation characteristics

 |        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
@ -66,6 +68,8 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

+Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
+
 ## Kyber1024 implementation characteristics

 |        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
@ -85,6 +89,8 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.

 Are implementations chosen based on runtime CPU feature detection? **Yes**.

+Implementation known to fail [scan-build](https://clang-analyzer.llvm.org/scan-build.html).
+
 ## Explanation of Terms

- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.