53 analyzer expand security coverage enforce global strict test runner stabilize expectation matching

.github/workflows/ci.yml

@@ -9,6 +9,9 @@ on:
       - "**"
   workflow_dispatch:
 
+env:
+  CCACHE_DIR: ${{ github.workspace }}/.ccache
+
 jobs:
   build:
     name: Build on ${{ matrix.os }}
@@ -22,15 +25,19 @@ jobs:
         os: [ubuntu-latest, macos-latest]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
-        fetch-depth: 0
+        # Shallow clone is enough for building. Steps that need history
+        # (changelog, merge-base) should override with their own fetch.
+        fetch-depth: 1
 
+    # Linux: install toolchain + accelerators
     - name: Install dependencies (Linux)
       if: runner.os == 'Linux'
       run: |
         sudo apt-get update
-        sudo apt-get install -y build-essential cmake python3
+        sudo apt-get install -y build-essential cmake python3 \
+          ninja-build ccache lld
         # Install LLVM and Clang 20
         wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
         sudo apt-add-repository "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-20 main"
@@ -39,38 +46,75 @@ jobs:
         echo "LLVM_DIR=/usr/lib/llvm-20/lib/cmake/llvm" >> $GITHUB_ENV
         echo "Clang_DIR=/usr/lib/llvm-20/lib/cmake/clang" >> $GITHUB_ENV
 
+    # macOS: install toolchain
     - name: Install dependencies (macOS)
       if: runner.os == 'macOS'
       run: |
-        brew install cmake python llvm@20
+        brew install cmake python llvm@20 ninja ccache
         echo "LLVM_DIR=$(brew --prefix llvm@20)/lib/cmake/llvm" >> $GITHUB_ENV
         echo "Clang_DIR=$(brew --prefix llvm@20)/lib/cmake/clang" >> $GITHUB_ENV
         echo "$(brew --prefix llvm@20)/bin" >> $GITHUB_PATH
 
-    - name: Configure via build.sh (quick)
+    # ccache: restore + configure
+    - name: Restore ccache
+      uses: actions/cache@v4
+      with:
+        path: ${{ env.CCACHE_DIR }}
+        key: ccache-${{ runner.os }}-${{ github.ref_name }}-${{ hashFiles('CMakeLists.txt', 'src/**', 'include/**') }}
+        restore-keys: |
+          ccache-${{ runner.os }}-${{ github.ref_name }}-
+          ccache-${{ runner.os }}-
+
+    - name: Configure ccache
       run: |
-        ./build.sh --build-dir build-script --type Release --configure-only
+        ccache --set-config=cache_dir=${{ env.CCACHE_DIR }}
+        ccache --set-config=max_size=500M
+        ccache --set-config=compression=true
+        ccache -z
 
-    - name: Configure and Build (Linux/macOS)
-      if: runner.os == 'Linux' || runner.os == 'macOS'
+    # FetchContent cache (sources only)
+    - name: Restore FetchContent sources
+      uses: actions/cache@v4
+      with:
+        path: |
+          build/_deps/cc-src
+          build/_deps/coretrace-logger-src
+        key: fetchcontent-${{ runner.os }}-llvm20-${{ hashFiles('CMakeLists.txt', 'cmake/**') }}
+        restore-keys: |
+          fetchcontent-${{ runner.os }}-llvm20-
+
+    # Configure
+    - name: Configure
       run: |
-        mkdir -p build && cd build
-        cmake .. -DCMAKE_BUILD_TYPE=Release \
-                -DLLVM_DIR=${{ env.LLVM_DIR }} \
-                -DClang_DIR=${{ env.Clang_DIR }} \
-                -DUSE_SHARED_LIB=OFF \
-                -DBUILD_TESTS=OFF
+        cmake -S . -B build -G Ninja \
+          -DCMAKE_BUILD_TYPE=Release \
+          -DLLVM_DIR=${{ env.LLVM_DIR }} \
+          -DClang_DIR=${{ env.Clang_DIR }} \
+          -DCMAKE_C_COMPILER_LAUNCHER=ccache \
+          -DCMAKE_CXX_COMPILER_LAUNCHER=ccache \
+          -DUSE_SHARED_LIB=OFF \
+          -DBUILD_TESTS=OFF \
+          ${{ runner.os == 'Linux' && '-DCMAKE_EXE_LINKER_FLAGS=-fuse-ld=lld -DCMAKE_SHARED_LINKER_FLAGS=-fuse-ld=lld' || '' }}
+
+    # Build
+    - name: Build
+      run: cmake --build build --config Release
 
-        cmake --build . --config Release
+    - name: Show ccache stats
+      if: always()
+      run: ccache -s
 
-    - name: Test Stack Usage Analyzer (Linux/macOS)
-      if: runner.os == 'Linux' || runner.os == 'macOS'
+    # Tests
+    - name: Test Stack Usage Analyzer
       timeout-minutes: 45
       run: |
         TEST_JOBS="$(python3 -c 'import os; print(max(1, min(8, os.cpu_count() or 1)))')"
         echo "Running run_test.py with ${TEST_JOBS} job(s)"
-        python3 -u run_test.py --jobs="${TEST_JOBS}"
+        EXTRA_ANALYZER_ARGS=""
+        CORETRACE_RUN_TEST_EXTRA_ANALYZER_ARGS="${EXTRA_ANALYZER_ARGS}" \
+          python3 -u run_test.py --jobs="${TEST_JOBS}"
 
+    # Self-analysis (Linux only)
     - name: Self-analysis (analyze own source code)
       if: runner.os == 'Linux'
       run: |

CMakeLists.txt

@@ -68,14 +68,20 @@ set(STACK_ANALYZER_SOURCES
     src/analysis/AnalyzerUtils.cpp
     src/analysis/CompileCommands.cpp
     src/analysis/ConstParamAnalysis.cpp
+    src/analysis/CommandInjectionAnalysis.cpp
     src/analysis/DuplicateIfCondition.cpp
     src/analysis/DynamicAlloca.cpp
+    src/analysis/BufferWriteModel.cpp
+    src/analysis/FrontendDiagnostics.cpp
     src/analysis/FunctionFilter.cpp
     src/analysis/IRValueUtils.cpp
     src/analysis/IntRanges.cpp
+    src/analysis/IntegerOverflowAnalysis.cpp
     src/analysis/InputPipeline.cpp
     src/analysis/InvalidBaseReconstruction.cpp
     src/analysis/MemIntrinsicOverflow.cpp
+    src/analysis/NullDerefAnalysis.cpp
+    src/analysis/OOBReadAnalysis.cpp
     src/analysis/ResourceLifetimeAnalysis.cpp
     src/analysis/Reachability.cpp
     src/analysis/SizeMinusKWrites.cpp
@@ -84,6 +90,8 @@ set(STACK_ANALYZER_SOURCES
     src/analysis/StackPointerEscape.cpp
     src/analysis/StackPointerEscapeModel.cpp
     src/analysis/StackPointerEscapeResolver.cpp
+    src/analysis/TOCTOUAnalysis.cpp
+    src/analysis/TypeConfusionAnalysis.cpp
     src/analysis/UninitializedVarAnalysis.cpp
     src/report/ReportSerialization.cpp
     src/mangle.cpp

Dockerfile

@@ -1,31 +1,39 @@
 # =============================================================================
-# CoreTrace Stack Analyzer — Production Docker Image
+# CoreTrace Stack Analyzer — Docker Image
 # =============================================================================
-# Multi-stage build: builds the analyzer, then creates a slim runtime image.
+# This Dockerfile supports 3 user-facing targets:
+#   - dev:
+#       toolchain + repo checkout, no build; default command is an interactive shell.
+#       Use it to run cmake/build/tests manually.
+#   - builder:
+#       compiles the analyzer into /repo/build/stack_usage_analyzer.
+#       Use it in CI or to extract binaries/artifacts.
+#   - runtime:
+#       production image with analyzer + models + Docker entrypoint wrapper.
+#       Default workdir is /workspace and entrypoint auto-resolves compile_commands.json.
 #
-# Default runtime behavior (via entrypoint wrapper):
-# - auto-detect /workspace/build/compile_commands.json (fallback: /workspace/compile_commands.json)
-# - --analysis-profile=fast
-# - --compdb-fast
-# - --resource-summary-cache-memory-only
-# - --resource-model=/models/resource-lifetime/generic.txt
+# Typical commands:
+#   # 1) Dev mode (interactive)
+#   docker build --target dev -t coretrace-stack-analyzer:dev .
+#   docker run --rm -it -v "$PWD:/repo" -w /repo coretrace-stack-analyzer:dev
 #
-# Usage:
-#   docker build -t coretrace-stack-analyzer .
-#   docker run --rm -v $(pwd):/workspace coretrace-stack-analyzer
+#   # 2) Builder mode (compile artifacts)
+#   docker build --target builder -t coretrace-stack-analyzer:builder .
+#   docker create --name coretrace-builder coretrace-stack-analyzer:builder
+#   docker cp coretrace-builder:/repo/build/stack_usage_analyzer ./build/stack_usage_analyzer
+#   docker rm coretrace-builder
 #
-# Override defaults with explicit args:
-#   docker run --rm -v $(pwd):/workspace coretrace-stack-analyzer \
-#       --analysis-profile=full --resource-model=/models/resource-lifetime/generic.txt
-#
-# Bypass defaults completely:
-#   docker run --rm -v $(pwd):/workspace coretrace-stack-analyzer --raw --help
+#   # 3) Runtime mode (analyze project from compile_commands.json)
+#   docker build --target runtime -t coretrace-stack-analyzer:runtime .
+#   docker run --rm -v "$PWD:/workspace" coretrace-stack-analyzer:runtime
+#   # pass --raw to bypass wrapper defaults:
+#   docker run --rm -v "$PWD:/workspace" coretrace-stack-analyzer:runtime --raw --help
 # =============================================================================
 
 # ---------------------------------------------------------------------------
-# Stage 1: Build
+# Stage 0: Base (toolchain + build deps)
 # ---------------------------------------------------------------------------
-FROM ubuntu:24.04 AS builder
+FROM ubuntu:24.04 AS base
 
 ARG DEBIAN_FRONTEND=noninteractive
 ARG LLVM_VERSION=20
@@ -52,6 +60,25 @@ RUN curl -fsSL https://apt.llvm.org/llvm.sh -o /tmp/llvm.sh \
     && apt-get install -y --no-install-recommends libclang-${LLVM_VERSION}-dev \
     && rm -rf /var/lib/apt/lists/*
 
+# Make sure LLVM shared libs are found at runtime (useful for dev builds too)
+ENV LD_LIBRARY_PATH=/usr/lib/llvm-${LLVM_VERSION}/lib
+
+# ---------------------------------------------------------------------------
+# Stage 1: Dev (deps + repo, no build)
+# ---------------------------------------------------------------------------
+FROM base AS dev
+
+WORKDIR /repo
+COPY . /repo
+
+# Default: interactive shell so you can build/test manually
+CMD ["bash"]
+
+# ---------------------------------------------------------------------------
+# Stage 2: Build (produces binaries)
+# ---------------------------------------------------------------------------
+FROM base AS builder
+
 WORKDIR /repo
 COPY . /repo
 
@@ -65,14 +92,14 @@ RUN cmake -S . -B build -G Ninja \
     && cmake --build build -j"$(nproc)"
 
 # ---------------------------------------------------------------------------
-# Stage 2: Runtime (slim)
+# Stage 3: Runtime (prod)
 # ---------------------------------------------------------------------------
-FROM ubuntu:24.04
+FROM ubuntu:24.04 AS runtime
 
 ARG DEBIAN_FRONTEND=noninteractive
 ARG LLVM_VERSION=20
 
-# Install only the runtime libraries needed by the analyzer binary
+# Install only what is needed to run (and to support the entrypoint script)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
@@ -97,7 +124,6 @@ COPY --from=builder /repo/models /models
 
 RUN chmod +x /usr/local/bin/coretrace-entrypoint.py
 
-# Make sure the binary can find LLVM shared libs
 ENV LD_LIBRARY_PATH=/usr/lib/llvm-${LLVM_VERSION}/lib
 
 WORKDIR /workspace