MDBF-143: Add Infer builder

grooverdan · grooverdan · commit 822e6bb6b02c · 2025-09-10T09:24:24.000+10:00
This preforms static analysis on the MariaDB codebase
by maintaining a git source repository as a shared volume.

Because static analysis takes time, a lot of time, there
is a shared cache volume to store build results from main
branches of the codebase so that as much incremental usage
can occur.

Infer runs in to phases, a capture and an analyze.

Infer output are in a result-dir this contains:
* report.json - what infer tools use
* report.txt - the human readable version of this
* capture.db - the sqlite3 version presentation of captured files and the
               relation to functions definitions.
* results.db - the analyze phase outputs

Of these, the report.json is desirable as the long term record of vulnerabilities.
diff --git a/configuration/builders/sequences/helpers.py b/configuration/builders/sequences/helpers.py
@@ -391,3 +391,26 @@ def mtr_junit_reporter(
             warn_on_fail=True,
         ),
     )
+
+
+def save_infer_logs(
+    logs_path: PurePath = PurePath("infer_results"),
+    step_wrapping_fn=lambda step: step,
+):
+    return step_wrapping_fn(
+        ShellStep(
+            command=SaveCompressedTar(
+                name="Save Infer artifacts/logs",
+                workdir=logs_path,
+                archive_name="logs",
+                destination="/packages/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+            ),
+            url=URL(
+                url=f"{os.environ['ARTIFACTS_URL']}/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+                url_text="Infer artifacts/logs",
+            ),
+            options=StepOptions(
+                alwaysRun=True,
+            ),
+        ),
+    )
diff --git a/configuration/builders/sequences/sast.py b/configuration/builders/sequences/sast.py
@@ -0,0 +1,155 @@
+from pathlib import PurePath
+
+from configuration.builders.infra.runtime import (
+    BuildSequence,
+    DockerConfig,
+    InContainer,
+)
+from configuration.builders.sequences.helpers import (
+    save_infer_logs,
+)
+from configuration.steps.base import StepOptions
+from configuration.steps.commands.compile import CompileCMakeCommand
+from configuration.steps.commands.configure import ConfigureMariaDBCMake
+from configuration.steps.commands.download import GitInitFromCommit, GitFetch
+from configuration.steps.commands.util import InferScript, PrintEnvironmentDetails
+from configuration.steps.generators.cmake.compilers import ClangCompiler
+from configuration.steps.generators.cmake.generator import CMakeGenerator
+from configuration.steps.generators.cmake.options import (
+    CMAKE,
+    WITH,
+    BuildType,
+    CMakeOption,
+)
+from configuration.steps.remote import ShellStep
+
+
+def infer(
+    config: DockerConfig,
+    jobs: int,
+):
+    sequence = BuildSequence()
+
+    sequence.add_step(ShellStep(command=PrintEnvironmentDetails()))
+    # infer --version
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=BashCommand(
+                    command="git clean -df", workdir=PurePath("/mnt", "src")
+                ),
+                options=StepOptions(
+                    haltOnFailure=False,
+                    descriptionDone="git cleaned",
+                ),
+            ),
+        )
+    )
+
+    sequence.add_step(
+        InContainer(
+            ShellStep(
+                command=GitInitFromCommit(
+                    repo_url="%(prop:repository)s",
+                    commit="%(prop:revision)s",
+                    jobs=jobs,
+                    depth=0,
+                    workdir=PurePath("/mnt", "src"),
+                )
+            ),
+            docker_environment=config,
+        ),
+    )
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=BashCommand(
+                    command="git diff --name-only FETCH_HEAD..%(prop:master_branch)s | tee $OLD_PWD/index.txt", workdir=PurePath("/mnt", "src")
+                ),
+                options=StepOptions(
+                    haltOnFailure=False,
+                    descriptionDone="names of changed files",
+                ),
+            ),
+        )
+    )
+
+    flags = [
+        # UBSAN is the only prevention of UNINIT_VAR(X) x= x
+        # that generated lots of uninit read/write errors.
+        CMakeOption(WITH.UBSAN, True),
+        CMakeOption(CMAKE.EXPORT_COMPILE_COMMANDS, True),
+    ]
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=ConfigureMariaDBCMake(
+                    name="configure",
+                    cmake_generator=CMakeGenerator(
+                        use_ccache=True,
+                        flags=flags,
+                        source_path="/mnt/src",
+                        builddir="bld",
+                        compiler=ClangCompiler(),
+                    ),
+                ),
+                options=StepOptions(descriptionDone="Configure"),
+            ),
+        )
+    )
+
+    # Some server code is generated, so these need to be generated to test
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=CompileCMakeCommand(
+                    builddir="bld",
+                    jobs=jobs,
+                    verbose=True,
+                    targets=[
+                        "GenError",
+                        "GenServerSource",
+                        "GenUnicodeDataSource",
+                        "GenFixPrivs",
+                    ],
+                ),
+                options=StepOptions(descriptionDone="compile"),
+            ),
+        )
+    )
+
+    env_vars = [
+        (
+            "JOBS",
+            str(jobs)
+        )
+    ]
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=InferScript(),
+                command=BashScript("infer.sh", args=["%(prop:ldnum)s"]),
+                options=StepOptions(
+                    descriptionDone="infer analysis complete",
+                ),
+                env_vars=env_vars,
+            ),
+        )
+    )
+
+    sequence.add_step(
+        save_infer_logs(
+            step_wrapping_fn=lambda step: InContainer(
+                docker_environment=config, step=step
+            ),
+        )
+    )
+    return sequence
diff --git a/configuration/steps/commands/scripts/infer.sh b/configuration/steps/commands/scripts/infer.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Infer script for performing
+# static analysis on the MariaDB codebase
+
+set -x -e
+
+if [ $# -lt 2 ]; then
+	echo insufficient args >&2
+	exit 1
+fi
+
+# Our version
+branch=$1
+
+shift
+# The base branch
+master_branch=$1
+
+: "${JOBS:=4}"
+
+result_dir=$PWD/infer_results
+
+## Cases
+
+if [ "$branch" == "$master_branch" ]; then
+   if [ -d "/mnt/infer/$branch" ]; then
+     # Update to a main branch
+     pushd /mnt/src
+     git diff --name-only "${master_branch}..$(< /mnt/infer/"$branch"/commit)" | tee "$OLDPWD"/index.txt
+     popd
+   else
+     # New main branch
+     result_dir=/mnt/infer/$branch
+     rm index.txt
+   fi
+else
+  # Branch off from a main branch
+  if [ ! -s index.txt ]; then
+    echo "Empty changes - nothing necessary"
+    exit 0
+  fi
+
+  echo "Diff against $master_branch"
+fi
+
+capture()
+{
+  infer capture --compilation-database compile_commands.json --project-root /mnt/src --results-dir "${result_dir}" "$@"
+}
+
+analyze()
+{
+  infer analyze --project-root /mnt/src --results-dir "${result_dir}" --max-jobs "${JOBS}" "$@"
+}
+# Capture and analyze the feature of the files changes in index
+#
+cd bld
+capture
+
+if [ ! -f ../index.txt ]; then
+  echo "full run, this could take a while"
+  analyze
+  exit
+fi
+
+# some form of incremental
+analyze --changed-files-index ../index.txt
+
+# Preserve result
+cp "${result_dir}"/report.json ../report.json
+
+pushd /mnt/src
+git checkout "$master_branch"
+popd
+
+# just in case these have changed
+cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=1 .
+
+capture --reactive --mark-unchanged-procs
+analyze --incremental-analysis  --changed-files-index ../index.txt
+
+infer reportdiff --report-current ../report.json --report-previous "${result_dir}"/report.json  --project-root /mnt/src --results-dir "${result_dir}"
diff --git a/configuration/steps/commands/util.py b/configuration/steps/commands/util.py
@@ -173,3 +173,13 @@ def __init__(
     ):
         args = [f"{binary}:{','.join(libs)}" for binary, libs in binary_checks.items()]
         super().__init__(script_name="ldd_check.sh", args=args)
+
+
+class InferScript(BashScriptCommand):
+    """
+    A command to run the infer analysis on the MariaDB codebase.
+    """
+
+    def __init__(self, output_file: str):
+        args = [output_file]
+        super().__init__(script_name="infer.sh", args=args)
diff --git a/master-migration/master.cfg b/master-migration/master.cfg
@@ -16,6 +16,7 @@ from configuration.builders.sequences.compile_only import (
 from configuration.builders.sequences.debug import openssl_fips
 from configuration.builders.sequences.release import deb_autobake, rpm_autobake
 from configuration.builders.sequences.sanitizers import asan_ubsan
+from configuration.builders.sequences.sast import infer
 from configuration.reporters import github_summary
 from configuration.workers import worker
 from master_common import base_master_config, IS_CHECKCONFIG
@@ -277,6 +278,39 @@ builder = "amd64-ubasan-clang-20"
 c["builders"].append(ubasan_builder(name=builder, debug=builder.endswith("debug")))
 
 
+## ------------------------------------------------------------------- ##
+##                           STATIC ANALYZERS BUILDERS                 ##
+## ------------------------------------------------------------------- ##
+
+c["builders"].append(
+    GenericBuilder(
+        name="amd64-infer-clang-20",
+        sequences=[
+            infer(
+                jobs=12,
+                config=DockerConfig(
+                    repository=os.environ["CONTAINER_REGISTRY_URL"],
+                    image_tag="debian13-infer-clang-20",
+                    workdir=PurePath("/home/buildbot"),
+                    bind_mounts=[
+                        ("/srv/buildbot/src", "/mnt/src"),
+                        ("/srv/buildbot/infer", "/mnt/infer"),
+                        (f'{os.environ["MASTER_PACKAGES_DIR"]}/', "/packages"),
+                    ],
+                    env_vars=[
+                        ("ARTIFACTS_URL", os.environ["ARTIFACTS_URL"]),
+                    ],
+                ),
+            )
+        ],
+    ).get_config(
+        workers=WORKER_POOL.get_workers_for_arch(arch="amd64"),
+        next_build=nextBuild,
+        can_start_build=canStartBuild,
+        tags=["clang", "infer", "sast"],
+        jobs=12,
+    )
+)
 
 ## ------------------------------------------------------------------- ##
 ##                             REPORTERS                               ##
