From 6bc2f9372bbd760267639f02fddbaa9b9376d185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?DOTTEL=20Ga=C3=ABl?= Date: Wed, 11 Mar 2026 23:37:54 +0100 Subject: [PATCH 1/5] Add a check for VideoSnapshot&& to ImageViewRGB32 conversion --- .../workflows/cpp-ci-serial-programs-base.yml | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 09d52a5ba1..0f177d1fb2 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -132,8 +132,8 @@ jobs: cd Arduino-Source cat << 'EOF' > query.txt - set output dump - match invocation( + set output diag + match cxxConstructExpr( isExpansionInFileMatching("SerialPrograms/"), hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), hasArgument(0, hasType(asString("std::string"))) @@ -141,9 +141,25 @@ jobs: EOF files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> output.txt - cat output.txt - if grep --silent "Match #" output.txt; then - echo "::error Forbidden std::filesystem::path construction detected!" + echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query_output.txt + + echo "Clang query output (begin)" + cat clang-query_output.txt + echo "Clang query output (end)" + + if grep --silent "Match #" clang-query_output.txt; then + echo "::error Forbidden code detected! It can be one of the following:" + echo "::error - std::filesystem::path created from std::string. More information https://discord.com/channels/695809740428673034/1462210406616531259/1462567541825339635" + echo "::error - ImageViewRGB32 created from VideoSnapshot&& that is stored. It is a dangling pointer as nothing hold the data anymore" + echo "::error You can read more about the exact error with the artifact below." exit 1 fi + + - name: Upload Clang query output + uses: actions/upload-artifact@v7 + if: inputs.run-clang-query && always() + with: + name: Clang query output (compiler=${{inputs.compiler}}) + path: | + Arduino-Source/SerialPrograms/bin/compile_commands.json + Arduino-Source/clang-query_output.txt \ No newline at end of file From e76f84d5488036bcd49659c49e67c4c54c83b042 Mon Sep 17 00:00:00 2001 From: pifopi Date: Wed, 25 Mar 2026 13:35:27 +0100 Subject: [PATCH 2/5] Add second match This reverts commit f0d9b6c47e0cd4ff7582724a9307c5be396cedad. --- .github/workflows/cpp-ci-serial-programs-base.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index 0f177d1fb2..a42d99413a 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -138,6 +138,13 @@ jobs: hasDeclaration(cxxConstructorDecl(ofClass(hasName("std::filesystem::path")))), hasArgument(0, hasType(asString("std::string"))) ) + + match cxxConstructExpr( + isExpansionInFileMatching("SerialPrograms/"), + hasDeclaration(cxxConstructorDecl(ofClass(hasName("ImageViewRGB32")))), + hasArgument(0, hasType(rValueReferenceType(pointee(hasType(hasName("VideoSnapshot")))))), + unless(hasAncestor(functionDecl(isInline()))) + ) EOF files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) From 767b5cdea4be4a5d30e86e3462f579d6a3bb0f76 Mon Sep 17 00:00:00 2001 From: pifopi Date: Fri, 27 Mar 2026 13:08:10 +0100 Subject: [PATCH 3/5] fix matcher with LLVM 18 --- .github/workflows/cpp-ci-serial-programs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index a42d99413a..ed129e4bad 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -142,7 +142,7 @@ jobs: match cxxConstructExpr( isExpansionInFileMatching("SerialPrograms/"), hasDeclaration(cxxConstructorDecl(ofClass(hasName("ImageViewRGB32")))), - hasArgument(0, hasType(rValueReferenceType(pointee(hasType(hasName("VideoSnapshot")))))), + hasArgument(0, hasType(rValueReferenceType(references(hasName("VideoSnapshot")))), unless(hasAncestor(functionDecl(isInline()))) ) EOF From d1fc87e819ccd3485df3a126dab0a3246071656d Mon Sep 17 00:00:00 2001 From: pifopi Date: Fri, 27 Mar 2026 14:18:42 +0100 Subject: [PATCH 4/5] comment steps to speed up investigation --- .github/workflows/cpp-ci-serial-programs-base.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index ed129e4bad..fd668fa2b0 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -86,7 +86,7 @@ jobs: mkdir bin cd bin cmake .. -DQT_MAJOR:STRING=6 ${{env.CMAKE_ADDITIONAL_FLAGS}} - cmake --build . --config RelWithDebInfo --parallel 10 + # cmake --build . --config RelWithDebInfo --parallel 10 - name: Prepare upload build if: inputs.upload-build @@ -147,8 +147,9 @@ jobs: ) EOF - files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) - echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query_output.txt + # files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) + # echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query_output.txt + clang-query -p SerialPrograms/bin/ /home/runner/work/Arduino-Source/Arduino-Source/Arduino-Source/SerialPrograms/bin/SerialProgramsLib_autogen/mocs_compilation.cpp -f query.txt >> clang-query_output.txt echo "Clang query output (begin)" cat clang-query_output.txt From 9a6206ee2b70a4ca0e45f6215055eec15ca922fc Mon Sep 17 00:00:00 2001 From: pifopi Date: Fri, 27 Mar 2026 14:45:37 +0100 Subject: [PATCH 5/5] change file --- .github/workflows/cpp-ci-serial-programs-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cpp-ci-serial-programs-base.yml b/.github/workflows/cpp-ci-serial-programs-base.yml index fd668fa2b0..5a9a265c14 100644 --- a/.github/workflows/cpp-ci-serial-programs-base.yml +++ b/.github/workflows/cpp-ci-serial-programs-base.yml @@ -149,7 +149,7 @@ jobs: # files=$(jq -r '.[].file' SerialPrograms/bin/compile_commands.json) # echo "$files" | xargs --max-args=150 clang-query -p SerialPrograms/bin/ -f query.txt >> clang-query_output.txt - clang-query -p SerialPrograms/bin/ /home/runner/work/Arduino-Source/Arduino-Source/Arduino-Source/SerialPrograms/bin/SerialProgramsLib_autogen/mocs_compilation.cpp -f query.txt >> clang-query_output.txt + clang-query -p SerialPrograms/bin/ /home/runner/work/Arduino-Source/Arduino-Source/Arduino-Source/3rdParty/QtWavFile/WavFile.cpp -f query.txt >> clang-query_output.txt echo "Clang query output (begin)" cat clang-query_output.txt