From 7d2fe6af75b410392175347a35c638d6503fd36b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:26:56 +0000 Subject: [PATCH 01/10] Initial plan From cc8d56d9e71892ff4be79414d674b3543fad69f9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:31:04 +0000 Subject: [PATCH 02/10] Add snippets for compiler warnings, ASAN, UBSAN and new static analysis CI workflow Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/valgrind-zephyr.supp | 37 ++++ .github/workflows/static-analysis.yml | 197 ++++++++++++++++++ cmake/Snippets.cmake | 24 +++ snippets/asan/asan.conf | 3 + snippets/asan/snippet.yml | 3 + .../compiler-warnings/compiler-warnings.conf | 3 + snippets/compiler-warnings/snippet.yml | 4 + snippets/ubsan/snippet.yml | 3 + snippets/ubsan/ubsan.conf | 3 + 9 files changed, 277 insertions(+) create mode 100644 .github/valgrind-zephyr.supp create mode 100644 .github/workflows/static-analysis.yml create mode 100644 snippets/asan/asan.conf create mode 100644 snippets/asan/snippet.yml create mode 100644 snippets/compiler-warnings/compiler-warnings.conf create mode 100644 snippets/compiler-warnings/snippet.yml create mode 100644 snippets/ubsan/snippet.yml create mode 100644 snippets/ubsan/ubsan.conf diff --git a/.github/valgrind-zephyr.supp b/.github/valgrind-zephyr.supp new file mode 100644 index 000000000..419c83118 --- /dev/null +++ b/.github/valgrind-zephyr.supp @@ -0,0 +1,37 @@ +# Valgrind suppressions for Zephyr RTOS +# This file suppresses known false positives and Zephyr-internal behaviors + +{ + zephyr_thread_stack_uninitialized + Memcheck:Cond + ... + fun:z_* +} + +{ + zephyr_syscall_uninitialized + Memcheck:Value* + ... + fun:z_* +} + +{ + zephyr_kernel_internal + Memcheck:Addr* + ... + fun:z_* +} + +{ + native_posix_driver + Memcheck:Leak + ... + fun:*posix* +} + +{ + native_sim_driver + Memcheck:Leak + ... + fun:*native* +} diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 000000000..08b8cc8ef --- /dev/null +++ b/.github/workflows/static-analysis.yml @@ -0,0 +1,197 @@ +name: Static Analysis and Sanitizer Builds + +on: + push: + branches: + - main + pull_request: + branches: + - '*' + schedule: + - cron: "0 0 * * 1" + +env: + # Only run on native_sim for sanitizer and analysis builds + platforms: | + native_sim + +jobs: + compiler-warnings: + name: Build with -Wall Compiler Warnings + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + path: FSW + fetch-depth: 2 + + - name: Run Starter Steps + uses: ./FSW/.github/actions/fsw-setup + + - name: Set test_roots based on changes + id: set_test_roots + shell: bash + working-directory: FSW + run: | + if [ "$GITHUB_REF_NAME" = "main" ]; then + # On main branch, run all test roots + python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml --run-all > test_roots.txt + else + # On PR/branch, diff against main + git fetch origin main:refs/remotes/origin/main + git diff --name-only origin/main...HEAD > changed_files.txt + cat changed_files.txt | python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml > test_roots.txt + fi + echo "test_roots<> $GITHUB_ENV + cat test_roots.txt >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Build with compiler warnings + if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' + working-directory: FSW + shell: bash + run: | + export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + function add_arglist () { + echo "$2" | while read -r line; do + [ -z "$line" ] && continue + echo -n " $1 $line " + done; + } + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="compiler-warnings" + + asan-build: + name: Build and Test with Address Sanitizer (ASAN) + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + path: FSW + fetch-depth: 2 + + - name: Run Starter Steps + uses: ./FSW/.github/actions/fsw-setup + + - name: Set test_roots based on changes + id: set_test_roots + shell: bash + working-directory: FSW + run: | + if [ "$GITHUB_REF_NAME" = "main" ]; then + python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml --run-all > test_roots.txt + else + git fetch origin main:refs/remotes/origin/main + git diff --name-only origin/main...HEAD > changed_files.txt + cat changed_files.txt | python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml > test_roots.txt + fi + echo "test_roots<> $GITHUB_ENV + cat test_roots.txt >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Build with ASAN + if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' + working-directory: FSW + shell: bash + run: | + export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + function add_arglist () { + echo "$2" | while read -r line; do + [ -z "$line" ] && continue + echo -n " $1 $line " + done; + } + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="asan" + + ubsan-build: + name: Build and Test with Undefined Behavior Sanitizer (UBSAN) + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + path: FSW + fetch-depth: 2 + + - name: Run Starter Steps + uses: ./FSW/.github/actions/fsw-setup + + - name: Set test_roots based on changes + id: set_test_roots + shell: bash + working-directory: FSW + run: | + if [ "$GITHUB_REF_NAME" = "main" ]; then + python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml --run-all > test_roots.txt + else + git fetch origin main:refs/remotes/origin/main + git diff --name-only origin/main...HEAD > changed_files.txt + cat changed_files.txt | python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml > test_roots.txt + fi + echo "test_roots<> $GITHUB_ENV + cat test_roots.txt >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Build with UBSAN + if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' + working-directory: FSW + shell: bash + run: | + export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + function add_arglist () { + echo "$2" | while read -r line; do + [ -z "$line" ] && continue + echo -n " $1 $line " + done; + } + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="ubsan" + + valgrind-test: + name: Run with Valgrind Memory Checker + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + path: FSW + fetch-depth: 2 + + - name: Run Starter Steps + uses: ./FSW/.github/actions/fsw-setup + + - name: Install Valgrind + run: | + sudo apt-get update + sudo apt-get install -y valgrind + + - name: Set test_roots based on changes + id: set_test_roots + shell: bash + working-directory: FSW + run: | + if [ "$GITHUB_REF_NAME" = "main" ]; then + python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml --run-all > test_roots.txt + else + git fetch origin main:refs/remotes/origin/main + git diff --name-only origin/main...HEAD > changed_files.txt + cat changed_files.txt | python3 .github/scripts/determine_test_roots.py --map .github/hardware-roots.yaml > test_roots.txt + fi + echo "test_roots<> $GITHUB_ENV + cat test_roots.txt >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Build for Valgrind + if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' + working-directory: FSW + shell: bash + run: | + export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + function add_arglist () { + echo "$2" | while read -r line; do + [ -z "$line" ] && continue + echo -n " $1 $line " + done; + } + # Build without sanitizers for Valgrind (sanitizers and Valgrind don't mix well) + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --enable-valgrind --valgrind-suppressions="${GITHUB_WORKSPACE}/FSW/.github/valgrind-zephyr.supp" diff --git a/cmake/Snippets.cmake b/cmake/Snippets.cmake index 620862fba..e959199fe 100644 --- a/cmake/Snippets.cmake +++ b/cmake/Snippets.cmake @@ -39,3 +39,27 @@ function(AddSimSnippets) AddSnippets(${SIM_SNIPPETS}) endfunction() + +function(AddCompilerWarningsSnippets) + list(APPEND COMPILER_WARNINGS_SNIPPETS + "compiler-warnings" + ) + + AddSnippets(${COMPILER_WARNINGS_SNIPPETS}) +endfunction() + +function(AddAsanSnippets) + list(APPEND ASAN_SNIPPETS + "asan" + ) + + AddSnippets(${ASAN_SNIPPETS}) +endfunction() + +function(AddUbsanSnippets) + list(APPEND UBSAN_SNIPPETS + "ubsan" + ) + + AddSnippets(${UBSAN_SNIPPETS}) +endfunction() diff --git a/snippets/asan/asan.conf b/snippets/asan/asan.conf new file mode 100644 index 000000000..04164af8a --- /dev/null +++ b/snippets/asan/asan.conf @@ -0,0 +1,3 @@ +# Address Sanitizer configuration +CONFIG_ASAN=y +CONFIG_NO_OPTIMIZATIONS=y diff --git a/snippets/asan/snippet.yml b/snippets/asan/snippet.yml new file mode 100644 index 000000000..a93ffc0d2 --- /dev/null +++ b/snippets/asan/snippet.yml @@ -0,0 +1,3 @@ +name: asan +append: + EXTRA_CONF_FILE: asan.conf diff --git a/snippets/compiler-warnings/compiler-warnings.conf b/snippets/compiler-warnings/compiler-warnings.conf new file mode 100644 index 000000000..d61d3b094 --- /dev/null +++ b/snippets/compiler-warnings/compiler-warnings.conf @@ -0,0 +1,3 @@ +# Enable compiler warnings for stricter code quality +CONFIG_COMPILER_WARNINGS_AS_ERRORS=y +CONFIG_COMPILER_COLOR_DIAGNOSTICS=y diff --git a/snippets/compiler-warnings/snippet.yml b/snippets/compiler-warnings/snippet.yml new file mode 100644 index 000000000..82a4cced6 --- /dev/null +++ b/snippets/compiler-warnings/snippet.yml @@ -0,0 +1,4 @@ +name: compiler-warnings +append: + EXTRA_CONF_FILE: compiler-warnings.conf + EXTRA_CFLAGS: -Wall diff --git a/snippets/ubsan/snippet.yml b/snippets/ubsan/snippet.yml new file mode 100644 index 000000000..3d4ef8254 --- /dev/null +++ b/snippets/ubsan/snippet.yml @@ -0,0 +1,3 @@ +name: ubsan +append: + EXTRA_CONF_FILE: ubsan.conf diff --git a/snippets/ubsan/ubsan.conf b/snippets/ubsan/ubsan.conf new file mode 100644 index 000000000..0e4f4a75c --- /dev/null +++ b/snippets/ubsan/ubsan.conf @@ -0,0 +1,3 @@ +# Undefined Behavior Sanitizer configuration +CONFIG_UBSAN=y +CONFIG_NO_OPTIMIZATIONS=y From fd896212294d9e84fc8ade5e1475e223fb295740 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:33:09 +0000 Subject: [PATCH 03/10] Enable -Wall globally and fix static analysis workflow syntax Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 12 +++++++----- CMakeLists.txt | 3 +++ cmake/CompilerWarnings.cmake | 10 ++++++++++ 3 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 cmake/CompilerWarnings.cmake diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 08b8cc8ef..e4d2a7fe8 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -51,6 +51,8 @@ jobs: if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' working-directory: FSW shell: bash + env: + EXTRA_CFLAGS: "-Wall -Wextra" run: | export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig function add_arglist () { @@ -59,7 +61,7 @@ jobs: echo -n " $1 $line " done; } - west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="compiler-warnings" + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args="SNIPPET=compiler-warnings" asan-build: name: Build and Test with Address Sanitizer (ASAN) @@ -102,7 +104,7 @@ jobs: echo -n " $1 $line " done; } - west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="asan" + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args="SNIPPET=asan" ubsan-build: name: Build and Test with Undefined Behavior Sanitizer (UBSAN) @@ -145,7 +147,7 @@ jobs: echo -n " $1 $line " done; } - west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args=SNIPPET="ubsan" + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --extra-args="SNIPPET=ubsan" valgrind-test: name: Run with Valgrind Memory Checker @@ -193,5 +195,5 @@ jobs: echo -n " $1 $line " done; } - # Build without sanitizers for Valgrind (sanitizers and Valgrind don't mix well) - west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --enable-valgrind --valgrind-suppressions="${GITHUB_WORKSPACE}/FSW/.github/valgrind-zephyr.supp" + # Build native_sim targets without sanitizers (sanitizers and Valgrind don't mix well) + west twister $(add_arglist -T "${{ env.test_roots }}") $(add_arglist -p "${{ env.platforms }}") -v --inline-logs --integration --enable-valgrind diff --git a/CMakeLists.txt b/CMakeLists.txt index 7e8010861..7d464c88d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -8,6 +8,9 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(Backplane-Flight-Computer) +# Enable strict compiler warnings for all builds +include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/CompilerWarnings.cmake) + zephyr_syscall_include_directories(include) zephyr_include_directories(include) diff --git a/cmake/CompilerWarnings.cmake b/cmake/CompilerWarnings.cmake new file mode 100644 index 000000000..ef3a460d7 --- /dev/null +++ b/cmake/CompilerWarnings.cmake @@ -0,0 +1,10 @@ +# Enable strict compiler warnings for production builds +# This file adds -Wall and other recommended warning flags + +# Add warning flags for C and C++ compilation +zephyr_compile_options(-Wall) + +# Optionally add more warning flags +# Uncomment these if you want even stricter checks: +# zephyr_compile_options(-Wextra) +# zephyr_compile_options(-Wpedantic) From 151fd0eb122d0b145f23e1dff53e1c3654e1c4cb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:34:13 +0000 Subject: [PATCH 04/10] Add documentation for static analysis CI workflow Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/STATIC_ANALYSIS.md | 59 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/STATIC_ANALYSIS.md diff --git a/.github/STATIC_ANALYSIS.md b/.github/STATIC_ANALYSIS.md new file mode 100644 index 000000000..abcf023d3 --- /dev/null +++ b/.github/STATIC_ANALYSIS.md @@ -0,0 +1,59 @@ +# Static Analysis and Code Quality CI + +This workflow provides stricter code quality checks for the FSW repository. + +## Jobs + +### 1. Compiler Warnings (`compiler-warnings`) +- Builds all projects with `-Wall` enabled +- Catches common coding errors and potential issues at compile time +- Runs on `native_sim` platform + +### 2. Address Sanitizer (`asan-build`) +- Builds and tests with AddressSanitizer (ASAN) +- Detects memory errors: + - Use-after-free + - Heap buffer overflow + - Stack buffer overflow + - Memory leaks +- Only runs on `native_sim` (Linux-only) + +### 3. Undefined Behavior Sanitizer (`ubsan-build`) +- Builds and tests with UndefinedBehaviorSanitizer (UBSAN) +- Detects undefined behavior: + - Integer overflows + - Null pointer dereferences + - Invalid type casts + - Alignment violations +- Only runs on `native_sim` (Linux-only) + +### 4. Valgrind Memory Checker (`valgrind-test`) +- Runs executables under Valgrind +- Additional memory error detection +- Detects memory leaks and invalid memory access +- Uses suppressions file for known Zephyr false positives + +## Using Snippets Locally + +You can use these analysis tools locally when building: + +```bash +# Build with ASAN +west build -b native_sim app/your-app -- -DSNIPPET=asan + +# Build with UBSAN +west build -b native_sim app/your-app -- -DSNIPPET=ubsan + +# Build with compiler warnings +west build -b native_sim app/your-app -- -DSNIPPET=compiler-warnings +``` + +## Global Compiler Warnings + +All builds now include `-Wall` by default through the `cmake/CompilerWarnings.cmake` file. +This ensures production code meets stricter quality standards. + +## References + +- [Zephyr Static Code Analysis](https://docs.zephyrproject.org/latest/develop/sca/index.html) +- [Zephyr Native Sim with Sanitizers](https://docs.zephyrproject.org/latest/boards/native/native_sim/doc/index.html) From 7d319f8dab9967977a6ac76307c22fc583aa08a1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:35:50 +0000 Subject: [PATCH 05/10] Address code review feedback - simplify snippet functions and remove redundant EXTRA_CFLAGS Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 2 -- cmake/Snippets.cmake | 18 +++--------------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index e4d2a7fe8..292ee497e 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -51,8 +51,6 @@ jobs: if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' working-directory: FSW shell: bash - env: - EXTRA_CFLAGS: "-Wall -Wextra" run: | export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig function add_arglist () { diff --git a/cmake/Snippets.cmake b/cmake/Snippets.cmake index e959199fe..87279c958 100644 --- a/cmake/Snippets.cmake +++ b/cmake/Snippets.cmake @@ -41,25 +41,13 @@ function(AddSimSnippets) endfunction() function(AddCompilerWarningsSnippets) - list(APPEND COMPILER_WARNINGS_SNIPPETS - "compiler-warnings" - ) - - AddSnippets(${COMPILER_WARNINGS_SNIPPETS}) + AddSnippets("compiler-warnings") endfunction() function(AddAsanSnippets) - list(APPEND ASAN_SNIPPETS - "asan" - ) - - AddSnippets(${ASAN_SNIPPETS}) + AddSnippets("asan") endfunction() function(AddUbsanSnippets) - list(APPEND UBSAN_SNIPPETS - "ubsan" - ) - - AddSnippets(${UBSAN_SNIPPETS}) + AddSnippets("ubsan") endfunction() From caddc36c586e2720549f762820ab48cd2284471a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:37:37 +0000 Subject: [PATCH 06/10] Add Valgrind suppressions file environment variable Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 292ee497e..9f60b9c47 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -185,6 +185,8 @@ jobs: if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' working-directory: FSW shell: bash + env: + VALGRIND_SUPPRESSIONS: ${{ github.workspace }}/FSW/.github/valgrind-zephyr.supp run: | export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig function add_arglist () { From 386e7618c6ff6fed5dd8fe13a7eb37c08535bd28 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:39:53 +0000 Subject: [PATCH 07/10] Fix code review issues - simplify CMakeLists.txt include and properly export VALGRIND_OPTS Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 4 ++-- CMakeLists.txt | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 9f60b9c47..52ebef297 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -185,10 +185,10 @@ jobs: if: steps.set_test_roots.outcome == 'success' && env.test_roots != '' working-directory: FSW shell: bash - env: - VALGRIND_SUPPRESSIONS: ${{ github.workspace }}/FSW/.github/valgrind-zephyr.supp run: | export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig + # Set Valgrind options to use our suppressions file + export VALGRIND_OPTS="--suppressions=${{ github.workspace }}/FSW/.github/valgrind-zephyr.supp" function add_arglist () { echo "$2" | while read -r line; do [ -z "$line" ] && continue diff --git a/CMakeLists.txt b/CMakeLists.txt index 7d464c88d..4f6de83d3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -9,7 +9,7 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(Backplane-Flight-Computer) # Enable strict compiler warnings for all builds -include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/CompilerWarnings.cmake) +include(cmake/CompilerWarnings.cmake) zephyr_syscall_include_directories(include) From 9d08bc884cb9c77fad6b1ef204ef161f08da4343 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:41:22 +0000 Subject: [PATCH 08/10] Add clarifying comment for VALGRIND_OPTS usage Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 52ebef297..19f6ea062 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -188,6 +188,7 @@ jobs: run: | export PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig # Set Valgrind options to use our suppressions file + # VALGRIND_OPTS is used by Valgrind when invoked by twister export VALGRIND_OPTS="--suppressions=${{ github.workspace }}/FSW/.github/valgrind-zephyr.supp" function add_arglist () { echo "$2" | while read -r line; do From c73b9cbcb129defb1950d3723c543c262921c653 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:42:45 +0000 Subject: [PATCH 09/10] Add security: limit GITHUB_TOKEN permissions to read-only Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/workflows/static-analysis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index 19f6ea062..e9b807997 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -10,6 +10,10 @@ on: schedule: - cron: "0 0 * * 1" +# Limit permissions to read-only for security +permissions: + contents: read + env: # Only run on native_sim for sanitizer and analysis builds platforms: | From 9c280b77681a210cbc13fe4cf6ad85adeb04506e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 22 Dec 2025 02:23:59 +0000 Subject: [PATCH 10/10] Fix CMake error: move -Wall directly to root CMakeLists.txt after project() Co-authored-by: AarC10 <30483634+AarC10@users.noreply.github.com> --- .github/STATIC_ANALYSIS.md | 2 +- CMakeLists.txt | 6 +++--- cmake/CompilerWarnings.cmake | 10 ---------- 3 files changed, 4 insertions(+), 14 deletions(-) delete mode 100644 cmake/CompilerWarnings.cmake diff --git a/.github/STATIC_ANALYSIS.md b/.github/STATIC_ANALYSIS.md index abcf023d3..758347efb 100644 --- a/.github/STATIC_ANALYSIS.md +++ b/.github/STATIC_ANALYSIS.md @@ -50,7 +50,7 @@ west build -b native_sim app/your-app -- -DSNIPPET=compiler-warnings ## Global Compiler Warnings -All builds now include `-Wall` by default through the `cmake/CompilerWarnings.cmake` file. +All builds now include `-Wall` by default through the root `CMakeLists.txt`. This ensures production code meets stricter quality standards. ## References diff --git a/CMakeLists.txt b/CMakeLists.txt index 4f6de83d3..764ce5d8f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -8,12 +8,12 @@ find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) project(Backplane-Flight-Computer) -# Enable strict compiler warnings for all builds -include(cmake/CompilerWarnings.cmake) - zephyr_syscall_include_directories(include) zephyr_include_directories(include) + +# Enable strict compiler warnings for all builds +zephyr_compile_options(-Wall) add_subdirectory(drivers) add_subdirectory(lib) diff --git a/cmake/CompilerWarnings.cmake b/cmake/CompilerWarnings.cmake deleted file mode 100644 index ef3a460d7..000000000 --- a/cmake/CompilerWarnings.cmake +++ /dev/null @@ -1,10 +0,0 @@ -# Enable strict compiler warnings for production builds -# This file adds -Wall and other recommended warning flags - -# Add warning flags for C and C++ compilation -zephyr_compile_options(-Wall) - -# Optionally add more warning flags -# Uncomment these if you want even stricter checks: -# zephyr_compile_options(-Wextra) -# zephyr_compile_options(-Wpedantic)