fix(sarif): clamp SARIF region line/column to 1-based values

e594d18
Merged

46 ci integrate coretrace stack analyzer into GitHub actions sarif code scanning #47

GitHub Advanced Security / coretrace-stack-analyzer succeeded Feb 22, 2026 in 8s

29 new alerts

New alerts in code changed by this pull request

  • 15 warnings
  • 14 notes

Alerts not introduced by this pull request might have been detected because the code changes were too large.

See annotations below for details.

Annotations

Check warning on line 1315 in src/analysis/UninitializedVarAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visited' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 507 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'localSlotsContainingTrackedAddr' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1531 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visited' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1142 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visitedValues' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1142 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visitedSlots' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1076 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visited' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1008 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'visited' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1005 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

UninitializedLocalRead Warning

[ !!Warn ] potential read of uninitialized local variable 'out' ↳ this call may read the value before any definite initialization in '_ZN6ctrace5stack8analysis12_GLOBAL__N_110StorageKeyC2EOS3_'

Check warning on line 993 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

UninitializedLocalRead Warning

[ !!Warn ] potential read of uninitialized local variable 'out' ↳ this call may read the value before any definite initialization in '_ZN6ctrace5stack8analysis12_GLOBAL__N_110StorageKeyC2EOS3_'

Check warning on line 823 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

UninitializedLocalRead Warning

[ !!Warn ] potential read of uninitialized local variable 'out' ↳ this call may read the value before any definite initialization in '_ZN6ctrace5stack8analysis12_GLOBAL__N_110StorageKeyC2EOS3_'

Check warning on line 821 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

UninitializedLocalRead Warning

[ !!Warn ] potential read of uninitialized local variable 'out' ↳ this call may read the value before any definite initialization in '_ZN6ctrace5stack8analysis12_GLOBAL__N_110StorageKeyC2EOS3_'

Check warning on line 978 in src/analysis/DuplicateIfCondition.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'seen' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 71 in src/analysis/MemIntrinsicOverflow.cpp

Code scanning / coretrace-stack-analyzer

UninitializedLocalVariable Warning

[ !!Warn ] local variable 'classifyByName' is never initialized ↳ declared without initializer and no definite write was found in this function

Check warning on line 120 in src/analysis/IRValueUtils.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'ref.tmp' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check warning on line 1011 in src/analysis/DuplicateIfCondition.cpp

Code scanning / coretrace-stack-analyzer

ResourceLifetime.IncompleteInterproc Warning

[ !!Warn ] inter-procedural resource analysis incomplete: handle 'seen' may be acquired by an unmodeled/external callee before release ↳ no matching resource model rule or cross-TU summary was found for at least one related call ↳ include callee definitions in inputs or extend --resource-model to improve precision

Check notice on line 332 in src/analysis/DuplicateIfCondition.cpp

Code scanning / coretrace-stack-analyzer

None Note

[ !Info! ] recursive or mutually recursive function detected

Check notice on line 510 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.Reference Note

[ !Info! ] ConstParameterNotModified.Reference: parameter 'model' in function 'ctrace::stack::analysis::(anonymous namespace)::buildFunctionEscapeFacts(llvm::Module&, std::function<bool (llvm::Function const&)> const&, ctrace::stack::analysis::IndirectTargetResolver&, std::unordered_map<llvm::Function const*, unsigned int, std::hash<llvm::Function const*>, std::equal_to<llvm::Function const*>, std::allocator<std::pair<llvm::Function const* const, unsigned int> > > const&, ctrace::stack::analysis::StackEscapeModel const&, ctrace::stack::analysis::StackEscapeRuleMatcher&)' is never used to modify the referred object ↳ current type: StackEscapeRuleMatcher &model ↳ suggested type: const StackEscapeRuleMatcher &model

Check notice on line 510 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.Reference Note

[ !Info! ] ConstParameterNotModified.Reference: parameter 'shouldAnalyze' in function 'ctrace::stack::analysis::(anonymous namespace)::buildFunctionEscapeFacts(llvm::Module&, std::function<bool (llvm::Function const&)> const&, ctrace::stack::analysis::IndirectTargetResolver&, std::unordered_map<llvm::Function const*, unsigned int, std::hash<llvm::Function const*>, std::equal_to<llvm::Function const*>, std::allocator<std::pair<llvm::Function const* const, unsigned int> > > const&, ctrace::stack::analysis::StackEscapeModel const&, ctrace::stack::analysis::StackEscapeRuleMatcher&)' is never used to modify the referred object ↳ current type: IndirectTargetResolver &shouldAnalyze ↳ suggested type: const IndirectTargetResolver &shouldAnalyze

Check notice on line 332 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.Reference Note

[ !Info! ] ConstParameterNotModified.Reference: parameter 'arg' in function 'ctrace::stack::analysis::(anonymous namespace)::collectParamEscapeFacts(llvm::Function&, llvm::Argument&, std::function<bool (llvm::Function const&)> const&, ctrace::stack::analysis::IndirectTargetResolver&, std::unordered_map<llvm::Function const*, unsigned int, std::hash<llvm::Function const*>, std::equal_to<llvm::Function const*>, std::allocator<std::pair<llvm::Function const* const, unsigned int> > > const&, ctrace::stack::analysis::StackEscapeModel const&, ctrace::stack::analysis::StackEscapeRuleMatcher&, ctrace::stack::analysis::ParamEscapeFacts&)' is never used to modify the referred object ↳ current type: Argument &arg ↳ suggested type: const Argument &arg

Check notice on line 332 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.Reference Note

[ !Info! ] ConstParameterNotModified.Reference: parameter 'F' in function 'ctrace::stack::analysis::(anonymous namespace)::collectParamEscapeFacts(llvm::Function&, llvm::Argument&, std::function<bool (llvm::Function const&)> const&, ctrace::stack::analysis::IndirectTargetResolver&, std::unordered_map<llvm::Function const*, unsigned int, std::hash<llvm::Function const*>, std::equal_to<llvm::Function const*>, std::allocator<std::pair<llvm::Function const* const, unsigned int> > > const&, ctrace::stack::analysis::StackEscapeModel const&, ctrace::stack::analysis::StackEscapeRuleMatcher&, ctrace::stack::analysis::ParamEscapeFacts&)' is never used to modify the referred object ↳ current type: Function &F ↳ suggested type: const Function &F

Check notice on line 139 in src/analysis/StackPointerEscape.cpp

Code scanning / coretrace-stack-analyzer

None Note

[ !Info! ] recursive or mutually recursive function detected

Check notice on line 208 in src/analysis/StackComputation.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.ReferenceRvaluePreferValue Note

[ !Info! ] ConstParameterNotModified.ReferenceRvaluePreferValue: parameter 'isRecursiveCallee' in function 'bool ctrace::stack::analysis::(anonymous namespace)::detectInfiniteRecursionByDominance<ctrace::stack::analysis::detectInfiniteRecursionComponent(std::vector<llvm::Function const*, std::allocator<llvm::Function const*> > const&)::$_0>(llvm::Function&, ctrace::stack::analysis::detectInfiniteRecursionComponent(std::vector<llvm::Function const*, std::allocator<llvm::Function const*> > const&)::$_0&&)' is an rvalue reference and is never used to modify the referred object ↳ consider passing by value (<anonymous type> isRecursiveCallee) or const reference (const <anonymous type> &isRecursiveCallee) ↳ current type: <anonymous type> &&isRecursiveCallee

Check notice on line 208 in src/analysis/StackComputation.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.ReferenceRvaluePreferValue Note

[ !Info! ] ConstParameterNotModified.ReferenceRvaluePreferValue: parameter 'isRecursiveCallee' in function 'bool ctrace::stack::analysis::(anonymous namespace)::detectInfiniteRecursionByDominance<ctrace::stack::analysis::detectInfiniteSelfRecursion(llvm::Function&)::$_0>(llvm::Function&, ctrace::stack::analysis::detectInfiniteSelfRecursion(llvm::Function&)::$_0&&)' is an rvalue reference and is never used to modify the referred object ↳ consider passing by value (<anonymous type> isRecursiveCallee) or const reference (const <anonymous type> &isRecursiveCallee) ↳ current type: <anonymous type> &&isRecursiveCallee

Check notice on line 1597 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

ConstParameterNotModified.Pointer Note

[ !Info! ] ConstParameterNotModified.Pointer: parameter 'allowPointerSlotFallback' in function 'ctrace::stack::analysis::(anonymous namespace)::mapSummaryEffectToCallerStorage(ctrace::stack::analysis::(anonymous namespace)::ParamLifetimeEffect const&, llvm::CallBase const&, llvm::Function const&, ctrace::stack::analysis::(anonymous namespace)::MethodClassInfo const&, llvm::DataLayout const&, bool, bool*)' is never used to modify the pointed object ↳ current type: bool *allowPointerSlotFallback ↳ suggested type: const bool *allowPointerSlotFallback

Check notice on line 1392 in src/analysis/ResourceLifetimeAnalysis.cpp

Code scanning / coretrace-stack-analyzer

None Note

[ !Info! ] recursive or mutually recursive function detected