diff --git a/.ci/Dockerfile.doca b/.ci/Dockerfile.doca index 4597a43c024..908fd537153 100644 --- a/.ci/Dockerfile.doca +++ b/.ci/Dockerfile.doca @@ -25,8 +25,17 @@ RUN set -eux; \ curl \ unzip \ podman \ - gcc-9 \ - jq + gcc-11 \ + cpp-11 \ + jq \ + dpkg-dev \ + debhelper \ + patchelf \ + python3-pyelftools \ + libfuse3-dev \ + libaio-dev \ + libncurses-dev + ### TOOLS INSTALL ### RUN set -eux; \ diff --git a/.ci/ci_env.sh b/.ci/ci_env.sh index df7e2bb1231..ca406d57a09 100755 --- a/.ci/ci_env.sh +++ b/.ci/ci_env.sh @@ -22,4 +22,4 @@ export CI_ENV_DOCA_BUILDER_TAG="2.10.0087-devel-ubuntu22.04-arm64" # changes that affect components in CI builder images. # CI builder images use it as docker tag. # Format=- -export CI_ENV_CI_REV="250205-2" +export CI_ENV_CI_REV="250305-1" diff --git a/.ci/coverity.sh b/.ci/coverity.sh new file mode 100755 index 00000000000..d2c89511493 --- /dev/null +++ b/.ci/coverity.sh 
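Review bot: The added packages include `gcc-11` and `cpp-11`, but .ci/coverity.sh in this same commit exports `CXX=g++-11` and only verifies that `gcc-11` is present; `cpp-11` is the C preprocessor, not the C++ compiler. Unless `g++-11` is installed in a part of this package list that lies outside the hunk, any C++ translation unit in the captured build will fail to compile and be missing from the analysis. If that is the case, add `g++-11 \` next to `gcc-11 \`, and extend the script's check to `command -v g++-11` as well. The `RUN` instruction starts and ends outside the hunk, so the full list is not visible here.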
@@ -0,0 +1,172 @@
+#!/bin/bash -exEl
+set -o pipefail
+
+progname=$(basename $0)
+
+DEFECTS_EXPECTED=13
+
+function usage()
+{
+ cat << HEREDOC
+ Usage: $progname [--pre_script "./autogen.sh;./configure"] [--build_cmd "make all"] [--ignore_files "devx gtest"] [--verbose]
+ optional arguments:
+ -h, --help show this help message and exit
+ -p, --pre_script STRING Preparation commands to run prior running coverity
+ -b, --build_script STRING Build command to pass to coverity
+ -i, --ignore_files STRING Space separated list of files/dirs to ignore
+ --url STRING Coverity Server URL
+ --user STRING Login to Coverity Server
+ --password STRING Password to Coverity Server
+ --stream STRING Stream on Coverity Server where to upload the report
+ --upload Upload report to Coverity Server (--url, --user, --password are required)
+ --doca-version STRING DOCA SDK version
+ -v, --verbose increase the verbosity of the bash script
+HEREDOC
+exit 0
+}
+
+
+
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ -p|--pre_script) pre_cmd="$2"; shift ;;
+ -b|--build_script) build_cmd="$2"; shift ;;
+ -i|--include_files) include_list="$2"; shift ;;
+ --url) url="$2"; shift ;;
+ --user) user="$2"; shift ;;
+ --password) password="$2"; shift ;;
+ --stream) stream="$2"; shift ;;
+ --upload) upload=true;;
+ --doca-version) DOCA_VERSION="$2"; shift ;;
+ -h|--help) usage ;;
+ -v|--verbose) set +x ;;
+ *) echo "Unknown parameter passed: $1"; exit 1 ;;
+ esac
+ shift
+done
+
+if [ ! -d .git ]; then
+ echo "Error: should be run from project root"
+ exit 1
+fi
+
+if [ ! -z ${upload} ]; then
+ [ ! -z "$url" ] || { echo "Error: --url must be provided when --upload is set!"; exit 1; }
+ [ ! -z "$user" ] || { echo "Error: --user must be provided when --upload is set!"; exit 1; }
+ [ ! -z "$password" ] || { echo "Error: --password must be provided when --upload is set!"; exit 1; }
+ [ ! -z "$stream" ] || { echo "Error: --stream must be provided when --upload is set!"; exit 1; }
+fi
+
+
+ncpus=$(cat /proc/cpuinfo|grep processor|wc -l)
+
+# Current coverity version (2023.12) supports GCC <= 11
+if ! command -v gcc-11 &> /dev/null; then
+ echo "Error: gcc-11 is not installed!"
+ exit 1
+fi
+
+export CC=gcc-11
+export CXX=g++-11
+
+
+function install_dependencies() {
+
+ # Install DOCA STA
+ wget https://urm.nvidia.com/artifactory/sw-nbu-doca-local/doca-sdk/$(echo $DOCA_VERSION | grep -o "[0-9]\+\.[0-9]\+\.[0-9]")/DOCA_${DOCA_VERSION//./-}-1/doca-sdk-sta-${DOCA_VERSION}.tar.gz
+ tar xzvf doca-sdk-sta-${DOCA_VERSION}.tar.gz --no-same-owner
+ cd doca-sdk-sta-${DOCA_VERSION}
+ . ./devtools/public/set_env_variables.sh --deb
+ ./devtools/public/doca_package_build.sh --dpu --deb
+ cd ../
+ sudo dpkg --force-all -i doca-sdk-sta_${DOCA_VERSION}-1_arm64.deb libdoca-sdk-sta-dev_${DOCA_VERSION}-1_arm64.deb
+}
+
+# Build and install NVMF Target Offload
+
+if [ -n "${pre_cmd}" ]; then
+
+ echo "==== Running Pre-commands ===="
+
+ set +eE
+ install_dependencies
+ /bin/bash -c "$pre_cmd"
+ rc=$?
+
+ if [ $rc -ne 0 ]; then
+ echo pre-commands failed
+ exit 1
+ fi
+
+ set -eE
+fi
+
+cov_build="cov_build"
+rm -rf $cov_build
+
+echo "==== Running coverity ===="
+
+export PATH="$PATH:/auto/sw_tools/Commercial/Synopsys/Coverity/Coverity_2023.12/linux_arm64/bin"
+
+cov-build --dir $cov_build $build_cmd
+
+if [ -n "${include_list}" ]; then
+ echo "==== Restricting analysis to include list ===="
+
+ # Generate a list of all captured files
+ set -x
+ all_files=$(cov-manage-emit --dir ${cov_build} list | grep ">"| awk '{print $3}')
+ echo "All files: $all_files"
+ # Compute files to delete (those NOT in allow_list)
+ for file in ${all_files}; do
+ count=0
+ for f in ${include_list}; do
+ if echo "${file}" | grep -q "$f"; then
+ count=$((count + 1))
+ fi
+ done
+ if [ $count -eq 0 ]; then
+ cov-manage-emit --dir ${cov_build} --tu-pattern "file('${file}')" delete ||:
+ fi
+ done
+fi
+
+
+echo "==== Running anaysis ===="
+
+cov-analyze --jobs 1 --security \
+ --enable INTEGER_OVERFLOW \
+ --enable AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK \
+ --concurrency --dir $cov_build
+
+if [ ! -z ${upload} ]; then
+
+ echo "==== Uploading report ===="
+
+ cov-commit-defects --ssl --on-new-cert trust \
+ --url $url --user $user --password $password \
+ --dir $cov_build \
+ --stream $stream
+fi
+
+cov-format-errors --dir $cov_build --html-output $cov_build/html
+
+nerrors=$(cov-format-errors --dir $cov_build --emacs-style |& tee $cov_build/coverity.log | grep 'Type:' | wc -l )
+
+echo -e "Number of Defects: ${nerrors} (expected $DEFECTS_EXPECTED)\n"
+
+if (( $nerrors > $DEFECTS_EXPECTED )); then
+ echo "FAIL"
+ echo "New defects were added."
+ echo "Number of defects ($nerrors) > ($DEFECTS_EXPECTED) defects expected!"
+ echo "Please fix new defects or mark them as false-positive by incrementing the DEFECTS_EXPECTED in .ci/coverity.sh"
+ exit $nerrors
+elif (( $nerrors < $DEFECTS_EXPECTED )); then
+ echo "FAIL"
+ echo "Defects were removed without updating the expected number."
+ echo "Number of defects ($nerrors) < ($DEFECTS_EXPECTED) defects expected!" + echo "Please update DEFECTS_EXPECTED to $nerrors in .ci/coverity.sh" + exit $nerrors +else + exit 0 +fi diff --git a/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in b/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in index 77a599c774b..2680f3712bd 100644 --- a/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in +++ b/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in @@ -43,11 +43,14 @@ kubernetes: privileged: true arch_table: aarch64: - jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:latest' - dockerImage: 'quay.io/podman/stable:v5.1.2' + jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:3283.v92c105e0f819-6' + dockerImage: 'urm.nvidia.com/quay-remote/podman/stable:v5.3.2' x86_64: - jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:latest' - dockerImage: 'quay.io/podman/stable:v5.1.2' + jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:3283.v92c105e0f819-6' + dockerImage: 'urm.nvidia.com/quay-remote/podman/stable:v5.3.2' + +volumes: + - {mountPath: /auto/sw_tools, hostPath: /auto/sw_tools} empty_volumes: - {mountPath: /var/home/swx-jenkins/.local/share/containers, memory: false} @@ -65,6 +68,10 @@ runs_on_dockers: file: '.ci/Dockerfile.doca', name: 'doca_ci', arch: 'aarch64', tag: "${CI_ENV_CI_REV}", build_args: '--build-arg DOCA_IMAGE_TAG=$DOCA_BUILDER_TAG --pull --no-cache' } + - { + file: '.ci/Dockerfile.doca', name: 'toolbox', arch: 'aarch64', tag: "${CI_ENV_CI_REV}", + category: 'tool', build_args: '--build-arg DOCA_IMAGE_TAG=$DOCA_BUILDER_TAG --pull --no-cache' + } steps: - name: Clone DPA sign tool 
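Review bot: The upload path in .ci/coverity.sh exposes the Coverity password: the script runs with xtrace from the shebang (`#!/bin/bash -exEl`) and turns it back on with `set -x` in the include-list block, so both `password="$2"` in the option parser and the `cov-commit-defects ... --password $password` command line end up in the job log, and the value is also readable from the process list while the commit runs. `--on-new-cert trust` additionally accepts whatever certificate the server presents on first contact, so the connection that carries the credential is not authenticated. I would take the secret from the environment rather than argv, switch tracing off before the commit, quote the expansions and distrust unknown certificates; Coverity documents `COVERITY_PASSPHRASE` as the environment alternative to `--password`, but confirm that against the 2023.12 command reference. The CI step added in this commit does not pass `--upload`, so this is latent until someone enables it.

```shell
if [ -n "${upload:-}" ]; then

    echo "==== Uploading report ===="

    # Keep the credential out of the xtrace log and out of argv;
    # tracing stays off for the remainder of the script.
    { set +x; } 2>/dev/null
    export COVERITY_PASSPHRASE="$password"
    cov-commit-defects --ssl --on-new-cert distrust \
        --url "$url" --user "$user" \
        --dir "$cov_build" \
        --stream "$stream"
    unset COVERITY_PASSPHRASE
fi
```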
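Review bot: The new `volumes` entry maps the node's /auto/sw_tools into a pod declared `privileged: true` a few lines above, and .ci/coverity.sh appends a Coverity directory from that mount to PATH and runs `cov-build` and `cov-analyze` from it, so whoever can write to that path controls code executed inside the CI job. Nothing in the hunk marks the mount read-only; if the job-matrix schema offers a read-only option for hostPath volumes it should be set here, together with a comment such as `# Coverity toolchain for .ci/coverity.sh; must not be writable from the job`. Pinning `jnlpImage` and `dockerImage` to explicit tags improves on `latest`, though only a digest makes the pin immutable. The `kubernetes:` block begins outside the hunk.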
@@ -86,3 +93,18 @@ steps:
 --docker-registry-path=$DOCKER_REGISTRY_PATH \
 --docker-image-name=doca_nvmf_target_offload \
 --sign --push
+
+ - name: Coverity
+ containerSelector: "{name:'toolbox'}"
+ run: |
+ .ci/coverity.sh --pre_script 'pwd && ls -la && .ci/dpdk_patch.sh && ./configure --with-rdma=mlx5_dv --with-doca --with-flexio --disable-tests --disable-unit-tests --disable-examples --prefix=/opt' \
+ --build_script "make -j4" \
+ --include_files 'lib/nvmf/rdma_offload.c lib/env_dpdk/dmabuf.c' \
+ --doca-version `echo $DOCA_RUNTIME_TAG | grep -o "[0-9]\+\.[0-9]\+\.[0-9]*"` \
+ --verbose
+ archiveArtifacts: 'cov_build/html/**/*,cov_build/coverity.log,cov_build/*.txt'
+ publishHTML:
+ reportDir: 'cov_build/html'
+ reportFiles: 'index.html'
+ reportName: 'Coverity Report'
+ parallel: true
\ No newline at end of file
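Review bot: `--doca-version` takes its value from an unquoted backtick substitution, so when `DOCA_RUNTIME_TAG` is unset or does not match the pattern the argument disappears and the parser in .ci/coverity.sh consumes `--verbose` as the version. That string then goes into the download URL and package names in `install_dependencies`, which runs under `set +eE`, so a failed download, `tar` or `cd` does not stop the step and only the exit status of the `--pre_script` command is checked. Resolve the version on its own line and fail early, e.g. `doca_version=$(echo "$DOCA_RUNTIME_TAG" | grep -o "[0-9]\+\.[0-9]\+\.[0-9]*")` followed by `: "${doca_version:?DOCA_RUNTIME_TAG has no x.y.z version}"`, then pass `--doca-version "$doca_version"`. The tarball fetched by that function is unpacked, sourced and installed with `sudo dpkg --force-all` without a checksum or signature check; the fix belongs in the script, but this step is what triggers it.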