From c32f9e7e08a5c510c49724236b9c0de1b2e3c3f8 Mon Sep 17 00:00:00 2001 From: Slobodan Predolac Date: Fri, 5 Jun 2026 11:52:39 -0700 Subject: [PATCH 1/2] Add CodeQL workflow (security-and-quality, debug+prof+cxx) --- .github/workflows/codeql.yml | 57 ++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..492cbb59 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,57 @@ +name: "CodeQL" + +# CodeQL static analysis for C/C++. Runs on GitHub's x86_64 runners with full +# network access, so it works even when a contributor's devserver can't reach +# github.com. +# +# Query suite: "security-and-quality" — GitHub's most comprehensive built-in +# suite. It is a superset of "security-extended" (so it still includes +# cpp/uncontrolled-arithmetic, the CWE-190/191 analog to the Veracode integer +# overflow/underflow findings on sz.h) and additionally pulls in the +# maintainability and reliability queries that high-quality repositories use to +# catch a broader class of bugs. +# +# Build config: --enable-debug --enable-prof --enable-cxx. Debug makes +# jemalloc's assert()s live (config_debug becomes a true const, not a no-op), so +# CodeQL credits them as guards and trusts the invariants they document; prof +# and cxx compile the profiling-only and C++ (operator new/delete) sources so +# those are analyzed too. This config is already built/tested in linux-ci.yml. + +on: + push: + branches: [ dev, ci_travis ] + pull_request: + branches: [ dev ] + +jobs: + analyze: + name: Analyze C/C++ + runs-on: ubuntu-latest + permissions: + security-events: write # required to upload code-scanning results + contents: read + actions: read + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install build deps + run: sudo apt-get update && sudo apt-get install -y autoconf + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: c-cpp + queries: security-and-quality + + - name: Build jemalloc + run: | + ./autogen.sh + ./configure --enable-debug --enable-prof --enable-cxx + make -j"$(nproc)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:c-cpp" From 38099e3901e6cf97fee57c5f419432778584bd1b Mon Sep 17 00:00:00 2001 From: Slobodan Predolac Date: Fri, 5 Jun 2026 11:52:39 -0700 Subject: [PATCH 2/2] Fix CodeQL findings: size_t flush checksum + arena_get asserts --- src/arena.c | 3 ++- src/arenas_management.c | 1 + src/jemalloc_init.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/arena.c b/src/arena.c index 55651402..86acc34c 100644 --- a/src/arena.c +++ b/src/arena.c @@ -1375,6 +1375,7 @@ arena_ptr_array_flush_impl_large(tsdn_t *tsdn, szind_t binind, edata_t *edata = item_edata[0].edata; unsigned cur_arena_ind = edata_arena_ind_get(edata); arena_t *cur_arena = arena_get(tsdn, cur_arena_ind, false); + assert(cur_arena != NULL); if (!arena_is_auto(cur_arena)) { malloc_mutex_lock(tsdn, &cur_arena->large_mtx); @@ -1464,7 +1465,7 @@ arena_ptr_array_flush_impl(tsd_t *tsd, szind_t binind, * Checks for sized deallocation bugs, failing early rather than * corrupting metadata. */ - size_t szind_sum = binind * nflush; + size_t szind_sum = (size_t)binind * nflush; emap_edata_lookup_batch(tsd, &arena_emap_global, nflush, &arena_ptr_array_flush_ptr_getter, (void *)arr, &arena_ptr_array_flush_metadata_visitor, (void *)&szind_sum, diff --git a/src/arenas_management.c b/src/arenas_management.c index 394303a3..eb477754 100644 --- a/src/arenas_management.c +++ b/src/arenas_management.c @@ -166,6 +166,7 @@ arena_init(tsdn_t *tsdn, unsigned ind, const arena_config_t *config) { static void arena_bind(tsd_t *tsd, unsigned ind, bool internal) { arena_t *arena = arena_get(tsd_tsdn(tsd), ind, false); + assert(arena != NULL); arena_nthreads_inc(arena, internal); if (internal) { diff --git a/src/jemalloc_init.c b/src/jemalloc_init.c index 34cfdcf5..f9ada6f8 100644 --- a/src/jemalloc_init.c +++ b/src/jemalloc_init.c @@ -642,6 +642,7 @@ malloc_init_hard(void) { * need it to set correct value for deferral_allowed. */ arena_t *a0 = arena_get(tsd_tsdn(tsd), 0, false); + assert(a0 != NULL); hpa_shard_opts_t hpa_shard_opts = opt_hpa_opts; hpa_shard_opts.deferral_allowed = background_thread_enabled(); if (pa_shard_enable_hpa(tsd_tsdn(tsd), &a0->pa_shard,