Static Analysis using CodeChecker :)

.github/workflows/static-analysis.yml

@@ -0,0 +1,86 @@
+# JULEA - Flexible storage framework
+# Copyright (C) 2026 Jan Frase
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+name: static-analysis.yml
+on: [push, pull_request]
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  # This job is responsible for running Codechecker.
+  code-checker:
+    name: Code checker
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    env:
+      JULEA_SPACK_DIR: /julea-dependencies
+
+
+    steps:
+      # First, checkout julea.
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      # Get the dependencies.
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt --yes --no-install-recommends install meson ninja-build pkgconf libglib2.0-dev libbson-dev libfabric-dev libgdbm-dev liblmdb-dev libsqlite3-dev libleveldb-dev libmongoc-dev libmariadb-dev librocksdb-dev libfuse3-dev libopen-trace-format-dev librados-dev
+
+      # Then, generate compile_commands.json.
+      - name: Generate compile_commands.json
+        env:
+          CC: clang
+        run: |
+          . scripts/environment.sh
+          meson setup bld
+
+      # Install CodeChecker, gcc and cppcheck.
+      - name: Install CodeChecker
+        run: |
+          pip install codechecker
+          sudo apt install --yes --no-install-recommends cppcheck gcc 
+
+      - name: Install Infer
+        run: |
+          VERSION=1.3.0; \
+          curl -sSL "https://github.com/facebook/infer/releases/download/v$VERSION/infer-linux-x86_64-v$VERSION.tar.xz" \
+          | sudo tar -C /opt -xJ && \
+          sudo ln -s "/opt/infer-linux-x86_64-v$VERSION/bin/infer" /usr/local/bin/infer
+
+      # Run the analysis.
+      - name: Run CodeChecker
+        # Since we already have ~100 warnings, i have disabled the sensitive checks for now.
+        # Should we ever run out of warnings, feel free to enable them again :D
+        run: CodeChecker analyze ./bld/compile_commands.json -o results --ctu || true #--enable sensitive
+
+      # Parse the results and generate an HTML report.
+      - name: Generate HTML report
+        run: |
+          # The parse command returns with exit code 2 if it finds any bugs.
+          # Thus, we ignore the exit code with "|| true", to avoid failing the workflow.
+          CodeChecker parse --export html --output ./reports_html ./results || true
+
+      # Lastly, upload the results to the CI.
+      - name: Upload results
+        uses: actions/upload-artifact@v7.0.1
+        with:
+          name: "CodeChecker Bug Reports"
+          path: ./reports_html

doc/static-analysis.md

@@ -0,0 +1,38 @@
+# Static Analysis
+
+The codebase is checked for defects using CodeChecker, which wraps several static analysis tools (clang-sa, gcc, infer, cppcheck).
+
+## Pipeline
+It is automatically run in the GitHub pipeline and emits an artifact called "CodeChecker Bug Reports".
+A small summary of the number and types of errors found is given at the end of the "Generate HTML report" step.
+To view the detailed results, the artifact must be downloaded, extracted, and the `index.html` or `statistics.html` file opened.
+
+## Local
+Alternatively, the tool can be run locally.
+A full guide can be found [here](https://github.com/Ericsson/codechecker/blob/master/docs/usage.md).
+
+Notably, the tool can calculate a diff between two analysis runs as explained [here](https://github.com/Ericsson/codechecker/blob/master/docs/usage.md#using-diff-command-on-the-local-filesystem).
+This can be used to check whether your current local changes would introduce or remove any bugs.
+
+In summary:
+1. Ensure CodeChecker, the desired static analysis tools, and all JULEA dependencies are installed and available.
+
+2. Generate a `compile_commands.json` file.
+```bash
+meson setup -Dis_analysis_build=true bld
+```
+
+3. Run the analysis.
+```bash
+CodeChecker analyze ./bld/compile_commands.json -o results
+```
+
+4. Parse and view the results.
+```bash
+CodeChecker parse --export html --output ./reports_html ./results  &&
+firefox ./reports_html/index.html
+```
+
+## Potential improvements
+The current setup is quite bare-bones.
+CodeChecker supports running a server to store results of previous analysis runs, tracking reports that have already been marked as known false positives, and automatically calculating a diff between the main branch and the branch to be merged.