Merge pull request bytecodealliance#3369 from bytecodealliance/main

Merge branch main into dev/checkpoint_and_restore
victoryang00 · Apr 26, 2024 · 2a630c9 · 2a630c9
2 parents ef3babc + 120b965
commit 2a630c9
Show file tree

Hide file tree

Showing 103 changed files with 5,272 additions and 1,192 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,35 @@
+# Copyright (C) 2019 Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+version: 2
+updates:
+
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+
+- package-ecosystem: "docker"
+  directory: "/.devcontainer"
+  schedule:
+    interval: "weekly"
+
+- package-ecosystem: "devcontainers"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+
+- package-ecosystem: "pip"
+  directory: "/build-scripts"
+  schedule:
+    interval: "weekly"
+
+- package-ecosystem: "pip"
+  directory: "/language-bindings/python/wasm-c-api"
+  schedule:
+    interval: "weekly"
+
+- package-ecosystem: "pip"
+  directory: "/language-bindings/python/wamr-api"
+  schedule:
+    interval: "weekly"
diff --git a/.github/workflows/codeql_buildscript.sh → .github/scripts/codeql_buildscript.sh b/.github/workflows/codeql_buildscript.sh → .github/scripts/codeql_buildscript.sh
@@ -1,5 +1,10 @@
 #!/usr/bin/env bash
 
+#
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+#
+
 sudo apt update
 
 sudo apt install -y build-essential cmake g++-multilib libgcc-11-dev lib32gcc-11-dev ccache ninja-build ccache

diff --git a/.github/scripts/codeql_fail_on_error.py b/.github/scripts/codeql_fail_on_error.py
@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+#
+
+import json
+import sys
+import os
+import requests
+
+
+def fetch_dismissed_alerts(repo_name, github_token):
+    headers = {
+        "Authorization": f"token {github_token}",
+        "Accept": "application/vnd.github.v3+json",
+    }
+    url = (
+        f"https://api.github.com/repos/{repo_name}/code-scanning/alerts?state=dismissed"
+    )
+    response = requests.get(url, headers=headers)
+    return response.json()  # This assumes a successful API call
+
+
+def parse_location(location):
+    path = location.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
+    start_line = location.get("physicalLocation", {}).get("region", {}).get("startLine")
+    column_range = (
+        location.get("physicalLocation", {}).get("region", {}).get("startColumn"),
+        location.get("physicalLocation", {}).get("region", {}).get("endColumn"),
+    )
+    return (path, start_line, column_range)
+
+
+def is_dismissed(rule_id, path, start_line, column_range, dismissed_alerts):
+    for alert in dismissed_alerts:
+        alert_rule_id = alert.get("rule", {}).get("id")
+        alert_path = alert.get("location", {}).get("path")
+        alert_start_line = alert.get("location", {}).get("start_line")
+        alert_column_range = (
+            alert.get("location", {}).get("start_column"),
+            alert.get("location", {}).get("end_column"),
+        )
+
+        if (
+            rule_id == alert_rule_id
+            and path == alert_path
+            and start_line == alert_start_line
+            and column_range == alert_column_range
+        ):
+            return True
+    return False
+
+
+# Return whether SARIF file contains error-level results
+def codeql_sarif_contain_error(filename, dismissed_alerts):
+    has_error = False
+
+    with open(filename, "r") as f:
+        s = json.load(f)
+
+    for run in s.get("runs", []):
+        rules_metadata = run["tool"]["driver"]["rules"]
+        if not rules_metadata:
+            rules_metadata = run["tool"]["extensions"][0]["rules"]
+
+        for res in run.get("results", []):
+            if "ruleIndex" in res:
+                rule_index = res["ruleIndex"]
+            elif "rule" in res and "index" in res["rule"]:
+                rule_index = res["rule"]["index"]
+            else:
+                continue
+
+            # check whether it's dismissed before
+            rule_id = res["ruleId"]
+            path, start_line, column_range = parse_location(res["locations"][0])
+            # the source code is from dependencies
+            if "_deps" in path:
+                continue
+            if is_dismissed(rule_id, path, start_line, column_range, dismissed_alerts):
+                print(
+                    f"====== Finding a dismissed entry: {rule_id} at {path}:{start_line} is dismissed.======"
+                )
+                print(res)
+                continue
+
+            try:
+                rule_level = rules_metadata[rule_index]["defaultConfiguration"]["level"]
+            except IndexError as e:
+                print(e, rule_index, len(rules_metadata))
+            else:
+                if rule_level == "error":
+                    # very likely to be an actual error
+                    if rules_metadata[rule_index]["properties"].get("precision") in [
+                        "high",
+                        "very-high",
+                    ]:
+                        # the security severity is above medium(Common Vulnerability Scoring System (CVSS) >= 4.0)
+                        if "security-severity" in rules_metadata[rule_index][
+                            "properties"
+                        ] and (
+                            float(
+                                rules_metadata[rule_index]["properties"][
+                                    "security-severity"
+                                ]
+                            )
+                            > 4.0
+                        ):
+                            print("====== Finding a likely error. ======")
+                            print(res)
+                            has_error = True
+
+    return has_error
+
+
+if __name__ == "__main__":
+    GITHUB_TOKEN = os.getenv("GITHUB_TOKEN")
+    GITHUB_REPOSITORY = os.getenv("GITHUB_REPOSITORY")
+    dismissed_alerts = fetch_dismissed_alerts(GITHUB_REPOSITORY, GITHUB_TOKEN)
+
+    if codeql_sarif_contain_error(sys.argv[1], dismissed_alerts):
+        sys.exit(1)
diff --git a/.github/scripts/fetch_and_compare_version.py b/.github/scripts/fetch_and_compare_version.py
@@ -42,9 +42,12 @@ def fetch_version_from_code():
 
 
 def fetch_latest_git_tag():
-    list_tag_cmd = (
-        'git tag --list WAMR-*.*.* --sort=committerdate --format="%(refname:short)"'
-    )
+    """
+    Get the most recent tag from the HEAD,
+    if it's main branch, it should be the latest release tag.
+    if it's release/x.x.x branch, it should be the latest release tag of the branch.
+    """
+    list_tag_cmd = "git describe --tags --abbrev=0 HEAD"
     p = subprocess.run(shlex.split(list_tag_cmd), capture_output=True, check=True)
 
     all_tags = p.stdout.decode().strip()

diff --git a/.github/workflows/build_wamr_lldb.yml b/.github/workflows/build_wamr_lldb.yml
@@ -82,9 +82,7 @@ jobs:
       - name: install utils macos
         if: steps.lldb_build_cache.outputs.cache-hit != 'true' && contains(inputs.runner, 'macos')
         run: |
-          brew remove swig
-          brew install [email protected] cmake ninja libedit
-          brew link --overwrite [email protected]
+          brew install swig cmake ninja libedit
           sudo rm -rf /Library/Developer/CommandLineTools
 
       - name: install utils ubuntu

diff --git a/.github/workflows/build_wamr_sdk.yml b/.github/workflows/build_wamr_sdk.yml
@@ -58,6 +58,12 @@ jobs:
           sudo rm ${basename}
           sudo mv wasi-sdk-* wasi-sdk
 
+      - name: download dependencies
+        run: |
+          cd ./wamr-app-framework/deps
+          ./download.sh
+        working-directory: wamr-sdk
+
       - name: generate wamr-sdk release
         run: |
           cd ./wamr-app-framework/wamr-sdk

diff --git a/.github/workflows/build_wamr_vscode_ext.yml b/.github/workflows/build_wamr_vscode_ext.yml
@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Use Node.js 16.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 16.x
 

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners
     # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-20.04' }}
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-20.04' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       actions: read
@@ -49,7 +49,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
@@ -64,9 +64,9 @@ jobs:
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     - run: |
-        ./.github/workflows/codeql_buildscript.sh
+        ./.github/scripts/codeql_buildscript.sh
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
         upload: false
@@ -95,20 +95,23 @@ jobs:
         output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
 
     - name: Upload CodeQL results to code scanning
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: ${{ steps.step1.outputs.sarif-output }}
         category: "/language:${{matrix.language}}"
 
     - name: Upload CodeQL results as an artifact
       if: success() || failure()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: codeql-results
         path: ${{ steps.step1.outputs.sarif-output }}
         retention-days: 10
 
     - name: Fail if an error is found
       run: |
-        ./.github/workflows/codeql_fail_on_error.py \
+        ./.github/scripts/codeql_fail_on_error.py \
           ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
diff --git a/.github/workflows/codeql_fail_on_error.py b/.github/workflows/codeql_fail_on_error.py
diff --git a/.github/workflows/compilation_on_android_ubuntu.yml b/.github/workflows/compilation_on_android_ubuntu.yml
@@ -389,14 +389,14 @@ jobs:
           cd /opt
           sudo wget ${{ matrix.wasi_sdk_release }}
           sudo tar -xzf wasi-sdk-*.tar.gz
-          sudo mv wasi-sdk-20.0 wasi-sdk
+          sudo ln -sf wasi-sdk-20.0 wasi-sdk
 
       - name: download and install wabt
         run: |
           cd /opt
           sudo wget ${{ matrix.wabt_release }}
           sudo tar -xzf wabt-1.0.31-*.tar.gz
-          sudo mv wabt-1.0.31 wabt
+          sudo ln -sf wabt-1.0.31 wabt
       - name: Get LLVM libraries
         id: retrieve_llvm_libs
         uses: actions/cache@v4
@@ -491,6 +491,13 @@ jobs:
           ./iwasm wasm-apps/trap.aot | grep "#" > call_stack_aot.txt
           bash -x ../symbolicate.sh
 
+      - name: Build Sample [native-stack-overflow]
+        run: |
+          cd samples/native-stack-overflow
+          ./build.sh
+          ./run.sh test1
+          ./run.sh test2
+
   test:
     needs:
       [