authorEvgenii Kliuchnikov <eustas@google.com>2023-07-03 19:13:24 +0000
committerEvgenii Kliuchnikov <eustas.ru@gmail.com>2023-07-04 07:55:25 +0000
commit6ee96e291db87ccea9b8451a23de0aa0d93d194d (patch)
tree886dc866f376d8cf8c4d707ad45475376130b24b
parente252f1fc155cf62d147766a33734b0ce0a4caf30 (diff)
Internal changes
PiperOrigin-RevId: 545262005
-rw-r--r--.github/workflows/build_test.yml31
-rw-r--r--.github/workflows/codeql.yml63
-rw-r--r--.github/workflows/scorecard.yml72
-rw-r--r--BUILD12
-rw-r--r--CMakeLists.txt6
-rw-r--r--c/common/platform.h9
-rw-r--r--c/fuzz/decode_fuzzer.c5
-rw-r--r--compiler_config_setting.bzl12
8 files changed, 190 insertions, 20 deletions
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index a7b23d6..ff5e8fd 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -33,7 +33,7 @@ jobs:
build_system: cmake
c_compiler: gcc-9
cxx_compiler: g++-9
- os: ubuntu-18.04
+ os: ubuntu-20.04
# TODO: consider running this combination in docker
#- name: cmake:clang3.5
@@ -114,12 +114,13 @@ jobs:
# TODO: consider running this combination in docker
#- name: python2.7:gcc5
- - name: python27:clang9
- build_system: python
- c_compiler: clang-9
- python_version: 2.7
- cxx_compiler: clang++-9
- os: ubuntu-18.04
+ # TODO: consider running this combination in docker
+ #- name: python27:clang9
+ # build_system: python
+ # c_compiler: clang-9
+ # python_version: 2.7
+ # cxx_compiler: clang++-9
+ # os: ubuntu-20.04
# TODO: consider running this combination in docker
#- name: python27-win
@@ -202,7 +203,7 @@ jobs:
- name: bazel-win:root
build_system: bazel
bazel_project: .
- os: windows-latest
+ os: windows-2019
# TODO: use single dll on windows, otherwise it fails to link
#- name: bazel-win:go
@@ -213,7 +214,7 @@ jobs:
- name: bazel-win:java
build_system: bazel
bazel_project: java
- os: windows-latest
+ os: windows-2019
# TODO: blocked by Bazel Closure rules issue
#- name: bazel-win:js
@@ -224,7 +225,7 @@ jobs:
- name: bazel-win:research
build_system: bazel
bazel_project: research
- os: windows-latest
+ os: windows-2019
- name: make
build_system: make
@@ -245,7 +246,7 @@ jobs:
steps:
- name: Install extra deps @ Ubuntu
if: ${{ runner.os == 'Linux' }}
- # Already installed: bazel, clang{10-12}, cmake, gcc{9,10}, java{8,11}, maven, python{2.7,3.5-3.9}
+ # Already installed: bazel, clang{10-12}, cmake, gcc{9,10}, java{8,11}, maven, python{3.5-3.9}
run: |
EXTRA_PACKAGES="${{ matrix.extra_apt_pkgs || '' }}"
sudo apt update
@@ -293,7 +294,7 @@ jobs:
if: ${{ matrix.build_system == 'bazel' }}
run: |
cd ${GITHUB_WORKSPACE}/${{ matrix.bazel_project }}
- bazel build -c opt ...:all
+ bazelisk build -c opt ...:all
- name: Fix symlinks for Bazel (Windows)
if: ${{ matrix.build_system == 'bazel' && runner.os == 'Windows' && matrix.bazel_project == 'java' }}
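Review bot: Switching the build step to `bazelisk` means the Bazel binary is downloaded when the job runs, and nothing in this hunk fixes which version it fetches. If the repository has no `.bazelversion` file (none is visible in this commit), bazelisk resolves to the latest release, so the build tool can change between runs without a reviewed commit. Adding a `.bazelversion` with the intended version, or setting `USE_BAZEL_VERSION` in the workflow `env:`, would pin it. The same applies to the `bazelisk query` / `bazelisk test` / `bazelisk clean` lines in the next hunk and to the `bazelisk build` step in codeql.yml.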
@@ -337,9 +338,9 @@ jobs:
if: ${{ matrix.build_system == 'bazel' }}
run: |
cd ${GITHUB_WORKSPACE}/${{ matrix.bazel_project }}
- bazel query "tests(...)" --output=label > ${RUNNER_TEMP}/tests.lst
- [ -s ${RUNNER_TEMP}/tests.lst ] && bazel test -c opt ...:all
- bazel clean
+ bazelisk query "tests(...)" --output=label > ${RUNNER_TEMP}/tests.lst
+ [ -s ${RUNNER_TEMP}/tests.lst ] && bazelisk test -c opt ...:all
+ bazelisk clean
- name: Build / Test with Maven
if: ${{ matrix.build_system == 'maven' }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..bd043c9
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,63 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ schedule:
+ - cron: '18 15 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 360
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp', 'java', 'javascript', 'python' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ config: |
+ paths-ignore:
+ - research
+
+ - if: matrix.language == 'cpp'
+ name: Build CPP
+ uses: github/codeql-action/autobuild@v2
+
+ - if: matrix.language == 'cpp' || matrix.language == 'java'
+ name: Build Java
+ run: |
+ cd ${GITHUB_WORKSPACE}/java
+ bazelisk build --spawn_strategy=local --nouse_action_cache -c opt ...:all
+
+ - if: matrix.language == 'javascript'
+ name: Build JS
+ uses: github/codeql-action/autobuild@v2
+
+ - if: matrix.language == 'cpp' || matrix.language == 'python'
+ name: Build Python
+ run: |
+ python setup.py build_ext
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
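Review bot: The `uses:` lines in this workflow reference actions by mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), while scorecard.yml added in the same commit pins every action to a full commit SHA. A tag can be moved, and this job holds `security-events: write`, so the workflow should pin by SHA with the version as a trailing comment, in the form `actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0` that scorecard.yml already uses. That makes the two workflows consistent and is what Scorecard's Pinned-Dependencies check looks for. Separately, the steps named "Build Java" and "Build Python" also run for the `cpp` matrix entry; a one-line comment saying why (presumably to compile the native bindings while CodeQL traces the build) would keep those conditions from reading as a mistake.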
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..a71f9f8
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '23 21 * * 1'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/BUILD b/BUILD
index 07a6793..34e4a54 100644
--- a/BUILD
+++ b/BUILD
@@ -45,6 +45,17 @@ create_msvc_config()
STRICT_C_OPTIONS = select({
":msvc": [],
+ ":clang-cl": [
+ "/W4",
+ "-Wconversion",
+ "-Wlong-long",
+ "-Wmissing-declarations",
+ "-Wmissing-prototypes",
+ "-Wno-strict-aliasing",
+ "-Wshadow",
+ "-Wsign-compare",
+ "-Wno-sign-conversion",
+ ],
"//conditions:default": [
"--pedantic-errors",
"-Wall",
@@ -124,6 +135,7 @@ cc_library(
hdrs = [":enc_headers"],
copts = STRICT_C_OPTIONS,
linkopts = select({
+ ":clang-cl": [],
":msvc": [],
"//conditions:default": ["-lm"],
}),
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9e4cf40..3c391f6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,7 +1,7 @@
# Available CMake versions:
-# - Ubuntu 18.04 LTS (deprecated on GitHub Actions) : 3.10.4
-# - Solaris 11.4 SRU 15 : 3.15
-cmake_minimum_required(VERSION 3.10.4)
+# - Ubuntu 20.04 LTS : 3.16.3
+# - Solaris 11.4 SRU 15 : 3.15
+cmake_minimum_required(VERSION 3.15)
# Since this project's version is loaded from other files, this policy
# will help suppress the warning generated by cmake.
diff --git a/c/common/platform.h b/c/common/platform.h
index f1c1dc7..7406f3f 100644
--- a/c/common/platform.h
+++ b/c/common/platform.h
@@ -209,8 +209,13 @@ OR:
#define BROTLI_TARGET_RISCV64
#endif
+#if defined(__loongarch_lp64)
+#define BROTLI_TARGET_LOONGARCH64
+#endif
+
#if defined(BROTLI_TARGET_X64) || defined(BROTLI_TARGET_ARMV8_64) || \
- defined(BROTLI_TARGET_POWERPC64) || defined(BROTLI_TARGET_RISCV64)
+ defined(BROTLI_TARGET_POWERPC64) || defined(BROTLI_TARGET_RISCV64) || \
+ defined(BROTLI_TARGET_LOONGARCH64)
#define BROTLI_TARGET_64_BITS 1
#else
#define BROTLI_TARGET_64_BITS 0
@@ -269,7 +274,7 @@ OR:
#define BROTLI_UNALIGNED_READ_FAST (!!0)
#elif defined(BROTLI_TARGET_X86) || defined(BROTLI_TARGET_X64) || \
defined(BROTLI_TARGET_ARMV7) || defined(BROTLI_TARGET_ARMV8_ANY) || \
- defined(BROTLI_TARGET_RISCV64)
+ defined(BROTLI_TARGET_RISCV64) || defined(BROTLI_TARGET_LOONGARCH64)
/* These targets are known to generate efficient code for unaligned reads
* (e.g. a single instruction, not multiple 1-byte loads, shifted and or'd
* together). */
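Review bot: Adding `BROTLI_TARGET_LOONGARCH64` to the `BROTLI_UNALIGNED_READ_FAST` condition asserts that every LoongArch64 target handles unaligned loads efficiently, but the commit gives no basis for that and, as far as I know, hardware unaligned access is optional for LoongArch implementations. If so, cores without it would get the path that the comment under the condition says these targets handle in a single instruction. This looks like a performance matter rather than a correctness one, though the load helpers are outside the hunk. The comment could record the assumption, e.g. `/* LoongArch64: assumes hardware unaligned access; confirm for strict-align cores. */`. The `#if`/`#elif` chain starts above the hunk.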
diff --git a/c/fuzz/decode_fuzzer.c b/c/fuzz/decode_fuzzer.c
index 46144e0..697f9bf 100644
--- a/c/fuzz/decode_fuzzer.c
+++ b/c/fuzz/decode_fuzzer.c
@@ -27,6 +27,11 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
size_t total_out = 0;
BrotliDecoderState* state = BrotliDecoderCreateInstance(0, 0, 0);
+ if (!state) {
+ // OOM is out-of-scope here.
+ free(buffer);
+ return 0;
+ }
if (addend == 0)
addend = size;
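Review bot: The new `!state` branch frees `buffer`, which is allocated above the hunk, and whether that allocation is itself NULL-checked is not visible here. It is worth confirming, since an unchecked `buffer` would presumably be written through under the same out-of-memory condition this hunk handles. On style, the added comment uses `//` while the C sources touched by this commit use block comments and the default Bazel options include `--pedantic-errors`; `/* OOM is out-of-scope here. */` stays valid if the fuzzer is ever built with those flags. The function body starts and ends outside the hunk.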
diff --git a/compiler_config_setting.bzl b/compiler_config_setting.bzl
index 572032b..b7bb7b9 100644
--- a/compiler_config_setting.bzl
+++ b/compiler_config_setting.bzl
@@ -14,6 +14,13 @@ def create_msvc_config():
# be removed.
if hasattr(cc_common, "do_not_use_tools_cpp_compiler_present"):
native.config_setting(
+ name = "clang-cl",
+ flag_values = {
+ "@bazel_tools//tools/cpp:compiler": "clang-cl",
+ },
+ visibility = ["//visibility:public"],
+ )
+ native.config_setting(
name = "msvc",
flag_values = {
"@bazel_tools//tools/cpp:compiler": "msvc-cl",
@@ -22,6 +29,11 @@ def create_msvc_config():
)
else:
native.config_setting(
+ name = "clang-cl",
+ values = {"compiler": "clang-cl"},
+ visibility = ["//visibility:public"],
+ )
+ native.config_setting(
name = "msvc",
values = {"compiler": "msvc-cl"},
visibility = ["//visibility:public"],