Conversation

@tautschnig (Collaborator)

Adds a dedicated CI job that runs unit and regression tests on Ubuntu 24.04 after compiling with Clang's sanitizers. Enables address sanitizer (buffer overflow, use-after-free, use-after-return, double-free), memory leak sanitizer, and undefined-behavior sanitizer (integer overflow).

Fixes: #832

  • Each commit message has a non-empty body, explaining why the change was made.
  • n/a Methods or procedures I have added are documented, following the guidelines provided in CODING_STANDARD.md.
  • n/a The feature or user visible behaviour I have added or modified has been documented in the User Guide in doc/cprover-manual/
  • Regression or unit tests are included, or existing tests cover the modified code (in this case I have detailed which ones those are in the commit message).
  • n/a My commit message includes data points confirming performance improvements (if claimed).
  • My PR is restricted to a single feature or bugfix.
  • n/a White-space or formatting changes outside the feature-related changed lines are in commits of their own.

@tautschnig tautschnig requested review from a team and peterschrammel as code owners November 26, 2025 10:03
@codecov

codecov bot commented Nov 26, 2025

Codecov Report

❌ Patch coverage is 96.29630% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.00%. Comparing base (1505c36) to head (b5055e6).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/goto-symex/symex_dereference.cpp | 80.00% | 1 Missing ⚠️ |
| src/goto-symex/symex_other.cpp | 66.66% | 1 Missing ⚠️ |
Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #8737   +/-   ##
========================================
  Coverage    80.00%   80.00%           
========================================
  Files         1700     1700           
  Lines       188254   188242   -12     
  Branches        73       73           
========================================
- Hits        150615   150607    -8     
+ Misses       37639    37635    -4     


@tautschnig tautschnig self-assigned this Nov 26, 2025
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch from 869c8c6 to 65d8860 December 1, 2025 18:16
@tautschnig tautschnig requested a review from kroening as a code owner December 1, 2025 19:05
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch 2 times, most recently from 34e4887 to c71effb December 2, 2025 01:24
@tautschnig tautschnig marked this pull request as draft December 2, 2025 01:28
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch 3 times, most recently from 6ec771d to ea2876b December 2, 2025 02:57
Adds a dedicated CI job that runs unit and regression tests on Ubuntu
24.04 after compiling with Clang's sanitizers. Enables address sanitizer
(buffer overflow, use-after-free, use-after-return, double-free), memory
leak sanitizer, and undefined-behavior sanitizer (integer overflow).

- [AddressSanitizer Documentation](https://clang.llvm.org/docs/AddressSanitizer.html)
- [LeakSanitizer Documentation](https://clang.llvm.org/docs/LeakSanitizer.html)
- [UndefinedBehaviorSanitizer Documentation](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html)

Fixes: diffblue#832

Shared pointers may be updated in yet-to-be-executed threads.

Although the temporary is bound by a const reference, that reference is
then just passed on to subobject initialisers. Per
https://en.cppreference.com/w/cpp/language/reference_initialization.html#Lifetime_of_a_temporary,
"passing on" does not extend the lifetime of a temporary.

Try working around asan
The constructor did not take care of them and our unit tests exposed
that, at least within unit tests, we were accessing uninitialised
members.

`goto_symex_statet` holds a reference to a language mode, which was
being initialised to `goto_symext::language_mode` in
`goto_symext::initialize_entry_point_state`. That `goto_symext` object,
however, may be the one created in
`single_path_symex_only_checkert::initialize_worklist`, whereupon the
`goto_symex_statet` will outlive it.

Fix this problem by getting rid of the `language_mode` member of
`goto_symext` and initialise `goto_symex_statet::language_mode` from a
mode in the symbol table, which outlives all goto-symex objects.
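The two commit messages above describe the same class of defect from two angles: a reference member that outlives what it refers to, once because a temporary bound to a const-reference parameter is destroyed at the end of the full-expression, and once because the referent is a member of a `goto_symext` that dies before the `goto_symex_statet`. The following added example, which is not CBMC code and uses hypothetical stand-in types (`statet`, `short_lived_ownert`, `symbol_tablet`) of my own, shows both unsafe patterns next to the safe one the fix adopts, where the referent lives in an object that outlives every state created from it:

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed stand-in for goto_symex_statet: it keeps a *reference* to a
// language mode rather than a copy, so it never owns the string it refers to.
struct statet
{
  const std::string &language_mode;
  explicit statet(const std::string &mode) : language_mode(mode) {}
};

// Unsafe pattern 1: a temporary std::string is bound to the const-reference
// parameter and that reference is forwarded into the member initialiser.
// Forwarding does NOT extend the temporary's lifetime; it is destroyed at the
// end of the full-expression and `state.language_mode` dangles immediately.
// Built with -fsanitize=address the read below is reported as a
// stack-use-after-scope. The function is deliberately never called from
// main() because it is undefined behaviour.
std::size_t mode_length_from_temporary()
{
  statet state(std::string("C"));    // temporary dies at this ';'
  return state.language_mode.size(); // UB: reads a destroyed object
}

// Unsafe pattern 2: the referent is a member of an object that is destroyed
// before the state is (the goto_symext-vs-goto_symex_statet situation).
struct short_lived_ownert
{
  std::string language_mode = "C";
};

// `owner` is destroyed on return, so the returned state's reference dangles.
// ASan reports this as a stack-use-after-return when run with
// ASAN_OPTIONS=detect_stack_use_after_return=1. Also never called from main().
statet state_from_short_lived_owner()
{
  short_lived_ownert owner;
  return statet(owner.language_mode);
}

// Safe pattern: take the mode from an object that outlives every state
// created from it, analogous to reading it from the symbol table.
struct symbol_tablet
{
  std::string language_mode = "C";
};

std::size_t mode_length_from_long_lived_owner()
{
  symbol_tablet table;               // declared first, destroyed last
  statet state(table.language_mode); // reference into the longer-lived object
  return state.language_mode.size(); // 1, no dangling reference
}

int main()
{
  std::cout << mode_length_from_long_lived_owner() << '\n'; // prints 1
  return 0;
}
```

To reproduce what the new CI job does for the whole test suite on this one file, build it with `clang++ -std=c++17 -g -fno-omit-frame-pointer -fsanitize=address,undefined` and, after adding a call to either unsafe function, run it with `ASAN_OPTIONS=detect_stack_use_after_return=1`: the sanitizer stops at the dangling read with a stack trace, whereas without instrumentation the read usually "works" because the stack slot has not yet been reused, which is why such bugs survive ordinary test runs.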
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch from ea2876b to cb0753c December 2, 2025 04:24
Use mp_integer to compute the number of permitted objects as the number
of object bits is related to the analysis target platform and need not
be within the analysis-execution platform's limits.
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch from cb0753c to eaaf057 December 2, 2025 04:38
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch from da1568c to f5e79cc December 2, 2025 13:07
@tautschnig tautschnig force-pushed the address-sanitizer-ci branch from 39de428 to 0c544dc December 2, 2025 15:03
Development

Successfully merging this pull request may close these issues.

Use clang address sanitizer in linux/clang CI

2 participants