Merge pull request #14227 from NixOS/asan-hydra

packaging: Add buildWithSanitizers to hydraJobs
2025-10-14 02:19:32 +08:00 · 2025-10-12 17:43:54 +00:00
parent d9cabddd17 de75a180cb
commit a01df8de21
20 changed files with 74 additions and 44 deletions
--- a/ci/gha/tests/default.nix
+++ b/ci/gha/tests/default.nix
@@ -23,16 +23,6 @@ let
  packages' = nixFlake.packages.${system};
  stdenv = (getStdenv pkgs);

-  enableSanitizersLayer = finalAttrs: prevAttrs: {
-    mesonFlags =
-      (prevAttrs.mesonFlags or [ ])
-      ++ [ (lib.mesonOption "b_sanitize" "address,undefined") ]
-      ++ (lib.optionals stdenv.cc.isClang [
-        # https://www.github.com/mesonbuild/meson/issues/764
-        (lib.mesonBool "b_lundef" false)
-      ]);
-  };
-
  collectCoverageLayer = finalAttrs: prevAttrs: {
    env =
      let
@@ -55,14 +45,15 @@ let
    '';
  };

-  componentOverrides =
-    (lib.optional withSanitizers enableSanitizersLayer)
-    ++ (lib.optional withCoverage collectCoverageLayer);
+  componentOverrides = (lib.optional withCoverage collectCoverageLayer);
 in

 rec {
  nixComponentsInstrumented = nixComponents.overrideScope (
    final: prev: {
+      withASan = withSanitizers;
+      withUBSan = withSanitizers;
+
      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
      # Boehm is incompatible with ASAN.
      nix-expr = prev.nix-expr.override { enableGC = !withSanitizers; };
--- a/doc/manual/meson.build
+++ b/doc/manual/meson.build
@@ -15,7 +15,6 @@ pymod = import('python')
 python = pymod.find_installation('python3')

 nix_env_for_docs = {
-  'ASAN_OPTIONS' : 'abort_on_error=1:print_summary=1:detect_leaks=0',
  'HOME' : '/dummy',
  'NIX_CONF_DIR' : '/dummy',
  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
--- a/nix-meson-build-support/common/asan-options/asan-options.cc
+++ b/nix-meson-build-support/common/asan-options/asan-options.cc
@@ -0,0 +1,6 @@
+extern "C" [[gnu::retain, gnu::weak]] const char * __asan_default_options()
+{
+    // We leak a bunch of memory knowingly on purpose. It's not worthwhile to
+    // diagnose that memory being leaked for now.
+    return "abort_on_error=1:print_summary=1:detect_leaks=0:detect_odr_violation=0";
+}
--- a/nix-meson-build-support/common/asan-options/meson.build
+++ b/nix-meson-build-support/common/asan-options/meson.build
@@ -1,7 +1,3 @@
-asan_test_options_env = {
-  'ASAN_OPTIONS' : 'abort_on_error=1:print_summary=1:detect_leaks=0',
-}
-
 # Clang gets grumpy about missing libasan symbols if -shared-libasan is not
 # passed when building shared libs, at least on Linux
 if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefined' in get_option(
@@ -10,3 +6,6 @@ if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefi
  add_project_link_arguments('-shared-libasan', language : 'cpp')
 endif

+if 'address' in get_option('b_sanitize')
+  deps_other += declare_dependency(sources : 'asan-options.cc')
+endif
--- a/packaging/components.nix
+++ b/packaging/components.nix
@@ -204,6 +204,25 @@ let
      mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [ ];
    };

+  enableSanitizersLayer =
+    finalAttrs: prevAttrs:
+    let
+      sanitizers = lib.optional scope.withASan "address" ++ lib.optional scope.withUBSan "undefined";
+    in
+    {
+      mesonFlags =
+        (prevAttrs.mesonFlags or [ ])
+        ++ lib.optionals (lib.length sanitizers > 0) (
+          [
+            (lib.mesonOption "b_sanitize" (lib.concatStringsSep "," sanitizers))
+          ]
+          ++ (lib.optionals stdenv.cc.isClang [
+            # https://www.github.com/mesonbuild/meson/issues/764
+            (lib.mesonBool "b_lundef" false)
+          ])
+        );
+    };
+
  nixDefaultsLayer = finalAttrs: prevAttrs: {
    strictDeps = prevAttrs.strictDeps or true;
    enableParallelBuilding = true;
@@ -246,6 +265,16 @@ in

  inherit filesetToSource;

+  /**
+    Whether meson components are built with [AddressSanitizer](https://clang.llvm.org/docs/AddressSanitizer.html).
+  */
+  withASan = false;
+
+  /**
+    Whether meson components are built with [UndefinedBehaviorSanitizer](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html).
+  */
+  withUBSan = false;
+
  /**
    A user-provided extension function to apply to each component derivation.
  */
@@ -332,6 +361,7 @@ in
    setVersionLayer
    mesonLayer
    fixupStaticLayer
+    enableSanitizersLayer
    scope.mesonComponentOverrides
  ];
  mkMesonExecutable = mkPackageBuilder [
@@ -342,6 +372,7 @@ in
    mesonLayer
    mesonBuildLayer
    fixupStaticLayer
+    enableSanitizersLayer
    scope.mesonComponentOverrides
  ];
  mkMesonLibrary = mkPackageBuilder [
@@ -353,6 +384,7 @@ in
    mesonBuildLayer
    mesonLibraryLayer
    fixupStaticLayer
+    enableSanitizersLayer
    scope.mesonComponentOverrides
  ];

--- a/packaging/hydra.nix
+++ b/packaging/hydra.nix
@@ -158,6 +158,27 @@ in
    in
    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));

+  buildWithSanitizers =
+    let
+      components = forAllSystems (
+        system:
+        let
+          pkgs = nixpkgsFor.${system}.native;
+        in
+        pkgs.nixComponents2.overrideScope (
+          self: super: {
+            # Boost coroutines fail with ASAN on darwin.
+            withASan = !pkgs.stdenv.buildPlatform.isDarwin;
+            withUBSan = true;
+            nix-expr = super.nix-expr.override { enableGC = false; };
+            # Unclear how to make Perl bindings work with a dynamically linked ASAN.
+            nix-perl-bindings = null;
+          }
+        )
+      );
+    in
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
+
  buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.nix-cli);

  # Toggles some settings for better coverage. Windows needs these
--- a/src/libexpr-tests/meson.build
+++ b/src/libexpr-tests/meson.build
@@ -82,7 +82,7 @@ this_exe = executable(
 test(
  meson.project_name(),
  this_exe,
-  env : asan_test_options_env + {
+  env : {
    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
  },
  protocol : 'gtest',
--- a/src/libexpr-tests/package.nix
+++ b/src/libexpr-tests/package.nix
@@ -62,7 +62,6 @@ mkMesonExecutable (finalAttrs: {
              mkdir -p "$HOME"
            ''
            + ''
-              export ASAN_OPTIONS=abort_on_error=1:print_summary=1:detect_leaks=0
              export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
              ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
              touch $out
--- a/src/libfetchers-tests/meson.build
+++ b/src/libfetchers-tests/meson.build
@@ -63,7 +63,7 @@ this_exe = executable(
 test(
  meson.project_name(),
  this_exe,
-  env : asan_test_options_env + {
+  env : {
    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
  },
  protocol : 'gtest',
--- a/src/libfetchers-tests/package.nix
+++ b/src/libfetchers-tests/package.nix
@@ -61,7 +61,6 @@ mkMesonExecutable (finalAttrs: {
            buildInputs = [ writableTmpDirAsHomeHook ];
          }
          ''
-            export ASAN_OPTIONS=abort_on_error=1:print_summary=1:detect_leaks=0
            export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
            ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
            touch $out
--- a/src/libflake-tests/meson.build
+++ b/src/libflake-tests/meson.build
@@ -58,7 +58,7 @@ this_exe = executable(
 test(
  meson.project_name(),
  this_exe,
-  env : asan_test_options_env + {
+  env : {
    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
    'NIX_CONFIG' : 'extra-experimental-features = flakes',
    'HOME' : meson.current_build_dir() / 'test-home',
--- a/src/libflake-tests/package.nix
+++ b/src/libflake-tests/package.nix
@@ -59,7 +59,6 @@ mkMesonExecutable (finalAttrs: {
            buildInputs = [ writableTmpDirAsHomeHook ];
          }
          (''
-            export ASAN_OPTIONS=abort_on_error=1:print_summary=1:detect_leaks=0
            export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
            export NIX_CONFIG="extra-experimental-features = flakes"
            ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
--- a/src/libstore-tests/meson.build
+++ b/src/libstore-tests/meson.build
@@ -104,7 +104,7 @@ this_exe = executable(
 test(
  meson.project_name(),
  this_exe,
-  env : asan_test_options_env + {
+  env : {
    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
    'HOME' : meson.current_build_dir() / 'test-home',
    'NIX_REMOTE' : meson.current_build_dir() / 'test-home' / 'store',
@@ -138,7 +138,7 @@ if get_option('benchmarks')
  benchmark(
    'nix-store-benchmarks',
    benchmark_exe,
-    env : asan_test_options_env + {
+    env : {
      '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
    },
  )
--- a/src/libstore-tests/package.nix
+++ b/src/libstore-tests/package.nix
@@ -83,7 +83,6 @@ mkMesonExecutable (finalAttrs: {
          }
          (
            ''
-              export ASAN_OPTIONS=abort_on_error=1:print_summary=1:detect_leaks=0
              export _NIX_TEST_UNIT_DATA=${data + "/src/libstore-tests/data"}
              export NIX_REMOTE=$HOME/store
              ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
--- a/src/libutil-tests/meson.build
+++ b/src/libutil-tests/meson.build
@@ -97,7 +97,7 @@ this_exe = executable(
 test(
  meson.project_name(),
  this_exe,
-  env : asan_test_options_env + {
+  env : {
    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
  },
  protocol : 'gtest',
--- a/src/libutil-tests/package.nix
+++ b/src/libutil-tests/package.nix
@@ -61,7 +61,6 @@ mkMesonExecutable (finalAttrs: {
              mkdir -p "$HOME"
            ''
            + ''
-              export ASAN_OPTIONS=abort_on_error=1:print_summary=1:detect_leaks=0
              export _NIX_TEST_UNIT_DATA=${./data}
              ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
              touch $out
--- a/src/nix/asan-options.cc
+++ b/src/nix/asan-options.cc
@@ -1,6 +0,0 @@
-extern "C" [[gnu::retain]] const char * __asan_default_options()
-{
-    // We leak a bunch of memory knowingly on purpose. It's not worthwhile to
-    // diagnose that memory being leaked for now.
-    return "abort_on_error=1:print_summary=1:detect_leaks=0";
-}
--- a/src/nix/meson.build
+++ b/src/nix/meson.build
@@ -61,7 +61,6 @@ subdir('nix-meson-build-support/generate-header')
 nix_sources = [ config_priv_h ] + files(
  'add-to-store.cc',
  'app.cc',
-  'asan-options.cc',
  'build.cc',
  'bundle.cc',
  'cat.cc',
--- a/tests/functional/test-libstoreconsumer/main.cc
+++ b/tests/functional/test-libstoreconsumer/main.cc
@@ -5,13 +5,6 @@

 using namespace nix;

-extern "C" [[gnu::retain]] const char * __asan_default_options()
-{
-    // We leak a bunch of memory knowingly on purpose. It's not worthwhile to
-    // diagnose that memory being leaked for now.
-    return "abort_on_error=1:print_summary=1:detect_leaks=0";
-}
-
 int main(int argc, char ** argv)
 {
    try {
--- a/tests/functional/test-libstoreconsumer/meson.build
+++ b/tests/functional/test-libstoreconsumer/meson.build
@@ -1,11 +1,12 @@
 cxx = meson.get_compiler('cpp')

+deps_other = []
 subdir('nix-meson-build-support/common/asan-options')

 libstoreconsumer_tester = executable(
  'test-libstoreconsumer',
  'main.cc',
-  dependencies : [
+  dependencies : deps_other + [
    dependency('nix-store'),
  ],
  build_by_default : false,