ci: Enable address and undefined behavior sanitizers

meson supports the following sanitizers: "address" (e.g. out-of-bounds
memory access, use-after-free, etc.), "thread" (data races), "undefined"
(e.g. signed integer overflow), and "memory" (use of uninitialized
memory). Note that not all sanitizers are supported by all compilers,
and that more sanitizers exist.

Not all sanitizers can be enabled at the same time, but "address" and
"undefined" can. Both thread and memory sanitizers require an instrumented
build of all dependencies, including libc.

gcc and clang use different implementations of these sanitizers and
have proven to find different issues. Create CI jobs for both.

Signed-off-by: Tim Wiederhake <twiederh@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 11a201563f094af17942690cfad1712aaa3886d8..b5930a0a46d55fe0e5b6a861b317d6059522d55a 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -70,6 +70,26 @@ stages:
         meson test -C build --no-suite syntax-check --print-errorlogs;
       fi
 
+.sanitizer_build_job:
+  stage: builds
+  image: $CI_REGISTRY_IMAGE/ci-ubuntu-2004:latest
+  needs:
+    - x64-ubuntu-2004-container
+  rules:
+    - if: "$TEMPORARILY_DISABLED"
+      allow_failure: true
+    - when: on_success
+  cache:
+    paths:
+      - ccache/
+    key: "$CI_JOB_NAME"
+  before_script:
+    - *script_variables
+  script:
+    - meson build --werror -Db_lundef=false -Db_sanitize="$SANITIZER"
+    - ninja -C build;
+    - ninja -C build test;
+
 # Jobs that we delegate to Cirrus CI because they require an operating
 # system other than Linux. These jobs will only run if the required
 # setup has been performed on the GitLab account (see ci/README.rst).
@@ -518,6 +538,21 @@ mingw64-fedora-rawhide:
     NAME: fedora-rawhide
     CROSS: mingw64
 
+# Sanitizers
+
+sanitize-gcc:
+  extends: .sanitizer_build_job
+  variables:
+    ASAN_OPTIONS: verify_asan_link_order=0
+    CC: gcc
+    SANITIZER: address,undefined
+
+sanitize-clang:
+  extends: .sanitizer_build_job
+  variables:
+    CC: clang
+    SANITIZER: address,undefined
+
 
 # This artifact published by this job is downloaded by libvirt.org to
 # be deployed to the web root: