ci: add a asan+ubsan test run on x86_64-linux

This should at least catch out blatantly bad patches that don't pass the test suite with ASan. We don't do this to the integration tests since they run on relatively limited-memory VMs and so it may not be super safe to run an evaluator with leak driven garbage collection for them. Fixes: https://git.lix.systems/lix-project/lix/issues/403 Fixes: https://git.lix.systems/lix-project/lix/issues/319 Change-Id: I5267b02626866fd33e8b4d8794344531af679f78
author: Jade Lovelace <lix@jade.fyi> 2024-07-23 22:43:38 +0200
committer: Jade Lovelace <lix@jade.fyi> 2024-07-31 14:13:39 -0700
commit: e51263057f21e77602481d6a6d826ff8cc0c1db0 (patch)
tree: 821ee4284b14626fa39bc485cffb709014661b47
parent: 19ae87e5cec71912c7e7ecec5dc8ff18d18c60ee (diff)
2 files changed, 21 insertions, 1 deletions
diff --git a/flake.nix b/flake.nix
index cec970974..9a3087c4b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -275,6 +275,15 @@
 
         # System tests.
         tests = import ./tests/nixos { inherit lib nixpkgs nixpkgsFor; } // {
+          # This is x86_64-linux only, just because we have significantly
+          # cheaper x86_64-linux compute in CI.
+          # It is clangStdenv because clang's sanitizers are nicer.
+          asanBuild = self.packages.x86_64-linux.nix-clangStdenv.override {
+            sanitize = [
+              "address"
+              "undefined"
+            ];
+          };
 
           # Make sure that nix-env still produces the exact same result
           # on a particular version of Nixpkgs.
diff --git a/package.nix b/package.nix
index 61015bac9..0807ec1de 100644
--- a/package.nix
+++ b/package.nix
@@ -57,6 +57,10 @@
   buildUnreleasedNotes ? true,
   internalApiDocs ? false,
 
+  # List of Meson sanitize options. Accepts values of b_sanitize, e.g.
+  # "address", "undefined", "thread".
+  sanitize ? null,
+
   # Not a real argument, just the only way to approximate let-binding some
   # stuff for argument defaults.
   __forDefaults ? {
@@ -166,6 +170,12 @@ stdenv.mkDerivation (finalAttrs: {
   dontBuild = false;
 
   mesonFlags =
+    let
+      sanitizeOpts = lib.optionals (sanitize != null) (
+        [ "-Db_sanitize=${builtins.concatStringsSep "," sanitize}" ]
+        ++ lib.optional (builtins.elem "address" sanitize) "-Dgc=disabled"
+      );
+    in
     lib.optionals hostPlatform.isLinux [
       # You'd think meson could just find this in PATH, but busybox is in buildInputs,
       # which don't actually get added to PATH. And buildInputs is correct over
@@ -182,7 +192,8 @@ stdenv.mkDerivation (finalAttrs: {
       (lib.mesonBool "enable-tests" finalAttrs.finalPackage.doCheck)
       (lib.mesonBool "enable-docs" canRunInstalled)
     ]
-    ++ lib.optional (hostPlatform != buildPlatform) "--cross-file=${mesonCrossFile}";
+    ++ lib.optional (hostPlatform != buildPlatform) "--cross-file=${mesonCrossFile}"
+    ++ sanitizeOpts;
 
   # We only include CMake so that Meson can locate toml11, which only ships CMake dependency metadata.
   dontUseCmakeConfigure = true;
author	Jade Lovelace <lix@jade.fyi>	2024-07-23 22:43:38 +0200
committer	Jade Lovelace <lix@jade.fyi>	2024-07-31 14:13:39 -0700
commit	e51263057f21e77602481d6a6d826ff8cc0c1db0 (patch)
tree	821ee4284b14626fa39bc485cffb709014661b47
parent	19ae87e5cec71912c7e7ecec5dc8ff18d18c60ee (diff)