From 45e250a9e9f3c3e8e8af2983366b170bf54f890e Mon Sep 17 00:00:00 2001
From: Jia Tan <jiat0218@gmail.com>
Date: Wed, 28 Jun 2023 21:01:22 +0800
Subject: CI: Add test with -fsanitize=address,undefined.

ci_build.sh was updated to accept disabling of __attribute__ ifunc
and CLMUL. This will allow -fsanitize=address to pass because ifunc
is incompatible with -fsanitize=address. The CLMUL implementation has
optimizations that potentially read past the buffer and mask out the
unwanted bytes.

This test will only run on Autotools Linux.
---
 .github/workflows/ci.yml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

(limited to '.github/workflows/ci.yml')

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d00dd0d2..f2e8c70a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,10 +65,10 @@ jobs:
       # -p specifies the phase (build or test) to help narrow down an error
       #    if one occurs.
       #
-      # Start with the 32-bit build because the autoconf cache must be reset
-      # after the build because the 32-bit build sets the CFLAGS env variable.
-      # By starting with the 32-bit build, we only have to clear the
-      # cache once. The 32-bit build is only tested on Autotools Linux.
+      # The first two builds/tests are only run on Autotools Linux and
+      # affect the CFLAGS. Resetting the CFLAGS requires clearing the
+      # config cache between runs, so the tests that require CFLAGS are
+      # done first.
       - name: Build 32-bit
         if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
         run: ./build-aux/ci_build.sh -b autotools -p build -f "-m32"
@@ -78,6 +78,21 @@ jobs:
             ./build-aux/ci_build.sh -b autotools -p test -f "-m32" -n 32_bit
             cd ../xz_build && make distclean
 
+      # ifunc and clmul must be disabled for this test because they will
+      # fail with -fsanitize=address. __attribute__ ifunc is incompatible
+      # with -fsanitize=address.CLMUL optimizations will read past the
+      # bounds of small buffers and mask out the unneeded values. This
+      # triggers -fsanitize=address to report an error even though the
+      # operation is safe.
+      - name: Build with -fsanitize=address,undefined
+        if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
+        run: ./build-aux/ci_build.sh -b autotools -p build -f "-fsanitize=address,undefined" -d ifunc,clmul
+      - name: Test with -fsanitize=address,undefined
+        if: ${{ matrix.os == 'ubuntu-latest' && matrix.build_system == 'autotools' }}
+        run: |
+            ./build-aux/ci_build.sh -b autotools -p test -f "-fsanitize=address,undefined" -d ifunc,clmul
+            cd ../xz_build && make distclean
+
       - name: Build with full features
         run: ./build-aux/ci_build.sh -b ${{ matrix.build_system }} -p build
       - name: Test with full features
-- 
cgit v1.2.3