GitLab

Cheng Shao pushed to branch wip/terrorjack/asan at Glasgow Haskell Compiler / GHC

Commits:

70d366c7

by Cheng Shao at 2025-12-17T00:39:47+01:00

hadrian: add support for building with AddressSanitizer

This patch adds a +asan flavour transformer to hadrian to build all
stage1+ C/C++ code with AddressBehaviorSanitizer. This is particularly
useful to catch potential out-of-bounds and use-after-free bugs in the
RTS codebase.

eff6cc25

by Cheng Shao at 2025-12-17T00:39:51+01:00

ci: add ubsan+asan job

We now have a `x86_64-linux-fedora43-validate+debug_info+ubsan+asan`
validate/nightly job with both UBSan/ASan enabled.

d43effd3
by Cheng Shao at 2025-12-17T00:39:51+01:00
```
rts: add ASAN poisoning to mblock allocator
```

Changes:

.gitlab/generate-ci/gen_ci.hs

@@ -162,6 +162,7 @@ data BuildConfig
                  , tablesNextToCode :: Bool
                  , threadSanitiser :: Bool
                  , ubsan :: Bool
 +                , asan :: Bool
                  , noSplitSections :: Bool
                  , validateNonmovingGc :: Bool
                  , textWithSIMDUTF :: Bool
@@ -173,7 +174,7 @@ configureArgsStr :: BuildConfig -> String
  configureArgsStr bc = unwords $
       ["--enable-unregisterised"| unregisterised bc ]
    ++ ["--disable-tables-next-to-code" | not (tablesNextToCode bc) ]
 -  ++ ["--with-intree-gmp" | Just _ <- pure (crossTarget bc) ]
 +  ++ ["--with-intree-gmp" | isJust (crossTarget bc) || ubsan bc || asan bc ]
    ++ ["--with-system-libffi" | crossTarget bc == Just "wasm32-wasi" ]
    ++ ["--enable-ipe-data-compression" | withZstd bc ]
    ++ ["--enable-strict-ghc-toolchain-check"]
@@ -188,6 +189,7 @@ mkJobFlavour BuildConfig{..} = Flavour buildFlavour opts
             [HostFullyStatic | hostFullyStatic] ++
             [ThreadSanitiser | threadSanitiser] ++
             [UBSan | ubsan] ++
 +           [ASan | asan] ++
             [NoSplitSections | noSplitSections, buildFlavour == Release ] ++
             [BootNonmovingGc | validateNonmovingGc ] ++
             [TextWithSIMDUTF | textWithSIMDUTF]
@@ -201,6 +203,7 @@ data FlavourTrans =
      | HostFullyStatic
      | ThreadSanitiser
      | UBSan
 +    | ASan
      | NoSplitSections
      | BootNonmovingGc
      | TextWithSIMDUTF
@@ -230,6 +233,7 @@ vanilla = BuildConfig
    , tablesNextToCode = True
    , threadSanitiser = False
    , ubsan = False
 +  , asan = False
    , noSplitSections = False
    , validateNonmovingGc = False
    , textWithSIMDUTF = False
@@ -283,8 +287,8 @@ llvm = vanilla { llvmBootstrap = True }
  tsan :: BuildConfig
  tsan = vanilla { threadSanitiser = True }
 -enableUBSan :: BuildConfig
 -enableUBSan = vanilla { withDwarf = True, ubsan = True }
 +enableUBSanASan :: BuildConfig
 +enableUBSanASan = vanilla { withDwarf = True, ubsan = True, asan = True }
  noTntc :: BuildConfig
  noTntc = vanilla { tablesNextToCode = False }
@@ -381,6 +385,7 @@ flavourString (Flavour base trans) = base_string base ++ concatMap (("+" ++) . f
      flavour_string HostFullyStatic = "host_fully_static"
      flavour_string ThreadSanitiser = "thread_sanitizer_cmm"
      flavour_string UBSan = "ubsan"
 +    flavour_string ASan = "asan"
      flavour_string NoSplitSections = "no_split_sections"
      flavour_string BootNonmovingGc = "boot_nonmoving_gc"
      flavour_string TextWithSIMDUTF = "text_simdutf"
@@ -1213,15 +1218,24 @@ fedora_x86 =
    , hackage_doc_job (disableValidate (standardBuildsWithConfig Amd64 (Linux Fedora43) releaseConfig))
    , disableValidate (standardBuildsWithConfig Amd64 (Linux Fedora43) dwarf)
    , disableValidate (standardBuilds Amd64 (Linux Fedora43))
 -    -- For UBSan jobs, only enable for validate/nightly pipelines.
 -    -- Also disable docs since it's not the point for UBSan jobs.
 +    -- For UBSan/ASan jobs, only enable for validate/nightly
 +    -- pipelines. Also disable docs since it's not the point for
 +    -- UBSan/ASan jobs.
 +    --
 +    -- See
 +    -- https://github.com/llvm/llvm-project/blob/llvmorg-21.1.8/compiler-rt/lib/sanitizer_common/sanitizer_flags.inc
 +    -- for ASAN options help, for now these are required to pass the
 +    -- testsuite
    , modifyJobs
        ( setVariable "HADRIAN_ARGS" "--docs=none"
            . addVariable
              "UBSAN_OPTIONS"
              "suppressions=$CI_PROJECT_DIR/rts/.ubsan-suppressions"
 +          . addVariable
 +            "ASAN_OPTIONS"
 +            "detect_leaks=false:handle_segv=0:handle_sigfpe=0:verify_asan_link_order=false"
+       )
 -      $ validateBuilds Amd64 (Linux Fedora43) enableUBSan
 +      $ validateBuilds Amd64 (Linux Fedora43) enableUBSanASan
+   ]
    where
      hackage_doc_job = rename (<> "-hackage") . modifyJobs (addVariable "HADRIAN_ARGS" "--haddock-for-hackage")

.gitlab/jobs.yaml

@@ -3195,7 +3195,7 @@
        "XZ_OPT": "-9"
+     }
    },
 -  "nightly-x86_64-linux-fedora43-validate+debug_info+ubsan": {
 +  "nightly-x86_64-linux-fedora43-validate+debug_info+ubsan+asan": {
      "after_script": [
        ".gitlab/ci.sh save_cache",
        ".gitlab/ci.sh save_test_output",
@@ -3206,7 +3206,7 @@
      "artifacts": {
        "expire_in": "8 weeks",
        "paths": [
 -        "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan.tar.xz",
 +        "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan+asan.tar.xz",
          "junit.xml",
          "unexpected-test-output.tar.gz"
        ],
@@ -3248,14 +3248,15 @@
        "x86_64-linux"
      ],
      "variables": {
 +      "ASAN_OPTIONS": "detect_leaks=false:handle_segv=0:handle_sigfpe=0:verify_asan_link_order=false",
        "BIGNUM_BACKEND": "gmp",
 -      "BIN_DIST_NAME": "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan",
 -      "BUILD_FLAVOUR": "validate+debug_info+ubsan",
 -      "CONFIGURE_ARGS": "--enable-strict-ghc-toolchain-check",
 +      "BIN_DIST_NAME": "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan+asan",
 +      "BUILD_FLAVOUR": "validate+debug_info+ubsan+asan",
 +      "CONFIGURE_ARGS": "--with-intree-gmp --enable-strict-ghc-toolchain-check",
        "HADRIAN_ARGS": "--docs=none",
        "INSTALL_CONFIGURE_ARGS": "--enable-strict-ghc-toolchain-check",
        "RUNTEST_ARGS": "",
 -      "TEST_ENV": "x86_64-linux-fedora43-validate+debug_info+ubsan",
 +      "TEST_ENV": "x86_64-linux-fedora43-validate+debug_info+ubsan+asan",
        "UBSAN_OPTIONS": "suppressions=$CI_PROJECT_DIR/rts/.ubsan-suppressions",
        "XZ_OPT": "-9"
+     }
@@ -7346,7 +7347,7 @@
        "TEST_ENV": "x86_64-linux-fedora43-validate+debug_info"
+     }
    },
 -  "x86_64-linux-fedora43-validate+debug_info+ubsan": {
 +  "x86_64-linux-fedora43-validate+debug_info+ubsan+asan": {
      "after_script": [
        ".gitlab/ci.sh save_cache",
        ".gitlab/ci.sh save_test_output",
@@ -7357,7 +7358,7 @@
      "artifacts": {
        "expire_in": "2 weeks",
        "paths": [
 -        "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan.tar.xz",
 +        "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan+asan.tar.xz",
          "junit.xml",
          "unexpected-test-output.tar.gz"
        ],
@@ -7383,7 +7384,7 @@
      ],
      "rules": [
+       {
 -        "if": "((($ONLY_JOBS) && ($ONLY_JOBS =~ /.*\\bx86_64-linux-fedora43-validate\\+debug_info\\+ubsan(\\s|$).*/)) || (($ONLY_JOBS == null) && ((($CI_MERGE_REQUEST_LABELS =~ /.*full-ci.*/) || ($CI_MERGE_REQUEST_LABELS =~ /.*marge_bot_batch_merge_job.*/) || ($CI_COMMIT_BRANCH == \"master\") || ($CI_COMMIT_BRANCH =~ /ghc-[0-9]+\\.[0-9]+/))))) && ($RELEASE_JOB != \"yes\") && ($NIGHTLY == null)",
 +        "if": "((($ONLY_JOBS) && ($ONLY_JOBS =~ /.*\\bx86_64-linux-fedora43-validate\\+debug_info\\+ubsan\\+asan(\\s|$).*/)) || (($ONLY_JOBS == null) && ((($CI_MERGE_REQUEST_LABELS =~ /.*full-ci.*/) || ($CI_MERGE_REQUEST_LABELS =~ /.*marge_bot_batch_merge_job.*/) || ($CI_COMMIT_BRANCH == \"master\") || ($CI_COMMIT_BRANCH =~ /ghc-[0-9]+\\.[0-9]+/))))) && ($RELEASE_JOB != \"yes\") && ($NIGHTLY == null)",
          "when": "on_success"
+       }
      ],
@@ -7399,14 +7400,15 @@
        "x86_64-linux"
      ],
      "variables": {
 +      "ASAN_OPTIONS": "detect_leaks=false:handle_segv=0:handle_sigfpe=0:verify_asan_link_order=false",
        "BIGNUM_BACKEND": "gmp",
 -      "BIN_DIST_NAME": "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan",
 -      "BUILD_FLAVOUR": "validate+debug_info+ubsan",
 -      "CONFIGURE_ARGS": "--enable-strict-ghc-toolchain-check",
 +      "BIN_DIST_NAME": "ghc-x86_64-linux-fedora43-validate+debug_info+ubsan+asan",
 +      "BUILD_FLAVOUR": "validate+debug_info+ubsan+asan",
 +      "CONFIGURE_ARGS": "--with-intree-gmp --enable-strict-ghc-toolchain-check",
        "HADRIAN_ARGS": "--docs=none",
        "INSTALL_CONFIGURE_ARGS": "--enable-strict-ghc-toolchain-check",
        "RUNTEST_ARGS": "",
 -      "TEST_ENV": "x86_64-linux-fedora43-validate+debug_info+ubsan",
 +      "TEST_ENV": "x86_64-linux-fedora43-validate+debug_info+ubsan+asan",
        "UBSAN_OPTIONS": "suppressions=$CI_PROJECT_DIR/rts/.ubsan-suppressions"
+     }
    },

hadrian/doc/flavours.md

@@ -242,6 +242,10 @@ The supported transformers are listed below:
          <td><code>ubsan</code></td>
          <td>Build all stage1+ C/C++ code with UndefinedBehaviorSanitizer support</td>
      </tr>
 +    <tr>
 +        <td><code>asan</code></td>
 +        <td>Build all stage1+ C/C++ code with AddressSanitizer support</td>
 +    </tr>
      <tr>
          <td><code>llvm</code></td>
          <td>Use GHC's LLVM backend (`-fllvm`) for all stage1+ compilation.</td>

hadrian/src/Flavour.hs

@@ -8,6 +8,7 @@ module Flavour
    , splitSections
    , enableThreadSanitizer
    , enableUBSan
 +  , enableASan
    , enableLateCCS
    , enableHashUnitIds
    , enableDebugInfo, enableTickyGhc
@@ -56,6 +57,7 @@ flavourTransformers = M.fromList
      , "thread_sanitizer" =: enableThreadSanitizer False
      , "thread_sanitizer_cmm" =: enableThreadSanitizer True
      , "ubsan"            =: enableUBSan
 +    , "asan"             =: enableASan
      , "llvm"             =: viaLlvmBackend
      , "profiled_ghc"     =: enableProfiledGhc
      , "no_dynamic_ghc"   =: disableDynamicGhcPrograms
@@ -303,6 +305,28 @@ enableUBSan =
            builder Testsuite ? arg "--config=have_ubsan=True"
+         ]
 +-- | Build all stage1+ C/C++ code with AddressSanitizer support:
 +-- https://clang.llvm.org/docs/AddressSanitizer.html
 +enableASan :: Flavour -> Flavour
 +enableASan =
 +  addArgs $
 +    notStage0
 +      ? mconcat
 +        [ package rts
 +            ? builder (Cabal Flags)
 +            ? arg "+asan"
 +            <> (needSharedLibSAN ? arg "+shared-libsan"),
 +          builder (Ghc CompileHs) ? arg "-optc-fsanitize=address",
 +          builder (Ghc CompileCWithGhc) ? arg "-optc-fsanitize=address",
 +          builder (Ghc CompileCppWithGhc) ? arg "-optcxx-fsanitize=address",
 +          builder (Ghc LinkHs)
 +            ? arg "-optc-fsanitize=address"
 +            <> arg "-optl-fsanitize=address"
 +            <> (needSharedLibSAN ? arg "-optl-shared-libsan"),
 +          builder (Cc CompileC) ? arg "-fsanitize=address",
 +          builder Testsuite ? arg "--config=have_asan=True"
 +        ]
++
  -- | Use the LLVM backend in stages 1 and later.
  viaLlvmBackend :: Flavour -> Flavour
  viaLlvmBackend = addArgs $ notStage0 ? builder Ghc ? arg "-fllvm"

rts/include/Stg.h

@@ -335,6 +335,7 @@ external prototype return neither of these types to workaround #11395.
  #include "stg/MachRegsForHost.h"
  #include "stg/Regs.h"
  #include "stg/Ticky.h"
 +#include "rts/ASANUtils.h"
  #include "rts/TSANUtils.h"
  #if IN_STG_CODE

rts/include/rts/ASANUtils.h

 +#pragma once
++
 +#if defined(__SANITIZE_ADDRESS__)
 +#define ASAN_ENABLED
 +#elif defined(__has_feature)
 +#if __has_feature(address_sanitizer)
 +#define ASAN_ENABLED
 +#endif
 +#endif
++
 +#if defined(ASAN_ENABLED)
 +#include <sanitizer/asan_interface.h>
 +#define USED_IF_ASAN
 +#else
 +#include <stdlib.h>
 +#define USED_IF_ASAN __attribute__((unused))
 +#endif
++
 +static inline void
 +__ghc_asan_poison_memory_region(void const volatile *addr USED_IF_ASAN,
 +                                size_t size USED_IF_ASAN) {
 +#if defined(ASAN_ENABLED)
 +  __asan_poison_memory_region(addr, size);
 +#endif
 +}
++
 +static inline void
 +__ghc_asan_unpoison_memory_region(void const volatile *addr USED_IF_ASAN,
 +                                  size_t size USED_IF_ASAN) {
 +#if defined(ASAN_ENABLED)
 +  __asan_unpoison_memory_region(addr, size);
 +#endif
 +}

rts/rts.cabal

@@ -97,6 +97,12 @@ flag ubsan
      UndefinedBehaviorSanitizer.
    default: False
    manual: True
 +flag asan
 +  description:
 +    Link with -fsanitize=address, to be enabled when building with
 +    AddressSanitizer.
 +  default: False
 +  manual: True
  flag shared-libsan
    description:
      Link with -shared-libsan, to guarantee only one copy of the
@@ -216,6 +222,9 @@ library
        if flag(ubsan)
          ld-options: -fsanitize=undefined
 +      if flag(asan)
 +        ld-options: -fsanitize=address
++
        if flag(shared-libsan)
          ld-options: -shared-libsan
@@ -280,6 +289,7 @@ library
                          -- ^ generated
                          rts/ghc_ffi.h
                          rts/Adjustor.h
 +                        rts/ASANUtils.h
                          rts/ExecPage.h
                          rts/BlockSignals.h
                          rts/Bytecodes.h

rts/sm/MBlock.c

@@ -579,6 +579,8 @@ getMBlocks(uint32_t n)
      ret = getCommittedMBlocks(n);
 +    __ghc_asan_unpoison_memory_region(ret, (W_)n * MBLOCK_SIZE);
++
      debugTrace(DEBUG_gc, "allocated %d megablock(s) at %p",n,ret);
      mblocks_allocated += n;
@@ -611,6 +613,8 @@ freeMBlocks(void *addr, uint32_t n)
      mblocks_allocated -= n;
 +    __ghc_asan_poison_memory_region(addr, (W_)n * MBLOCK_SIZE);
++
      decommitMBlocks(addr, n);
+ }

testsuite/driver/testglobals.py

@@ -189,6 +189,9 @@ class TestConfig:
          # Are we running with UndefinedBehaviorSanitizer enabled?
          self.have_ubsan = False
 +        # Are we running with AddressSanitizer enabled?
 +        self.have_asan = False
++
          # Do symbols use leading underscores?
          self.leading_underscore = False

testsuite/driver/testlib.py

@@ -1093,6 +1093,9 @@ def have_thread_sanitizer( ) -> bool:
  def have_ubsan( ) -> bool:
      return config.have_ubsan
 +def have_asan( ) -> bool:
 +    return config.have_asan
++
  def gcc_as_cmmp() -> bool:
      return config.cmm_cpp_is_gcc

testsuite/tests/rts/T18623/all.T

@@ -8,6 +8,8 @@ test('T18623',
       # Recent versions of osx report an error when running `ulimit -v`
       when(opsys('darwin'), skip),
       when(arch('powerpc64le'), skip),
 +     # ASan can't allocate shadow memory
 +     when(have_asan(), skip),
       cmd_prefix('ulimit -v ' + str(8 * 1024 ** 2) + ' && '),
       ignore_stdout],
      run_command,

testsuite/tests/rts/all.T

@@ -105,6 +105,8 @@ def remove_parenthesis(s):
      return re.sub(r'\s+\([^)]*\)', '', s)
  test('outofmem', [ when(opsys('darwin'), skip),
 +                   # ASan shadow memory allocation blows up
 +                   when(have_asan(), skip),
                     # this is believed to cause other processes to die
                     # that happen concurrently while the outofmem test
                     # runs in CI. As such we'll need to disable it on