GitLab

Cheng Shao pushed to branch wip/ubsan at Glasgow Haskell Compiler / GHC

Commits:

2cf983a0

by Cheng Shao at 2025-11-08T13:28:25+01:00

hadrian: add support for building with UndefinedBehaviorSanitizer

This patch adds a +ubsan flavour transformer to hadrian to build all
stage1+ C/C++ code with UndefinedBehaviorSanitizer. This is
particularly useful to catch potential undefined behavior in the RTS
codebase.

5 changed files:

hadrian/doc/flavours.md
hadrian/src/Flavour.hs
rts/rts.cabal
testsuite/driver/testglobals.py
testsuite/driver/testlib.py

Changes:

hadrian/doc/flavours.md

@@ -238,6 +238,10 @@ The supported transformers are listed below:
          <td><code>thread_sanitizer</code></td>
          <td>Build the runtime system with ThreadSanitizer support</td>
      </tr>
 +    <tr>
 +        <td><code>ubsan</code></td>
 +        <td>Build all stage1+ C/C++ code with UndefinedBehaviorSanitizer support</td>
 +    </tr>
      <tr>
          <td><code>llvm</code></td>
          <td>Use GHC's LLVM backend (`-fllvm`) for all stage1+ compilation.</td>

hadrian/src/Flavour.hs

@@ -7,6 +7,7 @@ module Flavour
    , addArgs
    , splitSections
    , enableThreadSanitizer
 +  , enableUBSan
    , enableLateCCS
    , enableHashUnitIds
    , enableDebugInfo, enableTickyGhc
@@ -33,6 +34,9 @@ import Data.Either
  import Data.Map (Map)
  import qualified Data.Map as M
  import qualified Data.Set as Set
 +import GHC.Platform.ArchOS
 +import Oracles.Flag
 +import Oracles.Setting
  import Packages
  import Flavour.Type
  import Settings.Parser
@@ -53,6 +57,7 @@ flavourTransformers = M.fromList
      , "no_split_sections" =: noSplitSections
      , "thread_sanitizer" =: enableThreadSanitizer False
      , "thread_sanitizer_cmm" =: enableThreadSanitizer True
 +    , "ubsan"            =: enableUBSan
      , "llvm"             =: viaLlvmBackend
      , "profiled_ghc"     =: enableProfiledGhc
      , "no_dynamic_ghc"   =: disableDynamicGhcPrograms
@@ -258,6 +263,66 @@ enableThreadSanitizer instrumentCmm = addArgs $ notStage0 ? mconcat
+         ]
+     ]
 +-- | Whether or not -shared-libsan should be passed to clang at
 +-- link-time.
 +--
 +-- See
 +-- https://github.com/llvm/llvm-project/blob/llvmorg-21.1.5/clang/lib/Driver/SanitizerArgs.cpp#L1008,
 +-- clang defaults to -shared-libsan on darwin/windows and
 +-- -static-libsan on linux. In general, -static-libsan is incredibly
 +-- problematic when multiple copies of the sanitizer runtimes coexist
 +-- in the same address space due to being linked into multiple Haskell
 +-- libraries. So we should explicitly specify `-shared-libsan` if
 +-- needed.
 +--
 +-- A small downside of -shared-libsan is the clang-specific sanitizer
 +-- runtime shared library path needs to be manually specified via
 +-- @export LD_LIBRARY_PATH=$(dirname $(clang -print-libgcc-file-name
 +-- -rtlib=compiler-rt))@ for ld.so to find it at runtime.
 +needSharedLibSAN :: Action Bool
 +needSharedLibSAN = do
 +  is_clang <- flag CcLlvmBackend
 +  is_default_shared_libsan <- anyTargetOs [OSDarwin, OSMinGW32]
 +  pure $ is_clang && not is_default_shared_libsan
++
 +-- | Build all stage1+ C/C++ code with UndefinedBehaviorSanitizer
 +-- support:
 +-- https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html.
 +--
 +-- Note that we also pass -fno-sanitize=function to clang, since
 +-- "runtime call to function foo through pointer to incorrect function
 +-- type" is unfortunately pretty common (e.g. evac_fn in rts) and
 +-- impact the signal to noise ratio of UBSAN warnings. gcc doesn't
 +-- implement this instrumentation though.
 +enableUBSan :: Flavour -> Flavour
 +enableUBSan =
 +  addArgs $
 +    notStage0
 +      ? mconcat
 +        [ package rts
 +            ? builder (Cabal Flags)
 +            ? arg "+ubsan"
 +            <> (needSharedLibSAN ? arg "+shared-libsan"),
 +          builder (Ghc CompileHs)
 +            ? arg "-optc-fsanitize=undefined"
 +            <> (flag CcLlvmBackend ? arg "-optc-fno-sanitize=function"),
 +          builder (Ghc CompileCWithGhc)
 +            ? arg "-optc-fsanitize=undefined"
 +            <> (flag CcLlvmBackend ? arg "-optc-fno-sanitize=function"),
 +          builder (Ghc CompileCppWithGhc)
 +            ? arg "optcxx-fsanitize=undefined"
 +            <> (flag CcLlvmBackend ? arg "-optcxx-fno-sanitize=function"),
 +          builder (Ghc LinkHs)
 +            ? arg "-optc-fsanitize=undefined"
 +            <> arg "-optl-fsanitize=undefined"
 +            <> (needSharedLibSAN ? arg "-optl-shared-libsan")
 +            <> (flag CcLlvmBackend ? arg "-optc-fno-sanitize=function"),
 +          builder (Cc CompileC)
 +            ? arg "-fsanitize=undefined"
 +            <> (flag CcLlvmBackend ? arg "-fno-sanitize=function"),
 +          builder Testsuite ? arg "--config=have_ubsan=True"
 +        ]
++
  -- | Use the LLVM backend in stages 1 and later.
  viaLlvmBackend :: Flavour -> Flavour
  viaLlvmBackend = addArgs $ notStage0 ? builder Ghc ? arg "-fllvm"

rts/rts.cabal

@@ -91,6 +91,19 @@ flag thread-sanitizer
      in @rts/include/rts/TSANUtils.h@.
    default: False
    manual: True
 +flag ubsan
 +  description:
 +    Link with -fsanitize=undefined, to be enabled when building with
 +    UndefinedBehaviorSanitizer.
 +  default: False
 +  manual: True
 +flag shared-libsan
 +  description:
 +    Link with -shared-libsan, to guarantee only one copy of the
 +    sanitizer runtimes exist in the address space. See
 +    needSharedLibSAN in hadrian/src/Flavour.hs.
 +  default: False
 +  manual: True
  library
      -- rts is a wired in package and
@@ -200,6 +213,12 @@ library
          cc-options: -fsanitize=thread
          ld-options: -fsanitize=thread
 +      if flag(ubsan)
 +        ld-options: -fsanitize=undefined
++
 +      if flag(shared-libsan)
 +        ld-options: -shared-libsan
++
        if os(linux)
           -- the RTS depends upon libc. while this dependency is generally
           -- implicitly added by `cc`, we must explicitly add it here to ensure

testsuite/driver/testglobals.py

@@ -186,6 +186,9 @@ class TestConfig:
          # Are we running in a ThreadSanitizer-instrumented build?
          self.have_thread_sanitizer = False
 +        # Are we running with UndefinedBehaviorSanitizer enabled?
 +        self.have_ubsan = False
++
          # Do symbols use leading underscores?
          self.leading_underscore = False

testsuite/driver/testlib.py

@@ -1090,6 +1090,8 @@ def llvm_build ( ) -> bool:
  def have_thread_sanitizer( ) -> bool:
      return config.have_thread_sanitizer
 +def have_ubsan( ) -> bool:
 +    return config.have_ubsan
  def gcc_as_cmmp() -> bool:
      return config.cmm_cpp_is_gcc