Stabilize mandatory CI lanes (R1): TSan suppressions, MSan retirement, scanner fix #41
Open
CharlesHoskinson wants to merge 15 commits into
Suppression file at root, issue-linked (#38, #39); llvm-symbolizer installed so suppressions actually match; tsan presets carry the same TSAN_OPTIONS. Wrong-thread tests skip under TSan instead of being suppressed. MSan matrix leg removed (re-entry tracked in #40). osv-scanner invocation replaced with a recursive JSON scan; mutes stay until a triaged dispatch run lands. Gate demotion rule recorded in CONTRIBUTING. TSan allow_failure stays until the first suppressed run is green (#38).
ASan: alloc_dealloc_mismatch=0 for the uninstrumented system libc++/libc++abi pair (191 false positives); real fix for DOSBoxContext move ctor/assignment dropping memory/dma/dos/dos_filesystem ownership (16MB leak per move, caught by LSan). UBSan: FORCE_INT sentinels widen the dosbox_error_code/dosbox_log_level value range so forged FFI values are representable (the defensive default: arms were UB-unreachable). Fuzz: lane gets libc++ like every other clang lane (clang-18 + libstdc++ lacks <expected>). Sanitizers matrix gets fail-fast:false so legs report independently. Dependency scan unmuted: vulns fail the job; exit 128 (no parseable sources) is the documented baseline pending SBOM (#42).
…l link TSan allow_failure dropped after bring-up run 27304193585 went green under suppressions (4511/4511); the dead continue-on-error wiring goes with it. fuzz_config_parser recompiles src/app/config_parser.cpp directly, so it links gsl-lite itself with legends_core's contract config (gsl-lite is deliberately PRIVATE and doesn't propagate). Dependency scan: first honest run detected vendored fluidsynth CVEs (CVE-2021-21417, CVE-2025-56225) - baselined in osv-scanner.toml with issue #43 as the exit; new findings fail the job.
…order The clang-rt fuzzer archive references libstdc++ internals; with -stdlib=libc++ those go unresolved because the driver appends the runtime after user libraries. --no-as-needed -lstdc++ keeps libstdc++ available to it. Move-ctor init list reordered to declaration order (the public state members precede the private fields).
The driver appends libclang_rt.fuzzer after all user libraries, where its libstdc++ references can't be resolved in a -stdlib=libc++ link. Under libc++ the fuzz targets now link the runtime archive explicitly followed by libstdc++ (fuzzer-no-link keeps the coverage instrumentation); plain libstdc++ builds are unchanged. Supersedes the LDFLAGS attempt.
A plain -lstdc++ under -stdlib=libc++ was not honored at its command-line position; the verbatim shared-object path is.
fuzz_input_injection calls pal::Platform init/shutdown - link legends_pal. fuzz_config_parser's recompiled config_parser.cpp calls legends::getConfigDir() - compile src/app/platform_dirs.cpp into the target. First-ever link of these targets; the lane never built since being made mandatory.
ci.yml's fuzz_config_parser steps point at corpus/config, which the generator never created (libFuzzer aborts on a missing directory). Seeds cover minimal, typical, malformed, and empty configs.
All R1 exit criteria met; openspec change
windows-2026 image (VS 18, MSVC 19.51) emits C4875 in gsl-lite under /WX. Rollout is gradual: green on windows-2025 at 03:00 UTC, red on windows-2026 at 17:02 UTC the same day. Unpin tracked separately.
This reverts commit 9fa8bd3.
VS 18 2026 (MSVC 19.51) reached both windows-latest and windows-2025 images in-place, so runner pinning cannot hold the toolchain; the prior pin is reverted. C4875 fires inside gsl-lite (gsl-lite.hpp:2218), not project code.
Implements openspec change ci-stabilize-mandatory-lanes (CI-THESIS.md R1), migration steps 1-2.
Summary
tsan-suppressions.txt at root, one issue-linked entry per race family (TSan: engine global-state race family (REQ-TH-004) #38, TSan: CrashBreadcrumb::add ring-buffer race #39); wired into the thread matrix env and both tsan presets; llvm-18 installed so suppressions symbolize. allow_failure stays on TSan until this PR's run proves the suppressed leg green, then it is dropped here (TSan: engine global-state race family (REQ-TH-004) #38).
tests/unit/test_thread_safety.cpp) skip under TSan via feature-detect instead of suppression - suppressing them would mask real races in the same paths.
dependency-scan: the --lockfile cmake/dependencies.cmake invocation was never parseable; replaced with a recursive JSON scan of the vendored trees. Mutes (|| true, continue-on-error) remain until a dispatch run is triaged, then are removed per design D5.
Verification
address,undefined,thread legs and fuzz job are the evidence run; TSan log should show suppressions matching (report count zero) with frames symbolized.
allow_failure once green; ASan/UBSan/fuzz triage from this run's logs (design D6); dependency-scan dispatch + unmute (D5).
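The UBSan commit message above says FORCE_INT sentinels widen the enum value range so that forged FFI values become representable and the defensive default arm becomes reachable. The following is an added example, not code from this PR or the project: demo_error_code, its enumerators and both helper functions are hypothetical, and it also covers negative values, which the sentinel alone does not bring into range.

```cpp
// Added illustration. demo_error_code, its enumerators and the helpers are
// hypothetical stand-ins, not the project's dosbox_error_code.
#include <cstdint>
#include <cstring>

// Enum shared with C callers, so it has no fixed underlying type. Without the
// sentinel, C++ defines only the values 0..3 for it: loading a forged 9999 is
// undefined behaviour (reported by -fsanitize=enum), and a default arm written
// to catch it may be treated as unreachable by the compiler.
typedef enum demo_error_code {
    DEMO_OK = 0,
    DEMO_ERR_INVALID_ARG = 1,
    DEMO_ERR_NOT_INITIALIZED = 2,
    DEMO_ERR_FORCE_INT = 0x7FFFFFFF  // sentinel: value range becomes 0..INT32_MAX
} demo_error_code;

// Defensive mapping for codes that arrive across the FFI boundary. With the
// sentinel in place the default arm is well defined for any non-negative value.
inline const char* demo_error_name(demo_error_code code) {
    switch (code) {
        case DEMO_OK:                  return "ok";
        case DEMO_ERR_INVALID_ARG:     return "invalid-argument";
        case DEMO_ERR_NOT_INITIALIZED: return "not-initialized";
        case DEMO_ERR_FORCE_INT:       break;  // sentinel is never a real code
        default:                       break;  // forged or unknown value
    }
    return "unknown";
}

// Boundary check on the raw integer. Negative values are still outside the
// widened range (no enumerator is negative), so they are rejected before the
// cast rather than after it.
inline bool demo_error_from_raw(std::int32_t raw, demo_error_code* out) {
    if (raw < 0) return false;
    *out = static_cast<demo_error_code>(raw);
    return true;
}

// True only for codes the library itself would return.
inline bool demo_error_is_known(demo_error_code code) {
    return std::strcmp(demo_error_name(code), "unknown") != 0;
}
```

Building this with -fsanitize=enum and removing the sentinel line is a quick way to see the report the commit message refers to when a caller passes 9999.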