-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
374 lines (355 loc) · 16.8 KB
/
Linux-asan-ubsan.yml
File metadata and controls
374 lines (355 loc) · 16.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
name: CI Linux ASan + UBSan [No Menu]
# Builds full RetroArch with -fsanitize=address,undefined and runs
# headless smoke invocations. Three coverage tiers, in increasing
# order of how much of the binary they actually instrument:
#
# 1. --help and --features. Exit(0) directly after printing.
# Coverage scope: libc init, main(), frontend driver bootstrap,
# argv duplication, the getopt walk, and the print functions.
# Strict ASan + UBSan -- baseline confirmed clean (run #1).
#
# 2. Headless imageviewer core under Xvfb + sdl2 video driver +
# null audio driver, --max-frames=300 for a clean shutdown
# through the normal runloop teardown. Exercises core loading
# via dlopen, the imageviewer's stb_image-driven loader, the
# SDL2 + X11 + MIT-SHM rendering pipeline, the runloop, and
# cleanup-on-shutdown. Soft-fail (continue-on-error) on this
# first iteration: lots can go wrong (libGL leaks, driver
# init noise) that aren't RetroArch bugs but would fail the
# run if treated strictly. Sanitizer findings are still
# surfaced in step output for triage.
#
# The per-sample tests under .github/workflows/Linux-samples-gfx.yml,
# Linux-samples-tasks.yml, and Linux-libretro-{db,common}-samples.yml
# regression-test specific predicates that previously had bugs. This
# job is complementary -- it covers everything those harnesses can't
# reach because the code only runs from main(), and catches future
# heap-corruption / UB regressions across the whole code base for
# free as a side effect of any change that can be exercised by a
# headless run.
#
# Build configuration matches Linux-Headless.yml (--disable-menu) with
# additional --disable-discord --disable-cheevos --disable-networking
# to shrink the third-party surface on this first iteration. Each can
# be re-enabled once the baseline is green.
on:
push:
branches:
- master
pull_request:
branches:
- master
workflow_dispatch:
permissions:
contents: read
env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
jobs:
asan-ubsan:
name: Build with ASan+UBSan and run headless smoke
runs-on: ubuntu-latest
timeout-minutes: 25
steps:
- name: Install dependencies
# Mirrors Linux-Headless.yml's apt set so the build matches a
# known-good headless configuration. Adds:
# xvfb / x11-utils -- virtual X server for the imageviewer
# smoke step + xdpyinfo for diagnostics
# libsdl2-dev (already in the base set) provides the SDL2
# video driver used by that smoke -- see the smoke step's
# comment for why SDL2 over xvideo. No sanitizer-specific
# packages required; libasan / libubsan ship with the gcc
# that ubuntu-latest has installed by default.
run: |
sudo apt-get update -y
sudo apt-get install -y \
build-essential \
libxkbcommon-dev libx11-xcb-dev \
xvfb x11-utils \
zlib1g-dev libfreetype6-dev \
libegl1-mesa-dev libgles2-mesa-dev libgbm-dev \
nvidia-cg-toolkit nvidia-cg-dev \
libavcodec-dev libsdl2-dev libsdl-image1.2-dev \
libxml2-dev yasm
- name: Checkout
uses: actions/checkout@v3
- name: Configure (no menu, no discord/cheevos/networking, sdl2 on)
# Trim the build surface for the first iteration so any
# sanitizer hit is a RetroArch-internal bug rather than noise
# from a vendored third-party subsystem. The disabled
# subsystems will be re-enabled in follow-up patches as the
# baseline stays green. --enable-sdl2 is explicit because
# the imageviewer smoke step below selects sdl2 as the video
# driver; if its build deps were ever missing, a silent fall-
# back to a different driver would skew the smoke's coverage
# without warning.
run: |
./configure \
--disable-menu \
--disable-discord \
--disable-cheevos \
--disable-networking \
--enable-sdl2
- name: Build with -fsanitize=address,undefined
# The top-level Makefile (line 153) propagates SANITIZER into
# CFLAGS / CXXFLAGS / LDFLAGS for every translation unit and
# the final link. ASan defaults to abort-on-heap-corruption;
# UBSan recovery is controlled at runtime via UBSAN_OPTIONS
# (see the smoke-run steps below).
run: |
make -j$(getconf _NPROCESSORS_ONLN) \
SANITIZER=address,undefined
test -x retroarch
file retroarch
- name: Smoke run --help (ASan + UBSan strict)
# `--help` exits cleanly via exit(0) after printing the usage
# banner. Coverage scope: libc init, main(), frontend
# driver bootstrap, argv duplication, the getopt walk over
# the full option table, and retroarch_print_help() itself.
# Doesn't reach into core loading / video init / cleanup-on-
# shutdown; the imageviewer smoke step below covers those.
# ASan and UBSan both run in halt-on-error mode: the first
# run of this workflow (Apr 28 2026, run #1) reported zero
# distinct UBSan diagnostics across both --help and
# --features, so the baseline for these two surfaces is
# clean and we enforce it. If a future change introduces
# signed-overflow / alignment / shift-too-large UB along
# the option-parsing or print paths, this step will fail
# and the diagnostic line will be in the captured stderr.
env:
ASAN_OPTIONS: abort_on_error=1:detect_leaks=0:print_stacktrace=1:strict_string_checks=1
UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
# Avoid noise from libGL / Mesa / Wayland symbol-resolution
# leaks at process shutdown; those are not RetroArch bugs.
LSAN_OPTIONS: exitcode=0
run: |
set -eu
timeout 30 ./retroarch --help > /tmp/help.out 2> /tmp/help.err || rc=$?
echo "exit=${rc:-0}"
echo "=== stdout (head) ==="
head -40 /tmp/help.out
echo "=== stderr ==="
cat /tmp/help.err
# ASan abort_on_error sends the process to exit code 1 + a
# SUMMARY: line on stderr. Treat any "AddressSanitizer:"
# or UBSan "runtime error:" marker as fatal regardless of
# exit code -- belt-and-suspenders to the runtime options
# in case a future sanitizer release changes its default
# exit semantics.
if grep -q "AddressSanitizer:" /tmp/help.err; then
echo "[FAIL] AddressSanitizer reported a finding"
exit 1
fi
if grep -q "runtime error:" /tmp/help.err; then
echo "[FAIL] UBSan reported a finding"
exit 1
fi
echo "[pass] retroarch --help under ASan+UBSan"
- name: Smoke run --features (ASan + UBSan strict)
# `--features` exits cleanly via exit(0) after printing the
# compile-time feature list. Coverage scope is the same as
# --help (libc init / main / frontend bootstrap / arg parse)
# plus retroarch_print_features(), which walks the static
# video / audio / input / camera / location / record / cheats
# / network / database / overlay / hid feature tables. Each
# such walk reads pointers into a static-string table -- low
# corruption surface but a useful sanity check that the link-
# time feature flags resolve consistently. Doesn't reach
# core loading or cleanup-on-shutdown. Like the --help step
# this enforces UBSan strict because the baseline is clean.
env:
ASAN_OPTIONS: abort_on_error=1:detect_leaks=0:print_stacktrace=1:strict_string_checks=1
UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
LSAN_OPTIONS: exitcode=0
run: |
set -eu
timeout 30 ./retroarch --features > /tmp/features.out 2> /tmp/features.err || rc=$?
echo "exit=${rc:-0}"
echo "=== stdout (head) ==="
head -40 /tmp/features.out
echo "=== stderr ==="
cat /tmp/features.err
if grep -q "AddressSanitizer:" /tmp/features.err; then
echo "[FAIL] AddressSanitizer reported a finding"
exit 1
fi
if grep -q "runtime error:" /tmp/features.err; then
echo "[FAIL] UBSan reported a finding"
exit 1
fi
echo "[pass] retroarch --features under ASan+UBSan"
- name: Build imageviewer core under ASan + UBSan
# The standalone Makefile under cores/libretro-imageviewer/
# honours the same SANITIZER= knob as the top-level Makefile
# (added in the v9 Makefile cleanup, efae310). Building the
# core with sanitizers enabled means the stb_image-driven
# decode path is fully instrumented when RetroArch dlopens
# it -- ASan would otherwise only catch heap corruption via
# the global allocator interceptor and would miss stack-
# buffer-overflow / use-after-return inside stb_image
# itself. Same SANITIZER= value as the main build.
run: |
set -eu
cd cores/libretro-imageviewer
make clean
make SANITIZER=address,undefined
test -x image_core.so
file image_core.so
- name: Generate test PNG for imageviewer
# Tiny 8x8 solid-red PNG, 75 bytes. Hand-rolled via Python
# struct + zlib to avoid an apt dependency on imagemagick or
# similar. Python ships on every ubuntu-latest by default.
# Saved under /tmp because the workspace lives on a path
# GitHub Actions cleans up post-run anyway.
run: |
set -eu
python3 - <<'PY'
import struct, zlib
def chunk(name, data):
crc = zlib.crc32(name + data)
return struct.pack('>I', len(data)) + name + data + \
struct.pack('>I', crc)
sig = b'\x89PNG\r\n\x1a\n'
ihdr = chunk(b'IHDR',
struct.pack('>IIBBBBB', 8, 8, 8, 2, 0, 0, 0))
raw = b''
for _ in range(8):
raw += b'\x00' + b'\xff\x00\x00' * 8
idat = chunk(b'IDAT', zlib.compress(raw))
iend = chunk(b'IEND', b'')
with open('/tmp/test.png', 'wb') as f:
f.write(sig + ihdr + idat + iend)
PY
file /tmp/test.png
- name: Smoke run imageviewer headless under Xvfb (soft-fail)
# Loads cores/libretro-imageviewer/image_core.so against a
# tiny PNG, runs --max-frames=300 (~5s nominal at 60fps,
# ~15-25s under sanitizer overhead), then exits via the
# normal runloop teardown path. Covers what the --help and
# --features smokes can't: dlopen of a libretro core,
# retro_load_game, the stb_image decode path, the SDL2 +
# X11 + MIT-SHM rendering pipeline, the runloop, and full
# cleanup-on-shutdown.
#
# Why sdl2 specifically: the v10 first attempt selected
# xvideo (smaller, more self-contained, real YUV color
# tables). Run #1 of that workflow tripped on Xvfb
# exposing the XVideo extension but providing zero
# adaptors:
#
# [XVideo] XvQueryAdaptors() found 0 adaptors.
# [Video] Cannot open video driver. Exiting...
#
# That's correct defensive code in the xvideo driver, not
# a bug -- but it means xvideo can't be exercised on Xvfb
# without real video hardware, which the runner doesn't
# have. SDL2 over X11 / MIT-SHM works on Xvfb out of the
# box (verified via a standalone SDL_CreateRenderer probe
# before this patch landed). Coverage tradeoff: we lose
# xvideo's YUV color-conversion path but keep all the
# high-leverage surface (dlopen, core lifecycle, stb_image,
# runloop, video driver init, full cleanup).
#
# Soft-fail (continue-on-error: true) on this iteration.
# Reasoning: lots can go wrong here that aren't RetroArch
# bugs -- libGL / Mesa software-rasterizer leaks at
# shutdown, X11 driver init noise -- and forcing strict
# cleanliness before measuring the baseline would block
# merges on noise. Sanitizer findings ARE still surfaced
# in the step output for triage; they just don't fail
# the job. Once the baseline is characterised, this step
# can be flipped to strict the same way the --help step
# was in v8.
#
# Audio driver is "null" (no PulseAudio / ALSA dependency
# on the runner). Verbose output is on so the run captures
# the full log for triage.
continue-on-error: true
env:
# detect_leaks=0 because libGL / Mesa symbol-resolution
# plus X11 connection caches produce non-trivial leaks at
# process shutdown that aren't RetroArch bugs. Can be
# flipped on later with a suppression file. Heap
# corruption / UAF / double-free still abort under
# abort_on_error=1.
ASAN_OPTIONS: abort_on_error=1:detect_leaks=0:print_stacktrace=1:strict_string_checks=1
# halt_on_error=0 so a single signed-overflow somewhere
# in the runloop doesn't truncate the stderr log before
# we see the full picture. The grep below still
# surfaces every "runtime error:" line for triage.
UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=0
LSAN_OPTIONS: exitcode=0
run: |
set -eu
# Start Xvfb on display :99. -screen geometry is small
# because the imageviewer doesn't care about resolution
# and we're trying to minimise X server memory. SDL2's
# X11 backend uses MIT-SHM (which Xvfb provides by
# default) for image transfer.
Xvfb :99 -screen 0 320x240x24 -nolisten tcp &
XVFB_PID=$!
# Ensure cleanup on any exit (including soft-fail ones).
trap "kill $XVFB_PID 2>/dev/null || true" EXIT
# Give Xvfb time to come up; xdpyinfo confirms MIT-SHM is
# available before we waste cycles trying to use it.
# Extension names in xdpyinfo output are indented with
# leading whitespace, hence ^[[:space:]]+.
for i in 1 2 3 4 5; do
if DISPLAY=:99 xdpyinfo -queryExtensions 2>/dev/null \
| grep -qE "^[[:space:]]+MIT-SHM\b"; then
break
fi
sleep 1
done
DISPLAY=:99 xdpyinfo -queryExtensions \
| grep -E "^[[:space:]]+MIT-SHM\b" || true
# Minimal config: sdl2 video, null audio. Everything
# else takes built-in defaults.
mkdir -p /tmp/asan-cfg
cat > /tmp/asan-cfg/retroarch.cfg <<EOF
video_driver = "sdl2"
audio_driver = "null"
video_threaded = "false"
video_fullscreen = "false"
video_windowed_fullscreen = "false"
EOF
# Run. --max-frames triggers a clean shutdown via the
# normal runloop teardown after N frames, which is what
# we want for cleanup-path coverage. Wall-clock timeout
# is a safety net at 60s; --max-frames at 300 should
# finish in well under that even with sanitizer overhead.
set +e
DISPLAY=:99 timeout 60 ./retroarch \
-c /tmp/asan-cfg/retroarch.cfg \
-L cores/libretro-imageviewer/image_core.so \
/tmp/test.png \
--max-frames=300 \
--verbose \
> /tmp/imageviewer.out 2> /tmp/imageviewer.err
rc=$?
set -e
echo "exit=${rc}"
echo "=== stdout (last 80) ==="
tail -80 /tmp/imageviewer.out || true
echo "=== stderr (last 200) ==="
tail -200 /tmp/imageviewer.err || true
# Surface sanitizer findings explicitly (informational --
# we do NOT exit 1 because this step is soft-fail). Once
# the baseline is characterised, this section will gate
# on findings the same way the --help / --features steps
# do.
if grep -q "AddressSanitizer:" /tmp/imageviewer.err; then
echo ""
echo "[INFO] AddressSanitizer reported finding(s):"
grep -A 2 "AddressSanitizer:" /tmp/imageviewer.err \
| head -40
fi
ub_count=$(grep -c "runtime error:" /tmp/imageviewer.err \
2>/dev/null || true)
if [ "${ub_count:-0}" != "0" ]; then
echo ""
echo "[INFO] UBSan reported ${ub_count} runtime error(s):"
grep -h "runtime error:" /tmp/imageviewer.err \
| sort -u | head -20
fi
echo "[done] imageviewer headless smoke (soft-fail)"