ci: add ASAN integration test job#1970
Conversation
|
right, asan check spotted some problematic code parts, but symbolizer is not giving human readable stack traces. I will try to fix symbolizer as well as part of this PR, then failing asan checks need to be fixed. |
Running the existing integration tests under AddressSanitizer and UndefinedBehaviorSanitizer gives the project a targeted signal for use-after-free, buffer overflows, invalid lifetime assumptions, and undefined behavior in exercised proxy code paths. The ASAN job reuses the Dockerfile.tests flow with reduced parallelism and longer timeouts to keep sanitizer output readable. The job passes the sanitizer Bazel configs explicitly so the check stays scoped to the Cilium proxy CI path. Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
Envoy's ASAN test rules use the local LLVM symbolizer to turn sanitizer addresses into readable function, file, and line information. Keep the executable in the trimmed builder toolchain and verify that it can run while building the image. Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
The rolling Jammy archive removes superseded package versions, which makes a clean builder image rebuild fail when the pinned libtinfo5 artifact disappears. Use a fixed Ubuntu snapshot so the required compatibility package remains available for both amd64 and arm64. Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
|
symbolizer is fixed now, now will be addressing asan failures one by one (asan stops after the first error, so more may appear once current one is fixed). Current failure: |
HeaderUtility may return a string view backed by request header storage. DELETE_ON_MISMATCH removed that header before recording its rejected value, leaving access logging to copy from freed memory. Record the rejected value before removing the header, matching the ordering already used by DELETE_ON_MATCH. Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
Running the existing integration tests under AddressSanitizer and UndefinedBehaviorSanitizer gives us a targeted signal for use-after-free, buffer overflows, invalid lifetime assumptions, and undefined behavior in exercised proxy code paths.
The ASAN job reuses the Dockerfile.tests flow with reduced parallelism and longer timeouts to keep sanitizer output readable. The job passes the sanitizer Bazel configs explicitly so the check stays scoped to the Cilium proxy CI path.