Skip to content

ci: add ASAN integration test job#1970

Open
nezdolik wants to merge 4 commits into
mainfrom
add-asan-check
Open

ci: add ASAN integration test job#1970
nezdolik wants to merge 4 commits into
mainfrom
add-asan-check

Conversation

@nezdolik

@nezdolik nezdolik commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Running the existing integration tests under AddressSanitizer and UndefinedBehaviorSanitizer gives us a targeted signal for use-after-free, buffer overflows, invalid lifetime assumptions, and undefined behavior in exercised proxy code paths.

The ASAN job reuses the Dockerfile.tests flow with reduced parallelism and longer timeouts to keep sanitizer output readable. The job passes the sanitizer Bazel configs explicitly so the check stays scoped to the Cilium proxy CI path.

@nezdolik nezdolik requested a review from a team as a code owner July 6, 2026 14:41
@nezdolik nezdolik requested a review from mhofstetter July 6, 2026 14:41

@mhofstetter mhofstetter left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. It seems as the added test fails on the PR.
  2. Please remove the merge commit and use rebase

@nezdolik

nezdolik commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

right, asan check spotted some problematic code parts, but symbolizer is not giving human readable stack traces. I will try to fix symbolizer as well as part of this PR, then failing asan checks need to be fixed.

nezdolik added 3 commits July 10, 2026 11:59
Running the existing integration tests under AddressSanitizer and UndefinedBehaviorSanitizer gives the project a targeted signal for use-after-free, buffer overflows, invalid lifetime assumptions, and undefined behavior in exercised proxy code paths.

The ASAN job reuses the Dockerfile.tests flow with reduced parallelism and longer timeouts to keep sanitizer output readable. The job passes the sanitizer Bazel configs explicitly so the check stays scoped to the Cilium proxy CI path.

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
Envoy's ASAN test rules use the local LLVM symbolizer to turn sanitizer addresses into readable function, file, and line information. Keep the executable in the trimmed builder toolchain and verify that it can run while building the image.

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
The rolling Jammy archive removes superseded package versions, which makes a clean builder image rebuild fail when the pinned libtinfo5 artifact disappears. Use a fixed Ubuntu snapshot so the required compatibility package remains available for both amd64 and arm64.

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
@nezdolik

Copy link
Copy Markdown
Contributor Author

symbolizer is fixed now, now will be addressing asan failures one by one (asan stops after the first error, so more may appear once current one is fixed). Current failure:
heap-use-after-free in AllowedPathRegexDeleteHeader/0:
network_policy.cc:460 obtains a view into the request header.
network_policy.cc:524 removes the header, freeing its storage.
network_policy.cc:525 passes the now-dangling view to logRejected().
accesslog.cc:277 reads that freed memory while copying the value into protobuf.
The trigger is cilium_http_integration_test.cc:775.

HeaderUtility may return a string view backed by request header storage. DELETE_ON_MISMATCH removed that header before recording its rejected value, leaving access logging to copy from freed memory.

Record the rejected value before removing the header, matching the ordering already used by DELETE_ON_MATCH.

Signed-off-by: Kateryna Nezdolii <kateryna.nezdolii@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants