Make it an error to disable container checks when libc++ is built with them

ldionne · ldionne · commit 109e94013cde · 2025-12-04T17:03:23.000-05:00
diff --git a/libcxx/include/__debug_utils/sanitizers.h b/libcxx/include/__debug_utils/sanitizers.h
@@ -17,15 +17,31 @@
 #  pragma GCC system_header
 #endif
 
-// _LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS determines whether the containers should provide ASAN container
-// overflow checks. Some containers like std::string need stricter requirements in order to enable these
-// checks and also need to check that the library was built with sanitizer support (_LIBCPP_INSTRUMENTED_WITH_ASAN).
+// Within libc++, _LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS determines whether the containers should
+// provide ASAN container overflow checks. That setting attempts to honour ASAN's documented option
+// __SANITIZER_DISABLE_CONTAINER_OVERFLOW__ which can be defined by users to disable container overflow
+// checks.
+//
+// However, since parts of some containers (e.g. std::string) are compiled separately into the built
+// library, there are caveats:
+// - __SANITIZER_DISABLE_CONTAINER_OVERFLOW__ can't always be honoured, i.e. if the built library
+//   was compiled with ASAN container checks, it's impossible to turn them off afterwards. We diagnose
+//   this with an error to avoid the proliferation of invalid configurations that appear to work.
+//
+// - The container overflow checks themselves are not always available even when the user is compiling
+//   with -fsanitize=address. If a container is compiled separately like std::string, it can't provide
+//   container checks unless the separately compiled code was built with container checks enabled. These
+//   containers need to also conditionalize whether they provide overflow checks on `_LIBCPP_INSTRUMENTED_WITH_ASAN`.
 #if __has_feature(address_sanitizer) && !defined(__SANITIZER_DISABLE_CONTAINER_OVERFLOW__)
 #  define _LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS 1
 #else
 #  define _LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS 0
 #endif
 
+#if _LIBCPP_INSTRUMENTED_WITH_ASAN && !_LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS
+#  error "We can't disable ASAN container checks when libc++ has been built with these checks enabled"
+#endif
+
 #if _LIBCPP_ENABLE_ASAN_CONTAINER_CHECKS
 
 extern "C" {
diff --git a/libcxx/test/extensions/libcxx/asan/diagnose_container_overflow_checks_disablement.verify.cpp b/libcxx/test/extensions/libcxx/asan/diagnose_container_overflow_checks_disablement.verify.cpp
@@ -0,0 +1,23 @@
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+// XFAIL: FROZEN-CXX03-HEADERS-FIXME
+
+// REQUIRES: libcpp-instrumented-with-asan
+
+// Check that we diagnose when libc++ has been built with ASAN instrumentation
+// and the user requests turning off the ASAN container checks. Since that is
+// impossible to implement, we diagnose this with an error instead.
+//
+// ADDITIONAL_COMPILE_FLAGS: -D__SANITIZER_DISABLE_CONTAINER_OVERFLOW__
+
+#include <deque>
+#include <string>
+#include <vector>
+
+// expected-error@*:* {{We can't disable ASAN container checks when libc++ has been built with these checks enabled}}
diff --git a/libcxx/test/extensions/libcxx/asan/disable_container_overflow_checks.pass.cpp b/libcxx/test/extensions/libcxx/asan/disable_container_overflow_checks.pass.cpp
@@ -7,12 +7,18 @@
 //===----------------------------------------------------------------------===//
 
 // XFAIL: FROZEN-CXX03-HEADERS-FIXME
-// REQUIRES: asan
 
 // Check that libc++ honors when __SANITIZER_DISABLE_CONTAINER_OVERFLOW__ is set
 // and disables the container overflow checks.
+//
+// ADDITIONAL_COMPILE_FLAGS: -fsanitize=address -D__SANITIZER_DISABLE_CONTAINER_OVERFLOW__
+
+// When libc++ is build with ASAN instrumentation, we can't turn off the ASAN checks,
+// and that is diagnosed as an error.
+// UNSUPPORTED: libcpp-instrumented-with-asan
 
-// ADDITIONAL_COMPILE_FLAGS: -D__SANITIZER_DISABLE_CONTAINER_OVERFLOW__
+// MSAN, TSAN and ASAN are mutually exclusive
+// UNSUPPORTED: msan, tsan
 
 #include <deque>
 #include <string>
diff --git a/libcxx/utils/libcxx/test/features/libcxx_macros.py b/libcxx/utils/libcxx/test/features/libcxx_macros.py
@@ -44,6 +44,7 @@
 true_false_macros = {
     "_LIBCPP_HAS_THREAD_API_EXTERNAL": "libcpp-has-thread-api-external",
     "_LIBCPP_HAS_THREAD_API_PTHREAD": "libcpp-has-thread-api-pthread",
+    "_LIBCPP_INSTRUMENTED_WITH_ASAN": "libcpp-instrumented-with-asan",
 }
 for macro, feature in true_false_macros.items():
     features.append(

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@`
`44`	`44`	`true_false_macros = {`
`45`	`45`	`"_LIBCPP_HAS_THREAD_API_EXTERNAL": "libcpp-has-thread-api-external",`
`46`	`46`	`"_LIBCPP_HAS_THREAD_API_PTHREAD": "libcpp-has-thread-api-pthread",`
	`47`	`+ "_LIBCPP_INSTRUMENTED_WITH_ASAN": "libcpp-instrumented-with-asan",`
`47`	`48`	`}`
`48`	`49`	`for macro, feature in true_false_macros.items():`
`49`	`50`	`features.append(`