Description
When building C++ code with -fsanitize=address,undefined and running tests in debian12 Docker containers via our gitlab CI on a KVM-virtualized Ubuntu host, we experienced:
- Non-deterministic segmentation faults, sometimes during runtime, occasionally even during build
- Random crash locations, no real pattern in where crashes occurred
- Simple code crashes, even simple tests like ASSERT_TRUE(true) would segfault randomly like 1 out of 4 times
A very much NOT recommended option was to disable ASLR with sudo sysctl -w kernel.randomize_va_space=0.
Only do this temporarily for debugging purposes for public machines as it makes them insecure. For private and local machines this might be okay.
Our final solution was to build and link our sanitizer tests with -no-pie.
Should we keep this or is there another solution?
I would very much wish that this should be clearly mentioned in the documentation to save other people 1 week of debugging time.
Or better that the leak sanitizer does not crash with a non-descriptive and random segfault.
Or is this even a bug? Was this fixed in a newer version?
version info
Debian clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
NOTE: this issue also occurred with GCC 12.2.0 libasan.
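
A CI guard for the two workarounds described in the issue, as an added example that is not part of the original post or of LLVM: it fails the job if kernel.randomize_va_space was left below 2 on the runner, and confirms from the ELF header that each sanitizer test binary was really linked with -no-pie. The function names and the policy of treating any ASLR value other than 2 as a failure are assumptions.

```shell
# Added example (not from the issue); function names are hypothetical.
# Map a kernel.randomize_va_space value to a verdict (2 = full ASLR).
aslr_verdict() {
    case "$1" in
        2) echo ok ;;
        1) echo partial ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Classify an ELF file by e_type (2 bytes at offset 16 of the header):
# ET_EXEC (2) is a fixed-address executable, which is what -no-pie produces;
# ET_DYN (3) is a position-independent executable or a shared object.
elf_kind() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then echo unknown; return 0; fi
    endian=$(od -An -tu1 -j5 -N1 "$f" 2>/dev/null | tr -d ' \n')  # EI_DATA: 1 = LE, 2 = BE
    b0=$(od -An -tu1 -j16 -N1 "$f" 2>/dev/null | tr -d ' \n')
    b1=$(od -An -tu1 -j17 -N1 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$endian" = "2" ]; then etype=$(( ${b0:-0} * 256 + ${b1:-0} ))
    else etype=$(( ${b1:-0} * 256 + ${b0:-0} )); fi
    case "$etype" in
        2) echo no-pie ;;
        3) echo pie ;;
        *) echo unknown ;;
    esac
}

# Usage: check_sanitizer_setup ASLR_FILE BINARY...
# Returns non-zero if ASLR is not fully enabled or a binary is not -no-pie.
check_sanitizer_setup() {
    aslr_file=$1; shift
    rc=0
    verdict=$(aslr_verdict "$(cat "$aslr_file" 2>/dev/null)")
    echo "ASLR ($aslr_file): $verdict"
    [ "$verdict" = "ok" ] || rc=1
    for bin in "$@"; do
        kind=$(elf_kind "$bin")
        echo "$bin: $kind"
        [ "$kind" = "no-pie" ] || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    check_sanitizer_setup /proc/sys/kernel/randomize_va_space "$@"
fi
```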