
Commit dd579fc

committed
ci: isolate sanitizer flags per matrix job
1 parent 77f2ba0 commit dd579fc

2 files changed

+22
-3
lines changed

.github/workflows/ci.yml

Lines changed: 21 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -122,11 +122,29 @@ jobs:
122122
CC: clang-18
123123
CXX: clang++-18
124124
run: |
125+
SAN="${{ matrix.sanitizer }}"
126+
EXTRA_SANITIZER_FLAGS="-DMETAGRAPH_SANITIZERS=ON"
127+
128+
case "$SAN" in
129+
address)
130+
EXTRA_SANITIZER_FLAGS="$EXTRA_SANITIZER_FLAGS -DMETAGRAPH_ASAN=ON -DMETAGRAPH_UBSAN=ON -DMETAGRAPH_TSAN=OFF -DMETAGRAPH_MSAN=OFF"
131+
;;
132+
undefined)
133+
EXTRA_SANITIZER_FLAGS="$EXTRA_SANITIZER_FLAGS -DMETAGRAPH_ASAN=OFF -DMETAGRAPH_UBSAN=ON -DMETAGRAPH_TSAN=OFF -DMETAGRAPH_MSAN=OFF"
134+
;;
135+
thread)
136+
EXTRA_SANITIZER_FLAGS="$EXTRA_SANITIZER_FLAGS -DMETAGRAPH_ASAN=OFF -DMETAGRAPH_UBSAN=OFF -DMETAGRAPH_TSAN=ON -DMETAGRAPH_MSAN=OFF"
137+
;;
138+
memory)
139+
EXTRA_SANITIZER_FLAGS="$EXTRA_SANITIZER_FLAGS -DMETAGRAPH_ASAN=OFF -DMETAGRAPH_UBSAN=OFF -DMETAGRAPH_TSAN=OFF -DMETAGRAPH_MSAN=ON"
140+
;;
141+
esac
142+
125143
cmake -B build -G Ninja \
126144
-DCMAKE_BUILD_TYPE=Debug \
127-
-DMETAGRAPH_SANITIZERS=ON \
128-
-DCMAKE_C_FLAGS="-fsanitize=${{ matrix.sanitizer }} -fno-omit-frame-pointer" \
129-
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=${{ matrix.sanitizer }}"
145+
${EXTRA_SANITIZER_FLAGS} \
146+
-DCMAKE_C_FLAGS="-fsanitize=${SAN} -fno-omit-frame-pointer" \
147+
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=${SAN}"
130148
131149
- name: Build
132150
run: cmake --build build
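Review bot: the `case "$SAN" in` block at the top of this hunk has no default branch, so a matrix value outside `address|undefined|thread|memory` (a typo in the matrix, or a new entry added later) silently leaves EXTRA_SANITIZER_FLAGS at just `-DMETAGRAPH_SANITIZERS=ON` and the job configures with the project's default METAGRAPH_*SAN toggles, which is exactly the ASAN-stays-enabled situation this commit is fixing. Suggest failing fast with a `*) echo "unknown sanitizer: $SAN" >&2; exit 1 ;;` arm. Two smaller points: the `address` arm sets `-DMETAGRAPH_UBSAN=ON` while CMAKE_C_FLAGS still passes only `-fsanitize=${SAN}`, so whether that leg actually builds with UBSan depends on the CMake toggle adding `-fsanitize=undefined` itself, which is not visible here and is worth confirming; and `${EXTRA_SANITIZER_FLAGS}` in the `cmake -B build` call is intentionally unquoted so the string splits into separate `-D` arguments, which deserves a comment because the quoted assignments above it invite a future "fix" that would turn it into one argument.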

AGENTS.md

Lines changed: 1 addition & 0 deletions
@@ -105,4 +105,5 @@ See [docs/guides/DEBRIEF_FORMAT.md](docs/guides/DEBRIEF_FORMAT.md) for the JSONL
105105
{"date":"2025-10-20","time":"13:42","summary":"Hardened release builds with full stack canaries to satisfy CI security audit stack check.","topics":[{"topic":"Security audit parity","what":"Replaced -fstack-protector-strong with -fstack-protector-all","why":"Quality Matrix security audit marked stack canaries as disabled on the Linux runner","context":"Audit script checks mg-cli binary for __stack_chk_fail symbol","issue":"strong mode doesn’t emit canaries when functions lack risky frames","resolution":"Always request -fstack-protector-all so the guard symbol is emitted","future_work":"Monitor audit output on the next CI cycle","time_percent":100}],"key_decisions":[],"action_items":[]}
106106
{"date":"2025-10-20","time":"15:12","summary":"Taught the security audit to recognize safe-stack builds and dump details when failing in CI.","topics":[{"topic":"Audit false positive","what":"Detect __safestack_unsafe_stack_ptr alongside __stack_chk_fail","why":"Linux Release builds use Clang safe-stack so the previous detector flagged stack canaries as missing","context":"Quality Matrix security audit kept aborting despite hardening flags","issue":"Audit only looked for __stack_chk_fail which isn’t emitted with safe-stack","resolution":"Count either symbol and continue to report stack protection as enabled","future_work":"Keep an eye on future toolchain upgrades in case symbol names change","time_percent":70},{"topic":"CI diagnostics","what":"Emit the full .ignored/security-audit.txt before exiting","why":"Artifact upload isn’t always reliable, making it hard to inspect failures","context":"GitHub Actions quality matrix","issue":"Engineers could not see what triggered the critical flag","resolution":"Surface the report inline when the script exits non-zero","future_work":"None","time_percent":30}],"key_decisions":[],"action_items":[]}
107107
{"date":"2025-10-20","time":"15:55","summary":"Closed the loop on clang-tidy’s implicit-bool complaint by reinstating the explicit cast and confirmed the audit now reports PIE correctly in CI.","topics":[{"topic":"Digits buffer assert","what":"Restored the (_Bool) cast in the _Static_assert guarding the 64-byte scratch array","why":"GNU-GON-CRY clang-tidy treats int-to-bool conversions as errors","context":"readability-implicit-bool-conversion flagged the newer form","issue":"CI failed after removing the cast","resolution":"Reintroduced the explicit cast to satisfy the lint rule","future_work":"None","time_percent":60},{"topic":"CI audit parity","what":"Verified the updated PIE detection logic against the build artifacts","why":"Ensure Linux release jobs stop flagging false negatives","context":"Security audit now prints the report inline on failure","issue":"Needed a local run to confirm","resolution":"Ran the audit targeting build/ and observed PIE marked enabled","future_work":"Monitor the next Quality Matrix run","time_percent":40}],"key_decisions":[],"action_items":[]}
108+
{"date":"2025-10-20","time":"11:35","summary":"Unblocked the sanitizer CI leg by disabling conflicting ASAN flags when running the MSAN job.","topics":[{"topic":"Sanitizer matrix","what":"Gated METAGRAPH_*SAN toggles per workflow matrix leg","why":"CI memory sanitizer run failed because both -fsanitize=memory and -fsanitize=address were set","context":"GitHub Actions sanitizers job on feat/minimal-dpoi-qca-loop","issue":"ASAN defaults stayed enabled when requesting MSAN, causing clang to reject the flag combination","resolution":"Updated ci.yml to map each matrix entry to explicit METAGRAPH_{A,U,T,M}SAN settings before invoking CMake","future_work":"Watch the next CI cycle in case MSAN still lacks instrumented runtimes","time_percent":100}],"key_decisions":["Disable ASAN/UBSAN when invoking the MSAN and TSAN legs"],"action_items":[]}
108109
```
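Review bot: the appended JSONL record carries `"time":"11:35"`, which is earlier than the three 2025-10-20 entries it is placed after (13:42, 15:12, 15:55), so the debrief log is no longer in chronological order within the day; either the timestamp should be corrected or the record should be inserted before the 13:42 entry, depending on whether the format is meant to be append-ordered or time-ordered (docs/guides/DEBRIEF_FORMAT.md, referenced in the hunk header, should say which). The `key_decisions` text ("Disable ASAN/UBSAN when invoking the MSAN and TSAN legs") matches the ci.yml change; the `future_work` note about MSAN lacking instrumented runtimes is worth carrying into the workflow as a comment, since nothing in ci.yml records that the memory leg still depends on an instrumented libc++.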
