Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @nikomatsakis (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

This is WIP revival of #31605. Right now, this only contains the Leak Sanitizer
as I'm getting familiar with the previous implementation and with sanitizers, in
general.

I'm bringing this back to life because one concern brought up in the original PR
was that std had to be recompiled with some extra LLVM instrumentation pass to
be able to use the sanitizers but such mechanism didn't exist.
Today, Xargo can recompile std (and all
its dependencies) with custom compilation flags so it could make sanitizer
support feasible.

Comments

• "LeakSanitizer is only supported on x86_64 Linux."

• The above example doesn't always work, as in it sometimes doesn't detect the
  memory leak. And by sometimes, I mean that out of 10_000 runs it doesn't
  detect the leak 4_991 times. I don't know if this expected or not, or who's
  to blame for this.

• Unlike [WIP] Sanitizers support. #31605, the leak sanitizer runtime has been packaged into a crate,
  rustc_lsan, and is built using Cargo instead of using bootstrap. Also, the
  rustc_lsan crate forces the executable to use the alloc_system allocator
  because it was reported back in [WIP] Sanitizers support. #31605 that the sanitizers don't work well
  with jemalloc.

• Building the sanitizer runtimes uses cmake (the runtimes are part of
  the compiler-rt project). As a result, rustc_lsan builds on Arch Linux but
  not on Ubuntu :-/. This is because Ubuntu's llvm-dev package installs some
  cmakefiles in a directory different from where compiler-rt cmake build system
  expects them.

• The leak sanitizer does NOT require (re)compiling stuff with an extra
  LLVM instrumentation pass; it only requires linking the runtime. The other
  sanitizers do require the extra LLVM pass though.

• As you see in the example, the sanitizer runtime is explicitly linked via
  extern crate rustc_lsan. I think it would make more sense to implicitly link
  it using -C sanitize=leak like the original PR did. -C sanitize=foo seems
  like it would make more compatible with the "build this crate with an extra
  LLVM pass" requirement that the other sanitizers have.

Concerns

• If we continue using compiler-rt's build system (cmake), the one crate per
  sanitizer approach will result in building N runtimes N times because, AFAICT,
  compiler-rt build system provides no way to build a single runtime; it always
  builds all of them. Unless there some way to have many crates share the output
  directory of a single build script (workspaces?)

TODO

• Does this work with LTO? Yes

• Does this work with the test runner (#[test])? Yes

• Can we build the sanitizers (C code) manually without relying on cmake?

cc @alexcrichton @brson @tmiasko

☔ The latest upstream changes (presumably #38697) made this pull request unmergeable. Please resolve the merge conflicts.

@japaric I'm excited to hear that xargo can compile std with custom flags. However, I feel like there is an RFC wanting to be written here. But I'm not quite sure what it is. =)

At minimum, surely a feature gate of some kind would be required.

Neat!

How come we need to specially recognize the asan crate? Does it need to go in a special place on the linker command line?

I'm not really sure what the best way to expose this will be long-term. For now, though, having it be optional and behind a feature gate seems ok.

How come we need to specially recognize the asan crate? Does it need to go in a special place on the linker command line?

(a) It needs to be linked using -Wl,--whole-archive and (b) it provides malloc et al. symbols that must override the real ones (to intercept them) so it needs to be linked before the object/crate/library that provides the real e.g. malloc implementation.

I think the ordering is guaranteed via extern crate alloc_system that it shows up before that crate, but it could show up on the far left which means the symbols wouldn't get pulled in presumably as there'd be no references to them (this is what -Wl,--whole-archive fixes).

@alexcrichton That is, indeed, the case. It doesn't work without -Wl,--whole-archive but rustc_lsan does appear on the "far left" so at least I can remove that part of the logic.

Travis failure seems legit to me: "llvm-config not found".

OK. Added ThreadSanitizer support and added an unstable -Z sanitizer flag to
enable either sanitizer.

Using LeakSanitizer is as simple as cargo rustc -- -Z sanitizer=leak && target/debug/app and using ThreadSanitizer is as simple as RUSTFLAGS="-Z sanitizer=thread" xargo run (*). See the PR description for actual examples.

(*) Actually, first you have patch src/libstd to workaround
#36501. Here's the patch

--- a/src/libstd/Cargo.toml
+++ b/src/libstd/Cargo.toml
@@ -7,7 +7,6 @@ build = "build.rs"
 [lib]
 name = "std"
 path = "lib.rs"
-crate-type = ["dylib", "rlib"]

 [dependencies]
 alloc = { path = "../liballoc" }

Some comments:

LeakSanitizer only requires linking a runtime so, IMO, it makes sense to
distribute librustc_lsan with the std component of the
x86_64-unknown-linux-gnu target, which is the only target supported by lsan.
That's how the rustbuild is configured right now.

ThreadSanitizer requires recompiling the std facade with an extra LLVM pass
and linking to the tsan runtime. The former requirement is taken care of by
Xargo. But, because Xargo overrides the default sysroot, rustc_tsan must be
available in that sysroot. What I'm doing now is compiling rustc_tsan as
part of Xargo's sysroot. It would be better if one could just use a rustc_tsan
that's distributed as part of the std component though as compiling the
runtime requires having LLVM installed in the host system and the runtime
doesn't compile on Ubuntu because of how it has laid out its LLVM installation.

rust-lang/compiler-rt needs to be patched to make tsan work with PIE
executables. I'll send the patch (it's a backport) in a bit.

Pushed AddressSanitizer support and added an example to the PR description.

Interestingly, an empty main functions trips up asan's "ODR violation" check:

$ cat src/main.rs
fn main() {}

$ RUSTFLAGS="-Z sanitizer=address" xargo run
   Compiling oob v0.1.0 (file:///home/japaric/tmp/oob)
    Finished debug [unoptimized + debuginfo] target(s) in 0.53 secs
     Running `target/debug/oob`
=================================================================
==5051==ERROR: AddressSanitizer: odr-violation (0x5579099b23a0):
  [1] size=0 'ref.1O' core.cgu-0.rs
  [2] size=0 'ref.19' std.cgu-0.rs
These globals were registered at these points:
  [1]:
    #0 0x5579098c66e0 in __asan_register_globals.part.10 /shared/rust/checkouts/lsan/src/compiler-rt/lib/asan/asan_globals.cc:309
    #1 0x5579099b0dfb in asan.module_ctor (/home/japaric/tmp/oob/target/debug/oob+0x188dfb)

  [2]:
    #0 0x5579098c66e0 in __asan_register_globals.part.10 /shared/rust/checkouts/lsan/src/compiler-rt/lib/asan/asan_globals.cc:309
    #1 0x5579098a8b5b in asan.module_ctor (/home/japaric/tmp/oob/target/debug/oob+0x80b5b)

==5051==HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_odr_violation=0
SUMMARY: AddressSanitizer: odr-violation: global 'ref.1O' at core.cgu-0.rs
==5051==ABORTING

@japaric

travis says:

-- Configuring incomplete, errors occurred!

See also "/checkout/obj/build/x86_64-unknown-linux-gnu/stage0-std/x86_64-unknown-linux-gnu/release/build/rustc_lsan-809bddb3df858e87/out/build/CMakeFiles/CMakeOutput.log".

--- stderr

CMake Error at CMakeLists.txt:46 (message):

  llvm-config not found: specify LLVM_CONFIG_PATH

not sure what's up w/ that

@nikomatsakis

Quoting myself

the runtime doesn't compile on Ubuntu because of how it has laid out its LLVM installation.

Travis is testing on Ubuntu. We should build rustc_lsan against the LLVM that rustbuild builds instead of against system LLVM but that's more tricky.

MemorySanitizer is now working (example in the PR description) but requires the latest compiler-rt release. We could backport some stuff to make our fork work (but we would have to first figure out what needs to be backported) or we could simply upgrade our fork to something more recent (easier).

So, @alexcrichton -- I feel more-or-less about experimenting in this direction without an RFC, but it seems like we should have some docs. Maybe a tracking issue? I feel like I would not want this interface to stabilize without an RFC. Not sure what team has jurisdiction here, probably @rust-lang/compiler or @rust-lang/tools.

Yeah I'm fine experimenting here as well. I want to make sure that everything is thoroughly feature gated, but beyond that it seems worthwhile to enable supporting this at all

I wonder though if we can experiment here with less of this support in-tree. @japaric do you have an idea of how we might minimize basically the size of this PR? Ideally we wouldn't maintain all of this in tree because development would be slowed down, and hopefully one day these crates can all be on crates.io anyway.

I'm slightly hesitant here as this would be one of the first "linux only" features we support in-tree, so if we can keep it external that would be nice.

@alexcrichton Initial testing with rustc_lsan shows that the sanitizer runtimes can live out of tree. I'll update the PR with that in mind.

Great work, @japaric!

Some thoughts on integration into the compiler:

• ISTM, that the extra LLVM pass would fit well with Rust-specific target-feature's. This allows having a custom version of Rust runtime libs, compiled with special flags/passes/etc, which is exactly what we want here.
• We already build the "builtins" part of the compiler-rt using a custom build script instead of cmake. I wonder if extending this approach to sanitizer runtimes would be more reliable cross platform-wise than cmake?
• Could we fold sanitizer runtimes into compiler-rt? (guarded by #cfg[target-feature="?san"]). Compiler-rt is already special for the compiler, which always puts it on the command line after any user libraries.
• Similarly, could we fold delegation of malloc to the *san runtime into alloc_system (again, guarded by an appropriate #cfg[...])?

@japaric It is great to see more work on sanitizer support!

Regarding the question how much of this should be in-tree or not, I think the
runtime libraries should be in-tree for the simple reason that LLVM sanitizer
passes are already in-tree and distributed along with rust compiler. Moreover,
those passes depend on specific version of sanitizer runtime libraries, and
separating the two creates avenue for problematic mismatches (while working on
previous reincarnation of sanitizer support #31605, I hit exactly this problem;
it wasn't exactly trivial to debug).

@bors r=alexcrichton

📌 Commit e180dd5 has been approved by alexcrichton

Should this be marked with relnotes tag?

@malbarbo currently this is a nightly-only feature, but we'll be sure to feature it in the relnotes once it's stable!

@japaric that reminds me, can you file a tracking issue for stabilizing these?

@alexcrichton Done. #39699

Thanks, @japaric , what a great feature!

@japaric @alexcrichton This PR integrates with rustbuild in a really weird way. It adds some always-enabled 'optional' std features, lsan/msan/asan, and then omits actually producing any code for them if the LLVM_CONFIG environment variable is absent; the LLVM_CONFIG variable is only added if --enable-sanitizers is passed.

Shouldn't there be more sanity in this? Actually enabling the feature only if the config flag is on?

@whitequark sounds reasonable to me, yeah. We may also be able to remove the features now as they were from a previous iteration as well. @japaric what do you think?

Yeah, seems fine to remove the Cargo features. I'll prepare a PR.