Skip to content

Add sanitizer support using GCC toolchain features #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
saksham-chawla wants to merge 5 commits into
base: codex/replay-pr-64-base
Choose a base branch
from
Open

Add sanitizer support using GCC toolchain features #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e79bcb1
Add sanitizer support using GCC toolchain features
RSingh1511 Feb 16, 2026
d2c40e7
Remove TSan from CI due to kernel compatibility issues
RSingh1511 Feb 16, 2026
1ede9eb
Fix sanitizer workflow to test //score/... targets
RSingh1511 Feb 25, 2026
5bc82b8
Adopt centralized sanitizer infrastructure from score_cpp_policies
RSingh1511 Feb 25, 2026
f70f1c0
Add repo-specific suppression files
RSingh1511 Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions .bazelrc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,3 +82,43 @@ coverage --combined_report=lcov
coverage --test_env=COVERAGE_GCOV_OPTIONS=-bcu
coverage --features=coverage
coverage --cache_test_results=no

# ==============================================================================
# Dynamic analysis (sanitizers) for Linux host builds/tests
# ==============================================================================

# Debug symbols for sanitizer stack traces
test:with_debug_symbols --cxxopt=-g1
test:with_debug_symbols --strip=never

# AddressSanitizer + UndefinedBehaviorSanitizer + LeakSanitizer (Combined)
build:asan_ubsan_lsan --config=x86_64-linux
build:asan_ubsan_lsan --features=asan
build:asan_ubsan_lsan --features=ubsan
build:asan_ubsan_lsan --features=lsan
build:asan_ubsan_lsan --platform_suffix=asan_ubsan_lsan
test:asan_ubsan_lsan --config=with_debug_symbols
test:asan_ubsan_lsan --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
test:asan_ubsan_lsan --@score_cpp_policies//sanitizers/flags:sanitizer=asan_ubsan_lsan
test:asan_ubsan_lsan --run_under=@score_cpp_policies//sanitizers:wrapper

# Shortcuts for individual sanitizers
build:asan --config=asan_ubsan_lsan
test:asan --test_tag_filters=-no-asan
build:ubsan --config=asan_ubsan_lsan
test:ubsan --test_tag_filters=-no-ubsan
build:lsan --config=asan_ubsan_lsan
test:lsan --test_tag_filters=-no-lsan
Comment on lines +106 to +111
Copy link

@propel-code-bot propel-code-bot bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Logic] The shortcut configs (asan, ubsan, lsan) inherit asan_ubsan_lsan via --config=asan_ubsan_lsan but then override --test_tag_filters with a narrower filter. Since Bazel uses last-value-wins for --test_tag_filters, running bazel test --config=asan will build with ASan+UBSan+LSan but only exclude -no-asan tests, not -no-lsan or -no-ubsan. This means tests tagged no-ubsan or no-lsan will still execute under those sanitizers, potentially causing false failures or undefined behavior.

Either remove the shortcut tag overrides (relying on the parent config's filters) or make the shortcuts self-contained with the correct combined filters:

test:asan   --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
test:ubsan  --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
test:lsan   --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
Context for Agents 
The shortcut configs (`asan`, `ubsan`, `lsan`) inherit `asan_ubsan_lsan` via `--config=asan_ubsan_lsan` but then override `--test_tag_filters` with a narrower filter. Since Bazel uses last-value-wins for `--test_tag_filters`, running `bazel test --config=asan` will build with ASan+UBSan+LSan **but only exclude `-no-asan` tests**, not `-no-lsan` or `-no-ubsan`. This means tests tagged `no-ubsan` or `no-lsan` will still execute under those sanitizers, potentially causing false failures or undefined behavior.

Either remove the shortcut tag overrides (relying on the parent config's filters) or make the shortcuts self-contained with the correct combined filters:
```
test:asan   --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
test:ubsan  --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
test:lsan   --test_tag_filters=-no-asan,-no-lsan,-no-ubsan
```

File: .bazelrc
Line: 111
Chain of Thought
  • Validation Decision: accepted
  • Confidence: 0.95
  • Likelihood Score: 4/5
  • Likelihood Reason: Anyone using the shortcut configs (--config=asan, --config=ubsan, --config=lsan) will trigger this issue. Tests tagged no-ubsan or no-lsan will run under those sanitizers when using --config=asan, likely causing false failures. The shortcuts exist to be used, so this will surface for a noticeable portion of users.
  • Suggested Action: keep
  • Tool Calls Used: 2

Reasoning

The comment correctly identifies a real bug in the newly added code. Here's the evidence:

  1. Bazel's --test_tag_filters is a last-value-wins flag - confirmed via library docs. When specified multiple times, the last value completely replaces earlier values.

  2. The config expansion chain creates a conflict:

    • build:asan --config=asan_ubsan_lsan (line 106) inherits the parent config, which includes test:asan_ubsan_lsan --test_tag_filters=-no-asan,-no-lsan,-no-ubsan (line 101)
    • test:asan --test_tag_filters=-no-asan (line 107) then overrides the inherited test_tag_filters with a narrower filter

  3. Net effect of --config=asan:

    • Builds with all three sanitizers enabled (ASan+UBSan+LSan via features)
    • But only excludes tests tagged no-asan, NOT no-ubsan or no-lsan
    • Tests tagged no-ubsan or no-lsan will still execute under those active sanitizers

  4. This is newly introduced by this PR - all the sanitizer config lines are additions in the diff.

  5. The comment is actionable - it provides two concrete solutions: either remove the shortcut tag overrides entirely (relying on parent's filters) or make each shortcut use the full combined filter string.

The same issue applies symmetrically to --config=ubsan and --config=lsan.

Evidence Summary

1. Library Docs

  • Library: bazel
  • Query: test_tag_filters flag behavior last value wins accumulating
Now let me search specifically for documentation about flag accumulation behavior and "last value wins" semantics in Bazel:Here is the relevant Bazel documentation regarding `--test_tag_filters` and flag behavior:

---

## `--test_tag_filters`

### Syntax
```
--test_tag_filters=tag[,tag]*
```
...

2. File Snapshot (HEAD)

  • File: .bazelrc
  • Lines: 85-124
85: 
86: # ==============================================================================
87: # Dynamic analysis (sanitizers) for Linux host builds/tests
88: # ==============================================================================
89: 
90: # Debug symbols for sanitizer stack traces  
91: test:with_debug_symbols --cxxopt=-g1
92: test:with_debug_symbols --strip=never
93: 
94: # AddressSanitizer + UndefinedBehaviorSanitizer + LeakSanitizer (Combined)
...

Fix in Cursor


# ThreadSanitizer (cannot be combined with ASan/LSan)
build:tsan --config=x86_64-linux
build:tsan --features=tsan
build:tsan --platform_suffix=tsan
# GCC 12 promotes TSan limitation on atomic_thread_fence to -Werror=tsan.
# Downgrade to warning so external deps (score_baselibs) compile; TSan still runs.
build:tsan --cxxopt=-Wno-error=tsan
test:tsan --config=with_debug_symbols
test:tsan --cxxopt=-O1
test:tsan --test_tag_filters=-no-tsan
test:tsan --@score_cpp_policies//sanitizers/flags:sanitizer=tsan
test:tsan --run_under=@score_cpp_policies//sanitizers:wrapper
69 changes: 69 additions & 0 deletions .github/workflows/sanitizers.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

name: Sanitizers

on:
pull_request:
types: [opened, reopened, synchronize]
merge_group:
types: [checks_requested]

permissions:
contents: read

jobs:
sanitizer-tests:
name: Bazel Tests (${{ matrix.sanitizer_config }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
sanitizer_config: [asan_ubsan_lsan]

steps:
- name: Checkout repository
uses: actions/[email protected]
with:
ref: ${{ github.head_ref || github.event.pull_request.head.ref || github.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}

- name: Setup Bazel with shared caching
uses: bazel-contrib/[email protected]
with:
bazelisk-version: 1.26.0
disk-cache: true
repository-cache: true
bazelisk-cache: true
cache-save: ${{ github.event_name == 'push' }}
Copy link

@propel-code-bot propel-code-bot bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Logic] cache-save is set to ${{ github.event_name == 'push' }}, but this workflow only triggers on pull_request and merge_group events (lines 17-20). The expression github.event_name == 'push' will always evaluate to false, so the Bazel disk/repository cache is never saved. On every run the cache starts empty, negating the caching setup entirely. Either add a push trigger to the workflow, or change the condition to match one of the actual trigger events (e.g., github.event_name == 'merge_group').

Context for Agents 
[**Bug**] `cache-save` is set to `${{ github.event_name == 'push' }}`, but this workflow only triggers on `pull_request` and `merge_group` events (lines 17-20). The expression `github.event_name == 'push'` will **always** evaluate to `false`, so the Bazel disk/repository cache is never saved. On every run the cache starts empty, negating the caching setup entirely. Either add a `push` trigger to the workflow, or change the condition to match one of the actual trigger events (e.g., `github.event_name == 'merge_group'`).

File: .github/workflows/sanitizers.yml
Line: 48
Chain of Thought
  • Validation Decision: accepted
  • Confidence: 0.00
  • Likelihood Score: 0/5
  • Suggested Action: keep
  • Tool Calls Used: 16

Reasoning

Failed to parse validation response

Evidence Summary

1. File Lookup

  • Filename: .yml
  • Max Results: 10
No files found matching '.yml'

2. File Lookup

  • Filename: sanitizers.yml
No files found matching 'sanitizers.yml'

3. Library Docs

  • Library: bazel-contrib/setup-bazel
  • Query: cache-save parameter
The library wasn't found on npm or Context7. Let me search on GitHub — `bazel-contrib/setup-bazel` is a GitHub Action, so let me try searching its source code directly.The library isn't indexed in the available registries or Context7. Since `bazel-contrib/setup-bazel` is a GitHub Action, let me try to find its documentation through alternative searches.Unfortunately, the `bazel-contrib/setup-bazel` GitHub Action is not indexed in the documentation sources or package registries available to me. However, based on publicly known documentation for this GitHub Action, here is the relevant information about the **`cache-save`** parameter:

---

## `cache-save` Parameter — `bazel-contrib/setup-bazel`

### Description

The `cache-save` input controls **whether caches are saved** at the end of a workflow run. This is useful for optimizing CI pipelines by skipping cache saves on certain runs (e.g., pull request builds) where you don't want to update the cache.
...

4. File Lookup

  • Filename: workflows
  • Max Results: 10
No files found matching 'workflows'

5. File Snapshot (HEAD)

  • File: .github/workflows/sanitizers.yml
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

6. File Lookup

  • Filename: test.yml
No files found matching 'test.yml'

7. File Lookup

  • Filename: ci.yml
No files found matching 'ci.yml'

8. File Lookup

  • Filename: bazel.yml
No files found matching 'bazel.yml'

9. File Lookup

  • Filename: build.yml
Found 1 file(s) matching 'build.yml':
- .github/workflows/build.yml

10. File Snapshot (BASE)

  • File: .github/workflows/build.yml
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

Fix in Cursor


- name: Run sanitizer tests via Bazel
run: |
set -euo pipefail
echo "Running: bazel test --config=${{ matrix.sanitizer_config }} //score/..."
# Note: Scoped to C/C++ targets only. Rust targets require Rust-specific
# sanitizer handling and are excluded via tag filters.
bazel test \
--config=${{ matrix.sanitizer_config }} \
//score/... \
--build_tag_filters=-rust \
--test_tag_filters=-rust \
Comment on lines +56 to +60
Copy link

@propel-code-bot propel-code-bot bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Testing] Passing --test_tag_filters=-rust here overwrites the filter list that --config=asan_ubsan_lsan adds in .bazelrc (--test_tag_filters=-no-asan,-no-lsan,-no-ubsan). Bazel does not merge multiple --test_tag_filters flags—the last one wins—so all tests tagged no-asan/no-lsan/no-ubsan will now run under sanitizers even though they are explicitly marked incompatible, causing spurious CI failures. Either drop the explicit flag or include all exclusions in a single list, e.g. --test_tag_filters=-rust,-no-asan,-no-lsan,-no-ubsan.

Context for Agents 
Passing `--test_tag_filters=-rust` here overwrites the filter list that `--config=asan_ubsan_lsan` adds in `.bazelrc` (`--test_tag_filters=-no-asan,-no-lsan,-no-ubsan`). Bazel does not merge multiple `--test_tag_filters` flags—the last one wins—so all tests tagged `no-asan`/`no-lsan`/`no-ubsan` will now run under sanitizers even though they are explicitly marked incompatible, causing spurious CI failures. Either drop the explicit flag or include all exclusions in a single list, e.g. `--test_tag_filters=-rust,-no-asan,-no-lsan,-no-ubsan`.

File: .github/workflows/sanitizers.yml
Line: 60
Chain of Thought
  • Validation Decision: accepted
  • Confidence: 0.97
  • Likelihood Score: 5/5
  • Likelihood Reason: The Bazel --test_tag_filters flag definitively uses "last one wins" semantics (not accumulation). This is confirmed by Bazel GitHub issue #7322 which is specifically a feature request to change this behavior. The command line --test_tag_filters=-rust will inevitably override the .bazelrc config's --test_tag_filters=-no-asan,-no-lsan,-no-ubsan, causing sanitizer-incompatible tests to run every single CI invocation.
  • Suggested Action: keep
  • Tool Calls Used: 2

Reasoning

The review comment claims:

  1. --test_tag_filters=-rust on the command line (workflow line 60) overwrites --test_tag_filters=-no-asan,-no-lsan,-no-ubsan from .bazelrc line 101 (set via test:asan_ubsan_lsan config).
  2. Bazel does not merge multiple --test_tag_filters flags — the last one wins.
  3. This will cause tests tagged no-asan/no-lsan/no-ubsan to run under sanitizers, causing spurious CI failures.

Evidence gathered:

  1. .bazelrc at HEAD (line 101): test:asan_ubsan_lsan --test_tag_filters=-no-asan,-no-lsan,-no-ubsan — confirmed this setting exists.

  2. Workflow file (line 57-60): The command runs --config=asan_ubsan_lsan first, then --test_tag_filters=-rust after it on the command line. Since Bazel expands --config=X in place, the effective order is --test_tag_filters=-no-asan,-no-lsan,-no-ubsan (from config expansion) followed by --test_tag_filters=-rust (from explicit CLI), and the last one wins.

  3. Bazel "last one wins" behavior confirmed: GitHub issue Change build_tag_filters and test_tag_filters options to accumulate uses bazelbuild/bazel#7322 is titled "Change build_tag_filters and test_tag_filters options to accumulate uses" and explicitly states that command-line --test_tag_filters "totally ignore those options" set in .bazelrc. This is a known, documented limitation — the flag does NOT accumulate.

  4. Both files are new in this PR.github/workflows/sanitizers.yml is a brand new file and the sanitizer configs in .bazelrc are also new additions, so this is a bug introduced by this PR, not pre-existing debt.

  5. The suggested fix is correct: Combining all exclusions into a single --test_tag_filters=-rust,-no-asan,-no-lsan,-no-ubsan would properly filter all intended tags.

  6. Additional note: The .bazelrc also has test --test_tag_filters=-manual on line 21, which would similarly be overridden by the command line flag, potentially also running manual-tagged tests. The comment doesn't mention this but it's another consequence of the same issue.

The ...

Evidence Summary

1. File Snapshot (HEAD)

  • File: .bazelrc
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

Fix in Cursor

--verbose_failures

- name: Upload Bazel test logs (always)
if: always()
uses: actions/upload-artifact@v6
with:
name: bazel-testlogs-${{ matrix.sanitizer_config }}
path: bazel-testlogs/**/test.log
if-no-files-found: warn
6 changes: 6 additions & 0 deletions MODULE.bazel
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,12 @@ bazel_dep(name = "score_platform", version = "0.5.3", dev_dependency = True)
# Toolchains and extensions
bazel_dep(name = "score_bazel_cpp_toolchains", version = "0.2.2", dev_dependency = True)
bazel_dep(name = "score_toolchains_rust", version = "0.4.0", dev_dependency = True)
bazel_dep(name = "score_cpp_policies", version = "0.0.0", dev_dependency = True)
git_override(
module_name = "score_cpp_policies",
commit = "07a78d6",
remote = "https://github.com/RSingh1511/score_cpp_policies.git",
Copy link

@propel-code-bot propel-code-bot bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Security] The remote points to a personal GitHub repository (RSingh1511/score_cpp_policies), not the organization's (eclipse-score). Personal forks can be deleted, force-pushed, or go stale without notice, breaking all CI and developer builds. This should point to the canonical organization repository.

Suggested change
remote = "https://github.com/RSingh1511/score_cpp_policies.git",
remote = "https://github.com/eclipse-score/score_cpp_policies.git",
Context for Agents 
The remote points to a personal GitHub repository (`RSingh1511/score_cpp_policies`), not the organization's (`eclipse-score`). Personal forks can be deleted, force-pushed, or go stale without notice, breaking all CI and developer builds. This should point to the canonical organization repository.

```suggestion
    remote = "https://github.com/eclipse-score/score_cpp_policies.git",
```

File: MODULE.bazel
Line: 44
Chain of Thought
  • Validation Decision: accepted
  • Confidence: 0.97
  • Likelihood Score: 5/5
  • Likelihood Reason: Personal forks can be deleted or force-pushed at any time, which would inevitably break builds for all developers and CI. The issue is introduced by this PR and inconsistent with the established pattern of using organization repos.
  • Suggested Action: keep
  • Tool Calls Used: 3

Reasoning

The comment is accurate and well-supported by evidence:

  1. Issue is real: The PR adds lines 40-45, which introduce a new git_override for score_cpp_policies pointing to https://github.com/RSingh1511/score_cpp_policies.git — a personal GitHub repository.

  2. Inconsistent with existing pattern: All other git_override entries in MODULE.bazel use organization repositories:

    • trlchttps://github.com/bmw-software-engineering/trlc.git
    • score_baselibshttps://github.com/eclipse-score/baselibs.git
    • score_communicationhttps://github.com/eclipse-score/communication.git

  3. Introduced by this PR: This is new code (all added lines), not pre-existing debt. The BASE file has no reference to score_cpp_policies at all.

  4. Actionable: The comment provides a concrete fix — change the remote URL to https://github.com/eclipse-score/score_cpp_policies.git, consistent with the repository's naming convention (score_* packages use eclipse-score organization).

  5. Real risk: Depending on a personal fork for a build dependency is a well-known supply chain risk. If the owner deletes, force-pushes, or abandons the fork, all builds break.

Evidence Summary

1. File Snapshot (HEAD)

  • File: MODULE.bazel
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

2. File Snapshot (BASE)

  • File: MODULE.bazel
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

Fix in Cursor

)

# S-CORE crates
bazel_dep(name = "score_crates", version = "0.0.6")
Expand Down
23 changes: 23 additions & 0 deletions quality/sanitizer/BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

filegroup(
Copy link

@propel-code-bot propel-code-bot bot Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Logic] The repo_suppressions filegroup is declared and made publicly visible, but it is not referenced anywhere in .bazelrc or by the @score_cpp_policies//sanitizers:wrapper / @score_cpp_policies//sanitizers/flags:sanitizer targets. Are these suppression files actually wired into the sanitizer runtime environment (e.g., via ASAN_OPTIONS=suppressions=...)? If not, they will be silently ignored and sanitizer findings they're meant to suppress will still fire.

Context for Agents 
The `repo_suppressions` filegroup is declared and made publicly visible, but it is not referenced anywhere in `.bazelrc` or by the `@score_cpp_policies//sanitizers:wrapper` / `@score_cpp_policies//sanitizers/flags:sanitizer` targets. Are these suppression files actually wired into the sanitizer runtime environment (e.g., via `ASAN_OPTIONS=suppressions=...`)? If not, they will be silently ignored and sanitizer findings they're meant to suppress will still fire.

File: quality/sanitizer/BUILD
Line: 14
Chain of Thought
  • Validation Decision: accepted
  • Confidence: 0.65
  • Likelihood Score: 3/5
  • Likelihood Reason: The filegroup has no visible consumer in this repo's code. The external wrapper might consume it by convention, but there's no evidence of that in this PR. Currently the suppression files are empty so nothing is actually lost, but the infrastructure gap is real if future suppressions are added without wiring them in.
  • Suggested Action: keep
  • Tool Calls Used: 10

Reasoning

The comment correctly identifies that:

  1. The repo_suppressions filegroup is declared in quality/sanitizer/BUILD with public visibility.
  2. There is no reference to this filegroup in .bazelrc - the sanitizer configs use --run_under=@score_cpp_policies//sanitizers:wrapper and --@score_cpp_policies//sanitizers/flags:sanitizer=... but never reference //quality/sanitizer:repo_suppressions.
  3. No *SAN_OPTIONS=suppressions=... environment variables are set anywhere in the PR's changes.

The one uncertainty is whether the external @score_cpp_policies//sanitizers:wrapper (from a git_override pointing to RSingh1511/score_cpp_policies.git) might have a built-in convention to discover and use //quality/sanitizer:repo_suppressions. We cannot inspect that external module from this repo. If the wrapper does consume it automatically, the comment would be a false positive.

However, the comment is phrased as a question ("Are these suppression files actually wired into the sanitizer runtime environment?") rather than an assertion, which is appropriate given the uncertainty. It's asking the PR author to confirm the wiring exists somewhere (perhaps in the external wrapper).

The comment is actionable because it:

  • Points to a specific potential gap in the infrastructure
  • Identifies exactly what mechanism would be needed (e.g., ASAN_OPTIONS=suppressions=...)
  • Asks for concrete verification

Currently, the suppression files are empty (just comments), so the practical impact is zero right now. But the comment is valid as a design review concern about the infrastructure being incomplete.

Evidence Summary

1. File Snapshot (HEAD)

  • File: MODULE.bazel
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

2. File Snapshot (HEAD)

  • File: .bazelrc
1: # *******************************************************************************
2: # Copyright (c) 2025 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

3. File Snapshot (HEAD)

  • File: .github/workflows/sanitizers.yml
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

4. File Snapshot (HEAD)

  • File: quality/sanitizer/lsan.supp
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

5. File Snapshot (HEAD)

  • File: quality/sanitizer/asan.supp
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

6. File Snapshot (HEAD)

  • File: quality/sanitizer/ubsan.supp
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

7. File Snapshot (HEAD)

  • File: quality/sanitizer/tsan.supp
1: # *******************************************************************************
2: # Copyright (c) 2026 Contributors to the Eclipse Foundation
3: #
4: # See the NOTICE file(s) distributed with this work for additional
5: # information regarding copyright ownership.
6: #
7: # This program and the accompanying materials are made available under the
8: # terms of the Apache License Version 2.0 which is available at
9: # https://www.apache.org/licenses/LICENSE-2.0
10: #
...

Fix in Cursor

name = "repo_suppressions",
srcs = [
"asan.supp",
"lsan.supp",
"tsan.supp",
"ubsan.supp",
],
visibility = ["//visibility:public"],
)
17 changes: 17 additions & 0 deletions quality/sanitizer/asan.supp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

# Suppressions for the AddressSanitizer
# See: https://clang.llvm.org/docs/AddressSanitizer.html#issue-suppression
# Every suppression requires a justification.
# Suppressions that share the same justification may be organized in a single block.
17 changes: 17 additions & 0 deletions quality/sanitizer/lsan.supp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

# Suppressions for the LeakSanitizer
# See: https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions
# Every suppression requires a justification.
# Suppressions that share the same justification may be organized in a single block.
17 changes: 17 additions & 0 deletions quality/sanitizer/tsan.supp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

# Suppressions for the ThreadSanitizer
# See: https://github.com/google/sanitizers/wiki/ThreadSanitizerSuppressions
# Every suppression requires a justification.
# Suppressions that share the same justification may be organized in a single block.
17 changes: 17 additions & 0 deletions quality/sanitizer/ubsan.supp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
# *******************************************************************************
# Copyright (c) 2026 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# SPDX-License-Identifier: Apache-2.0
# *******************************************************************************

# Suppressions for the UndefinedBehaviorSanitizer
# See: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#runtime-suppressions
# Every suppression requires a justification.
# Suppressions that share the same justification may be organized in a single block.
6 changes: 6 additions & 0 deletions score/mw/log/rust/score_log_bridge/BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,11 @@ rust_test(
edition = "2021",
rustc_flags = RUSTC_FLAGS,
tags = [
"no-asan", # Rust tests with C++ FFI require sanitizer-instrumented stdlib
"no-lsan",
"no-tsan",
"no-ubsan",
"rust",
"unit_tests",
"ut",
],
Expand All @@ -113,6 +118,7 @@ rust_binary(
],
edition = "2021",
rustc_flags = RUSTC_FLAGS,
tags = ["rust"],
visibility = ["//visibility:public"],
deps = [
":score_log_bridge",
Expand Down