autotools: Disable eager MSan in ctime_tests #1517

pull real-or-random wants to merge 3 commits into bitcoin-core:master from real-or-random:202404-msan-retval changing 3 files +48 −7

real-or-random commented at 3:15 PM on April 15, 2024: contributor

This is the autotools solution for #1516.

Alternatively, we could have a full-blown --enable-msan option, but it's more work, and I'm not convinced that it's necessary or at least much better.

hebasto If you're Concept ACK, are you willing to work on an equivalent PR for CMake?
real-or-random added the label assurance on Apr 15, 2024
real-or-random added the label build on Apr 15, 2024
real-or-random added the label side-channel on Apr 15, 2024
sipa commented at 3:37 PM on April 15, 2024: contributor

Concept ACK
hebasto commented at 10:53 AM on April 23, 2024: member

Concept ACK.

@hebasto If you're Concept ACK, are you willing to work on an equivalent PR for CMake?

Sure. I am :)

hebasto commented at 11:45 AM on April 23, 2024: member

To have any effect, the ctime_tests_CFLAGS variable has to AC_SUBSTed.

However, to achieve the goal, the -fno-sanitize-memory-param-retval option has to be applied to the library code as well. So, I suggest:

--- a/configure.ac
+++ b/configure.ac
@@ -142,7 +142,7 @@ if test "x$GCC" = "xyes"; then
   # We need to wrap the argument in a --(start/end)-no-unused-arguments block to suppress a
   # -Wunused-command-line-argument warning, which clang emits if MSan is not actually enabled, i.e.,
   # if -fsanitize=memory does not appear on the command line.
-  SECP_TRY_APPEND_CFLAGS([--start-no-unused-arguments -fno-sanitize-memory-param-retval --end-no-unused-arguments], ctime_tests_CFLAGS)
+  SECP_TRY_APPEND_CFLAGS([--start-no-unused-arguments -fno-sanitize-memory-param-retval --end-no-unused-arguments], SECP_CFLAGS)
 fi
 
 ###

real-or-random commented at 12:13 PM on May 7, 2024: contributor
To have any effect, the ctime_tests_CFLAGS variable has to AC_SUBSTed.

No, this seems to happen automatically. make V=1 shows me that it's effective.

However, to achieve the goal, the -fno-sanitize-memory-param-retval option has to be applied to the library code as well.

Okay, true. Sorry, I thought I had tested this before opening a PR.

Then this is a bit annoying. Your suggestion will work for our "abuse" of MSan in the ctime_tests. But it will also disable the new eager checking behind the back of the user in the case of normal use, i.e., checking for actual memory issues.

So if we want to have both eager checking in "normal" MSan mode, and clean ctime_tests, I see no other way than having two builds (and adding a build to CI is not a problem). I think one of the following approaches will be sensible:
1. disable the ctime_tests if we find -fsanitize=memory or similar on the command line (but parsing this is complex in cases such as -fsanitize=unreachable,memory this may be fragile and overkill)
2. work with your suggestion to add this to SECP_CFLAGS, but only if constant-time tests are enabled. We could additionally print a warning that tells the users to disable the constant-time tests if they want to avoid that we add -fno-sanitize-memory-param-retval.
The second looks better to me. What do you think?
hebasto commented at 5:00 PM on May 7, 2024: member

To have any effect, the ctime_tests_CFLAGS variable has to AC_SUBSTed.

No, this seems to happen automatically. make V=1 shows me that it's effective.

I mean, only ctime_tests.c is compiled with ctime_tests_CFLAGS. However, all code is needed to be compiled with -fno-sanitize-memory-param-retval.

hebasto commented at 5:42 PM on May 7, 2024: member

disable the ctime_tests if we find -fsanitize=memory or similar on the command line (but parsing this is complex in cases such as -fsanitize=unreachable,memory this may be fragile and overkill)

The following check might be used:

AC_DEFUN([SECP_MSAN_CHECK], [
AC_MSG_CHECKING(whether MemorySanitizer is enabled)
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
  #if defined(__has_feature)
  #  if __has_feature(memory_sanitizer)
  #    error "MemorySanitizer is enabled."
  #  endif
  #endif
  ]])], [msan_enabled=no], [msan_enabled=yes])
AC_MSG_RESULT([$msan_enabled])
])

real-or-random force-pushed on May 22, 2024
real-or-random force-pushed on May 22, 2024
real-or-random commented at 1:30 PM on May 22, 2024: contributor

2. work with your suggestion to add this to SECP_CFLAGS, but only if constant-time tests are enabled. We could additionally print a warning that tells the users to disable the constant-time tests if they want to avoid that we add -fno-sanitize-memory-param-retval.

I did this, using your suggested check for msan. Also rebased. Ready for review from my side.

Note: CI is currently failing on macOS. This should be resolved once the GitHub Actions image is updated to have brew 4.3.1, which has the fix (https://github.com/Homebrew/brew/pull/17336). The images are updated every week, so the issue should just disappear in a few days.
real-or-random commented at 2:55 PM on May 22, 2024: contributor

Pushed another commit that adds a CI job with eager checks enabled explicitly (-fsanitize-memory-param-retval).

autotools: Disable eager MSan in ctime_tests

Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>

55e5d975db

configure: Move "experimental" warning to bottom
to make it more promiment
e1bef0961c
ci: Add job with -fsanitize-memory-param-retval ebfb82ee2f
real-or-random force-pushed on May 26, 2024
real-or-random commented at 12:02 PM on May 26, 2024: contributor

Force pushed to fix a logic bug, should be really ready for review now. :)
hebasto approved
hebasto commented at 2:07 PM on May 26, 2024: member

ACK ebfb82ee2f8c15ae6129932380b1dfb0942ea35a, tested on Ubuntu 24.04 with different clang versions (from 15 to 18) and different build configurations. CI changes look OK as well.
hebasto commented at 2:57 PM on May 26, 2024: member

@real-or-random

@hebasto If you're Concept ACK, are you willing to work on an equivalent PR for CMake?

Please consider #1532.
real-or-random merged this on May 27, 2024
real-or-random closed this on May 27, 2024
real-or-random referenced this in commit 4b8d5eeacf on Jun 10, 2024
fanquake referenced this in commit b941c15808 on Jun 25, 2024
hebasto referenced this in commit b20389c74a on Jun 25, 2024
fanquake referenced this in commit 1408944d2e on Jun 25, 2024
achow101 referenced this in commit 9ac4f69ec2 on Jun 26, 2024
gatleas17 commented at 5:19 PM on June 27, 2024: none

Thx
vmta referenced this in commit bafdd96c0a on Jul 3, 2024
janus referenced this in commit 411aef6677 on Jul 26, 2024
vmta referenced this in commit 871c80c433 on Sep 6, 2024
vmta referenced this in commit 4d1f6d5635 on Oct 29, 2024
div72 referenced this in commit af627d47c3 on Apr 12, 2025
oskarszoon referenced this in commit 0d5c9260f4 on Jul 1, 2025
real-or-random referenced this in commit 42e75b613b on Sep 19, 2025
github-actions[bot] referenced this in commit 758d4e90b4 on Mar 1, 2026
github-actions[bot] referenced this in commit 68a2178f22 on Mar 1, 2026
github-actions[bot] referenced this in commit a8bc1a0b2b on Mar 1, 2026
0x000000000019d6689c085ae165831e934ff76 referenced this in commit 3b9450150d on Mar 2, 2026
csjones referenced this in commit a4d92824ae on Mar 2, 2026

Contributors

Labels

assurance build side-channel

Linked (view graph)

#1516 False positives in constant-time tests when using MSan on Clang >= 16 #1532 cmake: Disable eager MSan in ctime_tests #1536 ci: macOS brew outdated / upgrade macOS version?