
build(bazel): cut sanitized variant over to Bazel (DEV-6344, PR Y+2) #615

Merged
subotic merged 3 commits into main from
feature/dev-6344-bazel-migration-pr-y2-sanitized-variant-via-bazel
May 3, 2026

Conversation

@subotic
Contributor

@subotic subotic commented May 3, 2026

Fixes DEV-6344

Motivation

PR Y+2 of the seven-PR Bazel migration. The sanitized (ASan + UBSan)
build was the next variant to leave Nix authority because (a) it has
no production consumers — it is a CI gate only — so the migration
risk is bounded to one workflow, and (b) Bazel's --per_file_copt
gives clean per-translation-unit scoping that the prior CMake
ENABLE_SANITIZERS option achieved through a target-attached
INTERFACE library. The cutover proves the Bazel sanitizer toolchain
under foreign_cc + Nix dev-shell on the actual CI hardware before the
remaining variants (default / dev / release / fuzz / docker) follow.

Summary

  • Replaces the deleted .#sanitized Nix output with Bazel-native
    --config=asan / --config=ubsan blocks, wrapped by
    just bazel-build-sanitized.
  • sanitizer.yml's build step runs Bazel inside nix develop
    (matching bazel-build.yml); the e2e step still uses
    just nix-test-e2e against the Bazel-built binary at
    bazel-bin/src/sipi.
  • Removes the dead ENABLE_SANITIZERS CMake option, the
    enableSanitizers package.nix parameter, and the .#sanitized
    flake output. Aligns the surrounding documentation.

Key Changes

Build orchestration (Bazel side)

  • .bazelrc: --config=asan / --config=ubsan blocks. Each carries
    --compilation_mode=dbg, --strip=never,
    -fno-omit-frame-pointer, -fno-optimize-sibling-calls, plus its
    sanitizer's -fsanitize=… copt + linkopt. DWARF stays inline so
    LSan's symbol-name suppressions in .lsan_suppressions.txt
    (leak:lua*) match.
  • --per_file_copt regex ^(src|shttps|fuzz|test)/.*\.(cpp|cc|cxx|c|mm)$
    scopes sanitizer flags to first-party TUs only, leaving foreign_cc
    ext libs uninstrumented (mirrors prior CMake scope). Extension list
    covers every C-family extension upfront so future .cc/.cxx/.mm
    additions stay loud.
  • justfile: adds bazel-build-sanitized *FLAGS='' recipe; removes
    nix-build-sanitized and the build-sanitized/ line in clean.
    The variadic *FLAGS positional lets CI pass --disk_cache=…
    without duplicating the recipe body.
  • 9 new ext/<lib>/BUILD.bazel files pin
    cache_entries["CMAKE_BUILD_TYPE"] = "RelWithDebInfo" and
    configuration = "RelWithDebInfo" so --compilation_mode=dbg
    doesn't poison the foreign_cc cmake() builds with =Debug.

CI (sanitizer.yml)

  • Build step runs nix develop --command bash -c "just bazel-build-sanitized --disk_cache=\$HOME/.cache/bazel-disk".
  • actions/cache@v4 step manages ~/.cache/bazel-disk with the
    same DEV-6371 strategy bazel-build.yml uses (targeted key
    formula, no setup-bazel disk-cache wiring to avoid 0-byte
    poisoning).
  • jlumbroso/free-disk-space step releases ~6 GB of pre-installed
    SDKs so the LLVM 19 toolchain + 22 ext libs + disk cache fit on
    ubuntu-24.04.
  • Path-trigger filter gains .bazelrc, .bazelversion,
    MODULE.bazel, MODULE.bazel.lock, BUILD.bazel, **/BUILD.bazel,
    bazel/**, tools/**, ext/**, and
    .github/workflows/sanitizer.yml so Bazel-graph changes also
    re-run sanitizer CI.
  • Post-failure Make.log dump step (same shape as bazel-build.yml)
    surfaces the foreign_cc rule's stderr that
    rules_foreign_cc otherwise hides behind
    "output X was not created".

CMake cleanup

  • CMakeLists.txt: removes the sanitizer_config INTERFACE library,
    the option(ENABLE_SANITIZERS …) declaration, and the
    target_link_libraries(sipi sanitizer_config) guard.
  • test/CMakeLists.txt: removes the matching
    target_link_libraries(libsipi_testable PUBLIC sanitizer_config)
    guard.

Docs

  • CLAUDE.md: build-completeness invariant no longer lists
    .#sanitized; the Bazel inner-loop quick reference adds
    bazel-build-sanitized.
  • building.md, nix.md, ci.md, cpp-style-guide.md,
    testing-strategy.md: nix-build-sanitized references replaced
    with bazel-build-sanitized /
    bazel build --config=asan --config=ubsan //src:sipi.
  • REVIEW.md: sanitizer-gate bullet now states coverage is e2e-only
    in this window (see Gotchas).

Challenges and Decisions

CFLAGS poisoning of foreign_cc rules

Problem: Initial attempt used global --copt=-fsanitize=address.
This poisoned rules_foreign_cc's make() / cmake() /
configure_make() rules — they collect copts from the cc toolchain
and forward them as CFLAGS / CXXFLAGS to upstream Makefiles.
Kakadu's hand-written Makefile ignored the injected -fsanitize=…
on the link line, so its libkdu.a link was missing the matching
linkopt and the foreign_cc rule failed with "output X was not
created".

Tried: (a) Adding global --linkopt=-fsanitize=… to compensate
— didn't help, kakadu's Makefile builds with its own LD and
ignores Bazel linkopts. (b) Bazel select() + custom toolchain to
swap a sanitizer-enabled cc toolchain — adds ~150 lines of toolchain
boilerplate for one variant.

Solution: --per_file_copt=<regex>@<flag>. This is action-scoped
— it applies only when Bazel itself runs a compile action whose
source path matches the regex, and is NOT consulted when foreign_cc
collects toolchain flags for env-var forwarding. Matches the prior
CMake build's scope exactly: the sanitizer_config INTERFACE
library only attached to sipi and libsipi_testable, never to
ext/* foreign_cc targets.

--compilation_mode=dbg poisoning cmake() ext deps

Problem: Bazel's --compilation_mode=dbg propagates into
rules_foreign_cc's cmake() rules as -DCMAKE_BUILD_TYPE=Debug.
Two failure modes followed:

  1. Some upstream CMakeLists.txt files apply
    set_target_properties(... DEBUG_POSTFIX "d") (libpng, sentry,
    curl as "-d") in Debug mode and produce e.g. libpng16d.a /
    libcurl-d.a instead of the unsuffixed name expected by
    out_static_libs.
  2. Per-config IMPORTED-target files (XConfig-debug.cmake,
    XConfig-relwithdebinfo.cmake) only exist for the matching build
    type; downstream cmake() consumers that resolve a different
    config fail with IMPORTED_LOCATION not set for … configuration "<X>".

Tried: (a) Drop --compilation_mode=dbg and scope -g -O0 to
first-party TUs via --per_file_copt — worked for source-level
debugging but broke kakadu's own Makefile which keys on the
Make.STD build mode. (b) Restoring --compilation_mode=dbg and
patching ext libs to disable DEBUG_POSTFIX — too invasive across 9
deps.

Solution: Each cmake() ext dep pins both
cache_entries["CMAKE_BUILD_TYPE"] = "RelWithDebInfo" AND a
rule-level configuration = "RelWithDebInfo" attribute. The
cache_entries value beats the auto-injected =Debug in
rules_foreign_cc's cmake_script.bzl; the configuration
attribute pins the --config used by cmake --build /
cmake --install. Both are needed — neither alone works. Sipi's own
first-party TUs are unaffected because they don't go through cmake;
their -fsanitize=… reaches them via the --per_file_copt block
above.

-fsanitize=undefined link failure

Problem: Build progressed past kakadu but failed at the final
sipi link with ld.lld: error: undefined symbol: __ubsan_vptr_type_cache and __ubsan_handle_dynamic_type_cache_miss.

Cause: -fsanitize=undefined activates the vptr (RTTI) check by
default. Verifying RTTI at run time requires UBSan symbols that
toolchains_llvm's compiler-rt only ships in the dynamic
libclang_rt.ubsan_standalone_cxx-…so form. The toolchain's link
line forces static -l:libc++.a -l:libc++abi.a, so the dynamic
runtime is never pulled in and lld fails.

Solution: -fno-sanitize=vptr at both compile and link layers.
The other UBSan checks (integer overflow, null deref, alignment, …)
don't depend on the C++ runtime and link cleanly. Sipi's prior CMake
build escaped this because the Nix toolchain linked C++ dynamically
and the runtime resolved against the system libc++ — that escape
hatch is gone under toolchains_llvm's static link.

CI environment mismatch (kakadu output not created)

Problem: sanitizer.yml initially ran just bazel-build-sanitized
directly. On the GitHub-hosted ubuntu-24.04 runner, bazelisk was
picked up from the runner image (NOT from the Nix dev-shell) and
several foreign_cc-driven rules saw a degraded PATH/env: kakadu's
repository_rule couldn't find the right gh, foreign_cc Makefiles
couldn't find perl/autoconf/automake/libtoolize, and the
.bazelrc's --action_env=NIX_LDFLAGS,ACLOCAL_PATH was forwarding
empty values because those env vars only exist inside nix develop.

Solution: Wrap the build step with nix develop --command bash -c '…',
matching bazel-build.yml. Local Mac builds had been passing
because nix develop is the natural entry point there.

Stamping for STABLE_SIPI_VERSION

Problem: After the earlier fixes the build itself succeeded,
but the e2e suite then failed with expected stdout to be "sipi 4.1.1", got "sipi 0.0.0-unstamped".

Cause: tools/workspace_status.sh emits STABLE_SIPI_VERSION
from version.txt, and src/BUILD.bazel's
expand_template(stamp_substitutions = {…}) bakes it into
SipiVersion.h. Stamp substitutions only fire when the build is
invoked with --stamp.

Solution: Add --stamp to the recipe.

Gotchas

  • Sanitizer coverage is e2e-only in this window. bazel build
    is build-only — unit-test sanitizer coverage temporarily disappears
    from CI until DEV-6348 (PR Y+6) cuts the unit-test execution path
    over to Bazel cc_test. The e2e suite still runs the binary
    sanitized via just nix-test-e2e against bazel-bin/src/sipi, so
    user-facing flow regressions remain gated. REVIEW.md's
    "Sanitizer gate" bullet now reflects this; reviewers approving PRs
    in this window need to know.
  • --per_file_copt regex is the only mechanism scoping sanitizer
    flags to first-party TUs. A future BUILD refactor that moves a
    .cpp file out of src/, shttps/, fuzz/ or test/ (e.g. into a
    genrule output, a nested package, or a symlinked workspace)
    will silently drop sanitizer instrumentation on that file with no
    warning and no build error. The extension list is broad
    (\.(cpp|cc|cxx|c|mm)$); the path prefix list is what to widen
    if the layout changes.
  • --compilation_mode=dbg propagates to all foreign_cc cmake()
    deps. Adding a new cmake() ext dep requires pinning BOTH
    cache_entries["CMAKE_BUILD_TYPE"] = "RelWithDebInfo" AND
    configuration = "RelWithDebInfo" on the rule. Without the
    second, install-phase artifact paths still resolve under
    <prefix>/lib/cmake/X/XConfig-debug.cmake and break consumers.
    The 9 ext/*/BUILD.bazel files added here are templates.
  • vptr disable is a real coverage gap, not a workaround that
    goes away on its own. It will stay disabled until either
    toolchains_llvm starts shipping libclang_rt.ubsan_standalone_cxx
    in static form or the project moves to dynamic libc++. Both are
    upstream-driven; track via .bazelrc's inline rationale.

Test Plan

  • macOS-aarch64 local build verified. nix develop -c bazel build --config=asan --config=ubsan //src:sipi succeeds on darwin-aarch64; satisfies CLAUDE.md's build-completeness invariant.
  • nix flake check --no-build succeeds — .#sanitized removal does not break flake evaluation; remaining outputs (.#dev, .#default, .#release, .#fuzz, .#docker*, .#e2e-tests, .#smoke-test) still resolve on aarch64-darwin.
  • bazelisk version works in nix develop; bazelisk canonicalize-flags --config=asan --config=ubsan returns 0 (configs parse).
  • Repo-wide grep — no remaining references to enableSanitizers, ENABLE_SANITIZERS, sanitizer_config, nix-build-sanitized, or .#sanitized outside the new recipe's contextual comment.
  • CI: sanitizer.yml green on this PR with the Bazel-built binary; ASan + UBSan signature identical to the previous Nix-built run.
  • CI: .lsan_suppressions.txt still consulted — verify negative case by removing one leak:lua* line and confirming the corresponding leak surfaces as a SUMMARY: line in the e2e step (manual workflow_dispatch run).
  • CI: /tmp/asan-e2e.* glob and SUMMARY: post-processing path unchanged from prior runs.
  • CI: Bazel disk cache hit on a no-op rebuild (re-run after first green to confirm ~/.cache/bazel-disk persistence and the targeted key formula).

🤖 Generated with Claude Code
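The second Gotcha above says a first-party .cpp that drifts outside src/, shttps/, fuzz/ or test/ silently loses ASan/UBSan instrumentation. The following audit is an added example, not code from the Sipi repository: it applies the PR's --per_file_copt regex to a checkout's file list and fails loudly when a first-party C-family translation unit is not matched. The sample paths and the ext/ and bazel-* "third-party" prefixes are constructed assumptions for this example.

```python
"""Audit the .bazelrc --per_file_copt scope described in the PR.

Added example, not part of the Sipi repository. Walks a checkout (or a
constructed path list) and reports first-party C-family translation units
that the sanitizer regex does NOT match, turning a silent instrumentation
drop into a loud CI failure.
"""
import re
from pathlib import Path

# Regex quoted from the PR description's --per_file_copt line.
PER_FILE_COPT_REGEX = r"^(src|shttps|fuzz|test)/.*\.(cpp|cc|cxx|c|mm)$"

# The same C-family suffixes the regex enumerates; headers are not TUs.
C_FAMILY_SUFFIXES = (".cpp", ".cc", ".cxx", ".c", ".mm")

# Path prefixes that are uninstrumented by design (foreign_cc deps under
# ext/ and Bazel output symlinks). Assumption for this example only.
THIRD_PARTY_PREFIXES = ("ext/", "bazel-")


def is_c_family_tu(path: str) -> bool:
    """True for files a C/C++/ObjC++ compile action would consume."""
    return path.endswith(C_FAMILY_SUFFIXES)


def classify(paths, regex=PER_FILE_COPT_REGEX):
    """Split repo-relative paths into three sorted lists:
    (instrumented, uncovered_first_party, third_party)."""
    pattern = re.compile(regex)
    instrumented, uncovered, third_party = [], [], []
    for p in sorted(paths):
        p = p.replace("\\", "/")            # normalise Windows checkouts
        if not is_c_family_tu(p):
            continue
        if p.startswith(THIRD_PARTY_PREFIXES):
            third_party.append(p)           # expected to stay uninstrumented
        elif pattern.match(p):
            instrumented.append(p)          # sanitizer copts will apply
        else:
            uncovered.append(p)             # first-party TU the regex misses
    return instrumented, uncovered, third_party


def repo_paths(root):
    """Yield repo-relative POSIX paths of every file under a checkout."""
    root = Path(root)
    for f in root.rglob("*"):
        if f.is_file() and ".git" not in f.parts:
            yield f.relative_to(root).as_posix()


def audit(paths, regex=PER_FILE_COPT_REGEX) -> bool:
    """Print a short report; return True when no first-party TU escapes."""
    instrumented, uncovered, third_party = classify(paths, regex)
    print(f"instrumented first-party TUs: {len(instrumented)}")
    print(f"uninstrumented ext/ TUs (expected): {len(third_party)}")
    for p in uncovered:
        print(f"NOT matched by --per_file_copt regex: {p}")
    return not uncovered


# Constructed sample layout (not the real Sipi tree). The last entry is the
# Gotcha's edge case: a first-party TU outside the regex's prefix list.
SAMPLE_PATHS = [
    "src/sipi.cpp",
    "src/nested/pkg/Parser.c",
    "shttps/Server.cc",
    "test/unit/Foo.cxx",
    "src/SipiVersion.h",           # header, not a TU: ignored
    "ext/kakadu/coresys/x.cpp",    # foreign_cc dep: uninstrumented by design
    "tools/codegen/helper.cpp",    # first-party TU that loses instrumentation
]

if __name__ == "__main__":
    import sys
    paths = repo_paths(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    sys.exit(0 if audit(paths) else 1)
```

Run it with the repository root as the only argument from the CI job that builds the sanitized variant; a non-zero exit means the path-prefix list in .bazelrc needs widening.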

@linear-code

linear-code Bot commented May 3, 2026

@github-actions

github-actions Bot commented May 3, 2026

Overview

| Image reference | daschswiss/sipi:v4.1.1 | daschswiss/sipi:latest |
|---|---|---|
| digest | 65b287d0ceae | dfdf374a5034 |
| tag | v4.1.1 | latest |
| vulnerabilities | critical: 0 high: 0 medium: 72 low: 18 | critical: 0 high: 0 medium: 0 low: 0 |
| platform | linux/amd64 | linux/amd64 |
| size | 217 MB | 144 MB (-73 MB) |
| packages | 486 | 123 (-363) |

environment: production
provenance: 0b37305
Environment Variables (6 changes)
  • + 2 added
  • - 2 removed
  • ± 2 changed
  • 1 unchanged
-LANG=en_US.UTF-8
+LANG=C.UTF-8
-LANGUAGE=en_US.UTF-8
-LC_ALL=en_US.UTF-8
+LC_ALL=C.UTF-8
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+SSL_CERT_FILE=/nix/store/zp564phiicll8d53d973gbh8y3iiwlm7-nss-cacert-3.121/etc/ssl/certs/ca-bundle.crt
 TZ=Europe/Zurich
+TZDIR=/nix/store/cxjmhdbpy3bk12jc6lwpmcvlas76a7zm-tzdata-2026a/share/zoneinfo
Labels (7 changes)
  • + 5 added
  • - 1 removed
  • ± 1 changed
-maintainer=support@dasch.swiss
+org.opencontainers.image.description=IIIF-compatible media server.
+org.opencontainers.image.licenses=AGPL-3.0-only
+org.opencontainers.image.revision=0b37305b8118fe6bb3a4cfcc3b0efab23347be9b
+org.opencontainers.image.source=https://github.com/dasch-swiss/sipi
+org.opencontainers.image.title=Sipi
-org.opencontainers.image.version=24.04
+org.opencontainers.image.version=v4.1.1
Config (1 changes)
  • ± 1 changed
  • 3 unchanged
 1024/tcp=
 cmd=--config=/sipi/config/sipi.config.lua
-entrypoint=/usr/sbin/pid1 --verbose -- /sipi/sipi
+entrypoint=/nix/store/lzx3vwggc3y2diwpkql7a5k425x46pvz-tini-0.19.0/bin/tini -- /nix/store/jm9jwji5kl9b4bcwmd0y2r00z6ffqwk7-sipi-4.1.1/bin/sipi
 workdir=/sipi
Policies (0 improved, 0 worsened, 2 missing data)
| Policy Name | daschswiss/sipi:v4.1.1 | daschswiss/sipi:latest | Change Standing |
|---|---|---|---|
| Default non-root user | ⚠️ | ⚠️ | No Change |
| No AGPL v3 licenses | | | No Change |
| No fixable critical or high vulnerabilities | | | No Change |
| No high-profile vulnerabilities | | | No Change |
| No outdated base images | ❓ No data | ❓ No data | |
| No unapproved base images | ❓ No data | ❓ No data | |
| Supply chain attestations | ⚠️ 2 | ⚠️ 2 | No Change |
Packages and Vulnerabilities (609 package changes and 0 vulnerability changes)
  • ➕ 123 packages added
  • ➖ 486 packages removed
Changes for packages of type deb (486 changes)
Changes for packages of type generic (3 changes)
Package | Version (daschswiss/sipi:v4.1.1) | Version (daschswiss/sipi:latest)
bash 5.3.9
curl 8.19.0
ffmpeg 8.0.1
Changes for packages of type nix (120 changes)

@codecov

codecov Bot commented May 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.3%. Comparing base (0b810ed) to head (501a35b).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

see 1 file with indirect coverage changes


@subotic subotic force-pushed the feature/dev-6344-bazel-migration-pr-y2-sanitized-variant-via-bazel branch from 2e2106a to 4e70b69 Compare May 3, 2026 13:44
subotic added 3 commits May 3, 2026 15:49
Implements PR Y+2 of the Sipi Bazel migration (DEV-6341). The sanitized
build now runs through Bazel via two composable configs in `.bazelrc`:

    bazel build --config=asan --config=ubsan //src:sipi

Each config carries `--compilation_mode=dbg`, `--strip=never`,
`-fno-omit-frame-pointer`, `-fno-optimize-sibling-calls`, plus the
sanitizer's `-fsanitize=…` copt + linkopt. DWARF stays inline so LSan's
symbol-name suppressions in `.lsan_suppressions.txt` (`leak:lua*`)
match. Mirrors the prior `-fsanitize=address,undefined` flags from the
deleted `ENABLE_SANITIZERS` CMake option.

Sanitizer copts are scoped to first-party translation units via
`--per_file_copt=^(src|shttps|fuzz|test)/.*\.(cpp|cc|cxx|c|mm)$@-fsanitize=…`
rather than global `--copt`. Action-scoped flags do NOT propagate as
foreign_cc CFLAGS, so kakadu/openssl/exiv2/png/etc. stay
uninstrumented — the same property the prior CMake build had (the
`sanitizer_config` INTERFACE library only attached to `sipi` and
`libsipi_testable`, never to `ext/*` foreign_cc targets). Mixing
instrumented sipi with uninstrumented deps is supported by ASan and
UBSan. The extension list covers every C-family suffix upfront so a
future `.cc`/`.cxx`/`.mm` translation unit fails loud rather than
silently dropping coverage.

UBSan vptr is disabled with `-fno-sanitize=vptr` at both compile and
link layers because toolchains_llvm only ships the C++-runtime-dependent
`libclang_rt.ubsan_standalone_cxx` in dynamic form, while sipi's link
line is static. Other UBSan checks (integer overflow, null deref,
alignment, …) link cleanly. Tracked inline in `.bazelrc`; revisit when
toolchains_llvm ships static or sipi moves to dynamic libc++.

Each `cmake()` ext dep (`ext/{curl,exiv2,expat,jansson,png,sentry,tiff,webp,zstd}/BUILD.bazel`)
pins both `cache_entries["CMAKE_BUILD_TYPE"] = "RelWithDebInfo"` AND a
rule-level `configuration = "RelWithDebInfo"` to neutralise
`--compilation_mode=dbg`'s propagation as `-DCMAKE_BUILD_TYPE=Debug`.
Without this, two failure modes follow: (1) some upstream CMakeLists
apply `set_target_properties(... DEBUG_POSTFIX "d")` (libpng, sentry;
curl as `"-d"`) producing e.g. `libpng16d.a` instead of the unsuffixed
name expected by `out_static_libs`; (2) per-config IMPORTED-target files
(`XConfig-debug.cmake`) only exist for the matching build type, breaking
downstream consumers with `IMPORTED_LOCATION not set for … configuration "<X>"`.
Both attributes are required — neither alone works.

The new `just bazel-build-sanitized *FLAGS=''` recipe is what
`sanitizer.yml`'s build step now invokes via
`nix develop --command bash -c "just bazel-build-sanitized
--disk_cache=\$HOME/.cache/bazel-disk"`. The `*FLAGS` positional lets CI
inject the disk-cache path without duplicating the recipe body.
`--verbose_failures` surfaces the underlying cmake/make output from any
failing foreign_cc dep — without it, Bazel only reports the higher-level
"output X was not created" line. `--stamp` runs
`tools/workspace_status.sh` so `STABLE_SIPI_VERSION` (from
`version.txt`) is baked into `SipiVersion.h` via `src/BUILD.bazel`'s
`expand_template(stamp_substitutions = {…})`; without it the binary
reports `sipi 0.0.0-unstamped` and the `cli_version_flag` e2e test
fails.

The workflow's e2e step keeps using `just nix-test-e2e` (Bazel-driven
e2e moves in PR Y+5 / DEV-6347), now pointing `SIPI_BIN` at
`bazel-bin/src/sipi` instead of `result/bin/sipi`. `LSAN_OPTIONS`,
`ASAN_OPTIONS=log_path=/tmp/asan-e2e`, the `SUMMARY:` post-processing
grep, and the artifact upload are all unchanged — only the
build-orchestrator changes.

`sanitizer.yml` also gains the same DEV-6371 cache strategy
`bazel-build.yml` uses (`actions/cache@v5` directly with a targeted key
formula, not `setup-bazel`'s built-in disk-cache wiring), a
`jlumbroso/free-disk-space` step to release pre-installed SDKs that
would otherwise crowd the LLVM 19 toolchain + ext-lib closure off
ubuntu-24.04, and a post-failure `Make.log` dump step that surfaces
foreign_cc rule stderr. Trigger paths cover every Bazel-graph input
(`.bazelrc`, `.bazelversion`, `MODULE.bazel*`, `BUILD.bazel`,
`**/BUILD.bazel`, `bazel/**`, `tools/**`, `ext/**`,
`.github/workflows/sanitizer.yml`).

Removes:
- `flake.nix` `.#sanitized` package output (the
  `pkgs.sipi.override { enableSanitizers = true; ... }.overrideAttrs
  { dontStrip = true; separateDebugInfo = false; }` block).
- `package.nix` `enableSanitizers` parameter and its
  `-DENABLE_SANITIZERS=ON` cmakeFlag — no remaining caller.
- `just nix-build-sanitized` recipe and the `build-sanitized/` line in
  `just clean`.

Coverage note: until DEV-6348 (Y+6) cuts unit-test execution to Bazel
`cc_test`, the sanitizer.yml workflow exercises the e2e suite only —
`bazel build` is build-only by design. The full debug-and-design
journey (CFLAGS-poisoning of foreign_cc, `--compilation_mode=dbg`
propagation, vptr link error, kakadu env mismatch, `--stamp` e2e
expectation) is captured in the PR description's
"Challenges and Decisions" section.

After the previous commit moves the sanitized variant to
`bazel build --config=asan --config=ubsan`, the CMake `ENABLE_SANITIZERS`
option no longer has any caller. `package.nix` no longer passes
`-DENABLE_SANITIZERS=ON`, and CI's sanitizer.yml drives Bazel directly.

Removes:
- The `sanitizer_config` INTERFACE library block in `CMakeLists.txt`
  (the `option()` declaration and the `target_compile_options` /
  `target_link_options` setting `-fsanitize=address,undefined`).
- `target_link_libraries(sipi sanitizer_config)` and the surrounding
  guard at `CMakeLists.txt`.
- `target_link_libraries(libsipi_testable PUBLIC sanitizer_config)` and
  its guard in `test/CMakeLists.txt`.

The dev-shell inner-loop CMake build is being phased out alongside the
broader Bazel migration; deleting dead options here keeps the CMake
surface honest until `package.nix` and `CMakeLists.txt` themselves are
removed in PR Y+7 (DEV-6349).

Updates documentation to reflect the Nix→Bazel sanitized-build cutover:

- `CLAUDE.md`: drop `.#sanitized` from the build-completeness invariant;
  add `bazel-build-sanitized` to the Bazel inner-loop quick reference.
- `docs/src/development/building.md`: replace `nix-build-sanitized` with
  `bazel-build-sanitized` in the common-commands example and the target
  table.
- `docs/src/development/ci.md`: update local-reproduction snippet to
  `bazel build --config=asan --config=ubsan` plus the e2e env vars
  (`ASAN_OPTIONS`, `LSAN_OPTIONS`); drop `nix-build-sanitized` from the
  Linux-target recipe list.
- `docs/src/development/cpp-style-guide.md`: rewrite the Sanitizer
  Flags section in terms of `--config=asan` / `--config=ubsan`.
- `docs/src/development/nix.md`: drop `nix-build-sanitized` from the
  build-artifacts table; drop `.#sanitized` from the "Derivation"
  primer paragraph and the "Building Linux binaries from macOS"
  cross-platform list, forward-pointing to `bazel-build-sanitized` /
  `building.md`.
- `docs/src/development/testing-strategy.md`: refresh the Memory
  Safety section's infrastructure table and CI Integration row to
  reference Bazel; note that unit-test sanitizer coverage returns when
  Y+6 (DEV-6348) cuts CI's unit-test execution to Bazel `cc_test`.
- `REVIEW.md`: extend the "Sanitizer gate" bullet to flag the
  e2e-only coverage window — the Bazel build step compile-instruments
  every first-party translation unit, but `bazel build` is build-only,
  so unit tests are not executed under sanitizers until DEV-6348.
  Reviewers approving PRs in this window need to know.
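The two composable `.bazelrc` configs that the first commit message describes, written out as an added example (this is not the project's own `.bazelrc`; the first-party regex is the one quoted in the commit, while the exact line layout and the choice to keep the frame-pointer flags inside the same `--per_file_copt` action scope are assumptions):

```bazelrc
# Added example reconstructing the asan/ubsan configs described above; not
# the project's own .bazelrc. Stack them with:
#   bazel build --config=asan --config=ubsan //src:sipi
#
# Sanitizer copts are action-scoped via --per_file_copt, so they apply only
# to first-party translation units and are NOT exported as CFLAGS to the
# foreign_cc deps under ext/ (which therefore stay uninstrumented).
# --linkopt still applies to the final //src:sipi link, which is where the
# sanitizer runtimes get pulled in.

# --- AddressSanitizer (+ LeakSanitizer) ---
build:asan --compilation_mode=dbg
build:asan --strip=never
# Assumption: frame-pointer flags ride in the same per-file scope as -fsanitize.
build:asan --per_file_copt=^(src|shttps|fuzz|test)/.*\.(cpp|cc|cxx|c|mm)$@-fsanitize=address,-fno-omit-frame-pointer,-fno-optimize-sibling-calls
build:asan --linkopt=-fsanitize=address

# --- UndefinedBehaviorSanitizer ---
build:ubsan --compilation_mode=dbg
build:ubsan --strip=never
# vptr is disabled at both compile and link layers: the C++-runtime-dependent
# ubsan_standalone_cxx runtime is only shipped dynamically, but the sipi link
# line is static. Remaining checks (integer overflow, null deref, alignment)
# stay enabled.
build:ubsan --per_file_copt=^(src|shttps|fuzz|test)/.*\.(cpp|cc|cxx|c|mm)$@-fsanitize=undefined,-fno-sanitize=vptr,-fno-omit-frame-pointer,-fno-optimize-sibling-calls
build:ubsan --linkopt=-fsanitize=undefined
build:ubsan --linkopt=-fno-sanitize=vptr
```

DWARF is left inline by `--strip=never` together with `-c dbg`, which is what lets the symbol-name rules in `.lsan_suppressions.txt` match at runtime.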
@subotic subotic force-pushed the feature/dev-6344-bazel-migration-pr-y2-sanitized-variant-via-bazel branch from 4e70b69 to 501a35b Compare May 3, 2026 13:50
@subotic subotic merged commit fec6727 into main May 3, 2026
11 checks passed
@subotic subotic deleted the feature/dev-6344-bazel-migration-pr-y2-sanitized-variant-via-bazel branch May 3, 2026 14:09