Skip to content

refactor: replace deprecated local_resources flag with local_cpu_reso…#21

Merged
Sam-Si merged 10 commits into
mainfrom
feat/final-ci-hardening
Apr 30, 2026
Merged

refactor: replace deprecated local_resources flag with local_cpu_reso…#21
Sam-Si merged 10 commits into
mainfrom
feat/final-ci-hardening

Conversation

@Sam-Si

@Sam-Si Sam-Si commented Apr 19, 2026

Copy link
Copy Markdown
Owner

…urces and local_ram_resources in CI workflows

Sam-Si added 10 commits April 19, 2026 19:52
@Sam-Si
refactor: replace deprecated local_resources flag with local_cpu_reso…
e0e493b 
…urces and local_ram_resources in CI workflows
@Sam-Si
refactor: centralize Bazel CI configurations into a dedicated bazelrc…
a141f2c 
… file
@Sam-Si
feat: configure MSan build settings and suppression rules for CI
c772ee4
@Sam-Si
feat: add TSan proof-of-detection test
77bc7d7 
Add a deliberately buggy BuggyMetricsCollector that mirrors DCodeX's
real DynamicWorkerCoordinator::Metrics pattern. It contains intentional
data races (unprotected read-modify-write on shared counters and a
TOCTOU race in GetCacheHitRate) that are invisible to normal testing
but caught deterministically by ThreadSanitizer.

The test is tagged 'manual' so it never runs in //..., and a new CI
step ('TSan Proof-of-Detection') runs it under --config=tsan and
EXPECTS failure. If TSan fails to detect the race, the CI itself
fails — proving the sanitizer pipeline is broken.

Verified locally:
  - Without TSan: PASSED (race is invisible)
  - With TSan: FAILED with 'ThreadSanitizer: data race' (race caught)
@Sam-Si
fix: resolve CI bash pipefail and bazel flag deprecation warnings
d30d25f 
* Refactor the TSan proof step in CI to avoid bash pipefail conflicts
  when capturing Bazel exit codes.
* Read the test log directly from bazel-testlogs to reliably detect
  the ThreadSanitizer data race footprint.
* Update ci.bazelrc to use the non-deprecated local_resources=cpu=N
  syntax for Bazel 7.x.
@Sam-Si
ci: retrigger pipeline
0bb332b
@Sam-Si
fix: exclude sandbox_test from TSan to prevent OOM on CI
f48b6b4 
sandbox_test forks clang++ and compiled binaries as child processes.
Under TSan (8x memory overhead), these forked processes exhaust the
7GB CI runner memory, causing 'out of memory: failed to allocate
TracePart' errors and spurious exit code 66 failures.

Tagged sandbox_test with 'no-tsan' and added --test_tag_filters=-no-tsan
to the CI TSan step. sandbox_test still runs under Standard, ASan,
and MSan configurations.
@Sam-Si
fix: run sandbox_test under TSan with constrained resources (Option D)
eccba99 
Instead of excluding sandbox_test from TSan entirely, split the TSan
step into two:
  1. Main TSan step: runs all tests except sandbox_test (20 iterations)
  2. Constrained TSan step: runs sandbox_test with --runs_per_test=1
     and --local_test_jobs=1 to prevent OOM from forked clang++

Also reduce CI log noise:
  - test_output=errors (only print output for failing tests)
  - noannounce_rc (suppress the full bazelrc option dump)
  - show_progress_rate_limit=5 (throttle progress updates)
  - curses=no (disable terminal control sequences)
@Sam-Si
fix: redirect bazel output to file for TSan proof grep
eac187a 
The test log symlink lives at .bazel/testlogs/ (due to
--symlink_prefix=.bazel/) not bazel-testlogs/. Instead of
guessing the symlink path, capture bazel's stdout+stderr
to /tmp/tsan_proof_output.log and grep that directly.
@Sam-Si
fix: remove MSan from CI — requires instrumented libc++
c344ec8 
MSan fundamentally requires ALL linked libraries to be compiled with
MSan instrumentation. The system libstdc++ on GitHub Actions runners
is not instrumented, causing every test to fail in googletest's
static initialization (testing::Message::Message) before any DCodeX
code even executes.

TSan and ASan remain — they work correctly with non-instrumented
system libraries. The MSan config is preserved in .bazelrc for local
use with a custom toolchain.
@Sam-Si Sam-Si force-pushed the feat/final-ci-hardening branch from f656e91 to c344ec8 Compare April 30, 2026 18:18
@Sam-Si Sam-Si merged commit 0bc4bf6 into main Apr 30, 2026
1 of 2 checks passed
@Sam-Si Sam-Si deleted the feat/final-ci-hardening branch April 30, 2026 18:21
@github-advanced-security

github-advanced-security AI commented Apr 30, 2026

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Sam-Si @github-advanced-security