Fix UBSan-flagged undefined behavior and clean up sanitizer suppressions

- Fix signed integer overflow UB in negation operations by performing
  negation in unsigned domain before casting back to signed. Applies to
  IOUAmount, XRPAmount, MPTAmount, and throughout STAmount (operator+,
  set, canonicalize, xrp/iou/mpt accessors, constructors).
- Fix post-decrement loop patterns that cause unsigned integer overflow
  (e.g. `while(n--)`) by replacing with `while(n > 0) { --n; ... }` or
  `for` loops in DecayingSample.h, varint.h, base64.cpp, BasicApp.cpp,
  and yield_to.h.
- Add Counts::adjustCounter() helper in PeerFinder to safely adjust
  size_t counters by signed values without triggering UBSan.
- Fix uninitialized member in ValidatorSite_test and remove
  overflow-dependent initialization in LexicalCast_test.
- Drastically reduce ubsan.supp by removing broad per-file suppressions
  now that the underlying issues are fixed. Keep only targeted
  suppressions for external libraries (RocksDB, protobuf, gRPC, nudb,
  snappy, abseil) and intentional unsigned wraps in rippled (STAmount
  arithmetic, nft::cipheredTaxon).
- Remove UBSAN_OPTIONS runtime suppressions file from CI workflow.
- Enable UBSan builds for gcc-13 in addition to clang-20 in CI matrix.
- Add fPIC handling in conanfile.py when Address sanitizer is active.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Pratik Mankawde
2026-03-11 11:37:28 +00:00
parent 3baf5454f2
commit fe8403f9c4
17 changed files with 140 additions and 181 deletions

@@ -236,10 +236,12 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
# names get truncated.
# Add Address and Thread (both coupled with UB) sanitizers for specific bookworm distros.
# GCC-Asan rippled-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
if (
os["distro_version"] == "bookworm"
and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-20"
):
if os[
"distro_version"
] == "bookworm" and f"{os['compiler_name']}-{os['compiler_version']}" in [
"gcc-13",
"clang-20",
]:
# Add ASAN + UBSAN configuration.
configurations.append(
{
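Review bot: the comments around this condition no longer match what it selects. With "gcc-13" now in the list, the line "GCC-Asan rippled-embedded tests are failing because of https://github.com/google/sanitizers/issues/856" reads as a reason to exclude gcc, and "# Add ASAN + UBSAN configuration." is kept even though the sanitizers value of this configuration changes in the next hunk. Please reword both comments to say which sanitizers each compiler gets and why. As a style point, the subscript split over three lines (`if os[` / `"distro_version"` / `] == "bookworm" and ...`) is hard to read; keeping the parenthesised form and testing membership with `in ("gcc-13", "clang-20")` would preserve the original layout.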
@@ -250,7 +252,7 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
"build_type": build_type,
"os": os,
"architecture": architecture,
"sanitizers": "address,undefinedbehavior",
"sanitizers": "undefinedbehavior",
}
)
# TSAN is deactivated due to seg faults with latest compilers.
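Review bot: the "sanitizers" value changes from "address,undefinedbehavior" to "undefinedbehavior", which, as far as these lines show, takes AddressSanitizer out of this configuration for clang-20 as well as for the newly added gcc-13. The commit message only mentions enabling UBSan builds for gcc-13, so the loss of ASan coverage on clang-20 is undocumented. If it is intended, state it in the commit message; if not, select the value per compiler so that clang-20 keeps "address,undefinedbehavior" and gcc-13 gets "undefinedbehavior". The "# Add ASAN + UBSAN configuration." comment above this dict should be updated to match whichever is chosen.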