From 6ebe7d2bb39978e70d85a718919d4af31cc00bc2 Mon Sep 17 00:00:00 2001 From: Tim Ruffing Date: Wed, 30 Aug 2023 18:11:36 +0200 Subject: [PATCH 1/5] ci/Dockerfile: Always use versioned clang packages This commit switches to a new strategy to make sure we're installing the most recent LLVM packages. Before this commit, we used the unversioned LLVM packages (e.g., `clang` instead of `clang-18`), which are supposed to provide the latest snapshot, but this is broken for arm64 [1], which we want to add in a later PR. Anyway, the new approach is cleaner because it does not require us to fiddle with the installed `clang` package by removing a symlink. [1] https://github.com/llvm/llvm-project/issues/64790 Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
---
 ci/linux-debian.Dockerfile | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/ci/linux-debian.Dockerfile b/ci/linux-debian.Dockerfile
index 48714b42e..b7a13a064 100644
--- a/ci/linux-debian.Dockerfile
+++ b/ci/linux-debian.Dockerfile
@@ -46,17 +46,21 @@ RUN mkdir gcc && cd gcc && \
 cd ../.. && rm -rf gcc && \
 ln -s /opt/gcc-snapshot/bin/gcc /usr/bin/gcc-snapshot

-# Install clang snapshot
-RUN wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \
+# Install clang snapshot, see https://apt.llvm.org/
+RUN \
+ # Setup GPG keys of LLVM repository
+ apt-get update && apt-get install --no-install-recommends -y wget && \
+ wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \
 # Add repository for this Debian release
 . /etc/os-release && echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME} main" >> /etc/apt/sources.list && \
- # Install clang snapshot
- apt-get update && apt-get install --no-install-recommends -y clang && \
- # Remove just the "clang" symlink again
- apt-get remove -y clang && \
- # We should have exactly two clang versions now
- ls /usr/bin/clang* && \
- [[ $(ls /usr/bin/clang-?? | sort | wc -l) -eq "2" ]] && \
- # Create symlinks for them
- ln -s $(ls /usr/bin/clang-?? | sort | tail -1) /usr/bin/clang-snapshot && \
- ln -s $(ls /usr/bin/clang-?? | sort | head -1) /usr/bin/clang
+ apt-get update && \
+ # Determine the version number of the LLVM development branch
+ LLVM_VERSION=$(apt-cache search --names-only '^clang-[0-9]+$' | sort -V | tail -1 | cut -f1 -d" " | cut -f2 -d"-" ) && \
+ # Install
+ apt-get install --no-install-recommends -y "clang-${LLVM_VERSION}" && \
+ # Create symlink
+ ln -s "/usr/bin/clang-${LLVM_VERSION}" /usr/bin/clang-snapshot && \
+ # Clean up
+ apt-get autoremove -y wget && \
+ apt-get clean
+
From 4b8a647ad3a59c2421d1d4c6e653f21d453e2612 Mon Sep 17 00:00:00 2001 From: Tim Ruffing Date: Wed, 30 Aug 2023 18:15:43 +0200 Subject: [PATCH 2/5] ci/gha: Add ARM64 QEMU jobs for clang and clang-snapshot
---
 .github/workflows/ci.yml | 11 +++++++++++ 1 file changed, 11 insertions(+)
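Review bot: The LLVM signing key is written to `/etc/apt/trusted.gpg.d/` in the rewritten clang `RUN`, so apt accepts it for every configured source, including the Debian archive, while the repository line kept as context is fetched over `http://`. Scoping the key to this one repository limits what a compromised or rotated LLVM key can sign for: store it outside `trusted.gpg.d`, e.g. `wget -qO /etc/apt/keyrings/apt.llvm.org.asc https://apt.llvm.org/llvm-snapshot.gpg.key` (creating the directory if the base image lacks it), and reference it with `echo "deb [signed-by=/etc/apt/keyrings/apt.llvm.org.asc] http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME} main"`. Writing the file directly also removes the `wget ... | tee` pipeline, whose exit status is that of `tee` unless the shell runs with `-o pipefail`. The key is still trusted on first download; if a known fingerprint is available it could be compared before the repository is added.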
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b0ed412bc..e139afe36 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -283,11 +283,22 @@ jobs:
 ELLSWIFT: 'yes'
 CTIMETESTS: 'no'

+ strategy:
+ fail-fast: false
+ matrix:
+ configuration:
+ - env_vars: { } # gcc
+ - env_vars: # clang
+ CC: 'clang --target=aarch64-linux-gnu'
+ - env_vars: # clang-snapshot
+ CC: 'clang-snapshot --target=aarch64-linux-gnu'
+
 steps:
 - name: Checkout
 uses: actions/checkout@v3

 - name: CI script
+ env: ${{ matrix.configuration.env_vars }}
 uses: ./.github/actions/run-in-docker-action
 with:
 dockerfile: ./ci/linux-debian.Dockerfile
From 2f0d3bbffb288621f4232c90424f77d44cc69166 Mon Sep 17 00:00:00 2001 From: Tim Ruffing Date: Wed, 30 Aug 2023 17:13:38 +0200 Subject: [PATCH 3/5] ci/Dockerfile: Warn if `ulimit -n` is too high when running Docker The underlying issue does not affect our CI hosts, but is an issue on my development machine (Arch Linux). In particular, this affects the vanilla configuration of Docker on systemd, which has effectively no limit: https://github.com/docker/packaging/blob/11400a3f5a20f2e3eecc3e6347a2ad9ce41278c7/pkg/docker-engine/common/systemd/docker.service#L31 I hope this saves future generations some precious hours of their life.
---
 ci/linux-debian.Dockerfile | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ci/linux-debian.Dockerfile b/ci/linux-debian.Dockerfile
index b7a13a064..dd4cf8b3a 100644
--- a/ci/linux-debian.Dockerfile
+++ b/ci/linux-debian.Dockerfile
@@ -2,6 +2,17 @@ FROM debian:stable-slim

 SHELL ["/bin/bash", "-c"]

+WORKDIR /root
+
+# A too high maximum number of file descriptors (with the default value
+# inherited from the docker host) can cause issues with some of our tools:
+# - sanitizers hanging: https://github.com/google/sanitizers/issues/1662
+# - valgrind crashing: https://stackoverflow.com/a/75293014
+# This is not be a problem on our CI hosts, but developers who run the image
+# on their machines may run into this (e.g., on Arch Linux), so warn them.
+# (Note that .bashrc is only executed in interactive bash shells.)
+RUN echo 'if [[ $(ulimit -n) -gt 200000 ]]; then echo "WARNING: Very high value reported by \"ulimit -n\". Consider passing \"--ulimit nofile=32768\" to \"docker run\"."; fi' >> /root/.bashrc
+
 RUN dpkg --add-architecture i386 && \
 dpkg --add-architecture s390x && \
 dpkg --add-architecture armhf && \
@@ -24,8 +35,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 gcc-mingw-w64-i686-win32 wine32 \
 python3

-WORKDIR /root
-
 # Build and install gcc snapshot
 ARG GCC_SNAPSHOT_MAJOR=14
 RUN mkdir gcc && cd gcc && \
From e78c7b68eb7e91cf9b88408c053867f148d62ffa Mon Sep 17 00:00:00 2001 From: Tim Ruffing Date: Wed, 30 Aug 2023 18:25:06 +0200 Subject: [PATCH 4/5] ci/Dockerfile: Reduce size of Docker image further - No need to have wget installed - Clean up rm -rf /var/lib/apt/lists/, see https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
---
 ci/linux-debian.Dockerfile | 14 +++++++-------  1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ci/linux-debian.Dockerfile b/ci/linux-debian.Dockerfile
index dd4cf8b3a..e719907e8 100644
--- a/ci/linux-debian.Dockerfile
+++ b/ci/linux-debian.Dockerfile
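Review bot: The added comment in the first hunk reads "This is not be a problem on our CI hosts"; the line should be `# This is not a problem on our CI hosts, but developers who run the image`. The threshold `200000` in the `.bashrc` check and the suggested `nofile=32768` are given without a reason, so a short comment on why the warning starts at that value would help whoever has to adjust it later. As the comment itself says, `.bashrc` is only read by interactive bash shells, so a container started with a non-interactive command prints no warning; if that case matters, the check would have to run from whatever script the container executes.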
@@ -22,7 +22,7 @@ RUN dpkg --add-architecture i386 && \
 # dkpg-dev: to make pkg-config work in cross-builds
 # llvm: for llvm-symbolizer, which is used by clang's UBSan for symbolized stack traces
 RUN apt-get update && apt-get install --no-install-recommends -y \
- git ca-certificates wget \
+ git ca-certificates \
 make automake libtool pkg-config dpkg-dev valgrind qemu-user \
 gcc clang llvm libclang-rt-dev libc6-dbg \
 g++ \
@@ -37,7 +37,8 @@ RUN apt-get update && apt-get install --no-install-recommends -y \

 # Build and install gcc snapshot
 ARG GCC_SNAPSHOT_MAJOR=14
-RUN mkdir gcc && cd gcc && \
+RUN apt-get update && apt-get install --no-install-recommends -y wget libgmp-dev libmpfr-dev libmpc-dev flex && \
+ mkdir gcc && cd gcc && \
 wget --progress=dot:giga --https-only --recursive --accept '*.tar.xz' --level 1 --no-directories "https://gcc.gnu.org/pub/gcc/snapshots/LATEST-${GCC_SNAPSHOT_MAJOR}" && \
 wget "https://gcc.gnu.org/pub/gcc/snapshots/LATEST-${GCC_SNAPSHOT_MAJOR}/sha512.sum" && \
 sha512sum --check --ignore-missing sha512.sum && \
@@ -46,14 +47,13 @@ RUN mkdir gcc && cd gcc && \
 [[ $(ls *.tar.xz | wc -l) -eq "1" ]] && \
 tar xf *.tar.xz && \
 mkdir gcc-build && cd gcc-build && \
- apt-get update && apt-get install --no-install-recommends -y libgmp-dev libmpfr-dev libmpc-dev flex && \
 ../*/configure --prefix=/opt/gcc-snapshot --enable-languages=c --disable-bootstrap --disable-multilib --without-isl && \
 make -j $(nproc) && \
 make install && \
- apt-get autoremove -y libgmp-dev libmpfr-dev libmpc-dev flex && \
- apt-get clean && \
 cd ../.. && rm -rf gcc && \
- ln -s /opt/gcc-snapshot/bin/gcc /usr/bin/gcc-snapshot
+ ln -s /opt/gcc-snapshot/bin/gcc /usr/bin/gcc-snapshot && \
+ apt-get autoremove -y wget libgmp-dev libmpfr-dev libmpc-dev flex && \
+ apt-get clean && rm -rf /var/lib/apt/lists/*

 # Install clang snapshot, see https://apt.llvm.org/
 RUN \
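Review bot: The `rm -rf /var/lib/apt/lists/*` added at the end of the gcc-snapshot `RUN` (and again at the end of the clang `RUN` in the last hunk of this patch) only removes what was fetched inside those layers; lists downloaded by the first `RUN apt-get update && apt-get install ...` stay in that earlier layer and are still shipped. As far as the hunks in this series show, that instruction ends at `python3` with no cleanup and this patch only touches its `git ca-certificates` line. Ending it with `python3 && \` followed by `apt-get clean && rm -rf /var/lib/apt/lists/*` would make the size reduction complete. The package-list `RUN` ends outside these hunks, so this should be checked against the full file.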
@@ -71,5 +71,5 @@ RUN \
 ln -s "/usr/bin/clang-${LLVM_VERSION}" /usr/bin/clang-snapshot && \
 # Clean up
 apt-get autoremove -y wget && \
- apt-get clean
+ apt-get clean && rm -rf /var/lib/apt/lists/*

From 2635068abf93ebcf7f200eef14acafc3300e32f7 Mon Sep 17 00:00:00 2001 From: Tim Ruffing Date: Wed, 30 Aug 2023 19:03:19 +0200 Subject: [PATCH 5/5] ci/gha: Let MSan continue checking after errors in all jobs
---
 .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e139afe36..7d8a76215 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -485,11 +485,11 @@ jobs:
 matrix:
 configuration:
 - env_vars:
- CFLAGS: '-fsanitize=memory -g'
+ CFLAGS: '-fsanitize=memory -fsanitize-recover=memory -g'
 - env_vars:
 ECMULTGENPRECISION: 2
 ECMULTWINDOW: 2
- CFLAGS: '-fsanitize=memory -g -O3'
+ CFLAGS: '-fsanitize=memory -fsanitize-recover=memory -g -O3'

 env:
 ECDH: 'yes'