CI: Run backend unit tests under valgrind

hanno-becker · hanno-becker · commit b1dc236f8d49 · 2026-04-19T05:14:54.000+01:00
Add unit_valgrind job to ci.yml that runs the unit tests under
valgrind on x86_64 and aarch64 runners. This catches buffer
overflows in hand-written assembly that ASan cannot detect, since
ASan only instruments compiler-generated code.

Signed-off-by: Hanno Becker &lt;beckphan@amazon.co.uk&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -469,6 +469,45 @@ jobs:
           examples: false
           stack: true
           check_namespace: false
+  unit_valgrind:
+    name: Unit tests + valgrind (${{ matrix.target.name }}, ${{ matrix.cflags }})
+    strategy:
+      fail-fast: false
+      matrix:
+        external:
+         - ${{ github.repository_owner != 'pq-code-package' }}
+        target:
+          - runner: ubuntu-latest
+            name: x86_64
+          - runner: ubuntu-24.04-arm
+            name: aarch64
+        cflags: ['-O3', '-Os']
+        exclude:
+          - external: true
+    runs-on: ${{ matrix.target.runner }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Unit tests under valgrind
+        uses: ./.github/actions/functest
+        with:
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          nix-shell: valgrind-varlat_gcc15
+          nix-cache: false
+          opt: opt
+          cflags: "${{ matrix.cflags }} -std=c11 -D_GNU_SOURCE -DMLK_CONFIG_FILE=\\\\\\\"../test/configs/custom_heap_alloc_config.h\\\\\\\""
+          func: false
+          kat: false
+          acvp: false
+          wycheproof: false
+          examples: false
+          stack: false
+          unit: true
+          alloc: false
+          rng_fail: false
+          check_namespace: false
+          # Disable AArch64 SHA3 extension: valgrind cannot emulate it
+          extra_env: "MK_COMPILER_SUPPORTS_SHA3=0"
+          exec_wrapper: "valgrind --error-exitcode=1"
   config_variations:
     name: Non-standard configurations
     strategy:
diff --git a/test/mk/components.mk b/test/mk/components.mk
@@ -32,9 +32,8 @@ $(MLKEM768_OBJS): CFLAGS += -DMLK_CONFIG_PARAMETER_SET=768
 MLKEM1024_OBJS = $(call MAKE_OBJS,$(MLKEM1024_DIR),$(SOURCES) $(FIPS202_SRCS))
 $(MLKEM1024_OBJS): CFLAGS += -DMLK_CONFIG_PARAMETER_SET=1024
 
-# Unit test object files - same sources but with MLK_STATIC_TESTABLE= and custom heap alloc config
-UNIT_CFLAGS = -DMLK_STATIC_TESTABLE= -Wno-missing-prototypes \
-  -DMLK_CONFIG_FILE=\"../test/configs/custom_heap_alloc_config.h\" -std=c11 -D_GNU_SOURCE
+# Unit test object files - same sources but with MLK_STATIC_TESTABLE=
+UNIT_CFLAGS = -DMLK_STATIC_TESTABLE= -Wno-missing-prototypes
 
 MLKEM512_UNIT_OBJS = $(call MAKE_OBJS,$(MLKEM512_DIR)/unit,$(SOURCES) $(FIPS202_SRCS))
 $(MLKEM512_UNIT_OBJS): CFLAGS += -DMLK_CONFIG_PARAMETER_SET=512 $(UNIT_CFLAGS)
