introduce sanitizers in CI

Signed-off-by: Mikhail Kot <mikhail@spiraldb.com>

Author: myrrc

.github/workflows/ci.yml

@@ -379,16 +379,16 @@ jobs:
           flags: ${{ matrix.suite }}
           use_oidc: true
 
-  rust-test:
-    name: "Rust tests (sanitizer)"
+  rust-test-asan:
+    name: "Rust tests (address sanitizer)"
     timeout-minutes: 40
     runs-on: >-
       ${{ github.repository == 'vortex-data/vortex'
-          && format('runs-on={0}/runner=amd64-medium/image=ubuntu24-full-x64-pre-v2/tag=rust-test-sanitizer', github.run_id)
+          && format('runs-on={0}/runner=amd64-medium/image=ubuntu24-full-x64-pre-v2/tag=rust-test-address-sanitizer', github.run_id)
           || 'ubuntu-latest' }}
     env:
       # Add debug symbols and enable ASAN/LSAN with better output
-      ASAN_OPTIONS: "symbolize=1:print_stats=1:check_initialization_order=1:detect_leaks=1:halt_on_error=0:verbosity=1:leak_check_at_exit=1"
+      ASAN_OPTIONS: "symbolize=1:print_stats=1:check_initialization_order=1:detect_leaks=1:verbosity=1:leak_check_at_exit=1"
       LSAN_OPTIONS: "verbosity=1:report_objects=1"
       ASAN_SYMBOLIZER_PATH: "/usr/bin/llvm-symbolizer"
       # Link against DuckDB debug build
@@ -416,14 +416,124 @@ jobs:
           # Build with full debug info first (helps with caching)
           cargo +$NIGHTLY_TOOLCHAIN build --locked --all-features  \
             --target x86_64-unknown-linux-gnu \
-            -p vortex-buffer -p vortex-ffi -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
           # Run tests with sanitizers and debug output
           cargo +$NIGHTLY_TOOLCHAIN nextest run \
             --locked \
             --all-features \
             --no-fail-fast \
             --target x86_64-unknown-linux-gnu \
-            -p vortex-buffer -p vortex-ffi -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
+          # vortex-ffi requires --no-default-features as otherwise we pull in
+          # Mimalloc which interferes with sanitizers
+          # cargo nextest reports less leaks than cargo test
+          cargo +$NIGHTLY_TOOLCHAIN test --locked --no-default-features \
+            -Zbuild-std --no-fail-fast --target x86_64-unknown-linux-gnu \
+            -p vortex-ffi -- --no-capture
+
+  rust-test-msan:
+    name: "Rust tests (memory sanitizer)"
+    timeout-minutes: 40
+    runs-on: >-
+      ${{ github.repository == 'vortex-data/vortex'
+          && format('runs-on={0}/runner=amd64-medium/image=ubuntu24-full-x64-pre-v2/tag=rust-test-memory-sanitizer', github.run_id)
+          || 'ubuntu-latest' }}
+    env:
+      # Add debug symbols and enable ASAN/LSAN with better output
+      MSAN_OPTIONS: "symbolize=1:print_stats=1:verbosity=1"
+      MSAN_SYMBOLIZER_PATH: "/usr/bin/llvm-symbolizer"
+      # Link against DuckDB debug build
+      VX_DUCKDB_DEBUG: "1"
+      # Keep frame pointers for better stack traces
+      CARGO_PROFILE_DEV_DEBUG: "true"
+      CARGO_PROFILE_TEST_DEBUG: "true"
+      # Skip slow tests that are too expensive under sanitizer
+      VORTEX_SKIP_SLOW_TESTS: "1"
+    steps:
+      - uses: runs-on/action@v2
+        if: github.repository == 'vortex-data/vortex'
+        with:
+          sccache: s3
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/setup-prebuild
+      - name: Install nightly for sanitizer
+        run: |
+          rustup toolchain install $NIGHTLY_TOOLCHAIN
+          rustup component add --toolchain $NIGHTLY_TOOLCHAIN rust-src rustfmt clippy llvm-tools-preview
+      - name: Rust Tests
+        env:
+          RUSTFLAGS: "-A warnings -Zsanitizer=memory -Cunsafe-allow-abi-mismatch=sanitizer --cfg disable_loom --cfg vortex_nightly -C debuginfo=2 -C opt-level=0 -C strip=none"
+        run: |
+          # Build with full debug info first (helps with caching)
+          cargo +$NIGHTLY_TOOLCHAIN build --locked --all-features  \
+            -Zbuild-std --target x86_64-unknown-linux-gnu \
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
+          # Run tests with sanitizers and debug output
+          cargo +$NIGHTLY_TOOLCHAIN nextest run \
+            --locked --all-features --no-fail-fast \
+            -Zbuild-std --target x86_64-unknown-linux-gnu \
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
+          # vortex-ffi requires --no-default-features as otherwise we pull in
+          # Mimalloc which interferes with sanitizers
+          # cargo nextest reports less leaks than cargo test
+          cargo +$NIGHTLY_TOOLCHAIN test --locked --no-default-features \
+            -Zbuild-std --no-fail-fast --target x86_64-unknown-linux-gnu \
+            -p vortex-ffi -- --no-capture
+
+  rust-test-tsan:
+    name: "Rust tests (thread sanitizer)"
+    timeout-minutes: 40
+    runs-on: >-
+      ${{ github.repository == 'vortex-data/vortex'
+          && format('runs-on={0}/runner=amd64-medium/image=ubuntu24-full-x64-pre-v2/tag=rust-test-thread-sanitizer', github.run_id)
+          || 'ubuntu-latest' }}
+    env:
+      # Add debug symbols and enable ASAN/LSAN with better output
+      TSAN_OPTIONS: "symbolize=1:verbosity=1"
+      TSAN_SYMBOLIZER_PATH: "/usr/bin/llvm-symbolizer"
+      # Link against DuckDB debug build
+      VX_DUCKDB_DEBUG: "1"
+      # Keep frame pointers for better stack traces
+      CARGO_PROFILE_DEV_DEBUG: "true"
+      CARGO_PROFILE_TEST_DEBUG: "true"
+      # Skip slow tests that are too expensive under sanitizer
+      VORTEX_SKIP_SLOW_TESTS: "1"
+    steps:
+      - uses: runs-on/action@v2
+        if: github.repository == 'vortex-data/vortex'
+        with:
+          sccache: s3
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/setup-prebuild
+      - name: Install nightly for sanitizer
+        run: |
+          rustup toolchain install $NIGHTLY_TOOLCHAIN
+          rustup component add --toolchain $NIGHTLY_TOOLCHAIN rust-src rustfmt clippy llvm-tools-preview
+      - name: Rust Tests
+        env:
+          RUSTFLAGS: "-A warnings -Zsanitizer=thread -Cunsafe-allow-abi-mismatch=sanitizer --cfg disable_loom --cfg vortex_nightly -C debuginfo=2 -C opt-level=0 -C strip=none"
+        run: |
+          # Build with full debug info first (helps with caching)
+          cargo +$NIGHTLY_TOOLCHAIN build --locked --all-features  \
+            -Zbuild-std --target x86_64-unknown-linux-gnu \
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
+          # Run tests with sanitizers and debug output
+          cargo +$NIGHTLY_TOOLCHAIN nextest run \
+            -Zbuild-std --locked --all-features \
+            --no-fail-fast --target x86_64-unknown-linux-gnu \
+            -p vortex-buffer -p vortex-fastlanes -p vortex-fsst -p vortex-alp -p vortex-array
+
+          # vortex-ffi requires --no-default-features as otherwise we pull in
+          # Mimalloc which interferes with sanitizers
+          # cargo nextest reports less issues than cargo test
+          cargo +$NIGHTLY_TOOLCHAIN test --locked --no-default-features \
+            -Zbuild-std --no-fail-fast --target x86_64-unknown-linux-gnu \
+            -p vortex-ffi -- --no-capture
 
   cuda-build-lint:
     if: github.repository == 'vortex-data/vortex'

vortex-ffi/README.md

@@ -26,9 +26,9 @@ item cannot be referenced in the documentation if it does not have a documentati
 
 ## Updating Headers
 
-To rebuild the header file (requires nightly toolchain):
+To rebuild the header file:
 
-```shell
+```sh
 cargo +nightly build -p vortex-ffi
 ```
 
@@ -41,17 +41,61 @@ Stable builds use the checked-in header file at `cinclude/vortex.h`.
 - **For regular development**: Stable toolchain builds work with existing checked-in headers
 - **CI validation**: Automated checks verify header freshness using nightly toolchain
 
-### Testing
+### Testing C part
 
 Build the test library
 
-```
+```sh
 cmake -Bbuild
 cmake --build build -j $(nproc)
 ```
 
 Run the tests
 
-```
+```sh
 ctest --test-dir build -j $(nproc)
 ```
+
+You would need C++ compiler toolchain to run the tests since they use Catch2.
+
+### Testing Rust part with sanitizers
+
+AddressSanitizer:
+
+```sh
+# inside vortex-ffi
+RUSTFLAGS="-Z sanitizer=address" \
+cargo +nightly test -Zbuild-std \
+    --no-default-features --target <target triple> \
+    -- --no-capture
+```
+
+MemorySanitizer:
+
+```sh
+RUSTFLAGS="-Z sanitizer=memory -Cunsafe-allow-abi-mismatch=sanitizer" \
+cargo +nightly test -Zbuild-std \
+    --no-default-features --target <target triple> \
+    -- --no-capture
+```
+
+ThreadSanitizer:
+
+```sh
+RUSTFLAGS="-Z sanitizer=thread -Cunsafe-allow-abi-mismatch=sanitizer" \
+cargo +nightly test -Zbuild-std \
+    --no-default-features --target <target triple> \
+    -- --no-capture
+```
+
+- `-Zbuild-std` is needed as memory and thread sanitizers report std errors
+  otherwise.
+- `--no-default-features` is needed as we use Mimalloc otherwise which interferes
+with sanitizers.
+- `allow-abi-mismatch` is safe because in our dependency graph only crates like
+  `compiler_builtins` unset sanitization, and they do it on purpose.
+- Make sure to use `cargo test` and not `cargo nextest` as nextest reports less
+leaks.
+- If you want stack trace symbolization, install `llvm-symbolizer`.
+
+### Testing Rust and C part with sanitizers

vortex-ffi/build.rs

@@ -2,10 +2,11 @@
 // SPDX-FileCopyrightText: Copyright the Vortex contributors
 
 #![allow(clippy::unwrap_used)]
-#![allow(clippy::panic)]
+#![allow(clippy::exit)]
 use std::env;
 use std::path::PathBuf;
 use std::process::Command;
+use std::process::exit;
 
 fn main() {
     // Set up dependency tracking
@@ -65,21 +66,17 @@ fn main() {
                 );
             }
         }
-        Err(e) => {
+        Err(err) => {
             // Check if this might be a sanitizer-related incompatibility
-            let error_msg = e.to_string();
+            let err = err.to_string();
             let rustflags = env::var("RUSTFLAGS").unwrap_or_default();
 
-            if rustflags.contains("sanitizer") || error_msg.contains("sanitizer") {
-                println!(
-                    "cargo:warning=Skipping header generation due to sanitizer incompatibility"
-                );
-                println!("cargo:warning=Error: {}", e);
+            if rustflags.contains("sanitizer") || err.contains("sanitizer") {
+                println!("cargo:info=Skipping header generation due to sanitizers");
                 return;
             }
-
-            // For non-sanitizer errors, fail hard as these indicate real problems
-            panic!("Failed to generate header with cbindgen: {}", e);
+            println!("cargo:error=Failed to generate header with cbindgen: {err}");
+            exit(1);
         }
     }
 }

vortex-ffi/cinclude/vortex.h

@@ -266,8 +266,6 @@ typedef struct vx_array_iterator vx_array_iterator;
  * The `sink` interface is used to collect array chunks and place them into a resource
  * (e.g. an array stream or file (`vx_array_sink_open_file`)).
  *
- * ## Thread Safety
- *
  * This struct is **not** thread-safe for concurrent operations. While the underlying
  * `Sender` is thread-safe, the FFI wrapper should only be accessed from a single thread
  * to avoid race conditions between `push` and `close` operations. The `close` operation
@@ -742,37 +740,45 @@ void vx_session_free(vx_session *ptr);
 
 /**
  * Create a new Vortex session.
- *
- * The caller is responsible for freeing the session with [`vx_session_free`].
+ * The session is owned and must be freed by the caller.
  */
 vx_session *vx_session_new(void);
 
 /**
- * Clone a Vortex session, returning an owned copy.
- *
- * The caller is responsible for freeing the session with [`vx_session_free`].
+ * Clone a Vortex session.
+ * The cloned copy is owned and must be freed by the caller.
  */
 vx_session *vx_session_clone(const vx_session *session);
 
+/**
+ * Free an owned [`vx_array_sink`] object.
+ */
+void vx_array_sink_free(vx_array_sink *ptr);
+
 /**
  * Opens a writable array stream, where sink is used to push values into the stream.
- * To close the stream close the sink with `vx_array_sink_close`.
+ * path must not be NULL.
+ * This method does not take ownership of dtype.
+ * If an error is encountered, NULL is returned, and error field is populated
+ * with an owned error which must be freed by the caller.
+ * Returned sink is owned and must be freed by the caller
  */
-vx_array_sink *vx_array_sink_open_file(const vx_session *session,
-                                       const char *path,
-                                       const vx_dtype *dtype,
-                                       vx_error **error_out);
+vx_array_sink *
+vx_array_sink_open_file(const vx_session *session, const char *path, const vx_dtype *dtype, vx_error **error);
 
 /**
- * Pushed a single array chunk into a file sink.
+ * Push a single array into a file sink.
+ * Does not take ownership of array.
  */
-void vx_array_sink_push(vx_array_sink *sink, const vx_array *array, vx_error **error_out);
+void vx_array_sink_push(vx_array_sink *sink, const vx_array *array, vx_error **error);
 
 /**
- * Closes an array sink, must be called to ensure all the values pushed to the sink are written
+ * Close an array sink.
+ * Takes ownership of sink and frees it.
+ * Must be called to ensure all the values pushed to the sink are written
  * to the external resource.
  */
-void vx_array_sink_close(vx_array_sink *sink, vx_error **error_out);
+void vx_array_sink_close(vx_array_sink *sink, vx_error **error);
 
 /**
  * Clone a borrowed [`vx_string`], returning an owned [`vx_string`].

vortex-ffi/src/session.rs

@@ -16,18 +16,16 @@ box_wrapper!(
 );
 
 /// Create a new Vortex session.
-///
-/// The caller is responsible for freeing the session with [`vx_session_free`].
+/// The session is owned and must be freed by the caller.
 #[unsafe(no_mangle)]
 pub unsafe extern "C-unwind" fn vx_session_new() -> *mut vx_session {
     vx_session::new(Box::new(
         VortexSession::default().with_handle(RUNTIME.handle()),
     ))
 }
 
-/// Clone a Vortex session, returning an owned copy.
-///
-/// The caller is responsible for freeing the session with [`vx_session_free`].
+/// Clone a Vortex session.
+/// The cloned copy is owned and must be freed by the caller.
 #[unsafe(no_mangle)]
 pub unsafe extern "C-unwind" fn vx_session_clone(session: *const vx_session) -> *mut vx_session {
     let session = vx_session::as_ref(session);