ci(fuzz): force RUSTFLAGS=-C target-feature=-crt-static (#168 defense)#189

Merged
avrabe merged 1 commit into main from fix/fuzz-rustflags-crt-static
May 25, 2026

@avrabe avrabe commented May 25, 2026

Summary

Belt-and-suspenders defense against the #168 sanitizer/crt-static failure pattern that just recurred on PR #188 (fuzz_resolver_terminates job 77662221327 and fuzz_fusion_roundtrip job 77662221339).

`fuzz.yml` already has a thoughtful "don't install musl as a target" mitigation, but that only addresses one failure mode. The underlying hazard surfaces whenever a drifted smithy runner has `target-feature=+crt-static` configured via `/etc/cargo/config.toml` or an inherited `RUSTFLAGS` env var — even on a gnu-host build, cargo-fuzz's `-Z sanitizer=address` then crashes with the canonical "sanitizer is incompatible with statically linked libc" error.

Setting `RUSTFLAGS` at the workflow env level overrides any cargo-config rustflags (cargo gives env-`RUSTFLAGS` strict precedence). On clean runners the feature was already off, so this is a harmless no-op; on drifted runners it force-disables static-crt up-front before cargo-fuzz ever calls into rustc.

What this is not

Not a replacement for the upstream smithy ask in #168 — re-imaging the rust-cpu runner pool remains the durable fix. This stops the noise on every fuzz PR landing on a drifted runner until smithy gets to it.

Test plan

  • YAML parses (`check-yaml` pre-commit passed)
  • Fuzz workflow runs against this PR — expect all four targets green
  • Confirm no behavior change on clean runners (target feature already off, flag is a no-op)

🤖 Generated with Claude Code
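
An added example, not part of this PR or the meld repository: a pre-flight shell check a fuzz job could run to see which rustflags source cargo will actually use and whether it turns on static CRT. It goes slightly beyond the description by also covering `CARGO_ENCODED_RUSTFLAGS`, which cargo consults before `RUSTFLAGS`; the function names and the config paths passed in are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): pre-flight check for static-CRT drift.
# Cargo uses the FIRST of these sources that is present, ignoring the rest:
#   CARGO_ENCODED_RUSTFLAGS, RUSTFLAGS, target.*.rustflags, build.rustflags
# Empty variables are treated as unset here so config files still get scanned.

# Name the source cargo would take its rustflags from.
rustflags_source() {
  if [ -n "${CARGO_ENCODED_RUSTFLAGS:-}" ]; then echo CARGO_ENCODED_RUSTFLAGS
  elif [ -n "${RUSTFLAGS:-}" ]; then echo RUSTFLAGS
  else echo config
  fi
}

# Collect the flag text from the winning source. For "config" that means the
# CARGO_BUILD_/CARGO_TARGET_*_RUSTFLAGS env forms plus the non-comment lines of
# the config files passed as arguments (the paths are the caller's assumption).
effective_flags() {
  case "$(rustflags_source)" in
    CARGO_ENCODED_RUSTFLAGS) printf '%s\n' "$CARGO_ENCODED_RUSTFLAGS" ;;
    RUSTFLAGS) printf '%s\n' "$RUSTFLAGS" ;;
    config)
      env | grep -E '^CARGO_(BUILD|TARGET_[A-Za-z0-9_]+)_RUSTFLAGS=' || true
      for f in "$@"; do
        [ -r "$f" ] && grep -v '^[[:space:]]*#' "$f" || true
      done ;;
  esac
}

# Print a verdict; return 1 if the winning source enables static CRT.
check_static_crt() {
  if effective_flags "$@" | grep -qF -- '+crt-static'; then
    echo "drift: +crt-static via $(rustflags_source)"
    return 1
  fi
  echo "ok: no +crt-static via $(rustflags_source)"
}

# Usage in a CI step (paths are assumptions):
#   check_static_crt /etc/cargo/config.toml "$HOME/.cargo/config.toml" || exit 1
```

A runner that exports `CARGO_ENCODED_RUSTFLAGS` containing `+crt-static` is reported as drifted even when the workflow sets `RUSTFLAGS`, because cargo never reads `RUSTFLAGS` in that case.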

The musl-target-not-installed mitigation already in fuzz.yml's "Install
nightly Rust" comment prevents one failure mode (explicit musl target
in the dtolnay/rust-toolchain action). But the underlying #168 hazard
still surfaces when a drifted smithy runner has crt-static configured
via /etc/cargo/config.toml or an inherited RUSTFLAGS env var — even on
a gnu-host build, cargo-fuzz's `-Z sanitizer=address` then crashes
with "sanitizer is incompatible with statically linked libc."

This just recurred on PR #188 (fuzz_resolver_terminates +
fuzz_fusion_roundtrip), so the meld-side mitigation needs to be
stronger than "trust runner config." Setting RUSTFLAGS at the
workflow env level completely overrides any cargo-config rustflags
(cargo gives env-RUSTFLAGS strict precedence). On clean runners the
target feature was already off, so the flag is a harmless no-op; on
drifted runners it force-disables static-crt up-front before
cargo-fuzz ever calls into rustc.

This doesn't replace the upstream smithy ask in #168 (re-image the
rust-cpu runner pool) — that's still the durable fix. But it stops
the noise on every fuzz PR landing on a drifted runner until smithy
gets to it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions

LS-N verification gate

33/33 approved LS entries verified

| Status | Count |
|---|---|
| Passed (≥1 test, all green) | 33 |
| Failed (≥1 test failure) | 0 |
| Missing (no ls_*_NN_* test found) | 0 |

Approved loss-scenarios.yaml entries are expected to have a regression test named `ls_<letter>_<num>_*` (e.g. LS-A-11 → `ls_a_11_*`). The gate runs each prefix via `cargo test --lib --no-fail-fast` and aggregates pass/fail/missing.

Failed LS entries

(none)

Missing regression tests

(none)

Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.

@avrabe avrabe merged commit 75e0ac6 into main May 25, 2026
14 checks passed
@avrabe avrabe deleted the fix/fuzz-rustflags-crt-static branch May 25, 2026 09:23
avrabe added a commit that referenced this pull request May 25, 2026
Four-PR cycle. Cycle detection for cross-component streams (#188),
signed/attested release pipeline (#186, first real cut), README
consumer verification recipe (#187), and a defensive fuzz workflow
fix for drifted self-hosted runners (#189).

v0.12.0 is the first meld release published with the new artifact
flow: per-target tar.gz archives, CycloneDX SBOM, cosign-signed
SHA256SUMS.txt + bundle, and SLSA v1 build provenance per archive.
v0.11.0's binaries were the last bare-asset release.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>