research integration of sanitizers in CI pipeline to find vulnerabilities

[natoscott]

Along the lines of #1477 it'd be good to get a CI target to run QA on a (non-release) build of PCP with sanitizer options enabled - like -fsanitize=address, -fsanitize=undefined and maybe -fsanitize=thread too.

[andreasgerstmayr]

I've added a --with-sanitizer option to our configure script a while back (it only supports a single value, but afaics -fsanitize=address,undefined also works fine.

You can copy the build/ci/platforms/fedora35-container.yml file, update the ./Makepkgs invocation with --with-sanitizer and add the new platform to .github/workflows/qa.yml. Probably the sanitizer need some dependencies, which need to be added to qa/admin/package-lists/Fedora+35+x86_64.

[andreasgerstmayr]

A memory leak sanitizer would be great as well, but that'll change all timings of the QA scripts, and some will run in timeouts. Maybe we can add a new QA group as an allowlist for all tests which can run with the memleak sanitizer (or a denylist for all tests which can't run with the memleak sanitizer).