Source: inotify-tools
Version: 3.14-4
Severity: grave


In inotify-tools 3.14-4, all the qa sanitizers were enabled in
DEB_BUILD_MAINT_OPTIONS. This should not be done in production.

* Many architectures do not support sanitizers. Your package FTBFS on
mips* due to this. While clang supports ASan on mips, gcc does not.

* The man page for dpkg-buildflags explicitly states these options
should not be used in production builds and are for debugging only.

* Enabling sanitizers causes an approximately 2x performance penalty.

* Enabling ASan changes the behavior of a program in some circumstances
(mainly relating to memory management; for example, LD_PRELOAD no longer
works without hacks). Enabling ASan in a library package is even worse,
because you impose these behavior changes on all users of your library,
who may not be expecting them.

* ASan complains about memory leaks, and these are easy to reproduce with
inotify-tools. While this is very useful during development, I do not
think users should be subjected to these types of bugs which are mostly
harmless. E.g. run inotifywait without any arguments and ASan will
complain loudly.

* Users of libinotifytools0 must now enable ASan themselves or use the
LD_PRELOAD hack; otherwise their programs will not start. For example, the
attached simple test program fails to run with:

==19349==ASan runtime does not come first in initial library list; you
should either link runtime to your application or manually preload it

#include <inotifytools/inotifytools.h>

/* Links against libinotifytools0 but never calls into it; the ASan
   error above is raised at load time, before main() even runs. */
int main(void)
{
    return 0;
}
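To catch this before a library ships, here is an added check that is not part of this report or of inotify-tools: a small Python script that reads the DT_NEEDED entries of a little-endian ELF64 object and reports any sanitizer runtime (libasan and friends) among them, which is exactly the dependency that makes the loader abort with the message above. The ELF image used for the self-test is constructed inline and is not loadable; on a real system, pass the bytes of the .so file to elf_needed().

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
SANITIZER_RUNTIMES = ("libasan", "libubsan", "libtsan", "liblsan")
# sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
SHDR = "<IIQQQQIIQQ"

def elf_needed(data):
    """Return the DT_NEEDED (shared library) names of a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    sections = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    needed = []
    for sec in sections:
        if sec[1] != SHT_DYNAMIC:
            continue
        str_off = sections[sec[6]][4]  # sh_link names the string table used by .dynamic
        for pos in range(sec[4], sec[4] + sec[5], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(data[str_off + val:data.index(b"\0", str_off + val)].decode())
    return needed

def sanitizer_runtimes(needed):
    """Names from a DT_NEEDED list that are sanitizer runtimes; a library package should have none."""
    return [lib for lib in needed if lib.startswith(SANITIZER_RUNTIMES)]

def build_fake_elf(libs):
    """Constructed fixture: a minimal ELF64 image with only .dynstr and .dynamic (not loadable)."""
    dynstr, offsets = b"\0", []
    for lib in libs:
        offsets.append(len(dynstr))
        dynstr += lib.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets) + struct.pack("<qQ", DT_NULL, 0)
    dynstr_off, dynamic_off = 64, 64 + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)  # ET_DYN, x86-64, 3 sections
    shdrs = struct.pack(SHDR, *([0] * 10))  # mandatory null section header
    shdrs += struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    return ehdr + dynstr + dynamic + shdrs
```

For a packaged library, run sanitizer_runtimes(elf_needed(open(path, "rb").read())) over each .so in the build tree; a non-empty result means the sanitize flags leaked into the build.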
