fix(coreaudio): fix undefined behavior causing sanitizer crashes (#1052)

sinkingsugar · web-flow · commit f3eb5c89b0f1 · 2025-12-02T21:15:05.000+01:00
* fix(coreaudio): make data_size mutable in audio_devices() to fix sanitizer crashes In audio_devices(), data_size was declared as immutable but AudioObjectGetPropertyDataSize needs to write the actual property size into it. This caused undefined behavior that sanitizers (ASAN/TSAN) detected as writes to immutable memory. This bug was introduced in commit ed9d643 when migrating from coreaudio-rs to objc2-core-audio. The old raw pointer code hid the UB with an unsafe cast (&data_size as *const _ as *mut _), but the new NonNull API properly enforces mutability contracts. The fix changes: - let data_size = 0u32; → let mut data_size = 0u32; - NonNull::from(&data_size) → NonNull::from(&mut data_size) Fixes crashes during device enumeration under AddressSanitizer and ThreadSanitizer on macOS. * fix(coreaudio): make all data_size variables mutable in device.rs Fixed 7 more instances of the same UB pattern where data_size was declared immutable but passed to CoreAudio APIs that write to it: In set_sample_rate() (lines 64, 81, 128): - AudioObjectGetPropertyData writes the actual data size back - Both calls to get sample rates and sample rate ranges In Device::id() (line 376): - AudioObjectGetPropertyData for kAudioDevicePropertyDeviceUID In Device::supported_configs() (lines 420, 471): - AudioObjectGetPropertyDataSize writes the required buffer size - AudioObjectGetPropertyData confirms the size In Device::default_config() (line 598): - AudioObjectGetPropertyData for stream format All of these were causing sanitizer crashes because the CoreAudio APIs expect mutable references (the size parameter is 'inout'). * ci: add sanitizer builds to catch undefined behavior Added comprehensive sanitizer testing using matrix strategy: - AddressSanitizer (ASAN) for memory safety bugs - ThreadSanitizer (TSAN) for race conditions and threading issues - Runs on both macOS (CoreAudio) and Linux (ALSA) These sanitizers run the existing test suite with runtime instrumentation to catch undefined behavior that normal builds miss. This would have caught the data_size mutability bugs fixed in the previous commits.
diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
@@ -0,0 +1,92 @@
+name: Sanitizers
+
+on:
+  push:
+    branches: [master]
+    paths-ignore:
+      - "**.md"
+      - "docs/**"
+      - "LICENSE*"
+      - ".gitignore"
+  pull_request:
+    branches: [master]
+    paths-ignore:
+      - "**.md"
+      - "docs/**"
+      - "LICENSE*"
+      - ".gitignore"
+  workflow_dispatch:
+
+jobs:
+  sanitizers:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macOS-latest
+            target: aarch64-apple-darwin
+            sanitizer: address
+            name: ASAN-macOS
+
+          - os: macOS-latest
+            target: aarch64-apple-darwin
+            sanitizer: thread
+            name: TSAN-macOS
+
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            sanitizer: address
+            name: ASAN-Linux
+
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+            sanitizer: thread
+            name: TSAN-Linux
+
+    name: ${{ matrix.name }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Cache Linux audio packages
+        if: runner.os == 'Linux'
+        uses: awalsh128/cache-apt-pkgs-action@latest
+        with:
+          packages: libasound2-dev libjack-jackd2-dev libjack-jackd2-0 libdbus-1-dev
+
+      - name: Install macOS dependencies
+        if: runner.os == 'macOS'
+        run: brew install llvm
+
+      - name: Install nightly Rust with rust-src
+        uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rust-src
+
+      - name: Rust Cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          key: ${{ matrix.name }}
+
+      - name: Run tests with sanitizer
+        env:
+          RUSTFLAGS: -Zsanitizer=${{ matrix.sanitizer }}
+          RUSTDOCFLAGS: -Zsanitizer=${{ matrix.sanitizer }}
+          TSAN_OPTIONS: ${{ matrix.sanitizer == 'thread' && 'second_deadlock_stack=1' || '' }}
+        run: |
+          cargo +nightly test \
+            -Zbuild-std \
+            --target ${{ matrix.target }} \
+            --lib \
+            --verbose
+
+      - name: Upload sanitizer logs
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.name }}-logs
+          path: |
+            *.log.*
+            /tmp/asan.*
+            /tmp/tsan.*
+          if-no-files-found: ignore
diff --git a/src/host/coreaudio/macos/device.rs b/src/host/coreaudio/macos/device.rs
@@ -62,14 +62,14 @@ fn set_sample_rate(
         mElement: kAudioObjectPropertyElementMaster,
     };
     let mut sample_rate: f64 = 0.0;
-    let data_size = mem::size_of::<f64>() as u32;
+    let mut data_size = mem::size_of::<f64>() as u32;
     let status = unsafe {
         AudioObjectGetPropertyData(
             audio_device_id,
             NonNull::from(&property_address),
             0,
             null(),
-            NonNull::from(&data_size),
+            NonNull::from(&mut data_size),
             NonNull::from(&mut sample_rate).cast(),
         )
     };
@@ -79,14 +79,14 @@ fn set_sample_rate(
     if sample_rate as u32 != target_sample_rate.0 {
         // Get available sample rate ranges.
         property_address.mSelector = kAudioDevicePropertyAvailableNominalSampleRates;
-        let data_size = 0u32;
+        let mut data_size = 0u32;
         let status = unsafe {
             AudioObjectGetPropertyDataSize(
                 audio_device_id,
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
             )
         };
         coreaudio::Error::from_os_status(status)?;
@@ -99,7 +99,7 @@ fn set_sample_rate(
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
                 NonNull::new(ranges.as_mut_ptr()).unwrap().cast(),
             )
         };
@@ -126,15 +126,15 @@ fn set_sample_rate(
         // Send sample rate updates back on a channel.
         let sample_rate_handler = move || {
             let mut rate: f64 = 0.0;
-            let data_size = mem::size_of::<f64>() as u32;
+            let mut data_size = mem::size_of::<f64>() as u32;
 
             let result = unsafe {
                 AudioObjectGetPropertyData(
                     audio_device_id,
                     NonNull::from(&sample_rate_address),
                     0,
                     null(),
-                    NonNull::from(&data_size),
+                    NonNull::from(&mut data_size),
                     NonNull::from(&mut rate).cast(),
                 )
             };
@@ -427,7 +427,7 @@ impl Device {
 
         // CFString is copied from the audio object, use wrap_under_create_rule
         let mut uid: *mut CFString = std::ptr::null_mut();
-        let data_size = size_of::<*mut CFString>() as u32;
+        let mut data_size = size_of::<*mut CFString>() as u32;
 
         // SAFETY: AudioObjectGetPropertyData is documented to write a CFString pointer
         // for kAudioDevicePropertyDeviceUID. We check the status code before use.
@@ -437,7 +437,7 @@ impl Device {
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
                 NonNull::from(&mut uid).cast(),
             )
         };
@@ -471,13 +471,13 @@ impl Device {
 
         unsafe {
             // Retrieve the devices audio buffer list.
-            let data_size = 0u32;
+            let mut data_size = 0u32;
             let status = AudioObjectGetPropertyDataSize(
                 self.audio_device_id,
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
             );
             check_os_status(status)?;
 
@@ -488,7 +488,7 @@ impl Device {
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
                 NonNull::new(audio_buffer_list.as_mut_ptr()).unwrap().cast(),
             );
             check_os_status(status)?;
@@ -522,13 +522,13 @@ impl Device {
             // See https://github.com/thestk/rtaudio/blob/master/RtAudio.cpp#L1369C1-L1375C39
 
             property_address.mSelector = kAudioDevicePropertyAvailableNominalSampleRates;
-            let data_size = 0u32;
+            let mut data_size = 0u32;
             let status = AudioObjectGetPropertyDataSize(
                 self.audio_device_id,
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
             );
             check_os_status(status)?;
 
@@ -540,7 +540,7 @@ impl Device {
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
                 NonNull::new(ranges.as_mut_ptr()).unwrap().cast(),
             );
             check_os_status(status)?;
@@ -649,13 +649,13 @@ impl Device {
 
         unsafe {
             let mut asbd: AudioStreamBasicDescription = mem::zeroed();
-            let data_size = mem::size_of::<AudioStreamBasicDescription>() as u32;
+            let mut data_size = mem::size_of::<AudioStreamBasicDescription>() as u32;
             let status = AudioObjectGetPropertyData(
                 self.audio_device_id,
                 NonNull::from(&property_address),
                 0,
                 null(),
-                NonNull::from(&data_size),
+                NonNull::from(&mut data_size),
                 NonNull::from(&mut asbd).cast(),
             );
             default_config_error_from_os_status(status)?;
diff --git a/src/host/coreaudio/macos/enumerate.rs b/src/host/coreaudio/macos/enumerate.rs
@@ -26,13 +26,13 @@ unsafe fn audio_devices() -> Result<Vec<AudioDeviceID>, OSStatus> {
         };
     }
 
-    let data_size = 0u32;
+    let mut data_size = 0u32;
     let status = AudioObjectGetPropertyDataSize(
         kAudioObjectSystemObject as AudioObjectID,
         NonNull::from(&property_address),
         0,
         null(),
-        NonNull::from(&data_size),
+        NonNull::from(&mut data_size),
     );
     try_status_or_return!(status);
 
@@ -45,7 +45,7 @@ unsafe fn audio_devices() -> Result<Vec<AudioDeviceID>, OSStatus> {
         NonNull::from(&property_address),
         0,
         null(),
-        NonNull::from(&data_size),
+        NonNull::from(&mut data_size),
         NonNull::new(audio_devices.as_mut_ptr()).unwrap().cast(),
     );
     try_status_or_return!(status);
