Pr/daniel noland/sanitize and clean up

nix/base-image/default.nix

@@ -1,19 +1,20 @@
 {
-    stdenv,
-    glibc,
-    libgcc,
-}: stdenv.mkDerivation rec {
-    pname = "base-image";
-    version = "25.07";
+  stdenv,
+  glibc,
+  libgcc,
+}:
+stdenv.mkDerivation {
+  pname = "base-image";
+  version = "25.07";
 
-    src = ./root;
+  src = ./root;
 
-    installPhase = ''
-        cp -r $src $out
-    '';
-    dontUnpack = true;
-    buildInputs = [
-        glibc.out
-        libgcc.libgcc
-    ];
+  installPhase = ''
+    cp -r $src $out
+  '';
+  dontUnpack = true;
+  buildInputs = [
+    glibc.out
+    libgcc.libgcc
+  ];
 }

nix/dpdk/default.nix

@@ -105,11 +105,11 @@ stdenv.mkDerivation rec {
     "cryptodev" # required for vhost
     "dmadev" # required by vhost
     "ethdev"
-    "eventdev" # needed for i40e
+    "eventdev"
     "pci"
-    "security" # needed for i40e
-    "timer" # needed for i40e
-    "vhost" # enabled to facilitate testing with vm runner
+    "security"
+    "timer"
+    "vhost"
   ];
 
   disabledDrivers = [
@@ -259,17 +259,16 @@ stdenv.mkDerivation rec {
     "-Db_colorout=never"
     "-Db_coverage=false"
     "-Db_lto=true"
-    "-Db_lundef=true"
+    "-Db_lundef=false"
     "-Db_pch=true"
     "-Db_pgo=off"
     "-Db_pie=true"
-    "-Db_sanitize=none"
     "-Dbackend=ninja"
     "-Ddefault_library=static"
     "-Denable_docs=false"
     "-Denable_driver_sdk=false"
     "-Dibverbs_link=static"
-    "-Dmax_numa_nodes=4"
+    "-Dmax_numa_nodes=8"
     "-Dstrip=false" # We should strip binaries in a separate step to preserve detached debug info
     "-Dtests=false" # Running DPDK tests in CI is usually silly
     "-Duse_hpet=false"

nix/flags.nix

@@ -6,20 +6,33 @@ let
       debug = "-ggdb3 -gdwarf-5 -gembed-source";
       security = "-fstack-protector-strong";
       errors = "-Werror=odr -Werror=strict-aliasing";
-      profile = {
-        debug = "-Og -fno-inline -fno-omit-frame-pointer";
-        release = "-O3 -flto=thin";
-      };
+      profile =
+        let
+          release = "-O3 -flto=thin";
+          profile = "-fprofile-instr-generate -fcoverage-mapping -fno-omit-frame-pointer -fno-sanitize-merge";
+        in
+        {
+          debug = "-Og -fno-inline -fno-omit-frame-pointer";
+          inherit release;
+          fuzz = "${release} ${profile} -fsanitize=address,leak,undefined,local-bounds";
+          fuzz_thread = "${release} ${profile} -fsanitize=thread";
+        };
       end = "-Qunused-arguments";
     };
-    link = {
-      linker = "-fuse-ld=lld";
-      profile = {
-        debug = "";
+    link =
+      let
         release = "-flto=thin -Wl,-O3 -Wl,-z,relro,-z,now";
+      in
+      {
+        linker = "-fuse-ld=lld";
+        profile = {
+          debug = "";
+          inherit release;
+          fuzz = "${release} -shared-libasan -fsanitize=address,leak,undefined,local-bounds";
+          fuzz_thread = "${release} -fsanitize=thread -Wl,--allow-shlib-undefined";
+        };
+        end = "-Qunused-arguments";
       };
-      end = "-Qunused-arguments";
-    };
   };
   cflags =
     type: with flags.compile; "${machine} ${debug} ${security} ${errors} ${profile.${type}} ${end}";
@@ -34,4 +47,6 @@ in
 {
   release = configuration "release";
   debug = configuration "debug";
+  fuzz = configuration "fuzz";
+  fuzz_thread = configuration "fuzz_thread";
 }