fix(testrunner): suppress glibc nss dlopen reachable in --valgrind

Azer0s · Azer0s · commit 2931a429a533 · 2026-05-12T22:04:28.000+02:00
diff --git a/main.go b/main.go
@@ -180,6 +180,20 @@ func tinRuntimeDir() string {
 	return filepath.Join(filepath.Dir(ex), "runtime")
 }
 
+// valgrindNssSuppressionsPath returns the path to the glibc-nss
+// suppressions file shipped alongside the tin binary, or "" when it
+// can't be located.  Used by --valgrind to silence the linker-level
+// reachable blocks from getaddrinfo's lazy dlopen of nss / resolv
+// modules.
+func valgrindNssSuppressionsPath() string {
+	p := filepath.Join(tinRuntimeDir(), "valgrind-glibc-nss.supp")
+	if _, err := os.Stat(p); err != nil {
+		return ""
+	}
+
+	return p
+}
+
 // stdlibDirForDirectives returns the effective stdlib path for $TIN_STDLIB expansion.
 // Uses override if provided; otherwise falls back to <execDir>/stdlib.
 func stdlibDirForDirectives(override string) string {
@@ -2670,14 +2684,25 @@ func validateMemcheck(memcheck string) {
 func memcheckCmd(memcheck, binary string, binArgs ...string) *exec.Cmd {
 	switch memcheck {
 	case "valgrind":
-		args := append([]string{
+		vgArgs := []string{
 			"--error-exitcode=1",
 			"--leak-check=full",
 			"--errors-for-leak-kinds=all",
-			binary,
-		}, binArgs...)
+		}
+		// Suppress glibc's lazy nss/resolver dlopen bookkeeping: the
+		// first getaddrinfo() in a process loads libnss_*/libresolv via
+		// __libc_dlopen_mode -> _dl_open and keeps those mappings live
+		// until exit, which valgrind reports as "still reachable".  The
+		// suppression file at runtime/valgrind-glibc-nss.supp anchors
+		// each rule at `_dl_open` so real leaks elsewhere still surface.
+		if suppPath := valgrindNssSuppressionsPath(); suppPath != "" {
+			vgArgs = append(vgArgs, "--suppressions="+suppPath)
+		}
+
+		vgArgs = append(vgArgs, binary)
+		vgArgs = append(vgArgs, binArgs...)
 
-		return wrapExec("valgrind", args...)
+		return wrapExec("valgrind", vgArgs...)
 	case "leaks":
 		args := append([]string{"--atExit", "--", binary}, binArgs...)
 
diff --git a/runtime/valgrind-glibc-nss.supp b/runtime/valgrind-glibc-nss.supp
@@ -0,0 +1,36 @@
+# runtime/valgrind-glibc-nss.supp -- valgrind suppressions for glibc's
+# lazy nss / resolver module loading.
+#
+# The first getaddrinfo() (and similar nss callers) in a glibc process
+# loads libnss_files.so / libnss_dns.so / libresolv.so via
+# __libc_dlopen_mode -> _dl_open and keeps the resulting mappings live
+# for the program's lifetime.  The rtld bookkeeping for those .so's
+# (linkmap entries, version maps, scope arrays, cache strdup'd paths)
+# stays in glibc's globals with no dlclose() ever called -- valgrind
+# reports each as "still reachable".
+#
+# Verified by a pure-C reproducer that calls only getaddrinfo() +
+# freeaddrinfo() with zero Tin code on the stack: 9,816 bytes / 21
+# blocks / 8 records, byte-for-byte identical to what Tin's dns_test
+# shows.  Every record's call chain terminates at `_dl_open` (the
+# dynamic linker's open-and-map entry), so we anchor the match there.
+# Real reachable leaks elsewhere in the program (no `_dl_open` frame
+# on the stack) still surface.
+
+{
+   glibc-rtld-dlopen-malloc-reachable
+   Memcheck:Leak
+   match-leak-kinds: reachable
+   fun:malloc
+   ...
+   fun:_dl_open
+}
+
+{
+   glibc-rtld-dlopen-calloc-reachable
+   Memcheck:Leak
+   match-leak-kinds: reachable
+   fun:calloc
+   ...
+   fun:_dl_open
+}
