cordx56 · MuntasirSZN · Jun 9, 2025 · Jun 8, 2025 · Jun 8, 2025 · Jun 8, 2025
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -46,71 +46,58 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y valgrind
 
-      - name: Install cargo tools
-        run: |
-          cargo install cargo-audit
-
       - name: Make scripts executable (Unix)
         if: runner.os != 'Windows'
         run: chmod +x scripts/*.sh
 
-      - name: Run security checks
+      - name: Run comprehensive security checks
         shell: bash
         run: |
-          set -e  # Exit on any command failure
+          # The security script will auto-detect CI environment and install missing tools
           ./scripts/security.sh
 
       - name: Create security summary and cleanup
         if: always()
         shell: bash
         run: |
-          echo "# Security Testing Summary" > security-summary.txt
-          echo "Generated: $(date)" >> security-summary.txt
-          echo "OS: ${{ matrix.os }}" >> security-summary.txt
-          echo "" >> security-summary.txt
-
-          # Check if we have various log files and summarize them
-          if [ -f "valgrind.log" ]; then
-            echo "## Valgrind Results" >> security-summary.txt
-            echo "Log file size: $(wc -c < valgrind.log) bytes" >> security-summary.txt
-            echo "Last 10 lines:" >> security-summary.txt
-            tail -10 valgrind.log >> security-summary.txt || true
-            echo "" >> security-summary.txt
+          # The security script should have created its own summary
+          if [ -f "security-logs/security_summary_*.md" ]; then
+            echo "Security script summary found:"
+            ls -la security-logs/security_summary_*.md
+          else
+            echo "Warning: Security script summary not found, creating fallback summary"
+            mkdir -p security-logs
+            echo "# Security Testing Summary (Fallback)" > security-logs/fallback-summary.txt
+            echo "Generated: $(date)" >> security-logs/fallback-summary.txt
+            echo "OS: ${{ matrix.os }}" >> security-logs/fallback-summary.txt
+            echo "Status: Script may have failed to complete properly" >> security-logs/fallback-summary.txt
           fi
 
-          if ls *.trace >/dev/null 2>&1; then
-            echo "## Trace Files" >> security-summary.txt
-            ls -lh *.trace >> security-summary.txt || true
-            echo "" >> security-summary.txt
+          # List all generated logs for debugging
+          if [ -d "security-logs" ]; then
+            echo "Available security logs:"
+            ls -la security-logs/
+            echo "Total log directory size: $(du -sh security-logs 2>/dev/null | cut -f1 || echo 'N/A')"
           fi
 
-          # Check target directory sizes and clean up large build artifacts
+          # Clean up large build artifacts but preserve logs
           if [ -d "target/sanitizer" ]; then
-            echo "## Sanitizer Build Info" >> security-summary.txt
-            echo "Directory size before cleanup: $(du -sh target/sanitizer | cut -f1)" >> security-summary.txt
-
-            # Keep only essential files, remove large debug artifacts
+            echo "Cleaning up sanitizer build artifacts..."
             find target/sanitizer -name "*.rlib" -delete 2>/dev/null || true
             find target/sanitizer -name "*.rmeta" -delete 2>/dev/null || true
             find target/sanitizer -name "deps" -type d -exec rm -rf {} + 2>/dev/null || true
             find target/sanitizer -name "incremental" -type d -exec rm -rf {} + 2>/dev/null || true
-
-            echo "Directory size after cleanup: $(du -sh target/sanitizer 2>/dev/null | cut -f1 || echo 'N/A')" >> security-summary.txt
-            echo "" >> security-summary.txt
           fi
-
-          echo "## Environment" >> security-summary.txt
-          echo "Rust version: $(rustc --version)" >> security-summary.txt
-          echo "Cargo version: $(cargo --version)" >> security-summary.txt
-          echo "Target: $(rustc -vV | grep host | cut -d' ' -f2)" >> security-summary.txt
 
-      - name: Upload security artifacts (on failure)
-        if: failure()
+      - name: Upload security artifacts (always)
+        if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: security-logs-${{ matrix.os }}
+          name: security-logs-${{ matrix.os }}-${{ github.run_id }}
           path: |
-            valgrind.log
+            security-logs/
             *.trace
-            security-summary.txt
+            DrMemory-*.log
+            drmemory.*.log
+            instruments_output*.trace
           retention-days: 7
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,9 @@
 **/target
 perf-tests/dummy-package/Cargo.lock
+
+# Benchmark and size baselines are machine-specific and should not be committed
+baselines/
+
 # Nix stuff can be ignored, see https://github.com/cordx56/rustowl/issues/59
 result*
 .envrc
@@ -9,3 +13,4 @@ result*
 completions/
 man/
 memory-bank/
+security-logs/
diff --git a/docs/drmemory-setup.md b/docs/drmemory-setup.md
@@ -0,0 +1,184 @@
+# DrMemory Setup for Windows
+
+DrMemory is a memory debugging tool for Windows that can detect memory errors, leaks, and other issues in native applications, including Rust programs.
+
+## Quick Setup
+
+### Option 1: Automatic Installation (Recommended)
+
+Run the security script with automatic installation:
+
+```bash
+./scripts/security.sh --install
+```
+
+Or use the dedicated PowerShell script:
+
+```powershell
+# From PowerShell (as Administrator or with appropriate permissions)
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
+.\scripts\setup-drmemory-windows.ps1 -AddToPath
+```
+
+### Option 2: Manual Installation
+
+1. **Download DrMemory**
+   - Go to [DrMemory Releases](https://github.com/DynamoRIO/drmemory/releases)
+   - Download `DrMemory-Windows-2.6.0.zip` (or latest version)
+
+2. **Extract and Install**
+   ```powershell
+   # Extract to a directory, e.g., C:\Tools\DrMemory
+   Expand-Archive -Path DrMemory-Windows-2.6.0.zip -DestinationPath C:\Tools\
+   ```
+
+3. **Add to PATH**
+   ```powershell
+   # Add to user PATH environment variable
+   $env:PATH += ";C:\Tools\DrMemory-Windows-2.6.0\bin"
+
+   # Or add permanently through System Properties > Environment Variables
+   ```
+
+## Using DrMemory with RustOwl
+
+### Basic Usage
+
+```bash
+# Test RustOwl with DrMemory
+drmemory -- ./target/security/rustowl.exe check ./perf-tests/dummy-package
+```
+
+### With the Security Script
+
+```bash
+# Run all security tests including DrMemory
+./scripts/security.sh
+
+# Run only DrMemory tests
+./scripts/security.sh --no-miri --no-sanitizers --no-audit
+```
+
+## DrMemory Options for Rust Programs
+
+DrMemory has several options that are particularly useful for Rust programs:
+
+```bash
+# Basic memory error detection
+drmemory -- your_program.exe
+
+# More detailed tracking
+drmemory -track_heap -count_leaks -- your_program.exe
+
+# Light mode (faster but less comprehensive)
+drmemory -light -- your_program.exe
+
+# Generate reports
+drmemory -logdir results -- your_program.exe
+```
+
+## Common Issues and Solutions
+
+### Issue: "DrMemory not found"
+
+**Solution:** Ensure DrMemory is in your PATH or use the full path:
+```bash
+C:\Tools\DrMemory-Windows-2.6.0\bin\drmemory.exe -- your_program.exe
+```
+
+### Issue: "Access denied" when installing
+
+**Solution:** Run PowerShell as Administrator or install to user directory:
+```powershell
+.\setup-drmemory-windows.ps1 -InstallPath "$env:USERPROFILE\DrMemory" -AddToPath
+```
+
+### Issue: Performance is very slow
+
+**Solution:** Use light mode for faster analysis:
+```bash
+drmemory -light -- your_program.exe
+```
+
+### Issue: Too much output
+
+**Solution:** Use specific options to focus on errors:
+```bash
+drmemory -quiet -brief -- your_program.exe
+```
+
+## Understanding DrMemory Output
+
+DrMemory will report several types of issues:
+
+- **UNADDRESSABLE ACCESS**: Reading/writing memory that wasn't allocated
+- **UNINITIALIZED READ**: Reading uninitialized memory
+- **INVALID HEAP ARGUMENT**: Invalid arguments to heap functions
+- **LEAK**: Memory that was allocated but never freed
+- **POSSIBLE LEAK**: Memory that might be leaked
+
+For Rust programs, you're most likely to see:
+- Issues in unsafe code blocks
+- Problems with FFI (Foreign Function Interface) calls
+- Memory leaks in long-running programs
+
+## Integration with CI/CD
+
+You can integrate DrMemory testing into your CI pipeline:
+
+```yaml
+# Example for GitHub Actions
+- name: Install DrMemory
+  run: |
+    powershell -ExecutionPolicy Bypass -File scripts/setup-drmemory-windows.ps1 -AddToPath
+
+- name: Run Security Tests
+  run: |
+    ./scripts/security.sh
+```
+
+## Advanced Configuration
+
+### Custom Suppressions
+
+Create a suppressions file to ignore known false positives:
+
+```
+# drmemory_suppressions.txt
+UNADDRESSABLE ACCESS
+name=known_issue_in_library
+...
+```
+
+Use with:
+```bash
+drmemory -suppress drmemory_suppressions.txt -- your_program.exe
+```
+
+### Detailed Logging
+
+For debugging DrMemory itself:
+```bash
+drmemory -verbose 2 -logdir detailed_logs -- your_program.exe
+```
+
+## Troubleshooting
+
+1. **Verify Installation**
+   ```bash
+   drmemory -version
+   ```
+
+2. **Test with Simple Program**
+   ```bash
+   drmemory -- rustowl.exe --help
+   ```
+
+3. **Check Logs**
+   DrMemory creates log files in the current directory or specified logdir.
+
+## Resources
+
+- [DrMemory Documentation](https://drmemory.org/docs/)
+- [DrMemory GitHub Repository](https://github.com/DynamoRIO/drmemory)
+- [DynamoRIO Project](https://dynamorio.org/)
diff --git a/scripts/README.md b/scripts/README.md
@@ -71,7 +71,7 @@ Local performance benchmarking with regression detection.
 - Automatic test package detection
 - Configurable regression thresholds
 - HTML report generation
-- CI/local consistency
+- Local development focus
 
 **Usage:**
 ```bash
@@ -86,6 +86,8 @@ Local performance benchmarking with regression detection.
 ./scripts/bench.sh --clean --open --test-package ./examples
 ```
 
+**Note:** Benchmarks are designed for local development only. CI environments introduce too much variability for reliable performance measurement.
+
 ## Prerequisites
 
 ### Common Requirements
@@ -112,27 +114,22 @@ brew install gnuplot
 
 ## Integration with CI
 
-These scripts are designed to match their corresponding CI workflows:
+These scripts are designed to complement CI workflows where applicable:
 
 - **`security.sh`** ↔ **`.github/workflows/security.yml`**: Same security analysis tools
-- **`bench.sh`** ↔ **`.github/workflows/bench-performance.yml`**: Same benchmarks, same tools
 
-This ensures that local testing provides the same results as CI, making development more predictable and reliable.
+Note: Benchmarking (`bench.sh`) is intentionally local-only due to CI environment variability.
 
 ### GitHub Actions Integration
 
-The scripts integrate with several workflows:
-
-#### Performance Workflows
-- **`setup-baseline.yml`**: Creates initial baseline (runs once, then can be deleted)
-- **`create-baseline.yml`**: Updates baselines when main branch changes
-- **`bench-performance.yml`**: Compares PR performance against baselines
+The scripts integrate with workflows where appropriate:
 
 #### Security Workflows
 - **`security.yml`**: Runs comprehensive security testing across platforms
 
-#### Composite Actions
-- **`.github/actions/comment-benchmark/`**: Reusable action for PR performance comments
+#### Development Scripts
+- **`bench.sh`**: Local-only performance testing (not suitable for CI)
+- **`dev-checks.sh`**: Can be used in CI for code quality checks
 
 ## Development Workflow
 
@@ -144,7 +141,7 @@ The scripts integrate with several workflows:
 # Run security tests
 ./scripts/security.sh
 
-# Check performance impact
+# Check performance impact (local only)
 ./scripts/bench.sh
 
 # Check binary size impact