ci(tsan): address review findings on PR #5725

Two small follow-ups from the CodeRabbit + Gemini review:

  * include/makefiles_vars.mk — emit a $(warning ...) for
    vm.mmap_rnd_bits=28 from the WITHTSAN=1 branch, mirroring the
    existing ASAN warning. Both sanitizers need the same 28-bit
    ASLR ceiling and the original commit's claim that "the warning
    above already covers both" was wrong: the ASAN warning only
    fires under WITHASAN=1, so a TSAN-only build was running
    silent.

  * .github/workflows/CI-unit-tests-tsan.yml — fix the compose
    project-name transform to match the Makefile. The Makefile's
    binaries/proxysql% rule uses `${GIT_VERSION/./}` (strip first
    dot only); the workflow was using `${GIT_VERSION//./}` (strip
    all dots), which put `docker compose run` into a different
    project namespace than `make ubuntu24-tap` had declared. In
    practice the Makefile tears down its project before exiting
    so the visible effect was just a redundant fresh
    network/volume on the run step, but the build-chain contract
    is "same project name throughout" and we should honour it.
    Comment block updated so it stops claiming the two transforms
    are the same operation.

.github/workflows/CI-unit-tests-tsan.yml

@@ -132,11 +132,15 @@ jobs:
       # same volume mounts (defined on ubuntu24_dbg_build →
       # ubuntu24_build → _build).
       #
-      # The compose project name has to match the one `make ubuntu24-
-      # tap` used (Makefile binaries/proxysql% rule: `${GIT_VERSION/.
-      # /}`) so docker compose can attach to the same network/volume
-      # set the build phase declared. We compute GIT_VERSION the same
-      # way the Makefile does and apply the same `s/.//g` transform.
+      # The compose project name uses the same single-dot strip the
+      # Makefile binaries/proxysql% rule applies (`${GIT_VERSION/./}`,
+      # not `${GIT_VERSION//./}`) so this `run` lands in the namespace
+      # `make ubuntu24-tap` declared. Practically the build recipe
+      # tears its project down before exiting, so the only thing we'd
+      # observe from a mismatched project name is `docker compose`
+      # creating a fresh network/volume set on the fly — but keeping
+      # them consistent is the contract the rest of the build chain
+      # relies on.
       #
       # SKIP_PROXYSQL=1 short-circuits the daemon + backend checks in
       # run-tests-isolated.bash, so it just iterates groups.json and
@@ -147,7 +151,7 @@ jobs:
         INFRA_ID: ci-unit-tests-tsan
       run: |
         GIT_VERSION="$(git describe --long --abbrev=7)"
-        PROJECT="${GIT_VERSION//./}"
+        PROJECT="${GIT_VERSION/./}"
         # Two on-the-fly apt installs: the build image is package-build-
         # focused, not test-execution-focused, so it ships neither.
         #   * python3-packaging: run-tests-isolated.bash uses it to

include/makefiles_vars.mk

@@ -58,14 +58,14 @@ endif
 # variable name to keep the propagation paths unchanged across deps/
 # lib/ src/ test/ Makefiles. Reuse means a build is *either* ASAN
 # *or* TSAN, never both. TSAN inherits ASAN's ASLR width constraint
-# (Linux 5.18+ defaults vm.mmap_rnd_bits=32; TSAN expects 28); the
-# warning above already covers both.
+# (Linux 5.18+ defaults vm.mmap_rnd_bits=32; TSAN expects 28).
 ifeq ($(WITHTSAN),1)
 ifeq ($(WITHASAN),1)
     $(error WITHASAN=1 and WITHTSAN=1 are mutually exclusive — pick one)
 endif
 	WASAN := -fsanitize=thread
 	export NOJEMALLOC=1
+    $(warning TSAN needs ASLR =< 28bits, make sure 'sysctl vm.mmap_rnd_bits=28' is set.)
 endif
 
 NOJEM :=