From 5a7ebe5ad47a2cd85ff9d30eec1da9f4613f3278 Mon Sep 17 00:00:00 2001
From: moz-mdauer
Date: Mon, 10 Mar 2025 15:20:22 +0100
Subject: [PATCH] Introduce service for NSS testing with TSan
---
services/nss-tsan-fuzz/Dockerfile | 28 +++++++++
services/nss-tsan-fuzz/launch.sh | 91 +++++++++++++++++++++++++++++
services/nss-tsan-fuzz/service.yaml | 1 +
services/nss-tsan-fuzz/setup.sh | 66 +++++++++++++++++++++
4 files changed, 186 insertions(+)
create mode 100644 services/nss-tsan-fuzz/Dockerfile
create mode 100755 services/nss-tsan-fuzz/launch.sh
create mode 100644 services/nss-tsan-fuzz/service.yaml
create mode 100755 services/nss-tsan-fuzz/setup.sh
diff --git a/services/nss-tsan-fuzz/Dockerfile b/services/nss-tsan-fuzz/Dockerfile
new file mode 100644
index 00000000..ce14b727
--- /dev/null
+++ b/services/nss-tsan-fuzz/Dockerfile
@@ -0,0 +1,28 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+FROM ubuntu:24.04
+
+LABEL maintainer="Maurice Dauer "
+
+ENV LOGNAME=worker
+ENV HOSTNAME=taskcluster-worker
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+
+COPY recipes/linux/ /src/recipes/
+COPY services/nss-tsan-fuzz/setup.sh /src/recipes/setup-nss-tsan-fuzz.sh
+COPY services/nss-tsan-fuzz/launch.sh /home/worker/
+
+RUN /src/recipes/setup-nss-tsan-fuzz.sh
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+USER worker
+WORKDIR /home/worker
+
+ENTRYPOINT ["/usr/local/bin/fuzzing-pool-launch"]
+CMD ["/home/worker/launch.sh"]
diff --git a/services/nss-tsan-fuzz/launch.sh b/services/nss-tsan-fuzz/launch.sh
new file mode 100755
index 00000000..4ba6e31a
--- /dev/null
+++ b/services/nss-tsan-fuzz/launch.sh
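Review bot: `FROM ubuntu:24.04` pins only a mutable tag, so the base image, and everything `setup-nss-tsan-fuzz.sh` installs on top of it, can change between builds without any change to this file. Since launch.sh fetches Taskcluster and GCS credentials into this image at runtime, I would pin the base by digest, e.g. `FROM ubuntu:24.04@sha256:<digest-of-reviewed-image>` (placeholder), and bump it deliberately. Note also that `launch.sh` is copied into `/home/worker/` before the setup script's `chown -R worker:worker /home/worker`, so the `CMD` script ends up owned and writable by the runtime user. Copying it to a root-owned location, or adding a comment saying that this is intended, would make the trust boundary explicit.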
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -e
+set -x
+set -o pipefail
+
+# shellcheck source=recipes/linux/common.sh
+source .local/bin/common.sh
+
+# Clone nss/nspr
+retry hg clone https://hg.mozilla.org/projects/nspr
+retry hg clone https://hg.mozilla.org/projects/nss
+
+# Build nss with --fuzz=tsan
+pushd nss
+./build.sh -c -v --fuzz=tsan --disable-tests
+popd
+
+# Setup fuzzmanger
+get-tc-secret fuzzmanagerconf "$HOME/.fuzzmanagerconf"
+
+# Setup gcloud
+mkdir -p ~/.config/gcloud
+get-tc-secret ossfuzz-gutils ~/.config/gcloud/application_default_credentials.json raw
+echo -e "[Credentials]\ngs_service_key_file = /home/worker/.config/gcloud/application_default_credentials.json" > .boto
+
+# Clone corpora
+mkdir -p ./corpus/nss_tls-client-no_fuzzer_mode
+mkdir -p ./corpus/nss_dtls-client-no_fuzzer_mode
+
+pushd corpus/nss_tls-client-no_fuzzer_mode
+gsutil cp "gs://nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_tls-client-no_fuzzer_mode/latest.zip" .
+unzip latest.zip
+rm -f latest.zip
+popd
+
+pushd corpus/nss_dtls-client-no_fuzzer_mode
+gsutil cp "gs://nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_dtls-client-no_fuzzer_mode/latest.zip" .
+unzip latest.zip
+rm -f latest.zip
+popd
+
+# TSan setup
+export TSAN_OPTIONS="halt_on_error=1 suppressions=$PWD/nss/fuzz/config/tsan.suppressions"
+
+function check-for-crash() {
+ local binary=$1
+
+ if [ -f crash-* ]; then
+ zip -r testcase.zip crash-*
+ collector --submit --stdout stdout.log --crashdata stderr.log \
+ --binary $binary --tool nss-tsan-fuzz \
+ --testcase testcase.zip
+ rm -rf crash-* testcase.zip
+ fi
+}
+
+# Run tls client target
+BINARY="dist/Debug/bin/nsstsan-tls-client"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 5))
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+ $BINARY run ./corpus/nss_tls-client-no_fuzzer_mode $THREADS $MAX_TIME \
+ > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
+
+# Run dtls client target
+BINARY="dist/Debug/bin/nsstsan-dtls-client"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 5))
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+ $BINARY run ./corpus/nss_dtls-client-no_fuzzer_mode $THREADS $MAX_TIME \
+ > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
+
+# Run database target
+BINARY="dist/Debug/bin/nsstsan-database"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 2))
+
+mkdir nsstsandb && \
+ certutil -N -d sql:nsstsandb --empty-password
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+ $BINARY run $THREADS $MAX_TIME > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
diff --git a/services/nss-tsan-fuzz/service.yaml b/services/nss-tsan-fuzz/service.yaml
new file mode 100644
index 00000000..e58ae9e8
--- /dev/null
+++ b/services/nss-tsan-fuzz/service.yaml
@@ -0,0 +1 @@
+name: nss-tsan-fuzz
diff --git a/services/nss-tsan-fuzz/setup.sh b/services/nss-tsan-fuzz/setup.sh
new file mode 100755
index 00000000..84d7f465
--- /dev/null
+++ b/services/nss-tsan-fuzz/setup.sh
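Review bot: In `check-for-crash`, `[ -f crash-* ]` only behaves when the glob matches zero or one file. With two or more crash artifacts `[` receives extra operands and returns an error status, so the `if` silently skips the FuzzManager submission and the findings are dropped. A glob-existence test such as `if compgen -G 'crash-*' > /dev/null; then` avoids that, and `--binary "$binary"` should be quoted. Separately, `set -x` is active while `get-tc-secret` fetches the FuzzManager config and the GCS service key. If that helper is a shell function from common.sh (not visible in this patch), its internals are traced into the task log, so consider bracketing those two calls with `set +x` / `set -x`.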
@@ -0,0 +1,66 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -e
+set -x
+set -o pipefail
+
+# shellcheck source=recipes/linux/common.sh
+source "${0%/*}/common.sh"
+
+#### Bootstrap Packages
+
+sys-update
+
+#### Install recipes
+
+cd "${0%/*}"
+./fuzzmanager.sh
+./gsutil.sh
+./taskcluster.sh
+
+packages=(
+ binutils
+ clang
+ curl
+ git
+ gyp
+ jshon
+ libclang-rt-dev
+ libssl-dev
+ locales
+ make
+ mercurial
+ ninja-build
+ openssh-client
+ python-is-python3
+ python3
+ strace
+ unzip
+ zlib1g-dev
+)
+
+sys-embed "${packages[@]}"
+
+#### Base System Configuration
+
+# Generate locales
+locale-gen en_US.utf8
+
+#### Base Environment Configuration
+
+mkdir -p /home/worker/.local/bin
+
+# Add `cleanup.sh` to let images perform standard cleanup operations.
+cp "${0%/*}/cleanup.sh" /home/worker/.local/bin/cleanup.sh
+
+# Add shared `common.sh` to Bash
+cp "${0%/*}/common.sh" /home/worker/.local/bin/common.sh
+printf "source ~/.local/bin/common.sh\n" >> /home/worker/.bashrc
+
+/home/worker/.local/bin/cleanup.sh
+
+chown -R worker:worker /home/worker
+chmod 0777 /src
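Review bot: `chmod 0777 /src` on the last line leaves the directory that holds the build recipes world-writable without the sticky bit, so any process in the container, including a fuzz target running as `worker`, can rename or replace entries directly under `/src`. If the intent is only to let `worker` write there (the patch does not show what uses `/src` at runtime), `chown worker:worker /src` with the default mode is narrower. If shared write access is really required, `chmod 1777 /src` at least stops users from removing each other's entries. A one-line comment above the `chmod` stating why `/src` must be writable would help the next reader.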