[tools] initial fuzz coverage script#10289
Conversation
Signed-off-by: Asra Ali <asraa@google.com>
|
/review @htuch Questions:
|
Signed-off-by: Asra Ali <asraa@google.com>
htuch
left a comment
There was a problem hiding this comment.
This is super awesome, really looking forward to being able to gate commits on fuzz coverage and the flow here makes a lot of sense (generate tmp corpus from real fuzz runs, then do a normal coverage build).
test/run_envoy_fuzz_coverage.sh
Outdated
| if [[ $# -gt 0 ]]; then | ||
| FUZZ_TARGETS=$* | ||
| else | ||
| # By default, this will be all fuzz targets. |
There was a problem hiding this comment.
Something like this also exists in the OSS-fuzz runner script. Could we define this in a common bash utility script and import it in both locations?
There was a problem hiding this comment.
What do you think of the tag? makes it an easy bazel query
test/run_envoy_fuzz_coverage.sh
Outdated
| echo "Building fuzz targets..." | ||
| for t in ${FUZZ_TARGETS} | ||
| do | ||
| bazel build "${t}_with_libfuzzer" --config asan-fuzzer -c opt |
There was a problem hiding this comment.
Can you do a single build invocation by listing all the targets on the bazel build CLI? That should be faster.
test/run_envoy_fuzz_coverage.sh
Outdated
| for t in ${FUZZ_TARGETS} | ||
| do | ||
| # Get the original corpus for the fuzz target | ||
| ORIGINAL_CORPUS=$(bazel query "labels(srcs, ${t}_corpus)" | head -1) |
There was a problem hiding this comment.
Does this work for a generated corpus?
There was a problem hiding this comment.
Yes, modified to pull data attribute, so now it works for something like route fuzz test
test/run_envoy_fuzz_coverage.sh
Outdated
| done | ||
|
|
||
| # Wait for background process to run. | ||
| # TODO? Processes will still run in background if user ctrl-c. |
There was a problem hiding this comment.
Consider adding trap handlers, see the trap Bash builtin.
|
@lizan probably should also give this a pass once it's ready to ship. |
lizan
left a comment
There was a problem hiding this comment.
I see a lot of duplication from the coverage script, is it possible to reuse possible parts from there? Or, use a environment var or parameter to control that script to generate fuzz before run coverage?
I'm seeing a failure in OSS-Fuzz build, as well as fuzz CI tool #10289 due to fuzzing build macro FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. Basically, PR #10050 introduced regex rewrites that are tested in config_impl_test, which is executed to create the corpus for route_fuzz_test. Fuzz builds are built with the FUZZING_BUILD_MODE... macro, and the RE2 library that does the regex rewrites in the test only does single replacements in fuzzing mode rather than the global replacement in the tests, so the test fails, and the fuzz build fails. This change defined FUZZING_BUILD_MODE... only for fuzzing build rules, and explicitly undefines them for the config_impl_test. RE OSS-Fuzz builds, this is odd. Bazel CLI flags take precedence, so I'm not sure what to do when we build in that environment. I can't seem to #undef in the tests, but I need to come up with some solution.I don't like manually removing the CLI flag in our build script, but maybe? https://github.com/google/oss-fuzz/blob/66e0e379395d3a3ee741b08f4d306e1ed71c4003/infra/base-images/base-clang/Dockerfile Testing: bazel build //test/common/router:route_fuzz_test_with_libfuzzer --config=asan-fuzzer Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
test/build_and_run_fuzz_targets.sh
Outdated
| TEMP_CORPORA+="${CORPUS_DIR} " | ||
| # Run fuzzing process. | ||
| TARGET_BINARY="${t/://}" | ||
| bazel-bin/${TARGET_BINARY:2}_with_libfuzzer -max_total_time=60 ${CORPUS_DIR} $(pwd)${ORIGINAL_CORPUS:1} & |
|
The convergence with the coverage script looks really nice! |
Signed-off-by: Asra Ali <asraa@google.com>
|
Fixed up the rest of the comments + tested with full and partial runs of the fuzz mode and regular mode... I did change the script to build and run fuzz targets to not exit if it fails, the reason is sometimes the fuzz targets find unrelated blockers (for eg ones on OSS-Fuzz) within the 60 seconds, and I don't think we want to totally block devs from submission if the coverage script fails from an existing bug it finds. wdyt? |
|
@asraa seems fine to power on thru those failure although one day I would hope we can remove that; ultimately the main thing we want is to be able to gate on coverage here. |
test/build_and_run_fuzz_targets.sh
Outdated
| LIBFUZZER_TARGETS+="${t}_with_libfuzzer " | ||
| done | ||
|
|
||
| bazel build ${LIBFUZZER_TARGETS} --config asan-fuzzer -c opt |
There was a problem hiding this comment.
Should we be using ${BAZEL_BUiLD_OPTIONS} here @lizan ?
There was a problem hiding this comment.
Yes unless there's reason not to do so.
There was a problem hiding this comment.
Done! Sorry about that
| TARGET="${t}_with_libfuzzer" | ||
| else | ||
| TEST_ARGS=(--test_arg="--log-path /dev/null" --test_arg="-l trace") | ||
| OBJECTS="bazel-bin/test/coverage/coverage_tests" |
There was a problem hiding this comment.
It feels like this should be outside the loop, as it's only done once.
There was a problem hiding this comment.
For clarity? In the case that it's just coverage_tests the loop only has one item.
There was a problem hiding this comment.
Yeah, maybe. I don't feel that strongly, it just took a somewhat higher cognitive hit processing that code in the loop :)
There was a problem hiding this comment.
Hm to resolve, I added a comment addressing the loop -- what I didn't want was to copy/paste the bazel command per loop, but if that makes more sense let me know!
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Signed-off-by: Asra Ali <asraa@google.com>
|
@lizan any final comments before merging? |
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
lizan
left a comment
There was a problem hiding this comment.
Sorry for the delay, can you merge master?
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
|
All set -- sorry there were a couple coverage related PRs submitted very recently |
|
LGTM, will let @lizan do final approval and merge. |
Signed-off-by: Asra Ali <asraa@google.com>
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
@asraa can you check CI? |
Signed-off-by: Asra Ali <asraa@google.com>
|
On it -- need to figure out why coverage script seems to have a regression on master when testing locally. |
Signed-off-by: Asra Ali <asraa@google.com>
|
I couldn't repro locally with docker |
|
friendly ping @lizan -- looks like it's passing CI |
Fuzz coverage script to run all fuzz targets (or ones specified) for 1 min creating a temporary corpus for testcases with new coverage, and then runs a coverage script over all the binaries produced from
bazel coverage.usage:
test/run_envoy_fuzz_coverage.sh(runs all fuzz targets)test/run_envoy_fuzz_coverage.sh //test/common/common:base64_fuzz_test //test/common/common:hash_fuzz_test(runs just specified)Risk level: Low
Testing: Local
Signed-off-by: Asra Ali asraa@google.com