oss-fuzz/infra/base-images/base-runner/test_all

#!/bin/bash -u
# Copyright 2016 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################

# Percentage threshold that needs to be reached for marking a build as failed.
ALLOWED_BROKEN_TARGETS_PERCENTAGE=${ALLOWED_BROKEN_TARGETS_PERCENTAGE:-10}

# Test all fuzz targets in the $OUT/ dir.
TOTAL_TARGETS_COUNT=0

# Number of CPUs available, this is needed for running tests in parallel.
NPROC=$(nproc)

# Directories where bad build check results will be written to.
VALID_TARGETS_DIR="/tmp/valid_fuzz_targets"
BROKEN_TARGETS_DIR="/tmp/broken_fuzz_targets"
rm -rf $VALID_TARGETS_DIR
rm -rf $BROKEN_TARGETS_DIR
mkdir $VALID_TARGETS_DIR
mkdir $BROKEN_TARGETS_DIR

# Main loop that iterates through all fuzz targets and runs the check.
for FUZZER_BINARY in $(find $OUT/ -maxdepth 1 -executable -type f); do
  if file "$FUZZER_BINARY" | grep -v ELF > /dev/null 2>&1; then
    continue
  fi

  # Continue if not a fuzz target.
  if [[ $FUZZING_ENGINE != "none" ]]; then
    grep "LLVMFuzzerTestOneInput" $FUZZER_BINARY > /dev/null 2>&1 || continue
  fi

  FUZZER=$(basename $FUZZER_BINARY)
  if [[ "$FUZZER" == afl-* ]]; then
    continue
  fi
  if [[ "$FUZZER" == honggfuzz ]]; then
    continue
  fi

  echo "INFO: performing bad build checks for $FUZZER_BINARY."

  LOG_PATH_FOR_BROKEN_TARGET="${BROKEN_TARGETS_DIR}/${FUZZER}"

  # Launch bad build check process in the background. Ignore the exit codes, as
  # we check the percentage of broken fuzz targets after running all the checks.
  bad_build_check $FUZZER_BINARY &> $LOG_PATH_FOR_BROKEN_TARGET &

  # Count total number of fuzz targets being tested.
  TOTAL_TARGETS_COUNT=$[$TOTAL_TARGETS_COUNT+1]

  # Do not spawn more processes than the number of CPUs available.
  n_child_proc=$(jobs -rp | wc -l)
  while [ "$n_child_proc" -eq "$NPROC" ]; do
    sleep 4
    n_child_proc=$(jobs -rp | wc -l)
  done
done

# Wait for background processes to finish.
wait

# Sanity check in case there are no fuzz targets in the $OUT/ dir.
if [ "$TOTAL_TARGETS_COUNT" -eq "0" ]; then
  echo "ERROR: no fuzzers found in $OUT/"
  ls -al $OUT
  exit 1
fi

# An empty log file indicated that corresponding fuzz target is not broken.
find $BROKEN_TARGETS_DIR -empty -exec mv {} $VALID_TARGETS_DIR \;

# Calculate number of valid and broken fuzz targets.
VALID_TARGETS_COUNT=$(ls $VALID_TARGETS_DIR | wc -l)
BROKEN_TARGETS_COUNT=$(ls $BROKEN_TARGETS_DIR | wc -l)

# Sanity check to make sure that bad build check doesn't skip any fuzz target.
if [ "$TOTAL_TARGETS_COUNT" -ne "$[$VALID_TARGETS_COUNT+$BROKEN_TARGETS_COUNT]" ]; then
  echo "ERROR: bad_build_check seems to have a bug, total number of fuzz" \
       "does not match number of fuzz targets tested."
  echo "Total fuzz targets ($TOTAL_TARGETS_COUNT):"
  ls -al $OUT
  echo "Valid fuzz targets ($VALID_TARGETS_COUNT):"
  ls -al $VALID_TARGETS_DIR
  echo "Total fuzz targets ($BROKEN_TARGETS_COUNT):"
  ls -al $BROKEN_TARGETS_DIR
  exit 1
fi

# Build info about all broken fuzz targets (if any).
if [ "$BROKEN_TARGETS_COUNT" -gt "0" ]; then
  echo "Broken fuzz targets ($BROKEN_TARGETS_COUNT):"
  for target in $(ls $BROKEN_TARGETS_DIR); do
    echo "${target}:"
    cat ${BROKEN_TARGETS_DIR}/${target}
  done
fi

# Calculate the percentage of broken fuzz targets and make the finel decision.
BROKEN_TARGETS_PERCENTAGE=$[$BROKEN_TARGETS_COUNT*100/$TOTAL_TARGETS_COUNT]


if [ "$BROKEN_TARGETS_PERCENTAGE" -gt "$ALLOWED_BROKEN_TARGETS_PERCENTAGE" ]; then
  echo "ERROR: $BROKEN_TARGETS_PERCENTAGE% of fuzz targets seem to be broken." \
       "See the list above for a detailed information."

  # TODO: figure out how to not fail the "special" cases handled below. Those
  # are from "example" and "c-ares" projects and are too small targets to pass.
  if [ "$(ls $OUT/do_stuff_fuzzer $OUT/ares_*_fuzzer $OUT/checksum_fuzzer $OUT/xmltest $OUT/fuzz_compression_sas_rle 2>/dev/null | wc -l)" -gt "0" ]; then
    exit 0
  fi

  exit 1
else
  echo "$TOTAL_TARGETS_COUNT fuzzers total, $BROKEN_TARGETS_COUNT seem to be" \
       "broken ($BROKEN_TARGETS_PERCENTAGE%)."
  exit 0
fi
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`#!/bin/bash -u`
[infra] extracting base-runner image 2016-11-18 22:53:09 +00:00			`# Copyright 2016 Google Inc.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`#`
			`################################################################################`

[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`# Percentage threshold that needs to be reached for marking a build as failed.`
[infra] make it possible to override the percentage of targets that can be broken (#2419) 10% is an absolutely sensible default in general especially for single-purpose libraries like json-parsers. When large "umbrella" projects (like systemd) are fuzzed with 30 fuzzers (and counting (hopefully :-)) covering code scattered all over their repositories it's too easy to introduce a broken fuzzer or break a couple of fuzzers accidentally even after running `check_build`. Waiting for two to three days for ClusterFuzz to open an issue isn't ideal from the point of view of large open-source project maintainers (where generally contributors come and go) so one solution would be to run something like when PRs are opened ```sh helper.py check_build ALLOWED_BROKEN_TARGETS_PERCENTAGE=0 ... ``` and catch issues as early as possible (and fix them while the context isn't completely faded away). I also considered changing this with `sed` and rebuilding `base-images/base-runner` locally but it takes too much time, looks too kludgy (even to me) and is likely to be broken in a week or so :-) 2019-05-15 13:38:09 +00:00			`ALLOWED_BROKEN_TARGETS_PERCENTAGE=${ALLOWED_BROKEN_TARGETS_PERCENTAGE:-10}`
[infra] extracting base-runner image 2016-11-18 22:53:09 +00:00
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`# Test all fuzz targets in the $OUT/ dir.`
			`TOTAL_TARGETS_COUNT=0`

			`# Number of CPUs available, this is needed for running tests in parallel.`
			`NPROC=$(nproc)`

			`# Directories where bad build check results will be written to.`
			`VALID_TARGETS_DIR="/tmp/valid_fuzz_targets"`
			`BROKEN_TARGETS_DIR="/tmp/broken_fuzz_targets"`
			`rm -rf $VALID_TARGETS_DIR`
			`rm -rf $BROKEN_TARGETS_DIR`
			`mkdir $VALID_TARGETS_DIR`
			`mkdir $BROKEN_TARGETS_DIR`

			`# Main loop that iterates through all fuzz targets and runs the check.`
[infra] Enable clange code coverage reports generation for local runs. (#1494) * [infra] Enable clange code coverage reports generation for local runs. * Use runner image and move corpus management to the helper.py . * Clean up, delete unnecessary stuff, add comments. * Run fuzz targets in parallel. Do not exit in case of an error. * Address review feedback, except of the threading thing. * Fix a typo. * Use ThreadPool implementatino available in standard python2.7 package. * Add dry run support + no corpus download option. * Fix flags handling + add log output in case of an error. * Append arguments for fuzz target instead of replacing them. * Remove dry run functionality as it currently errors out after two runs. * Fix some spacing in the code. * Update documentation regarding new code coverage script. 2018-06-14 22:00:46 +00:00			`for FUZZER_BINARY in $(find $OUT/ -maxdepth 1 -executable -type f); do`
Fix fuzzer executable detection in test_all. (#156) 2016-12-08 20:41:14 +00:00			`if file "$FUZZER_BINARY" \| grep -v ELF > /dev/null 2>&1; then`
			`continue`
			`fi`

Fix check for LLVMFuzzerTestOneInput (#1572) 2018-06-26 15:23:56 +00:00			`# Continue if not a fuzz target.`
Don't check for LLVMFuzzerTestOneInput when there is no fuzzing engine. (#1579) 2018-06-28 14:08:57 +00:00			`if [[ $FUZZING_ENGINE != "none" ]]; then`
			`grep "LLVMFuzzerTestOneInput" $FUZZER_BINARY > /dev/null 2>&1 \|\| continue`
			`fi`
Fix bad build check. (#1568) * Fix bad build check. Bad build checks previously just checked that a file is an executable ELF. This is insufficient because libraries are also executable ELFs. Add a check that the file contains LLVMFuzzerTestOneInput, in order to consider a fuzz target. Also update coverage and test_report for consistency. 2018-06-25 23:35:28 +00:00
[infra] extracting base-runner image 2016-11-18 22:53:09 +00:00			`FUZZER=$(basename $FUZZER_BINARY)`
Support honggfuzz as a FUZZING_ENGINE (#636) 2017-06-02 00:55:01 +00:00			`if [[ "$FUZZER" == afl-* ]]; then`
			`continue`
			`fi`
			`if [[ "$FUZZER" == honggfuzz ]]; then`
[infra] (experimental) Support building with AFL (#396) 2017-02-16 23:09:37 +00:00			`continue`
			`fi`

[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`echo "INFO: performing bad build checks for $FUZZER_BINARY."`

			`LOG_PATH_FOR_BROKEN_TARGET="${BROKEN_TARGETS_DIR}/${FUZZER}"`

[infra] Add support for dataflow builds to the helper script and build check (#1632). (#2501) * [infra] Add support for dataflow builds to the helper script and build check (#1632). * Update travis config file. * Address self-review comments and specify dataflow sanitizer for zstd as well. * Fix fuzzing_engines in project.yaml * Fix bad build check for DFSan. * Use "hasattr" in helper.py to check the sanitizer argument. * Address more review comments. * Remove DataFlow config from zstd. * fix a typo 2019-06-12 18:08:15 +00:00			`# Launch bad build check process in the background. Ignore the exit codes, as`
			`# we check the percentage of broken fuzz targets after running all the checks.`
[i386] Do i386 builds of projects that have opted-in (#2416) 2019-05-15 21:00:57 +00:00			`bad_build_check $FUZZER_BINARY &> $LOG_PATH_FOR_BROKEN_TARGET &`
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00
			`# Count total number of fuzz targets being tested.`
			`TOTAL_TARGETS_COUNT=$[$TOTAL_TARGETS_COUNT+1]`

			`# Do not spawn more processes than the number of CPUs available.`
Use "jobs -rp" instead of "jobs -p" to avoid infinite loop. (#1411) 2018-05-11 00:47:05 +00:00			`n_child_proc=$(jobs -rp \| wc -l)`
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`while [ "$n_child_proc" -eq "$NPROC" ]; do`
			`sleep 4`
Use "jobs -rp" instead of "jobs -p" to avoid infinite loop. (#1411) 2018-05-11 00:47:05 +00:00			`n_child_proc=$(jobs -rp \| wc -l)`
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`done`
[infra] extracting base-runner image 2016-11-18 22:53:09 +00:00			`done`

[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`# Wait for background processes to finish.`
			`wait`

			`# Sanity check in case there are no fuzz targets in the $OUT/ dir.`
			`if [ "$TOTAL_TARGETS_COUNT" -eq "0" ]; then`
[infra] extracting base-runner image 2016-11-18 22:53:09 +00:00			`echo "ERROR: no fuzzers found in $OUT/"`
			`ls -al $OUT`
			`exit 1`
			`fi`

[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`# An empty log file indicated that corresponding fuzz target is not broken.`
			`find $BROKEN_TARGETS_DIR -empty -exec mv {} $VALID_TARGETS_DIR \;`

			`# Calculate number of valid and broken fuzz targets.`
			`VALID_TARGETS_COUNT=$(ls $VALID_TARGETS_DIR \| wc -l)`
			`BROKEN_TARGETS_COUNT=$(ls $BROKEN_TARGETS_DIR \| wc -l)`

			`# Sanity check to make sure that bad build check doesn't skip any fuzz target.`
			`if [ "$TOTAL_TARGETS_COUNT" -ne "$[$VALID_TARGETS_COUNT+$BROKEN_TARGETS_COUNT]" ]; then`
			`echo "ERROR: bad_build_check seems to have a bug, total number of fuzz" \`
			`"does not match number of fuzz targets tested."`
			`echo "Total fuzz targets ($TOTAL_TARGETS_COUNT):"`
			`ls -al $OUT`
			`echo "Valid fuzz targets ($VALID_TARGETS_COUNT):"`
			`ls -al $VALID_TARGETS_DIR`
			`echo "Total fuzz targets ($BROKEN_TARGETS_COUNT):"`
			`ls -al $BROKEN_TARGETS_DIR`
			`exit 1`
			`fi`

			`# Build info about all broken fuzz targets (if any).`
			`if [ "$BROKEN_TARGETS_COUNT" -gt "0" ]; then`
			`echo "Broken fuzz targets ($BROKEN_TARGETS_COUNT):"`
			`for target in $(ls $BROKEN_TARGETS_DIR); do`
			`echo "${target}:"`
			`cat ${BROKEN_TARGETS_DIR}/${target}`
			`done`
			`fi`

			`# Calculate the percentage of broken fuzz targets and make the finel decision.`
			`BROKEN_TARGETS_PERCENTAGE=$[$BROKEN_TARGETS_COUNT*100/$TOTAL_TARGETS_COUNT]`


			`if [ "$BROKEN_TARGETS_PERCENTAGE" -gt "$ALLOWED_BROKEN_TARGETS_PERCENTAGE" ]; then`
			`echo "ERROR: $BROKEN_TARGETS_PERCENTAGE% of fuzz targets seem to be broken." \`
			`"See the list above for a detailed information."`

			`# TODO: figure out how to not fail the "special" cases handled below. Those`
			`# are from "example" and "c-ares" projects and are too small targets to pass.`
Renable bad build check for jsoncpp_fuzzer. (#2945) 2019-10-12 00:06:18 +00:00			`if [ "$(ls $OUT/do_stuff_fuzzer $OUT/ares_*_fuzzer $OUT/checksum_fuzzer $OUT/xmltest $OUT/fuzz_compression_sas_rle 2>/dev/null \| wc -l)" -gt "0" ]; then`
[infra] Enable bad build checks once again. (#838) * [infra] Enable bad build checks once again. * Minor typo. * [bad_example] Update build flags for reproducing bad instrumentation scenario. * [bad_example] split bad/no instrumentation case into two different ones. * Use new approach for partial instrumentation detection + do that only for libFuzzer. * Rename bad_example_bad_instrumentation into bad_example_partial_instrumentation. * Calculate number of broken targets and fail if 10+% are broken. * Multiprocess madness. * Always run all checks and store all errors + clean up the code and add comments * Add special handling for the projects with very small fuzz targets. * Remove unnecessary semicolon. * Address review comments. * Address more review comments, small refactoring. 2018-04-17 16:31:53 +00:00			`exit 0`
			`fi`

			`exit 1`
			`else`
			`echo "$TOTAL_TARGETS_COUNT fuzzers total, $BROKEN_TARGETS_COUNT seem to be" \`
			`"broken ($BROKEN_TARGETS_PERCENTAGE%)."`
			`exit 0`
			`fi`