Commit 7621bb07 authored by Tim Taubert's avatar Tim Taubert

Bug 1330655 - Make NSS build within OSS-Fuzz r=franziskus

Differential Revision: https://nss-review.dev.mozaws.net/D161

--HG--
extra : amend_source : 875313e502f89c1488e945bd4f2b2aaf7b487575
parent d8a4fc55
......@@ -17,3 +17,4 @@ GTAGS
.ycm_extra_conf.py*
fuzz/libFuzzer/*
fuzz/corpus
fuzz/out
......@@ -17,3 +17,4 @@ GTAGS
.ycm_extra_conf.py*
fuzz/libFuzzer/*
fuzz/corpus
fuzz/out
......@@ -285,7 +285,7 @@ async function scheduleFuzzing() {
"/bin/bash",
"-c",
"bin/checkout.sh && " +
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz"
"nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls"
],
artifacts: {
public: {
......
......@@ -18,4 +18,4 @@ mkdir -p nss/fuzz/corpus/$type
objdir=$(cat dist/latest)
# Run nssfuzz.
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib dist/$objdir/bin/nssfuzz-"$type" "$@"
dist/$objdir/bin/nssfuzz-"$type" "$@"
......@@ -15,9 +15,9 @@ show_help()
{
cat << EOF
Usage: ${0##*/} [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
[--test] [--fuzz] [--pprof] [--scan-build[=output]]
[--test] [--pprof] [--scan-build[=output]] [--ct-verif]
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
[--ct-verif] [--disable-tests]
[--disable-tests] [--fuzz[=tls|oss]]
This script builds NSS with gyp and ninja.
......@@ -35,7 +35,9 @@ NSS build tool options:
--opt|-o do an opt build
-m32 do a 32-bit build on a 64-bit system
--test ignore map files and export everything we have
--fuzz enable fuzzing mode. this always enables test builds
--fuzz build fuzzing targets (this always enables test builds)
--fuzz=tls to enable TLS fuzzing mode
--fuzz=oss to build for OSS-Fuzz
--pprof build with gperftool support
--ct-verif build with valgrind for ct-verif
--scan-build run the build with scan-build (scan-build has to be in the path)
......@@ -74,6 +76,8 @@ rebuild_nspr=0
target=Debug
verbose=0
fuzz=0
fuzz_tls=0
fuzz_oss=0
gyp_params=(--depth="$cwd" --generator-output=".")
nspr_params=()
......@@ -95,6 +99,8 @@ while [ $# -gt 0 ]; do
-v) ninja_params+=(-v); verbose=1 ;;
--test) gyp_params+=(-Dtest_build=1) ;;
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
--scan-build) enable_scanbuild ;;
--scan-build=?*) enable_scanbuild "${1#*=}" ;;
--opt|-o) opt_build=1 ;;
......@@ -108,6 +114,7 @@ while [ $# -gt 0 ]; do
--pprof) gyp_params+=(-Duse_pprof=1) ;;
--ct-verif) gyp_params+=(-Dct_verif=1) ;;
--disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
--no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
*) show_help; exit 2 ;;
esac
shift
......@@ -152,6 +159,7 @@ check_config()
mkdir -p $(dirname "$newconf")
echo CC="$CC" >"$newconf"
echo CCC="$CCC" >>"$newconf"
echo CXX="$CXX" >>"$newconf"
for i in "$@"; do echo $i; done | sort >>"$newconf"
# Note: The following diff fails if $oldconf isn't there as well, which
......@@ -170,6 +178,9 @@ elif [ ! -d "$dist_dir"/$target ]; then
rebuild_nspr=1
fi
# Update NSPR ${C,CXX,LD}FLAGS.
nspr_set_flags $sanitizer_flags
if check_config "$nspr_config" "${nspr_params[@]}" \
nspr_cflags="$nspr_cflags" \
nspr_cxxflags="$nspr_cxxflags" \
......@@ -177,6 +188,11 @@ if check_config "$nspr_config" "${nspr_params[@]}" \
rebuild_nspr=1
fi
# Forward sanitizer flags.
if [ ! -z "$sanitizer_flags" ]; then
gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
fi
if check_config "$gyp_config" "${gyp_params[@]}"; then
rebuild_gyp=1
fi
......
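Review bot: The configuration fingerprint written by check_config gains `CXX` here but still omits `CFLAGS`, `CXXFLAGS` and `LDFLAGS`, which this commit starts to rely on: nspr_set_flags now derives the NSPR flags from them, and the `--fuzz=oss` path enables no sanitizer of its own. The NSPR check is passed `nspr_cflags=...` explicitly and so notices a change, but the gyp check only sees `gyp_params`. Changing the environment's sanitizer flags between two builds in the same tree would therefore presumably not trigger a regeneration, and a fuzz binary could keep stale instrumentation. Consider also recording `echo CFLAGS="$CFLAGS" >>"$newconf"`, and the same for `CXXFLAGS` and `LDFLAGS`. As a style point, `[ ! -z "$sanitizer_flags" ]` in the last hunk reads more directly as `[ -n "$sanitizer_flags" ]`; check_config's body continues outside the hunk.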
......@@ -97,12 +97,11 @@
'moz_fold_libs%': 0,
'moz_folded_library_name%': '',
'ssl_enable_zlib%': 1,
'use_asan%': 0,
'use_ubsan%': 0,
'use_msan%': 0,
'use_sancov%': 0,
'sanitizer_flags%': 0,
'test_build%': 0,
'no_zdefs%': 0,
'fuzz%': 0,
'fuzz_tls%': 0,
'sign_libs%': 1,
'use_pprof%': 0,
'ct_verif%': 0,
......@@ -135,7 +134,7 @@
'-lc',
],
}],
[ 'use_asan==1 or use_ubsan!=0 or fuzz==1', {
[ 'fuzz==1', {
'variables': {
'debug_optimization_level%': '1',
},
......@@ -216,7 +215,6 @@
[ 'cc_use_gnu_ld==1', {
'ldflags': [
'-Wl,--gc-sections',
'-Wl,-z,defs',
],
'conditions': [
['OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
......@@ -225,6 +223,11 @@
'-Wl,--warn-unresolved-symbols',
],
}],
['no_zdefs==0', {
'ldflags': [
'-Wl,-z,defs',
],
}],
],
}],
],
......@@ -348,73 +351,22 @@
'<!@(<(python) <(DEPTH)/coreconf/werror.py)',
],
}],
[ 'fuzz==1', {
[ 'fuzz_tls==1', {
'cflags': [
'-Wno-unused-function',
]
],
}],
[ 'use_asan==1', {
'variables': {
'asan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py asan)',
'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
},
'cflags': ['<@(asan_flags)'],
'ldflags': ['<@(asan_flags)'],
'ldflags!': ['<@(no_ldflags)'],
[ 'sanitizer_flags!=0', {
'cflags': ['<@(sanitizer_flags)'],
'ldflags': ['<@(sanitizer_flags)'],
'xcode_settings': {
'OTHER_CFLAGS': ['<@(asan_flags)'],
'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
'OTHER_CFLAGS': ['<@(sanitizer_flags)'],
# We want to pass -fsanitize=... to our final link call,
# but not to libtool. OTHER_LDFLAGS is passed to both.
# To trick GYP into doing what we want, we'll piggyback on
# LIBRARY_SEARCH_PATHS, producing "-L/usr/lib -fsanitize=...".
# The -L/usr/lib is redundant but innocuous: it's a default path.
'LIBRARY_SEARCH_PATHS': ['/usr/lib <(asan_flags)'],
},
}],
[ 'use_ubsan!=0', {
'variables': {
'ubsan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ubsan <(use_ubsan))',
'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
},
'cflags': ['<@(ubsan_flags)'],
'ldflags': ['<@(ubsan_flags)'],
'ldflags!': ['<@(no_ldflags)'],
'xcode_settings': {
'OTHER_CFLAGS': ['<@(ubsan_flags)'],
'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
# See comment above.
'LIBRARY_SEARCH_PATHS': ['/usr/lib <(ubsan_flags)'],
},
}],
[ 'use_msan==1', {
'variables': {
'msan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py msan)',
'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
},
'cflags': ['<@(msan_flags)'],
'ldflags': ['<@(msan_flags)'],
'ldflags!': ['<@(no_ldflags)'],
'xcode_settings': {
'OTHER_CFLAGS': ['<@(msan_flags)'],
'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
# See comment above.
'LIBRARY_SEARCH_PATHS': ['/usr/lib <(msan_flags)'],
},
}],
[ 'use_sancov!=0', {
'variables': {
'sancov_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py sancov <(use_sancov))',
'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
},
'cflags': ['<@(sancov_flags)'],
'ldflags': ['<@(sancov_flags)'],
'ldflags!': ['<@(no_ldflags)'],
'xcode_settings': {
'OTHER_CFLAGS': ['<@(sancov_flags)'],
'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
# See comment above.
'LIBRARY_SEARCH_PATHS': ['/usr/lib <(sancov_flags)'],
'LIBRARY_SEARCH_PATHS': ['/usr/lib <(sanitizer_flags)'],
},
}],
[ 'OS=="android" and mozilla_client==0', {
......
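Review bot: The optimisation condition in the second hunk went from `use_asan==1 or use_ubsan!=0 or fuzz==1` to just `fuzz==1`, so a sanitizer build without `--fuzz` no longer gets `debug_optimization_level` 1. If that is only a side effect of removing the `use_*` variables, `[ 'fuzz==1 or sanitizer_flags!=0', {` would keep the previous behaviour. The comment above `LIBRARY_SEARCH_PATHS` could also say that `sanitizer_flags` is one space-separated string assembled by the build script, since it is spliced into a path entry there with `<(sanitizer_flags)`. The conditions list starts and ends outside the visible hunks.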
......@@ -2,15 +2,23 @@
# This file is used by build.sh to setup fuzzing.
gyp_params+=(-Dtest_build=1 -Dfuzz=1)
enable_sanitizer asan
enable_ubsan
enable_sancov
# Add debug symbols even for opt builds.
nspr_params+=(--enable-debug-symbols)
echo "fuzz [1/2] Cloning libFuzzer files ..."
run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
if [ "$fuzz_oss" = 1 ]; then
gyp_params+=(-Dno_zdefs=1)
else
enable_sanitizer asan
enable_ubsan
enable_sancov
fi
echo "fuzz [2/2] Cloning fuzzing corpus ..."
run_verbose "$cwd"/fuzz/clone_corpus.sh
if [ "$fuzz_tls" = 1 ]; then
gyp_params+=(-Dfuzz_tls=1)
fi
if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
echo "Cloning libFuzzer files ..."
run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
fi
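Review bot: Whether libFuzzer is cloned is decided by probing for `/usr/lib/libFuzzingEngine.a` rather than by `$fuzz_oss`, and fuzz.gyp repeats the same probe in its `use_fuzzing_engine` variable. The two checks have to stay in step, and a machine that happens to have that file would link `-lFuzzingEngine` even for a plain `--fuzz` build. Making the choice once in the `fuzz_oss` branch would make the engine selection explicit, for example by passing `-Duse_fuzzing_engine=1` next to `-Dno_zdefs=1` and giving the gyp variable a `%` default. The `fuzz_oss` branch would also benefit from a comment such as `# OSS-Fuzz mode: sanitizer and coverage flags are expected from the environment (CFLAGS/CXXFLAGS), so none are enabled here.`, because that branch otherwise looks like it builds uninstrumented fuzzers.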
......@@ -14,12 +14,11 @@ if hash gmake 2>/dev/null; then
make() { command gmake "$@"; }
fi
nspr_sanitizer()
nspr_set_flags()
{
local extra=$(python $cwd/coreconf/sanitizers.py "$@")
nspr_cflags="$nspr_cflags $extra"
nspr_cxxflags="$nspr_cxxflags $extra"
nspr_ldflags="$nspr_ldflags $extra"
nspr_cflags="$CFLAGS $@"
nspr_cxxflags="$CXXFLAGS $@"
nspr_ldflags="$LDFLAGS $@"
}
nspr_build()
......
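Review bot: `nspr_set_flags` embeds `$@` inside a larger quoted string (`"$CFLAGS $@"`), which only behaves as intended because assignments are not word-split; `$*` states the intent, e.g. `nspr_cflags="$CFLAGS $*"`. The function also overwrites `nspr_cflags`, `nspr_cxxflags` and `nspr_ldflags`, whereas nspr_sanitizer appended to them, so anything placed in those variables before the call is dropped. If that reset is intended, a one-line comment such as `# Resets the NSPR flags to the environment's flags plus the given extras.` would make it clear. nspr_build's body lies outside the hunk.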
......@@ -5,7 +5,7 @@ import sys
def main():
if len(sys.argv) < 2:
raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.')
raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
sanitizer = sys.argv[1]
if sanitizer == "ubsan":
......@@ -27,12 +27,7 @@ def main():
print('-fsanitize-coverage='+sys.argv[2]+' ', end='')
return
# We have to remove this from the ld flags when building asan.
if sanitizer == "ld":
print('-Wl,-z,defs ', end='')
return
raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.')
raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
if __name__ == '__main__':
main()
#!/usr/bin/env bash
# This file is used by build.sh to setup sanitizers.
sanitizer_flags=""
# This tracks what sanitizers are enabled, and their options.
declare -A sanitizers
enable_sanitizer()
......@@ -8,8 +10,13 @@ enable_sanitizer()
local san="$1"
[ -n "${sanitizers[$san]}" ] && return
sanitizers[$san]="${2:-1}"
gyp_params+=(-Duse_"$san"="${2:-1}")
nspr_sanitizer "$san" "$2"
if [ -z "$sanitizer_flags" ]; then
gyp_params+=(-Dno_zdefs=1)
fi
local cflags=$(python $cwd/coreconf/sanitizers.py "$@")
sanitizer_flags="$sanitizer_flags $cflags"
}
enable_sancov()
......
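Review bot: `local cflags=$(python $cwd/coreconf/sanitizers.py "$@")` hides the helper's exit status behind `local`, so when sanitizers.py raises (it does for an unrecognised sanitizer name) the script continues with an empty `cflags` and the build silently lacks that sanitizer. Declaring and assigning separately keeps the failure visible: `local cflags` followed by `cflags=$(python "$cwd"/coreconf/sanitizers.py "$@") || exit 1`, which also quotes `$cwd`. The `-Dno_zdefs=1` guard depends on `sanitizer_flags` still being empty on the first call; a comment saying so would help the next reader. enable_sancov's body lies outside the hunk.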
......@@ -4,39 +4,86 @@
{
'includes': [
'../coreconf/config.gypi',
'../cmd/platlibs.gypi'
],
'variables': {
'use_fuzzing_engine': '<!(test -f /usr/lib/libFuzzingEngine.a && echo 1 || echo 0)',
},
'target_defaults': {
'variables': {
'debug_optimization_level': '2',
},
'target_conditions': [
[ '_type=="executable"', {
'libraries!': [
'<@(nspr_libs)',
],
'libraries': [
'<(nss_dist_obj_dir)/lib/libplds4.a',
'<(nss_dist_obj_dir)/lib/libnspr4.a',
'<(nss_dist_obj_dir)/lib/libplc4.a',
],
}],
],
},
'targets': [
{
'target_name': 'libFuzzer',
'type': 'static_library',
'sources': [
'libFuzzer/FuzzerCrossOver.cpp',
'libFuzzer/FuzzerDriver.cpp',
'libFuzzer/FuzzerExtFunctionsDlsym.cpp',
'libFuzzer/FuzzerExtFunctionsWeak.cpp',
'libFuzzer/FuzzerExtFunctionsWeakAlias.cpp',
'libFuzzer/FuzzerIO.cpp',
'libFuzzer/FuzzerIOPosix.cpp',
'libFuzzer/FuzzerIOWindows.cpp',
'libFuzzer/FuzzerLoop.cpp',
'libFuzzer/FuzzerMain.cpp',
'libFuzzer/FuzzerMerge.cpp',
'libFuzzer/FuzzerMutate.cpp',
'libFuzzer/FuzzerSHA1.cpp',
'libFuzzer/FuzzerTracePC.cpp',
'libFuzzer/FuzzerTraceState.cpp',
'libFuzzer/FuzzerUtil.cpp',
'libFuzzer/FuzzerUtilDarwin.cpp',
'libFuzzer/FuzzerUtilLinux.cpp',
'libFuzzer/FuzzerUtilPosix.cpp',
'libFuzzer/FuzzerUtilWindows.cpp',
'target_name': 'fuzz_base',
'dependencies': [
'<(DEPTH)/lib/certdb/certdb.gyp:certdb',
'<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
'<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
'<(DEPTH)/lib/base/base.gyp:nssb',
'<(DEPTH)/lib/dev/dev.gyp:nssdev',
'<(DEPTH)/lib/pki/pki.gyp:nsspki',
'<(DEPTH)/lib/util/util.gyp:nssutil',
'<(DEPTH)/lib/nss/nss.gyp:nss_static',
'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
],
'conditions': [
['use_fuzzing_engine==0', {
'type': 'static_library',
'sources': [
'libFuzzer/FuzzerCrossOver.cpp',
'libFuzzer/FuzzerDriver.cpp',
'libFuzzer/FuzzerExtFunctionsDlsym.cpp',
'libFuzzer/FuzzerExtFunctionsWeak.cpp',
'libFuzzer/FuzzerExtFunctionsWeakAlias.cpp',
'libFuzzer/FuzzerIO.cpp',
'libFuzzer/FuzzerIOPosix.cpp',
'libFuzzer/FuzzerIOWindows.cpp',
'libFuzzer/FuzzerLoop.cpp',
'libFuzzer/FuzzerMain.cpp',
'libFuzzer/FuzzerMerge.cpp',
'libFuzzer/FuzzerMutate.cpp',
'libFuzzer/FuzzerSHA1.cpp',
'libFuzzer/FuzzerTracePC.cpp',
'libFuzzer/FuzzerTraceState.cpp',
'libFuzzer/FuzzerUtil.cpp',
'libFuzzer/FuzzerUtilDarwin.cpp',
'libFuzzer/FuzzerUtilLinux.cpp',
'libFuzzer/FuzzerUtilPosix.cpp',
'libFuzzer/FuzzerUtilWindows.cpp',
],
'cflags/': [
['exclude', '-fsanitize-coverage'],
],
'xcode_settings': {
'OTHER_CFLAGS/': [
['exclude', '-fsanitize-coverage'],
],
},
'direct_dependent_settings': {
'include_dirs': [
'libFuzzer',
],
},
}, {
'type': 'none',
'direct_dependent_settings': {
'libraries': ['-lFuzzingEngine'],
}
}]
],
'direct_dependent_settings': {
'include_dirs': [
'libFuzzer',
],
}
},
{
'target_name': 'nssfuzz-cert',
......@@ -48,33 +95,33 @@
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'libFuzzer',
'fuzz_base',
],
},
{
'target_name': 'nssfuzz-pkcs8',
'target_name': 'nssfuzz-spki',
'type': 'executable',
'sources': [
'asn1_mutators.cc',
'spki_target.cc',
'initialize.cc',
'pkcs8_target.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'libFuzzer',
'fuzz_base',
],
},
{
'target_name': 'nssfuzz-spki',
'target_name': 'nssfuzz-pkcs8',
'type': 'executable',
'sources': [
'asn1_mutators.cc',
'spki_target.cc',
'initialize.cc',
'pkcs8_target.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'libFuzzer',
'fuzz_base',
],
},
{
......@@ -82,25 +129,9 @@
'type': 'none',
'dependencies': [
'nssfuzz-cert',
'nssfuzz-pkcs8',
'nssfuzz-spki',
]
'nssfuzz-pkcs8',
],
}
],
'target_defaults': {
'variables': {
'debug_optimization_level': '2',
},
'cflags/': [
['exclude', '-fsanitize-coverage'],
],
'xcode_settings': {
'OTHER_CFLAGS/': [
['exclude', '-fsanitize-coverage'],
],
},
},
'variables': {
'module': 'nss',
}
}
##############################################
## ##
## WARNING: You're building with -Dfuzz=1 ##
## ##
## This means: ##
## ##
## * Your PRNG is DETERMINISTIC. ##
## * TLS transcripts are PLAINTEXT. ##
## * TLS signature checks are DISABLED. ##
## ##
## Thank you for fuzzing! ##
## ##
##############################################
##################################################
## ##
## WARNING: You're building with -Dfuzz_tls=1 ##
## ##
## This means: ##
## ##
## * Your PRNG is DETERMINISTIC. ##
## * TLS transcripts are PLAINTEXT. ##
## * Session tickets are NOT encrypted. ##
## * TLS signature/MAC checks are DISABLED. ##
## ##
## Thank you for fuzzing! ##
## ##
##################################################
......@@ -14,7 +14,7 @@
'-lstdc++',
],
}],
[ 'fuzz==1', {
[ 'fuzz_tls==1', {
'defines': [
'UNSAFE_FUZZER_MODE',
],
......
......@@ -225,7 +225,7 @@
}],
],
}],
[ 'fuzz==1', {
[ 'fuzz_tls==1', {
'sources': [
'det_rng.c',
],
......@@ -391,7 +391,7 @@
'NSS_USE_COMBA',
],
}],
[ 'target_arch=="x64" and use_msan==0', {
[ 'target_arch=="x64"', {
'defines': [
'USE_HW_AES',
'INTEL_GCM',
......
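Review bot: Dropping `use_msan==0` from the `target_arch=="x64"` condition in the last hunk means `USE_HW_AES` and `INTEL_GCM` are now defined for MemorySanitizer builds too, since the `use_msan` variable no longer exists after this commit. That guard presumably kept code MSan cannot instrument out of those builds, so `--msan` runs may start reporting uninitialised reads in the hardware AES/GCM paths. If the exclusion is still wanted, enable_sanitizer could keep emitting a gyp variable for msan alongside `sanitizer_flags`, and this condition could keep testing it. The enclosing conditions list starts and ends outside the hunk.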
......@@ -63,7 +63,7 @@
'NSS_SSL_ENABLE_ZLIB',
],
}],
[ 'fuzz==1', {
[ 'fuzz_tls==1', {
'defines': [
'UNSAFE_FUZZER_MODE',
],
......
......@@ -241,7 +241,7 @@
},
],
}],
[ 'fuzz==1', {
[ 'fuzz_tls==1', {
'targets': [
{
'target_name': 'fuzz_warning',
......@@ -256,12 +256,16 @@
}
],
},
],
}],
[ 'fuzz==1', {
'targets': [
{
'target_name': 'fuzz',
'type': 'none',
'dependencies': [
'fuzz/fuzz.gyp:nssfuzz',
]
],
},
],
}],
......