Currently, when fuzzers are enabled, we run meson from within meson
to build the fuzzer executables with sanitizers. The idea is that
we can build the fuzzers with different kinds of sanitizers
independently from the main build.
The issue with this setup is that we don't actually make use of it.
We only build the fuzzers with one set of sanitizers (address,undefined)
so we're adding a bunch of extra complexity without any benefit as we
can just setup the top level meson build with these sanitizers and get
the same result.
The other issue with this setup is that we don't pass on all the options
passed to the top level meson build to the nested meson build. The only things
we pass on are extra compiler arguments and the value of the auto_features
option, but none of the individual feature options if overridden are passed on,
which can lead to very hard to debug issues as an option enabled in the top
level build is not enabled in the nested build.
Since we're not getting anything useful out of this setup, let's simplify
and get rid of the nested meson build. Instead, sanitizers should be enabled
for the top level meson.build. This currently didn't work as we were overriding
the sanitizers passed to the meson build with the fuzzer sanitizer, so we
fix that as well by making sure we combine the fuzzer sanitizer with the ones
passed in by the user.
We also drop support for looking up libFuzzer as a separate library as
it has been shipped builtin in clang since clang 6.0, so we can assume
that -fsanitize=fuzzer is available.
To make sure we still run the fuzzing tests, we enable the fuzz-tests option
by default now to make sure they still always run (without instrumentation unless
one of llvm-fuzz or oss-fuzz is enabled).
(cherry picked from commit
d8def5dc8745c3d77cf49ad5abbb6719ffd94035)
## Fuzzers
-systemd includes fuzzers in `src/fuzz/` that use libFuzzer and are automatically run by [OSS-Fuzz](https://github.com/google/oss-fuzz) with sanitizers.
-To add a fuzz target, create a new `src/fuzz/fuzz-foo.c` file with a `LLVMFuzzerTestOneInput` function and add it to the list in `src/fuzz/meson.build`.
+systemd includes fuzzers in `src/fuzz/` that use libFuzzer and are automatically
+run by [OSS-Fuzz](https://github.com/google/oss-fuzz) with sanitizers. To add a
+fuzz target, create a new `src/fuzz/fuzz-foo.c` file with a
+`LLVMFuzzerTestOneInput` function and add it to the list in
+`src/fuzz/meson.build`.
-Whenever possible, a seed corpus and a dictionary should also be added with new fuzz targets.
-The dictionary should be named `src/fuzz/fuzz-foo.dict` and the seed corpus should be built and exported as `$OUT/fuzz-foo_seed_corpus.zip` in `tools/oss-fuzz.sh`.
+Whenever possible, a seed corpus and a dictionary should also be added with new
+fuzz targets. The dictionary should be named `src/fuzz/fuzz-foo.dict` and the
+seed corpus should be built and exported as `$OUT/fuzz-foo_seed_corpus.zip` in
+`tools/oss-fuzz.sh`.
-The fuzzers can be built locally if you have libFuzzer installed by running `tools/oss-fuzz.sh`, or by running:
+The fuzzers can be built locally by running `tools/oss-fuzz.sh`, or by running:
```sh
CC=clang CXX=clang++ \
ninja -C build-libfuzz fuzzers
```
-Each fuzzer then can be then run manually together with a directory containing the initial corpus:
+Each fuzzer then can be then run manually together with a directory containing
+the initial corpus:
```
export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
build-libfuzz/fuzz-varlink-idl test/fuzz/fuzz-varlink-idl/
```
-Note: the `halt_on_error=1` UBSan option is especially important,
-otherwise the fuzzer won't crash when undefined behavior is triggered.
+Note: the `halt_on_error=1` UBSan option is especially important, otherwise the
+fuzzer won't crash when undefined behavior is triggered.
You should also confirm that the fuzzers can be built and run using
[the OSS-Fuzz toolchain](https://google.github.io/oss-fuzz/advanced-topics/reproducing/#building-using-docker):
./infra/helper.py coverage --no-corpus-download systemd
```
-If you find a bug that impacts the security of systemd,
-please follow the guidance in [CONTRIBUTING.md](/CONTRIBUTING) on how to report a security vulnerability.
+If you find a bug that impacts the security of systemd, please follow the
+guidance in [CONTRIBUTING.md](/CONTRIBUTING) on how to report a security
+vulnerability.
For more details on building fuzzers and integrating with OSS-Fuzz, visit:
endif
if want_libfuzzer
- fuzzing_engine = meson.get_compiler('cpp').find_library('Fuzzer', required : false)
- if fuzzing_engine.found()
- userspace_c_args += '-fsanitize-coverage=trace-pc-guard,trace-cmp'
- elif cc.has_argument('-fsanitize=fuzzer-no-link')
+ if cc.has_argument('-fsanitize=fuzzer-no-link')
userspace_c_args += '-fsanitize=fuzzer-no-link'
else
- error('Looks like neither libFuzzer nor -fsanitize=fuzzer-no-link is supported')
+ error('Looks like -fsanitize=fuzzer-no-link is not supported')
endif
elif want_ossfuzz
fuzzing_engine = meson.get_compiler('cpp').find_library('FuzzingEngine')
'install' : false,
}
-if want_ossfuzz or (want_libfuzzer and fuzzing_engine.found())
+if want_ossfuzz
fuzz_additional_kwargs = {
'dependencies' : fuzzing_engine,
}
-elif want_libfuzzer and not fuzzing_engine.found()
+elif want_libfuzzer
fuzz_additional_kwargs = {
'link_args' : ['-fsanitize=fuzzer'],
}
if is_fuzz
fuzzer_exes += exe
- if want_tests != 'false'
- # Run the fuzz regression tests without any sanitizers enabled.
- # Additional invocations with sanitizers may get added below.
+ if want_tests != 'false' and want_fuzz_tests
fuzz_ins = fuzz_regression_tests.get(name, {})
foreach directive : fuzz_ins.get('directives', [])
tt = '@0@_@1@'.format(name, fs.name(directive.full_path()))
exe,
suite : 'fuzz',
args : directive.full_path(),
+ env : ['UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1'],
+ timeout : 60,
depends : directive)
endforeach
foreach file : fuzz_ins.get('files', [])
test(tt,
exe,
suite : 'fuzz',
+ env : ['UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1'],
+ timeout : 60,
args : file)
endforeach
endif
endif
endforeach
-# Enable tests for all supported sanitizers
-foreach tuple : fuzz_sanitizers
- sanitizer = tuple[0]
- build = tuple[1]
-
- if cc.has_link_argument('-fsanitize=@0@'.format(sanitizer))
- foreach fuzzer, fuzz_ins : fuzz_regression_tests
- name = '@0@:@1@'.format(fuzzer, sanitizer)
- if want_tests == 'false'
- message('Not compiling @0@ because tests is set to false'.format(name))
- continue
- endif
- if not want_fuzz_tests
- message('Not compiling @0@ because fuzz-tests is set to false'.format(name))
- continue
- endif
- exe = custom_target(
- name,
- output : name,
- depends : build,
- command : [ln, '-fs',
- build.full_path() / fuzzer,
- '@OUTPUT@'],
- build_by_default : true)
-
- foreach directive : fuzz_ins.get('directives', [])
- test('@0@_@1@_@2@'.format(fuzzer, fs.name(directive.full_path()), sanitizer),
- env,
- suite : 'fuzz+san',
- env : ['UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1'],
- timeout : 60,
- args : [exe.full_path(), directive.full_path()],
- depends : directive)
- endforeach
- foreach file : fuzz_ins.get('files', [])
- test('@0@_@1@_@2@'.format(fuzzer, fs.name(file), sanitizer),
- env,
- suite : 'fuzz+san',
- env : ['UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1'],
- timeout : 60,
- args : [exe.full_path(), file])
- endforeach
- endforeach
- endif
-endforeach
-
#####################################################################
if git.found()
description : 'enable extra tests with =unsafe')
option('slow-tests', type : 'boolean', value : false,
description : 'run the slow tests by default')
-option('fuzz-tests', type : 'boolean', value : false,
- description : 'run the fuzzer regression tests by default (with sanitizers)')
+option('fuzz-tests', type : 'boolean', value : true,
+ description : 'run the fuzzer regression tests')
option('install-tests', type : 'boolean', value : false,
description : 'install test executables')
option('log-message-verification', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
############################################################
-# TODO: Use native string formatting with meson >= 1.3.0
-if get_option('auto_features').enabled()
- sanitize_auto_features = 'enabled'
-elif get_option('auto_features').disabled()
- sanitize_auto_features = 'disabled'
-else
- sanitize_auto_features = 'auto'
-endif
-
-fuzz_c_args = get_option('c_args')
-fuzz_cpp_args = cxx_cmd != '' ? get_option('cpp_args') : []
-
-sanitize_address_undefined = custom_target(
- 'sanitize-address-undefined-fuzzers',
- output : 'sanitize-address-undefined-fuzzers',
- command : [meson_build_sh,
- meson.project_source_root(),
- '@OUTPUT@',
- 'fuzzers',
- ' '.join(fuzz_c_args + '-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION'),
- ' '.join(fuzz_cpp_args + '-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION'),
- '-Dfuzz-tests=true -Db_lundef=false -Db_sanitize=address,undefined --optimization=@0@ @1@ --auto-features=@2@'.format(
- get_option('optimization'),
- get_option('werror') ? '--werror' : '',
- sanitize_auto_features
- ),
- ' '.join(cc.cmd_array()),
- cxx_cmd])
-
-fuzz_sanitizers = [['address,undefined', sanitize_address_undefined]]
fuzz_testsdir = 'test/fuzz'
if git.found() and fs.is_dir(meson.project_source_root() / '.git')
projects / thirdparty / systemd.git / commitdiff
