.gitlab-ci.yml: replace valgrind checks with ASan

Running the full test suite under valgrind wastes a lot of time and
may cause intermittent failures due to timeout.  We have them mainly
for VALGRIND_MAKE_MEM_UNDEFINED client request, though the ASan tests
now cover the equivalent after
f23c3a6cba43706a6ebb3f9b0018cd658dcc0a72.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ddf766aa8cc82c35c8eeb6854a0ad2e9533ad84a..c1676996ed1da0c144f85ad0210225acd087e98c 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -268,6 +268,42 @@ UB+ASAN-Werror-aggressive.Fedora.x86_64.gcc:
   except:
     - tags
 
+# ASan with -DAGGRESSIVE_REALLOC is set
+# Two runs, one with normal backend and another with pkcs11 trust store
+UB+ASAN-Werror.Fedora.x86_64.gcc-aggressive:
+  extends:
+    - .test
+    - .fedora
+  needs:
+    - fedora/bootstrap
+  script:
+    - export UBSAN_OPTIONS=print_stacktrace=1
+    - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
+    - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope -DAGGRESSIVE_REALLOC"
+    - export CXXFLAGS="$CFLAGS"
+    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration
+    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+    - make -j$BUILDJOBS
+    # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
+    - make -j$BUILDJOBS check -C fuzz
+    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
+    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
+    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
+    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
+    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
+    - make -j$CHECKJOBS check -C tests
+    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
+    - make clean
+    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+    - make -j$BUILDJOBS
+    # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
+    - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
+  tags:
+    - shared
+    - linux
+  except:
+    - tags
+
 ##############################################################################
 ########################### Fedora pipelines #################################
 ##############################################################################
@@ -432,62 +468,6 @@ fedora-nettle-minigmp/test:
     - PKG_CONFIG_PATH=${PWD}/nettle-git/$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=${PWD}/nettle-git/$NETTLE_DIR/lib64 GNUTLS_TEST_TIMEOUT=600000 make -j$CHECKJOBS check
   timeout: 3h
 
-fedora-valgrind/build:
-  extends:
-    - .build
-    - .fedora
-  needs:
-    - fedora/bootstrap
-  script:
-    # gcc in fedora31 inlines strcmp in a way that causes valgrind errors
-    - CFLAGS="-O2 -g -fno-builtin-strcmp" ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-guile --disable-full-test-suite --enable-valgrind-tests --with-pkcs12-iter-count=10000
-    - make -j$BUILDJOBS
-    - make -j$BUILDJOBS check TESTS=""
-  only:
-    - branches@gnutls/gnutls
-
-fedora-valgrind/test:
-  extends:
-    - .test
-    - .fedora
-  script:
-    - GNUTLS_TEST_TIMEOUT=600000 make -j$(nproc) check
-  dependencies:
-    - fedora-valgrind/build
-  needs:
-    - fedora-valgrind/build
-  timeout: 5h
-  only:
-    - branches@gnutls/gnutls
-
-fedora-valgrind-aggressive/build:
-  extends:
-    - .build
-    - .fedora
-  needs:
-    - fedora/bootstrap
-  script:
-    # gcc in fedora31 inlines strcmp in a way that causes valgrind errors
-    - CFLAGS="-O2 -g -fno-builtin-strcmp -DAGGRESSIVE_REALLOC" ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-guile --disable-full-test-suite --enable-valgrind-tests --with-pkcs12-iter-count=10000
-    - make -j$BUILDJOBS
-    - make -j$BUILDJOBS check TESTS=""
-  only:
-    - branches@gnutls/gnutls
-
-fedora-valgrind-aggressive/test:
-  extends:
-    - .test
-    - .fedora
-  script:
-    - GNUTLS_TEST_TIMEOUT=600000 make -j$(nproc) check
-  dependencies:
-    - fedora-valgrind-aggressive/build
-  needs:
-    - fedora-valgrind-aggressive/build
-  timeout: 5h
-  only:
-    - branches@gnutls/gnutls
-
 fedora-threadsan/build:
   extends:
     - .build