gh-107652: Set up CIFuzz to run fuzz targets continuously (#107653)
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
This commit is contained in:
parent
326c6c4e07
commit
ea7b53ff67
3 changed files with 66 additions and 0 deletions
61
.github/workflows/build.yml
|
@ -40,6 +40,7 @@ jobs:
|
||||||
run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
|
run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
|
||||||
run_tests: ${{ steps.check.outputs.run_tests }}
|
run_tests: ${{ steps.check.outputs.run_tests }}
|
||||||
run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
|
run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
|
||||||
|
run_cifuzz: ${{ steps.check.outputs.run_cifuzz }}
|
||||||
config_hash: ${{ steps.config_hash.outputs.hash }}
|
config_hash: ${{ steps.config_hash.outputs.hash }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
@ -76,6 +77,17 @@ jobs:
|
||||||
echo "Run hypothesis tests"
|
echo "Run hypothesis tests"
|
||||||
echo "run_hypothesis=true" >> $GITHUB_OUTPUT
|
echo "run_hypothesis=true" >> $GITHUB_OUTPUT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# oss-fuzz maintains a configuration for fuzzing the main branch of
|
||||||
|
# CPython, so CIFuzz should be run only for code that is likely to be
|
||||||
|
# merged into the main branch; compatibility with older branches may
|
||||||
|
# be broken.
|
||||||
|
if [ "$GITHUB_BASE_REF" = "main" ]; then
|
||||||
|
# The tests are pretty slow so they are executed only for PRs
|
||||||
|
# changing relevant files.
|
||||||
|
FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
|
||||||
|
git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
|
||||||
|
fi
|
||||||
- name: Compute hash for config cache key
|
- name: Compute hash for config cache key
|
||||||
id: config_hash
|
id: config_hash
|
||||||
run: |
|
run: |
|
||||||
|
@ -534,6 +546,46 @@ jobs:
|
||||||
- name: Tests
|
- name: Tests
|
||||||
run: xvfb-run make test
|
run: xvfb-run make test
|
||||||
|
|
||||||
|
# CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
|
||||||
|
cifuzz:
|
||||||
|
name: CIFuzz
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 60
|
||||||
|
needs: check_source
|
||||||
|
if: needs.check_source.outputs.run_cifuzz == 'true'
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
sanitizer: [address, undefined, memory]
|
||||||
|
steps:
|
||||||
|
- name: Build fuzzers (${{ matrix.sanitizer }})
|
||||||
|
id: build
|
||||||
|
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
|
||||||
|
with:
|
||||||
|
oss-fuzz-project-name: cpython3
|
||||||
|
sanitizer: ${{ matrix.sanitizer }}
|
||||||
|
- name: Run fuzzers (${{ matrix.sanitizer }})
|
||||||
|
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
|
||||||
|
with:
|
||||||
|
fuzz-seconds: 600
|
||||||
|
oss-fuzz-project-name: cpython3
|
||||||
|
output-sarif: true
|
||||||
|
sanitizer: ${{ matrix.sanitizer }}
|
||||||
|
- name: Upload crash
|
||||||
|
uses: actions/upload-artifact@v3
|
||||||
|
if: failure() && steps.build.outcome == 'success'
|
||||||
|
with:
|
||||||
|
name: ${{ matrix.sanitizer }}-artifacts
|
||||||
|
path: ./out/artifacts
|
||||||
|
- name: Upload SARIF
|
||||||
|
if: always() && steps.build.outcome == 'success'
|
||||||
|
uses: github/codeql-action/upload-sarif@v2
|
||||||
|
with:
|
||||||
|
sarif_file: cifuzz-sarif/results.sarif
|
||||||
|
checkout_path: cifuzz-sarif
|
||||||
|
|
||||||
all-required-green: # This job does nothing and is only used for the branch protection
|
all-required-green: # This job does nothing and is only used for the branch protection
|
||||||
name: All required checks pass
|
name: All required checks pass
|
||||||
if: always()
|
if: always()
|
||||||
|
@ -550,6 +602,7 @@ jobs:
|
||||||
- build_ubuntu_ssltests
|
- build_ubuntu_ssltests
|
||||||
- test_hypothesis
|
- test_hypothesis
|
||||||
- build_asan
|
- build_asan
|
||||||
|
- cifuzz
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
@ -562,6 +615,7 @@ jobs:
|
||||||
build_ubuntu_ssltests,
|
build_ubuntu_ssltests,
|
||||||
build_win32,
|
build_win32,
|
||||||
build_win_arm64,
|
build_win_arm64,
|
||||||
|
cifuzz,
|
||||||
test_hypothesis,
|
test_hypothesis,
|
||||||
allowed-skips: >-
|
allowed-skips: >-
|
||||||
${{
|
${{
|
||||||
|
@ -585,6 +639,13 @@ jobs:
|
||||||
'
|
'
|
||||||
|| ''
|
|| ''
|
||||||
}}
|
}}
|
||||||
|
${{
|
||||||
|
!fromJSON(needs.check_source.outputs.run_cifuzz)
|
||||||
|
&& '
|
||||||
|
cifuzz,
|
||||||
|
'
|
||||||
|
|| ''
|
||||||
|
}}
|
||||||
${{
|
${{
|
||||||
!fromJSON(needs.check_source.outputs.run_hypothesis)
|
!fromJSON(needs.check_source.outputs.run_hypothesis)
|
||||||
&& '
|
&& '
|
||||||
|
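Review bot: The cifuzz job's two `uses:` lines reference `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` and `run_fuzzers@master`, a third-party action on a mutable branch, while the job holds `security-events: write`; any change pushed to that branch runs here with the ability to upload code-scanning results for this repository, so pin both to a full commit SHA (`uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<40-char sha>  # vX`) and let Dependabot bump it. The gate added to check_source has the condition inverted: `grep -qvE $FUZZ_RELEVANT_FILES` succeeds when some changed file does NOT match the pattern, so run_cifuzz is set for a PR touching only docs and stays unset for a PR that changes only `.c` files; the line should read `git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qE "$FUZZ_RELEVANT_FILES" && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true`. The explicit `permissions:` block also removes the default `contents: read`; it presumably works because the repository is public, but confirm the action does not need that grant before relying on it elsewhere.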
|
|
@ -0,0 +1,2 @@
|
||||||
|
Set up CIFuzz to run fuzz targets in GitHub Actions. Patch by Illia
|
||||||
|
Volochii.
|
|
@ -13,6 +13,9 @@ oss-fuzz will regularly pull from CPython, discover all the tests in
|
||||||
automatically be run in oss-fuzz, while also being smoke-tested as part of
|
automatically be run in oss-fuzz, while also being smoke-tested as part of
|
||||||
CPython's test suite.
|
CPython's test suite.
|
||||||
|
|
||||||
|
In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
|
||||||
|
main branch changing relevant files.
|
||||||
|
|
||||||
Adding a new fuzz test
|
Adding a new fuzz test
|
||||||
----------------------
|
----------------------
|
||||||
|
|
||||||
|
|