Skip to content

gh-107652: Set up CIFuzz to run fuzz targets continuously #107653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Oct 9, 2023
Merged

gh-107652: Set up CIFuzz to run fuzz targets continuously #107653

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f2c1668
Set up CIFuzz to run fuzz targets continuously
illia-v Aug 5, 2023
58d0e57
Change names of job steps
illia-v Aug 5, 2023
ccae802
Change the condition for running CIFuzz
illia-v Aug 6, 2023
6aedeb8
Mention CIFuzz in README for fuzz tests
illia-v Aug 6, 2023
65f2ba3
Merge branch 'main' into cifuzz
illia-v Aug 25, 2023
6754686
Merge branch 'main' into cifuzz
illia-v Oct 4, 2023
582a598
Merge branch 'main' into cifuzz
illia-v Oct 9, 2023
c5cec4a
Add `cifuzz` to `allowed-failures` and `allowed-skips`
illia-v Oct 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ jobs:
run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
run_tests: ${{ steps.check.outputs.run_tests }}
run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
run_cifuzz: ${{ steps.check.outputs.run_cifuzz }}
config_hash: ${{ steps.config_hash.outputs.hash }}
steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -76,6 +77,17 @@ jobs:
echo "Run hypothesis tests"
echo "run_hypothesis=true" >> $GITHUB_OUTPUT
fi

# oss-fuzz maintains a configuration for fuzzing the main branch of
# CPython, so CIFuzz should be run only for code that is likely to be
# merged into the main branch; compatibility with older branches may
# be broken.
if [ "$GITHUB_BASE_REF" = "main" ]; then
# The tests are pretty slow so they are executed only for PRs
# changing relevant files.
FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
fi
- name: Compute hash for config cache key
id: config_hash
run: |
Expand Down Expand Up @@ -534,6 +546,46 @@ jobs:
- name: Tests
run: xvfb-run make test

# CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
cifuzz:
name: CIFuzz
runs-on: ubuntu-latest
timeout-minutes: 60
needs: check_source
if: needs.check_source.outputs.run_cifuzz == 'true'
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
steps:
- name: Build fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: cpython3
sanitizer: ${{ matrix.sanitizer }}
- name: Run fuzzers (${{ matrix.sanitizer }})
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
fuzz-seconds: 600
oss-fuzz-project-name: cpython3
output-sarif: true
sanitizer: ${{ matrix.sanitizer }}
- name: Upload crash
uses: actions/upload-artifact@v3
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-artifacts
path: ./out/artifacts
- name: Upload SARIF
if: always() && steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cifuzz-sarif/results.sarif
checkout_path: cifuzz-sarif

all-required-green: # This job does nothing and is only used for the branch protection
name: All required checks pass
if: always()
Expand All @@ -550,6 +602,7 @@ jobs:
- build_ubuntu_ssltests
- test_hypothesis
- build_asan
- cifuzz

runs-on: ubuntu-latest

Expand All @@ -562,6 +615,7 @@ jobs:
build_ubuntu_ssltests,
build_win32,
build_win_arm64,
cifuzz,
test_hypothesis,
allowed-skips: >-
${{
Expand All @@ -585,6 +639,13 @@ jobs:
'
|| ''
}}
${{
!fromJSON(needs.check_source.outputs.run_cifuzz)
&& '
cifuzz,
'
|| ''
}}
${{
!fromJSON(needs.check_source.outputs.run_hypothesis)
&& '
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Set up CIFuzz to run fuzz targets in GitHub Actions. Patch by Illia
Volochii.
3 changes: 3 additions & 0 deletions Modules/_xxtestfuzz/README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ oss-fuzz will regularly pull from CPython, discover all the tests in
automatically be run in oss-fuzz, while also being smoke-tested as part of
CPython's test suite.

In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
main branch changing relevant files.

Adding a new fuzz test
----------------------

Expand Down