From 820d8276f7dfcf4fad132d8ab7e37f0162539db1 Mon Sep 17 00:00:00 2001 From: Boquan Fang Date: Tue, 19 Nov 2024 20:05:05 +0000 Subject: [PATCH 1/3] ci: remove Valgrind checks from omnibus and generalBatch A separate Valgrind test has been fully integrated into the github CI and the release CI. Therefore, Valgrind in generalBatch and Omnibus should be removed. --- Makefile | 10 ---- codebuild/bin/s2n_codebuild.sh | 18 ------ codebuild/spec/buildspec_generalbatch.yml | 66 --------------------- codebuild/spec/buildspec_omnibus.yml | 72 ----------------------- tests/Makefile | 9 --- tests/unit/Makefile | 47 --------------- 6 files changed, 222 deletions(-) diff --git a/Makefile b/Makefile index 42e55aeac90..545e6519031 100644 --- a/Makefile +++ b/Makefile @@ -62,16 +62,6 @@ bin: libs integrationv2: bin $(MAKE) -C tests integrationv2 -.PHONY : valgrind -valgrind: bin - $(MAKE) -C tests valgrind - -# https://github.com/aws/s2n-tls/issues/3758 -# Run valgrind in pedantic mode (--errors-for-leak-kinds=all) -.PHONY : pedantic_valgrind -pedantic_valgrind: bin - $(MAKE) -C tests pedantic_valgrind - .PHONY : coverage coverage: run-lcov run-genhtml diff --git a/codebuild/bin/s2n_codebuild.sh b/codebuild/bin/s2n_codebuild.sh index 12a3a47e2c1..b42f1428f1a 100755 --- a/codebuild/bin/s2n_codebuild.sh +++ b/codebuild/bin/s2n_codebuild.sh 
@@ -43,24 +43,6 @@ make clean; echo "Using $JOBS jobs for make.."; echo "running with libcrypto: ${S2N_LIBCRYPTO}, gcc_version: ${GCC_VERSION}" -if [[ "$OS_NAME" == "linux" && "$TESTS" == "valgrind" ]]; then - # For linux make a build with debug symbols and run valgrind - # We have to output something every 9 minutes, as some test may run longer than 10 minutes - # and will not produce any output - while sleep 9m; do echo "=====[ $SECONDS seconds still running ]====="; done & - - if [[ "$S2N_LIBCRYPTO" == "openssl-1.1.1" ]]; then - # https://github.com/aws/s2n-tls/issues/3758 - # Run valgrind in pedantic mode (--errors-for-leak-kinds=all) - echo "running task pedantic_valgrind" - S2N_DEBUG=true make -j $JOBS pedantic_valgrind - else - S2N_DEBUG=true make -j $JOBS valgrind - fi - - kill %1 -fi - test_linked_libcrypto() { s2n_executable="$1" so_path="${LIBCRYPTO_ROOT}/lib/libcrypto.so" diff --git a/codebuild/spec/buildspec_generalbatch.yml b/codebuild/spec/buildspec_generalbatch.yml index 129d242eabb..2ded277a61b 100644 --- a/codebuild/spec/buildspec_generalbatch.yml +++ b/codebuild/spec/buildspec_generalbatch.yml 
@@ -53,72 +53,6 @@ batch: BUILD_S2N: 'true' TESTS: exec_leak identifier: s2nExecLeak - - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - privileged-mode: true - variables: - BUILD_S2N: true - GCC_VERSION: 6 - S2N_LIBCRYPTO: openssl-1.0.2-fips - TESTS: valgrind - identifier: s2nValgrindOpenSSL102Gcc6Fips - - identifier: s2nValgrindOpenSSL3 - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: 9 - S2N_LIBCRYPTO: openssl-3.0 - BUILD_S2N: true - - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - privileged-mode: true - variables: - BUILD_S2N: true - GCC_VERSION: 9 - S2N_LIBCRYPTO: openssl-1.1.1 - TESTS: valgrind - identifier: s2nValgrindOpenSSL111Gcc9 - - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - privileged-mode: true - variables: - BUILD_S2N: 'true' - GCC_VERSION: '6' - S2N_LIBCRYPTO: 'openssl-1.0.2' - TESTS: valgrind - identifier: s2nValgrindOpenssl102 - - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - privileged-mode: true - variables: - BUILD_S2N: 'true' - GCC_VERSION: '6' - S2N_LIBCRYPTO: 'awslc' - TESTS: valgrind - identifier: s2nValgrindAwslc - - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - privileged-mode: true - variables: - BUILD_S2N: 'true' - GCC_VERSION: 
'6' - S2N_LIBCRYPTO: 'awslc-fips' - TESTS: valgrind - identifier: s2nValgrindAwslcFips - identifier: s2nAsanOpenSSL111Coverage buildspec: codebuild/spec/buildspec_ubuntu.yml env: diff --git a/codebuild/spec/buildspec_omnibus.yml b/codebuild/spec/buildspec_omnibus.yml index 2277e63f0c3..6e5c2215f6f 100644 --- a/codebuild/spec/buildspec_omnibus.yml +++ b/codebuild/spec/buildspec_omnibus.yml 
@@ -48,78 +48,6 @@ batch: variables: TESTS: sidetrail - - identifier: s2nValgrindOpenSSL3 - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: 9 - S2N_LIBCRYPTO: openssl-3.0 - BUILD_S2N: true - - - identifier: s2nValgrindOpenSSL102Gcc6Fips - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: 6 - S2N_LIBCRYPTO: openssl-1.0.2-fips - BUILD_S2N: true - - - identifier: s2nValgrindOpenSSL111Gcc9 - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: 9 - S2N_LIBCRYPTO: openssl-1.1.1 - BUILD_S2N: true - - - identifier: s2nValgrindOpenssl102 - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: '6' - S2N_LIBCRYPTO: 'openssl-1.0.2' - BUILD_S2N: 'true' - - - identifier: s2nValgrindAwslc - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - GCC_VERSION: '6' - S2N_LIBCRYPTO: 'awslc' - BUILD_S2N: 'true' - - - identifier: s2nValgrindAwslcFips - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: valgrind - 
GCC_VERSION: '6' - S2N_LIBCRYPTO: 'awslc-fips' - BUILD_S2N: 'true' - - identifier: s2nAsanOpenSSL111Coverage buildspec: codebuild/spec/buildspec_ubuntu.yml env: diff --git a/tests/Makefile b/tests/Makefile index d7affd989a2..67b82a64bb0 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -25,15 +25,6 @@ all: libs viz ${MAKE} -C unit @echo "\033[1m ${COMPILE_INFO} \033[0;39m" -.PHONY : valgrind -valgrind: libs - ${MAKE} -C unit valgrind - -# https://github.com/aws/s2n-tls/issues/3758 -# Run valgrind in pedantic mode (--errors-for-leak-kinds=all) -pedantic_valgrind: libs - ${MAKE} -C unit pedantic_valgrind - .PHONY : libs libs: ${MAKE} -C testlib diff --git a/tests/unit/Makefile b/tests/unit/Makefile index b4d4feaa8f5..debdd70c29c 100644 --- a/tests/unit/Makefile +++ b/tests/unit/Makefile @@ -16,8 +16,6 @@ SRCS=$(wildcard *.c) OBJS=$(SRCS:.c=.o) TESTS=$(SRCS:.c=) -VALGRIND_TESTS=$(SRCS:.c=.valgrind) -PEDANTIC_VALGRIND_TESTS:=$(SRCS:.c=.pedantic_valgrind) CRYPTO_LDFLAGS = -L$(LIBCRYPTO_ROOT)/lib # Users can specify a subset of tests to be run, otherwise run all tests. 
@@ -55,51 +53,6 @@ $(UNIT_TESTS):: ./$@ endif -$(VALGRIND_TESTS):: - @${CC} ${CFLAGS} -o $(@:.valgrind=) $(@:.valgrind=.c) ${LDFLAGS} 2>&1 - @DYLD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$DYLD_LIBRARY_PATH" \ - LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$LD_LIBRARY_PATH" \ - S2N_VALGRIND=1 \ - valgrind \ - --leak-check=full \ - --leak-resolution=high \ - --trace-children=yes \ - --run-libc-freeres=no \ - -q --error-exitcode=123 \ - --error-limit=no \ - --num-callers=40 \ - --undef-value-errors=no \ - --log-fd=2 \ - --suppressions=valgrind.suppressions \ - ./$(@:.valgrind=) - -$(PEDANTIC_VALGRIND_TESTS):: - @${CC} ${CFLAGS} -o $(@:.pedantic_valgrind=) $(@:.pedantic_valgrind=.c) ${LDFLAGS} 2>&1 - @DYLD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$DYLD_LIBRARY_PATH" \ - LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$LD_LIBRARY_PATH" \ - S2N_VALGRIND=1 \ - valgrind \ - --leak-check=full \ - --leak-resolution=high \ - --trace-children=yes \ - --run-libc-freeres=yes \ - -q --error-exitcode=123 \ - --error-limit=no \ - --num-callers=40 \ - --undef-value-errors=no \ - --show-leak-kinds=all \ - --errors-for-leak-kinds=all \ - --suppressions=valgrind.suppressions \ - ./$(@:.pedantic_valgrind=) - -.PHONY : valgrind -valgrind: $(VALGRIND_TESTS) - -# https://github.com/aws/s2n-tls/issues/3758 -# Run valgrind in pedantic mode (--errors-for-leak-kinds=all) -.PHONY : pedantic_valgrind -pedantic_valgrind: $(PEDANTIC_VALGRIND_TESTS) - .PHONY : clean clean: decruft @$(foreach test, $(TESTS), rm -f -- "${test}";) From c671011a78784856350e43b06df4df7b7296a13b Mon Sep 17 00:00:00 2001 From: Boquan Fang Date: Tue, 19 Nov 2024 21:44:21 +0000 Subject: [PATCH 2/3] Synced Omnibus buildspec with the inline buildspec on Codebuild. Then delete Valgrind sections. --- codebuild/spec/buildspec_omnibus.yml | 108 +++++++++++++-------------- 1 file changed, 53 insertions(+), 55 deletions(-) diff --git a/codebuild/spec/buildspec_omnibus.yml b/codebuild/spec/buildspec_omnibus.yml index 6e5c2215f6f..d747518a9c2 100644 
--- a/codebuild/spec/buildspec_omnibus.yml +++ b/codebuild/spec/buildspec_omnibus.yml @@ -61,18 +61,6 @@ batch: BUILD_S2N: 'true' S2N_COVERAGE: 'true' - - identifier: s2nAsanOpenssl3 - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: asan - GCC_VERSION: '6' - S2N_LIBCRYPTO: 'openssl-3.0' - BUILD_S2N: 'true' - - identifier: s2nAsanOpenssl102 buildspec: codebuild/spec/buildspec_ubuntu.yml env: @@ -85,7 +73,7 @@ batch: S2N_LIBCRYPTO: 'openssl-1.0.2' BUILD_S2N: 'true' - - identifier: s2nUnitOpenssl111Gcc9 + - identifier: s2nUnitNoPQ buildspec: codebuild/spec/buildspec_ubuntu.yml env: privileged-mode: true @@ -95,26 +83,42 @@ batch: TESTS: unit GCC_VERSION: '9' S2N_LIBCRYPTO: 'openssl-1.1.1' + S2N_NO_PQ: 1 BUILD_S2N: 'true' + - identifier: s2nUnitOpenSSL3GCC9 + buildspec: codebuild/spec/buildspec_ubuntu.yml + env: + compute-type: BUILD_GENERAL1_LARGE + image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild + privileged-mode: true + variables: + BUILD_S2N: true + GCC_VERSION: 9 + S2N_COVERAGE: true + S2N_LIBCRYPTO: openssl-3.0 + TESTS: unit + - identifier: s2nUnitAl2Arm - buildspec: codebuild/spec/buildspec_amazonlinux2.yml + buildspec: codebuild/spec/buildspec_amazonlinux.yml env: type: ARM_CONTAINER compute-type: BUILD_GENERAL1_LARGE image: aws/codebuild/amazonlinux2-aarch64-standard:2.0 privileged-mode: true variables: + S2N_NO_PQ: 1 TESTS: unit - identifier: s2nUnitAl2 - buildspec: codebuild/spec/buildspec_amazonlinux2.yml + buildspec: codebuild/spec/buildspec_amazonlinux.yml env: image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 privileged-mode: true compute-type: BUILD_GENERAL1_SMALL variables: TESTS: unit + S2N_NO_PQ: 1 - identifier: s2nLibcryptoInterningOpenSSL buildspec: codebuild/spec/buildspec_ubuntu.yml 
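Review bot: The identifier `s2nUnitNoPQ` introduced in the `@@ -85,7 +73,7 @@` hunk stops describing the job once PATCH 3/3 removes `S2N_NO_PQ: 1` from its variables. What remains is a plain GCC 9 / openssl-1.1.1 unit run under a name that implies a PQ-disabled configuration is being exercised. Keeping the previous name, `- identifier: s2nUnitOpenssl111Gcc9`, avoids a misleading signal for anyone auditing which configurations CI covers.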
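Review bot: The `s2nUnitOpenSSL3GCC9` job added in the `@@ -95,26 +83,42 @@` hunk runs only `TESTS: unit` against openssl-3.0, while this same patch deletes `s2nAsanOpenssl3` in its first hunk and `s2nExecLeak`, `s2nUnitCoverage` and `32BitBuildAndUnit` in later hunks. Those deletions go beyond the Valgrind removal that the series title describes, and together with it they reduce the memory-error checking done by the omnibus batch. Nothing visible in these hunks shows where ASan on OpenSSL 3.0, the exec_leak test or the 32-bit build run now. If another pipeline covers them, the commit message should name it; otherwise the entries should be kept, for example the `TESTS: asan` / `S2N_LIBCRYPTO: 'openssl-3.0'` job.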
@@ -137,16 +141,6 @@ batch: BUILD_S2N: 'true' S2N_LIBCRYPTO: awslc - - identifier: s2nExecLeak - buildspec: codebuild/spec/buildspec_ubuntu.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild - variables: - TESTS: exec_leak - BUILD_S2N: 'true' - - identifier: s2nUnitCRT buildspec: codebuild/spec/buildspec_ubuntu.yml env: @@ -167,7 +161,18 @@ batch: TESTS: sharedandstatic # must use the libcrypto that's actually installed on the system S2N_LIBCRYPTO: openssl-1.1.1 - + + - identifier: s2nDynamicLoad + buildspec: codebuild/spec/buildspec_ubuntu.yml + env: + compute-type: BUILD_GENERAL1_SMALL + image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild + privileged-mode: true + variables: + TESTS: dynamicload + GCC_VERSION: '9' + S2N_LIBCRYPTO: openssl-1.1.1 + - buildspec: codebuild/spec/buildspec_ubuntu.yml env: compute-type: BUILD_GENERAL1_LARGE @@ -180,22 +185,6 @@ batch: TESTS: unit identifier: s2nUnitOpenSSL111Gcc6 - - identifier: s2nUnitCoverage - buildspec: codebuild/spec/buildspec_unit_coverage.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild - variables: - S2N_LIBCRYPTO: openssl-1.1.1 - - - identifier: 32BitBuildAndUnit - buildspec: codebuild/spec/buildspec_32bit_cross_compile.yml - env: - privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild - - buildspec: codebuild/spec/buildspec_ubuntu.yml env: compute-type: BUILD_GENERAL1_SMALL 
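Review bot: The new `s2nDynamicLoad` job in the `@@ -167,7 +161,18 @@` hunk sets `privileged-mode: true`, as do the other jobs this patch adds (`s2nUnitOpenSSL3GCC9`, `s2nFuzzerAWSLC`, `s2nFuzzerOpenSSL111`). CodeBuild needs privileged mode to run a Docker daemon inside the build container, and it gives a build step elevated privileges. If these jobs only compile and run tests, the flag could presumably be dropped. Every existing entry in the file sets it, so this may be copied convention rather than a requirement; confirm which, and where it is needed add a comment such as `# privileged-mode required: <reason>`.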
@@ -205,44 +194,53 @@ batch: BUILD_S2N: 'true' GCC_VERSION: '6' S2N_LIBCRYPTO: 'libressl' + S2N_NO_PQ: 1 TESTS: unit identifier: s2nUnitLibressl - buildspec: codebuild/spec/buildspec_ubuntu.yml env: compute-type: BUILD_GENERAL1_SMALL - image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild + image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild privileged-mode: true variables: BUILD_S2N: 'true' GCC_VERSION: '9' S2N_LIBCRYPTO: 'boringssl' + S2N_NO_PQ: 1 TESTS: unit identifier: s2nUnitBoringssl - # Fuzz tests - - identifier: s2nFuzzerOpenSSL111Coverage - buildspec: codebuild/spec/buildspec_ubuntu_fuzz_artifacts.yml + - identifier: s2nFuzzerAWSLC + buildspec: codebuild/spec/buildspec_fuzz.yml env: privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE - image: aws/codebuild/standard:5.0 + compute-type: BUILD_GENERAL1_XLARGE + image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild + variables: + S2N_LIBCRYPTO: awslc + COMPILER: clang + FUZZ_TIMEOUT_SEC: 60 + + - identifier: s2nFuzzerOpenSSL111 + buildspec: codebuild/spec/buildspec_fuzz.yml + env: + privileged-mode: true + compute-type: BUILD_GENERAL1_XLARGE + image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild variables: S2N_LIBCRYPTO: openssl-1.1.1 - LATEST_CLANG: true - TESTS: fuzz + COMPILER: clang FUZZ_TIMEOUT_SEC: 60 - FUZZ_COVERAGE: true - identifier: s2nFuzzerOpenSSL102FIPS - buildspec: codebuild/spec/buildspec_ubuntu_fuzz_artifacts.yml + buildspec: codebuild/spec/buildspec_fuzz.yml env: privileged-mode: true - compute-type: BUILD_GENERAL1_LARGE + compute-type: BUILD_GENERAL1_XLARGE image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild variables: S2N_LIBCRYPTO: openssl-1.0.2-fips - LATEST_CLANG: true - TESTS: fuzz + COMPILER: clang FUZZ_TIMEOUT_SEC: 60 From fdbb72775dc5d13099f90d31cfcca109345f191e Mon Sep 17 00:00:00 2001 
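Review bot: In the `@@ -205,44 +194,53 @@` hunk the `s2nUnitBoringssl` job's image moves from `docker:ubuntu22codebuild` back to `docker:ubuntu18codebuild`, which looks like a side effect of syncing from the inline buildspec rather than an intended change. Unless the older base image is required for BoringSSL, keep `image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu22codebuild` so the job does not run on the older toolchain. The same hunk replaces `s2nFuzzerOpenSSL111Coverage` with `s2nFuzzerOpenSSL111` and drops `FUZZ_COVERAGE: true`; if fuzz coverage reporting is still wanted, confirm that `buildspec_fuzz.yml` produces it. The removed `# Fuzz tests` comment is also worth keeping as a section marker.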
From: Boquan Fang Date: Mon, 2 Dec 2024 19:37:48 +0000 Subject: [PATCH 3/3] address PR comments: * remove S2N_NO_PQ variable from Omnibus --- codebuild/spec/buildspec_omnibus.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/codebuild/spec/buildspec_omnibus.yml b/codebuild/spec/buildspec_omnibus.yml index d747518a9c2..863b78c9fab 100644 --- a/codebuild/spec/buildspec_omnibus.yml +++ b/codebuild/spec/buildspec_omnibus.yml @@ -83,7 +83,6 @@ batch: TESTS: unit GCC_VERSION: '9' S2N_LIBCRYPTO: 'openssl-1.1.1' - S2N_NO_PQ: 1 BUILD_S2N: 'true' - identifier: s2nUnitOpenSSL3GCC9 @@ -107,7 +106,6 @@ batch: image: aws/codebuild/amazonlinux2-aarch64-standard:2.0 privileged-mode: true variables: - S2N_NO_PQ: 1 TESTS: unit - identifier: s2nUnitAl2 @@ -118,7 +116,6 @@ batch: compute-type: BUILD_GENERAL1_SMALL variables: TESTS: unit - S2N_NO_PQ: 1 - identifier: s2nLibcryptoInterningOpenSSL buildspec: codebuild/spec/buildspec_ubuntu.yml @@ -194,7 +191,6 @@ batch: BUILD_S2N: 'true' GCC_VERSION: '6' S2N_LIBCRYPTO: 'libressl' - S2N_NO_PQ: 1 TESTS: unit identifier: s2nUnitLibressl @@ -207,7 +203,6 @@ batch: BUILD_S2N: 'true' GCC_VERSION: '9' S2N_LIBCRYPTO: 'boringssl' - S2N_NO_PQ: 1 TESTS: unit identifier: s2nUnitBoringssl