diff --git a/.azure-pipelines/linux.yml b/.azure-pipelines/linux.yml
index 842e1c992e74..f3337072613e 100644
--- a/.azure-pipelines/linux.yml
+++ b/.azure-pipelines/linux.yml
@@ -10,6 +10,8 @@ jobs:
 CI_TARGET: 'bazel.gcc'
 compile_time_options:
 CI_TARGET: 'bazel.compile_time_options'
+ fuzz:
+ CI_TARGET: 'bazel.fuzz'
 dependsOn: [] # this removes the implicit dependency on previous stage and causes this to run in parallel.
 timeoutInMinutes: 360
 pool:
diff --git a/.bazelrc b/.bazelrc
index a74e3e350c02..01d32bdd3fd3 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -145,4 +145,6 @@ build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com
 build:asan-fuzzer --config=asan
 build:asan-fuzzer --define=FUZZING_ENGINE=libfuzzer
 build:asan-fuzzer --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-build:asan-fuzzer --copt=-fsanitize-coverage=trace-pc-guard
\ No newline at end of file
+build:asan-fuzzer --copt=-fsanitize-coverage=trace-pc-guard
+# Remove UBSAN halt_on_error to avoid crashing on protobuf errors.
+build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1
\ No newline at end of file
diff --git a/bazel/envoy_test.bzl b/bazel/envoy_test.bzl
index 91d65b8803e5..4e7e91e0070b 100644
--- a/bazel/envoy_test.bzl
+++ b/bazel/envoy_test.bzl
@@ -115,7 +115,7 @@ def envoy_cc_fuzz_test(name, corpus, deps = [], tags = [], **kwargs):
 tags = ["manual"] + tags,
 )
- native.cc_binary(
+ native.cc_test(
 name = name + "_with_libfuzzer",
 copts = envoy_copts("@envoy", test = True),
 linkopts = ["-fsanitize=fuzzer"] + _envoy_test_linkopts(),
@@ -123,7 +123,7 @@ def envoy_cc_fuzz_test(name, corpus, deps = [], tags = [], **kwargs):
 testonly = 1,
 data = [corpus_name],
 deps = [":" + test_lib_name],
- tags = ["manual"] + tags,
+ tags = ["manual", "fuzzer"] + tags,
 )
 # Envoy C++ test targets should be specified with this function.
diff --git a/ci/README.md b/ci/README.md
index 1f3c4301fb30..04864d581498 100644
--- a/ci/README.md
+++ b/ci/README.md
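Review bot: In the `.bazelrc` hunk, the added `--test_env=UBSAN_OPTIONS=print_stacktrace=1` drops `halt_on_error` for every UBSAN report in `asan-fuzzer` test runs, not only the protobuf ones the comment names, so undefined behaviour hit in Envoy's own code would presumably be printed while the fuzz test still passes. If only protobuf is noisy, a narrower exception keeps the signal, for example keeping `halt_on_error` and pointing `suppressions=<path-to-ubsan-suppressions>` at a file limited to protobuf sources. At minimum the comment should state the real effect: `# UBSAN findings are logged but no longer fail asan-fuzzer tests; protobuf reports made halt_on_error unusable.` The value being overridden presumably comes from `--config=asan`, which is defined outside the hunk.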
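Review bot: In `bazel/envoy_test.bzl`, the `_with_libfuzzer` target becomes a `native.cc_test`, but none of the visible attributes bounds the run or hands the corpus to libFuzzer: `data = [corpus_name]` only stages the files, and no `args` appears in either hunk (one line between the two hunks is not shown, so this is inferred). A plain `bazel test` of the target would then fuzz until the Bazel test timeout, and the CI run with `-runs=10` would likely start without the seed inputs. Consider a bounded default such as `args = ["-max_total_time=60"]` (value illustrative) plus passing the corpus location, and add a comment above the rule saying that the `"fuzzer"` tag added in the second hunk is what the `bazel.fuzz` CI query selects on. The enclosing `envoy_cc_fuzz_test` starts and ends outside both hunks.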
@@ -98,6 +98,8 @@ The `./ci/run_envoy_docker.sh './ci/do_ci.sh '` targets are:
 * `bazel.coverity` — build Envoy static binary and run Coverity Scan static analysis.
 * `bazel.tsan` — build and run tests under `-c dbg --config=clang-tsan` with clang.
 * `bazel.tsan ` — build and run a specified test or test dir under `-c dbg --config=clang-tsan` with clang.
+* `bazel.fuzz` — build and run fuzz tests under `-c dbg --config=asan-fuzzer` with clang.
+* `bazel.fuzz ` — build and run a specified fuzz test or test dir under `-c dbg --config=asan-fuzzer` with clang. If specifying a single fuzz test, must use the full target name with "_with_libfuzzer" for ``.
 * `bazel.compile_time_options` — build Envoy and run tests with various compile-time options toggled to their non-default state, to ensure they still build.
 * `bazel.compile_time_options ` — build Envoy and run a specified test or test dir with various compile-time options toggled to their non-default state, to ensure they still build.
 * `bazel.clang_tidy` — build and run clang-tidy over all source files.
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index db8bc0bdbd24..f94d96fc8cdd 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -253,6 +253,13 @@ elif [[ "$CI_TARGET" == "bazel.coverity" ]]; then
 "${ENVOY_BUILD_DIR}"/envoy-coverity-output.tgz \
 "${ENVOY_DELIVERY_DIR}"/envoy-coverity-output.tgz
 exit 0
+elif [[ "$CI_TARGET" == "bazel.fuzz" ]]; then
+ setup_clang_toolchain
+ FUZZ_TEST_TARGETS="$(bazel query "attr('tags','fuzzer',${TEST_TARGETS})")"
+ echo "bazel ASAN libFuzzer build with fuzz tests ${FUZZ_TEST_TARGETS}"
+ echo "Building envoy fuzzers and executing 100 fuzz iterations..."
+ bazel_with_collection test ${BAZEL_BUILD_OPTIONS} --config=asan-fuzzer ${FUZZ_TEST_TARGETS} --test_arg="-runs=10"
+ exit 0
 elif [[ "$CI_TARGET" == "fix_format" ]]; then
 echo "fix_format..."
 ./tools/check_format.py fix
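Review bot: In the `bazel.fuzz` branch of `ci/do_ci.sh`, the log line announces 100 fuzz iterations while the command passes `--test_arg="-runs=10"`, so the CI log overstates the fuzzing actually done; align them, e.g. `echo "Building envoy fuzzers and executing 10 fuzz iterations..."`, or raise `-runs` if 100 was intended. The result of `bazel query` is also used unchecked: if no target under `${TEST_TARGETS}` carries the `fuzzer` tag, `FUZZ_TEST_TARGETS` is empty and the job may run no fuzzers at all, so a guard such as `[[ -n "${FUZZ_TEST_TARGETS}" ]] || { echo "no fuzz targets found"; exit 1; }` before the test invocation would make that visible. `${TEST_TARGETS}` is interpolated into the query expression as-is, which likely breaks when it holds more than one pattern; how it is set is outside the hunk.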