Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

gh-107652: Set up CIFuzz to run fuzz targets continuously (#107653) 

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
This commit is contained in:
Illia Volochii 2023-10-09 18:30:10 +03:00 committed by GitHub
parent 326c6c4e07
commit ea7b53ff67
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 66 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
.github/workflows/build.yml vendored
View File

@ -40,6 +40,7 @@ jobs:
run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
run_tests: ${{ steps.check.outputs.run_tests }}
run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
run_cifuzz: ${{ steps.check.outputs.run_cifuzz }}
config_hash: ${{ steps.config_hash.outputs.hash }}
steps:
- uses: actions/checkout@v4
@ -76,6 +77,17 @@ jobs:
echo "Run hypothesis tests"
echo "run_hypothesis=true" >> $GITHUB_OUTPUT
fi
# oss-fuzz maintains a configuration for fuzzing the main branch of
# CPython, so CIFuzz should be run only for code that is likely to be
# merged into the main branch; compatibility with older branches may
# be broken.
if [ "$GITHUB_BASE_REF" = "main" ]; then
# The tests are pretty slow so they are executed only for PRs
# changing relevant files.
FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
fi
- name: Compute hash for config cache key
id: config_hash
run: |
@ -534,6 +546,46 @@ jobs:
- name: Tests
run: xvfb-run make test
# CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
cifuzz:
name: CIFuzz
runs-on: ubuntu-latest
timeout-minutes: 60
needs: check_source
if: needs.check_source.outputs.run_cifuzz == 'true'
permissions:
security-events: write
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
steps:
- name: Build fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: cpython3
sanitizer: ${{ matrix.sanitizer }}
- name: Run fuzzers (${{ matrix.sanitizer }})
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
fuzz-seconds: 600
oss-fuzz-project-name: cpython3
output-sarif: true
sanitizer: ${{ matrix.sanitizer }}
- name: Upload crash
uses: actions/upload-artifact@v3
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-artifacts
path: ./out/artifacts
- name: Upload SARIF
if: always() && steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: cifuzz-sarif/results.sarif
checkout_path: cifuzz-sarif
all-required-green: # This job does nothing and is only used for the branch protection
name: All required checks pass
if: always()
@ -550,6 +602,7 @@ jobs:
- build_ubuntu_ssltests
- test_hypothesis
- build_asan
- cifuzz
runs-on: ubuntu-latest
@ -562,6 +615,7 @@ jobs:
build_ubuntu_ssltests,
build_win32,
build_win_arm64,
cifuzz,
test_hypothesis,
allowed-skips: >-
${{
@ -585,6 +639,13 @@ jobs:
'
|| ''
}}
${{
!fromJSON(needs.check_source.outputs.run_cifuzz)
&& '
cifuzz,
'
|| ''
}}
${{
!fromJSON(needs.check_source.outputs.run_hypothesis)
&& '

2
Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst Normal file
View File

@ -0,0 +1,2 @@
Set up CIFuzz to run fuzz targets in GitHub Actions. Patch by Illia
Volochii.

3
Modules/_xxtestfuzz/README.rst
View File

@ -13,6 +13,9 @@ oss-fuzz will regularly pull from CPython, discover all the tests in
automatically be run in oss-fuzz, while also being smoke-tested as part of
CPython's test suite.
In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
main branch changing relevant files.
Adding a new fuzz test
----------------------