Introduce service for NSS testing with TSan

moz-mdauer · moz-mdauer · commit 5a7ebe5ad47a · 2025-05-20T10:57:19.000+02:00
diff --git a/services/nss-tsan-fuzz/Dockerfile b/services/nss-tsan-fuzz/Dockerfile
@@ -0,0 +1,28 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+FROM ubuntu:24.04
+
+LABEL maintainer="Maurice Dauer <mdauer@mozilla.com>"
+
+ENV LOGNAME=worker
+ENV HOSTNAME=taskcluster-worker
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+
+COPY recipes/linux/ /src/recipes/
+COPY services/nss-tsan-fuzz/setup.sh /src/recipes/setup-nss-tsan-fuzz.sh
+COPY services/nss-tsan-fuzz/launch.sh /home/worker/
+
+RUN /src/recipes/setup-nss-tsan-fuzz.sh
+
+ENV LANG=en_US.UTF-8
+ENV LC_ALL=en_US.UTF-8
+
+USER worker
+WORKDIR /home/worker
+
+ENTRYPOINT ["/usr/local/bin/fuzzing-pool-launch"]
+CMD ["/home/worker/launch.sh"]
diff --git a/services/nss-tsan-fuzz/launch.sh b/services/nss-tsan-fuzz/launch.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -e
+set -x
+set -o pipefail
+
+# shellcheck source=recipes/linux/common.sh
+source .local/bin/common.sh
+
+# Clone nss/nspr
+retry hg clone https://hg.mozilla.org/projects/nspr
+retry hg clone https://hg.mozilla.org/projects/nss
+
+# Build nss with --fuzz=tsan
+pushd nss
+./build.sh -c -v --fuzz=tsan --disable-tests
+popd
+
+# Setup fuzzmanger
+get-tc-secret fuzzmanagerconf "$HOME/.fuzzmanagerconf"
+
+# Setup gcloud
+mkdir -p ~/.config/gcloud
+get-tc-secret ossfuzz-gutils ~/.config/gcloud/application_default_credentials.json raw
+echo -e "[Credentials]\ngs_service_key_file = /home/worker/.config/gcloud/application_default_credentials.json" > .boto
+
+# Clone corpora
+mkdir -p ./corpus/nss_tls-client-no_fuzzer_mode
+mkdir -p ./corpus/nss_dtls-client-no_fuzzer_mode
+
+pushd corpus/nss_tls-client-no_fuzzer_mode
+gsutil cp "gs://nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_tls-client-no_fuzzer_mode/latest.zip" .
+unzip latest.zip
+rm -f latest.zip
+popd
+
+pushd corpus/nss_dtls-client-no_fuzzer_mode
+gsutil cp "gs://nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_dtls-client-no_fuzzer_mode/latest.zip" .
+unzip latest.zip
+rm -f latest.zip
+popd
+
+# TSan setup
+export TSAN_OPTIONS="halt_on_error=1 suppressions=$PWD/nss/fuzz/config/tsan.suppressions"
+
+function check-for-crash() {
+    local binary=$1
+
+    if [ -f crash-* ]; then
+        zip -r testcase.zip crash-*
+        collector --submit --stdout stdout.log --crashdata stderr.log \
+                  --binary $binary --tool nss-tsan-fuzz \
+                  --testcase testcase.zip
+        rm -rf crash-* testcase.zip
+    fi
+}
+
+# Run tls client target
+BINARY="dist/Debug/bin/nsstsan-tls-client"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 5))
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+    $BINARY run ./corpus/nss_tls-client-no_fuzzer_mode $THREADS $MAX_TIME \
+    > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
+
+# Run dtls client target
+BINARY="dist/Debug/bin/nsstsan-dtls-client"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 5))
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+    $BINARY run ./corpus/nss_dtls-client-no_fuzzer_mode $THREADS $MAX_TIME \
+    > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
+
+# Run database target
+BINARY="dist/Debug/bin/nsstsan-database"
+THREADS=$((2 + RANDOM % 25))
+MAX_TIME=$((60 * 60 * 2))
+
+mkdir nsstsandb && \
+    certutil -N -d sql:nsstsandb --empty-password
+
+timeout -k $((MAX_TIME + 300)) $((MAX_TIME + 300)) \
+    $BINARY run $THREADS $MAX_TIME > stdout.log 2> stderr.log || true
+check-for-crash $BINARY
diff --git a/services/nss-tsan-fuzz/service.yaml b/services/nss-tsan-fuzz/service.yaml
@@ -0,0 +1 @@
+name: nss-tsan-fuzz
diff --git a/services/nss-tsan-fuzz/setup.sh b/services/nss-tsan-fuzz/setup.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+set -e
+set -x
+set -o pipefail
+
+# shellcheck source=recipes/linux/common.sh
+source "${0%/*}/common.sh"
+
+#### Bootstrap Packages
+
+sys-update
+
+#### Install recipes
+
+cd "${0%/*}"
+./fuzzmanager.sh
+./gsutil.sh
+./taskcluster.sh
+
+packages=(
+    binutils
+    clang
+    curl
+    git
+    gyp
+    jshon
+    libclang-rt-dev
+    libssl-dev
+    locales
+    make
+    mercurial
+    ninja-build
+    openssh-client
+    python-is-python3
+    python3
+    strace
+    unzip
+    zlib1g-dev
+)
+
+sys-embed "${packages[@]}"
+
+#### Base System Configuration
+
+# Generate locales
+locale-gen en_US.utf8
+
+#### Base Environment Configuration
+
+mkdir -p /home/worker/.local/bin
+
+# Add `cleanup.sh` to let images perform standard cleanup operations.
+cp "${0%/*}/cleanup.sh" /home/worker/.local/bin/cleanup.sh
+
+# Add shared `common.sh` to Bash
+cp "${0%/*}/common.sh" /home/worker/.local/bin/common.sh
+printf "source ~/.local/bin/common.sh\n" >> /home/worker/.bashrc
+
+/home/worker/.local/bin/cleanup.sh
+
+chown -R worker:worker /home/worker
+chmod 0777 /src
