Add build steps for introspector images#7059
Conversation
oliverchang
left a comment
oliverchang
left a comment
There was a problem hiding this comment.
Nice! Just a general comment on the patching approach below.
infra/build/functions/base_images.py
Outdated
| BASE_PROJECT = 'oss-fuzz-base' | ||
| TAG_PREFIX = f'gcr.io/{BASE_PROJECT}/' | ||
| MAJOR_VERSION = 'v1' | ||
| INTROSPECTOR_VERSION = 'introspector' |
There was a problem hiding this comment.
nit: s/VERSION/TAG/ to be more precise.
infra/build/functions/base_images.py
Outdated
| 'bash', '-c', | ||
| ('cd fuzz-introspector/ && cd oss_fuzz_integration/' | ||
| ' && sed -i \'s/\.\/infra\/base\-images\/all.sh/' | ||
| '#\.\/infra\/base\-images\/all.sh/\'' |
There was a problem hiding this comment.
Let's upstream as many of the image diffs as possible to avoid this hacky and difficult to maintain patching. Could you create another PR to incorporate the changes in https://github.com/ossf/fuzz-introspector/blob/main/oss_fuzz_integration/oss-fuzz-patches.diff ?
We can guard certain things with env vars if necessary.
There was a problem hiding this comment.
made all.sh conditional to skip it if in cloud build.
|
I think we should consider that fuzz-introspector currently builds a custom Clang with a 2-line patch due to https://reviews.llvm.org/D77704 Please see the lines here: https://github.com/ossf/fuzz-introspector/blob/main/oss_fuzz_integration/oss-fuzz-patches.diff#L127-L129 Another thought is the use of |
Yes it would be really great if we could get https://reviews.llvm.org/D77704 merged, or alternatively use a different mechanism for computing call graphs. Both of those will take time though, and we'd like to start being able to run this at scale on all of our OSS-Fuzz projects.
Yep! I also suggested to @Navidem in #7060 (comment) to just use the main_repo property in project.yaml. |
|
@Navidem FYI this commit ossf/fuzz-introspector@c27b407 updates such that we no longer require a special version of LLVM in fuzz-introspector. Fuzz-introspector now works with latest oss-fuzz as well |
Nice, thanks!! That makes it so much easier to integrate. |
Np - notice we do still need to patch clang :/ i.e. before we needed LLVM 12 + patching. Now we only need patching. |
Re the patches: Are the required changes self contained in a bunch of LLVM tools (i.e. ranlib, ar) such that we can just copy out these binaries into the main |
@oliverchang the patch is a single line in terms of code, and then a header file inclusion. See this comment I wrote in another PR The patch is simply to add a line before here: https://github.com/llvm/llvm-project/blob/main/llvm/lib/Transforms/IPO/PassManagerBuilder.cpp#L997 and then we add the required plugin header as well. The line we add is |
Thanks for explaining! Re just including this into In any case, it's probably safer to start with a separate image first for testing and move to a single image in the future. Perhaps we may even find another mechanism for generating the call graph that doesn't require LTO? |
infra/build/functions/base_images.py
Outdated
| 'gcr.io/oss-fuzz-base/base-runner', | ||
| 'args': [ | ||
| 'bash', '-c', | ||
| (f'sed -i s/base-clang/base-clang:{INTROSPECTOR_TAG}/g' |
There was a problem hiding this comment.
let's set the replace pattern to 'base-clang:.*' in case the base-clang is already set to a tag.
There was a problem hiding this comment.
First, probably you meant 'base-clang.*', right?
Second, the replacement is applied on vanilla oss-fuzz clone, so there won't be an explicit tag for the image used by base-builder. Unless you are assuming in future we may have such tagging.
infra/build/functions/base_images.py
Outdated
| steps.append({ | ||
| 'args': [ | ||
| 'build', | ||
| '--build-arg': build_arg, |
There was a problem hiding this comment.
Does passing --build-arg with an empty string work as expected (i.e. a no-op) ?
There was a problem hiding this comment.
You're right, the empty string breaks the build, did not test it properly last night!
Probably better approach would be passing build-arg for both image builds, in case of base-clang:introspector it is consumed. For the case of base-builder:introspector it produces a benign warning, but build succeeds.
Atm the goal is to maintain a stable interface for OSS-Fuzz so we wont run into updating issues, but also enable non-oss-fuzz builds which may have more experimental features. Another aspect that may make things unstable in the long-term is introducing new languages into fuzz-introspector.
Sounds good and I agree that it's probably safer. It would also be nice to not alert users on failed introspector builds (at least in the beginning) and instead give us a chance of going through them to correct potential issues. FYI I don't think LTO will be removed in the near future - we still get significant benefits from it. However, if the OSS-Fuzz integration shows it's a problem for many projects then we should reconsider. With that said, the only project I know of that does not go well with LTO atm is bitcoin-core. Other projects that have failed with LTO has been due to memory exhaustion and this can sometimes be fixed by constraining the build (e.g. from N processes to just a few). We track these issues here |
infra/build/functions/base_images.py
Outdated
|
|
||
| introspector_steps = _get_introspector_base_images_steps( | ||
| INTROSPECTOR_BASE_IMAGES, tag_prefix) | ||
| intro_images = [ |
There was a problem hiding this comment.
nit: s/intro/introspector/. Always better to be more explicit (and consistent) here.
|
Please also fix the lint issues. |
|
@oliverchang this should be ready for merge. |
3 participants
No description provided.