Add faketime test script #7799
Signed-off-by: Jerry Yu <[email protected]>
@@ -380,6 +381,22 @@ check_tools() | |||
done | |||
} | |||
|
|||
check_faketime() { | |||
|
|||
for i in /usr/local/lib/faketime/libfaketime.so.1 \ |
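Review bot: check_faketime() starts its search with a hard-coded path, /usr/local/lib/faketime/libfaketime.so.1, and the visible lines carry no comment saying what the function sets or what happens when no candidate exists. Please add a short header comment, let an environment variable override the search list, and fail with a clear message when nothing is found, because a silently skipped preload would let time-dependent tests pass at the real date.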
Why not use the faketime program?
It might cause make to fail, or other failures, due to timestamps.
If we do not wrap all commands, make or other programs might report failures. And I think this change is the easiest way to avoid those failures.
|
||
# CFLAGS and LDFLAGS for Asan builds that don't use CMake | ||
# default to -O2, use -Ox _after_ this if you want another level | ||
ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' |
Asan or Msan combined with faketime leads to a deadlock when using Clang on Ubuntu 22.04 (and other versions). This is a known issue which has been partially resolved by wolfcw/libfaketime#389. We can build our own faketime executable with that feature included (there's no release yet), with -DFAIL_PRE_INIT_CALLS activated at compile time. Then faketime is compatible with Clang's sanitizers.
I tested on Ubuntu 22.04 with clang 14 and faketime 27b9c83a27cf253fcfa05bcbc635e85b36acb1cc built with
make FAKETIME_COMPILE_CFLAGS='-DFAKE_FILE_TIMESTAMPS -DFAKE_RANDOM -DINTERCEPT_SYSCALL -DFAIL_PRE_INIT_CALLS'
There doesn't seem to be a problem with GCC's sanitizers, other than needing to load lib*san.so before libfaketime.so, so we can't use the faketime binary.
Note that I'm not sure whether we want to do that: it makes sense to run the faketime job without Asan, since we only care about functional testing there. But it would be convenient to be able to at least occasionally run a full all.sh with faketime, so I intend to make a patch to our build/test scripts (to support faketime invocation when running tests) and to the dockerfiles (to build our own faketime instead of using the one from the Linux distribution) that makes it possible.
I will try that first. I will update this PR with an mbedtls-test PR when it passes my local test.
I've been experimenting with that and I have dockerfile patches ready in https://github.com/Mbed-TLS/mbedtls-test/tree/dev/gilles-peskine-arm/faketime-20240116 (this branch also contains groovy patches that were just for this one test run). I also have some build script patches in https://github.com/gilles-peskine-arm/mbedtls/tree/faketime-testing-3.4.1 etc which I find too invasive. CI results: development, 3.4.1, 2.28.4.
ASAN_OPTIONS=verify_asan_link_order=0 faketime -f +100d
might be a better solution. See https://github.com/google/sanitizers/wiki/AddressSanitizerFlags.
I just passed test_default_cmake_gcc_asan; I tested it with LD_PRELOAD. And I like your patches. With ASAN_OPTIONS, no invasion needed.
In your patches, change https://github.com/Mbed-TLS/mbedtls-test/blob/5e1d2ee0d511705178d0db99b54107ed3887300a/vars/gen_jobs.groovy#L550 to
common.all_sh_precommand += "ASAN_OPTIONS=verify_asan_link_order=0 faketime -f +${days_ahead}d "
I think that's enough.
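The two workarounds discussed in the review comments above (sanitizer runtime loaded ahead of libfaketime in LD_PRELOAD, and ASAN_OPTIONS=verify_asan_link_order=0) combined in one wrapper. This is an added example, not code from the PR or from Mbed TLS; the function names and every candidate path except the first are assumptions.

```shell
#!/bin/sh
# Added example: run a command N days in the future under libfaketime while
# keeping a GCC sanitizer runtime, if any, ahead of libfaketime in LD_PRELOAD.

# Only the first path appears in the PR's visible hunk; the others are
# assumptions about common distribution layouts.
FAKETIME_CANDIDATES="/usr/local/lib/faketime/libfaketime.so.1
/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
/usr/lib/faketime/libfaketime.so.1"

# Print the first existing libfaketime path, or return 1.
find_libfaketime() {
    for lib in $FAKETIME_CANDIDATES; do
        if [ -f "$lib" ]; then echo "$lib"; return 0; fi
    done
    return 1
}

# Validate a day count and print the libfaketime offset (100 -> +100d).
# Rejecting anything but digits keeps shell metacharacters out of FAKETIME.
future_offset() {
    case "$1" in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 1 ;;
    esac
    echo "+${1}d"
}

# Print the first shared sanitizer runtime a binary links against, if any.
sanitizer_runtime() {
    ldd "$1" 2>/dev/null | awk '/lib(a|t|ub)san\.so/ { print $3; exit }'
}

# Build LD_PRELOAD: sanitizer runtime first (may be empty), libfaketime last.
preload_order() {
    if [ -n "$1" ]; then echo "$1:$2"; else echo "$2"; fi
}

# run_in_future DAYS COMMAND [ARGS...]
# Returns 2 on a bad day count, 3 when libfaketime is not installed.
run_in_future() {
    offset=$(future_offset "$1") || return 2
    shift
    faketime_lib=$(find_libfaketime) || { echo "libfaketime not found" >&2; return 3; }
    san_lib=$(sanitizer_runtime "$(command -v "$1")")
    LD_PRELOAD=$(preload_order "$san_lib" "$faketime_lib") \
    FAKETIME="$offset" \
    ASAN_OPTIONS="verify_asan_link_order=0${ASAN_OPTIONS:+:$ASAN_OPTIONS}" \
        "$@"
}
```

For example, `run_in_future 100 ./some_test_binary` runs a locally built test binary (placeholder name) 100 days ahead; failing hard when libfaketime is missing prevents a run at the real date from being mistaken for a future-date pass.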
Description
This is for detecting expired CRL/CRT and checking if the generate commands work correctly.
For the time being, tests/data_files/Makefile does not work correctly. Components for that will fail.
PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")