Skip to content

driver: Fix startup crash when fuzzing native libraries (#883) #329

driver: Fix startup crash when fuzzing native libraries (#883)

driver: Fix startup crash when fuzzing native libraries (#883) #329

# This file exists over using one workflow and a matrix because matrices don't give you an easy way to use different
# secrets. The way that exists, having the secret's key name be a value, only works within `with` and not in `env`
# blocks (see https://github.com/orgs/community/discussions/26302#discussioncomment-3905492). This is a problem because
# we need to load the secret in `env` in order to check that it's there, so we can know if we want to run the fuzzing
# job. And we need _that_ because any PRs that come in from forks may not have these secrets defined and thus would
# cause our CI to fail if we let the steps run.
name: CI Fuzz Featured Project
# Set an action secret called "FEATURED_CI_FUZZ_API_TOKEN" with an API token
# generated in CI Fuzz web interface.
on:
workflow_dispatch:
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
PROJECT_NAME: projects/Jazzer-2bd02dc5
# The fuzzing server gRPC URL.
FUZZING_SERVER_ADDRESS: grpc.code-intelligence.com:443
# The fuzzing server HTTP URL.
WEB_APP_ADDRESS: https://app.code-intelligence.com
# Directory in which the repository will be cloned.
CHECKOUT_DIR: checkout-dir/
CIFUZZ_DOWNLOAD_URL: "https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_linux_amd64"
CIFUZZ_INSTALL_DIR: ./cifuzz
FUZZING_ARTIFACT: fuzzing-artifact.tar.gz
jobs:
setup:
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
env:
ci_fuzz_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }}
steps:
- id: checkout
name: Checkout Repository
uses: actions/checkout@v3
with:
path: ${{ env.CHECKOUT_DIR }}
- id: install-cifuzz
name: Install cifuzz
run: |
curl --fail --silent --show-error --location -o cifuzz_installer "$CIFUZZ_DOWNLOAD_URL"
chmod u+x cifuzz_installer
./cifuzz_installer --install-dir $CIFUZZ_INSTALL_DIR
- name: Set Build Buddy config
run: $CHECKOUT_DIR/.github/scripts/echoBuildBuddyConfig.sh ${{ secrets.BUILDBUDDY_API_KEY }} >> $GITHUB_ENV
shell: bash
- id: build-jazzer
name: Build Jazzer deps
run: cd $CHECKOUT_DIR && bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz
- id: build-fuzzers
name: Build Fuzzers
run: |
export cifuzz_DIR="$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/share/cmake"
cd $CHECKOUT_DIR/selffuzz/
$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \
--commit $GITHUB_SHA \
--branch $GITHUB_REF_NAME \
--output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT
shell: "bash"
- id: start-fuzzing
name: Start Fuzzing
uses: CodeIntelligenceTesting/github-actions/start-fuzzing@v5
if: ${{ env.ci_fuzz_token != '' }}
with:
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }}
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }}
fuzzing_artifact: ${{ env.CHECKOUT_DIR }}/${{ env.FUZZING_ARTIFACT }}
checkout_directory: ${{ env.CHECKOUT_DIR }}/selffuzz
project: ${{ env.PROJECT_NAME }}
- id: monitor-fuzzing
name: Fuzzing
uses: CodeIntelligenceTesting/github-actions/monitor-fuzzing@v5
if: ${{ env.ci_fuzz_token != '' }}
with:
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }}
test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }}
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }}
dashboard_address: ${{ env.WEB_APP_ADDRESS }}
project: ${{ env.PROJECT_NAME }}
- id: save-results
name: Save Fuzz Test Results
uses: CodeIntelligenceTesting/github-actions/save-results@v5
if: ${{ env.ci_fuzz_token != '' && (success() || failure()) }}
with:
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }}
test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }}
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }}
dashboard_address: ${{ env.WEB_APP_ADDRESS }}
project: ${{ env.PROJECT_NAME }}
- id: upload-artifact
uses: actions/upload-artifact@v3
if: ${{ env.ci_fuzz_token != '' && (success() || failure()) }}
with:
name: ci_fuzz_results-featured
path: |
findings.json
coverage.json
web_app_address.txt