Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags

From:	Daniel P . Berrangé
Subject:	Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags
Date:	Thu, 4 Mar 2021 10:39:42 +0000
User-agent:	Mutt/2.0.5 (2021-01-21)

On Wed, Mar 03, 2021 at 10:09:48PM -0500, Daniele Buono wrote:
> QEMU has had options to enable control-flow integrity features
> for a few months now. Add two sets of build/check/acceptance
> jobs to ensure the binary produced is working fine.
> 
> The three sets allow testing of x86_64 binaries for x86_64, s390x,
> ppc64 and aarch64 targets
> 
> Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
> ---
>  .gitlab-ci.yml | 119 +++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 119 insertions(+)
> 
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index 814f51873f..7b1f25c92e 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -483,6 +483,125 @@ clang-user:
>        --extra-cflags=-fsanitize=undefined 
> --extra-cflags=-fno-sanitize-recover=undefined
>      MAKE_CHECK_ARGS: check-unit check-tcg
>  
> +# Set LD_JOBS=1 because this requires LTO and ld consumes a large amount of 
> memory.
> +# On gitlab runners, default value sometimes end up calling 2 lds 
> concurrently and
> +# triggers an Out-Of-Memory error
> +#
> +# Since slirp callbacks are used in QEMU Timers, slirp needs to be compiled 
> together
> +# with QEMU and linked as a static library to avoid false positives in CFI 
> checks.
> +# This can be accomplished by using -enable-slirp=git, which avoids the use 
> of
> +# a system-wide version of the library
> +#
> +# Split in three sets of build/check/acceptance to limit the execution time 
> of each
> +# job
> +build-cfi-arm:

s/arm/aarch64/

> +  <<: *native_build_job_definition
> +  needs:
> +  - job: amd64-fedora-container
> +  variables:
> +    LD_JOBS: 1
> +    AR: llvm-ar
> +    IMAGE: fedora
> +    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> +      --enable-safe-stack --enable-slirp=git
> +    TARGETS: aarch64-softmmu
> +    MAKE_CHECK_ARGS: check-build
> +  artifacts:
> +    expire_in: 2 days
> +    paths:
> +      - build
> +
> +check-cfi-arm:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-arm
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-arm:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-arm
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check-acceptance
> +  <<: *acceptance_definition
> +
> +build-cfi-ibm:

Lets not use vendor names here - keep the target names. ie

  build-cfi-s390x-ppc64

and equivalent for the rest of the jobs below....

> +  <<: *native_build_job_definition
> +  needs:
> +  - job: amd64-fedora-container
> +  variables:
> +    LD_JOBS: 1
> +    AR: llvm-ar
> +    IMAGE: fedora
> +    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> +      --enable-safe-stack --enable-slirp=git
> +    TARGETS: ppc64-softmmu s390x-softmmu
> +    MAKE_CHECK_ARGS: check-build
> +  artifacts:
> +    expire_in: 2 days
> +    paths:
> +      - build
> +
> +check-cfi-ibm:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-ibm
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-ibm:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-ibm
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check-acceptance
> +  <<: *acceptance_definition
> +
> +build-cfi-intel:
> +  <<: *native_build_job_definition
> +  needs:
> +  - job: amd64-fedora-container
> +  variables:
> +    LD_JOBS: 1
> +    AR: llvm-ar
> +    IMAGE: fedora
> +    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> +      --enable-safe-stack --enable-slirp=git
> +    TARGETS: x86_64-softmmu
> +    MAKE_CHECK_ARGS: check-build
> +  artifacts:
> +    expire_in: 2 days
> +    paths:
> +      - build
> +
> +check-cfi-intel:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-intel
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-intel:
> +  <<: *native_test_job_definition
> +  needs:
> +    - job: build-cfi-intel
> +      artifacts: true
> +  variables:
> +    IMAGE: fedora
> +    MAKE_CHECK_ARGS: check-acceptance
> +  <<: *acceptance_definition
> +
>  tsan-build:
>    <<: *native_build_job_definition
>    variables:
> -- 
> 2.30.0
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3 0/2] gitlab-ci.yml: Add jobs to test CFI, Daniele Buono, 2021/03/03
- [PATCH v3 1/2] gitlab-ci.yml: Allow custom # of parallel linkers, Daniele Buono, 2021/03/03
  - Re: [PATCH v3 1/2] gitlab-ci.yml: Allow custom # of parallel linkers, Daniel P . Berrangé, 2021/03/04
- [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags, Daniele Buono, 2021/03/03
  - Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags, Daniel P . Berrangé <=
    - Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags, Thomas Huth, 2021/03/04
    - Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags, Daniel P . Berrangé, 2021/03/04
- Re: [PATCH v3 0/2] gitlab-ci.yml: Add jobs to test CFI, Alex Bennée, 2021/03/04

Prev by Date: [PULL 0/1] virtiofs queue (minor security)
Next by Date: Re: [PATCH] virtiofsd: Add qemu version and copyright info
Previous by thread: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags
Next by thread: Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags
Index(es):
- Date
- Thread