ci: run the tests under ASan/UBsan on GHActions
It was tested in https://github.com/SELinuxProject/selinux/pull/321 and https://github.com/SELinuxProject/selinux/pull/320. In the process it discovered a few issues all of which were fixed inb98d3c4c53
ea539017fb
fe01a91a79
f95dbf2c74
Now that all the issues are gone it should be safe to turn it on to make it easier to automatically catch bugs like that almost as soon as they end up in the repository. Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
This commit is contained in:
parent
b78560fd37
commit
ad2ff8a840
2 changed files with 33 additions and 17 deletions
22
.github/workflows/run_tests.yml
vendored
22
.github/workflows/run_tests.yml
vendored
|
@ -29,6 +29,9 @@ jobs:
|
||||||
python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
|
python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
|
||||||
- compiler: clang
|
- compiler: clang
|
||||||
python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
|
python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
|
||||||
|
include:
|
||||||
|
- compiler: gcc
|
||||||
|
python-ruby-version: {python: 3.9, ruby: 2.7, other: sanitizers}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
|
@ -88,6 +91,11 @@ jobs:
|
||||||
elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
|
elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
|
||||||
# Test hat debug build works fine
|
# Test hat debug build works fine
|
||||||
EXPLICIT_MAKE_VARS="DEBUG=1"
|
EXPLICIT_MAKE_VARS="DEBUG=1"
|
||||||
|
elif [ "${{ matrix.python-ruby-version.other }}" = "sanitizers" ] ; then
|
||||||
|
sanitizers='-fsanitize=address,undefined'
|
||||||
|
EXPLICIT_MAKE_VARS="CFLAGS='-g -I$DESTDIR/usr/include $sanitizers' LDFLAGS='-L$DESTDIR/usr/lib $sanitizers' LDLIBS= CPPFLAGS= OPT_SUBDIRS="
|
||||||
|
echo "ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1" >> $GITHUB_ENV
|
||||||
|
echo "UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1" >> $GITHUB_ENV
|
||||||
else
|
else
|
||||||
EXPLICIT_MAKE_VARS=
|
EXPLICIT_MAKE_VARS=
|
||||||
fi
|
fi
|
||||||
|
@ -139,18 +147,18 @@ jobs:
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
run: |
|
run: |
|
||||||
echo "::group::make install"
|
echo "::group::make install"
|
||||||
make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
|
eval make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
echo "::group::make install-pywrap"
|
echo "::group::make install-pywrap"
|
||||||
make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
|
eval make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
echo "::group::make install-rubywrap"
|
echo "::group::make install-rubywrap"
|
||||||
make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
|
eval make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
# Now that everything is installed, run "make all" to build everything which may have not been built
|
# Now that everything is installed, run "make all" to build everything which may have not been built
|
||||||
echo "::group::make all"
|
echo "::group::make all"
|
||||||
make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
|
eval make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
# Set up environment variables for the tests and show variables (to help debugging issues)
|
# Set up environment variables for the tests and show variables (to help debugging issues)
|
||||||
|
@ -164,9 +172,10 @@ jobs:
|
||||||
|
|
||||||
# Run tests
|
# Run tests
|
||||||
echo "::group::make test"
|
echo "::group::make test"
|
||||||
make test $EXPLICIT_MAKE_VARS
|
eval make test $EXPLICIT_MAKE_VARS
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
||||||
|
if [ "${{ matrix.python-ruby-version.other }}" != "sanitizers" ] ; then
|
||||||
# Test Python and Ruby wrappers
|
# Test Python and Ruby wrappers
|
||||||
echo "::group::Test Python and Ruby wrappers"
|
echo "::group::Test Python and Ruby wrappers"
|
||||||
$PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
|
$PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
|
||||||
|
@ -177,6 +186,7 @@ jobs:
|
||||||
echo "::group::scripts/run-flake8"
|
echo "::group::scripts/run-flake8"
|
||||||
./scripts/run-flake8
|
./scripts/run-flake8
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "::group::Test .gitignore and make clean distclean"
|
echo "::group::Test .gitignore and make clean distclean"
|
||||||
# Remove every installed files
|
# Remove every installed files
|
||||||
|
@ -184,6 +194,6 @@ jobs:
|
||||||
# Test that "git status" looks clean, or print a clear error message
|
# Test that "git status" looks clean, or print a clear error message
|
||||||
git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
|
git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
|
||||||
# Clean up everything and show which file needs to be added to "make clean"
|
# Clean up everything and show which file needs to be added to "make clean"
|
||||||
make clean distclean $EXPLICIT_MAKE_VARS
|
eval make clean distclean $EXPLICIT_MAKE_VARS
|
||||||
git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
|
git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
|
||||||
echo "::endgroup::"
|
echo "::endgroup::"
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
ENV ?= env
|
||||||
M4 ?= m4
|
M4 ?= m4
|
||||||
MKDIR ?= mkdir
|
MKDIR ?= mkdir
|
||||||
EXE ?= libsepol-tests
|
EXE ?= libsepol-tests
|
||||||
|
@ -45,9 +46,14 @@ clean:
|
||||||
rm -f $(policies)
|
rm -f $(policies)
|
||||||
rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
|
rm -f policies/test-downgrade/policy.hi policies/test-downgrade/policy.lo
|
||||||
|
|
||||||
|
# mkdir is run in a clean environment created by env -i to avoid failing under ASan with:
|
||||||
|
#
|
||||||
|
# ASan runtime does not come first in initial library list;
|
||||||
|
# you should either link runtime to your application or manually preload it with LD_PRELOAD
|
||||||
|
#
|
||||||
|
# when the source code is built with ASan
|
||||||
test: $(EXE) $(policies)
|
test: $(EXE) $(policies)
|
||||||
$(MKDIR) -p policies/test-downgrade
|
$(ENV) -i $(MKDIR) -p policies/test-downgrade
|
||||||
../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
|
../../checkpolicy/checkpolicy -M policies/test-cond/refpolicy-base.conf -o policies/test-downgrade/policy.hi
|
||||||
./$(EXE)
|
./$(EXE)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue