chronos: Pause compile just before compiling the fuzz target so that we can reuse it later.

[DonggeLiu]

@jonathanmetzman proposed a great idea about saving the machine state just before compiling the fuzz target so that we can compile different fuzz targets from that state later without having to go through the earlier commands.
This is particularly beneficial for OSS-Fuzz-Gen.

This PR is an (incomplete) PoC at that.
Ideally, we:

1. Replace the fuzz target compilation command and all commands after it with no-ops,
2. Save them into a script (e.g., $SRC/re-run.sh), and
3. Push the resulting image for later reuse.

In this way, we can reuse the image later by swapping the fuzz target source code and executing $SRC/re-run.sh.

The script in the PR can do 2, but not 1.
This might be OK already because steps in 1 are normally at the end, and there is unlikely any check to prevent them, but ideally, we should do 1, too.

To test this locally:

python infra/helper.py build_image libiec61850
docker run -ti --entrypoint=/bin/bash gcr.io/oss-fuzz/libiec61850
(in container) compile
cat /src/re-run.sh

[github-actions]

DonggeLiu has previously contributed to projects/libiec61850. The previous PR was #10109

[DonggeLiu]

oss-fuzz/infra/experimental/chronos/README.md

Lines 1 to 12 in 0a8f45e

	# Usage
	Under `OSS-Fuzz` root directory:
	```bash
	export PROJECT=libiec61850
	export FUZZ_TARGET=fuzz_mms_decode.c
	export FUZZING_LANGUAGE=c
	infra/experimental/chronos/prepare-recompile "$PROJECT" "$FUZZ_TARGET" "$FUZZING_LANGUAGE"
	python infra/helper.py build_image "$PROJECT"
	docker run -ti --entrypoint="compile" --name "${PROJECT}-origin" "gcr.io/oss-fuzz/${PROJECT}"
	docker commit "${PROJECT}-origin" "gcr.io/oss-fuzz/${PROJECT}-ofg-cached"
	docker run -ti --entrypoint="recompile" "gcr.io/oss-fuzz/${PROJECT}-ofg-cached"
	```

[DonggeLiu]

@oliverchang, shall we integrate this into the daily automatic build for C/C++ projects?
Being able to pull cached images (e.g., gcr.io/oss-fuzz/libiec61850-ofg-cached) can be helpful, low priority to show their status on the webpage.

[DonggeLiu]

/gcbrun skip

[DonggeLiu]

The Infra tests / build (pull_request) CI failure seems unrelated.

[oliverchang]

@oliverchang, shall we integrate this into the daily automatic build for C/C++ projects? Being able to pull cached images (e.g., gcr.io/oss-fuzz/libiec61850-ofg-cached) can be helpful, low priority to show their status on the webpage.

Unfortunately we can't trust images pushed by the OSS-Fuzz build process to gcr.io/oss-fuzz. Any project being built can push to gcr.io/oss-fuzz/ANYTHING, which is why we don't use this in our infra anywhere today.

[oliverchang]

neat!

[oliverchang]

Can you please add a general high level few sentences as a comment to describe how this script works?

e.g.

# This script intercepts commands in the build process of a project, and records all bash commands (and env variable values) from the point that the fuzz target source is encountered....

[DonggeLiu]

Done, thanks

[DavidKorczynski]

There's no reference to sanitizers and it might be nice to include this. Perhaps both in the README.md and also in prepare-recompile as its necessary to set the sanitizer environment variable to ensure recompile builds in the respective sanitizer. Maybe also clarify this is only libfuzzer atm?

[DonggeLiu]

There's no reference to sanitizers and it might be nice to include this.

Could you elaborate a bit more on what to include? Thanks

in prepare-recompile as its necessary to set the sanitizer environment variable to ensure recompile builds in the respective sanitizer.

Please correct me if I misunderstood you, but I thought all env vars (including -fsanitizer=* in c-/cxx-flags) are stored and reset in:

oss-fuzz/infra/experimental/chronos/chronos.sh

Line 51 in 432e69a

declare -p | grep -Ev 'declare -[^ ]*r[^ ]*' > "$RECOMPILE_ENV"

oss-fuzz/infra/experimental/chronos/chronos.sh

Line 35 in 432e69a

echo "source $RECOMPILE_ENV" >> "$RECOMPILE_SCRIPT"

Maybe also clarify this is only libfuzzer atm?

Yep, good point. I will add this.

Thanks!

[DavidKorczynski]

when compile is run here, SANITIZER wont be set and consequently we won't set the any sanitizer flags in the following code (since sanitizer is '') (

oss-fuzz/infra/base-images/base-builder/compile

Lines 69 to 72 in 432e69a

	if [ -z "${SANITIZER_FLAGS-}" ]; then
	FLAGS_VAR="SANITIZER_FLAGS_${SANITIZER}"
	export SANITIZER_FLAGS=${!FLAGS_VAR-}
	fi

) as we want the relevant variables here

oss-fuzz/infra/base-images/base-builder/Dockerfile

Lines 60 to 76 in 432e69a

	ENV SANITIZER_FLAGS_address "-fsanitize=address -fsanitize-address-use-after-scope"
	ENV SANITIZER_FLAGS_hwaddress "-fsanitize=hwaddress -fuse-ld=lld -Wno-unused-command-line-argument"
	# Set of '-fsanitize' flags matches '-fno-sanitize-recover' + 'unsigned-integer-overflow'.
	ENV SANITIZER_FLAGS_undefined "-fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr"
	# Don't include "function" since it is unsupported on aarch64.
	ENV SANITIZER_FLAGS_undefined_aarch64 "-fsanitize=array-bounds,bool,builtin,enum,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr"
	ENV SANITIZER_FLAGS_memory "-fsanitize=memory -fsanitize-memory-track-origins"
	ENV SANITIZER_FLAGS_thread "-fsanitize=thread"
	ENV SANITIZER_FLAGS_introspector "-O0 -flto -fno-inline-functions -fuse-ld=gold -Wno-unused-command-line-argument"
	# Do not use any sanitizers in the coverage build.
	ENV SANITIZER_FLAGS_coverage ""

For OFG we need to have two different builds:
SANITIZER == 'coverage'
SANITIZER == 'address'
but I assume in general it's intended to use this with sanitizers, which might make it nice to show how to do this in the README. I think just adding -e SANITIZER="address" to the docker run command would do the job

[DavidKorczynski]

@DonggeLiu re #11937 (comment) -- I think my comment only applies to the README for now

[DonggeLiu]

OK Done

[DavidKorczynski]

Maybe also clarify this is only libfuzzer atm?

Yep, good point. I will add this.

I think they might work with multiple engines? Similar with sanitizers though, one just needs to control the fuzz engine variable when running compile

[jonathanmetzman]

I'll try to take a look before the end of the week. Is this a totally different implementation of the idea than jcc2? https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/jcc/jcc2.go

[DonggeLiu]

I'll try to take a look before the end of the week. Is this a totally different implementation of the idea than jcc2? https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/jcc/jcc2.go

Thanks!
Yes, sorry. I did not follow that because I was hoping this could save more resources (e.g., building the project once for all its benchmarks). Later, we will run OFG on all functions suggested by FI on each project, and this can be handy.

[jonathanmetzman]

What are OFG and FI?

[DonggeLiu]

What are OFG and FI?

OSS-Fuzz-Gen and FuzzIntrospector

[DonggeLiu]

2821e62 modifies /src/build.sh in container instead of in OSS-Fuzz, because some projects do not maintain their build.sh in OSS-Fuzz. /src/build.sh should be the most universal and final version used by compile.