[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags
From: |
Daniel P . Berrangé |
Subject: |
Re: [PATCH v3 2/2] gitlab-ci.yml: Add jobs to test CFI flags |
Date: |
Thu, 4 Mar 2021 10:39:42 +0000 |
User-agent: |
Mutt/2.0.5 (2021-01-21) |
On Wed, Mar 03, 2021 at 10:09:48PM -0500, Daniele Buono wrote:
> QEMU has had options to enable control-flow integrity features
> for a few months now. Add two sets of build/check/acceptance
> jobs to ensure the binary produced is working fine.
>
> The three sets allow testing of x86_64 binaries for x86_64, s390x,
> ppc64 and aarch64 targets
>
> Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
> ---
> .gitlab-ci.yml | 119 +++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 119 insertions(+)
>
> diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> index 814f51873f..7b1f25c92e 100644
> --- a/.gitlab-ci.yml
> +++ b/.gitlab-ci.yml
> @@ -483,6 +483,125 @@ clang-user:
> --extra-cflags=-fsanitize=undefined
> --extra-cflags=-fno-sanitize-recover=undefined
> MAKE_CHECK_ARGS: check-unit check-tcg
>
> +# Set LD_JOBS=1 because this requires LTO and ld consumes a large amount of
> memory.
> +# On gitlab runners, default value sometimes end up calling 2 lds
> concurrently and
> +# triggers an Out-Of-Memory error
> +#
> +# Since slirp callbacks are used in QEMU Timers, slirp needs to be compiled
> together
> +# with QEMU and linked as a static library to avoid false positives in CFI
> checks.
> +# This can be accomplished by using -enable-slirp=git, which avoids the use
> of
> +# a system-wide version of the library
> +#
> +# Split in three sets of build/check/acceptance to limit the execution time
> of each
> +# job
> +build-cfi-arm:
s/arm/aarch64/
> + <<: *native_build_job_definition
> + needs:
> + - job: amd64-fedora-container
> + variables:
> + LD_JOBS: 1
> + AR: llvm-ar
> + IMAGE: fedora
> + CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> + --enable-safe-stack --enable-slirp=git
> + TARGETS: aarch64-softmmu
> + MAKE_CHECK_ARGS: check-build
> + artifacts:
> + expire_in: 2 days
> + paths:
> + - build
> +
> +check-cfi-arm:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-arm
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-arm:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-arm
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check-acceptance
> + <<: *acceptance_definition
> +
> +build-cfi-ibm:
Lets not use vendor names here - keep the target names. ie
build-cfi-s390x-ppc64
and equivalent for the rest of the jobs below....
> + <<: *native_build_job_definition
> + needs:
> + - job: amd64-fedora-container
> + variables:
> + LD_JOBS: 1
> + AR: llvm-ar
> + IMAGE: fedora
> + CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> + --enable-safe-stack --enable-slirp=git
> + TARGETS: ppc64-softmmu s390x-softmmu
> + MAKE_CHECK_ARGS: check-build
> + artifacts:
> + expire_in: 2 days
> + paths:
> + - build
> +
> +check-cfi-ibm:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-ibm
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-ibm:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-ibm
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check-acceptance
> + <<: *acceptance_definition
> +
> +build-cfi-intel:
> + <<: *native_build_job_definition
> + needs:
> + - job: amd64-fedora-container
> + variables:
> + LD_JOBS: 1
> + AR: llvm-ar
> + IMAGE: fedora
> + CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
> + --enable-safe-stack --enable-slirp=git
> + TARGETS: x86_64-softmmu
> + MAKE_CHECK_ARGS: check-build
> + artifacts:
> + expire_in: 2 days
> + paths:
> + - build
> +
> +check-cfi-intel:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-intel
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check
> +
> +acceptance-cfi-intel:
> + <<: *native_test_job_definition
> + needs:
> + - job: build-cfi-intel
> + artifacts: true
> + variables:
> + IMAGE: fedora
> + MAKE_CHECK_ARGS: check-acceptance
> + <<: *acceptance_definition
> +
> tsan-build:
> <<: *native_build_job_definition
> variables:
> --
> 2.30.0
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|