Add memory sanitizer test to travis #687
Conversation
.travis.yml
Outdated
| # and BIGNUM are disabled because clang memory sanitizer does not work | ||
| # with inline assembly (https://clang.llvm.org/docs/MemorySanitizer.html). | ||
| # The memory sanitizer is instructed to exit with a different exit code | ||
| # using MSAN_OPTIONS. This is because the default exit code is 77 - the |
There was a problem hiding this comment.
Wow, how long did it take you to figure this out?
There was a problem hiding this comment.
Haha, not long luckily. The automake doc is pretty clear about exit code 77 being the cause of skipped tests.
|
Apparently both test programs fail with the sanitizer enabled on travis. I'm testing this locally and the output is much better with
Interestingly, I get different results with coverage on and off (due to the enabled VERIFYs), and in both cases the sanitizer fails pretty early here. :/ edit: The caveat of all these options is that they don't work on the compiler options that we really use for the build in the end. I still think they're useful, I guess the memory sanitizer is more useful for spotting mistakes in the source code and not issues introduced by the compiler. |
|
@real-or-random you're missing |
.travis.yml
Outdated
| # using MSAN_OPTIONS. This is because the default exit code is 77 - the | ||
| # same exit code that autotools make check interprets as a test that is | ||
| # supposed to be skipped. | ||
| env: EXTRAFLAGS="--disable-openssl-tests CFLAGS=-fsanitize=memory" ASM=no BIGNUM=no EXPERIMENTAL=yes ENDOMORPHISM=yes RECOVERY=yes ECDH=yes MSAN_OPTIONS=exitcode=42 |
There was a problem hiding this comment.
Maybe it's a good idea to test with both ENDOMORPHISM=yes and ENDOMORPHISM=no because both code paths are interesting for memory: setting up the contexts involves a lot of pointer arithmetic etc.
There was a problem hiding this comment.
Yeah I can add that.
|
Strong Concept ACK Cannot survive over long time horizons without the sanitizers :) Thanks for doing this @jonasnick! |
jonasnick
force-pushed
the
travis-memsanitizer
branch
from
33ad6d6
to
e50fd67
Compare
|
Rebased. @real-or-random
When I experimented with this before opening the PR I noticed that with |
jonasnick
force-pushed
the
travis-memsanitizer
branch
from
e50fd67
to
d746fa2
Compare
|
I've added a non-endo test. But my tests with |
jonasnick
force-pushed
the
travis-memsanitizer
branch
2 times, most recently
from
e23148a
to
f3cae6b
Compare
|
With @real-or-random's help I added |
|
ACK f3cae6b
Makes perfect sense by the way. |
|
The msan is a much weaker test than valgrind particularly with -DVALGRIND as that tests properties that can't be easily tested any other way ... does the travis environment have valgrind? We've historically used valgrind (so this is not a case where valgrind is too slow to be useful)... |
My guess was that it is too slow but this was really just a guess. If you say it's not, we should definitively try it. |
|
@gmaxwell I'm not an expert on valgrind and/or sanitizers, |
|
@elichai that isn't the case, memcheck checks the stack/heap, use of freed memory, use of uninitilized memory (regardless of stack or heap). And it isn't broken by SIMD or assembly ... Sometimes optimizations in the compiler can hide issues, since valgrind cannot see any behaviour that doesn't actually make it into the binary, but the optimizers can hide bugs from msan too. Moreover, libsecp256k1's tests have active instrumentation for valgrind which mark memory that calls shouldn't touch as uninitialized and then after the calls verifies that it's still uninitialized-- making sure that its not moving data out and putting it back from pointers it shouldn't be accessing at all. With the exception of bugs totally removed by optimization I'm not aware of any case where msan is more sensitive than valgrind, but I'm aware of many where it's less. Because valgrind can actually run with the production binaries it can also catch miscompliation. -- even the msan page states "MSan implements a subset of functionality found in Valgrind (Memcheck tool)". The big thing that msan has going for it is that its faster than memcheck. Of course, there is no harm in using both... but switching from using valgrind in development to msan run in travis would be a step back. |
|
@elichai valgrind certainly found the uninitialized I temporarily added to #558. @gmaxwell this PR is not intended to replace local testing - it's just belt and suspenders. Travis is not to be trusted anyway. I played with running valgrind in travis and it seems to work with "test count" 8 instead of the default 64 jonasnick#10. I'll open an alternative PR with a more cleaned up version of the valgrind travis config. |
|
|
||
| # clang with memory sanitizer | ||
| # | ||
| # --disable-openssl-tests because openssl uses uninitialized memory. ASM |
There was a problem hiding this comment.
nit: I haven't checked this myself, but an alternative might be to export MSAN_OPTIONS with a suppressions file for the openssl function that is affected.
There was a problem hiding this comment.
Indeed but I don't think that's better in the end, and disabling the tests as done here is simpler. Note that the flag here really just influences just the test code. OpenSSL is only used in the tests, not used in the library itself.
|
The memory sanitizer documentation says that it implements a subset of valgrind's memcheck. So I don't think we need both and can close this PR if we have valgrind. |
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh (Elichai Turkel) b4c1382 Add valgrind check to travis (Elichai Turkel) Pull request description: As discussed in #687 This adds valgrind check to the repo. It doesn't run on recovery+ecdh because of the time. No openssl because of uninitialized mem. I debated between with and without ASM, but decided with ASM because it might be more fragile(?). I wasn't sure if I should pass `-DVALGRIND` via `CFLAGS` or `CPPFLAGS`, it seems like because this is only C then there shouldn't even be `CPPFLAGS` but looks like we use `CPPFLAGS` in other places for the preprocessor definitions. If people are worried about the time it takes we can mark it as `allow_failure` although I don't think it's a problem here because there's only a handful of PRs and they're usually open for weeks. ACKs for top commit: real-or-random: ACK dd98cc9 I looked at the diff jonasnick: ACK dd98cc9 Tree-SHA512: 72d7f1f4c8dd4c58501ac1003b28296d6fd140a8f7711e9e3b3c04a3fbce358ff1c89d2e1d1c5489d7668d3019981264c5cadecae3d9b48cd38c9463e287d8ad
In #558 there was an unintialized memory read (in the tests). This happened in all travis test configs but only a single test configuration produced an error in a verify check. In order to catch issues with uninitialized memory reliably, this PR adds a test configuration with the clang memory sanitizer to travis. The memory sanitizer errors out when running with the unfixed schnorrsig PR.
The result of running this PR with an additional commit that adds an uninitialized memory can be viewed at https://travis-ci.org/jonasnick/secp256k1/jobs/607352962