Fix ox-ruby build, fix detection of ruby targets, make ruby more consistent with other languages.

[jonathanmetzman]

No description provided.

[jonathanmetzman]

/gcbrun trial_build.py ruby

[jonathanmetzman]

@AdvenamTacet @mschwager by the way is there a way we can bundle the ruby interpreter, with the fuzzers/scripts like we do with Python?

[AdvenamTacet]

This week I have no access to my PC, but if you could point me to what you exactly mean, I should have enough time for open source next week to try to implement it.

I believe that Ruby and Python implementations are similar enough to assume that it's possible.

[oliverchang]

This week I have no access to my PC, but if you could point me to what you exactly mean, I should have enough time for open source next week to try to implement it.

I believe that Ruby and Python implementations are similar enough to assume that it's possible.

Sorry for the delayed responses! I'm chiming in @jonathanmetzman 's stead here.

What we mean is, for Python for example we bundle the interpreter via pyinstaller. see https://google.github.io/oss-fuzz/getting-started/new-project-guide/python-lang/#buildsh:

  # To avoid issues with Python version conflicts, or changes in environment
  # over time on the OSS-Fuzz bots, we use pyinstaller to create a standalone
  # package. Though not necessarily required for reproducing issues, this is
  # required to keep fuzzers working properly in OSS-Fuzz.
  pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer

Is there some equivalent for Ruby we can use here?

[mschwager]

Hey, thanks for the PR, overall this LGTM 👍

Is there some equivalent for Ruby we can use here?

Hmm, searching around a bit, it looks like traveling-ruby, ruby-packer, or mruby could be options, but I don't have experience with any of them. Is finding and implementing a Ruby packer a blocker for this PR? I ask because finding one and making sure it works properly could take a bit of time, so I wouldn't want to hold up this PR if we don't have to.

[kirito999]

tail of https://oss-fuzz-build-logs.storage.googleapis.com/index.html#ox-ruby
Step #4 - "build-check-libfuzzer-address-x86_64": ERROR: No fuzz targets found.
Step #4 - "build-check-libfuzzer-address-x86_64": ********************************************************************************
Step #4 - "build-check-libfuzzer-address-x86_64": Build checks failed.
Step #4 - "build-check-libfuzzer-address-x86_64": To reproduce, run:
Step #4 - "build-check-libfuzzer-address-x86_64": python infra/helper.py build_image ox-ruby
Step #4 - "build-check-libfuzzer-address-x86_64": python infra/helper.py build_fuzzers --sanitizer address --engine libfuzzer --architecture x86_64 ox-ruby
Step #4 - "build-check-libfuzzer-address-x86_64": python infra/helper.py check_build --sanitizer address --engine libfuzzer --architecture x86_64 ox-ruby
Step #4 - "build-check-libfuzzer-address-x86_64": ********************************************************************************

Outfile should rename to pass check. And maybe edit ruzzy_build or ox/build.sh can solve the error.

such as :
fuzz_parse -> parse_fuzzer
fuzz_sax_parse -> sax_parse_fuzzer

[kirito999]

And in Step #3 - "compile-libfuzzer-address-x86_64"

how to borrow ox env(gem install ox) to next step(runner)?

should edit ox/Dockerfile to install ox again in runner env？

[AdvenamTacet]

should edit ox/Dockerfile to install ox again in runner env？

No. Installing ox in runner should not be necessary.

The idea is to install ox (or any other project) in $OUT subdirectory (like $OUT/fuzz-gem). Then it's available in builder and runner. It requires environment variables/installation flags set during build and run.

oss-fuzz/infra/base-images/base-builder-ruby/Dockerfile

Lines 52 to 53 in e0d3b99

	ENV GEM_HOME="$OUT/fuzz-gem"
	ENV GEM_PATH="/install/ruzzy"

[oliverchang]

Hey, thanks for the PR, overall this LGTM 👍

Is there some equivalent for Ruby we can use here?

Hmm, searching around a bit, it looks like traveling-ruby, ruby-packer, or mruby could be options, but I don't have experience with any of them. Is finding and implementing a Ruby packer a blocker for this PR? I ask because finding one and making sure it works properly could take a bit of time, so I wouldn't want to hold up this PR if we don't have to.

Unfortunately, this (making the builds self contained and portable in some way) is a pretty big requirement for us. Our actual execution environment (ClusterFuzz), uses a different image from OSS-Fuzz, and changes over time. We need the ability to execute older builds even if the runtime image is updated (for bisecting older builds).

[mschwager]

Hey all,

I've started to work on this, but I'm having some issues running things locally. It appears to be issues compiling centipede locally:

$ python infra/helper.py build_image base-builder
...
16.07 Server terminated abruptly (error code: 14, error message: 'Socket closed', log file: '/root/.cache/bazel/_bazel_root/01f2dc9a2beab65d52412fb8bf07d1a0/server/jvm.out')
16.07 
------
Dockerfile:142
--------------------
 140 |     ENV CENTIPEDE_BIN_DIR=$SRC/fuzztest/bazel-bin
 141 |     COPY precompile_centipede /usr/local/bin/
 142 | >>> RUN precompile_centipede
 143 |     
 144 |     COPY sanitizers /usr/local/lib/sanitizers
--------------------
ERROR: failed to solve: process "/bin/sh -c precompile_centipede" did not complete successfully: exit code: 37
ERROR:__main__:Docker build failed.

This issue (tensorflow/models#3647 (comment)) has lead me to believe I need to lower the job count and/or increase memory. I've given the Docker containers 72GB of memory, so I'm surprised it's that memory hungry. I've also tried passing -j 8 to bazel build in infra/base-images/base-builder/precompile_centipede and I get the following error:

73.10 ERROR: /src/fuzztest/centipede/BUILD:703:11: Compiling centipede/runner_fork_server.cc failed: (Exit -1): clang-18 failed: error executing CppCompile command (from target //centipede:centipede_runner_no_main) /usr/local/bin/clang-18 -U_FORTIFY_SOURCE -fstack-protector -Wall -Wthread-safety -Wself-assign -Wunused-but-set-parameter -Wno-free-nonheap-object -fcolor-diagnostics -fno-omit-frame-pointer -g0 -O2 ... (remaining 30 arguments skipped)
73.10 
73.10 Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
73.10 Action failed to execute: java.io.IOException: Cannot run program "/root/.cache/bazel/_bazel_root/install/ec66cb4ed623de0db7a7f89408b9b468/process-wrapper" (in directory "/root/.cache/bazel/_bazel_root/01f2dc9a2beab65d52412fb8bf07d1a0/sandbox/processwrapper-sandbox/244/execroot/_main"): error=0, Failed to exec spawn helper: pid: 1905, signal: 4
73.52 INFO: Elapsed time: 65.219s, Critical Path: 7.36s
73.52 INFO: 813 processes: 576 internal, 237 processwrapper-sandbox.
73.52 ERROR: Build did NOT complete successfully
------
Dockerfile:142
--------------------
 140 |     ENV CENTIPEDE_BIN_DIR=$SRC/fuzztest/bazel-bin
 141 |     COPY precompile_centipede /usr/local/bin/
 142 | >>> RUN precompile_centipede
 143 |     
 144 |     COPY sanitizers /usr/local/lib/sanitizers
--------------------
ERROR: failed to solve: process "/bin/sh -c precompile_centipede" did not complete successfully: exit code: 36
ERROR:__main__:Docker build failed.

Have you seen anything like this before, or are there any steps I'm missing for running locally?

[AdvenamTacet]

@mschwager you can see this error while building base-image locally. Instead, you can pull the base-image and build other images based on the pulled one. If you already have that image, you can use helper.py or you can use infra/base-images/all.sh (comment out images you don't need) for simplicity.

Also, docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang sometimes fails for me, but it's enough to rerun.

[mschwager]

@mschwager you can see this error while building base-image locally. Instead, you can pull the base-image and build other images based on the pulled one. If you already have that image, you can use helper.py or you can use infra/base-images/all.sh (comment out images you don't need) for simplicity.

Also, docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang sometimes fails for me, but it's enough to rerun.

Hmm, I'm sure I can hack up files locally to make things build. But the problem I'm currently having is install_ruby.sh is copied in by infra/base-images/base-builder/Dockerfile. So if I modify install_ruby.sh then I need to rebuild the base for the changes to take effect. Is there a better way to do this, or do I need to rebuild the base every time I modify install_ruby.sh?

I guess I can add a line to copy it in in infra/base-images/base-builder-ruby/Dockerfile. But that begs the question, why are the install_*.sh scripts copied in by the base and not the respective language/s builder Dockerfile? 🤷

[AdvenamTacet]

@mschwager you pull only base-image, then locally build base-clang and base-builder. Therefore, if you modify install_ruby.sh which is added in base-builder, this change is included in your final image.

Edit: and yes, you have to rebuild base-builder every time you modify install_ruby.sh. Later it's enough to rebuild that one image and all based on it.

But that begs the question, why are the install_*.sh scripts copied in by the base and not the respective language/s builder Dockerfile?

I added it there, because all other languages were implemented that way already. Thankfully, base-builder builds really fast, only base-clang takes a while and you don't need to do it more than once.

[mschwager]

I've made some progress, but I haven't gotten anything working end-to-end.

The different architectures in play here are giving my system issues. I'm running this on a Mac with Apple silicon, so ARM64, and using Docker Desktop for Mac. I was initially using the infra/helper.py script, but that wasn't detecting local Docker image modifications correctly. I suspect this is due to docker build vs. docker buildx build discrepancies in the script. So I ended up running docker commands manually and appending --platform linux/amd64 everywhere. With this I was able to successfully build the base-builder, base-builder-ruby, and ox-ruby images. So I got to the point where I can test out some of these Ruby packager solutions.

Tebako

I started with tebako. I got quite far with this tool, but I haven't been able to successfully build a packaged binary with all the necessary contents. Here was the final error:

$ tebako press --root=/src/ox-ruby --entry-point=fuzz_parse.rb --output=/tmp/ox-fuzz.teb
...
make[9]: *** [lib/CMakeFiles/libzstd_shared.dir/build.make:202: lib/CMakeFiles/libzstd_shared.dir/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/compress/hist.c.o] Illegal instruction
make[9]: *** Waiting for unfinished jobs....
...
make[8]: *** [CMakeFiles/Makefile2:128: lib/CMakeFiles/libzstd_shared.dir/all] Error 2
make[8]: *** Waiting for unfinished jobs....
...
[ 57%] Building C object lib/CMakeFiles/libzstd_static.dir/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v04.c.o
[ 59%] Building C object lib/CMakeFiles/libzstd_static.dir/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v05.c.o
/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v04.c:3548:35: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
 3548 | size_t ZBUFFv04_recommendedDInSize()  { return BLOCKSIZE + 3; }
      |                                   ^
      |                                    void
/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v04.c:3549:36: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
 3549 | size_t ZBUFFv04_recommendedDOutSize() { return BLOCKSIZE; }
      |                                    ^
      |                                     void
[ 60%] Building C object lib/CMakeFiles/libzstd_static.dir/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v06.c.o
[ 61%] Building C object lib/CMakeFiles/libzstd_static.dir/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v07.c.o
2 warnings generated.
[ 63%] Linking C static library libzstd.a
[ 63%] Built target libzstd_static
make[7]: *** [Makefile:136: all] Error 2
make[6]: *** [CMakeFiles/_zstd.dir/build.make:86: /root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd-stamp/_zstd-build] Error 2
make[5]: *** [CMakeFiles/Makefile2:156: CMakeFiles/_zstd.dir/all] Error 2
make[4]: *** [Makefile:136: all] Error 2
make[3]: *** [CMakeFiles/_dwarfs_wr.dir/build.make:86: /root/.tebako/deps/src/_dwarfs_wr-stamp/_dwarfs_wr-build] Error 2
make[2]: *** [CMakeFiles/Makefile2:91: CMakeFiles/_dwarfs_wr.dir/all] Error 2
make[1]: *** [CMakeFiles/Makefile2:257: CMakeFiles/tebako.dir/rule] Error 2
make: *** [Makefile:202: tebako] Error 2
Tebako script failed: 'tebako press' build step failed [104]

The Illegal instruction errors occur frequently throughout the many things that need to be built here. Most of them don't appear to be fatal to the build process. I'm not sure if that's what ultimately failed this build. I suspect this is due to the architecture discrepancies (e.g. ARM64 vs AMD64). So I could never get tebako to work properly. It also currently only appears to support clang-12 on Ubuntu 20.04. These base-builder images are using clang-18, so that could be an issue too.

ruby-packer

This ultimately resulted in an Illegal instruction too:

$ ./rubyc -r /src/ox-ruby -o /tmp/ox-bin /src/ox-ruby/fuzz_parse.rb
...
make[1]: *** [Makefile:7798: test/buildtest_pkcs7.c] Illegal instruction
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/tmp/rubyc/openssl'
make: *** [Makefile:174: all] Error 2

Additionally, ruby-packer is unmaintained, hasn't had an update in 4 years, and is currently hardcoded to use Ruby 2.7.1. Ruzzy requires Ruby > 3.0.0, so I don't think this tool will work either.

traveling-ruby

This project also appears to be unmaintained, and hasn't had an update in 3 years. It states that arbitrary Ruby C extensions aren't supported. Since this is a requirement for Ruzzy, I don't think this project will work either.

mruby-cli

I didn't try this one, but it hasn't had an update in 8 years, so I doubt it will work.

Conclusion

tebako seems like the most promising, but I'm not sure if it's mature enough yet. All the other tools seem to have bit rotted. I don't think Ruby currently has a mature equivalent for Python's pyinstaller. So I'm not sure if we can achieve the goal of bundled, single file binaries to run Ruzzy fuzz jobs.

[mschwager]

This was as far as I got with tebako: mschwager@b65333b.

I think if we can ignore the following CMake compiler warnings then tebako may work:

/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v04.c:3548:35: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
 3548 | size_t ZBUFFv04_recommendedDInSize()  { return BLOCKSIZE + 3; }
      |                                   ^
      |                                    void
/root/.tebako/deps/src/_dwarfs_wr/deps/src/_zstd/lib/legacy/zstd_v04.c:3549:36: warning: a function declaration without a prototype is deprecated in all versions of C [-Wstrict-prototypes]
 3549 | size_t ZBUFFv04_recommendedDOutSize() { return BLOCKSIZE; }
      |                                    ^
      |  

I think it's failing on the zstd compilation here: https:/tamatebako/tebako/blob/685a6ea6e3869fa2db4f121aaf7d4549eb084920/CMakeLists.txt#L309-L328

[mschwager]

Okay, some updates here.

I've gotten tebako (kinda) working. I think the Illegal instruction errors I was getting inside the OSS-Fuzz containers were preventing me from making progress. It looks like the gcr.io/oss-fuzz-* OSS-Fuzz images are only built for x86_64. I see there's some support for aarch64, but it doesn't look like those are currently pushed to the container registry. Regardless, trying to piece all this together at the same time was too many moving pieces, so I decided to try and get tebako working with Ruzzy in a minimally viable way. Here's the environment I created for that:

FROM --platform=linux/arm64 ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt update
RUN apt install -y sudo git curl build-essential pkg-config bison flex autoconf   \
    binutils-dev libevent-dev acl-dev libfmt-dev libjemalloc-dev libiberty-dev    \
    libdouble-conversion-dev liblz4-dev liblzma-dev libssl-dev libunwind-dev      \
    libboost-filesystem-dev libboost-program-options-dev libboost-system-dev      \
    libboost-iostreams-dev  libboost-date-time-dev libboost-context-dev           \
    libboost-regex-dev libboost-thread-dev libbrotli-dev libdwarf-dev libelf-dev  \
    libgoogle-glog-dev libffi-dev libgdbm-dev libyaml-dev libncurses-dev          \
    libreadline-dev libutfcpp-dev libncurses-dev libreadline-dev gcc-10 g++-10    \
    clang-12 clang++-12 ruby-dev ruby-bundler libstdc++-10-dev

ARG CMAKE_VERSION=3.26.5
ENV CC=clang-12
ENV CXX=clang++-12

RUN mkdir -p cmake-install && \
    curl -L -o cmake-install/cmake.sh \
        https:/Kitware/CMake/releases/download/v"$CMAKE_VERSION"/cmake-"$CMAKE_VERSION"-linux-aarch64.sh && \
    sh cmake-install/cmake.sh --skip-license --prefix="/usr/local"

RUN git clone --recurse-submodules https:/tamatebako/tebako.git
WORKDIR /tebako
RUN git checkout v0.8.7
RUN bundle install
RUN exe/tebako clean_ruby
RUN exe/tebako setup -R 3.2.5

RUN git clone https:/ohler55/ox
RUN mkdir -p ox/bin/
COPY fuzz_parse.rb ox/bin/

CMD ["/bin/bash"]

# Add the following to ox/ox.gemspec to allow the tebako entrypoint to work:
# s.files = Dir['{lib,ext}/**/*.{rb,h,c}'] + ['LICENSE', 'README.md', 'CHANGELOG.md'] + Dir["bin/**/*.rb"]
# s.bindir        = 'bin'
# s.executables << "fuzz_parse.rb”
# s.add_runtime_dependency 'ruzzy'

# RUN MAKE="make --environment-overrides V=1" \
#     LDSHARED="$CC -shared" \
#     LDSHAREDXX="$CXX -shared" \
#     CFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
#     CXXFLAGS="-fsanitize=fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g" \
#     exe/tebako press --root=ox --entry-point=fuzz_parse.rb --output=fuzz_parse -R 3.2.5

NOTE: The extensive compilations happening here have quite a bit of non-determinism. I've broken necessary tools and re-fixed them by simply running the same command. Take this into consideration if you're going down this path. For example, the exe/tebako press command went from working, to compiler errors, to working again, all with the same command being run 🤷.

If you run the above Docker image you'll be dropped into a shell to play around with the resultant artifacts. After tebako press successfully runs you will be presented with a fuzz_parse binary. This binary should include the fuzzing target, harness, and everything necessary to run the fuzzer. We're closer, but we're not quite there yet:

root@1caf8b55ccab:/tebako# ./fuzz_parse -help=1
Usage:

To run fuzzing pass 0 or more directories.
/__tebako_memfs__/bin/fuzz_parse.rb [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]

To run individual tests without fuzzing pass 1 or more files:
/__tebako_memfs__/bin/fuzz_parse.rb [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...]

Flags: (strictly in form -flag=value)
 verbosity                           	1	Verbosity level.
...

root@1caf8b55ccab:/tebako# LD_PRELOAD=./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so ./fuzz_parse 
Segmentation fault

I'm not sure why it's seg faulting - there could be a million reasons. I suspect something isn't linking properly.

Here's the backtrace:

root@1caf8b55ccab:/tebako# LD_PRELOAD=./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so gdb fuzz_parse
warning: Found custom handler for signal 7 (Bus error) preinstalled.
warning: Found custom handler for signal 8 (Floating point exception) preinstalled.
warning: Found custom handler for signal 11 (Segmentation fault) preinstalled.
Some signal dispositions inherited from the environment (SIG_DFL/SIG_IGN)
won't be propagated to spawned programs.
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
...
(gdb) run
Starting program: /tebako/fuzz_parse 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000000000d540b8 in malloc_conf_init_helper ()
#2  0x0000000000d55dc4 in malloc_init_hard_a0_locked ()
#3  0x0000000000d55fc8 in malloc_init_hard ()
#4  0x0000000000d5a544 in calloc ()
#5  0x0000fffff74708b4 in _dlerror_run (operate=operate@entry=0xfffff74701f8 <dlsym_doit>, 
    args=args@entry=0xfffffffff448) at dlerror.c:148
#6  0x0000fffff7470290 in __dlsym (handle=<optimized out>, name=<optimized out>) at dlsym.c:70
#7  0x0000fffff75b0af8 in __interception::InterceptFunction(char const*, unsigned long*, unsigned long, unsigned long) () from ./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so
#8  0x0000fffff75913e8 in InitializeCommonInterceptors() ()
   from ./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so
#9  0x0000fffff7590c40 in __asan::InitializeAsanInterceptors() ()
   from ./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so
#10 0x0000fffff75ac8cc in __asan::AsanInitInternal() ()
   from ./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so
#11 0x0000fffff7590c0c in __interceptor___cxa_atexit ()
   from ./o/s/lib/ruby/gems/3.2.0/gems/ruzzy-0.7.0/ext/cruzzy/asan_with_fuzzer.so
#12 0x000000000059fa3c in __sanitizer::InitializeCoverage(bool, char const*) ()
#13 0x00000000005a7640 in __ubsan::InitAsStandalone() ()
#14 0x000000000058d6dc in __ubsan::PreInitAsStandalone() ()
#15 0x0000fffff7fdaa3c in _dl_init (main_map=0xfffff7fff210, argc=1, argv=0xfffffffff648, 
    env=0xfffffffff658) at dl-init.c:104
#16 0x0000fffff7fcd184 in _dl_start_user () from /lib/ld-linux-aarch64.so.1
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

So something with malloc? My debugging expertise in this area is not so great, so I could definitely use some help. Some portions of the compiled artifacts are using jemalloc, so perhaps that's causing issues? For example, I think the underlying Ruby build and their libdwarfs use jemalloc, but I haven't 100% confirmed this.

So next steps would be debugging this segmentation fault and determining why fuzzing isn't fully executing as expected.