Source release 16.4.0

2020-10-09 16:08:56 -07:00
parent 160df9f57a
commit 9d17a531ee
562 changed files with 52913 additions and 37426 deletions
--- a/oemcrypto/test/fuzz_tests/README.md
+++ b/oemcrypto/test/fuzz_tests/README.md
@@ -139,9 +139,76 @@
    ```
    *Note*: Make sure LLVMFuzzerTestOneInput calls the function you want to fuzz.

-*   Add a new target to oemcrypto_fuzztests.gyp file and follow instructions in 
+*   Add a new target to oemcrypto_fuzztests.gyp file and follow instructions in
    [testing fuzzer locally](#testing-fuzzer-locally) to build and test locally.

+## Building OEMCrypto fuzz scripts and uploading them to Google Cloud Storage:
+
+*   We are using Google Cloud Buid (GCB) in order to setup continuous
+    integration which uploads OEMCrypto fuzz binaries to Google Cloud Storage.
+    GCB expects build script in form of a docker image that is uploaded to
+    Google Container Registry(GCR).
+
+    The cloud build scripts (docker images) for widevine projects are
+    [here](https://widevine-internal.googlesource.com/cloud/+/refs/heads/master/docker/README.md)
+
+    Refer to README of the project to setup a new docker image and uploading
+    the image to GCR.
+
+*   Git on borg repository needs to be integrated with GCB and a git trigger
+    needs to be set up in order to achieve continuous integration. Git trigger
+    will mention which docker image the GCB needs to use in order to build fuzz
+    binaries. GCB searches for docker images from GCR.
+
+    Design document lists the steps to create a git trigger.
+
+### Adding a new fuzz script to the build script:
+
+*   In order to update build script such as adding a new fuzzer to build script,
+    we need to update the build script in docker image from cloud repository.
+    [Build script.](https://widevine-internal.googlesource.com/cloud/+/refs/heads/master/docker
+    /cloud_build/oemcrypto/release/ubuntu/fuzz/build.sh)
+
+    Add the new fuzz script name to fuzzers variable and follow steps in README
+    to upload new docker image. Make sure you update the tag to be higher than
+    latest version in GCR.
+
+    Run the following command from your machine to update the docker image tag
+    in the git trigger.
+
+    ```shell
+      stubby call --rpc_creds_file=/tmp/mint.txt \
+      blade:alphasource-ci-proctor-metadata-service-prod \
+      ProctorMetadataService.UpdateTrigger --proto2 <<EOF
+      trigger {
+        cloud_project_number: 257246079067
+        name: "cdm-git-trigger"
+        id: "e8939c9a-d971-4c05-91b5-e0544abf872b"
+        state: LIVE
+        git_trigger {
+          url: "https://widevine-internal.googlesource.com/cdm"
+          branch_name: "master"
+        }
+        build_configs {
+          build {
+            steps {
+              name: "gcr.io/google.com/blockbuster-1154/
+              cloud-build-oemcrypto-release-ubuntu-fuzz:LATEST_TAG_VERSION"
+            }
+          }
+        }
+        result_config {
+          email_config {
+            notify_condition {
+              condition: ON_FAILURE
+            }
+            to_address: "wideving-engprod@google.com"
+          }
+        }
+      }
+      EOF
+    ```
+
 ## Generate code coverage reports locally

 *   Code coverage is a means of measuring fuzzer performance. We want to make
@@ -152,36 +219,29 @@
    generated manually. Future plan is to build a dashboard for git on borg
    coverage reports.

-*   In order to generate coverage reports, we need to compile fuzzer binary with
-    flags to enable coverage. We can remove
-    `-fsanitize=fuzzer,address,undefined` from oemcrypto_fuzztests.gypi file as
-    that is needed only while fuzzing. Add following flags to both cflags_cc and
-    ldflags of oemcrypto_fuzztests.gypi and build fuzz binaries as mentioned in
-    `Testing fuzzer locally` section.
+### Generate code coverage reports using script from Google cloud build
+*   A docker image with script to generate code coverage reports for oemcrypto
+    fuzz scripts is linked with a GCB trigger
+    `oemcrypto-fuzzing-code-coverage-git-trigger`. More information about clang
+    source based coverage can be found
+    [here](https://clang.llvm.org/docs/SourceBasedCodeCoverage.html).

-    ```
-    '-fprofile-instr-generate',
-    '-fcoverage-mapping',
-    ```
+*   This trigger when invoked compiles oemcrypto fuzz scripts with clang source
+    based code coverage enabled, downloads latest corpus from cluster fuzz
+    for the respective fuzzer, generates and uploads code coverage html reports
+    to [GCS](https://pantheon.corp.google.com/storage/browser/oemcrypto_fuzzing_code_coverage_reports;tab=objects?forceOnBucketsSortingFiltering=false&project=google.com:blockbuster-1154&prefix=).

-*   We need to run fuzzer binary against the corpus downloaded from
-    [clusterfuzz](https://clusterfuzz.corp.google.com/fuzzer-stats). Clock on
-    download link from corpus_backup column. Use gsutil command to download the
-    entire corpus for the fuzz binary.
+*   The trigger can be invoked manually using cloud scheduler
+    `oemcrypto_fuzzing_code_coverage_reports`.

-*   Use the following commands to generate raw profile data file with coverage
-    information and generate a html coverage report for a single fuzzer. More
-    information about clang source based coverage can be found
-    [here](https://clang.llvm.org/docs/SourceBasedCodeCoverage.html). Follow
-    [this](https://clang.llvm.org/docs/SourceBasedCodeCoverage.html) for steps
-    to combine code coverage reports of multiple fuzzers.
+*   In order to generate latest code coverage reports from master branch,
+    go to pantheon->cloud scheduler->oemcrypto_fuzzing_code_coverage_reports and
+    click on `RUN NOW` button.

-    ```shell
-    # Run fuzz binary against corpus backup to generate default.profraw file.
-    $ ./out/Default/fuzz_binary path/to/corpus/backup -runs=0
-    # Index raw profile files to generate coverage reports.
-    $ llvm-profdata merge -sparse default.profraw -o default.profdata
-    # Generate html coverage file.
-    $ llvm-cov show ./out/Default/fuzz_binary -format=html \
-    -instr-profile=default.profdata -o default.html
-    ```
+*   The above step should invoke a google cloud build. Go to cloud build console
+    and find latest build job with Trigger Name
+    `oemcrypto-fuzzing-code-coverage-git-trigger`.
+
+*   Once the build job is successful, latest code coverage reports can be
+    downloaded from [GCS](https://pantheon.corp.google.com/storage/browser/oemcrypto_fuzzing_code_coverage_reports;tab=objects?forceOnBucketsSortingFiltering=false&project=google.com:blockbuster-1154&prefix=).
+    The coverage report folder uploaded to GCS is appended with timestamp.