Run master TSAN on gcc-12 (#2072)

* Run master TSAN on gcc-12 --------- Co-authored-by: Harrm <[email protected]>
qdrvm · May 16, 2024 · d0b94e0 · d0b94e0
1 parent 3ba5a61
commit d0b94e0
Show file tree

Hide file tree

Showing 14 changed files with 83 additions and 108 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -82,46 +82,6 @@ jobs:
           du -hd1 /__w /github || true
 
   Linux-self-hosted:
-    if: ${{ github.ref == 'refs/heads/master' || startsWith( github.ref, 'refs/tags/' ) }}
-    strategy:
-      fail-fast: false
-      matrix:
-        options:
-          - name: "Self-hosted: Linux: gcc-12 ASAN"
-            run: ./housekeeping/make_build.sh -DCLEAR_OBJS=ON -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain/gcc-12_cxx20.cmake -DASAN=ON
-          - name: "Self-hosted: Linux: clang-15 TSAN WAVM"
-            run: ./housekeeping/make_build.sh -DCLEAR_OBJS=ON -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain/clang-15_cxx20.cmake -DTSAN=ON -DWASM_COMPILER=WAVM
-          - name: "Self-hosted: Linux: clang-15 UBSAN"
-            run: ./housekeeping/make_build.sh -DCLEAR_OBJS=ON -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain/clang-15_cxx20.cmake -DUBSAN=ON
-          - name: "Self-hosted: Linux: clang-15 External Project"
-            run: ./housekeeping/make_external_build.sh -DCLEAR_OBJS=ON -DCMAKE_TOOLCHAIN_FILE=../../cmake/toolchain/clang-15_cxx20.cmake
-
-    name: "${{ matrix.options.name }}"
-    runs-on: [ actions-runner-controller ]
-    timeout-minutes: 60
-    container: qdrvm/kagome-dev:7-minideb
-    steps:
-      - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
-      - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
-        with:
-          path: ${{ env.CACHE_PATHS }}
-          key: ${{ github.job }}-${{ matrix.options.name }}-${{ env.CACHE_VERSION }}
-      - name: df du
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
-      - name: Install mold
-        run: ./housekeeping/ci_install_mold.sh --make-default
-      - name: "${{ matrix.options.name }}"
-        run: "${{ matrix.options.run }}"
-      - name: df du
-        if: ${{ always() }}
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
-
-  Linux-self-hosted-PR:
-    if: ${{ contains( github.event.pull_request.labels.*.name, 'Non-master self-hosted') }}
     strategy:
       fail-fast: false
       matrix:
@@ -145,19 +105,10 @@ jobs:
         with:
           path: ${{ env.CACHE_PATHS }}
           key: ${{ github.job }}-${{ matrix.options.name }}-${{ env.CACHE_VERSION }}
-      - name: df du
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
       - name: Install mold
         run: ./housekeeping/ci_install_mold.sh --make-default
       - name: "${{ matrix.options.name }}"
         run: "${{ matrix.options.run }}"
-      - name: df du
-        if: ${{ always() }}
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
 
   clang-tidy:
     name: "Linux: clang-tidy"
@@ -194,21 +145,12 @@ jobs:
         with:
           path: ${{ env.CACHE_PATHS }}
           key: ${{ github.job }}-${{ env.CACHE_VERSION }}
-      - name: df du
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
       - name: Install mold
         run: ./housekeeping/ci_install_mold.sh --make-default
       - name: makeBuild
         env:
           BUILD_FINAL_TARGET: ctest_coverage
         run: ./housekeeping/make_build.sh -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain/gcc-12_cxx20.cmake -DCOVERAGE=ON -DCLEAR_OBJS=ON
-      - name: df du
-        if: ${{ always() }}
-        run: |
-          df -m || true
-          du -hd1 /__w /github || true
       - if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         name: Submit Coverage
         env:

diff --git a/cmake/Hunter/config.cmake b/cmake/Hunter/config.cmake
@@ -40,7 +40,7 @@ hunter_config(
 
 hunter_config(
     libp2p
-    VERSION 0.1.21
+    VERSION 0.1.22
     KEEP_PACKAGE_SOURCES
 )
 

diff --git a/cmake/Hunter/hunter-gate-url.cmake b/cmake/Hunter/hunter-gate-url.cmake
@@ -1,5 +1,5 @@
 HunterGate(
-  URL  https://github.com/qdrvm/hunter/archive/refs/tags/v0.25.3-qdrvm10.zip
-  SHA1 9571399d8d091420131eb81f884521326c9d3615
+  URL  https://github.com/qdrvm/hunter/archive/refs/tags/v0.25.3-qdrvm11.zip
+  SHA1 20620ee1e2e9738b2d4561be2622d71e8c73bee9
   LOCAL
 )
diff --git a/cmake/toolchain/flags/sanitize_thread.cmake b/cmake/toolchain/flags/sanitize_thread.cmake
@@ -9,13 +9,22 @@ endif ()
 
 include(${CMAKE_CURRENT_LIST_DIR}/../../add_cache_flag.cmake)
 
+set(TSAN_IGNORELIST "${CMAKE_CURRENT_LIST_DIR}/../../../.thread-sanitizer-ignore")
+
+set(ENV{TSAN_OPTIONS} "suppressions=${TSAN_IGNORELIST}")
+
 set(FLAGS
     -fsanitize=thread
-    -fsanitize-blacklist="${CMAKE_CURRENT_LIST_DIR}/../../../.thread-sanitizer-ignore"
-    -fsanitize-ignorelist="${CMAKE_CURRENT_LIST_DIR}/../../../.thread-sanitizer-ignore"
     -g
     -O1
 )
+if (CMAKE_CXX_COMPILER_ID STREQUAL Clang)
+  set(FLAGS
+      ${FLAGS}
+      -fsanitize-blacklist="${TSAN_IGNORELIST}"
+      -fsanitize-ignorelist="${TSAN_IGNORELIST}"
+  )
+endif()
 
 foreach(FLAG IN LISTS FLAGS)
   add_cache_flag(CMAKE_CXX_FLAGS ${FLAG})

diff --git a/core/application/app_configuration.hpp b/core/application/app_configuration.hpp
@@ -264,6 +264,11 @@ namespace kagome::application {
      */
     virtual std::chrono::milliseconds pvfSubprocessDeadline() const = 0;
 
+    /**
+     * Whether secure validator mode should be disabled.
+     */
+    virtual bool disableSecureMode() const = 0;
+
     enum class OffchainWorkerMode { WhenValidating, Always, Never };
     /**
      * @return enum constant of the mode of run offchain workers

diff --git a/core/application/impl/app_configuration_impl.cpp b/core/application/impl/app_configuration_impl.cpp
@@ -6,6 +6,7 @@
 
 #include "application/impl/app_configuration_impl.hpp"
 
+#include <boost/program_options/value_semantic.hpp>
 #include <charconv>
 #include <filesystem>
 #include <limits>
@@ -891,6 +892,7 @@ namespace kagome::application {
         "Disables spawn of child pvf check processes, thus they could not be aborted by deadline timer")
         ("parachain-check-deadline", po::value<uint32_t>()->default_value(2000),
         "Pvf check subprocess execution deadline in milliseconds")
+        ("insecure-validator-i-know-what-i-do", po::bool_switch(), "Allows a validator to run insecurely outside of Secure Validator Mode.")
         ;
     po::options_description benchmark_desc("Benchmark options");
     benchmark_desc.add_options()
@@ -1512,6 +1514,10 @@ namespace kagome::application {
       pvf_subprocess_deadline_ = std::chrono::milliseconds(*arg);
     }
 
+    if (find_argument(vm, "insecure-validator-i-know-what-i-do")) {
+      disable_secure_mode_ = true;
+    }
+
     bool offchain_worker_value_error = false;
     find_argument<std::string>(
         vm,

diff --git a/core/application/impl/app_configuration_impl.hpp b/core/application/impl/app_configuration_impl.hpp
@@ -232,6 +232,9 @@ namespace kagome::application {
     std::chrono::milliseconds pvfSubprocessDeadline() const override {
       return pvf_subprocess_deadline_;
     }
+    bool disableSecureMode() const override {
+      return disable_secure_mode_;
+    }
 
    private:
     void parse_general_segment(const rapidjson::Value &val);
@@ -383,6 +386,7 @@ namespace kagome::application {
     bool should_precompile_parachain_modules_{true};
     bool use_pvf_subprocess_{true};
     std::chrono::milliseconds pvf_subprocess_deadline_{2000};
+    bool disable_secure_mode_{false};
   };
 
 }  // namespace kagome::application

diff --git a/core/dispute_coordinator/impl/sending_dispute.cpp b/core/dispute_coordinator/impl/sending_dispute.cpp
@@ -157,7 +157,7 @@ namespace kagome::dispute {
       protocol->doRequest(
           peer_id,
           request_,
-          [wp{weak_from_this()}, authority_id(authority_id), peer_id](
+          [wp{weak_from_this()}, authority_id(authority_id), peer_id(peer_id)](
               auto res) mutable {
             if (auto self = wp.lock()) {
               if (res.has_value()) {

diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp
@@ -271,29 +271,33 @@ namespace kagome::parachain {
     SL_VERBOSE(logger, "Cache directory: {}", input.cache_dir);
 
 #ifdef __linux__
-    SL_VERBOSE(logger, "Attempting to enable secure validator mode...");
+    if (!input.force_disable_secure_mode) {
+      SL_VERBOSE(logger, "Attempting to enable secure validator mode...");
 
-    if (auto res = changeRoot(input.cache_dir); !res) {
-      SL_ERROR(logger,
-               "Failed to enable secure validator mode (change root): {}",
-               res.error().message());
-      return std::errc::not_supported;
-    }
-    input.cache_dir = "/";
+      if (auto res = changeRoot(input.cache_dir); !res) {
+        SL_ERROR(logger,
+                 "Failed to enable secure validator mode (change root): {}",
+                 res.error().message());
+        return std::errc::not_supported;
+      }
+      input.cache_dir = "/";
 
-    if (auto res = enableLandlock(input.cache_dir); !res) {
-      SL_ERROR(logger,
-               "Failed to enable secure validator mode (landlock): {}",
-               res.error().message());
-      return std::errc::not_supported;
-    }
-    if (auto res = enableSeccomp(); !res) {
-      SL_ERROR(logger,
-               "Failed to enable secure validator mode (seccomp): {}",
-               res.error().message());
-      return std::errc::not_supported;
+      if (auto res = enableLandlock(input.cache_dir); !res) {
+        SL_ERROR(logger,
+                 "Failed to enable secure validator mode (landlock): {}",
+                 res.error().message());
+        return std::errc::not_supported;
+      }
+      if (auto res = enableSeccomp(); !res) {
+        SL_ERROR(logger,
+                 "Failed to enable secure validator mode (seccomp): {}",
+                 res.error().message());
+        return std::errc::not_supported;
+      }
+      SL_VERBOSE(logger, "Successfully enabled secure validator mode");
+    } else {
+      SL_WARN(logger, "Secure validator mode disabled in node configuration");
     }
-    SL_VERBOSE(logger, "Successfully enabled secure validator mode");
 #else
     SL_WARN(
         logger,

diff --git a/core/parachain/pvf/kagome_pvf_worker_injector.hpp b/core/parachain/pvf/kagome_pvf_worker_injector.hpp
@@ -111,12 +111,9 @@ namespace kagome::parachain {
                                                               input.cache_dir](
                                                              const auto
                                                                  &injector) {
-          std::optional<std::shared_ptr<runtime::wavm::ModuleCache>>
-              module_cache_opt;
-          if (cache_dir) {
-            module_cache_opt = std::make_shared<runtime::wavm::ModuleCache>(
-                injector.template create<sptr<crypto::Hasher>>(), *cache_dir);
-          }
+          kagome::filesystem::path path_cache_dir(cache_dir);
+          auto module_cache = std::make_shared<runtime::wavm::ModuleCache>(
+              injector.template create<sptr<crypto::Hasher>>(), path_cache_dir);
           return std::make_shared<runtime::wavm::ModuleFactoryImpl>(
               injector
                   .template create<sptr<runtime::wavm::CompartmentWrapper>>(),
@@ -125,7 +122,7 @@ namespace kagome::parachain {
               injector.template create<sptr<storage::trie::TrieStorage>>(),
               injector.template create<sptr<storage::trie::TrieSerializer>>(),
               injector.template create<sptr<runtime::wavm::IntrinsicModule>>(),
-              module_cache_opt,
+              module_cache,
               injector.template create<sptr<crypto::Hasher>>());
         }),
         bind_by_lambda<runtime::ModuleFactory>([](const auto &injector) {

diff --git a/core/parachain/pvf/pvf_impl.cpp b/core/parachain/pvf/pvf_impl.cpp
@@ -351,6 +351,7 @@ namespace kagome::parachain {
         executor_params,
         app_configuration_->runtimeCacheDirPath(),
         app_configuration_->log(),
+        app_configuration_->disableSecureMode(),
     };
     runWorker(*io_context_,
               scheduler_,

diff --git a/core/parachain/pvf/pvf_worker_types.hpp b/core/parachain/pvf/pvf_worker_types.hpp
@@ -23,7 +23,7 @@ namespace kagome::parachain {
   };
 
   struct PvfWorkerInput {
-    SCALE_TIE(7);
+    SCALE_TIE(8);
 
     RuntimeEngine engine;
     common::Buffer runtime_code;
@@ -32,6 +32,7 @@ namespace kagome::parachain {
     runtime::RuntimeContextFactory::ContextParams runtime_params;
     std::string cache_dir;
     std::vector<std::string> log_params;
+    bool force_disable_secure_mode;
   };
 
 }  // namespace kagome::parachain
diff --git a/test/core/parachain/secure_mode.cpp b/test/core/parachain/secure_mode.cpp
@@ -11,6 +11,8 @@
 #include <filesystem>
 #include <fstream>
 #include <ios>
+#include <libp2p/common/final_action.hpp>
+#include <system_error>
 #include <type_traits>
 
 #include "parachain/pvf/kagome_pvf_worker.hpp"
@@ -60,21 +62,23 @@ TEST(SecureMode, SeccompWorks) {
 }
 
 TEST(SecureMode, ChangeRootWorks) {
-  EXPECT_EXIT(
-      ([=]() {
-        auto dir =
-            std::filesystem::temp_directory_path() / "kagome_secure_mode_test";
-        std::filesystem::create_directories(dir);
-        ASSERT_OUTCOME_SUCCESS_TRY(changeRoot(dir));
-        ASSERT_EQ(std::filesystem::current_path(), "/");
-        ASSERT_EQ(std::distance(std::filesystem::directory_iterator{"/"},
-                                std::filesystem::directory_iterator{}),
-                  0);
-        ASSERT_EQ(std::filesystem::canonical(".."), "/");
-        std::exit(0);
-      }()),
-      testing::ExitedWithCode(0),
-      "");
+  // since death tests use fork(), landlock restrictions will not leak to other
+  // tests in the suite
+  EXPECT_EXIT(([=]() {
+                libp2p::common::FinalAction final = []() { std::exit(0); };
+                auto dir = std::filesystem::temp_directory_path()
+                         / "kagome_secure_mode_test/chroot";
+                std::filesystem::create_directories(dir);
+                ASSERT_OUTCOME_SUCCESS_TRY(changeRoot(dir));
+                ASSERT_EQ(std::filesystem::current_path(), "/");
+                ASSERT_EQ(
+                    std::distance(std::filesystem::directory_iterator{"/"},
+                                  std::filesystem::directory_iterator{}),
+                    0);
+                ASSERT_EQ(std::filesystem::canonical(".."), "/");
+              }()),
+              testing::ExitedWithCode(0),
+              "");
 }
 
 void accessFs(const std::filesystem::path &dir, bool should_succeed) {
@@ -120,7 +124,7 @@ void accessFs(const std::filesystem::path &dir, bool should_succeed) {
   }
 }
 
-TEST(SecureMode, LandlockWorks) {
+TEST(SecureMode, DISABLED_LandlockWorks) {
   auto dir = std::filesystem::temp_directory_path() / "kagome_secure_mode_test";
   std::filesystem::create_directories(dir);
   std::filesystem::current_path(dir);

diff --git a/test/mock/core/application/app_configuration_mock.hpp b/test/mock/core/application/app_configuration_mock.hpp
@@ -146,6 +146,8 @@ namespace kagome::application {
                 (),
                 (const, override));
 
+    MOCK_METHOD(bool, disableSecureMode, (), (const, override));
+
     MOCK_METHOD(bool, isOffchainIndexingEnabled, (), (const, override));
 
     MOCK_METHOD(std::optional<Subcommand>, subcommand, (), (const, override));