Fixes for Missing Instrumentation of Native Extension Code
Native extensions used by this project were not being instrumented despite the environment variables set in build.sh because pip was downloading prebuilt binaries instead of building them with appropriate flags. The result was reduced fuzzer efficacy for ASAN runs and little to no value for UBSAN runs.
This is fixed by building dependencies with instrumentation in build.sh:
Passing --no-binary :all: to pip install instructs pip to prefer building/compiling the required dependencies rather than downloading a pre-built binary. The result is a slower install, but enables more effective fuzzing by instrumenting native extensions shipped with dependencies.
:all: is used instead of specifying individual dependencies to make the build more resilient and adaptable to upstream dependency changes.
The Dockerfile was also updated to install the required build dependencies.
Misc.
Moves the pip upgrade into the Dockerfile so it is only done once
when the image is built.
Removes the google-cloud-core install step and instead relies on the
google-cloud-iam package to specify its own dependencies.
Removes deprecated enable_python_coverage=True argument from
atheris.Setup.
DaveLak is a new contributor to projects/gc-iam. The PR must be approved by known contributors before it can be merged. The past contributors are: arthurscchan
Fixes Monorail Issue 61581.
The https://github.com/googleapis/python-iam repository was archived on 2023-10-26 and the project was moved to the google-cloud-iam package in the https://github.com/googleapis/google-cloud-python repository. The upstream migration removed the source code from the original repo, resulting in the broken build.
Related PRs Fixing Similar Issues
12015
12016
Other Changes Introduced Here
Fixes for Missing Instrumentation of Native Extension Code
Native extensions used by this project were not being instrumented despite the environment variables set in build.sh because pip was downloading prebuilt binaries instead of building them with appropriate flags. The result was reduced fuzzer efficacy for ASAN runs and little to no value for UBSAN runs.
This is fixed by building dependencies with instrumentation in build.sh:
Passing --no-binary :all: to pip install instructs pip to prefer building/compiling the required dependencies rather than downloading a pre-built binary. The result is a slower install, but enables more effective fuzzing by instrumenting native extensions shipped with dependencies.
:all: is used instead of specifying individual dependencies to make the build more resilient and adaptable to upstream dependency changes.
The Dockerfile was also updated to install the required build dependencies.
Misc.
Moves the pip upgrade into the Dockerfile so it is only done once when the image is built.
Removes the google-cloud-core install step and instead relies on the google-cloud-iam package to specify its own dependencies.
Removes deprecated enable_python_coverage=True argument from atheris.Setup.
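Added example, not part of this PR or the project's code: a post-install check that flags native extensions which were installed as prebuilt binaries and therefore carry no sanitizer instrumentation, the failure described above. It assumes that an instrumented shared object references symbols prefixed `__asan_`, `__ubsan_handle_` or `__sanitizer_cov_`, and it searches the raw file bytes for those prefixes as a heuristic; the function names and the sample files are constructed for illustration.

```python
"""Heuristic audit: which installed native extensions lack sanitizer symbols?"""
import sys
import tempfile
from pathlib import Path

# Symbol-name prefixes referenced by modules compiled with the matching
# -fsanitize option. Matching raw bytes is an assumption of this example,
# not a full ELF symbol-table parse.
MARKERS = {
    "asan": b"__asan_",
    "ubsan": b"__ubsan_handle_",
    "coverage": b"__sanitizer_cov_",
}


def sanitizer_markers(path):
    """Return the sanitizer names whose symbol prefix occurs in the file."""
    data = Path(path).read_bytes()
    return {name for name, prefix in MARKERS.items() if prefix in data}


def audit_extensions(root, required=("asan",)):
    """Map each *.so under root that lacks a required marker to what it lacks."""
    missing = {}
    for ext in sorted(Path(root).rglob("*.so")):
        lacking = set(required) - sanitizer_markers(ext)
        if lacking:
            missing[ext.relative_to(root).as_posix()] = sorted(lacking)
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: <site-packages dir> [sanitizer ...]; non-zero exit on gaps.
        report = audit_extensions(sys.argv[1], sys.argv[2:] or ["asan"])
        for name, lacking in report.items():
            print(f"NOT INSTRUMENTED ({', '.join(lacking)}): {name}")
        sys.exit(1 if report else 0)
    # No arguments: run on constructed sample files (not real binaries).
    with tempfile.TemporaryDirectory() as demo:
        Path(demo, "wheel.so").write_bytes(b"\x7fELF" + b"PyInit_wheel\0")
        Path(demo, "built.so").write_bytes(
            b"\x7fELF" + b"__asan_init\0__ubsan_handle_add_overflow\0"
        )
        print(audit_extensions(demo, ["asan", "ubsan"]))
```

Run against the fuzzing image's site-packages directory after the install step, a non-zero exit indicates that at least one extension still came from a prebuilt binary.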