summaryrefslogtreecommitdiffhomepage
path: root/tools
AgeCommit message (Collapse)Author
2021-10-25Add support for containerd 1.5Fabricio Voznika
"cri.runtimeoptions.v1" moved to "runtimeoptions.v1" and containerd configuration format version 2 is required. Updates #6449 PiperOrigin-RevId: 405474653
2021-10-18Add hook to add addition build tagsMichael Pratt
PiperOrigin-RevId: 404025736
2021-10-18Support distinction for RWMutex and read-only locks.Adin Scannell
Fixes #6590 PiperOrigin-RevId: 404007524
2021-10-05Fix "Installing from source" instructionsAndrei Vagin
Fixes #6387
2021-09-30Skip analysis of standard library packages using genericsMichael Pratt
The upstream analysis packages we depend on do not yet support analysis of code using Go 1.18 type parameter features, making analysis of the Go tip standard library choke and crash. Skip these packages for now. PiperOrigin-RevId: 400030256
2021-09-22Add Execve and ExitNotifyParent checkpoints.Jamie Liu
Call sites for the two checkpoints aren't added yet. PiperOrigin-RevId: 398375903
2021-09-22Make benchmark `String()` output prettier.Etienne Perot
PiperOrigin-RevId: 398372542
2021-09-22Add `NewCondition` helper in `bigquery.go`.Etienne Perot
PiperOrigin-RevId: 398366805
2021-09-13tools/show_paths.bzl: check that provider_map isn't NoneAndrei Vagin
Otherwise it can fail: $ bazel cquery pkg/p9/... --output=starlark --starlark:file=tools/show_paths.bzl ... ERROR: Starlark evaluation error for //pkg/p9/p9test:mockgen: Traceback (most recent call last): File "tools/show_paths.bzl", line 8, column 32, in format Error: 'NoneType' value has no field or method 'get' PiperOrigin-RevId: 396457764
2021-09-13Support anonymous structs in checklocks.Adin Scannell
Fixes #6558 PiperOrigin-RevId: 396393293
2021-09-03Add //pkg/sentry/seccheck.Jamie Liu
This defines common infrastructure for dynamically-configured security checks, including an example usage in the clone(2) path. PiperOrigin-RevId: 394797270
2021-08-31Automated rollback of changelist 390405182gVisor bot
PiperOrigin-RevId: 394004809
2021-08-25[bm-dashboard] Add debugging to guitar benchmarks.Zach Koopmans
Add logs to big query for benchmarks. This is to debug the actual sent data from BQ so it can be compared to the data produced by the benchmark run. Current logs end with "Sending benchmarks", which is ambiguous. Log success to make sure they are sent. PiperOrigin-RevId: 392944104
2021-08-23Use --output=starlark trick for all build path parsing.Adin Scannell
There is no reason to limit this to debian paths. PiperOrigin-RevId: 392469415
2021-08-18Declare default outputs from nogo_stdlibMichael Pratt
nogo_stdlib propogate facts and findings to downstream nogo_aspects via NogoStdlibInfo. This all works fine except one case: directly building a nogo_stdlib. e.g., bazel build //tools/nogo:stdlib. In this case, nothing is requesting the NogoStdlibInfo, and thus the target has nothing to do. This can be rather confusing when trying to debug failures in :stdlib, as building :stdlib does nothing. Fix this by declaring the facts and findings as default outputs from nogo_stdlib. Now direct bazel build will request these outputs and actually trigger the analysis. Standard aspect builds are unaffected. PiperOrigin-RevId: 391580126
2021-08-17Internal change.gVisor bot
PiperOrigin-RevId: 391331401
2021-08-16Internal change.gVisor bot
PiperOrigin-RevId: 391217339
2021-08-12Clear Merkle files before measuring verity fsChong Cai
PiperOrigin-RevId: 390467957
2021-08-12Automated rollback of changelist 390346783gVisor bot
PiperOrigin-RevId: 390405182
2021-08-12Internal change.gVisor bot
PiperOrigin-RevId: 390346783
2021-08-12Internal change.gVisor bot
PiperOrigin-RevId: 390318725
2021-08-11[op] Fix //debian:debian.Ayush Ranjan
Co-authored-by: Andrei Vagin <avagin@google.com> PiperOrigin-RevId: 390232925
2021-07-30checklinkname: rudimentary type-checking of linkname directivesMichael Pratt
This CL introduces a 'checklinkname' analyzer, which provides rudimentary type-checking that verifies that function signatures on the local and remote sides of //go:linkname directives match expected values. If the Go standard library changes the definitions of any of these function, checklinkname will flag the change as a finding, providing an error informing the gVisor team to adapt to the upstream changes. This allows us to eliminate the majority of gVisor's forward-looking negative build tags, as we can catch mismatches in testing [1]. The remaining forward-looking negative build tags are covering shared struct definitions, which I hope to add to checklinkname in a future CL. [1] Of course, semantics/requirements can change without the signature changing, so we still must be careful, but this covers the common case. PiperOrigin-RevId: 387873847
2021-07-27Use go:build directives in generated files.Jamie Liu
Build constraints are now inferred from go:build directives rather than +build directives. +build directives are still emitted in generated files as required in Go 1.16 and earlier. Note that go/build/constraint was added in Go 1.16, so gVisor now requires Go 1.16. PiperOrigin-RevId: 387240779
2021-07-26Fix per-analyzer overrides of default-disabled groupsMichael Pratt
Currently behavior of config groups with `default: false` is buggy. The intention is that adding an empty suppression section for that group to a specific analyzer config should enable reporting for that analyzer. i.e., ``` groups: - name: foo regex: "^foo/" default: false global: ... analyzers: asmdecl: foo: # Enabled. ``` This should enable the foo group only for asmdecl. Unfortunately, today the actual behavior depends on the contents of the `global:` section. If `global:` contains an entry for foo, then it will work as described. If `global:` does _not_ contain an entry for foo, then the group default (disabled) always applies and the individual analyzer options have no effect. The cause of this is confusion in `AnalyzerConfig.shouldReport`, which doesn't distinguish between explicit suppression via a global suppression/exclude and simply having no configuration at all. Make this more explicit, so that the no configuration case can continue to per-analyzer configuration before falling back to the group default. The last test case in the added test fails without this change. This re-enables several opted-in analyzers for external dependencies, which have gained a few more false positives to suppress. PiperOrigin-RevId: 386904725
2021-07-21buildkite: update GoKevin Krakauer
#6322 tried to update Go to 1.16, but existing nodes fail to upgrade due to the presence of old Go [1]. Specifically when trying to add Go to `/usr/bin`: ``` ln: failed to create symbolic link '/usr/bin/go': File exists ``` Also: - Removing `golang-go` also removes apt installs of `gcc` and `pkg-config`, so those are installed explicitly. - Add `-c` to wget, which will prevent re-downloading Go for each run. - Disable GO111MODULE when building cri-tools and containerd, since we're using pre-module versions of each. 1 - https://buildkite.com/gvisor/pipeline/builds/7285#3593244c-e411-472d-804a-9c7fbbd24762 PiperOrigin-RevId: 386106881
2021-07-20Add go:build directives as required by Go 1.17's gofmt.Jamie Liu
PiperOrigin-RevId: 385894869
2021-07-16Automated rollback of changelist 385029528Kevin Krakauer
PiperOrigin-RevId: 385200993
2021-07-15buildkite: bump Go version to 1.16Kevin Krakauer
We're currently on 1.13, which can cause build issues with code targeting later versions. PiperOrigin-RevId: 385029528
2021-07-12[syserror] Update syserror to linuxerr for more errors.Zach Koopmans
Update the following from syserror to the linuxerr equivalent: EEXIST EFAULT ENOTDIR ENOTTY EOPNOTSUPP ERANGE ESRCH PiperOrigin-RevId: 384329869
2021-07-07Sentry: Measure the time it takes to initialize the Sentry.Etienne Perot
PiperOrigin-RevId: 383472507
2021-07-01Mix checklocks and atomic analyzers.Adin Scannell
This change makes the checklocks analyzer considerable more powerful, adding: * The ability to traverse complex structures, e.g. to have multiple nested fields as part of the annotation. * The ability to resolve simple anonymous functions and closures, and perform lock analysis across these invocations. This does not apply to closures that are passed elsewhere, since it is not possible to know the context in which they might be invoked. * The ability to annotate return values in addition to receivers and other parameters, with the same complex structures noted above. * Ignoring locking semantics for "fresh" objects, i.e. objects that are allocated in the local frame (typically a new-style function). * Sanity checking of locking state across block transitions and returns, to ensure that no unexpected locks are held. Note that initially, most of these findings are excluded by a comprehensive nogo.yaml. The findings that are included are fundamental lock violations. The changes here should be relatively low risk, minor refactorings to either include necessary annotations to simplify the code structure (in general removing closures in favor of methods) so that the analyzer can be easily track the lock state. This change additional includes two changes to nogo itself: * Sanity checking of all types to ensure that the binary and ast-derived types have a consistent objectpath, to prevent the bug above from occurring silently (and causing much confusion). This also requires a trick in order to ensure that serialized facts are consumable downstream. This can be removed with https://go-review.googlesource.com/c/tools/+/331789 merged. * A minor refactoring to isolation the objdump settings in its own package. This was originally used to implement the sanity check above, but this information is now being passed another way. The minor refactor is preserved however, since it cleans up the code slightly and is minimal risk. PiperOrigin-RevId: 382613300
2021-06-09Rename go files that contain "main" function to main.go.Nicolas Lacasse
This is a good Go convention that we should follow. PiperOrigin-RevId: 378538679
2021-06-04Update GitHub packages.Adin Scannell
PiperOrigin-RevId: 377611852
2021-05-27Fix specific releases and update install instructions.Ian Lewis
Fixes #6084 PiperOrigin-RevId: 376293659
2021-05-19Fix nogo analysis.Adin Scannell
Ignore calls to atomic functions in case there is no analysis information. It is unclear why this has broken in some cases, perhaps these functions have been replaced by intrinsics as an optimization? PiperOrigin-RevId: 374682441
2021-05-12Fix TODO comments.Ian Lewis
Fix TODO comments referring to incorrect issue numbers. Also fix the link in issue reviver comments to include the right url fragment. PiperOrigin-RevId: 373491821
2021-05-11Merge pull request #5694 from kevinGC:align32gVisor bot
PiperOrigin-RevId: 373271579
2021-05-10Fix issue reviverIan Lewis
Fixes invocation of the Github issue reviver by including the required 'path' command line option. Also updates the issue reviver to add a 'revived' label to revived issues. Issues with a 'revived' label will no longer be marked as stale. PiperOrigin-RevId: 373046772
2021-05-06fix build constraintsKevin Krakauer
2021-05-06internal import of Go cloud client librariesgVisor bot
PiperOrigin-RevId: 372376653
2021-05-05Internal changeKevin Krakauer
PiperOrigin-RevId: 372166050
2021-05-04Document how to handle build failures from go-marshal verbosity.Rahat Mahmood
With debugging enabled, go-marshal can generate too much output for bazel under default configurations, which can cause builds to fail. The limit defaults to 1 MB. PiperOrigin-RevId: 372030402
2021-04-26nogo: enable bazel workers and other optimizations.Adin Scannell
This is a suite of changes intended to dramatically speed up nogo speed. First, there are minor changes that help efficiency significantly. * Gob-based encoding is used internally, and JSON only used for the final set of findings. This is done to preserve the existing format (which is consumed by external tooling), and to facilitate manual debugging. * Unnecessary regex compilation is elided in the configuration, and care is taken for merges to prevent redundant entries. I'm not sure quite sure how, but it turns out that this was consumed a significant amount of time, presumably compiling the same regexes over and over again. Second, this change enables bazel workers for nogo analyzers. Workers enable persistent processes instead of creating and tearing down a sandbox every invocation. A library is introduced to abstraction these details, and allow the tools to still be written using standard flags, etc. The key here is that these binaries and the core of nogo become aware of caches with worker.Cache. This allows us to save significant time loading the same set of files and findings over and over again. These caches are keyed by the digests that are provided by bazel, and are capped in overall size. Note that the worker package attempts to capture output during each run, but tools are no longer permitted to write to stdout. This necessitated dropping some spurious output from checklocks. PiperOrigin-RevId: 370505732
2021-04-23Improve nogo action cache-ability.Adin Scannell
Presently, the standard library facts are not serialized in a deterministic order. This means that they have the possibility to change on each iteration, requiring a large scale re-analysis of all downstream actions, which includes all packages. Improve cache-ability of nogo actions by improving the determinism of the both facts and findings. Internally, default facts should be serialized as a sorted list for this reason already. PiperOrigin-RevId: 370188259
2021-04-23[op] Remove Build job from GitHub actions.Ayush Ranjan
We already have blocking nogo tests which show all findings. This job was building all nogo targets, and posting all the findings to GitHub as a check run. Building nogo takes a while so we actually end up wasting a lot of time doing redundant work. This is aligned with our goal of moving away from GitHub actions to BuildKite only. PiperOrigin-RevId: 370134875
2021-04-20Clean test tags.Adin Scannell
PiperOrigin-RevId: 369505182
2021-04-16[lisa] Make go_marshal pass correctly sized buffers to safecopy.Ayush Ranjan
gohacks.Memmove() takes in the number of bytes to move. The current generated code passes len(src) and len(dst) as the number of bytes to move. However, the marshal.Marshallable interface allows passing in larger buffers. The stated precondition is that the buffer should be "at least" SizeBytes() in length but it is allowed to be larger. This change now correctly calls Memmove with the argument for the number of bytes to move as type.SizeBytes(). This was caught when I made lisafs use the Unsafe marshalling API and got a lot of memory violations. PiperOrigin-RevId: 368952642
2021-04-14[syserror] Remove syserror from go_marshalZach Koopmans
PiperOrigin-RevId: 368470656
2021-04-14Automatically enforce limited netstack dependenciesKevin Krakauer
Netstack is supposed to be somewhat independent of the rest of gVisor, and others should be able to use it without pulling in excessive dependencies. Currently, there is no way to fight dependency creep besides careful code review. This change introduces a test rule `netstack_deps_check` that ensures the target only relies on gVisor targets and a short allowlist of external dependencies. Users who add a dependency will see an error and have to manually update the allowlist. The set of packages to test comes from //runsc, as it uses packages we would expect users to commonly rely on. It was generated via: $ find ./runsc -name BUILD | xargs grep tcpip | awk '{print $2}' | sort | uniq (Note: We considered giving //pkg/tcpip it's own go.mod, but this breaks go tooling.) PiperOrigin-RevId: 368456711