Merge branch 'master' into fix-reproduce

Author: ret2libc

.github/workflows/ubuntu_version_sync.yml

@@ -14,15 +14,19 @@
 #
 ################################################################################
 
-name: 'Ubuntu Version Sync'
+name: 'Ubuntu Version Sync Check'
 
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
 jobs:
   check-sync:
+    name: Ubuntu File Synchronization Check
     runs-on: ubuntu-latest
+    env:
+      BASE_SHA: ${{ github.event.pull_request.base.sha }}
+      HEAD_SHA: ${{ github.event.pull_request.head.sha }}
     steps:
     - name: 'Checkout code'
       uses: actions/checkout@v4
@@ -34,7 +38,7 @@ jobs:
       run: |
         set -e
         
-        MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }})
+        MODIFIED_FILES=$(git diff --name-only $BASE_SHA...$HEAD_SHA)
         echo "Checking for synchronized file changes..."
         echo "Modified files in this PR:"
         echo "$MODIFIED_FILES"
@@ -63,27 +67,27 @@ jobs:
         VERSIONS=("ubuntu-20-04" "ubuntu-24-04")
 
         # Check Dockerfiles
-        for legacy_file in "${{!LEGACY_DOCKERFILES[@]}}"; do
-          if echo "$MODIFIED_FILES" | grep -q "^${legacy_file}$"; then
+        for legacy_file in "${!LEGACY_DOCKERFILES[@]}"; do
+          if [[ "${legacy_file}" == infra/* ]] && echo "$MODIFIED_FILES" | grep -q "^${legacy_file}$"; then
             echo "Legacy file changed: $legacy_file. Verifying counterparts..."
-            for version in "${{VERSIONS[@]}}"; do
-              pattern=${{LEGACY_DOCKERFILES[$legacy_file]}}
-              versioned_file="${{pattern/{{version}}/$version}}"
-              if ! echo "$MODIFIED_FILES" | grep -q "^${{versioned_file}}$"; then
+            for version in "${VERSIONS[@]}"; do
+              pattern="${LEGACY_DOCKERFILES[$legacy_file]}"
+              versioned_file="${pattern/\{version\}/$version}"
+              if ! echo "$MODIFIED_FILES" | grep -q "^${versioned_file}$"; then
                 ERRORS+="\n- Legacy file '${legacy_file}' was changed, but its counterpart '${versioned_file}' was not."
               fi
             done
           fi
         done
 
         # Check Scripts
-        for legacy_file in "${{!LEGACY_SCRIPTS[@]}}"; do
+        for legacy_file in "${!LEGACY_SCRIPTS[@]}"; do
           if echo "$MODIFIED_FILES" | grep -q "^${legacy_file}$"; then
             echo "Legacy script changed: $legacy_file. Verifying counterparts..."
-            for version in "${{VERSIONS[@]}}"; do
-              pattern=${{LEGACY_SCRIPTS[$legacy_file]}}
-              versioned_file="${{pattern/{{version}}/$version}}"
-              if ! echo "$MODIFIED_FILES" | grep -q "^${{versioned_file}}$"; then
+            for version in "${VERSIONS[@]}"; do
+              pattern="${LEGACY_SCRIPTS[$legacy_file]}"
+              versioned_file="${pattern/\{version\}/$version}"
+              if ! echo "$MODIFIED_FILES" | grep -q "^${versioned_file}$"; then
                 ERRORS+="\n- Legacy script '${legacy_file}' was changed, but its counterpart '${versioned_file}' was not."
               fi
             done

infra/base-images/base-builder-ruby/Dockerfile

@@ -18,10 +18,8 @@ FROM gcr.io/oss-fuzz-base/base-builder
 
 RUN git clone https://github.com/trailofbits/ruzzy.git $SRC/ruzzy
 
-RUN install_ruby.sh
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
-
-RUN gem update --system 3.5.11
+RUN /usr/local/bin/install_ruby.sh
+RUN /usr/local/bin/gem update --system 3.5.11
 
 # Install ruzzy
 WORKDIR $SRC/ruzzy

infra/base-images/base-builder-ruby/ubuntu-20-04.Dockerfile

@@ -18,10 +18,8 @@ FROM gcr.io/oss-fuzz-base/base-builder:ubuntu-20-04
 
 RUN git clone https://github.com/trailofbits/ruzzy.git $SRC/ruzzy
 
-RUN install_ruby.sh
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
-
-RUN gem update --system 3.5.11
+RUN /usr/local/bin/install_ruby.sh
+RUN /usr/local/bin/gem update --system 3.5.11
 
 # Install ruzzy
 WORKDIR $SRC/ruzzy

infra/base-images/base-builder-ruby/ubuntu-24-04.Dockerfile

@@ -18,8 +18,8 @@ FROM gcr.io/oss-fuzz-base/base-builder:ubuntu-24-04
 
 RUN git clone https://github.com/trailofbits/ruzzy.git $SRC/ruzzy
 
-RUN install_ruby.sh
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
+RUN /usr/local/bin/install_ruby.sh
+RUN /usr/local/bin/gem update --system 3.5.11
 
 RUN gem update --system 3.5.11
 

infra/base-images/base-builder/indexer/utils.py

@@ -22,6 +22,12 @@
 import subprocess
 from typing import Final, Sequence
 
+from absl import logging
+
+from google3.pyglib import gfile
+import pathlib
+
+
 LD_BINARY_NAME: Final[str] = "ld-linux-x86-64.so.2"
 _LD_BINARY_PATH: Final[pathlib.Path] = pathlib.Path("/lib64") / LD_BINARY_NAME
 
@@ -79,3 +85,52 @@ def get_shared_libraries(
   )
 
   return _parse_ld_trace_output(result.stdout.decode())
+
+
+def copy_shared_libraries(
+    libraries: Sequence[SharedLibrary], dst_path: pathlib.Path
+) -> None:
+  """Copies the shared libraries to the shared directory."""
+  for lib in libraries:
+    try:
+      logging.info("Copying %s => %s", lib.name, lib.path)
+      gfile.Copy(lib.path, dst_path / lib.path.name, overwrite=True, mode=0o755)
+    except gfile.GOSError:
+      logging.exception("Could not copy %s to %s", lib.path, dst_path)
+      raise
+
+
+def patch_binary_rpath_and_interpreter(
+    binary_path: os.PathLike[str],
+    lib_mount_path: pathlib.Path,
+):
+  """Patches the binary rpath and interpreter."""
+  subprocess.run(
+      [
+          "patchelf",
+          "--set-rpath",
+          lib_mount_path.as_posix(),
+          "--force-rpath",
+          binary_path,
+      ],
+      check=True,
+  )
+
+  subprocess.run(
+      [
+          "patchelf",
+          "--set-interpreter",
+          (lib_mount_path / LD_BINARY_NAME).as_posix(),
+          binary_path,
+      ],
+      check=True,
+  )
+
+
+def get_library_mount_path(binary_id: str) -> pathlib.Path:
+  return pathlib.Path("/tmp") / (binary_id + "_lib")
+
+
+def report_progress(stage: str, is_done: bool = False) -> None:
+  """Reports progress of a stage of the snapshotting process."""
+  logging.info("%s%s", stage, "..." if not is_done else "")

infra/base-images/base-builder/install_ruby.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -eux
 # Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,14 +15,19 @@
 #
 ################################################################################
 
-apt update
-apt install -y lsb-release software-properties-common gnupg2 binutils xz-utils libyaml-dev
-gpg2 --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+echo "Starting ruby installation"
+RUBY_VERSION=3.3.1
+RUBY_DEPS="binutils xz-utils libyaml-dev libffi-dev zlib1g-dev"
+apt update && apt install -y $RUBY_DEPS
+curl -O https://cache.ruby-lang.org/pub/ruby/3.3/ruby-$RUBY_VERSION.tar.gz
+tar -xvf ruby-$RUBY_VERSION.tar.gz
+cd ruby-$RUBY_VERSION
+./configure
+make -j$(nproc)
+make install
+cd ../
 
-curl -sSL https://get.rvm.io > ruby_installation.sh
-chmod +x ruby_installation.sh
-bash ruby_installation.sh stable
+# Clean up the sources.
+rm -rf ./ruby-$RUBY_VERSION ruby-$RUBY_VERSION.tar.gz
 
-. /etc/profile.d/rvm.sh
-
-rvm install ruby-3.3.1
+echo "Finished installing ruby"

infra/base-images/base-runner/Dockerfile

@@ -109,14 +109,14 @@ RUN wget https://repo1.maven.org/maven2/org/jacoco/org.jacoco.cli/0.8.7/org.jaco
 COPY install_javascript.sh /
 RUN /install_javascript.sh && rm /install_javascript.sh
 
-# Copy built ruby and ruzzy from builder
-COPY --from=base-ruby /usr/local/rvm /usr/local/rvm
-COPY --from=base-ruby /install/ruzzy /install/ruzzy
-COPY ruzzy /usr/local/bin/ruzzy
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
-# RubyGems installation directory
-ENV GEM_HOME="$OUT/fuzz-gem"
-ENV GEM_PATH="/install/ruzzy"
+# Copy built ruby. It is up to the fuzzing harnesses
+# themselves to set GEM_HOME and GEM_PATH appropriately, as this depends
+# on how the harnesses are packaged.
+COPY --from=base-ruby /usr/local/bin/ruby /usr/local/bin/ruby
+COPY --from=base-ruby /usr/local/bin/gem /usr/local/bin/gem
+COPY --from=base-ruby /usr/local/lib/ruby /usr/local/lib/ruby
+COPY --from=base-ruby /usr/local/include/ruby-3.3.0 /usr/local/include/ruby-3.3.0
+
 
 # Do this last to make developing these files easier/faster due to caching.
 COPY bad_build_check \

infra/base-images/base-runner/ubuntu-20-04.Dockerfile

@@ -109,14 +109,13 @@ RUN wget https://repo1.maven.org/maven2/org/jacoco/org.jacoco.cli/0.8.7/org.jaco
 COPY install_javascript.sh /
 RUN /install_javascript.sh && rm /install_javascript.sh
 
-# Copy built ruby and ruzzy from builder
-COPY --from=base-ruby /usr/local/rvm /usr/local/rvm
-COPY --from=base-ruby /install/ruzzy /install/ruzzy
-COPY ruzzy /usr/bin/ruzzy
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
-# RubyGems installation directory
-ENV GEM_HOME="$OUT/fuzz-gem"
-ENV GEM_PATH="/install/ruzzy"
+# Copy built ruby. It is up to the fuzzing harnesses
+# themselves to set GEM_HOME and GEM_PATH appropriately, as this depends
+# on how the harnesses are packaged.
+COPY --from=base-ruby /usr/local/bin/ruby /usr/local/bin/ruby
+COPY --from=base-ruby /usr/local/bin/gem /usr/local/bin/gem
+COPY --from=base-ruby /usr/local/lib/ruby /usr/local/lib/ruby
+COPY --from=base-ruby /usr/local/include/ruby-3.3.0 /usr/local/include/ruby-3.3.0
 
 # Do this last to make developing these files easier/faster due to caching.
 COPY bad_build_check \

infra/base-images/base-runner/ubuntu-24-04.Dockerfile

@@ -109,14 +109,13 @@ RUN wget https://repo1.maven.org/maven2/org/jacoco/org.jacoco.cli/0.8.7/org.jaco
 COPY install_javascript.sh /
 RUN /install_javascript.sh && rm /install_javascript.sh
 
-# Copy built ruby and ruzzy from builder
-COPY --from=base-ruby /usr/local/rvm /usr/local/rvm
-COPY --from=base-ruby /install/ruzzy /install/ruzzy
-COPY ruzzy /usr/bin/ruzzy
-ENV PATH="$PATH:/usr/local/rvm/rubies/ruby-3.3.1/bin"
-# RubyGems installation directory
-ENV GEM_HOME="$OUT/fuzz-gem"
-ENV GEM_PATH="/install/ruzzy"
+# Copy built ruby. It is up to the fuzzing harnesses
+# themselves to set GEM_HOME and GEM_PATH appropriately, as this depends
+# on how the harnesses are packaged.
+COPY --from=base-ruby /usr/local/bin/ruby /usr/local/bin/ruby
+COPY --from=base-ruby /usr/local/bin/gem /usr/local/bin/gem
+COPY --from=base-ruby /usr/local/lib/ruby /usr/local/lib/ruby
+COPY --from=base-ruby /usr/local/include/ruby-3.3.0 /usr/local/include/ruby-3.3.0
 
 # Do this last to make developing these files easier/faster due to caching.
 COPY bad_build_check \

infra/build/functions/base_images.py

@@ -47,6 +47,23 @@
 # This version will receive the ':v1' tag.
 DEFAULT_VERSION = 'legacy'
 
+# Defines the dependency graph for base images.
+IMAGE_DEPENDENCIES = {
+    'base-clang': ['base-image'],
+    'base-clang-full': ['base-clang'],
+    'base-builder': ['base-clang'],
+    'base-builder-go': ['base-builder'],
+    'base-builder-javascript': ['base-builder'],
+    'base-builder-jvm': ['base-builder'],
+    'base-builder-python': ['base-builder'],
+    'base-builder-ruby': ['base-builder'],
+    'base-builder-rust': ['base-builder'],
+    'base-builder-swift': ['base-builder'],
+    'base-runner': ['base-image', 'base-builder'],
+    'base-runner-debug': ['base-runner'],
+    'indexer': ['base-clang-full'],
+}
+
 
 class ImageConfig:
   """Configuration for a specific base image version."""
@@ -85,6 +102,8 @@ def _resolve_dockerfile(self) -> str:
       if os.path.exists(versioned_dockerfile):
         logging.info('Using versioned Dockerfile: %s', versioned_dockerfile)
         return versioned_dockerfile
+      raise FileNotFoundError(
+          f'Versioned Dockerfile not found for {self.name}:{self.version}')
 
     legacy_dockerfile = os.path.join(self.path, 'Dockerfile')
     logging.info('Using legacy Dockerfile: %s', legacy_dockerfile)
@@ -156,6 +175,8 @@ def full_image_name_with_tag(self) -> str:
 def get_base_image_steps(images: Sequence[ImageConfig]) -> list[dict]:
   """Returns build steps for a given list of image configurations."""
   steps = [build_lib.get_git_clone_step()]
+  build_ids = {}
+
   for image_config in images:
     # The final tag is ':v1' for the default version, or the version name
     # (e.g., ':ubuntu-24-04') for others.
@@ -167,11 +188,20 @@ def get_base_image_steps(images: Sequence[ImageConfig]) -> list[dict]:
       tags.append(f'{IMAGE_NAME_PREFIX}{image_config.name}:latest')
 
     dockerfile_path = os.path.join('oss-fuzz', image_config.dockerfile_path)
-    steps.append(
-        build_lib.get_docker_build_step(tags,
-                                        image_config.path,
-                                        dockerfile_path=dockerfile_path,
-                                        build_args=image_config.build_args))
+    step = build_lib.get_docker_build_step(tags,
+                                           image_config.path,
+                                           dockerfile_path=dockerfile_path,
+                                           build_args=image_config.build_args)
+
+    # Check for dependencies and add 'waitFor' if necessary.
+    dependencies = IMAGE_DEPENDENCIES.get(image_config.name, [])
+    wait_for = [build_ids[dep] for dep in dependencies if dep in build_ids]
+    if wait_for:
+      step['waitFor'] = wait_for
+
+    build_ids[image_config.name] = step['id']
+    steps.append(step)
+
   return steps