Add sanitizer CI job (#703)

Author: sfod

.builder/actions/build_samples.py

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0.
 
 import Builder
+import itertools
 import os
 import sys
 
@@ -62,7 +63,7 @@ def run(self, env):
             'servicetests/tests/ShadowUpdate/',
         ]
 
-        for sample_path in samples:
+        for sample_path in itertools.chain(samples, servicetests, da_samples, defender_samples):
             build_path = os.path.join('build', sample_path)
             steps.append(['cmake',
                           f'-B{build_path}',
@@ -71,43 +72,9 @@ def run(self, env):
                           '-DCMAKE_BUILD_TYPE=RelWithDebInfo'])
             # append extra cmake configs
             steps[-1].extend(cmd_args.cmake_extra)
-            steps.append(['cmake',
-                          '--build', build_path,
-                          '--config', 'RelWithDebInfo'])
-
-        for sample_path in servicetests:
-            build_path = os.path.join('build', sample_path)
-            steps.append(['cmake',
-                          f'-B{build_path}',
-                          f'-H{sample_path}',
-                          f'-DCMAKE_PREFIX_PATH={env.install_dir}',
-                          '-DCMAKE_BUILD_TYPE=RelWithDebInfo'])
-            # append extra cmake configs
-            steps[-1].extend(cmd_args.cmake_extra)
-            steps.append(['cmake',
-                          '--build', build_path,
-                          '--config', 'RelWithDebInfo'])
-
-        for sample_path in da_samples:
-            build_path = os.path.join('build', sample_path)
-            steps.append(['cmake',
-                          f'-B{build_path}',
-                          f'-H{sample_path}',
-                          f'-DCMAKE_PREFIX_PATH={env.install_dir}',
-                          '-DCMAKE_BUILD_TYPE=RelWithDebInfo'])
-            # append extra cmake configs
-            steps[-1].extend(cmd_args.cmake_extra)
-            steps.append(['cmake',
-                          '--build', build_path,
-                          '--config', 'RelWithDebInfo'])
-
-        for sample_path in defender_samples:
-            build_path = os.path.join('build', sample_path)
-            steps.append(['cmake',
-                          f'-B{build_path}',
-                          f'-H{sample_path}',
-                          f'-DCMAKE_PREFIX_PATH={env.install_dir}',
-                          '-DCMAKE_BUILD_TYPE=RelWithDebInfo'])
+            # Currently, cmake_args sets only Linux-specific options.
+            if sys.platform == "linux" or sys.platform == "linux2":
+                steps[-1].extend(env.config['cmake_args'])
             steps.append(['cmake',
                           '--build', build_path,
                           '--config', 'RelWithDebInfo'])

.github/workflows/ci.yml

@@ -685,3 +685,193 @@ jobs:
       - name: Check for edits to code-generated files
         run: |
           ./utils/check_codegen_edits.py
+
+  clang-sanitizers:
+    runs-on: ubuntu-24.04 # latest
+    strategy:
+      matrix:
+        sanitizer-variants: ["tsan", "asan"]
+    permissions:
+      id-token: write # This is required for requesting the JWT
+    steps:
+      - name: Build ${{ env.PACKAGE_NAME }} + consumers
+        run: |
+          echo "Downloading source"
+          git clone --recursive https://github.com/aws/aws-iot-device-sdk-cpp-v2.git --branch ${{ env.HEAD_REF || github.ref_name }}
+          echo "Running builder"
+          python -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder.pyz')"
+          python builder.pyz build -p ${{ env.PACKAGE_NAME }} --variant ${{ matrix.sanitizer-variants }}
+      - name: Running samples in CI setup
+        run: |
+          python3 -m pip install boto3
+          sudo apt-get update -y
+          sudo apt-get install softhsm2 -y
+          softhsm2-util --version
+      - name: configure AWS credentials (Fleet provisioning)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_FLEET_PROVISIONING_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Fleet Provisioning service client test for MQTT311
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_fleet_provisioning.py --config-file test_cases/mqtt3_fleet_provisioning_cfg.json --thing-name-prefix Fleet_Thing_
+      - name: run Fleet Provisioning service client test for MQTT5
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_fleet_provisioning.py --config-file test_cases/mqtt5_fleet_provisioning_cfg.json --thing-name-prefix Fleet_Thing_
+      - name: run Fleet Provisioning with CSR service client test for MQTT311
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_fleet_provisioning.py --config-file test_cases/mqtt3_fleet_provisioning_with_csr_cfg.json --thing-name-prefix Fleet_Thing_
+      - name: run Fleet Provisioning with CSR service client test for MQTT5
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_fleet_provisioning.py --config-file test_cases/mqtt5_fleet_provisioning_with_csr_cfg.json --thing-name-prefix Fleet_Thing_
+      - name: configure AWS credentials (Jobs)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_JOBS_SERVICE_CLIENT_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run mqtt3 Jobs serviceTests
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_jobs_execution.py --config-file ${{ env.CI_SERVICE_TESTS_CFG_FOLDER }}/mqtt3_jobs_cfg.json
+      - name: run mqtt5 Jobs serviceTests
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_jobs_execution.py --config-file ${{ env.CI_SERVICE_TESTS_CFG_FOLDER }}/mqtt5_jobs_cfg.json
+      - name: configure AWS credentials (Shadow)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_SHADOW_SERVICE_CLIENT_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Shadow service client test for MQTT5
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_shadow_update.py --config-file test_cases/mqtt5_shadow_cfg.json
+      - name: run Shadow service client test for MQTT311
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_shadow_update.py --config-file test_cases/mqtt3_shadow_cfg.json
+      - name: run Named Shadow service client test for MQTT311
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_shadow_update.py --config-file test_cases/mqtt3_named_shadow_cfg.json
+      - name: run Named Shadow service client test for MQTT5
+        working-directory: ./aws-iot-device-sdk-cpp-v2/servicetests
+        run: |
+          export PYTHONPATH=${{ github.workspace }}/aws-iot-device-sdk-cpp-v2/utils
+          python3 ./test_cases/test_shadow_update.py --config-file test_cases/mqtt5_named_shadow_cfg.json
+      - name: configure AWS credentials (Connect and PubSub)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_PUBSUB_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Basic Connect sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_basic_connect_cfg.json
+      - name: run Websocket Connect sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_websocket_connect_cfg.json
+      - name: run MQTT3 PubSub sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_pubsub_cfg.json
+      - name: run PKCS11 Connect sample
+        run: |
+          mkdir -p /tmp/tokens
+          export SOFTHSM2_CONF=/tmp/softhsm2.conf
+          echo "directories.tokendir = /tmp/tokens" > /tmp/softhsm2.conf
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_pkcs11_connect_cfg.json
+      - name: configure AWS credentials (MQTT5)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_MQTT5_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run MQTT5 PubSub sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_mqtt5_pubsub_cfg.json
+      - name: run MQTT5 Shared Subscription sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_mqtt5_shared_subscription_cfg.json
+      - name: configure AWS credentials (Jobs)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_JOBS_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Jobs sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_jobs_cfg.json
+      - name: run Mqtt5 Jobs sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_jobs_mqtt5_cfg.json
+      - name: configure AWS credentials (Cognito)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_COGNITO_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run CognitoConnect sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_cognito_connect_cfg.json
+      - name: configure AWS credentials (Custom Authorizer)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_CUSTOM_AUTHORIZER_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run CustomAuthorizerConnect sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_custom_authorizer_connect_cfg.json
+      - name: configure AWS credentials (Shadow)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_SHADOW_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Shadow sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_shadow_cfg.json
+      - name: run Mqtt5 Shadow sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_shadow_mqtt5_cfg.json
+      - name: configure AWS credentials (Fleet provisioning)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_FLEET_PROVISIONING_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run Fleet Provisioning sample
+        run: |
+          echo "Generating UUID for IoT thing"
+          Sample_UUID=$(python3  -c "import uuid; print (uuid.uuid4())")
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_fleet_provisioning_cfg.json --input_uuid ${Sample_UUID}
+          python3 ${{ env.CI_UTILS_FOLDER }}/delete_iot_thing_ci.py --thing_name "Fleet_Thing_${Sample_UUID}" --region "us-east-1"
+      - name: run Mqtt5 Fleet Provisioning sample
+        run: |
+          echo "Generating UUID for IoT thing"
+          Sample_UUID=$(python3  -c "import uuid; print (uuid.uuid4())")
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_fleet_provisioning_mqtt5_cfg.json --input_uuid ${Sample_UUID}
+          python3 ${{ env.CI_UTILS_FOLDER }}/delete_iot_thing_ci.py --thing_name "Fleet_Thing_${Sample_UUID}" --region "us-east-1"
+      - name: configure AWS credentials (Secure tunneling)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_SECURE_TUNNEL }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      # Secure Tunneling has special requirements, so it uses a different Python file
+      - name: run Secure Tunneling sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_secure_tunnel_ci.py --sample_file "./aws-iot-device-sdk-cpp-v2/build/samples/secure_tunneling/secure_tunnel/secure-tunnel" --sample_region ${{ env.AWS_DEFAULT_REGION }}
+      - name: configure AWS credentials (X509)
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ env.CI_X509_ROLE }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+      - name: run X509 sample
+        run: |
+          python3 ${{ env.CI_UTILS_FOLDER }}/run_sample_ci.py --file ${{ env.CI_SAMPLES_CFG_FOLDER }}/ci_run_x509_connect_cfg.json

CMakeLists.txt

@@ -79,6 +79,8 @@ else()
     include(AwsFindPackage)
 endif()
 
+include(AwsSanitizers)
+
 aws_use_package(aws-crt-cpp)
 
 add_subdirectory(jobs)

builder.json

@@ -29,6 +29,18 @@
           "build"
         ]
     },
+    "tsan": {
+      "cmake_args": [
+        "-DENABLE_SANITIZERS=ON",
+        "-DSANITIZERS=thread"
+      ]
+    },
+    "asan": {
+      "cmake_args": [
+        "-DENABLE_SANITIZERS=ON",
+        "-DSANITIZERS=address,undefined"
+      ]
+    },
     "build_gg_samples_only": {
         "!build_steps": [
           "build",

devicedefender/CMakeLists.txt

@@ -88,7 +88,9 @@ if (BUILD_DEPS)
     endif()
 endif()
 
-target_link_libraries(IotDeviceDefender-cpp IotDeviceCommon-cpp)
+aws_add_sanitizers(IotDeviceDefender-cpp)
+
+target_link_libraries(IotDeviceDefender-cpp PUBLIC IotDeviceCommon-cpp)
 
 install(FILES ${AWS_IOTDEVICEDEFENDER_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/aws/iotdevicedefender/" COMPONENT Development)
 

devicedefender/tests/CMakeLists.txt

@@ -19,4 +19,5 @@ if (UNIX AND NOT APPLE)
     add_net_test_case(Mqtt5DeviceDefenderCustomMetricSuccess)
     add_net_test_case(Mqtt5DeviceDefenderCustomMetricFail)
     generate_cpp_test_driver(${TEST_BINARY_NAME})
+    aws_add_sanitizers(${TEST_BINARY_NAME})
 endif()

discovery/CMakeLists.txt

@@ -87,7 +87,8 @@ if (BUILD_DEPS)
 	endif()
 endif()
 
-target_link_libraries(Discovery-cpp ${DEP_AWS_LIBS})
+aws_add_sanitizers(Discovery-cpp)
+target_link_libraries(Discovery-cpp PUBLIC ${DEP_AWS_LIBS})
 
 install(FILES ${AWS_DISCOVERY_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/aws/discovery/" COMPONENT Development)
 

eventstream_rpc/CMakeLists.txt

@@ -85,8 +85,8 @@ if (NOT IS_SUBDIRECTORY_INCLUDE)
     aws_use_package(aws-crt-cpp)
 endif()
 
-
-target_link_libraries(EventstreamRpc-cpp ${DEP_AWS_LIBS})
+aws_add_sanitizers(EventstreamRpc-cpp)
+target_link_libraries(EventstreamRpc-cpp PUBLIC ${DEP_AWS_LIBS})
 
 install(FILES ${AWS_EVENTSTREAMRPC_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/aws/eventstreamrpc/" COMPONENT Development)
 

eventstream_rpc/tests/CMakeLists.txt

@@ -36,6 +36,7 @@ add_test_case(OperateWhileDisconnected)
 #add_test_case(EchoOperation)
 #add_test_case(StressTestClient)
 generate_cpp_test_driver(${TEST_BINARY_NAME})
+aws_add_sanitizers(${TEST_BINARY_NAME})
 target_include_directories(${TEST_BINARY_NAME} PUBLIC
     $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
     $<INSTALL_INTERFACE:include>)

greengrass_ipc/CMakeLists.txt

@@ -33,7 +33,7 @@ if (WIN32)
 endif()
 
 add_library(GreengrassIpc-cpp ${AWS_GREENGRASSIPC_CPP_SRC})
-target_link_libraries(GreengrassIpc-cpp EventstreamRpc-cpp)
+target_link_libraries(GreengrassIpc-cpp PUBLIC EventstreamRpc-cpp)
 
 set_target_properties(GreengrassIpc-cpp PROPERTIES LINKER_LANGUAGE CXX)
 
@@ -93,8 +93,8 @@ if (NOT IS_SUBDIRECTORY_INCLUDE)
     aws_use_package(aws-crt-cpp)
 endif()
 
-
-target_link_libraries(GreengrassIpc-cpp ${DEP_AWS_LIBS})
+aws_add_sanitizers(GreengrassIpc-cpp)
+target_link_libraries(GreengrassIpc-cpp PUBLIC ${DEP_AWS_LIBS})
 
 install(FILES ${AWS_GREENGRASSIPC_HEADERS} DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/aws/greengrass/" COMPONENT Development)