Improve CI performance on valgrind components #6665
Conversation
Add base64 to the name, in preparation for moving the test functions from the base64 test suite to the constant_time test suite. Rename the dec test function to be closer to the library function. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Create a test suite for constant-time functions defined in constant_time.c. This follows the general organization of the project where each module has its own test suite(s). This may also make it easier to arrange tests or analyses of constant-timeness. This commit creates the new test suite and moves the existing base64 tests there. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test functions of constant_time.c in its own test suite, as we usually do. ssl_cf_hmac gets its own test suite because it runs a large number of iterations and takes a long time. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Conditional inclusion of "mbedtls/md.h" via "constant_time_internal.h" isn't enough, because the test framework includes code to resolve constant values regardless of whether the test case is compiled in. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
tests/scripts/all.sh
Outdated
| # The following components are especially slow and don't have any constant-flow annotations, | ||
| # so disable them for better CI performance. | ||
| # It would be better to pass a list of tests that we want to run, rather than tests to skip, | ||
| # but this functionality is currently missing from run-test-suites.pl. |
There was a problem hiding this comment.
run-test-suites.pl is not involved here: this shell function is only called during builds that use cmake.
tests/scripts/all.sh
Outdated
| cmake -D CMAKE_BUILD_TYPE:String=Release . | ||
| make | ||
|
|
||
| # this only shows a summary of the results (how many of each type) | ||
| # details are left in Testing/<date>/DynamicAnalysis.xml | ||
| msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" | ||
| make memcheck | ||
| skip_non_constant_flow_components 0 |
There was a problem hiding this comment.
This line isn't useful: components run in a subshell, so environment variables aren't retained.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
|
CI's still not happy. |
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
|
As mentioned on Slack, I'm not happy about moving things to I agree this PR is making resolves an inconsistency, by having functions tested in a test suite that matches the place they are defined. But I think it's resolving this inconsistency in the wrong way: by moving the tests, while it's the functions that should be moved. I understand that the purpose of the PR is to isolate test that should be run in the I won't formally object to the present approach, as solving problems with the CI is urgent so we need to get improvements in as fast as we can, but long-term I don't think things are being moved to the right place. |
|
PS: I just had a look at 78e4c6d and I think it actually supports moving things to the right place: create Again, I think it's really really wrong for SSL-specific functions, RSA-specific functions, etc, to live in |
I agree. That's why I abandoned #6273. I meant to replace it by moving the other way round, but I haven't gotten around to it yet. |
|
I can extract |
|
I'd like |
…function Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Although |
I agree, it does look like I don't have a strong view about where the test should live, but I also don't think it is very critical. I would prefer to get this merged & help the CI reliability rather than spend time going back and forth on which test suite is best. |
| @@ -1608,6 +1608,15 @@ component_test_memsan_constant_flow () { | |||
| make test | |||
| } | |||
|
|
|||
| skip_non_constant_flow_components () { | |||
There was a problem hiding this comment.
This isn't about skipping components, it's about skipping suites.
| @@ -1,33 +1,3 @@ | |||
| mask_of_range empty (1..0) | |||
There was a problem hiding this comment.
Let's not move the base64 tests since we know we actually want them right where they are.
| @@ -1608,6 +1608,15 @@ component_test_memsan_constant_flow () { | |||
| make test | |||
| } | |||
|
|
|||
| skip_non_constant_flow_components () { | |||
| # Skip the test suites that don't have any constant-flow annotations. | |||
There was a problem hiding this comment.
Please add an explicit note that this won't catch TEST_CF_SECRET from tests/include or tests/src, if we were to add some. And, since that's not really discoverable, we should have a note in the documentation of TEST_CF_SECRET as well.
| @@ -1662,6 +1672,7 @@ component_test_valgrind_constant_flow_psa () { | |||
| msg "build: cmake release GCC, full config with constant flow testing" | |||
| scripts/config.py full | |||
| scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND | |||
| skip_non_constant_flow_components | |||
There was a problem hiding this comment.
Uh-oh, we don't have a test_valgrind_psa. So there's loss of coverage here. We should either keep this component as is or add a test_valgrind_psa.
I think this is not a good use of time. Feel free to push additional commits to this one if you feel they are really needed, but I'm concerned we are spending too much time going back and forth on polishing minor details and late feedback here rather than taking the improvement. |
|
I'm making a new PR (almost ready) because it's easier than building on the history here. |
Description
Improve CI performance for valgrind components. Ideally it would only run over the constant-flow tests, but there isn't a good existing mechanism for implementing this. For now, skip the particularly expensive tests.
Fixes #6661
Gatekeeper checklist