summaryrefslogtreecommitdiffstats
path: root/security/nss/automation
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/automation')
-rw-r--r--security/nss/automation/abi-check/expected-report-libfreebl3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libfreeblpriv3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnspr4.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnss3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnssckbi.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnssdbm3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnsssysinit.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libnssutil3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libplc4.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libplds4.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libsmime3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt0
-rw-r--r--security/nss/automation/abi-check/expected-report-libssl3.so.txt0
-rw-r--r--security/nss/automation/abi-check/previous-nss-release1
-rwxr-xr-xsecurity/nss/automation/buildbot-slave/build.sh116
-rw-r--r--security/nss/automation/clang-format/Dockerfile26
-rw-r--r--security/nss/automation/clang-format/run_clang_format.sh67
-rw-r--r--security/nss/automation/clang-format/setup.sh44
-rw-r--r--security/nss/automation/ossfuzz/build.sh57
-rw-r--r--security/nss/automation/release/nspr-version.txt2
-rw-r--r--security/nss/automation/release/nss-release-helper.py36
-rw-r--r--security/nss/automation/taskcluster/docker-aarch64/Dockerfile30
-rw-r--r--security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh20
-rw-r--r--security/nss/automation/taskcluster/docker-aarch64/setup.sh42
-rwxr-xr-xsecurity/nss/automation/taskcluster/docker-arm/setup.sh1
-rw-r--r--security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile30
-rw-r--r--security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh20
-rw-r--r--security/nss/automation/taskcluster/docker-clang-3.9/setup.sh46
-rw-r--r--security/nss/automation/taskcluster/docker-decision/setup.sh2
-rw-r--r--security/nss/automation/taskcluster/docker-fuzz/Dockerfile33
-rw-r--r--security/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh20
-rw-r--r--security/nss/automation/taskcluster/docker-fuzz/setup.sh58
-rw-r--r--security/nss/automation/taskcluster/docker/Dockerfile6
-rw-r--r--security/nss/automation/taskcluster/docker/setup.sh18
-rw-r--r--security/nss/automation/taskcluster/graph/src/extend.js441
-rw-r--r--security/nss/automation/taskcluster/graph/src/queue.js22
-rw-r--r--security/nss/automation/taskcluster/graph/src/try_syntax.js40
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/build.sh13
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/build_gyp.sh11
-rw-r--r--security/nss/automation/taskcluster/scripts/build_nspr.sh18
-rw-r--r--security/nss/automation/taskcluster/scripts/build_nss.sh39
-rw-r--r--security/nss/automation/taskcluster/scripts/build_softoken.sh30
-rw-r--r--security/nss/automation/taskcluster/scripts/build_util.sh25
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/extend_task_graph.sh7
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/fuzz.sh26
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/gen_certs.sh12
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/run_clang_format.sh63
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/run_scan_build.sh9
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/run_tests.sh10
-rw-r--r--security/nss/automation/taskcluster/scripts/split.sh154
-rw-r--r--security/nss/automation/taskcluster/scripts/tools.sh10
-rw-r--r--security/nss/automation/taskcluster/windows/build.sh6
-rw-r--r--security/nss/automation/taskcluster/windows/build_gyp.sh34
-rw-r--r--security/nss/automation/taskcluster/windows/releng.manifest24
-rw-r--r--security/nss/automation/taskcluster/windows/setup.sh18
-rw-r--r--security/nss/automation/taskcluster/windows/setup32.sh10
-rw-r--r--security/nss/automation/taskcluster/windows/setup64.sh10
57 files changed, 1425 insertions, 282 deletions
diff --git a/security/nss/automation/abi-check/expected-report-libfreebl3.so.txt b/security/nss/automation/abi-check/expected-report-libfreebl3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libfreebl3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libfreeblpriv3.so.txt b/security/nss/automation/abi-check/expected-report-libfreeblpriv3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libfreeblpriv3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnspr4.so.txt b/security/nss/automation/abi-check/expected-report-libnspr4.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnspr4.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnssckbi.so.txt b/security/nss/automation/abi-check/expected-report-libnssckbi.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnssckbi.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnssdbm3.so.txt b/security/nss/automation/abi-check/expected-report-libnssdbm3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnssdbm3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnsssysinit.so.txt b/security/nss/automation/abi-check/expected-report-libnsssysinit.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnsssysinit.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libplc4.so.txt b/security/nss/automation/abi-check/expected-report-libplc4.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libplc4.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libplds4.so.txt b/security/nss/automation/abi-check/expected-report-libplds4.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libplds4.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt b/security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libsoftokn3.so.txt
diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
new file mode 100644
index 000000000..b8d28cde0
--- /dev/null
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -0,0 +1 @@
+NSS_3_31_BRANCH
diff --git a/security/nss/automation/buildbot-slave/build.sh b/security/nss/automation/buildbot-slave/build.sh
index 0917cec6b..3fc914803 100755
--- a/security/nss/automation/buildbot-slave/build.sh
+++ b/security/nss/automation/buildbot-slave/build.sh
@@ -19,6 +19,9 @@ proc_args()
"--test-nss")
TEST_NSS=1
;;
+ "--check-abi")
+ CHECK_ABI=1
+ ;;
"--build-jss")
BUILD_JSS=1
;;
@@ -40,6 +43,7 @@ proc_args()
echo " --build-jss"
echo " --test-nss"
echo " --test-jss"
+ echo " --check-abi"
exit 1
;;
esac
@@ -215,6 +219,65 @@ test_nss()
return ${RET}
}
+check_abi()
+{
+ print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########"
+ print_log "######## creating temporary HG clones ########"
+
+ rm -rf ${HGDIR}/baseline
+ mkdir ${HGDIR}/baseline
+ BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release`
+ hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss"
+ if [ $? -ne 0 ]; then
+ echo "invalid tag in automation/abi-check/previous-nss-release"
+ return 1
+ fi
+
+ BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH
+ hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr"
+ if [ $? -ne 0 ]; then
+ echo "invalid tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt"
+ return 1
+ fi
+
+ print_log "######## building older NSPR/NSS ########"
+ pushd ${HGDIR}/baseline/nss
+
+ print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+ ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+ RET=$?
+ print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+ if [ ${RET} -ne 0 ]; then
+ tail -100 ${LOG_ALL}
+ return ${RET}
+ fi
+ popd
+
+ ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
+ rm -f ${ABI_REPORT}
+ PREVDIST=${HGDIR}/baseline/dist
+ NEWDIST=${HGDIR}/dist
+ ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
+ for SO in ${ALL_SOs}; do
+ if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
+ touch nss/automation/abi-check/expected-report-$SO.txt
+ fi
+ abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
+ $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
+ > nss/automation/abi-check/new-report-$SO.txt
+ diff -u nss/automation/abi-check/expected-report-$SO.txt \
+ nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
+ done
+
+ if [ -s ${ABI_REPORT} ]; then
+ print_log "FAILED: there are new unexpected ABI changes"
+ cat ${ABI_REPORT}
+ return 1
+ fi
+
+ return 0
+}
+
test_jss()
{
print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
@@ -243,6 +306,39 @@ test_jss()
return ${RET}
}
+create_objdir_dist_link()
+{
+ # compute relevant 'dist' OBJDIR_NAME subdirectory names for JSS and NSS
+ OS_TARGET=`uname -s`
+ OS_RELEASE=`uname -r | sed 's/-.*//' | sed 's/-.*//' | cut -d . -f1,2`
+ CPU_TAG=_`uname -m`
+ # OBJDIR_NAME_COMPILER appears to be defined for NSS but not JSS
+ OBJDIR_NAME_COMPILER=_cc
+ LIBC_TAG=_glibc
+ IMPL_STRATEGY=_PTH
+ if [ "${RUN_BITS}" = "64" ]; then
+ OBJDIR_TAG=_${RUN_BITS}_${RUN_OPT}.OBJ
+ else
+ OBJDIR_TAG=_${RUN_OPT}.OBJ
+ fi
+
+ # define NSS_OBJDIR_NAME
+ NSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}${OBJDIR_NAME_COMPILER}
+ NSS_OBJDIR_NAME=${NSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
+ print_log "create_objdir_dist_link(): NSS_OBJDIR_NAME='${NSS_OBJDIR_NAME}'"
+
+ # define JSS_OBJDIR_NAME
+ JSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}
+ JSS_OBJDIR_NAME=${JSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
+ print_log "create_objdir_dist_link(): JSS_OBJDIR_NAME='${JSS_OBJDIR_NAME}'"
+
+ if [ -e "${HGDIR}/dist/${NSS_OBJDIR_NAME}" ]; then
+ SOURCE=${HGDIR}/dist/${NSS_OBJDIR_NAME}
+ TARGET=${HGDIR}/dist/${JSS_OBJDIR_NAME}
+ ln -s ${SOURCE} ${TARGET} >/dev/null 2>&1
+ fi
+}
+
build_and_test()
{
if [ -n "${BUILD_NSS}" ]; then
@@ -255,7 +351,13 @@ build_and_test()
[ $? -eq 0 ] || return 1
fi
+ if [ -n "${CHECK_ABI}" ]; then
+ check_abi
+ [ $? -eq 0 ] || return 1
+ fi
+
if [ -n "${BUILD_JSS}" ]; then
+ create_objdir_dist_link
build_jss
[ $? -eq 0 ] || return 1
fi
@@ -326,6 +428,7 @@ main()
{
VALID=0
RET=1
+ FAIL=0
for BITS in 32 64; do
echo ${RUN_BITS} | grep ${BITS} > /dev/null
@@ -338,7 +441,10 @@ main()
set_env
run_all
RET=$?
- print_log "### result of run_all is ${RET}"
+ print_log "### result of run_all is ${RET}"
+ if [ ${RET} -ne 0 ]; then
+ FAIL=${RET}
+ fi
done
done
@@ -347,7 +453,7 @@ main()
return 1
fi
- return ${RET}
+ return ${FAIL}
}
#function killallsub()
@@ -375,6 +481,8 @@ echo "tinderbox args: $0 $@"
proc_args "$@"
main
-#RET=$?
+RET=$?
+print_log "### result of main is ${RET}"
+
#rm $IS_RUNNING_FILE
-#exit ${RET}
+exit ${RET}
diff --git a/security/nss/automation/clang-format/Dockerfile b/security/nss/automation/clang-format/Dockerfile
new file mode 100644
index 000000000..163c9b8fa
--- /dev/null
+++ b/security/nss/automation/clang-format/Dockerfile
@@ -0,0 +1,26 @@
+FROM ubuntu:16.04
+MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+WORKDIR /home/worker
+
+# Install dependencies.
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Change user.
+USER worker
+
+# Env variables.
+ENV HOME /home/worker
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME worker
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+# Entrypoint.
+ENTRYPOINT ["/home/worker/nss/automation/clang-format/run_clang_format.sh"]
diff --git a/security/nss/automation/clang-format/run_clang_format.sh b/security/nss/automation/clang-format/run_clang_format.sh
new file mode 100644
index 000000000..2ba5ebeb1
--- /dev/null
+++ b/security/nss/automation/clang-format/run_clang_format.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+if [[ $(id -u) -eq 0 ]]; then
+ # Drop privileges by re-running this script.
+ # Note: this mangles arguments, better to avoid running scripts as root.
+ exec su worker -c "$0 $*"
+fi
+
+# Apply clang-format on the provided folder and verify that this doesn't change any file.
+# If any file differs after formatting, the script eventually exits with 1.
+# Any differences between formatted and unformatted files is printed to stdout to give a hint what's wrong.
+
+# Includes a default set of directories NOT to clang-format on.
+blacklist=(
+ "./automation" \
+ "./coreconf" \
+ "./doc" \
+ "./pkg" \
+ "./tests" \
+ "./lib/libpkix" \
+ "./lib/zlib" \
+ "./lib/sqlite" \
+ "./gtests/google_test" \
+ "./.hg" \
+ "./out" \
+)
+
+top="$(dirname $0)/../.."
+cd "$top"
+
+if [ $# -gt 0 ]; then
+ dirs=("$@")
+else
+ dirs=($(find . -maxdepth 2 -mindepth 1 -type d ! -path . \( ! -regex '.*/' \)))
+fi
+
+format_folder()
+{
+ for black in "${blacklist[@]}"; do
+ if [[ "$1" == "$black"* ]]; then
+ echo "skip $1"
+ return 1
+ fi
+ done
+ return 0
+}
+
+for dir in "${dirs[@]}"; do
+ if format_folder "$dir" ; then
+ c="${dir//[^\/]}"
+ echo "formatting $dir ..."
+ depth=""
+ if [ "${#c}" == "1" ]; then
+ depth="-maxdepth 1"
+ fi
+ find "$dir" $depth -type f \( -name '*.[ch]' -o -name '*.cc' \) -exec clang-format -i {} \+
+ fi
+done
+
+TMPFILE=$(mktemp /tmp/$(basename $0).XXXXXX)
+trap 'rm $TMPFILE' exit
+if (cd $(dirname $0); hg root >/dev/null 2>&1); then
+ hg diff --git "$top" | tee $TMPFILE
+else
+ git -C "$top" diff | tee $TMPFILE
+fi
+[[ ! -s $TMPFILE ]]
diff --git a/security/nss/automation/clang-format/setup.sh b/security/nss/automation/clang-format/setup.sh
new file mode 100644
index 000000000..9b2480e90
--- /dev/null
+++ b/security/nss/automation/clang-format/setup.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y update && apt-get -y upgrade
+
+# Install packages.
+apt_packages=()
+apt_packages+=('ca-certificates')
+apt_packages+=('curl')
+apt_packages+=('xz-utils')
+apt_packages+=('mercurial')
+apt_packages+=('git')
+apt_packages+=('locales')
+apt-get install -y --no-install-recommends ${apt_packages[@]}
+
+# Download clang.
+curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
+curl -L http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
+# Verify the signature.
+gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+gpg --verify clang.tar.xz.sig
+# Install into /usr/local/.
+tar xJvf *.tar.xz -C /usr/local --strip-components=1
+
+# Cleanup.
+function cleanup() {
+ rm -f clang.tar.xz clang.tar.xz.sig
+}
+trap cleanup ERR EXIT
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
+
+# We're done. Remove this script.
+rm $0
diff --git a/security/nss/automation/ossfuzz/build.sh b/security/nss/automation/ossfuzz/build.sh
new file mode 100644
index 000000000..e967ea861
--- /dev/null
+++ b/security/nss/automation/ossfuzz/build.sh
@@ -0,0 +1,57 @@
+#!/bin/bash -eu
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+################################################################################
+
+# List of targets disabled for oss-fuzz.
+declare -A disabled=([pkcs8]=1)
+
+# List of targets we want to fuzz in TLS and non-TLS mode.
+declare -A tls_targets=([tls-client]=1 [tls-server]=1 [dtls-client]=1 [dtls-server]=1)
+
+# Helper function that copies a fuzzer binary and its seed corpus.
+copy_fuzzer()
+{
+ local fuzzer=$1
+ local name=$2
+
+ # Copy the binary.
+ cp ../dist/Debug/bin/$fuzzer $OUT/$name
+
+ # Zip and copy the corpus, if any.
+ if [ -d "$SRC/nss-corpus/$name" ]; then
+ zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/$name/*
+ else
+ zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/*/*
+ fi
+}
+
+# Copy libFuzzer options
+cp fuzz/options/*.options $OUT/
+
+# Build the library (non-TLS fuzzing mode).
+CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
+ ./build.sh -c -v --fuzz=oss --fuzz --disable-tests
+
+# Copy fuzzing targets.
+for fuzzer in $(find ../dist/Debug/bin -name "nssfuzz-*" -printf "%f\n"); do
+ name=${fuzzer:8}
+ if [ -z "${disabled[$name]:-}" ]; then
+ [ -n "${tls_targets[$name]:-}" ] && name="${name}-no_fuzzer_mode"
+ copy_fuzzer $fuzzer $name
+ fi
+done
+
+# Build the library again (TLS fuzzing mode).
+CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
+ ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests
+
+# Copy dual mode targets in TLS mode.
+for name in "${!tls_targets[@]}"; do
+ if [ -z "${disabled[$name]:-}" ]; then
+ copy_fuzzer nssfuzz-$name $name
+ fi
+done
diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt
index 9e0c933dc..98783a615 100644
--- a/security/nss/automation/release/nspr-version.txt
+++ b/security/nss/automation/release/nspr-version.txt
@@ -1,4 +1,4 @@
-4.13.1
+4.16
# The first line of this file must contain the human readable NSPR
# version number, which is the minimum required version of NSPR
diff --git a/security/nss/automation/release/nss-release-helper.py b/security/nss/automation/release/nss-release-helper.py
index d168febde..31ea41966 100644
--- a/security/nss/automation/release/nss-release-helper.py
+++ b/security/nss/automation/release/nss-release-helper.py
@@ -10,11 +10,27 @@ import shutil
import glob
from optparse import OptionParser
from subprocess import check_call
+from subprocess import check_output
nssutil_h = "lib/util/nssutil.h"
softkver_h = "lib/softoken/softkver.h"
nss_h = "lib/nss/nss.h"
nssckbi_h = "lib/ckfw/builtins/nssckbi.h"
+abi_base_version_file = "automation/abi-check/previous-nss-release"
+
+abi_report_files = ['automation/abi-check/expected-report-libfreebl3.so.txt',
+ 'automation/abi-check/expected-report-libfreeblpriv3.so.txt',
+ 'automation/abi-check/expected-report-libnspr4.so.txt',
+ 'automation/abi-check/expected-report-libnss3.so.txt',
+ 'automation/abi-check/expected-report-libnssckbi.so.txt',
+ 'automation/abi-check/expected-report-libnssdbm3.so.txt',
+ 'automation/abi-check/expected-report-libnsssysinit.so.txt',
+ 'automation/abi-check/expected-report-libnssutil3.so.txt',
+ 'automation/abi-check/expected-report-libplc4.so.txt',
+ 'automation/abi-check/expected-report-libplds4.so.txt',
+ 'automation/abi-check/expected-report-libsmime3.so.txt',
+ 'automation/abi-check/expected-report-libsoftokn3.so.txt',
+ 'automation/abi-check/expected-report-libssl3.so.txt']
def check_call_noisy(cmd, *args, **kwargs):
print "Executing command:", cmd
@@ -132,6 +148,26 @@ def set_root_ca_version():
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h)
def set_all_lib_versions(version, major, minor, patch, build):
+ grep_major = check_output(['grep', 'define.*NSS_VMAJOR', nss_h])
+ grep_minor = check_output(['grep', 'define.*NSS_VMINOR', nss_h])
+
+ old_major = int(grep_major.split()[2]);
+ old_minor = int(grep_minor.split()[2]);
+
+ new_major = int(major)
+ new_minor = int(minor)
+
+ if (old_major < new_major or (old_major == new_major and old_minor < new_minor)):
+ print "You're increasing the minor (or major) version:"
+ print "- erasing ABI comparison expectations"
+ new_branch = "NSS_" + str(old_major) + "_" + str(old_minor) + "_BRANCH"
+ print "- setting reference branch to the branch of the previous version: " + new_branch
+ with open(abi_base_version_file, "w") as abi_base:
+ abi_base.write("%s\n" % new_branch)
+ for report_file in abi_report_files:
+ with open(report_file, "w") as report_file_handle:
+ report_file_handle.truncate()
+
set_full_lib_versions(version)
set_major_versions(major)
set_minor_versions(minor)
diff --git a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
new file mode 100644
index 000000000..2d7ade357
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
@@ -0,0 +1,30 @@
+FROM franziskus/xenial:aarch64
+MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+WORKDIR /home/worker
+
+# Add build and test scripts.
+ADD bin /home/worker/bin
+RUN chmod +x /home/worker/bin/*
+
+# Install dependencies.
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Change user.
+# USER worker # See bug 1347473.
+
+# Env variables.
+ENV HOME /home/worker
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME worker
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh b/security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+ sleep $i
+ hg clone -r $REVISION $REPOSITORY nss && exit 0
+ rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-aarch64/setup.sh b/security/nss/automation/taskcluster/docker-aarch64/setup.sh
new file mode 100644
index 000000000..b76514ad5
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-aarch64/setup.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+export DEBIAN_FRONTEND=noninteractive
+
+apt-get -y update
+apt-get -y install software-properties-common
+
+# Add more repos
+add-apt-repository "deb http://ports.ubuntu.com/ xenial main restricted universe multiverse"
+add-apt-repository "deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse"
+add-apt-repository "deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse"
+add-apt-repository "deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse"
+
+# Update.
+apt-get -y update
+apt-get -y dist-upgrade
+
+apt_packages=()
+apt_packages+=('build-essential')
+apt_packages+=('ca-certificates')
+apt_packages+=('curl')
+apt_packages+=('libxml2-utils')
+apt_packages+=('zlib1g-dev')
+apt_packages+=('ninja-build')
+apt_packages+=('gyp')
+apt_packages+=('mercurial')
+apt_packages+=('locales')
+
+# Install packages.
+apt-get install -y --no-install-recommends ${apt_packages[@]}
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
+rm $0
diff --git a/security/nss/automation/taskcluster/docker-arm/setup.sh b/security/nss/automation/taskcluster/docker-arm/setup.sh
index 42d66a454..78c63925b 100755
--- a/security/nss/automation/taskcluster/docker-arm/setup.sh
+++ b/security/nss/automation/taskcluster/docker-arm/setup.sh
@@ -12,6 +12,7 @@ apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
+apt_packages+=('locales')
apt_packages+=('python-dev')
apt_packages+=('python-pip')
apt_packages+=('python-setuptools')
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile b/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
new file mode 100644
index 000000000..473ce64ba
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
@@ -0,0 +1,30 @@
+FROM ubuntu:16.04
+MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+WORKDIR /home/worker
+
+# Add build and test scripts.
+ADD bin /home/worker/bin
+RUN chmod +x /home/worker/bin/*
+
+# Install dependencies.
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Change user.
+USER worker
+
+# Env variables.
+ENV HOME /home/worker
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME worker
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh b/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+ sleep $i
+ hg clone -r $REVISION $REPOSITORY nss && exit 0
+ rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
new file mode 100644
index 000000000..7b7d534e6
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y update && apt-get -y upgrade
+
+# Need this to add keys for PPAs below.
+apt-get install -y --no-install-recommends apt-utils
+
+apt_packages=()
+apt_packages+=('ca-certificates')
+apt_packages+=('curl')
+apt_packages+=('locales')
+apt_packages+=('xz-utils')
+
+# Latest Mercurial.
+apt_packages+=('mercurial')
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
+echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
+
+# Install packages.
+apt-get -y update
+apt-get install -y --no-install-recommends ${apt_packages[@]}
+
+# Download clang.
+curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+# Verify the signature.
+gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+gpg --verify *.tar.xz.sig
+# Install into /usr/local/.
+tar xJvf *.tar.xz -C /usr/local --strip-components=1
+# Cleanup.
+rm *.tar.xz*
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
+rm $0
diff --git a/security/nss/automation/taskcluster/docker-decision/setup.sh b/security/nss/automation/taskcluster/docker-decision/setup.sh
index e5a6d2019..51938529c 100644
--- a/security/nss/automation/taskcluster/docker-decision/setup.sh
+++ b/security/nss/automation/taskcluster/docker-decision/setup.sh
@@ -7,7 +7,7 @@ export DEBIAN_FRONTEND=noninteractive
apt-get -y update && apt-get -y upgrade
# Need those to install newer packages below.
-apt-get install -y --no-install-recommends apt-utils curl ca-certificates
+apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
# Latest Mercurial.
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
diff --git a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
new file mode 100644
index 000000000..254f166c8
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
@@ -0,0 +1,33 @@
+FROM ubuntu:16.04
+MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+WORKDIR /home/worker
+
+# Add build and test scripts.
+ADD bin /home/worker/bin
+RUN chmod +x /home/worker/bin/*
+
+# Install dependencies.
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Change user.
+USER worker
+
+# Env variables.
+ENV HOME /home/worker
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME worker
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+# LLVM 4.0
+ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh b/security/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh
new file mode 100644
index 000000000..9167f6bda
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+ sleep $i
+ hg clone -r $REVISION $REPOSITORY nss && exit 0
+ rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-fuzz/setup.sh b/security/nss/automation/taskcluster/docker-fuzz/setup.sh
new file mode 100644
index 000000000..fcb72346e
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz/setup.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y update && apt-get -y upgrade
+
+# Need this to add keys for PPAs below.
+apt-get install -y --no-install-recommends apt-utils
+
+apt_packages=()
+apt_packages+=('build-essential')
+apt_packages+=('ca-certificates')
+apt_packages+=('curl')
+apt_packages+=('git')
+apt_packages+=('gyp')
+apt_packages+=('libssl-dev')
+apt_packages+=('libxml2-utils')
+apt_packages+=('locales')
+apt_packages+=('ninja-build')
+apt_packages+=('pkg-config')
+apt_packages+=('zlib1g-dev')
+
+# 32-bit builds
+apt_packages+=('gcc-multilib')
+apt_packages+=('g++-multilib')
+
+# Latest Mercurial.
+apt_packages+=('mercurial')
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
+echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
+
+# Install packages.
+apt-get -y update
+apt-get install -y --no-install-recommends ${apt_packages[@]}
+
+# 32-bit builds
+dpkg --add-architecture i386
+apt-get -y update
+apt-get install -y --no-install-recommends libssl-dev:i386
+
+# Install LLVM/clang-4.0.
+mkdir clang-tmp
+git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
+git -C clang-tmp/clang checkout HEAD scripts/update.py
+clang-tmp/clang/scripts/update.py
+rm -fr clang-tmp
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
+rm $0
diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile
index 35777c0b7..8a2256d12 100644
--- a/security/nss/automation/taskcluster/docker/Dockerfile
+++ b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -12,6 +12,9 @@ RUN chmod +x /home/worker/bin/*
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
+# Change user.
+USER worker
+
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
@@ -23,5 +26,8 @@ ENV LC_ALL en_US.UTF-8
ENV HOST localhost
ENV DOMSUF localdomain
+# Rust + Go
+ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
+
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker/setup.sh b/security/nss/automation/taskcluster/docker/setup.sh
index 4969f4aa0..3ba4e854e 100644
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ b/security/nss/automation/taskcluster/docker/setup.sh
@@ -16,6 +16,8 @@ apt_packages+=('curl')
apt_packages+=('npm')
apt_packages+=('git')
apt_packages+=('golang-1.6')
+apt_packages+=('libxml2-utils')
+apt_packages+=('locales')
apt_packages+=('ninja-build')
apt_packages+=('pkg-config')
apt_packages+=('zlib1g-dev')
@@ -45,11 +47,19 @@ echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" >
apt-get -y update
apt-get install -y --no-install-recommends ${apt_packages[@]}
-# 32-bit builds
-ln -s /usr/include/x86_64-linux-gnu/zconf.h /usr/include
+# Download clang.
+curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+# Verify the signature.
+gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+gpg --verify *.tar.xz.sig
+# Install into /usr/local/.
+tar xJvf *.tar.xz -C /usr/local --strip-components=1
+# Cleanup.
+rm *.tar.xz*
-# Install clang-3.9 into /usr/local/.
-curl -L http://llvm.org/releases/3.9.0/clang+llvm-3.9.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz | tar xJv -C /usr/local --strip-components=1
+# Install latest Rust (stable).
+su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
locale-gen en_US.UTF-8
dpkg-reconfigure locales
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index a6a8fcbe2..d541a1a3b 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -5,7 +5,20 @@
import merge from "./merge";
import * as queue from "./queue";
-const LINUX_IMAGE = {name: "linux", path: "automation/taskcluster/docker"};
+const LINUX_IMAGE = {
+ name: "linux",
+ path: "automation/taskcluster/docker"
+};
+
+const LINUX_CLANG39_IMAGE = {
+ name: "linux-clang-3.9",
+ path: "automation/taskcluster/docker-clang-3.9"
+};
+
+const FUZZ_IMAGE = {
+ name: "fuzz",
+ path: "automation/taskcluster/docker-fuzz"
+};
const WINDOWS_CHECKOUT_CMD =
"bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
@@ -17,33 +30,45 @@ const WINDOWS_CHECKOUT_CMD =
queue.filter(task => {
if (task.group == "Builds") {
// Remove extra builds on {A,UB}San and ARM.
- if (task.collection == "asan" || task.collection == "arm-debug" ||
- task.collection == "gyp-asan") {
+ if (task.collection == "asan" || task.platform == "aarch64") {
return false;
}
- // Remove extra builds w/o libpkix for non-linux64-debug.
- if (task.symbol == "noLibpkix" &&
- (task.platform != "linux64" || task.collection != "debug")) {
+ // Make modular builds only on Linux make.
+ if (task.symbol == "modular" && task.collection != "make") {
return false;
}
}
- if (task.tests == "bogo") {
- // No BoGo tests on Windows.
- if (task.platform == "windows2012-64") {
+ if (task.tests == "bogo" || task.tests == "interop") {
+ // No windows
+ if (task.platform == "windows2012-64" ||
+ task.platform == "windows2012-32") {
return false;
}
- // No BoGo tests on ARM.
- if (task.collection == "arm-debug") {
+ // No ARM; TODO: enable
+ if (task.platform == "aarch64") {
return false;
}
}
- // GYP builds with -Ddisable_libpkix=1 by default.
- if ((task.collection == "gyp" || task.collection == "gyp-asan") &&
- task.tests == "chains") {
+ // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
+ if (task.tests == "chains" && task.collection != "make") {
+ return false;
+ }
+
+ if (task.group == "Test") {
+ // Don't run test builds on old make platforms
+ if (task.collection == "make") {
+ return false;
+ }
+ }
+
+ // Don't run additional hardware tests on ARM (we don't have anything there).
+ if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
+ (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
+ || task.env.NSS_DISABLE_AVX == "1")) {
return false;
}
@@ -51,29 +76,18 @@ queue.filter(task => {
});
queue.map(task => {
- if (task.collection == "asan" || task.collection == "gyp-asan") {
+ if (task.collection == "asan") {
// CRMF and FIPS tests still leak, unfortunately.
if (task.tests == "crmf" || task.tests == "fips") {
task.env.ASAN_OPTIONS = "detect_leaks=0";
}
}
- if (task.collection == "arm-debug") {
- // These tests take quite some time on our poor ARM devices.
- if (task.tests == "chains" || (task.tests == "ssl" && task.cycle == "standard")) {
- task.maxRunTime = 14400;
- }
- }
-
// Windows is slow.
if (task.platform == "windows2012-64" && task.tests == "chains") {
task.maxRunTime = 7200;
}
- // Enable TLS 1.3 for every task.
- task.env = task.env || {};
- task.env.NSS_ENABLE_TLS_1_3 = "1";
-
return task;
});
@@ -81,58 +95,48 @@ queue.map(task => {
export default async function main() {
await scheduleLinux("Linux 32 (opt)", {
- env: {BUILD_OPT: "1"},
platform: "linux32",
image: LINUX_IMAGE
- });
+ }, "-m32 --opt");
await scheduleLinux("Linux 32 (debug)", {
platform: "linux32",
collection: "debug",
image: LINUX_IMAGE
- });
+ }, "-m32");
await scheduleLinux("Linux 64 (opt)", {
- env: {USE_64: "1", BUILD_OPT: "1"},
platform: "linux64",
image: LINUX_IMAGE
- });
+ }, "--opt");
await scheduleLinux("Linux 64 (debug)", {
- env: {USE_64: "1"},
platform: "linux64",
collection: "debug",
image: LINUX_IMAGE
});
- await scheduleLinux("Linux 64 (debug, gyp)", {
+ await scheduleLinux("Linux 64 (debug, make)", {
+ env: {USE_64: "1"},
+ platform: "linux64",
+ image: LINUX_IMAGE,
+ collection: "make",
command: [
- "/bin/bash",
- "-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
],
- platform: "linux64",
- collection: "gyp",
- image: LINUX_IMAGE
});
- await scheduleLinux("Linux 64 (debug, gyp, asan, ubsan)", {
+ await scheduleLinux("Linux 32 (debug, make)", {
+ platform: "linux32",
+ image: LINUX_IMAGE,
+ collection: "make",
command: [
- "/bin/bash",
- "-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh -g -v --ubsan --asan"
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
],
- env: {
- ASAN_OPTIONS: "detect_odr_violation=0", // bug 1316276
- UBSAN_OPTIONS: "print_stacktrace=1",
- NSS_DISABLE_ARENA_FREE_LIST: "1",
- NSS_DISABLE_UNLOAD: "1",
- CC: "clang",
- CCC: "clang++"
- },
- platform: "linux64",
- collection: "gyp-asan",
- image: LINUX_IMAGE
});
await scheduleLinux("Linux 64 (ASan, debug)", {
@@ -142,49 +146,87 @@ export default async function main() {
NSS_DISABLE_UNLOAD: "1",
CC: "clang",
CCC: "clang++",
- USE_UBSAN: "1",
- USE_ASAN: "1",
- USE_64: "1"
},
platform: "linux64",
collection: "asan",
- image: LINUX_IMAGE
- });
+ image: LINUX_IMAGE,
+ features: ["allowPtrace"],
+ }, "--ubsan --asan");
+
+ await scheduleWindows("Windows 2012 64 (debug, make)", {
+ platform: "windows2012-64",
+ collection: "make",
+ env: {USE_64: "1"}
+ }, "build.sh");
+
+ await scheduleWindows("Windows 2012 32 (debug, make)", {
+ platform: "windows2012-32",
+ collection: "make"
+ }, "build.sh");
await scheduleWindows("Windows 2012 64 (opt)", {
- env: {BUILD_OPT: "1"}
- });
+ platform: "windows2012-64",
+ }, "build_gyp.sh --opt");
await scheduleWindows("Windows 2012 64 (debug)", {
+ platform: "windows2012-64",
collection: "debug"
- });
+ }, "build_gyp.sh");
- await scheduleFuzzing();
+ await scheduleWindows("Windows 2012 32 (opt)", {
+ platform: "windows2012-32",
+ }, "build_gyp.sh --opt -m32");
- await scheduleTestBuilds();
+ await scheduleWindows("Windows 2012 32 (debug)", {
+ platform: "windows2012-32",
+ collection: "debug"
+ }, "build_gyp.sh -m32");
+
+ await scheduleFuzzing();
+ await scheduleFuzzing32();
await scheduleTools();
- await scheduleLinux("Linux 32 (ARM, debug)", {
- image: "franziskus/nss-arm-ci",
+ let aarch64_base = {
+ image: "franziskus/nss-aarch64-ci",
provisioner: "localprovisioner",
- collection: "arm-debug",
- workerType: "nss-rpi",
- platform: "linux32",
- maxRunTime: 7200,
- tier: 3
- });
+ workerType: "nss-aarch64",
+ platform: "aarch64",
+ maxRunTime: 7200
+ };
+
+ await scheduleLinux("Linux AArch64 (debug)",
+ merge({
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
+ ],
+ collection: "debug",
+ }, aarch64_base)
+ );
+
+ await scheduleLinux("Linux AArch64 (opt)",
+ merge({
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
+ ],
+ collection: "opt",
+ }, aarch64_base)
+ );
}
/*****************************************************************************/
-async function scheduleLinux(name, base) {
+async function scheduleLinux(name, base, args = "") {
// Build base definition.
let build_base = merge({
command: [
"/bin/bash",
"-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh " + args
],
artifacts: {
public: {
@@ -224,12 +266,12 @@ async function scheduleLinux(name, base) {
// Extra builds.
let extra_base = merge({group: "Builds"}, build_base);
queue.scheduleTask(merge(extra_base, {
- name: `${name} w/ clang-3.9`,
+ name: `${name} w/ clang-4.0`,
env: {
CC: "clang",
CCC: "clang++",
},
- symbol: "clang-3.9"
+ symbol: "clang-4.0"
}));
queue.scheduleTask(merge(extra_base, {
@@ -251,30 +293,54 @@ async function scheduleLinux(name, base) {
}));
queue.scheduleTask(merge(extra_base, {
- name: `${name} w/ NSS_DISABLE_LIBPKIX=1`,
- env: {NSS_DISABLE_LIBPKIX: "1"},
- symbol: "noLibpkix"
+ name: `${name} w/ modular builds`,
+ env: {NSS_BUILD_MODULAR: "1"},
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh",
+ ],
+ symbol: "modular"
}));
+ await scheduleTestBuilds(merge(base, {group: "Test"}), args);
+
return queue.submit();
}
/*****************************************************************************/
+function scheduleFuzzingRun(base, name, target, max_len, symbol = null, corpus = null) {
+ const MAX_FUZZ_TIME = 300;
+
+ queue.scheduleTask(merge(base, {
+ name,
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
+ `${target} nss/fuzz/corpus/${corpus || target} ` +
+ `-max_total_time=${MAX_FUZZ_TIME} ` +
+ `-max_len=${max_len}`
+ ],
+ symbol: symbol || name
+ }));
+}
+
async function scheduleFuzzing() {
let base = {
env: {
- // bug 1316276
- ASAN_OPTIONS: "allocator_may_return_null=1:detect_odr_violation=0",
+ ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1",
UBSAN_OPTIONS: "print_stacktrace=1",
NSS_DISABLE_ARENA_FREE_LIST: "1",
NSS_DISABLE_UNLOAD: "1",
CC: "clang",
CCC: "clang++"
},
+ features: ["allowPtrace"],
platform: "linux64",
collection: "fuzz",
- image: LINUX_IMAGE
+ image: FUZZ_IMAGE
};
// Build base definition.
@@ -301,9 +367,22 @@ async function scheduleFuzzing() {
name: "Linux x64 (debug, fuzz)"
}));
+ // The task that builds NSPR+NSS (TLS fuzzing mode).
+ let task_build_tls = queue.scheduleTask(merge(build_base, {
+ name: "Linux x64 (debug, TLS fuzz)",
+ symbol: "B",
+ group: "TLS",
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && " +
+ "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls"
+ ],
+ }));
+
// Schedule tests.
queue.scheduleTask(merge(base, {
- parent: task_build,
+ parent: task_build_tls,
name: "Gtests",
command: [
"/bin/bash",
@@ -317,56 +396,155 @@ async function scheduleFuzzing() {
kind: "test"
}));
- queue.scheduleTask(merge(base, {
- parent: task_build,
- name: "Cert",
+ // Schedule fuzzing runs.
+ let run_base = merge(base, {parent: task_build, kind: "test"});
+ scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
+ scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
+
+ // Schedule MPI fuzzing runs.
+ let mpi_base = merge(run_base, {group: "MPI"});
+ let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr",
+ "sqrmod", "sub", "submod"];
+ for (let name of mpi_names) {
+ scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name);
+ }
+ scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod");
+
+ // Schedule TLS fuzzing runs (non-fuzzing mode).
+ let tls_base = merge(run_base, {group: "TLS"});
+ scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm",
+ "tls-client-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm",
+ "tls-server-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000,
+ "dtls-client-nfm", "dtls-client-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000,
+ "dtls-server-nfm", "dtls-server-no_fuzzer_mode");
+
+ // Schedule TLS fuzzing runs (fuzzing mode).
+ let tls_fm_base = merge(tls_base, {parent: task_build_tls});
+ scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client");
+ scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server");
+ scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client");
+ scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server");
+
+ return queue.submit();
+}
+
+async function scheduleFuzzing32() {
+ let base = {
+ env: {
+ ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1",
+ UBSAN_OPTIONS: "print_stacktrace=1",
+ NSS_DISABLE_ARENA_FREE_LIST: "1",
+ NSS_DISABLE_UNLOAD: "1",
+ CC: "clang",
+ CCC: "clang++"
+ },
+ features: ["allowPtrace"],
+ platform: "linux32",
+ collection: "fuzz",
+ image: FUZZ_IMAGE
+ };
+
+ // Build base definition.
+ let build_base = merge({
command: [
"/bin/bash",
"-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
- "cert nss/fuzz/corpus/cert -max_total_time=300"
+ "bin/checkout.sh && " +
+ "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
],
- // Need a privileged docker container to remove this.
- env: {ASAN_OPTIONS: "detect_leaks=0"},
- symbol: "SCert",
- kind: "test"
+ artifacts: {
+ public: {
+ expires: 24 * 7,
+ type: "directory",
+ path: "/home/worker/artifacts"
+ }
+ },
+ kind: "build",
+ symbol: "B"
+ }, base);
+
+ // The task that builds NSPR+NSS.
+ let task_build = queue.scheduleTask(merge(build_base, {
+ name: "Linux 32 (debug, fuzz)"
}));
+ // The task that builds NSPR+NSS (TLS fuzzing mode).
+ let task_build_tls = queue.scheduleTask(merge(build_base, {
+ name: "Linux 32 (debug, TLS fuzz)",
+ symbol: "B",
+ group: "TLS",
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && " +
+ "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
+ ],
+ }));
+
+ // Schedule tests.
queue.scheduleTask(merge(base, {
- parent: task_build,
- name: "SPKI",
+ parent: task_build_tls,
+ name: "Gtests",
command: [
"/bin/bash",
"-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
- "spki nss/fuzz/corpus/spki -max_total_time=300"
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
],
- // Need a privileged docker container to remove this.
- env: {ASAN_OPTIONS: "detect_leaks=0"},
- symbol: "SPKI",
+ env: {GTESTFILTER: "*Fuzz*"},
+ tests: "ssl_gtests gtests",
+ cycle: "standard",
+ symbol: "Gtest",
kind: "test"
}));
+ // Schedule fuzzing runs.
+ let run_base = merge(base, {parent: task_build, kind: "test"});
+ scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
+ scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
+
+ // Schedule MPI fuzzing runs.
+ let mpi_base = merge(run_base, {group: "MPI"});
+ let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr",
+ "sqrmod", "sub", "submod"];
+ for (let name of mpi_names) {
+ scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name);
+ }
+ scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod");
+
+ // Schedule TLS fuzzing runs (non-fuzzing mode).
+ let tls_base = merge(run_base, {group: "TLS"});
+ scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm",
+ "tls-client-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm",
+ "tls-server-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000,
+ "dtls-client-nfm", "dtls-client-no_fuzzer_mode");
+ scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000,
+ "dtls-server-nfm", "dtls-server-no_fuzzer_mode");
+
+ // Schedule TLS fuzzing runs (fuzzing mode).
+ let tls_fm_base = merge(tls_base, {parent: task_build_tls});
+ scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client");
+ scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server");
+ scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client");
+ scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server");
+
return queue.submit();
}
/*****************************************************************************/
-async function scheduleTestBuilds() {
- let base = {
- platform: "linux64",
- collection: "gyp",
- group: "Test",
- image: LINUX_IMAGE
- };
-
+async function scheduleTestBuilds(base, args = "") {
// Build base definition.
let build = merge({
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && " +
- "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test"
+ "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test --ct-verif " + args
],
artifacts: {
public: {
@@ -377,7 +555,7 @@ async function scheduleTestBuilds() {
},
kind: "build",
symbol: "B",
- name: "Linux 64 (debug, gyp, test)"
+ name: "Linux 64 (debug, test)"
}, base);
// The task that builds NSPR+NSS.
@@ -397,6 +575,19 @@ async function scheduleTestBuilds() {
symbol: "mpi",
kind: "test"
}));
+ queue.scheduleTask(merge(base, {
+ parent: task_build,
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
+ ],
+ name: "Gtests",
+ symbol: "Gtest",
+ tests: "gtests",
+ cycle: "standard",
+ kind: "test"
+ }));
return queue.submit();
}
@@ -404,10 +595,9 @@ async function scheduleTestBuilds() {
/*****************************************************************************/
-async function scheduleWindows(name, base) {
+async function scheduleWindows(name, base, build_script) {
base = merge(base, {
workerType: "nss-win2012r2",
- platform: "windows2012-64",
env: {
PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;" +
"c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;" +
@@ -417,7 +607,6 @@ async function scheduleWindows(name, base) {
"c:\\mozilla-build\\wget",
DOMSUF: "localdomain",
HOST: "localhost",
- USE_64: "1"
}
});
@@ -425,7 +614,7 @@ async function scheduleWindows(name, base) {
let build_base = merge(base, {
command: [
WINDOWS_CHECKOUT_CMD,
- "bash -c nss/automation/taskcluster/windows/build.sh"
+ `bash -c 'nss/automation/taskcluster/windows/${build_script}'`
],
artifacts: [{
expires: 24 * 7,
@@ -475,10 +664,25 @@ function scheduleTests(task_build, task_cert, test_base) {
name: "Bogo tests", symbol: "Bogo", tests: "bogo", cycle: "standard"
}));
queue.scheduleTask(merge(no_cert_base, {
+ name: "Interop tests", symbol: "Interop", tests: "interop", cycle: "standard"
+ }));
+ queue.scheduleTask(merge(no_cert_base, {
name: "Chains tests", symbol: "Chains", tests: "chains"
}));
queue.scheduleTask(merge(no_cert_base, {
- name: "Cipher tests", symbol: "Cipher", tests: "cipher"
+ name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher"
+ }));
+ queue.scheduleTask(merge(no_cert_base, {
+ name: "Cipher tests", symbol: "NoAESNI", tests: "cipher",
+ env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher"
+ }));
+ queue.scheduleTask(merge(no_cert_base, {
+ name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher",
+ env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher"
+ }));
+ queue.scheduleTask(merge(no_cert_base, {
+ name: "Cipher tests", symbol: "NoAVX", tests: "cipher",
+ env: {NSS_DISABLE_AVX: "1"}, group: "Cipher"
}));
queue.scheduleTask(merge(no_cert_base, {
name: "EC tests", symbol: "EC", tests: "ec"
@@ -531,7 +735,6 @@ function scheduleTests(task_build, task_cert, test_base) {
async function scheduleTools() {
let base = {
- image: LINUX_IMAGE,
platform: "nss-tools",
kind: "test"
};
@@ -539,16 +742,18 @@ async function scheduleTools() {
queue.scheduleTask(merge(base, {
symbol: "clang-format-3.9",
name: "clang-format-3.9",
+ image: LINUX_CLANG39_IMAGE,
command: [
"/bin/bash",
"-c",
- "bin/checkout.sh && nss/automation/taskcluster/scripts/run_clang_format.sh"
+ "bin/checkout.sh && nss/automation/clang-format/run_clang_format.sh"
]
}));
queue.scheduleTask(merge(base, {
- symbol: "scan-build-3.9",
- name: "scan-build-3.9",
+ symbol: "scan-build-4.0",
+ name: "scan-build-4.0",
+ image: LINUX_IMAGE,
env: {
USE_64: "1",
CC: "clang",
diff --git a/security/nss/automation/taskcluster/graph/src/queue.js b/security/nss/automation/taskcluster/graph/src/queue.js
index 2a4a7b3fe..29b570729 100644
--- a/security/nss/automation/taskcluster/graph/src/queue.js
+++ b/security/nss/automation/taskcluster/graph/src/queue.js
@@ -25,10 +25,18 @@ function fromNow(hours) {
}
function parseRoutes(routes) {
- return [
+ let rv = [
`tc-treeherder.v2.${process.env.TC_PROJECT}.${process.env.NSS_HEAD_REVISION}.${process.env.NSS_PUSHLOG_ID}`,
...routes
];
+
+ // Notify about failures (except on try).
+ if (process.env.TC_PROJECT != "nss-try") {
+ rv.push(`notify.email.${process.env.TC_OWNER}.on-failed`,
+ `notify.email.${process.env.TC_OWNER}.on-exception`);
+ }
+
+ return rv;
}
function parseFeatures(list) {
@@ -80,6 +88,7 @@ function parseTreeherder(def) {
}
function convertTask(def) {
+ let scopes = [];
let dependencies = [];
let env = merge({
@@ -110,12 +119,16 @@ function convertTask(def) {
payload.image = def.image;
}
+ if (def.artifacts) {
+ payload.artifacts = parseArtifacts(def.artifacts);
+ }
+
if (def.features) {
payload.features = parseFeatures(def.features);
- }
- if (def.artifacts) {
- payload.artifacts = parseArtifacts(def.artifacts);
+ if (payload.features.allowPtrace) {
+ scopes.push("docker-worker:feature:allowPtrace");
+ }
}
return {
@@ -123,6 +136,7 @@ function convertTask(def) {
workerType: def.workerType || "hg-worker",
schedulerId: "task-graph-scheduler",
+ scopes,
created: fromNow(0),
deadline: fromNow(24),
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index 695c9e92f..7748e068a 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -22,8 +22,10 @@ function parseOptions(opts) {
}
// Parse platforms.
- let allPlatforms = ["linux", "linux64", "linux64-asan", "win64", "arm",
- "linux64-gyp", "linux64-gyp-asan", "linux64-fuzz"];
+ let allPlatforms = ["linux", "linux64", "linux64-asan",
+ "win", "win64", "win-make", "win64-make",
+ "linux64-make", "linux-make", "linux-fuzz",
+ "linux64-fuzz", "aarch64"];
let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
// If the given value is nonsense or "none" default to all platforms.
@@ -34,7 +36,7 @@ function parseOptions(opts) {
// Parse unit tests.
let aliases = {"gtests": "gtest"};
let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
- "gtest", "lowhash", "merge", "sdr", "smime", "tools",
+ "gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
"ssl", "mpi", "scert", "spki"];
let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
return aliases[t] || t;
@@ -82,11 +84,13 @@ function filter(opts) {
// Filter unit tests.
if (task.tests) {
let found = opts.unittests.some(test => {
- // TODO: think of something more intelligent here.
- if (task.symbol.toLowerCase().startsWith("mpi") && test == "mpi") {
+ if (task.group && task.group.toLowerCase() == "ssl" && test == "ssl") {
return true;
}
- return (task.group || task.symbol).toLowerCase().startsWith(test);
+ if (task.group && task.group.toLowerCase() == "cipher" && test == "cipher") {
+ return true;
+ }
+ return task.symbol.toLowerCase().startsWith(test);
});
if (!found) {
@@ -105,12 +109,15 @@ function filter(opts) {
let found = opts.platforms.some(platform => {
let aliases = {
"linux": "linux32",
+ "linux-fuzz": "linux32",
"linux64-asan": "linux64",
"linux64-fuzz": "linux64",
- "linux64-gyp": "linux64",
- "linux64-gyp-asan": "linux64",
+ "linux64-make": "linux64",
+ "linux-make": "linux32",
+ "win64-make": "windows2012-64",
+ "win-make": "windows2012-32",
"win64": "windows2012-64",
- "arm": "linux32"
+ "win": "windows2012-32"
};
// Check the platform name.
@@ -119,13 +126,10 @@ function filter(opts) {
// Additional checks.
if (platform == "linux64-asan") {
keep &= coll("asan");
- } else if (platform == "arm") {
- keep &= coll("arm-opt") || coll("arm-debug");
- } else if (platform == "linux64-gyp") {
- keep &= coll("gyp");
- } else if (platform == "linux64-gyp-asan") {
- keep &= coll("gyp-asan");
- } else if (platform == "linux64-fuzz") {
+ } else if (platform == "linux64-make" || platform == "linux-make" ||
+ platform == "win64-make" || platform == "win-make") {
+ keep &= coll("make");
+ } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") {
keep &= coll("fuzz");
} else {
keep &= coll("opt") || coll("debug");
@@ -139,8 +143,8 @@ function filter(opts) {
}
// Finally, filter by build type.
- let isDebug = coll("debug") || coll("asan") || coll("arm-debug") ||
- coll("gyp") || coll("fuzz");
+ let isDebug = coll("debug") || coll("asan") || coll("make") ||
+ coll("fuzz");
return (isDebug && opts.builds.includes("d")) ||
(!isDebug && opts.builds.includes("o"));
}
diff --git a/security/nss/automation/taskcluster/scripts/build.sh b/security/nss/automation/taskcluster/scripts/build.sh
index 69968b138..649fdaa1b 100755
--- a/security/nss/automation/taskcluster/scripts/build.sh
+++ b/security/nss/automation/taskcluster/scripts/build.sh
@@ -1,14 +1,17 @@
#!/usr/bin/env bash
-source $(dirname $0)/tools.sh
+source $(dirname "$0")/tools.sh
-if [[ $(id -u) -eq 0 ]]; then
- # Drop privileges by re-running this script.
- exec su worker $0
+if [ -n "$NSS_BUILD_MODULAR" ]; then
+ $(dirname "$0")/build_nspr.sh || exit $?
+ $(dirname "$0")/build_util.sh || exit $?
+ $(dirname "$0")/build_softoken.sh || exit $?
+ $(dirname "$0")/build_nss.sh || exit $?
+ exit
fi
# Clone NSPR if needed.
-hg_clone https://hg.mozilla.org/projects/nspr nspr default
+hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
# Build.
make -C nss nss_build_all
diff --git a/security/nss/automation/taskcluster/scripts/build_gyp.sh b/security/nss/automation/taskcluster/scripts/build_gyp.sh
index 590e634a3..7190bd5c4 100755
--- a/security/nss/automation/taskcluster/scripts/build_gyp.sh
+++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh
@@ -1,17 +1,12 @@
#!/usr/bin/env bash
-source $(dirname $0)/tools.sh
-
-if [[ $(id -u) -eq 0 ]]; then
- # Drop privileges by re-running this script.
- exec su worker -c "$0 $*"
-fi
+source $(dirname "$0")/tools.sh
# Clone NSPR if needed.
-hg_clone https://hg.mozilla.org/projects/nspr nspr default
+hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
# Build.
-nss/build.sh ${*--g -v}
+nss/build.sh -g -v "$@"
# Package.
mkdir artifacts
diff --git a/security/nss/automation/taskcluster/scripts/build_nspr.sh b/security/nss/automation/taskcluster/scripts/build_nspr.sh
new file mode 100644
index 000000000..4d1903460
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build_nspr.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+
+# Clone NSPR if needed.
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
+
+# Build.
+rm -rf dist
+make -C nss build_nspr
+
+# Package.
+test -d artifacts || mkdir artifacts
+rm -rf dist-nspr
+mv dist dist-nspr
+tar cvfjh artifacts/dist-nspr.tar.bz2 dist-nspr
diff --git a/security/nss/automation/taskcluster/scripts/build_nss.sh b/security/nss/automation/taskcluster/scripts/build_nss.sh
new file mode 100644
index 000000000..b909bc30e
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build_nss.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+source $(dirname $0)/split.sh
+
+test -d dist-softoken || { echo "run build_softoken.sh first" 1>&2; exit 1; }
+
+rm -rf nss-nss
+split_nss nss nss-nss
+
+# Build.
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+export NSS_USE_SYSTEM_FREEBL=1
+
+platform=`make -s -C nss platform`
+
+export NSPR_LIB_DIR="$PWD/dist-nspr/$platform/lib"
+export NSSUTIL_LIB_DIR="$PWD/dist-util/$platform/lib"
+export FREEBL_LIB_DIR="$PWD/dist-softoken/$platform/lib"
+export SOFTOKEN_LIB_DIR="$PWD/dist-softoken/$platform/lib"
+export FREEBL_LIBS=-lfreebl
+
+export NSS_NO_PKCS11_BYPASS=1
+export FREEBL_NO_DEPEND=1
+
+export LIBRARY_PATH="$PWD/dist-nspr/$platform/lib:$PWD/dist-util/$platform/lib:$PWD/dist-softoken/$platform/lib"
+export LD_LIBRARY_PATH="$LIBRARY_PATH:$LD_LIBRARY_PATH"
+export INCLUDES="-I$PWD/dist-nspr/$platform/include -I$PWD/dist-util/public/nss -I$PWD/dist-softoken/public/nss"
+
+rm -rf dist
+make -C nss-nss nss_build_all
+
+# Package.
+test -d artifacts || mkdir artifacts
+rm -rf dist-nss
+mv dist dist-nss
+tar cvfjh artifacts/dist-nss.tar.bz2 dist-nss
diff --git a/security/nss/automation/taskcluster/scripts/build_softoken.sh b/security/nss/automation/taskcluster/scripts/build_softoken.sh
new file mode 100644
index 000000000..e5aaecccf
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build_softoken.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+source $(dirname $0)/split.sh
+
+test -d dist-util || { echo "run build_util.sh first" 1>&2; exit 1; }
+
+rm -rf nss-softoken
+split_softoken nss nss-softoken
+
+# Build.
+platform=`make -s -C nss platform`
+export LIBRARY_PATH="$PWD/dist-nspr/$platform/lib:$PWD/dist-util/$platform/lib"
+export LD_LIBRARY_PATH="$LIBRARY_PATH:$LD_LIBRARY_PATH"
+export INCLUDES="-I$PWD/dist-nspr/$platform/include -I$PWD/dist-util/public/nss"
+export NSS_BUILD_SOFTOKEN_ONLY=1
+
+rm -rf dist
+make -C nss-softoken nss_build_all
+
+mv dist/private/nss/blapi.h dist/public/nss
+mv dist/private/nss/alghmac.h dist/public/nss
+
+# Package.
+test -d artifacts || mkdir artifacts
+rm -rf dist-softoken
+mv dist dist-softoken
+tar cvfjh artifacts/dist-softoken.tar.bz2 dist-softoken
diff --git a/security/nss/automation/taskcluster/scripts/build_util.sh b/security/nss/automation/taskcluster/scripts/build_util.sh
new file mode 100644
index 000000000..0d2ecc5e8
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build_util.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+source $(dirname $0)/split.sh
+
+rm -rf nss-util
+split_util nss nss-util
+
+# Build.
+platform=`make -s -C nss platform`
+export LIBRARY_PATH="$PWD/dist-nspr/$platform/lib"
+export LD_LIBRARY_PATH="$LIBRARY_PATH:$LD_LIBRARY_PATH"
+export INCLUDES="-I$PWD/dist-nspr/$platform/include"
+export NSS_BUILD_UTIL_ONLY=1
+
+rm -rf dist
+make -C nss-util nss_build_all
+
+# Package.
+test -d artifacts || mkdir artifacts
+rm -rf dist-util
+mv dist dist-util
+tar cvfjh artifacts/dist-util.tar.bz2 dist-util
diff --git a/security/nss/automation/taskcluster/scripts/extend_task_graph.sh b/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
index 5a3fb8d98..ade84cd60 100755
--- a/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
+++ b/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
@@ -1,11 +1,6 @@
#!/usr/bin/env bash
-set -v -e -x
-
-if [ $(id -u) = 0 ]; then
- # Drop privileges by re-running this script.
- exec su worker $0
-fi
+source $(dirname "$0")/tools.sh
mkdir -p /home/worker/artifacts
diff --git a/security/nss/automation/taskcluster/scripts/fuzz.sh b/security/nss/automation/taskcluster/scripts/fuzz.sh
index 5f8dd7bff..75851ff5b 100755
--- a/security/nss/automation/taskcluster/scripts/fuzz.sh
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@@ -1,20 +1,32 @@
#!/usr/bin/env bash
-source $(dirname $0)/tools.sh
+source $(dirname "$0")/tools.sh
-if [ $(id -u) = 0 ]; then
- # Drop privileges by re-running this script.
- exec su worker -c "$0 $*"
-fi
+type="$1"
+shift
# Fetch artifact if needed.
fetch_dist
# Clone corpus.
-./nss/fuzz/clone_corpus.sh
+./nss/fuzz/config/clone_corpus.sh
+
+# Ensure we have a corpus.
+if [ ! -d "nss/fuzz/corpus/$type" ]; then
+ mkdir -p nss/fuzz/corpus/$type
+
+ set +x
+
+ # Create a corpus out of what we have.
+ for f in $(find nss/fuzz/corpus -type f); do
+ cp $f "nss/fuzz/corpus/$type"
+ done
+
+ set -x
+fi
# Fetch objdir name.
objdir=$(cat dist/latest)
# Run nssfuzz.
-LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib dist/$objdir/bin/nssfuzz $*
+dist/$objdir/bin/nssfuzz-"$type" "$@"
diff --git a/security/nss/automation/taskcluster/scripts/gen_certs.sh b/security/nss/automation/taskcluster/scripts/gen_certs.sh
index aee100147..b8d4f60ba 100755
--- a/security/nss/automation/taskcluster/scripts/gen_certs.sh
+++ b/security/nss/automation/taskcluster/scripts/gen_certs.sh
@@ -1,16 +1,6 @@
#!/usr/bin/env bash
-set -v -e -x
-
-source $(dirname $0)/tools.sh
-
-if [ $(id -u) = 0 ]; then
- # Stupid Docker.
- echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
-
- # Drop privileges by re-running this script.
- exec su worker $0
-fi
+source $(dirname "$0")/tools.sh
# Fetch artifact if needed.
fetch_dist
diff --git a/security/nss/automation/taskcluster/scripts/run_clang_format.sh b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
deleted file mode 100755
index c4b60290f..000000000
--- a/security/nss/automation/taskcluster/scripts/run_clang_format.sh
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-if [ $(id -u) -eq 0 ]; then
- # Drop privileges by re-running this script.
- exec su worker $0 "$@"
-fi
-
-# Apply clang-format on the provided folder and verify that this doesn't change any file.
-# If any file differs after formatting, the script eventually exits with 1.
-# Any differences between formatted and unformatted files is printed to stdout to give a hint what's wrong.
-
-# Includes a default set of directories.
-
-if [ $# -gt 0 ]; then
- dirs=("$@")
-else
- top=$(dirname $0)/../../..
- dirs=( \
- "$top/cmd" \
- "$top/fuzz" \
- "$top/lib/base" \
- "$top/lib/certdb" \
- "$top/lib/certhigh" \
- "$top/lib/ckfw" \
- "$top/lib/crmf" \
- "$top/lib/cryptohi" \
- "$top/lib/dbm" \
- "$top/lib/dev" \
- "$top/lib/freebl" \
- "$top/lib/jar" \
- "$top/lib/nss" \
- "$top/lib/pk11wrap" \
- "$top/lib/pkcs7" \
- "$top/lib/pkcs12" \
- "$top/lib/pki" \
- "$top/lib/smime" \
- "$top/lib/softoken" \
- "$top/lib/ssl" \
- "$top/lib/sysinit" \
- "$top/lib/util" \
- "$top/gtests/common" \
- "$top/gtests/der_gtest" \
- "$top/gtests/freebl_gtest" \
- "$top/gtests/pk11_gtest" \
- "$top/gtests/ssl_gtest" \
- "$top/gtests/util_gtest" \
- )
-fi
-
-for dir in "${dirs[@]}"; do
- find "$dir" -type f \( -name '*.[ch]' -o -name '*.cc' \) -exec clang-format -i {} \+
-done
-
-TMPFILE=$(mktemp /tmp/$(basename $0).XXXXXX)
-trap 'rm $TMPFILE' exit
-if (cd $(dirname $0); hg root >/dev/null 2>&1); then
- hg diff --git "$top" | tee $TMPFILE
-else
- git -C "$top" diff | tee $TMPFILE
-fi
-[[ ! -s $TMPFILE ]]
diff --git a/security/nss/automation/taskcluster/scripts/run_scan_build.sh b/security/nss/automation/taskcluster/scripts/run_scan_build.sh
index 99f80ab5f..4024c226e 100755
--- a/security/nss/automation/taskcluster/scripts/run_scan_build.sh
+++ b/security/nss/automation/taskcluster/scripts/run_scan_build.sh
@@ -1,15 +1,10 @@
#!/usr/bin/env bash
-source $(dirname $0)/tools.sh
-
-if [ $(id -u) = 0 ]; then
- # Drop privileges by re-running this script.
- exec su worker $0 $@
-fi
+source $(dirname "$0")/tools.sh
# Clone NSPR if needed.
if [ ! -d "nspr" ]; then
- hg_clone https://hg.mozilla.org/projects/nspr nspr default
+ hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
fi
# Build.
diff --git a/security/nss/automation/taskcluster/scripts/run_tests.sh b/security/nss/automation/taskcluster/scripts/run_tests.sh
index 4c87e7e32..b8e26761a 100755
--- a/security/nss/automation/taskcluster/scripts/run_tests.sh
+++ b/security/nss/automation/taskcluster/scripts/run_tests.sh
@@ -1,14 +1,6 @@
#!/usr/bin/env bash
-source $(dirname $0)/tools.sh
-
-if [ $(id -u) = 0 ]; then
- # Stupid Docker.
- echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
-
- # Drop privileges by re-running this script.
- exec su worker $0
-fi
+source $(dirname "$0")/tools.sh
# Fetch artifact if needed.
fetch_dist
diff --git a/security/nss/automation/taskcluster/scripts/split.sh b/security/nss/automation/taskcluster/scripts/split.sh
new file mode 100644
index 000000000..4d18385ec
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/split.sh
@@ -0,0 +1,154 @@
+copy_top()
+{
+ srcdir_="$1"
+ dstdir_="$2"
+ files=`find "$srcdir_" -maxdepth 1 -mindepth 1 -type f`
+ for f in $files; do
+ cp -p "$f" "$dstdir_"
+ done
+}
+
+split_util() {
+ nssdir="$1"
+ dstdir="$2"
+
+ # Prepare a source tree only containing files to build nss-util:
+ #
+ # nss/dbm full directory
+ # nss/coreconf full directory
+ # nss top files only
+ # nss/lib top files only
+ # nss/lib/util full directory
+
+ # Copy everything.
+ cp -R $nssdir $dstdir
+
+ # Skip gtests when building.
+ sed '/^DIRS = /s/ cpputil gtests$//' $nssdir/manifest.mn > $dstdir/manifest.mn-t && mv $dstdir/manifest.mn-t $dstdir/manifest.mn
+
+ # Remove subdirectories that we don't want.
+ rm -rf $dstdir/cmd
+ rm -rf $dstdir/tests
+ rm -rf $dstdir/lib
+ rm -rf $dstdir/automation
+ rm -rf $dstdir/gtests
+ rm -rf $dstdir/cpputil
+ rm -rf $dstdir/doc
+
+ # Start with an empty cmd lib directories to be filled selectively.
+ mkdir $dstdir/cmd
+ cp $nssdir/cmd/Makefile $dstdir/cmd
+ cp $nssdir/cmd/manifest.mn $dstdir/cmd
+ cp $nssdir/cmd/platlibs.mk $dstdir/cmd
+ cp $nssdir/cmd/platrules.mk $dstdir/cmd
+
+ # Copy some files at the top and the util subdirectory recursively.
+ mkdir $dstdir/lib
+ cp $nssdir/lib/Makefile $dstdir/lib
+ cp $nssdir/lib/manifest.mn $dstdir/lib
+ cp -R $nssdir/lib/util $dstdir/lib/util
+}
+
+split_softoken() {
+ nssdir="$1"
+ dstdir="$2"
+
+ # Prepare a source tree only containing files to build nss-softoken:
+ #
+ # nss/dbm full directory
+ # nss/coreconf full directory
+ # nss top files only
+ # nss/lib top files only
+ # nss/lib/freebl full directory
+ # nss/lib/softoken full directory
+ # nss/lib/softoken/dbm full directory
+
+ # Copy everything.
+ cp -R $nssdir $dstdir
+
+ # Skip gtests when building.
+ sed '/^DIRS = /s/ cpputil gtests$//' $nssdir/manifest.mn > $dstdir/manifest.mn-t && mv $dstdir/manifest.mn-t $dstdir/manifest.mn
+
+ # Remove subdirectories that we don't want.
+ rm -rf $dstdir/cmd
+ rm -rf $dstdir/tests
+ rm -rf $dstdir/lib
+ rm -rf $dstdir/pkg
+ rm -rf $dstdir/automation
+ rm -rf $dstdir/gtests
+ rm -rf $dstdir/cpputil
+ rm -rf $dstdir/doc
+
+ # Start with an empty lib directory and copy only what we need.
+ mkdir $dstdir/lib
+ copy_top $nssdir/lib $dstdir/lib
+ cp -R $nssdir/lib/dbm $dstdir/lib/dbm
+ cp -R $nssdir/lib/freebl $dstdir/lib/freebl
+ cp -R $nssdir/lib/softoken $dstdir/lib/softoken
+ cp -R $nssdir/lib/sqlite $dstdir/lib/sqlite
+
+ mkdir $dstdir/cmd
+ copy_top $nssdir/cmd $dstdir/cmd
+ cp -R $nssdir/cmd/bltest $dstdir/cmd/bltest
+ cp -R $nssdir/cmd/ecperf $dstdir/cmd/ecperf
+ cp -R $nssdir/cmd/fbectest $dstdir/cmd/fbectest
+ cp -R $nssdir/cmd/fipstest $dstdir/cmd/fipstest
+ cp -R $nssdir/cmd/lib $dstdir/cmd/lib
+ cp -R $nssdir/cmd/lowhashtest $dstdir/cmd/lowhashtest
+ cp -R $nssdir/cmd/shlibsign $dstdir/cmd/shlibsign
+
+ mkdir $dstdir/tests
+ copy_top $nssdir/tests $dstdir/tests
+
+ cp -R $nssdir/tests/cipher $dstdir/tests/cipher
+ cp -R $nssdir/tests/common $dstdir/tests/common
+ cp -R $nssdir/tests/ec $dstdir/tests/ec
+ cp -R $nssdir/tests/lowhash $dstdir/tests/lowhash
+
+ cp $nssdir/lib/util/verref.h $dstdir/lib/freebl
+ cp $nssdir/lib/util/verref.h $dstdir/lib/softoken
+ cp $nssdir/lib/util/verref.h $dstdir/lib/softoken/legacydb
+}
+
+split_nss() {
+ nssdir="$1"
+ dstdir="$2"
+
+ # Prepare a source tree only containing files to build nss:
+ #
+ # nss/dbm full directory
+ # nss/coreconf full directory
+ # nss top files only
+ # nss/lib top files only
+ # nss/lib/freebl full directory
+ # nss/lib/softoken full directory
+ # nss/lib/softoken/dbm full directory
+
+ # Copy everything.
+ cp -R $nssdir $dstdir
+
+ # Remove subdirectories that we don't want.
+ rm -rf $dstdir/lib/freebl
+ rm -rf $dstdir/lib/softoken
+ rm -rf $dstdir/lib/util
+ rm -rf $dstdir/cmd/bltest
+ rm -rf $dstdir/cmd/fipstest
+ rm -rf $dstdir/cmd/rsaperf_low
+
+ # Copy these headers until the upstream bug is accepted
+ # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
+ cp $nssdir/lib/softoken/lowkeyi.h $dstdir/cmd/rsaperf
+ cp $nssdir/lib/softoken/lowkeyti.h $dstdir/cmd/rsaperf
+
+ # Copy verref.h which will be needed later during the build phase.
+ cp $nssdir/lib/util/verref.h $dstdir/lib/ckfw/builtins/verref.h
+ cp $nssdir/lib/util/verref.h $dstdir/lib/nss/verref.h
+ cp $nssdir/lib/util/verref.h $dstdir/lib/smime/verref.h
+ cp $nssdir/lib/util/verref.h $dstdir/lib/ssl/verref.h
+ cp $nssdir/lib/util/templates.c $dstdir/lib/nss/templates.c
+
+ # FIXME: Skip util_gtest because it links with libnssutil.a. Note
+ # that we can't use libnssutil3.so instead, because util_gtest
+ # depends on internal symbols not exported from the shared library.
+ sed '/ util_gtest \\/d' $dstdir/gtests/manifest.mn > $dstdir/gtests/manifest.mn-t && mv $dstdir/gtests/manifest.mn-t $dstdir/gtests/manifest.mn
+}
diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh
index dacfdeb28..46d567e3a 100644
--- a/security/nss/automation/taskcluster/scripts/tools.sh
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -2,11 +2,21 @@
set -v -e -x
+if [[ $(id -u) -eq 0 ]]; then
+ # Drop privileges by re-running this script.
+ # Note: this mangles arguments, better to avoid running scripts as root.
+ exec su worker -c "$0 $*"
+fi
+
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
dir=$2
rev=${3:-@}
+ if [ -d "$dir" ]; then
+ hg pull -R "$dir" -ur "$rev" "$repo" && return
+ rm -rf "$dir"
+ fi
for i in 0 2 5; do
sleep $i
hg clone -r "$rev" "$repo" "$dir" && return
diff --git a/security/nss/automation/taskcluster/windows/build.sh b/security/nss/automation/taskcluster/windows/build.sh
index 6c8a47470..46136153d 100644
--- a/security/nss/automation/taskcluster/windows/build.sh
+++ b/security/nss/automation/taskcluster/windows/build.sh
@@ -3,7 +3,11 @@
set -v -e -x
# Set up the toolchain.
-source $(dirname $0)/setup.sh
+if [ "$USE_64" = 1 ]; then
+ source $(dirname $0)/setup64.sh
+else
+ source $(dirname $0)/setup32.sh
+fi
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr nspr default
diff --git a/security/nss/automation/taskcluster/windows/build_gyp.sh b/security/nss/automation/taskcluster/windows/build_gyp.sh
new file mode 100644
index 000000000..cc829ca99
--- /dev/null
+++ b/security/nss/automation/taskcluster/windows/build_gyp.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Set up the toolchain.
+if [[ "$@" == *"-m32"* ]]; then
+ source $(dirname $0)/setup32.sh
+else
+ source $(dirname $0)/setup64.sh
+fi
+
+# Install GYP.
+cd gyp
+python -m virtualenv test-env
+test-env/Scripts/python setup.py install
+test-env/Scripts/python -m pip install --upgrade pip
+test-env/Scripts/pip install --upgrade setuptools
+cd ..
+
+export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
+export GYP_MSVS_VERSION="2015"
+export GYP="${PWD}/gyp/test-env/Scripts/gyp"
+
+# Fool GYP.
+touch "${VSPATH}/VC/vcvarsall.bat"
+
+# Clone NSPR.
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
+
+# Build with gyp.
+GYP=${GYP} ./nss/build.sh -g -v "$@"
+
+# Package.
+7z a public/build/dist.7z dist
diff --git a/security/nss/automation/taskcluster/windows/releng.manifest b/security/nss/automation/taskcluster/windows/releng.manifest
index b3f449854..68d2c1d9e 100644
--- a/security/nss/automation/taskcluster/windows/releng.manifest
+++ b/security/nss/automation/taskcluster/windows/releng.manifest
@@ -1,10 +1,26 @@
[
{
- "version": "Visual Studio 2015 Update 2 / SDK 10.0.10586.0/212",
- "size": 332442800,
- "digest": "995394a4a515c7cb0f8595f26f5395361a638870dd0bbfcc22193fe1d98a0c47126057d5999cc494f3f3eac5cb49160e79757c468f83ee5797298e286ef6252c",
+ "version": "Visual Studio 2015 Update 3 14.0.25425.01 / SDK 10.0.14393.0",
+ "size": 326656969,
+ "digest": "babc414ffc0457d27f5a1ed24a8e4873afbe2f1c1a4075469a27c005e1babc3b2a788f643f825efedff95b79686664c67ec4340ed535487168a3482e68559bc7",
"algorithm": "sha512",
- "filename": "vs2015u2.zip",
+ "filename": "vs2015u3.zip",
+ "unpack": true
+ },
+ {
+ "version": "Ninja 1.7.1",
+ "size": 184821,
+ "digest": "e4f9a1ae624a2630e75264ba37d396d9c7407d6e6aea3763056210ba6e1387908bd31cf4037a6a3661a418e86c4d2761e0c333e6a3bd0d66549d2b0d72d3f43b",
+ "algorithm": "sha512",
+ "filename": "ninja171.zip",
+ "unpack": true
+ },
+ {
+ "size": 13063963,
+ "visibility": "public",
+ "digest": "47a19f8f863eab3414abab2b9e9bd901ab896c799b3d9254b456b2f59374b085b99de805e21069a0819f01eecb3f43f7e2395a8c644c04bcbfa5711261cca29d",
+ "algorithm": "sha512",
+ "filename": "gyp-2017-05-23.zip",
"unpack": true
}
]
diff --git a/security/nss/automation/taskcluster/windows/setup.sh b/security/nss/automation/taskcluster/windows/setup.sh
index 80cee2850..7def50db4 100644
--- a/security/nss/automation/taskcluster/windows/setup.sh
+++ b/security/nss/automation/taskcluster/windows/setup.sh
@@ -2,6 +2,13 @@
set -v -e -x
+export VSPATH="$(pwd)/vs2015u3"
+export NINJA_PATH="$(pwd)/ninja/bin"
+
+export WINDOWSSDKDIR="${VSPATH}/SDK"
+export VS90COMNTOOLS="${VSPATH}/VC"
+export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.14393.0/ucrt:${VSPATH}/SDK/Include/10.0.14393.0/shared:${VSPATH}/SDK/Include/10.0.14393.0/um"
+
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
@@ -16,15 +23,4 @@ hg_clone() {
}
hg_clone https://hg.mozilla.org/build/tools tools default
-
tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://api.pub.build.mozilla.org/tooltool/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
-VSPATH="$(pwd)/vs2015u2"
-
-export WINDOWSSDKDIR="${VSPATH}/SDK"
-export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT"
-export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
-
-export PATH="${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
-
-export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.10586.0/ucrt:${VSPATH}/SDK/Include/10.0.10586.0/shared:${VSPATH}/SDK/Include/10.0.10586.0/um"
-export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.10586.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.10586.0/um/x64"
diff --git a/security/nss/automation/taskcluster/windows/setup32.sh b/security/nss/automation/taskcluster/windows/setup32.sh
new file mode 100644
index 000000000..bcddabfa3
--- /dev/null
+++ b/security/nss/automation/taskcluster/windows/setup32.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/setup.sh
+
+export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT"
+export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86"
+export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64_x86:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x86:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
+export LIB="${VSPATH}/VC/lib:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.14393.0/um/x86"
diff --git a/security/nss/automation/taskcluster/windows/setup64.sh b/security/nss/automation/taskcluster/windows/setup64.sh
new file mode 100644
index 000000000..f308298c1
--- /dev/null
+++ b/security/nss/automation/taskcluster/windows/setup64.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/setup.sh
+
+export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT"
+export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
+export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
+export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.14393.0/um/x64"