Ensure we don't use sccache on dependencies of shippable builds
Categories
(Firefox Build System :: Task Configuration, task)
Tracking
(firefox-esr60 wontfix, firefox-esr6870+ fixed, firefox69+ fixed, firefox70+ fixed, firefox71+ fixed)
People
(Reporter: rstewart, Assigned: rstewart)
References
Details
(Keywords: sec-other, Whiteboard: [adv-esr68.2-])
Attachments
(1 file, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
RyanVM
:
approval-mozilla-esr68+
|
Details | Review |
|
||
Comment 1•6 years ago
|
||
This should be as simple as adding the win64-sccache toolchain to the win32-shippable and win64-shippable builds in taskcluster/ci/instrumented-build/kind.yml, and verifying that we get sccache hits on try. For reference, taskcluster/ci/build/windows.yml has sccache enabled for most Windows builds.
|
Assignee | |
Comment 2•6 years ago
|
||
|
||
Comment 3•6 years ago
|
||
|
||
Comment 4•6 years ago
|
||
I do not think we can have sccache enabled for builds used in the release process (which instrumented builds are). sccache uses S3 (or gcs) to store artifacts, and we don't have any way to verify that those artifacts aren't modified between creation and use (or to verify that they were ever created by a trusted build).
|
|
||
Comment 5•6 years ago
|
||
Morphing bug based on comment 4. Tom also pointed me at https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/taskcluster/taskgraph/util/verify.py#235-240 which should be adjusted to catch things like this.
|
|
Assignee | |
Comment 6•6 years ago
|
||
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 7•6 years ago
|
||
|
|
||
Comment 8•6 years ago
|
||
:hwine, can you provide some guidance on how to proceed here and land this? Presumably we'd also want to uplift to beta & release.
|
|
||
Comment 9•6 years ago
|
||
:catlee, can you comment on how this might impact the overall TC load? We'd be turning off sccache on the Linux & Android instrumented ("instr") builds. Historically, we didn't have sccache on the nightly PGO builds, but I think we did for the non-nightly PGO builds. Now, shippable builds and any non-shippable PGO builds use the profile data derived from the same instrumented builds, so they need to not use sccache.
|
||
Comment 10•6 years ago
|
||
(In reply to Michael Shal [:mshal] from comment #8)
:hwine, can you provide some guidance on how to proceed here and land this? Presumably we'd also want to uplift to beta & release.
I think the following 2 steps should be sufficient to land:
- check with RelEng on any potential load/performance issues and any uplift criteria they have (comment 9 addresses this)
- get a code review from RelEng and/or Taskcluster that the patch addresses all the cases we're concerned about.
|
||
Comment 11•6 years ago
|
||
I suspect this will result in a marginal but acceptable increase in load. We could mitigate that by only disabling sccache on repositories we ship from. i.e. could we leave sccache enabled for shippable builds on try and autoland?
|
|
||
Comment 12•6 years ago
|
||
Note that this is not a regression from 1-tier PGO, since we weren't running sccache with shippable builds then.
|
||
Comment 13•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/20516e38f03595cfee7e3533d96fbf8b1db934b2
https://hg.mozilla.org/mozilla-central/rev/20516e38f035
|
||
Comment 14•6 years ago
|
||
I want to ask why? What's the risk of the instrumented builds having their build cache tempered with? The only one I can think of is getting suboptimal optimizations as a result.
|
|
||
Comment 15•6 years ago
|
||
Comment on attachment 9094762 [details]
Fix Bug 1583368. Don't use sccache on dependencies of shippable builds
Beta/Release Uplift Approval Request
- User impact if declined: No impact to end users.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This change just disables sccache on instrumented builds. The builds work fine without sccache, they just take longer to complete.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: No impact to end users.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch:
|
|
||
Comment 16•6 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #14)
I want to ask why? What's the risk of the instrumented builds having their build cache tempered with? The only one I can think of is getting suboptimal optimizations as a result.
As I understand it, the risk is that a specific object file could be crafted and injected into the cache, such that when the instrumented Firefox binary runs, it generates malformed profile data that triggers an exploit in clang to cause the final profile-use build to contain arbitrary code. Without such an exploit in clang, the risk then just becomes suboptimal optimizations.
|
||
Updated•6 years ago
|
|
||
Comment 17•6 years ago
|
||
Comment on attachment 9094762 [details]
Fix Bug 1583368. Don't use sccache on dependencies of shippable builds
Doesn't affect the builds we ship in the end, just mitigates a possible opportunity for bad actors to compromise them via sccache. Approved for all the things.
|
|
||
Updated•6 years ago
|
|
|
||
Comment 18•6 years ago
|
||
| uplift | ||
|
||
Updated•6 years ago
|
|
||
Updated•5 years ago
|
Description
•