Fix flakiness in appsec test

Author: cataphract

appsec/src/extension/ddtrace.c

@@ -75,8 +75,8 @@ static void dd_trace_load_symbols(void)
 
 #define ASSIGN_DLSYM(var, export)                                              \
     do {                                                                       \
-        var = (typeof(var))(uintptr_t)dlsym(handle, export "");                \
-        if (var == NULL && !testing) {                                         \
+        (var) = (typeof(var))(uintptr_t)dlsym(handle, export "");              \
+        if ((var) == NULL && !testing) {                                       \
             /* NOLINTNEXTLINE(concurrency-mt-unsafe) */                        \
             mlog(dd_log_error, "Failed to load %s: %s", export, dlerror());    \
         }                                                                      \

appsec/src/helper/engine.cpp

@@ -124,7 +124,7 @@ std::optional<engine::result> engine::context::publish(
         return std::nullopt;
     }
 
-    bool force_keep = limiter_.allow();
+    const bool force_keep = limiter_.allow();
     dds::engine::result res{{}, std::move(event_.data), force_keep};
     // Currently the only action the extension can perform is block
     if (event_.actions.empty()) {

appsec/src/helper/engine_settings.cpp

@@ -51,45 +51,82 @@ std::filesystem::path get_helper_path()
 
 namespace dds {
 
-const std::string &engine_settings::default_rules_file()
-{
-    struct def_rules_file {
-        def_rules_file()
-        {
-            std::filesystem::path base_path;
+namespace {
+struct def_rules_file {
+    std::atomic<std::string *> stored_file{};
+
+    def_rules_file() = default;
+    def_rules_file(const def_rules_file &) = delete;
+    def_rules_file(def_rules_file &&) = delete;
+    def_rules_file &operator=(const def_rules_file &) = delete;
+    def_rules_file &operator=(def_rules_file &&) = delete;
+
+    const std::string &get()
+    {
+        auto *cur_val = stored_file.load();
+        if (cur_val == nullptr) {
+            auto *new_val = initialize().release();
+            if (!stored_file.compare_exchange_strong(cur_val, new_val)) {
+                delete new_val; // NOLINT
+                // cur_val is now the currently stored value
+            } else {
+                cur_val = new_val;
+            }
+        }
+        return *cur_val;
+    }
+
+    static std::unique_ptr<std::string> initialize()
+    {
+        std::filesystem::path base_path;
+        std::unique_ptr<std::string> file;
 
+        try {
+            base_path = get_helper_path().parent_path();
+        } catch (const std::exception &e) {
+            file = std::make_unique<std::string>(
+                "<error resolving helper library path: " +
+                std::string(e.what()) + ">");
+
+            // try relative to the executable instead
             try {
-                base_path = get_helper_path().parent_path();
-            } catch (const std::exception &e) {
-                file = "<error resolving helper library path: " +
-                       std::string(e.what()) + ">";
-
-                // try relative to the executable instead
-                try {
-                    auto psp = std::filesystem::path{"/proc/self/exe"};
-                    if (std::filesystem::is_symlink(psp)) {
-                        psp = std::filesystem::read_symlink(psp);
-                    }
-                    base_path = psp.parent_path();
-                } catch (const std::exception &e) {
-                    file =
-                        "<error resolving both library and executable path: " +
-                        std::string(e.what()) + ">";
-                    return;
+                auto psp = std::filesystem::path{"/proc/self/exe"};
+                if (std::filesystem::is_symlink(psp)) {
+                    psp = std::filesystem::read_symlink(psp);
                 }
+                base_path = psp.parent_path();
+            } catch (const std::exception &e) {
+                file = std::make_unique<std::string>(
+                    "<error resolving both library and executable path: " +
+                    std::string(e.what()) + ">");
+                return file;
             }
+        }
 
-            file = base_path / "../etc/recommended.json";
-            if (!std::filesystem::exists(file)) {
-                // This fallback file is set by a custom/old installer on
-                // appsec repository
-                file = base_path / "../etc/dd-appsec/recommended.json";
-            }
+        file = std::make_unique<std::string>(
+            base_path / "../etc/recommended.json");
+        if (!std::filesystem::exists(*file)) {
+            // This fallback file is set by a custom/old installer on
+            // appsec repository
+            file = std::make_unique<std::string>(
+                base_path / "../etc/dd-appsec/recommended.json");
         }
-        std::string file;
-    };
 
-    static def_rules_file const drf; // NOLINT
-    return drf.file;
-}
+        return file;
+    }
+
+    ~def_rules_file()
+    {
+        auto *val = stored_file.load();
+        delete val; // NOLINT
+        stored_file.store(nullptr);
+    }
+};
+
+// can't be a local static inside default_rules_file() because those
+// register their atexit() handlers lazily, which is too late for us.
+def_rules_file drf{}; // NOLINT
+} // namespace
+
+const std::string &engine_settings::default_rules_file() { return drf.get(); }
 } // namespace dds

appsec/tests/fuzzer/CMakeLists.txt

@@ -21,7 +21,21 @@ if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND CMAKE_CXX_COMPILER_VERSION VERSIO
     target_compile_definitions(ddappsec_helper_fuzzer PUBLIC ZLIB_CONST=1)
     target_link_directories(ddappsec_helper_fuzzer PRIVATE ${LLVM_RUNTIME_DIR})
     target_link_libraries(ddappsec_helper_fuzzer
-        PRIVATE libddwaf_objects pthread spdlog cpp-base64 msgpack_c RapidJSON::rapidjson Boost::system libclang_rt.fuzzer_no_main-${ARCHITECTURE}.a zlibstatic)
+        PRIVATE libddwaf_objects pthread spdlog cpp-base64 msgpack_c RapidJSON::rapidjson Boost::system zlibstatic)
+
+    set(FUZZER_LIB_NAME "libclang_rt.fuzzer_no_main-${ARCHITECTURE}.a")
+    find_library(FUZZER_LIB ${FUZZER_LIB_NAME} PATHS ${LLVM_RUNTIME_DIR})
+
+    if(NOT FUZZER_LIB)
+        set(FUZZER_LIB_NAME_FALLBACK "libclang_rt.fuzzer_no_main.a")
+        find_library(FUZZER_LIB ${FUZZER_LIB_NAME_FALLBACK} PATHS ${LLVM_RUNTIME_DIR})
+    endif()
+
+    if(NOT FUZZER_LIB)
+        message(FATAL_ERROR "Could not find fuzzer library (tried ${FUZZER_LIB_NAME} and ${FUZZER_LIB_NAME_FALLBACK}); extra path ${LLVM_RUNTIME_DIR}")
+    endif()
+
+    target_link_libraries(ddappsec_helper_fuzzer PRIVATE ${FUZZER_LIB})
 
     add_executable(corpus_generator corpus_generator.cpp)
     target_link_libraries(corpus_generator PRIVATE helper_objects libddwaf_objects pthread spdlog)

appsec/tests/fuzzer/main.cpp

@@ -6,7 +6,6 @@
 
 #include "mutators.hpp"
 #include "network.hpp"
-#include "network/acceptor.hpp"
 #include <cstdlib>
 #include <iostream>
 #include <runner.hpp>
@@ -173,17 +172,26 @@ int main(int argc, char **argv)
 
     auto acceptor_ptr = std::make_unique<dds::fuzzer::acceptor>();
     acceptor = acceptor_ptr.get();
-    std::atomic<bool> interrupted{};
-    dds::runner runner{config, std::move(acceptor_ptr), interrupted};
-
-    std::thread runner_thread([&runner] { runner.run(); });
+    static std::atomic<bool> interrupted{};
+    dds::runner runner{std::move(acceptor_ptr), interrupted};
+    static std::thread *runner_thread =
+        new std::thread{[&runner] { runner.run(); }};
+
+    static auto cleanup = []() {
+        SPDLOG_INFO("atexit() hook, interrupting runner");
+        interrupted.store(true, std::memory_order_release);
+        acceptor->exit();
+
+        SPDLOG_INFO("Waiting for runner thread to finish");
+        runner_thread->join();
+        SPDLOG_INFO("Runner thread finished");
+        delete runner_thread;
+    };
+    std::atexit(cleanup);
 
     int result = LLVMFuzzerRunDriver(&argc, &argv, LLVMFuzzerTestOneInput);
 
-    interrupted.store(true, std::memory_order_release);
-    acceptor->exit();
-
-    runner_thread.join();
+    // generally not reached
 
     return result;
 }