Python projects that have Python 3.10+ syntax have broken code coverage #11419
Comments
|
@apollo13 I gave this a go -- I think the right approach is to bump Python in the base-runner in this case, unless there is a concrete need for having older Python versions as well. I think this will likely be picked up and possibly landed early Jan. |
|
Thanks, wouldn't it make sense to update the python builder as well then?
…On Fri, Dec 29, 2023, at 16:12, DavidKorczynski wrote:
@apollo13 <https://github.com/apollo13> I gave this a go -- I think the
right approach is to bump Python in the base-runner in this case,
unless there is a concrete need for having older Python versions as
well. I think this will likely be picked up and possibly landed early
Jan.
—
Reply to this email directly, view it on GitHub
<#11419 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAT5C2IR4PTMULDQMXX5I3YL3MUHAVCNFSM6AAAAABBGXT6BOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZSGE2TSNBVHE>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
See also #9532 |
DaveLak
added a commit
to DaveLak/oss-fuzz
that referenced
this issue
Jun 4, 2024
The changes introduced here upgrade Python from 3.8 to 3.10.14 inside the base-builder and base-runner images. ### base-builder changes: Prior to these changes, base-builder compiled Python 3.8 from source using sources downloaded from the official release servers at https://www.python.org/ftp/python/. This updates the compiled version to 3.10.14 (the latest 3.10 release) instead. ### base-runner changes: Prior to these changes, base-runner installed Python 3.8 from the default apt repository provided by the Ubuntu 20.04 image it's based on. These apt repositories do not have a version of Python 3.10 available by default. This updates the base-runner to instead use a multi-stage build to copy the same Python interpreter compiled by the base-builder image into the runner image, which ensures both Python versions remain in-sync while saving build time by re-using a pre-built version. ## Motivation - Code coverage does not work on Python projects that use Python 3.10+ syntax, and will not work until this or similar changes are landed (see google#11419) - Upgrading the base-image to use Ubuntu 22.04 (which provides more recent Python versions via apt) has been stated as being unlikely to happen any time soon (see google#3290) - Many OSS-Fuzz integrated Python projects no longer support Python 3.8 and have resorted to implementing ad-hoc workarounds to upgrade to newer Python versions, including installing Python from the Dead Snakes PPA. - This leads to fragmentation and hard to debug issues. Maintenance is easier when everyone is using the same version without issue. - With [Python 3.8 reaching end of life soon (in 2024-10)][python- versions-EOL], it is likely that more Python projects will begin dropping support for 3.8, further increasing the number of broken builds and ad-hoc workarounds. - Previous attempts at upgrading Python have stalled. ## Known & Expected Issues Several project Dockerfiles and build scripts contain hard coded references to python3.8 file system paths, and many more have implanted ad-hoc workarounds to upgrade to newer Python versions than 3.8 (typically 3.9.) Additional changes are required to each of these projects to ensure they successfully build after this upgrade to Python 3.10. ### Fuzz Introspector Caveat Fuzz Introspector currently uses Python 3.9. While an upgrade to 3.10 is not expected to introduce any new issues, it was not tested on these changes and may require additional work. ## Possible Areas of Improvement Using the base-builder image in a multi-stage build to copy the pre- compiled Python into base-runner is effective, but feels like a workaround that may be introducing tech debt. A cleaner approach would be to extract the Python compilation into a discrete base image similar to how `base-clang` works, and use that as the multi-stage builder in images that need it. --- Fixes: - google#11419 Supersedes: - google#9532 - google#11420 [python-versions-EOL]: https://devguide.python.org/versions/
DaveLak
added a commit
to DaveLak/oss-fuzz
that referenced
this issue
Jun 4, 2024
Replaces the ad-hoc workaround using the Dead Snakes PPA to install Python 3.10, with the upgraded Python 3.10 version provided by the base-builder and base-runner images, the latter of which resolves the issue mentioned in google#11419. Fixes: google#9638
|
Hello, it would be very helpful for us at Pillow because Python 3.8 is EOL in October which is when our next release is, and we've already removed support for 3.8 from the codebase. But now OSS-Fuzz is failing for every PR, so we'll probably have to remove it from our CI until it's ready. |
DaveLak
added a commit
to DaveLak/oss-fuzz
that referenced
this issue
Aug 28, 2024
Replaces the ad-hoc workaround using the Dead Snakes PPA to install Python 3.10, with the upgraded Python 3.10 version provided by the base-builder and base-runner images, the latter of which resolves the issue mentioned in google#11419. Fixes: google#9638
This was referenced Sep 26, 2024
DavidKorczynski
pushed a commit
that referenced
this issue
Sep 30, 2024
Pillow's oss-fuzz is currently failing, because Pillow main has [dropped support for Python 3.8](python-pillow/Pillow#8183). Until a global solution is provided for #11419, this installs Python 3.9 to allow Pillow to work again. cc @hugovk Co-authored-by: Andrew Murray <[email protected]>
DaveLak
added a commit
to DaveLak/oss-fuzz
that referenced
this issue
Nov 20, 2024
Replaces the ad-hoc workaround using the Dead Snakes PPA to install Python 3.10, with the upgraded Python 3.10 version provided by the base-builder and base-runner images, the latter of which resolves the issue mentioned in google#11419. Fixes: google#9638
oliverchang
added a commit
that referenced
this issue
Nov 25, 2024
#12027) > [!NOTE] > I was looking for somewhere to get feedback from maintainers about this approach to the Python 3.10 upgrade before attempting it, but the discussion surrounding a Python upgrade has been rather fragmented across many issues, PRs, and comment chains. > > For that reason, I felt it would be easier to propose with a working example and dedicated PR. #### Fixes: - #11419 - #9638 #### Supersedes: - #9532 - #11420 ## Changes The changes introduced here upgrade Python from 3.8 to 3.10.14 inside the base-builder and base-runner images. ### Base Image Changes | Image | Before Changes | After Changes | |----------------|------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **base-builder** | Compiled Python 3.8 from source using official release servers at https://www.python.org/ftp/python/. | Compiles Python 3.10.14 (the latest 3.10 release) from source using official release servers at https://www.python.org/ftp/python/. | | **base-runner** | Installed Python 3.8 from the default apt repository provided by the Ubuntu 20.04 image. | Uses a multi-stage build to copy the Python 3.10.14 interpreter compiled by the base-builder image, ensuring version sync and saving build time by re-using a pre-built version. | ## Known Impact on Projects ### 3.9 Workarounds That Can Be Removed | Project | Fix Link | |------------|----------| | dask | DaveLak@417bbf5 | | docutils | DaveLak@e4c21ff | | dovecot | DaveLak@7ab3ab6 | | nbclassic | DaveLak@5509b4e | | pandas | DaveLak@0642a7a | | pybind11 | DaveLak@a5bbdb3 | | pyodbc | DaveLak@afa2b5e | | qpid-proton| DaveLak@f5bf756 | ### Anticipated Build Failures #### Preexisting Failures ##### Fix is Prepared | Project | Fix Link | |-----------------------|----------| | airflow | DaveLak@60a0368 | | ipython | DaveLak@21ac68e | | networkx | DaveLak@fc2f8c5 | | numpy | DaveLak@9383c87 | | tensorflow-addons | DaveLak@eed2bea | | django (coverage build)| DaveLak@c724d61 | | proto-plus-python | DaveLak@37d973e | | dnspython | The upgraded pip version in the base-builder fixes the currently failing build. | ##### Fix Requires Upstream Changes | Project | Issue | |---------|-------| | pyvex | Currently failing on python 3.9 because `archinfo` dependency requires >=3.10. Fails after the 3.10 upgrade because [the upstream build script needs `python3.9` replaced with `python3`](https://github.com/angr/pyvex/blob/f94c95636a3800c5bbd781ecf1e3fb0c0d9feec4/fuzzing/build.sh#L19-L23). | ##### Requires More Investigation | Project | Issue | |--------------------|-------| | matplotlib | Upgrading Python & Pyinstaller does resolve the build issues, but an error in the fuzz harness is exposed and must be resolved for check_build to pass. The exception: `TypeError: Parser.non_math() takes 2 positional arguments but 4 were given" in "File "fuzz_plt.py", line 43, in TestOneInput`. | | scipy | Upgrading Python & Pyinstaller does resolve the build issues, but an error in the build step causes the build to fail. The error seems related to the linking: "/usr/bin/ld: /usr/bin/ld: DWARF error: invalid or unhandled FORM value: 0x25". When `export LDFLAGS="-fuse-ld=lld"` is set, the error becomes: "`ld.lld: error: undefined symbol: __asan_report_store4`". | | pandas (Introspector only)| [This workaround in `build.sh` is the issue](https://github.com/google/oss-fuzz/blob/1515519a665756d8a50a6c46abac8b431e5462ef/projects/pandas/build.sh#L22-L32). | | pycrypto | Failing with error: "`SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats`". Seems like the issue described [here](https://stackoverflow.com/a/71019907). Pycrypto is deprecated and this is unlikely to be fixed upstream. | ## Possible Future Improvements Using the base-builder image in a multi-stage build to copy the pre- compiled Python into base-runner is effective, but feels like a workaround that may be introducing tech debt. A cleaner approach would be to extract the Python compilation into a discrete base image similar to how `base-clang` works, and use that as the multi-stage builder in images that need it. ### Fuzz Introspector Caveat Fuzz Introspector currently uses Python 3.9. While an upgrade to 3.10 is not expected to introduce any new issues, it was not tested on these changes and may require additional work. --- ## Motivation - Python [3.8 is reaching end of life in October 2024](https://devguide.python.org/versions/). - The [Scientific Python Community already encourages dropping 3.8 support](https://scientific-python.org/specs/spec-0000/). - This is evident when looking at which projects have resorted to upgrading to newer Pythons using ad-hoc workarounds (see `numpy`, `scipy`, `pandas`, etc.) - It is likely that more Python projects will begin dropping support for 3.8, further increasing the number of broken builds and ad-hoc workarounds. - Code coverage does not work on Python projects that use Python 3.10+ syntax. - Previous attempts at upgrading Python have stalled (see google/clusterfuzz#3290 (comment) & the issues linked under "Supersedes" above.) - In recognition of the fact that OSS-Fuzz maintainers are stretched thin, I thought I'd give it a shot. --------- Co-authored-by: Oliver Chang <[email protected]> Co-authored-by: Andrew Murray <[email protected]>
|
#12027 has now been merged. |
|
Python 3.10 is still very old. The NumPy builds were failing for a long time, worked for 2 weeks after gh-12027, and are now failing again because NumPy bumped to OSS Fuzz is testing the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Ref: #11401 (comment)
The text was updated successfully, but these errors were encountered: