CI: Adding CTest memcheck to CodeBuild

CMakeLists.txt

@@ -19,6 +19,7 @@ set(VERSION_MAJOR 1)
 set(VERSION_MINOR 0)
 set(VERSION_PATCH 0)
 
+option(BUILD_TESTING "Enable BUILD_TESTING by default" ON)
 option(SEARCH_LIBCRYPTO "Set this if you want to let S2N search libcrypto for you,
 otherwise a crypto target needs to be defined." ON)
 option(UNSAFE_TREAT_WARNINGS_AS_ERRORS "Compiler warnings are treated as errors. Warnings may
@@ -41,9 +42,6 @@ option(TSAN "Enable ThreadSanitizer to test thread safety" OFF)
 option(ASAN "Enable AddressSanitizer to test memory safety" OFF)
 option(SECCOMP "Link with seccomp and run seccomp tests" OFF)
 
-# Turn BUILD_TESTING=ON by default
-include(CTest)
-
 file(GLOB API_HEADERS "api/*.h")
 file(GLOB API_UNSTABLE_HEADERS "api/unstable/*.h")
 
@@ -472,6 +470,31 @@ if (BUILD_TESTING)
     file (GLOB TEST_LD_PRELOAD "tests/LD_PRELOAD/*.c")
     add_library(allocator_overrides SHARED ${TEST_LD_PRELOAD})
 
+    set(VALGRIND_DEFAULT " \
+    --leak-check=full \
+    --leak-resolution=high \
+    --trace-children=yes \
+    --run-libc-freeres=no \
+    -q --error-exitcode=123 \
+    --error-limit=no \
+    --num-callers=40 \
+    --undef-value-errors=no \
+    --suppressions=valgrind.suppressions")
+
+    set(VALGRIND_PENDANTIC "${VALGRIND_DEFAULT} --errors-for-leak-kinds=all")
+
+    # Add pendentic Valgrind check for Libcrypto is openssl-1.1.1.
+    # Default Valgrind tests ignores "Still reachable" leak and we want to enable pedantic
+    # valgrind check incrementally, so we will do pedantic check for Libcrypto=openssl-1.1.1 for now.
+    # Tracking issue: https://github.com/aws/s2n-tls/issues/3758
+    if ($ENV{S2N_LIBCRYPTO} MATCHES "openssl-1.1.1")
+        set(MEMORYCHECK_COMMAND_OPTIONS ${VALGRIND_PENDANTIC})
+    else()
+        set(MEMORYCHECK_COMMAND_OPTIONS ${VALGRIND_DEFAULT})
+    endif()
+
+    set(CTEST_MEMORYCHECK_TYPE "Valgrind")
+
     set(UNIT_TEST_ENVS S2N_DONT_MLOCK=1)
     if (TSAN OR ASAN)
         set(UNIT_TEST_ENVS ${UNIT_TEST_ENVS} S2N_ADDRESS_SANITIZER=1)
@@ -677,6 +700,9 @@ if (BUILD_TESTING)
     endif()
 endif()
 
+# Turn BUILD_TESTING=ON by default
+include(CTest)
+
 #install the s2n files
 install(FILES ${API_HEADERS} DESTINATION "include/" COMPONENT Development)
 install(FILES ${API_UNSTABLE_HEADERS} DESTINATION "include/s2n/unstable" COMPONENT Development)

codebuild/spec/buildspec_valgrind.yml

@@ -0,0 +1,56 @@
+---
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You may not use
+# this file except in compliance with the License. A copy of the License is
+# located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing permissions and
+# limitations under the License.
+version: 0.2
+
+batch:
+  build-list:
+    - identifier: gcc_awslc
+      env:
+        compute-type: BUILD_GENERAL1_LARGE
+        variables:
+          S2N_LIBCRYPTO: awslc
+          COMPILER: gcc
+    - identifier: gcc_openssl_3_0
+      env:
+        compute-type: BUILD_GENERAL1_LARGE
+        variables:
+          S2N_LIBCRYPTO: openssl-3.0
+          COMPILER: gcc
+
+phases:
+  pre_build:
+    commands:
+      - |
+        if [ -d "third-party-src" ]; then
+          cd third-party-src;
+        fi
+      - /usr/bin/$COMPILER --version
+  build:
+    on-failure: ABORT
+    commands:
+      - |
+        cmake . -Bbuild \
+          -DCMAKE_C_COMPILER=/usr/bin/$COMPILER \
+          -DCMAKE_PREFIX_PATH=/usr/local/$S2N_LIBCRYPTO \
+          -DCMAKE_BUILD_TYPE=RelWithDebInfo
+      - cmake --build ./build -- -j $(nproc)
+  post_build:
+    on-failure: ABORT
+    commands:
+      - |
+        S2N_VALGRIND=1 \
+        CTEST_PARALLEL_LEVEL=$(nproc) \
+        CTEST_OUTPUT_ON_FAILURE=1 \
+        ctest -T memcheck \
+              --test-dir build

tests/unit/valgrind.suppressions

@@ -1,6 +1,9 @@
-# It looks like valgrind may generate false positives on pthreads: https://stackoverflow.com/a/13132968
+# Valgrind may generate false positives on pthreads: https://stackoverflow.com/a/13132968
+# Without these suppressions, the following tests will fail:
+# s2n_examples_test, s2n_fork_generation_number_test, s2n_init_test, s2n_key_update_threads_test, and s2n_random_test.
+# These are the suppressions for pthread_create in GLIBC_2.2.5.
 {
-   pthred_false_positive
+   pthread_false_positive
    Memcheck:Leak
    match-leak-kinds: possible
    fun:calloc
@@ -10,7 +13,51 @@
    fun:pthread_create@@GLIBC_2.2.5
    fun:main
 }
-
+# This block is a similar suppression to the pthread suppressions above, but for a different libc version.
+# These are the suppressions for pthread_create in GLIBC_2.34.
+# Remove the previous pthread suppression block after the new CTest memcheck is fully integrated.
+# Tracking issue: https://github.com/aws/s2n-tls/issues/4777
+{
+   pthread_false_positive_ubuntu22
+   Memcheck:Leak
+   match-leak-kinds: possible
+   fun:calloc
+   fun:calloc
+   fun:allocate_dtv
+   fun:_dl_allocate_tls
+   fun:allocate_stack
+   fun:pthread_create@@GLIBC_2.34
+   ...
+   fun:main
+}
+# This suppression is to address false positives from backtrace().
+# backtrace is loaded dynamically when first used, and dynamic loading invokes malloc.
+# https://man7.org/linux/man-pages/man3/backtrace_symbols_fd.3.html#:~:text=%E2%80%A2%20%20backtrace()%20and,is%20loaded%20beforehand.
+{
+   stacktrace_suppression
+   Memcheck:Leak
+   match-leak-kinds: possible
+   fun:malloc
+   fun:malloc
+   fun:_dlfo_mappings_segment_allocate
+   fun:_dl_find_object_update_1
+   fun:_dl_find_object_update
+   fun:dl_open_worker_begin
+   fun:_dl_catch_exception
+   fun:dl_open_worker
+   fun:_dl_catch_exception
+   fun:_dl_open
+   fun:do_dlopen
+   fun:_dl_catch_exception
+   fun:_dl_catch_error
+   fun:dlerror_run
+   fun:__libc_dlopen_mode
+   fun:__libc_unwind_link_get
+   fun:__libc_unwind_link_get
+   fun:backtrace
+   ...
+   fun:main
+}
 # TODO: fix the pedantic leak errors from s2n_fork_generation_number_test
 {
    ignore_s2n_fork_generation_number_test