Google Git
Sign in
pigweed / third_party / github / abseil / abseil-cpp / 692d9e568301b2c01a35b8da3c9915cef4055a4f / . / absl / log / stripping_test.cc
blob: 271fae1d8dc2903de46435253606b2222fc66bca [file] [log] [blame]
//
// Copyright 2022 The Abseil Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Tests for stripping of literal strings.
// ---------------------------------------
//
// When a `LOG` statement can be trivially proved at compile time to never fire,
// e.g. due to `ABSL_MIN_LOG_LEVEL`, `NDEBUG`, or some explicit condition, data
// streamed in can be dropped from the compiled program completely if they are
// not used elsewhere. This most commonly affects string literals, which users
// often want to strip to reduce binary size and/or redact information about
// their program's internals (e.g. in a release build).
//
// These tests log strings and then validate whether they appear in the compiled
// binary. This is done by opening the file corresponding to the running test
// and running a simple string search on its contents. The strings to be logged
// and searched for must be unique, and we must take care not to emit them into
// the binary in any other place, e.g. when searching for them. The latter is
// accomplished by computing them using base64; the source string appears in the
// binary but the target string is computed at runtime.
#include <stdio.h>
#if defined(__MACH__)
#include <mach-o/dyld.h>
#elif defined(_WIN32)
#include <Windows.h>
#include <tchar.h>
#endif
#include <algorithm>
#include <functional>
#include <memory>
#include <ostream>
#include <string>
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "absl/base/internal/strerror.h"
#include "absl/base/log_severity.h"
#include "absl/flags/internal/program_name.h"
#include "absl/log/check.h"
#include "absl/log/internal/test_helpers.h"
#include "absl/log/log.h"
#include "absl/status/status.h"
#include "absl/strings/escaping.h"
#include "absl/strings/str_format.h"
#include "absl/strings/string_view.h"
// Set a flag that controls whether we actually execute fatal statements, but
// prevent the compiler from optimizing it out.
static volatile bool kReallyDie = false;
namespace {
using ::testing::_;
using ::testing::Eq;
using ::testing::NotNull;
using absl::log_internal::kAbslMinLogLevel;
std::string Base64UnescapeOrDie(absl::string_view data) {
std::string decoded;
CHECK(absl::Base64Unescape(data, &decoded));
return decoded;
}
// -----------------------------------------------------------------------------
// A Googletest matcher which searches the running binary for a given string
// -----------------------------------------------------------------------------
// This matcher is used to validate that literal strings streamed into
// `LOG` statements that ought to be compiled out (e.g. `LOG_IF(INFO, false)`)
// do not appear in the binary.
//
// Note that passing the string to be sought directly to `FileHasSubstr()` all
// but forces its inclusion in the binary regardless of the logging library's
// behavior. For example:
//
// LOG_IF(INFO, false) << "you're the man now dog";
// // This will always pass:
// // EXPECT_THAT(fp, FileHasSubstr("you're the man now dog"));
// // So use this instead:
// EXPECT_THAT(fp, FileHasSubstr(
// Base64UnescapeOrDie("eW91J3JlIHRoZSBtYW4gbm93IGRvZw==")));
class FileHasSubstrMatcher final : public ::testing::MatcherInterface<FILE*> {
public:
explicit FileHasSubstrMatcher(absl::string_view needle) : needle_(needle) {}
bool MatchAndExplain(
FILE* fp, ::testing::MatchResultListener* listener) const override {
std::string buf(
std::max<std::string::size_type>(needle_.size() * 2, 163840000), '\0');
size_t buf_start_offset = 0; // The file offset of the byte at `buf[0]`.
size_t buf_data_size = 0; // The number of bytes of `buf` which contain
// data.
::fseek(fp, 0, SEEK_SET);
while (true) {
// Fill the buffer to capacity or EOF:
while (buf_data_size < buf.size()) {
const size_t ret = fread(&buf[buf_data_size], sizeof(char),
buf.size() - buf_data_size, fp);
if (ret == 0) break;
buf_data_size += ret;
}
if (ferror(fp)) {
*listener << "error reading file";
return false;
}
const absl::string_view haystack(&buf[0], buf_data_size);
const auto off = haystack.find(needle_);
if (off != haystack.npos) {
*listener << "string found at offset " << buf_start_offset + off;
return true;
}
if (feof(fp)) {
*listener << "string not found";
return false;
}
// Copy the end of `buf` to the beginning so we catch matches that span
// buffer boundaries. `buf` and `buf_data_size` are always large enough
// that these ranges don't overlap.
memcpy(&buf[0], &buf[buf_data_size - needle_.size()], needle_.size());
buf_start_offset += buf_data_size - needle_.size();
buf_data_size = needle_.size();
}
}
void DescribeTo(std::ostream* os) const override {
*os << "contains the string \"" << needle_ << "\" (base64(\""
<< Base64UnescapeOrDie(needle_) << "\"))";
}
void DescribeNegationTo(std::ostream* os) const override {
*os << "does not ";
DescribeTo(os);
}
private:
std::string needle_;
};
class StrippingTest : public ::testing::Test {
protected:
void SetUp() override {
#ifndef NDEBUG
// Non-optimized builds don't necessarily eliminate dead code at all, so we
// don't attempt to validate stripping against such builds.
GTEST_SKIP() << "StrippingTests skipped since this build is not optimized";
#elif defined(__EMSCRIPTEN__)
// These tests require a way to examine the running binary and look for
// strings; there's no portable way to do that.
GTEST_SKIP()
<< "StrippingTests skipped since this platform is not optimized";
#endif
}
// Opens this program's executable file. Returns `nullptr` and writes to
// `stderr` on failure.
std::unique_ptr<FILE, std::function<void(FILE*)>> OpenTestExecutable() {
#if defined(__linux__)
std::unique_ptr<FILE, std::function<void(FILE*)>> fp(
fopen("/proc/self/exe", "rb"), [](FILE* fp) { fclose(fp); });
if (!fp) {
const std::string err = absl::base_internal::StrError(errno);
absl::FPrintF(stderr, "Failed to open /proc/self/exe: %s\n", err);
}
return fp;
#elif defined(__Fuchsia__)
// TODO(b/242579714): We need to restore the test coverage on this platform.
std::unique_ptr<FILE, std::function<void(FILE*)>> fp(
fopen(absl::StrCat("/pkg/bin/",
absl::flags_internal::ShortProgramInvocationName())
.c_str(),
"rb"),
[](FILE* fp) { fclose(fp); });
if (!fp) {
const std::string err = absl::base_internal::StrError(errno);
absl::FPrintF(stderr, "Failed to open /pkg/bin/<binary name>: %s\n", err);
}
return fp;
#elif defined(__MACH__)
uint32_t size = 0;
int ret = _NSGetExecutablePath(nullptr, &size);
if (ret != -1) {
absl::FPrintF(stderr,
"Failed to get executable path: "
"_NSGetExecutablePath(nullptr) returned %d\n",
ret);
return nullptr;
}
std::string path(size, '\0');
ret = _NSGetExecutablePath(&path[0], &size);
if (ret != 0) {
absl::FPrintF(
stderr,
"Failed to get executable path: _NSGetExecutablePath(buffer) "
"returned %d\n",
ret);
return nullptr;
}
std::unique_ptr<FILE, std::function<void(FILE*)>> fp(
fopen(path.c_str(), "rb"), [](FILE* fp) { fclose(fp); });
if (!fp) {
const std::string err = absl::base_internal::StrError(errno);
absl::FPrintF(stderr, "Failed to open executable at %s: %s\n", path, err);
}
return fp;
#elif defined(_WIN32)
std::basic_string<TCHAR> path(4096, _T('\0'));
while (true) {
const uint32_t ret = ::GetModuleFileName(nullptr, &path[0],
static_cast<DWORD>(path.size()));
if (ret == 0) {
absl::FPrintF(
stderr,
"Failed to get executable path: GetModuleFileName(buffer) "
"returned 0\n");
return nullptr;
}
if (ret < path.size()) break;
path.resize(path.size() * 2, _T('\0'));
}
std::unique_ptr<FILE, std::function<void(FILE*)>> fp(
_tfopen(path.c_str(), _T("rb")), [](FILE* fp) { fclose(fp); });
if (!fp) absl::FPrintF(stderr, "Failed to open executable\n");
return fp;
#else
absl::FPrintF(stderr,
"OpenTestExecutable() unimplemented on this platform\n");
return nullptr;
#endif
}
::testing::Matcher<FILE*> FileHasSubstr(absl::string_view needle) {
return MakeMatcher(new FileHasSubstrMatcher(needle));
}
};
// This tests whether out methodology for testing stripping works on this
// platform by looking for one string that definitely ought to be there and one
// that definitely ought not to. If this fails, none of the `StrippingTest`s
// are going to produce meaningful results.
TEST_F(StrippingTest, Control) {
constexpr char kEncodedPositiveControl[] =
"U3RyaXBwaW5nVGVzdC5Qb3NpdGl2ZUNvbnRyb2w=";
const std::string encoded_negative_control =
absl::Base64Escape("StrippingTest.NegativeControl");
// Verify this mainly so we can encode other strings and know definitely they
// won't encode to `kEncodedPositiveControl`.
EXPECT_THAT(Base64UnescapeOrDie("U3RyaXBwaW5nVGVzdC5Qb3NpdGl2ZUNvbnRyb2w="),
Eq("StrippingTest.PositiveControl"));
auto exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
EXPECT_THAT(exe.get(), FileHasSubstr(kEncodedPositiveControl));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(encoded_negative_control)));
}
TEST_F(StrippingTest, Literal) {
// We need to load a copy of the needle string into memory (so we can search
// for it) without leaving it lying around in plaintext in the executable file
// as would happen if we used a literal. We might (or might not) leave it
// lying around later; that's what the tests are for!
const std::string needle = absl::Base64Escape("StrippingTest.Literal");
LOG(INFO) << "U3RyaXBwaW5nVGVzdC5MaXRlcmFs";
auto exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kInfo >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(needle)));
}
}
TEST_F(StrippingTest, LiteralInExpression) {
// We need to load a copy of the needle string into memory (so we can search
// for it) without leaving it lying around in plaintext in the executable file
// as would happen if we used a literal. We might (or might not) leave it
// lying around later; that's what the tests are for!
const std::string needle =
absl::Base64Escape("StrippingTest.LiteralInExpression");
LOG(INFO) << absl::StrCat("secret: ",
"U3RyaXBwaW5nVGVzdC5MaXRlcmFsSW5FeHByZXNzaW9u");
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kInfo >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(needle)));
}
}
TEST_F(StrippingTest, Fatal) {
// We need to load a copy of the needle string into memory (so we can search
// for it) without leaving it lying around in plaintext in the executable file
// as would happen if we used a literal. We might (or might not) leave it
// lying around later; that's what the tests are for!
const std::string needle = absl::Base64Escape("StrippingTest.Fatal");
// We don't care if the LOG statement is actually executed, we're just
// checking that it's stripped.
if (kReallyDie) LOG(FATAL) << "U3RyaXBwaW5nVGVzdC5GYXRhbA==";
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(needle)));
}
}
TEST_F(StrippingTest, DFatal) {
// We need to load a copy of the needle string into memory (so we can search
// for it) without leaving it lying around in plaintext in the executable file
// as would happen if we used a literal. We might (or might not) leave it
// lying around later; that's what the tests are for!
const std::string needle = absl::Base64Escape("StrippingTest.DFatal");
// We don't care if the LOG statement is actually executed, we're just
// checking that it's stripped.
if (kReallyDie) LOG(DFATAL) << "U3RyaXBwaW5nVGVzdC5ERmF0YWw=";
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
// `DFATAL` can be `ERROR` or `FATAL`, and a compile-time optimizer doesn't
// know which, because `absl::kLogDebugFatal` is declared `extern` and defined
// in another TU. Link-time optimization might do better. We have six cases:
// | `AMLL` is-> | `<=ERROR` | `FATAL` | `>FATAL` |
// | ------------------- | --------- | ------- | -------- |
// | `DFATAL` is `ERROR` | present | ? | stripped |
// | `DFATAL` is `FATAL` | present | present | stripped |
// These constexpr variables are used to suppress unreachable code warnings
// in the if-else statements below.
// "present" in the table above: `DFATAL` exceeds `ABSL_MIN_LOG_LEVEL`, so
// `DFATAL` statements should not be stripped (and they should be logged
// when executed, but that's a different testsuite).
constexpr bool kExpectPresent = absl::kLogDebugFatal >= kAbslMinLogLevel;
// "stripped" in the table above: even though the compiler may not know
// which value `DFATAL` has, it should be able to strip it since both
// possible values ought to be stripped.
constexpr bool kExpectStripped = kAbslMinLogLevel > absl::LogSeverity::kFatal;
if (kExpectPresent) {
EXPECT_THAT(exe.get(), FileHasSubstr(needle));
} else if (kExpectStripped) {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(needle)));
} else {
// "?" in the table above; may or may not be stripped depending on whether
// any link-time optimization is done. Either outcome is ok.
}
}
TEST_F(StrippingTest, Level) {
const std::string needle = absl::Base64Escape("StrippingTest.Level");
volatile auto severity = absl::LogSeverity::kWarning;
// Ensure that `severity` is not a compile-time constant to prove that
// stripping works regardless:
LOG(LEVEL(severity)) << "U3RyaXBwaW5nVGVzdC5MZXZlbA==";
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
// This can't be stripped at compile-time because it might evaluate to a
// level that shouldn't be stripped.
EXPECT_THAT(exe.get(), FileHasSubstr(needle));
} else {
#if (defined(_MSC_VER) && !defined(__clang__)) || defined(__APPLE__)
// Dead code elimination misses this case.
#else
// All levels should be stripped, so it doesn't matter what the severity
// winds up being.
EXPECT_THAT(exe.get(), Not(FileHasSubstr(needle)));
#endif
}
}
TEST_F(StrippingTest, Check) {
// Here we also need a variable name with enough entropy that it's unlikely to
// appear in the binary by chance. `volatile` keeps the tautological
// comparison (and the rest of the `CHECK`) from being optimized away.
const std::string var_needle = absl::Base64Escape("StrippingTestCheckVar");
const std::string msg_needle = absl::Base64Escape("StrippingTest.Check");
volatile int U3RyaXBwaW5nVGVzdENoZWNrVmFy = 0xCAFE;
// We don't care if the CHECK is actually executed, just that stripping works.
// Hiding it behind `kReallyDie` works around some overly aggressive
// optimizations in older versions of MSVC.
if (kReallyDie) {
CHECK(U3RyaXBwaW5nVGVzdENoZWNrVmFy != U3RyaXBwaW5nVGVzdENoZWNrVmFy)
<< "U3RyaXBwaW5nVGVzdC5DaGVjaw==";
}
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle));
EXPECT_THAT(exe.get(), FileHasSubstr(msg_needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(msg_needle)));
}
}
TEST_F(StrippingTest, CheckOp) {
// See `StrippingTest.Check` for some hairy implementation notes.
const std::string var_needle1 =
absl::Base64Escape("StrippingTestCheckOpVar1");
const std::string var_needle2 =
absl::Base64Escape("StrippingTestCheckOpVar2");
const std::string msg_needle = absl::Base64Escape("StrippingTest.CheckOp");
volatile int U3RyaXBwaW5nVGVzdENoZWNrT3BWYXIx = 0xFEED;
volatile int U3RyaXBwaW5nVGVzdENoZWNrT3BWYXIy = 0xCAFE;
if (kReallyDie) {
CHECK_EQ(U3RyaXBwaW5nVGVzdENoZWNrT3BWYXIx, U3RyaXBwaW5nVGVzdENoZWNrT3BWYXIy)
<< "U3RyaXBwaW5nVGVzdC5DaGVja09w";
}
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle1));
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle2));
EXPECT_THAT(exe.get(), FileHasSubstr(msg_needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle1)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle2)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(msg_needle)));
}
}
TEST_F(StrippingTest, CheckStrOp) {
// See `StrippingTest.Check` for some hairy implementation notes.
const std::string var_needle1 =
absl::Base64Escape("StrippingTestCheckStrOpVar1");
const std::string var_needle2 =
absl::Base64Escape("StrippingTestCheckStrOpVar2");
const std::string msg_needle = absl::Base64Escape("StrippingTest.CheckStrOp");
const char *volatile U3RyaXBwaW5nVGVzdENoZWNrU3RyT3BWYXIx = "FEED";
const char *volatile U3RyaXBwaW5nVGVzdENoZWNrU3RyT3BWYXIy = "CAFE";
if (kReallyDie) {
CHECK_STREQ(U3RyaXBwaW5nVGVzdENoZWNrU3RyT3BWYXIx,
U3RyaXBwaW5nVGVzdENoZWNrU3RyT3BWYXIy)
<< "U3RyaXBwaW5nVGVzdC5DaGVja1N0ck9w";
}
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle1));
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle2));
EXPECT_THAT(exe.get(), FileHasSubstr(msg_needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle1)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle2)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(msg_needle)));
}
}
TEST_F(StrippingTest, CheckOk) {
// See `StrippingTest.Check` for some hairy implementation notes.
const std::string var_needle = absl::Base64Escape("StrippingTestCheckOkVar1");
const std::string msg_needle = absl::Base64Escape("StrippingTest.CheckOk");
volatile bool x = false;
auto U3RyaXBwaW5nVGVzdENoZWNrT2tWYXIx = absl::OkStatus();
if (x) {
U3RyaXBwaW5nVGVzdENoZWNrT2tWYXIx =
absl::InvalidArgumentError("Stripping this is not my job!");
}
if (kReallyDie) {
CHECK_OK(U3RyaXBwaW5nVGVzdENoZWNrT2tWYXIx)
<< "U3RyaXBwaW5nVGVzdC5DaGVja09r";
}
std::unique_ptr<FILE, std::function<void(FILE*)>> exe = OpenTestExecutable();
ASSERT_THAT(exe, NotNull());
if (absl::LogSeverity::kFatal >= kAbslMinLogLevel) {
EXPECT_THAT(exe.get(), FileHasSubstr(var_needle));
EXPECT_THAT(exe.get(), FileHasSubstr(msg_needle));
} else {
EXPECT_THAT(exe.get(), Not(FileHasSubstr(var_needle)));
EXPECT_THAT(exe.get(), Not(FileHasSubstr(msg_needle)));
}
}
} // namespace