|
|
|
|
// Copyright (c) 2019, The Garble Authors.
|
|
|
|
|
// See LICENSE for licensing information.
|
|
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"flag"
|
|
|
|
|
"fmt"
|
|
|
|
|
"go/ast"
|
|
|
|
|
"go/printer"
|
|
|
|
|
"go/token"
|
actually remove temporary directories after obfuscation
Back in February 2021, we changed the obfuscation logic so that the
entire `garble build` process would use one shared temporary directory
across all package builds, reducing the amount of files we created in
the top-level system temporary directory.
However, we made one mistake: we didn't swap os.Remove for os.RemoveAll.
Ever since then, we've been leaving temporary files behind.
Add regression tests, which failed before the fix, and fix the bug.
Note that we need to test `garble reverse` as well, as it calls
toolexecCmd separately, so it needs its own cleanup as well.
The cleanup happens via the env var, which doesn't feel worse than
having toolexecCmd return an extra string or cleanup func.
While here, also test that we support TMPDIRs with special characters.
3 years ago
|
|
|
"io/fs"
|
|
|
|
|
mathrand "math/rand"
|
|
|
|
|
"os"
|
|
|
|
|
"os/exec"
|
|
|
|
|
"path/filepath"
|
actually remove temporary directories after obfuscation
Back in February 2021, we changed the obfuscation logic so that the
entire `garble build` process would use one shared temporary directory
across all package builds, reducing the amount of files we created in
the top-level system temporary directory.
However, we made one mistake: we didn't swap os.Remove for os.RemoveAll.
Ever since then, we've been leaving temporary files behind.
Add regression tests, which failed before the fix, and fix the bug.
Note that we need to test `garble reverse` as well, as it calls
toolexecCmd separately, so it needs its own cleanup as well.
The cleanup happens via the env var, which doesn't feel worse than
having toolexecCmd return an extra string or cleanup func.
While here, also test that we support TMPDIRs with special characters.
3 years ago
|
|
|
"regexp"
|
|
|
|
|
"runtime"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
|
|
|
"github.com/rogpeppe/go-internal/goproxytest"
|
|
|
|
|
"github.com/rogpeppe/go-internal/gotooltest"
|
|
|
|
|
"github.com/rogpeppe/go-internal/testscript"
|
|
|
|
|
|
|
|
|
|
ah "mvdan.cc/garble/internal/asthelper"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var proxyURL string
|
|
|
|
|
|
|
|
|
|
func TestMain(m *testing.M) {
|
|
|
|
|
os.Exit(testscript.RunMain(garbleMain{m}, map[string]func() int{
|
|
|
|
|
"garble": main1,
|
|
|
|
|
}))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type garbleMain struct {
|
|
|
|
|
m *testing.M
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m garbleMain) Run() int {
|
|
|
|
|
// Start the Go proxy server running for all tests.
|
|
|
|
|
srv, err := goproxytest.NewServer("testdata/mod", "")
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(fmt.Sprintf("cannot start proxy: %v", err))
|
|
|
|
|
}
|
|
|
|
|
proxyURL = srv.URL
|
|
|
|
|
|
|
|
|
|
return m.m.Run()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var update = flag.Bool("u", false, "update testscript output files")
|
|
|
|
|
|
|
|
|
|
func TestScript(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
|
|
execPath, err := os.Executable()
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p := testscript.Params{
|
|
|
|
|
Dir: filepath.Join("testdata", "script"),
|
|
|
|
|
Setup: func(env *testscript.Env) error {
|
|
|
|
|
env.Vars = append(env.Vars,
|
|
|
|
|
// Use testdata/mod as our module proxy.
|
|
|
|
|
"GOPROXY="+proxyURL,
|
|
|
|
|
|
|
|
|
|
// We use our own proxy, so avoid sum.golang.org.
|
|
|
|
|
"GONOSUMDB=*",
|
|
|
|
|
|
|
|
|
|
// "go build" starts many short-lived Go processes,
|
|
|
|
|
// such as asm, buildid, compile, and link.
|
|
|
|
|
// They don't allocate huge amounts of memory,
|
|
|
|
|
// and they'll exit within seconds,
|
|
|
|
|
// so using the GC is basically a waste of CPU.
|
|
|
|
|
// Turn it off entirely, releasing memory on exit.
|
|
|
|
|
//
|
|
|
|
|
// We don't want this setting always on,
|
|
|
|
|
// as it could result in memory problems for users.
|
|
|
|
|
// But it helps for our test suite,
|
|
|
|
|
// as the packages are relatively small.
|
|
|
|
|
"GOGC=off",
|
|
|
|
|
|
|
|
|
|
"gofullversion="+runtime.Version(),
|
|
|
|
|
"EXEC_PATH="+execPath,
|
|
|
|
|
)
|
make -coverprofile include toolexec processes (#216)
testscript already included magic to also account for commands in the
total code coverage. That does not happen with plain tests, since those
only include coverage from the main test process.
The main problem was that, before, indirectly executed commands did not
properly save their coverage profile anywhere for testscript to collect
it at the end. In other words, we only collected coverage from direct
garble executions like "garble -help", but not indirect ones like "go
build -toolexec=garble".
$ go test -coverprofile=cover.out
PASS
coverage: 3.6% of statements
total coverage: 16.6% of statements
ok mvdan.cc/garble 6.453s
After the delicate changes to testscript, any direct or indirect
executions of commands all go through $PATH and properly count towards
the total coverage:
$ go test -coverprofile=cover.out
PASS
coverage: 3.6% of statements
total coverage: 90.5% of statements
ok mvdan.cc/garble 33.258s
Note that we can also get rid of our code to set up $PATH, since
testscript now does it for us.
goversion.txt needed minor tweaks, since we no longer set up $WORK/.bin.
Finally, note that we disable the reuse of $GOCACHE when collecting
coverage information. This is to do "full builds", as otherwise the
cached package builds would result in lower coverage.
Fixes #35.
4 years ago
|
|
|
|
|
|
|
|
if os.Getenv("TESTSCRIPT_COVER_DIR") != "" {
|
|
|
|
|
// Don't reuse the build cache if we want to collect
|
|
|
|
|
// code coverage. Otherwise, many toolexec calls would
|
|
|
|
|
// be avoided and the coverage would be incomplete.
|
|
|
|
|
// TODO: to not make "go test" insanely slow, we could still use
|
|
|
|
|
// an empty GOCACHE, but share it between all the test scripts.
|
make -coverprofile include toolexec processes (#216)
testscript already included magic to also account for commands in the
total code coverage. That does not happen with plain tests, since those
only include coverage from the main test process.
The main problem was that, before, indirectly executed commands did not
properly save their coverage profile anywhere for testscript to collect
it at the end. In other words, we only collected coverage from direct
garble executions like "garble -help", but not indirect ones like "go
build -toolexec=garble".
$ go test -coverprofile=cover.out
PASS
coverage: 3.6% of statements
total coverage: 16.6% of statements
ok mvdan.cc/garble 6.453s
After the delicate changes to testscript, any direct or indirect
executions of commands all go through $PATH and properly count towards
the total coverage:
$ go test -coverprofile=cover.out
PASS
coverage: 3.6% of statements
total coverage: 90.5% of statements
ok mvdan.cc/garble 33.258s
Note that we can also get rid of our code to set up $PATH, since
testscript now does it for us.
goversion.txt needed minor tweaks, since we no longer set up $WORK/.bin.
Finally, note that we disable the reuse of $GOCACHE when collecting
coverage information. This is to do "full builds", as otherwise the
cached package builds would result in lower coverage.
Fixes #35.
4 years ago
|
|
|
env.Vars = append(env.Vars, "GOCACHE="+filepath.Join(env.WorkDir, "go-cache-tmp"))
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
// TODO: this condition should probably be supported by gotooltest
|
|
|
|
|
Condition: func(cond string) (bool, error) {
|
|
|
|
|
switch cond {
|
|
|
|
|
case "cgo":
|
|
|
|
|
out, err := exec.Command("go", "env", "CGO_ENABLED").CombinedOutput()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
result := strings.TrimSpace(string(out))
|
|
|
|
|
switch result {
|
|
|
|
|
case "0", "1":
|
|
|
|
|
return result == "1", nil
|
|
|
|
|
default:
|
|
|
|
|
return false, fmt.Errorf("unknown CGO_ENABLED: %q", result)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false, fmt.Errorf("unknown condition")
|
|
|
|
|
},
|
|
|
|
|
Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
|
|
|
|
|
"sleep": sleep,
|
|
|
|
|
"binsubstr": binsubstr,
|
|
|
|
|
"bincmp": bincmp,
|
|
|
|
|
"generate-literals": generateLiterals,
|
|
|
|
|
"setenvfile": setenvfile,
|
actually remove temporary directories after obfuscation
Back in February 2021, we changed the obfuscation logic so that the
entire `garble build` process would use one shared temporary directory
across all package builds, reducing the amount of files we created in
the top-level system temporary directory.
However, we made one mistake: we didn't swap os.Remove for os.RemoveAll.
Ever since then, we've been leaving temporary files behind.
Add regression tests, which failed before the fix, and fix the bug.
Note that we need to test `garble reverse` as well, as it calls
toolexecCmd separately, so it needs its own cleanup as well.
The cleanup happens via the env var, which doesn't feel worse than
having toolexecCmd return an extra string or cleanup func.
While here, also test that we support TMPDIRs with special characters.
3 years ago
|
|
|
"grepfiles": grepfiles,
|
|
|
|
|
},
|
|
|
|
|
UpdateScripts: *update,
|
|
|
|
|
}
|
|
|
|
|
if err := gotooltest.Setup(&p); err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
testscript.Run(t, p)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createFile(ts *testscript.TestScript, path string) *os.File {
|
|
|
|
|
file, err := os.Create(ts.MkAbs(path))
|
|
|
|
|
if err != nil {
|
|
|
|
|
ts.Fatalf("%v", err)
|
|
|
|
|
}
|
|
|
|
|
return file
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// sleep is akin to a shell's sleep builtin.
|
|
|
|
|
// Note that tests should almost never use this; it's currently only used to
|
|
|
|
|
// work around a low-level Go syscall race on Linux.
|
|
|
|
|
func sleep(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if len(args) != 1 {
|
|
|
|
|
ts.Fatalf("usage: sleep duration")
|
|
|
|
|
}
|
|
|
|
|
d, err := time.ParseDuration(args[0])
|
|
|
|
|
if err != nil {
|
|
|
|
|
ts.Fatalf("%v", err)
|
|
|
|
|
}
|
|
|
|
|
time.Sleep(d)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func binsubstr(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if len(args) < 2 {
|
|
|
|
|
ts.Fatalf("usage: binsubstr file substr...")
|
|
|
|
|
}
|
fix a data race with the global cachedBinary mechanism (#413)
Spotted by our friend "go test -race":
WARNING: DATA RACE
Write at 0x0000010522d8 by goroutine 69:
mvdan.cc/garble.readFile()
garble/main_test.go:124 +0x23a
mvdan.cc/garble.binsubstr()
garble/main_test.go:141 +0xc4
github.com/rogpeppe/go-internal/testscript.(*TestScript).run()
github.com/rogpeppe/go-internal@v1.8.1-0.20211023094830-115ce09fd6b4/testscript/testscript.go:496 +0x9e8
[...]
Previous write at 0x0000010522d8 by goroutine 60:
mvdan.cc/garble.readFile()
garble/main_test.go:124 +0x23a
mvdan.cc/garble.binsubstr()
garble/main_test.go:141 +0xc4
github.com/rogpeppe/go-internal/testscript.(*TestScript).run()
github.com/rogpeppe/go-internal@v1.8.1-0.20211023094830-115ce09fd6b4/testscript/testscript.go:496 +0x9e8
[...]
This wasn't a data race that we spotted via failures in practice,
as it only affected test code since July.
The race is due to the fact that each test script runs as a parallel
sub-test within the same Go program, sharing all globals.
As such, a single "cached binary" global is read and written with races.
Moreover, note that the caching always missed.
I briefly rewrote the code to avoid the race via a sync.Map keyed by
absolute filenames, and while that removed the data race,
the caching never actually hit.
To have a cache hit, we need an absolute path to already be in the cache
and for it to not have been modified since it was last cached. That is:
modify-bin-1 foo
binsubstr foo 'abc' # miss
binsubstr foo 'def' # hit; use the cached "/tmp/[...]/foo" entry
modify-bin-2 foo
binsubstr foo 'abc' # miss
However, the test scripts don't do contiguous binsubstr calls like
these. Instead, they join repeated binsubstr calls:
modify-bin-1 foo
binsubstr foo 'abc' 'def' # miss
modify-bin-2 foo
binsubstr foo 'abc' # miss
For that reason, remove the extra code entirely.
I didn't notice any change to the performance of "go test -short"
with a warm build cache, with:
go test -c
./garble.test -test.short #warm cache
benchcmd -n 5 TestShort ./garble.test -test.short
name old time/op new time/op delta
TestShort 4.62s ±12% 4.35s ±12% ~ (p=0.310 n=5+5)
name old user-time/op new user-time/op delta
TestShort 16.8s ± 3% 16.7s ± 3% ~ (p=0.690 n=5+5)
name old sys-time/op new sys-time/op delta
TestShort 7.28s ± 1% 7.26s ± 2% ~ (p=0.841 n=5+5)
name old peak-RSS-bytes new peak-RSS-bytes delta
TestShort 305MB ± 0% 306MB ± 0% ~ (p=0.421 n=5+5)
Finally, start using "go test -race" on Linux on CI,
which should have made the PR back in July red before merging.
3 years ago
|
|
|
data := ts.ReadFile(args[0])
|
|
|
|
|
var failed []string
|
|
|
|
|
for _, substr := range args[1:] {
|
|
|
|
|
match := strings.Contains(data, substr)
|
|
|
|
|
if match && neg {
|
|
|
|
|
failed = append(failed, substr)
|
|
|
|
|
} else if !match && !neg {
|
|
|
|
|
failed = append(failed, substr)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(failed) > 0 && neg {
|
|
|
|
|
ts.Fatalf("unexpected match for %q in %s", failed, args[0])
|
|
|
|
|
} else if len(failed) > 0 {
|
|
|
|
|
ts.Fatalf("expected match for %q in %s", failed, args[0])
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func bincmp(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if len(args) != 2 {
|
|
|
|
|
ts.Fatalf("usage: bincmp file1 file2")
|
|
|
|
|
}
|
|
|
|
|
for _, arg := range args {
|
|
|
|
|
switch arg {
|
|
|
|
|
case "stdout", "stderr":
|
|
|
|
|
// Note that the diffoscope call below would not deal with
|
|
|
|
|
// stdout/stderr either.
|
|
|
|
|
ts.Fatalf("bincmp is for binary files. did you mean cmp?")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
data1 := ts.ReadFile(args[0])
|
|
|
|
|
data2 := ts.ReadFile(args[1])
|
|
|
|
|
if neg {
|
|
|
|
|
if data1 == data2 {
|
|
|
|
|
ts.Fatalf("%s and %s don't differ", args[0], args[1])
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if data1 != data2 {
|
|
|
|
|
if _, err := exec.LookPath("diffoscope"); err == nil {
|
|
|
|
|
// We'll error below; ignore the exec error here.
|
|
|
|
|
ts.Exec("diffoscope",
|
|
|
|
|
"--diff-context", "2", // down from 7 by default
|
|
|
|
|
"--max-text-report-size", "4096", // no limit (in bytes) by default; avoid huge output
|
|
|
|
|
ts.MkAbs(args[0]), ts.MkAbs(args[1]))
|
|
|
|
|
} else {
|
|
|
|
|
ts.Logf("diffoscope not found; skipping")
|
|
|
|
|
}
|
|
|
|
|
outDir := "bincmp_output"
|
|
|
|
|
err := os.MkdirAll(outDir, 0o777)
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
|
|
|
|
|
file1, err := os.CreateTemp(outDir, "file1-*")
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
_, err = file1.Write([]byte(data1))
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
err = file1.Close()
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
|
|
|
|
|
file2, err := os.CreateTemp(outDir, "file2-*")
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
_, err = file2.Write([]byte(data2))
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
err = file2.Close()
|
|
|
|
|
ts.Check(err)
|
|
|
|
|
|
|
|
|
|
ts.Logf("wrote files to %s and %s", file1.Name(), file2.Name())
|
|
|
|
|
sizeDiff := len(data2) - len(data1)
|
|
|
|
|
ts.Fatalf("%s and %s differ; diffoscope above, size diff: %+d",
|
|
|
|
|
args[0], args[1], sizeDiff)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
avoid using math/rand's global funcs like Seed and Intn
Go 1.20 is starting to deprecate the use of math/rand's global state,
per https://go.dev/issue/56319 and https://go.dev/issue/20661.
The reasoning is sound:
Deprecated: Programs that call Seed and then expect a specific sequence
of results from the global random source (using functions such as Int)
can be broken when a dependency changes how much it consumes from the
global random source. To avoid such breakages, programs that need a
specific result sequence should use NewRand(NewSource(seed)) to obtain a
random generator that other packages cannot access.
Aside from the tests, we used math/rand only for obfuscating literals,
which caused a deterministic series of calls like Intn. Our call to Seed
was also deterministic, per either GarbleActionID or the -seed flag.
However, our determinism was fragile. If any of our dependencies or
other packages made any calls to math/rand's global funcs, then our
determinism could be broken entirely, and it's hard to notice.
Start using separate math/rand.Rand objects for each use case.
Also make uses of crypto/rand use "cryptorand" for consistency.
Note that this requires a bit of a refactor in internal/literals
to start passing around Rand objects. We also do away with unnecessary
short funcs, especially since math/rand's Read never errors,
and we can obtain a byte via math/rand's Uint32.
2 years ago
|
|
|
var testRand = mathrand.New(mathrand.NewSource(time.Now().UnixNano()))
|
|
|
|
|
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
func generateStringLit(size int) *ast.BasicLit {
|
|
|
|
|
buffer := make([]byte, size)
|
avoid using math/rand's global funcs like Seed and Intn
Go 1.20 is starting to deprecate the use of math/rand's global state,
per https://go.dev/issue/56319 and https://go.dev/issue/20661.
The reasoning is sound:
Deprecated: Programs that call Seed and then expect a specific sequence
of results from the global random source (using functions such as Int)
can be broken when a dependency changes how much it consumes from the
global random source. To avoid such breakages, programs that need a
specific result sequence should use NewRand(NewSource(seed)) to obtain a
random generator that other packages cannot access.
Aside from the tests, we used math/rand only for obfuscating literals,
which caused a deterministic series of calls like Intn. Our call to Seed
was also deterministic, per either GarbleActionID or the -seed flag.
However, our determinism was fragile. If any of our dependencies or
other packages made any calls to math/rand's global funcs, then our
determinism could be broken entirely, and it's hard to notice.
Start using separate math/rand.Rand objects for each use case.
Also make uses of crypto/rand use "cryptorand" for consistency.
Note that this requires a bit of a refactor in internal/literals
to start passing around Rand objects. We also do away with unnecessary
short funcs, especially since math/rand's Read never errors,
and we can obtain a byte via math/rand's Uint32.
2 years ago
|
|
|
_, err := testRand.Read(buffer)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ah.StringLit(string(buffer))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func generateLiterals(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if neg {
|
|
|
|
|
ts.Fatalf("unsupported: ! generate-literals")
|
|
|
|
|
}
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
if len(args) != 1 {
|
|
|
|
|
ts.Fatalf("usage: generate-literals file")
|
|
|
|
|
}
|
|
|
|
|
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
codePath := args[0]
|
|
|
|
|
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
// Add 100 randomly small literals.
|
|
|
|
|
var statements []ast.Stmt
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
for i := 0; i < 100; i++ {
|
avoid using math/rand's global funcs like Seed and Intn
Go 1.20 is starting to deprecate the use of math/rand's global state,
per https://go.dev/issue/56319 and https://go.dev/issue/20661.
The reasoning is sound:
Deprecated: Programs that call Seed and then expect a specific sequence
of results from the global random source (using functions such as Int)
can be broken when a dependency changes how much it consumes from the
global random source. To avoid such breakages, programs that need a
specific result sequence should use NewRand(NewSource(seed)) to obtain a
random generator that other packages cannot access.
Aside from the tests, we used math/rand only for obfuscating literals,
which caused a deterministic series of calls like Intn. Our call to Seed
was also deterministic, per either GarbleActionID or the -seed flag.
However, our determinism was fragile. If any of our dependencies or
other packages made any calls to math/rand's global funcs, then our
determinism could be broken entirely, and it's hard to notice.
Start using separate math/rand.Rand objects for each use case.
Also make uses of crypto/rand use "cryptorand" for consistency.
Note that this requires a bit of a refactor in internal/literals
to start passing around Rand objects. We also do away with unnecessary
short funcs, especially since math/rand's Read never errors,
and we can obtain a byte via math/rand's Uint32.
2 years ago
|
|
|
literal := generateStringLit(1 + testRand.Intn(255))
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
statements = append(statements, &ast.AssignStmt{
|
|
|
|
|
Lhs: []ast.Expr{ast.NewIdent("_")},
|
|
|
|
|
Tok: token.ASSIGN,
|
|
|
|
|
Rhs: []ast.Expr{literal},
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
// Add 5 huge literals, to make sure we don't try to obfuscate them.
|
|
|
|
|
// 5 * 128KiB is large enough that it would take a very, very long time
|
|
|
|
|
// to obfuscate those literals with our simple code.
|
|
|
|
|
for i := 0; i < 5; i++ {
|
|
|
|
|
literal := generateStringLit(128 << 10)
|
|
|
|
|
statements = append(statements, &ast.AssignStmt{
|
|
|
|
|
Lhs: []ast.Expr{ast.NewIdent("_")},
|
|
|
|
|
Tok: token.ASSIGN,
|
|
|
|
|
Rhs: []ast.Expr{literal},
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
file := &ast.File{
|
|
|
|
|
Name: ast.NewIdent("main"),
|
do not try to obfuscate huge literals (#204)
It's common for asset bundling code generators to produce huge literals,
for example in strings. Our literal obfuscators are meant for relatively
small string-like literals that a human would write, such as URLs, file
paths, and English text.
I ran some quick experiments, and it seems like "garble build -literals"
appears to hang trying to obfuscate literals starting at 5-20KiB. It's
not really hung; it's just doing a lot of busy work obfuscating those
literals. The code it produces is also far from ideal, so it also takes
some time to finally compile.
The generated code also led to crashes. For example, using "garble build
-literals -tiny" on a package containing literals of over a megabyte,
our use of asthelper to remove comments and shuffle line numbers could
run out of stack memory.
This all points in one direction: we never designed "-literals" to deal
with large sizes. Set a source-code-size limit of 2KiB.
We alter the literals.txt test as well, to include a few 128KiB string
literals. Before this fix, "go test" would seemingly hang on that test
for over a minute (I did not wait any longer). With the fix, those large
literals are not obfuscated, so the test ends in its usual 1-3s.
As said in the const comment, I don't believe any of this is a big
problem. Come Go 1.16, most developers should stop using asset-bundling
code generators and use go:embed instead. If we wanted to somehow
obfuscate those, it would be an entirely separate feature.
And, if someone wants to work on obfuscating truly large literals for
any reason, we need good tests and benchmarks to ensure garble does not
consume CPU for minutes or run out of memory.
I also simplified the generate-literals test command. The only argument
that matters to the script is the filename, since it's used later on.
Fixes #178.
4 years ago
|
|
|
Decls: []ast.Decl{&ast.FuncDecl{
|
|
|
|
|
Name: ast.NewIdent("extraLiterals"),
|
|
|
|
|
Type: &ast.FuncType{Params: &ast.FieldList{}},
|
|
|
|
|
Body: ah.BlockStmt(statements...),
|
|
|
|
|
}},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
codeFile := createFile(ts, codePath)
|
|
|
|
|
defer codeFile.Close()
|
|
|
|
|
|
|
|
|
|
if err := printer.Fprint(codeFile, token.NewFileSet(), file); err != nil {
|
|
|
|
|
ts.Fatalf("%v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func setenvfile(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if neg {
|
|
|
|
|
ts.Fatalf("unsupported: ! setenvfile")
|
|
|
|
|
}
|
|
|
|
|
if len(args) != 2 {
|
|
|
|
|
ts.Fatalf("usage: setenvfile name file")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ts.Setenv(args[0], ts.ReadFile(args[1]))
|
|
|
|
|
}
|
|
|
|
|
|
actually remove temporary directories after obfuscation
Back in February 2021, we changed the obfuscation logic so that the
entire `garble build` process would use one shared temporary directory
across all package builds, reducing the amount of files we created in
the top-level system temporary directory.
However, we made one mistake: we didn't swap os.Remove for os.RemoveAll.
Ever since then, we've been leaving temporary files behind.
Add regression tests, which failed before the fix, and fix the bug.
Note that we need to test `garble reverse` as well, as it calls
toolexecCmd separately, so it needs its own cleanup as well.
The cleanup happens via the env var, which doesn't feel worse than
having toolexecCmd return an extra string or cleanup func.
While here, also test that we support TMPDIRs with special characters.
3 years ago
|
|
|
func grepfiles(ts *testscript.TestScript, neg bool, args []string) {
|
|
|
|
|
if len(args) != 2 {
|
|
|
|
|
ts.Fatalf("usage: grepfiles path pattern")
|
|
|
|
|
}
|
|
|
|
|
anyFound := false
|
|
|
|
|
path, pattern := args[0], args[1]
|
|
|
|
|
rx := regexp.MustCompile(pattern)
|
|
|
|
|
// TODO: use fs.SkipAll in Go 1.20 and later.
|
actually remove temporary directories after obfuscation
Back in February 2021, we changed the obfuscation logic so that the
entire `garble build` process would use one shared temporary directory
across all package builds, reducing the amount of files we created in
the top-level system temporary directory.
However, we made one mistake: we didn't swap os.Remove for os.RemoveAll.
Ever since then, we've been leaving temporary files behind.
Add regression tests, which failed before the fix, and fix the bug.
Note that we need to test `garble reverse` as well, as it calls
toolexecCmd separately, so it needs its own cleanup as well.
The cleanup happens via the env var, which doesn't feel worse than
having toolexecCmd return an extra string or cleanup func.
While here, also test that we support TMPDIRs with special characters.
3 years ago
|
|
|
errSkipAll := fmt.Errorf("sentinel error: stop walking")
|
|
|
|
|
if err := filepath.WalkDir(path, func(path string, d fs.DirEntry, err error) error {
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if rx.MatchString(path) {
|
|
|
|
|
if neg {
|
|
|
|
|
return fmt.Errorf("%q matches %q", path, pattern)
|
|
|
|
|
} else {
|
|
|
|
|
anyFound = true
|
|
|
|
|
return errSkipAll
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}); err != nil && err != errSkipAll {
|
|
|
|
|
ts.Fatalf("%s", err)
|
|
|
|
|
}
|
|
|
|
|
if !neg && !anyFound {
|
|
|
|
|
ts.Fatalf("no matches for %q", pattern)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestSplitFlagsFromArgs(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
args []string
|
|
|
|
|
want [2][]string
|
|
|
|
|
}{
|
|
|
|
|
{"Empty", []string{}, [2][]string{{}, nil}},
|
|
|
|
|
{
|
|
|
|
|
"JustFlags",
|
|
|
|
|
[]string{"-foo", "bar", "-baz"},
|
|
|
|
|
[2][]string{{"-foo", "bar", "-baz"}, nil},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"JustArgs",
|
|
|
|
|
[]string{"some", "pkgs"},
|
|
|
|
|
[2][]string{{}, {"some", "pkgs"}},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"FlagsAndArgs",
|
|
|
|
|
[]string{"-foo=bar", "baz"},
|
|
|
|
|
[2][]string{{"-foo=bar"}, {"baz"}},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"BoolFlagsAndArgs",
|
|
|
|
|
[]string{"-race", "pkg"},
|
|
|
|
|
[2][]string{{"-race"}, {"pkg"}},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"ExplicitBoolFlag",
|
|
|
|
|
[]string{"-race=true", "pkg"},
|
|
|
|
|
[2][]string{{"-race=true"}, {"pkg"}},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, test := range tests {
|
|
|
|
|
test := test
|
|
|
|
|
t.Run(test.name, func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
flags, args := splitFlagsFromArgs(test.args)
|
|
|
|
|
got := [2][]string{flags, args}
|
|
|
|
|
|
|
|
|
|
if diff := cmp.Diff(test.want, got); diff != "" {
|
|
|
|
|
t.Fatalf("splitFlagsFromArgs(%q) mismatch (-want +got):\n%s", test.args, diff)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
fail if we are unexpectedly overwriting files (#418)
While investigating a bug report,
I noticed that garble was writing to the same temp file twice.
At best, writing to the same path on disk twice is wasteful,
as the design is careful to be deterministic and use unique paths.
At worst, the two writes could cause races at the filesystem level.
To prevent either of those situations,
we now create files with os.OpenFile and os.O_EXCL,
meaning that we will error if the file already exists.
That change uncovered a number of such unintended cases.
First, transformAsm would write obfuscated Go files twice.
This is because the Go toolchain actually runs:
[...]/asm -gensymabis [...] foo.s bar.s
[...]/asm [...] foo.s bar.s
That is, the first run is only meant to generate symbol ABIs,
which are then used by the compiler.
We need to obfuscate at that first stage,
because the symbol ABI descriptions need to use obfuscated names.
However, having already obfuscated the assembly on the first stage,
there is no need to do so again on the second stage.
If we detect gensymabis is missing, we simply reuse the previous files.
This first situation doesn't seem racy,
but obfuscating the Go assembly files twice is certainly unnecessary.
Second, saveKnownReflectAPIs wrote a gob file to the build cache.
Since the build cache can be kept between builds,
and since the build cache uses reproducible paths for each build,
running the same "garble build" twice could overwrite those files.
This could actually cause races at the filesystem level;
if two concurrent builds write to the same gob file on disk,
one of them could end up using a partially-written file.
Note that this is the only of the three cases not using temporary files.
As such, it is expected that the file may already exist.
In such a case, we simply avoid overwriting it rather than failing.
Third, when "garble build -a" was used,
and when we needed an export file not listed in importcfg,
we would end up calling roughly:
go list -export -toolexec=garble -a <dependency>
This meant we would re-build and re-obfuscate those packages.
Which is unfortunate, because the parent process already did via:
go build -toolexec=garble -a <main>
The repeated dependency builds tripped the new os.O_EXCL check,
as we would try to overwrite the same obfuscated Go files.
Beyond being wasteful, this could again cause subtle filesystem races.
To fix the problem, avoid passing flags like "-a" to nested go commands.
Overall, we should likely be using safer ways to write to disk,
be it via either atomic writes or locked files.
However, for now, catching duplicate writes is a big step.
I have left a self-assigned TODO for further improvements.
CI on the pull request found a failure on test-gotip.
The failure reproduces on master, so it seems to be related to gotip,
and not a regression introduced by this change.
For now, disable test-gotip until we can investigate.
3 years ago
|
|
|
func TestFilterForwardBuildFlags(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
flags []string
|
|
|
|
|
want []string
|
|
|
|
|
}{
|
|
|
|
|
{"Empty", []string{}, nil},
|
|
|
|
|
{
|
|
|
|
|
"NoBuild",
|
|
|
|
|
[]string{"-short", "-json"},
|
|
|
|
|
nil,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"Mixed",
|
|
|
|
|
[]string{"-short", "-tags", "foo", "-mod=readonly", "-json"},
|
|
|
|
|
[]string{"-tags", "foo", "-mod=readonly"},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"NonBinarySkipped",
|
|
|
|
|
[]string{"-o", "binary", "-tags", "foo"},
|
|
|
|
|
[]string{"-tags", "foo"},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, test := range tests {
|
|
|
|
|
test := test
|
|
|
|
|
t.Run(test.name, func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
fail if we are unexpectedly overwriting files (#418)
While investigating a bug report,
I noticed that garble was writing to the same temp file twice.
At best, writing to the same path on disk twice is wasteful,
as the design is careful to be deterministic and use unique paths.
At worst, the two writes could cause races at the filesystem level.
To prevent either of those situations,
we now create files with os.OpenFile and os.O_EXCL,
meaning that we will error if the file already exists.
That change uncovered a number of such unintended cases.
First, transformAsm would write obfuscated Go files twice.
This is because the Go toolchain actually runs:
[...]/asm -gensymabis [...] foo.s bar.s
[...]/asm [...] foo.s bar.s
That is, the first run is only meant to generate symbol ABIs,
which are then used by the compiler.
We need to obfuscate at that first stage,
because the symbol ABI descriptions need to use obfuscated names.
However, having already obfuscated the assembly on the first stage,
there is no need to do so again on the second stage.
If we detect gensymabis is missing, we simply reuse the previous files.
This first situation doesn't seem racy,
but obfuscating the Go assembly files twice is certainly unnecessary.
Second, saveKnownReflectAPIs wrote a gob file to the build cache.
Since the build cache can be kept between builds,
and since the build cache uses reproducible paths for each build,
running the same "garble build" twice could overwrite those files.
This could actually cause races at the filesystem level;
if two concurrent builds write to the same gob file on disk,
one of them could end up using a partially-written file.
Note that this is the only of the three cases not using temporary files.
As such, it is expected that the file may already exist.
In such a case, we simply avoid overwriting it rather than failing.
Third, when "garble build -a" was used,
and when we needed an export file not listed in importcfg,
we would end up calling roughly:
go list -export -toolexec=garble -a <dependency>
This meant we would re-build and re-obfuscate those packages.
Which is unfortunate, because the parent process already did via:
go build -toolexec=garble -a <main>
The repeated dependency builds tripped the new os.O_EXCL check,
as we would try to overwrite the same obfuscated Go files.
Beyond being wasteful, this could again cause subtle filesystem races.
To fix the problem, avoid passing flags like "-a" to nested go commands.
Overall, we should likely be using safer ways to write to disk,
be it via either atomic writes or locked files.
However, for now, catching duplicate writes is a big step.
I have left a self-assigned TODO for further improvements.
CI on the pull request found a failure on test-gotip.
The failure reproduces on master, so it seems to be related to gotip,
and not a regression introduced by this change.
For now, disable test-gotip until we can investigate.
3 years ago
|
|
|
got, _ := filterForwardBuildFlags(test.flags)
|
|
|
|
|
|
|
|
|
|
if diff := cmp.Diff(test.want, got); diff != "" {
|
fail if we are unexpectedly overwriting files (#418)
While investigating a bug report,
I noticed that garble was writing to the same temp file twice.
At best, writing to the same path on disk twice is wasteful,
as the design is careful to be deterministic and use unique paths.
At worst, the two writes could cause races at the filesystem level.
To prevent either of those situations,
we now create files with os.OpenFile and os.O_EXCL,
meaning that we will error if the file already exists.
That change uncovered a number of such unintended cases.
First, transformAsm would write obfuscated Go files twice.
This is because the Go toolchain actually runs:
[...]/asm -gensymabis [...] foo.s bar.s
[...]/asm [...] foo.s bar.s
That is, the first run is only meant to generate symbol ABIs,
which are then used by the compiler.
We need to obfuscate at that first stage,
because the symbol ABI descriptions need to use obfuscated names.
However, having already obfuscated the assembly on the first stage,
there is no need to do so again on the second stage.
If we detect gensymabis is missing, we simply reuse the previous files.
This first situation doesn't seem racy,
but obfuscating the Go assembly files twice is certainly unnecessary.
Second, saveKnownReflectAPIs wrote a gob file to the build cache.
Since the build cache can be kept between builds,
and since the build cache uses reproducible paths for each build,
running the same "garble build" twice could overwrite those files.
This could actually cause races at the filesystem level;
if two concurrent builds write to the same gob file on disk,
one of them could end up using a partially-written file.
Note that this is the only of the three cases not using temporary files.
As such, it is expected that the file may already exist.
In such a case, we simply avoid overwriting it rather than failing.
Third, when "garble build -a" was used,
and when we needed an export file not listed in importcfg,
we would end up calling roughly:
go list -export -toolexec=garble -a <dependency>
This meant we would re-build and re-obfuscate those packages.
Which is unfortunate, because the parent process already did via:
go build -toolexec=garble -a <main>
The repeated dependency builds tripped the new os.O_EXCL check,
as we would try to overwrite the same obfuscated Go files.
Beyond being wasteful, this could again cause subtle filesystem races.
To fix the problem, avoid passing flags like "-a" to nested go commands.
Overall, we should likely be using safer ways to write to disk,
be it via either atomic writes or locked files.
However, for now, catching duplicate writes is a big step.
I have left a self-assigned TODO for further improvements.
CI on the pull request found a failure on test-gotip.
The failure reproduces on master, so it seems to be related to gotip,
and not a regression introduced by this change.
For now, disable test-gotip until we can investigate.
3 years ago
|
|
|
t.Fatalf("filterForwardBuildFlags(%q) mismatch (-want +got):\n%s", test.flags, diff)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestFlagValue(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
flags []string
|
|
|
|
|
flagName string
|
|
|
|
|
want string
|
|
|
|
|
}{
|
|
|
|
|
{"StrSpace", []string{"-buildid", "bar"}, "-buildid", "bar"},
|
|
|
|
|
{"StrSpaceDash", []string{"-buildid", "-bar"}, "-buildid", "-bar"},
|
|
|
|
|
{"StrEqual", []string{"-buildid=bar"}, "-buildid", "bar"},
|
|
|
|
|
{"StrEqualDash", []string{"-buildid=-bar"}, "-buildid", "-bar"},
|
|
|
|
|
{"StrMissing", []string{"-foo"}, "-buildid", ""},
|
|
|
|
|
{"StrNotFollowed", []string{"-buildid"}, "-buildid", ""},
|
|
|
|
|
{"StrEmpty", []string{"-buildid="}, "-buildid", ""},
|
|
|
|
|
}
|
|
|
|
|
for _, test := range tests {
|
|
|
|
|
test := test
|
|
|
|
|
t.Run(test.name, func(t *testing.T) {
|
|
|
|
|
t.Parallel()
|
|
|
|
|
got := flagValue(test.flags, test.flagName)
|
|
|
|
|
if got != test.want {
|
|
|
|
|
t.Fatalf("flagValue(%q, %q) got %q, want %q",
|
|
|
|
|
test.flags, test.flagName, got, test.want)
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
