Merge #20476: contrib: Add test for ELF symbol-check

fanquake · fanquake · commit d0ca394596cf · 2020-12-07T15:33:37.000+08:00
ed1bbce contrib: add MACHO tests to symbol-check tests (fanquake) 5bab08d contrib: Add test for ELF symbol-check (Wladimir J. van der Laan) Pull request description: Check both failure cases: - Use a glibc symbol from a version that is too new - Use a symbol from a library that is not in the allowlist And also check a conforming binary. Adding a similar check for Windows PE can be done in a separate PR. ACKs for top commit: fanquake: ACK ed1bbce Tree-SHA512: fd437612e003922465fe1396efa1fa3a64bd1c7b0a514d2a0a7a0caaaa9fb5cb43e0ed7caec15eb0a3508692c9eb3212d7ba3c7e8180b942dd3e50616ad6e557
diff --git a/Makefile.am b/Makefile.am
@@ -353,10 +353,12 @@ clean-local: clean-docs
 test-security-check:
 if TARGET_DARWIN
 	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_MACHO
+	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_MACHO
 endif
 if TARGET_WINDOWS
 	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_PE
 endif
 if TARGET_LINUX
 	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_ELF
+	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_ELF
 endif
diff --git a/configure.ac b/configure.ac
@@ -1698,7 +1698,9 @@ AC_CONFIG_FILES([Makefile src/Makefile doc/man/Makefile share/setup.nsi share/qt
 AC_CONFIG_FILES([contrib/devtools/split-debug.sh],[chmod +x contrib/devtools/split-debug.sh])
 AM_COND_IF([HAVE_DOXYGEN], [AC_CONFIG_FILES([doc/Doxyfile])])
 AC_CONFIG_LINKS([contrib/devtools/security-check.py:contrib/devtools/security-check.py])
+AC_CONFIG_LINKS([contrib/devtools/symbol-check.py:contrib/devtools/symbol-check.py])
 AC_CONFIG_LINKS([contrib/devtools/test-security-check.py:contrib/devtools/test-security-check.py])
+AC_CONFIG_LINKS([contrib/devtools/test-symbol-check.py:contrib/devtools/test-symbol-check.py])
 AC_CONFIG_LINKS([contrib/filter-lcov.py:contrib/filter-lcov.py])
 AC_CONFIG_LINKS([test/functional/test_runner.py:test/functional/test_runner.py])
 AC_CONFIG_LINKS([test/fuzz/test_runner.py:test/fuzz/test_runner.py])
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
@@ -0,0 +1,125 @@
+#!/usr/bin/env python3
+# Copyright (c) 2020 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+'''
+Test script for symbol-check.py
+'''
+import subprocess
+import unittest
+
+def call_symbol_check(cc, source, executable, options):
+    subprocess.run([cc,source,'-o',executable] + options, check=True)
+    p = subprocess.run(['./contrib/devtools/symbol-check.py',executable], stdout=subprocess.PIPE, universal_newlines=True)
+    return (p.returncode, p.stdout.rstrip())
+
+def get_machine(cc):
+    p = subprocess.run([cc,'-dumpmachine'], stdout=subprocess.PIPE, universal_newlines=True)
+    return p.stdout.rstrip()
+
+class TestSymbolChecks(unittest.TestCase):
+    def test_ELF(self):
+        source = 'test1.c'
+        executable = 'test1'
+        cc = 'gcc'
+
+        # there's no way to do this test for RISC-V at the moment; bionic's libc is 2.27
+        # and we allow all symbols from 2.27.
+        if 'riscv' in get_machine(cc):
+            self.skipTest("test not available for RISC-V")
+
+        # memfd_create was introduced in GLIBC 2.27, so is newer than the upper limit of
+        # all but RISC-V but still available on bionic
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                #define _GNU_SOURCE
+                #include <sys/mman.h>
+
+                int memfd_create(const char *name, unsigned int flags);
+
+                int main()
+                {
+                    memfd_create("test", 0);
+                    return 0;
+                }
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, []),
+                (1, executable + ': symbol memfd_create from unsupported version GLIBC_2.27\n' +
+                    executable + ': failed IMPORTED_SYMBOLS'))
+
+        # -lutil is part of the libc6 package so a safe bet that it's installed
+        # it's also out of context enough that it's unlikely to ever become a real dependency
+        source = 'test2.c'
+        executable = 'test2'
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                #include <utmp.h>
+
+                int main()
+                {
+                    login(0);
+                    return 0;
+                }
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-lutil']),
+                (1, executable + ': NEEDED library libutil.so.1 is not allowed\n' +
+                    executable + ': failed LIBRARY_DEPENDENCIES'))
+
+        # finally, check a conforming file that simply uses a math function
+        source = 'test3.c'
+        executable = 'test3'
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                #include <math.h>
+
+                int main()
+                {
+                    return (int)pow(2.0, 4.0);
+                }
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
+                (0, ''))
+
+    def test_MACHO(self):
+        source = 'test1.c'
+        executable = 'test1'
+        cc = 'clang'
+
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                #include <expat.h>
+
+                int main()
+                {
+                    XML_ExpatVersion();
+                    return 0;
+                }
+
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
+            (1, 'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n' +
+                executable + ': failed DYNAMIC_LIBRARIES'))
+
+        source = 'test2.c'
+        executable = 'test2'
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                #include <CoreGraphics/CoreGraphics.h>
+
+                int main()
+                {
+                    CGMainDisplayID();
+                    return 0;
+                }
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics']),
+                (0, ''))
+
+if __name__ == '__main__':
+    unittest.main()
+
