Security unittests: add more compiler barriers

base/security_unittest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 #include <algorithm>
 #include <limits>
 
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using std::nothrow;
 using std::numeric_limits;
 
 namespace {
 
+// This function acts as a compiler optimization barrier. We use it to
+// prevent the compiler from making an expression a compile-time constant.
+// We also use it so that the compiler doesn't discard certain return values
+// as something we don't need (see the comment with calloc below).
+template <typename Type>
+Type HideValueFromCompiler(volatile Type value) {
+  return value;
+}
+
 // Check that we can not allocate a memory range that cannot be indexed
 // via an int. This is used to mitigate vulnerabilities in libraries that use
 // int instead of size_t.
 // See crbug.com/169327.
 
 // - NO_TCMALLOC because we only patched tcmalloc
 // - ADDRESS_SANITIZER because it has its own memory allocator
 // - IOS does not seem to honor nothrow in new properly
 // - OS_MACOSX does not use tcmalloc
 #if !defined(NO_TCMALLOC) && !defined(ADDRESS_SANITIZER) && \
@@ skipping 19 matching lines @@
 }
 
 // Fake test that allow to know the state of TCMalloc by looking at bots.
 TEST(SecurityTest, ALLOC_TEST(IsTCMallocDynamicallyBypassed)) {
   printf("Malloc is dynamically bypassed: %s\n",
          IsTcMallocBypassed() ? "yes." : "no.");
 }
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsMalloc)) {
   if (!IsTcMallocBypassed()) {
-    scoped_ptr<char, base::FreeDeleter>
-        ptr(static_cast<char*>(malloc(kTooBigAllocSize)));
+    scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>(
+        HideValueFromCompiler(malloc(kTooBigAllocSize))));
     ASSERT_TRUE(ptr == NULL);

[awong, 2013/02/05 22:42:22]

drive-by nit: this would be cleaner as ASSERT_TRUE(ptr); Same in other spots.

[jln (very slow on Chromium), 2013/02/06 00:05:01]

This used to not work with scoped ptr. In general ASSERT_* are very annoying
with pointers.

I also personally prefer == NULL and != NULL to ptr, but that's personal taste.

Done anyways, but limited to the instances where it doesn't make it completely
unreadable (so I excluded some in the tests below).

   }
 }
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsCalloc)) {
   if (!IsTcMallocBypassed()) {
-    scoped_ptr<char, base::FreeDeleter>
-        ptr(static_cast<char*>(calloc(kTooBigAllocSize, 1)));
+    scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>(
+        HideValueFromCompiler(calloc(kTooBigAllocSize, 1))));
     ASSERT_TRUE(ptr == NULL);
   }
 }
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsRealloc)) {
   if (!IsTcMallocBypassed()) {
     char* orig_ptr = static_cast<char*>(malloc(1));
     ASSERT_TRUE(orig_ptr != NULL);
-    scoped_ptr<char, base::FreeDeleter>
-        ptr(static_cast<char*>(realloc(orig_ptr, kTooBigAllocSize)));
+    scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>(
+        HideValueFromCompiler(realloc(orig_ptr, kTooBigAllocSize))));
     ASSERT_TRUE(ptr == NULL);
     // If realloc() did not succeed, we need to free orig_ptr.
     free(orig_ptr);
   }
 }
 
 typedef struct {
   char large_array[kTooBigAllocSize];
 } VeryLargeStruct;
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNew)) {
   if (!IsTcMallocBypassed()) {
-    scoped_ptr<VeryLargeStruct> ptr(new (nothrow) VeryLargeStruct);
+    scoped_ptr<VeryLargeStruct> ptr(
+        HideValueFromCompiler(new (nothrow) VeryLargeStruct));
     ASSERT_TRUE(ptr == NULL);
   }
 }
 
 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) {
   if (!IsTcMallocBypassed()) {
-    scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]);
+    scoped_ptr<char[]> ptr(
+        HideValueFromCompiler(new (nothrow) char[kTooBigAllocSize]));
     ASSERT_TRUE(ptr == NULL);
   }
 }
 
 // The tests bellow check for overflows in new[] and calloc().
 
 #if defined(OS_IOS) || defined(OS_WIN)
   #define DISABLE_ON_IOS_AND_WIN(function) DISABLED_##function
 #else
   #define DISABLE_ON_IOS_AND_WIN(function) function
@@ skipping 16 matching lines @@
     printf("Platform has overflow: %s\n",
            !overflow_detected ? "yes." : "no.");
 #else
     // Otherwise, fail the test. (Note: EXPECT are ok in subfunctions, ASSERT
     // aren't).
     EXPECT_TRUE(overflow_detected);
 #endif
   }
 }
 
-// This function acts as a compiler optimization barrier. We use it to
-// prevent the compiler from making an expression a compile-time constant.
-// We also use it so that the compiler doesn't discard certain return values
-// as something we don't need (see the comment with calloc below).
-template <typename Type>
-Type HideValueFromCompiler(volatile Type value) {
-  return value;
-}
-
 // Test array[TooBig][X] and array[X][TooBig] allocations for int overflows.
 // IOS doesn't honor nothrow, so disable the test there.
 // Disable on Windows, we suspect some are failing because of it.
 TEST(SecurityTest, DISABLE_ON_IOS_AND_WIN(NewOverflow)) {
   const size_t kArraySize = 4096;
   // We want something "dynamic" here, so that the compiler doesn't
   // immediately reject crazy arrays.
   const size_t kDynamicArraySize = HideValueFromCompiler(kArraySize);
   // numeric_limits are still not constexpr until we switch to C++11, so we
   // use an ugly cast.
@@ skipping 86 matching lines @@
         return;  // Test passes.
       }
     }
   }
   ASSERT_TRUE(false);  // NOTREACHED();
 }
 
 #endif  // (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
 
 }  // namespace