Merge branch 'pr1777_squashed'

.appveyor.yml

@@ -18,7 +18,7 @@ environment:
   - target: i686-w64-mingw32
     compiler_path: mingw32
     mingw_prefix: mingw-w64-i686
-    hardening:
+    hardening: --enable-all-bugs-are-fatal
   - target: x86_64-w64-mingw32
     compiler_path: mingw64
     mingw_prefix: mingw-w64-x86_64
@@ -36,7 +36,7 @@ matrix:
       target: i686-w64-mingw32
       compiler_path: mingw32
       mingw_prefix: mingw-w64-i686
-      hardening:
+      hardening: --enable-all-bugs-are-fatal
     - image: Visual Studio 2015
       target: x86_64-w64-mingw32
       compiler_path: mingw64

.travis.yml

@@ -26,7 +26,7 @@ env:
     - MAKEFLAGS="-k -j 2"
     ## We turn on hardening by default
     ## Also known as --enable-fragile-hardening in 0.3.0.3-alpha and later
-    - HARDENING_OPTIONS="--enable-expensive-hardening"
+    - HARDENING_OPTIONS="--enable-all-bugs-are-fatal --enable-expensive-hardening"
     ## We turn off asciidoc by default, because it's slow
     - ASCIIDOC_OPTIONS="--disable-asciidoc"
     ## Our default rust version is the minimum supported version
@@ -52,7 +52,8 @@ matrix:
     - compiler: clang
       os: osx
       ## Turn off some newer features, turn on clang's -Wtypedef-redefinition
-      env: C_DIALECT_OPTIONS="-std=gnu99"
+      ## Also, disable ALL_BUGS_ARE_FATAL macro.
+      env: C_DIALECT_OPTIONS="-std=gnu99" HARDENING_OPTIONS="--enable-expensive-hardening"
 
     ## We run chutney on Linux, because it's faster than chutney on macOS
     ## Chutney is a fast job, clang is slower on Linux, so we do Chutney clang
@@ -63,9 +64,9 @@ matrix:
     - env: DISTCHECK="yes" ASCIIDOC_OPTIONS="" SKIP_MAKE_CHECK="yes"
 
     ## We check disable module relay
-    - env: MODULES_OPTIONS="--disable-module-relay"
+    - env: MODULES_OPTIONS="--disable-module-relay" HARDENING_OPTIONS="--enable-expensive-hardening"
     ## We check disable module dirauth
-    - env: MODULES_OPTIONS="--disable-module-dirauth"
+    - env: MODULES_OPTIONS="--disable-module-dirauth" HARDENING_OPTIONS="--enable-expensive-hardening"
 
     ## We run rust on Linux, because it's faster than rust on macOS
     ## We check rust offline
@@ -74,7 +75,7 @@ matrix:
     ## We check NSS
     ## Use -std=gnu99 to turn off some newer features, and maybe turn on some
     ## extra gcc warnings?
-    - env: NSS_OPTIONS="--enable-nss" C_DIALECT_OPTIONS="-std=gnu99"
+    - env: NSS_OPTIONS="--enable-nss" C_DIALECT_OPTIONS="-std=gnu99" HARDENING_OPTIONS="--enable-expensive-hardening"
 
     ## We include a single coverage build with the best options for coverage
     - env: COVERAGE_OPTIONS="--enable-coverage" HARDENING_OPTIONS="" TOR_TEST_RNG_SEED="636f766572616765"
@@ -241,7 +242,7 @@ script:
   - ./autogen.sh
   - CONFIGURE_FLAGS="$ASCIIDOC_OPTIONS $COVERAGE_OPTIONS $HARDENING_OPTIONS $MODULES_OPTIONS $NSS_OPTIONS $OPENSSL_OPTIONS $RUST_OPTIONS --enable-fatal-warnings --disable-silent-rules"
   - echo "Configure flags are $CONFIGURE_FLAGS CC=\"$CC $C_DIALECT_OPTIONS\""
-  - ./configure $CONFIGURE_FLAGS CC="$CC $C_DIALECT_OPTIONS"
+  - ./configure $CONFIGURE_FLAGS CC="$CC $C_DIALECT_OPTIONS";
   ## We run `make check` because that's what https://jenkins.torproject.org does.
   - if [[ "$SKIP_MAKE_CHECK" == "" ]]; then make check; fi
   - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$CONFIGURE_FLAGS"; fi

changes/ticket32143

@@ -0,0 +1,4 @@
+  o Minor features (continuous integration):
+    - Run unit-test and integration test (Stem, Chutney) jobs with
+      ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
+      Resolves ticket 32143.

configure.ac

@@ -228,6 +228,13 @@ if test "x$enable_expensive_hardening" = "xyes" || test "x$enable_fragile_harden
   AC_DEFINE(DEBUG_SMARTLIST, 1, [Enable smartlist debugging])
 fi
 
+AC_ARG_ENABLE(all-bugs-are-fatal,
+   AS_HELP_STRING(--enable-all-bugs-are-fatal, [force all soft asserts in Tor codebase (tor_assert_nonfatal(), BUG(), etc.) to act as hard asserts (tor_assert() and equivalents); makes Tor fragile; only recommended for dev builds]))
+
+if test "x$enable_all_bugs_are_fatal" = "xyes"; then
+  AC_DEFINE(ALL_BUGS_ARE_FATAL, 1, [All assert failures are fatal])
+fi
+
 dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,

src/feature/dircache/conscache.c

@@ -132,6 +132,15 @@ consensus_cache_may_overallocate(consensus_cache_t *cache)
 #endif
 }
 
+// HACK: GCC on Appveyor hates that we may assert before returning. Work around
+// the error.
+#ifdef _WIN32
+#ifndef COCCI
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wsuggest-attribute=noreturn"
+#endif
+#endif
+
 /**
  * Tell the sandbox (if any) configured by <b>cfg</b> to allow the
  * operations that <b>cache</b> will need.
@@ -156,6 +165,12 @@ consensus_cache_register_with_sandbox(consensus_cache_t *cache,
   return storage_dir_register_with_sandbox(cache->dir, cfg);
 }
 
+#ifdef _WIN32
+#ifndef COCCI
+#pragma GCC diagnostic pop
+#endif
+#endif
+
 /**
  * Helper: clear all entries from <b>cache</b> (but do not delete
  * any that aren't marked for removal

src/test/test_circuitbuild.c

@@ -114,6 +114,10 @@ test_new_route_len_unhandled_exit(void *arg)
   int r;
 
   (void)arg;
+#ifdef ALL_BUGS_ARE_FATAL
+  tt_skip();
+#endif
+
   MOCK(count_acceptable_nodes, mock_count_acceptable_nodes);
 
   tor_capture_bugs_(1);

src/test/test_dir.c

@@ -3005,6 +3005,7 @@ test_dir_param_voting_lookup(void *arg)
   tt_int_op(99, OP_EQ,
             dirvote_get_intermediate_param_value(lst, "abcd", 1000));
 
+#ifndef ALL_BUGS_ARE_FATAL
   /* moomin appears twice. That's a bug. */
   tor_capture_bugs_(1);
   tt_int_op(-100, OP_EQ,
@@ -3040,6 +3041,7 @@ test_dir_param_voting_lookup(void *arg)
   tt_str_op(smartlist_get(tor_get_captured_bug_log_(), 0), OP_EQ,
             "!(!ok)");
   tor_end_capture_bugs_();
+#endif
 
  done:
   SMARTLIST_FOREACH(lst, char *, cp, tor_free(cp));
@@ -4989,6 +4991,10 @@ test_dir_purpose_needs_anonymity_returns_true_by_default(void *arg)
 {
   (void)arg;
 
+#ifdef ALL_BUGS_ARE_FATAL
+  tt_skip();
+#endif
+
   tor_capture_bugs_(1);
   setup_full_capture_of_logs(LOG_WARN);
   tt_int_op(1, OP_EQ, purpose_needs_anonymity(0, 0, NULL));

src/test/test_hs_intropoint.c

@@ -757,12 +757,15 @@ test_introduce1_validation(void *arg)
   cell = helper_create_introduce1_cell();
   tt_assert(cell);
 
+#ifndef ALL_BUGS_ARE_FATAL
   /* It should NOT be a legacy cell which will trigger a BUG(). */
   memset(cell->legacy_key_id, 'a', sizeof(cell->legacy_key_id));
   tor_capture_bugs_(1);
   ret = validate_introduce1_parsed_cell(cell);
   tor_end_capture_bugs_();
   tt_int_op(ret, OP_EQ, -1);
+#endif
+
   /* Reset legacy ID and make sure it's correct. */
   memset(cell->legacy_key_id, 0, sizeof(cell->legacy_key_id));
   ret = validate_introduce1_parsed_cell(cell);

src/test/test_protover.c

@@ -317,6 +317,7 @@ test_protover_all_supported(void *arg)
   tt_assert(protover_all_supported("Fribble=", &msg));
   tt_ptr_op(msg, OP_EQ, NULL);
 
+#ifndef ALL_BUGS_ARE_FATAL
   /* If we get a completely unparseable list, protover_all_supported should
    * hit a fatal assertion for BUG(entries == NULL). */
   tor_capture_bugs_(1);
@@ -328,9 +329,10 @@ test_protover_all_supported(void *arg)
   tor_capture_bugs_(1);
   tt_assert(protover_all_supported("Sleen=1-4294967295", &msg));
   tor_end_capture_bugs_();
+#endif /* !defined(ALL_BUGS_ARE_FATAL) */
 
   /* Protocol name too long */
-#ifndef HAVE_RUST // XXXXXX ?????
+#if !defined(HAVE_RUST) && !defined(ALL_BUGS_ARE_FATAL)
   tor_capture_bugs_(1);
   tt_assert(protover_all_supported(
                  "DoSaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
@@ -338,7 +340,7 @@ test_protover_all_supported(void *arg)
                  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                  "aaaaaaaaaaaa=1-65536", &msg));
   tor_end_capture_bugs_();
-#endif /* !defined(HAVE_RUST) */
+#endif /* !defined(HAVE_RUST) && !defined(ALL_BUGS_ARE_FATAL) */
 
  done:
   tor_end_capture_bugs_();