test_util.c

/* Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
 * Copyright (c) 2007-2021, The Tor Project, Inc. */
/* See LICENSE for licensing information */

#include "orconfig.h"
#define COMPAT_TIME_PRIVATE
#define UTIL_MALLOC_PRIVATE
#define PROCESS_WIN32_PRIVATE
#include "lib/testsupport/testsupport.h"
#include "core/or/or.h"
#include "lib/buf/buffers.h"
#include "app/config/config.h"
#include "feature/control/control.h"
#include "feature/control/control_proto.h"
#include "feature/client/transports.h"
#include "lib/crypt_ops/crypto_format.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/defs/time.h"
#include "test/test.h"
#include "test/test_helpers.h"
#include "lib/memarea/memarea.h"
#include "lib/process/waitpid.h"
#include "lib/process/process_win32.h"
#include "test/log_test_helpers.h"
#include "lib/compress/compress.h"
#include "lib/compress/compress_zstd.h"
#include "lib/encoding/keyval.h"
#include "lib/fdio/fdio.h"
#include "lib/fs/winlib.h"
#include "lib/process/env.h"
#include "lib/process/pidfile.h"
#include "lib/intmath/weakrng.h"
#include "lib/intmath/muldiv.h"
#include "lib/thread/numcpus.h"
#include "lib/math/fp.h"
#include "lib/math/laplace.h"
#include "lib/meminfo/meminfo.h"
#include "lib/time/tvdiff.h"
#include "lib/encoding/confline.h"
#include "lib/net/socketpair.h"
#include "lib/malloc/map_anon.h"

#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
#ifdef HAVE_SYS_UTIME_H
#include <sys/utime.h>
#endif
#ifdef HAVE_UTIME_H
#include <utime.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif

#ifdef _WIN32
#include <tchar.h>
#endif
#include <math.h>
#include <ctype.h>
#include <float.h>

/* These platforms don't have meaningful pwdb or homedirs. */
#if defined(_WIN32) || defined(__ANDROID__)
#define DISABLE_PWDB_TESTS
#endif

static void set_file_mtime(const char *fname, time_t when);

#define INFINITY_DBL ((double)INFINITY)
#define NAN_DBL ((double)NAN)

/** Test the tor_isinf() wrapper */
static void
test_tor_isinf(void *arg)
{
  (void) arg;

  tt_assert(tor_isinf(INFINITY_DBL));

  tt_assert(!tor_isinf(NAN_DBL));
  tt_assert(!tor_isinf(DBL_EPSILON));
  tt_assert(!tor_isinf(DBL_MAX));
  tt_assert(!tor_isinf(DBL_MIN));

  tt_assert(!tor_isinf(0.0));
  tt_assert(!tor_isinf(0.1));
  tt_assert(!tor_isinf(3));
  tt_assert(!tor_isinf(3.14));

 done:
  ;
}

/* XXXX this is a minimal wrapper to make the unit tests compile with the
 * changed tor_timegm interface. */
static time_t
tor_timegm_wrapper(const struct tm *tm)
{
  time_t t;
  if (tor_timegm(tm, &t) < 0)
    return -1;
  return t;
}

#define tor_timegm tor_timegm_wrapper

static void
test_util_read_until_eof_impl(const char *fname, size_t file_len,
                              size_t read_limit)
{
  char *fifo_name = NULL;
  char *test_str = NULL;
  char *str = NULL;
  size_t sz = 9999999;
  int fd = -1;
  int r;

  fifo_name = tor_strdup(get_fname(fname));
  test_str = tor_malloc(file_len);
  crypto_rand(test_str, file_len);

  r = write_bytes_to_file(fifo_name, test_str, file_len, 1);
  tt_int_op(r, OP_EQ, 0);

  fd = open(fifo_name, O_RDONLY|O_BINARY);
  tt_int_op(fd, OP_GE, 0);
  str = read_file_to_str_until_eof(fd, read_limit, &sz);
  tt_ptr_op(str, OP_NE, NULL);

  if (read_limit < file_len)
    tt_int_op(sz, OP_EQ, read_limit);
  else
    tt_int_op(sz, OP_EQ, file_len);

  tt_mem_op(test_str, OP_EQ, str, sz);
  tt_int_op(str[sz], OP_EQ, '\0');

 done:
  unlink(fifo_name);
  tor_free(fifo_name);
  tor_free(test_str);
  tor_free(str);
  if (fd >= 0)
    close(fd);
}

static void
test_util_read_file_eof_tiny_limit(void *arg)
{
  (void)arg;
  // purposely set limit shorter than what we wrote to the FIFO to
  // test the maximum, and that it puts the NUL in the right spot

  test_util_read_until_eof_impl("tor_test_fifo_tiny", 5, 4);
}

static void
test_util_read_file_eof_one_loop_a(void *arg)
{
  (void)arg;
  test_util_read_until_eof_impl("tor_test_fifo_1ka", 1024, 1023);
}

static void
test_util_read_file_eof_one_loop_b(void *arg)
{
  (void)arg;
  test_util_read_until_eof_impl("tor_test_fifo_1kb", 1024, 1024);
}

static void
test_util_read_file_eof_two_loops(void *arg)
{
  (void)arg;
  // write more than 1024 bytes to the FIFO to test two passes through
  // the loop in the method; if the re-alloc size is changed this
  // should be updated as well.

  test_util_read_until_eof_impl("tor_test_fifo_2k", 2048, 10000);
}

static void
test_util_read_file_eof_two_loops_b(void *arg)
{
  (void)arg;

  test_util_read_until_eof_impl("tor_test_fifo_2kb", 2048, 2048);
}

static void
test_util_read_file_eof_zero_bytes(void *arg)
{
  (void)arg;
  // zero-byte fifo
  test_util_read_until_eof_impl("tor_test_fifo_empty", 0, 10000);
}

static void
test_util_read_file_endlines(void *arg)
{
  (void)arg;

  char *fname = NULL;
  char *read_content = NULL;
  int r = -1;

  /* Write a file that contains both \n and \r\n as line ending. */
  const char *file_content = "foo bar\n"
                             "foo bar baz\r\n"
                             "foo bar\r\n";

  const char *expected_file_content = "foo bar\n"
                                      "foo bar baz\n"
                                      "foo bar\n";

  fname = tor_strdup(get_fname("file_with_crlf_ending"));

  r = write_bytes_to_file(fname, file_content, strlen(file_content), 1);
  tt_int_op(r, OP_EQ, 0);

  /* Read the file in text mode: we strip \r's from the files on both Windows
   * and UNIX. */
  read_content = read_file_to_str(fname, 0, NULL);

  tt_ptr_op(read_content, OP_NE, NULL);
  tt_int_op(strlen(read_content), OP_EQ, strlen(expected_file_content));
  tt_str_op(read_content, OP_EQ, expected_file_content);

  tor_free(read_content);

  /* Read the file in binary mode: we should preserve the \r here. */
  read_content = read_file_to_str(fname, RFTS_BIN, NULL);

  tt_ptr_op(read_content, OP_NE, NULL);
  tt_int_op(strlen(read_content), OP_EQ, strlen(file_content));
  tt_str_op(read_content, OP_EQ, file_content);

  tor_free(read_content);

 done:
  unlink(fname);
  tor_free(fname);
  tor_free(read_content);
}

/* Test the basic expected behaviour for write_chunks_to_file.
 * NOTE: This will need to be updated if we ever change the tempfile location
 * or extension */
static void
test_util_write_chunks_to_file(void *arg)
{
  char *fname = NULL;
  char *tempname = NULL;
  char *str = NULL;
  int r;
  struct stat st;

  /* These should be two different sizes to ensure the data is different
   * between the data file and the temp file's 'known string' */
  int temp_str_len = 1024;
  int data_str_len = 512;
  char *data_str = tor_malloc(data_str_len);
  char *temp_str = tor_malloc(temp_str_len);

  smartlist_t *chunks = smartlist_new();
  sized_chunk_t c = {data_str, data_str_len/2};
  sized_chunk_t c2 = {data_str + data_str_len/2, data_str_len/2};
  (void)arg;

  crypto_rand(temp_str, temp_str_len);
  crypto_rand(data_str, data_str_len);

  // Ensure it can write multiple chunks

  smartlist_add(chunks, &c);
  smartlist_add(chunks, &c2);

  /*
  * Check if it writes using a tempfile
  */
  fname = tor_strdup(get_fname("write_chunks_with_tempfile"));
  tor_asprintf(&tempname, "%s.tmp", fname);

  // write a known string to a file where the tempfile will be
  r = write_bytes_to_file(tempname, temp_str, temp_str_len, 1);
  tt_int_op(r, OP_EQ, 0);

  // call write_chunks_to_file
  r = write_chunks_to_file(fname, chunks, 1, 0);
  tt_int_op(r, OP_EQ, 0);

  // assert the file has been written (expected size)
  str = read_file_to_str(fname, RFTS_BIN, &st);
  tt_assert(str != NULL);
  tt_u64_op((uint64_t)st.st_size, OP_EQ, data_str_len);
  tt_mem_op(data_str, OP_EQ, str, data_str_len);
  tor_free(str);

  // assert that the tempfile is removed (should not leave artifacts)
  str = read_file_to_str(tempname, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
  tt_assert(str == NULL);

  // Remove old testfile for second test
  r = unlink(fname);
  tt_int_op(r, OP_EQ, 0);
  tor_free(fname);
  tor_free(tempname);

  /*
  *  Check if it skips using a tempfile with flags
  */
  fname = tor_strdup(get_fname("write_chunks_with_no_tempfile"));
  tor_asprintf(&tempname, "%s.tmp", fname);

  // write a known string to a file where the tempfile will be
  r = write_bytes_to_file(tempname, temp_str, temp_str_len, 1);
  tt_int_op(r, OP_EQ, 0);

  // call write_chunks_to_file with no_tempfile = true
  r = write_chunks_to_file(fname, chunks, 1, 1);
  tt_int_op(r, OP_EQ, 0);

  // assert the file has been written (expected size)
  str = read_file_to_str(fname, RFTS_BIN, &st);
  tt_assert(str != NULL);
  tt_u64_op((uint64_t)st.st_size, OP_EQ, data_str_len);
  tt_mem_op(data_str, OP_EQ, str, data_str_len);
  tor_free(str);

  // assert the tempfile still contains the known string
  str = read_file_to_str(tempname, RFTS_BIN, &st);
  tt_assert(str != NULL);
  tt_u64_op((uint64_t)st.st_size, OP_EQ, temp_str_len);
  tt_mem_op(temp_str, OP_EQ, str, temp_str_len);

 done:
  unlink(fname);
  unlink(tempname);
  smartlist_free(chunks);
  tor_free(fname);
  tor_free(tempname);
  tor_free(str);
  tor_free(data_str);
  tor_free(temp_str);
}

/* Test write_str_to_file_if_not_equal(). */
static void
test_util_write_str_if_changed(void *arg)
{
  (void)arg;
  char *fname = tor_strdup(get_fname("write_if_changed"));
  char *s = NULL;
  int rv;
  const char str1[] = "The wombat lives across the seas";
  const char str2[] = "Among the far Antipodes"; /* -- Ogden Nash */

  /* We can create files. */
  rv = write_str_to_file_if_not_equal(fname, str1);
  tt_int_op(rv, OP_EQ, 0);
  s = read_file_to_str(fname, 0, NULL);
  tt_str_op(s, OP_EQ, str1);
  tor_free(s);

  /* We can replace files. */
  rv = write_str_to_file_if_not_equal(fname, str2);
  tt_int_op(rv, OP_EQ, 0);
  s = read_file_to_str(fname, 0, NULL);
  tt_str_op(s, OP_EQ, str2);
  tor_free(s);

  /* Make sure we don't replace files when they're equal. (That's the whole
   * point of the function we're testing. */
  /* First, change the mtime of the file so that we can tell whether we
   * replaced it. */
  const time_t now = time(NULL);
  const time_t five_sec_ago = now - 5;
  set_file_mtime(fname, five_sec_ago);
  rv = write_str_to_file_if_not_equal(fname, str2);
  tt_int_op(rv, OP_EQ, 0);
  /* Make sure that the file's mtime is unchanged... */
  struct stat st;
  rv = stat(fname, &st);
  tt_int_op(rv, OP_EQ, 0);
  tt_i64_op(st.st_mtime, OP_EQ, five_sec_ago);
  /* And make sure its contents are unchanged. */
  s = read_file_to_str(fname, 0, NULL);
  tt_str_op(s, OP_EQ, str2);
  tor_free(s);

 done:
  tor_free(fname);
  tor_free(s);
}

#ifndef COCCI
#define _TFE(a, b, f)  tt_int_op((a).f, OP_EQ, (b).f)
/** test the minimum set of struct tm fields needed for a unique epoch value
 * this is also the set we use to test tor_timegm */
#define TM_EQUAL(a, b)           \
          TT_STMT_BEGIN          \
            _TFE(a, b, tm_year); \
            _TFE(a, b, tm_mon ); \
            _TFE(a, b, tm_mday); \
            _TFE(a, b, tm_hour); \
            _TFE(a, b, tm_min ); \
            _TFE(a, b, tm_sec ); \
          TT_STMT_END
#endif /* !defined(COCCI) */

static void
test_util_time(void *arg)
{
  struct timeval start, end;
  struct tm a_time, b_time;
  char timestr[128];
  time_t t_res;
  int i;
  struct timeval tv;

  /* Test tv_udiff and tv_mdiff */

  (void)arg;
  start.tv_sec = 5;
  start.tv_usec = 5000;

  end.tv_sec = 5;
  end.tv_usec = 5000;

  tt_int_op(0L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(0L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(0L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(0L,OP_EQ, tv_mdiff(&end, &start));

  end.tv_usec = 7000;

  tt_int_op(2000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(2L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-2000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-2L,OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = 6;

  tt_int_op(1002000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(1002L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-1002000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-1002L,OP_EQ, tv_mdiff(&end, &start));

  end.tv_usec = 0;

  tt_int_op(995000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(995L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-995000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-995L,OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = 4;

  tt_int_op(-1005000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(-1005L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(1005000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(1005L,OP_EQ, tv_mdiff(&end, &start));

  /* Negative tv_sec values, these will break on platforms where tv_sec is
   * unsigned */

  end.tv_sec = -10;

  tt_int_op(-15005000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(-15005L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(15005000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(15005L,OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = -100;

  tt_int_op(89995000L,OP_EQ, tv_udiff(&start, &end));
  tt_int_op(89995L,OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-89995000L,OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-89995L,OP_EQ, tv_mdiff(&end, &start));

  /* Test that tv_usec values round away from zero when converted to msec */
  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = 10;
  end.tv_usec = 499;

  tt_int_op(10000499L, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(10000L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-10000499L, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-10000L, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = 10;
  end.tv_usec = 500;

  tt_int_op(10000500L, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(10001L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-10000500L, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-10000L, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = 10;
  end.tv_usec = 501;

  tt_int_op(10000501L, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(10001L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-10000501L, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-10001L, OP_EQ, tv_mdiff(&end, &start));

  /* Overflow conditions */

#ifdef _WIN32
  /* Would you believe that tv_sec is a long on windows? Of course you would.*/
#define TV_SEC_MAX LONG_MAX
#define TV_SEC_MIN LONG_MIN
#else
  /* Some BSDs have struct timeval.tv_sec 64-bit, but time_t (and long) 32-bit
   * Which means TIME_MAX is not actually the maximum value of tv_sec.
   * But that's ok for the moment, because the code correctly performs 64-bit
   * calculations internally, then catches the overflow. */
#define TV_SEC_MAX TIME_MAX
#define TV_SEC_MIN TIME_MIN
#endif /* defined(_WIN32) */

/* Assume tv_usec is an unsigned integer until proven otherwise */
#define TV_USEC_MAX UINT_MAX

  /* Overflows in the result type */

  /* All comparisons work */
  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000 - 2;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(end.tv_sec*1000L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-end.tv_sec*1000L, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000000 - 1;
  end.tv_usec = 0;

  tt_int_op(end.tv_sec*1000000L, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(end.tv_sec*1000L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(-end.tv_sec*1000000L, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-end.tv_sec*1000L, OP_EQ, tv_mdiff(&end, &start));

  /* No comparisons work */
  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000 + 1;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000000 + 1;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(end.tv_sec*1000L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-end.tv_sec*1000L, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000;
  end.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = 0;
  start.tv_usec = 0;
  end.tv_sec = LONG_MAX/1000000;
  end.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op((end.tv_sec + 1)*1000L, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(-(end.tv_sec + 1)*1000L, OP_EQ, tv_mdiff(&end, &start));

  /* Overflows on comparison to zero */

  start.tv_sec = 0;
  start.tv_usec = 0;

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = 0;
  end.tv_usec = TV_USEC_MAX;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = TV_USEC_MAX;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = 0;
  end.tv_usec = 0;

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = TV_USEC_MAX;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  /* overflows on comparison to maxima / minima */

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = 0;

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = 0;

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  /* overflows on comparison to maxima / minima with extra usec */

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = TOR_USEC_PER_SEC;

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  end.tv_sec = TV_SEC_MAX;
  end.tv_usec = TOR_USEC_PER_SEC;

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = 0;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  start.tv_sec = TV_SEC_MIN;
  start.tv_usec = TOR_USEC_PER_SEC;

  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&start, &end));
  tt_int_op(LONG_MAX, OP_EQ, tv_udiff(&end, &start));
  tt_int_op(LONG_MAX, OP_EQ, tv_mdiff(&end, &start));

  /* Test tor_timegm & tor_gmtime_r */

  /* The test values here are confirmed to be correct on a platform
   * with a working timegm & gmtime_r. */

  /* Start with known-zero a_time and b_time.
   * This avoids passing uninitialised values to TM_EQUAL in a_time.
   * Zeroing may not be needed for b_time, as long as tor_gmtime_r
   * never reads the existing values in the structure.
   * But we really don't want intermittently failing tests. */
  memset(&a_time, 0, sizeof(struct tm));
  memset(&b_time, 0, sizeof(struct tm));

  a_time.tm_year = 2003-1900;
  a_time.tm_mon = 7;
  a_time.tm_mday = 30;
  a_time.tm_hour = 6;
  a_time.tm_min = 14;
  a_time.tm_sec = 55;
  t_res = 1062224095UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);

  a_time.tm_year = 2004-1900; /* Try a leap year, after feb. */
  t_res = 1093846495UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);

  a_time.tm_mon = 1;          /* Try a leap year, in feb. */
  a_time.tm_mday = 10;
  t_res = 1076393695UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);

  a_time.tm_mon = 0;
  t_res = 1073715295UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);

  /* This value is in range with 32 bit and 64 bit time_t */
  a_time.tm_year = 2037-1900;
  t_res = 2115180895UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);

  /* This value is out of range with 32 bit time_t, but in range for 64 bit
   * time_t */
  a_time.tm_year = 2039-1900;
#if SIZEOF_TIME_T == 4
  setup_full_capture_of_logs(LOG_WARN);
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  expect_single_log_msg_containing("Result does not fit in tor_timegm");
  teardown_capture_of_logs();
#elif SIZEOF_TIME_T == 8
  t_res = 2178252895UL;
  tt_int_op(t_res, OP_EQ, tor_timegm(&a_time));
  tor_gmtime_r(&t_res, &b_time);
  TM_EQUAL(a_time, b_time);
#endif /* SIZEOF_TIME_T == 4 || ... */

  /* Test tor_timegm out of range */

  /* The below tests will all cause a BUG message, so we capture, suppress,
   * and detect. */
#define CAPTURE() do {                                          \
    setup_full_capture_of_logs(LOG_WARN);                       \
  } while (0)
#define CHECK_TIMEGM_WARNING(msg) do { \
    expect_single_log_msg_containing(msg);                              \
    teardown_capture_of_logs();                                         \
  } while (0)
#define CHECK_POSSIBLE_EINVAL() do {                            \
    if (mock_saved_log_n_entries()) {                           \
      expect_single_log_msg_containing("Invalid argument");     \
    }                                                           \
    teardown_capture_of_logs();                                 \
  } while (0)

#define CHECK_TIMEGM_ARG_OUT_OF_RANGE(msg) \
    CHECK_TIMEGM_WARNING("Out-of-range argument to tor_timegm")

  /* year */

  /* Wrong year < 1970 */
  a_time.tm_year = 1969-1900;
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_year = -1-1900;
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

#if SIZEOF_INT == 4 || SIZEOF_INT == 8
    a_time.tm_year = -1*(1 << 16);
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    /* one of the smallest tm_year values my 64 bit system supports:
     * t_res = -9223372036854775LL without clamping */
    a_time.tm_year = -292275055-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    a_time.tm_year = INT32_MIN;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();
#endif /* SIZEOF_INT == 4 || SIZEOF_INT == 8 */

#if SIZEOF_INT == 8
    a_time.tm_year = -1*(1 << 48);
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    /* while unlikely, the system's gmtime(_r) could return
     * a "correct" retrospective gregorian negative year value,
     * which I'm pretty sure is:
     * -1*(2^63)/60/60/24*2000/730485 + 1970 = -292277022657
     * 730485 is the number of days in two millennia, including leap days */
    a_time.tm_year = -292277022657-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    a_time.tm_year = INT64_MIN;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();
#endif /* SIZEOF_INT == 8 */

  /* Wrong year >= INT32_MAX - 1900 */
#if SIZEOF_INT == 4 || SIZEOF_INT == 8
    a_time.tm_year = INT32_MAX-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    a_time.tm_year = INT32_MAX;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();
#endif /* SIZEOF_INT == 4 || SIZEOF_INT == 8 */

#if SIZEOF_INT == 8
    /* one of the largest tm_year values my 64 bit system supports */
    a_time.tm_year = 292278994-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    /* while unlikely, the system's gmtime(_r) could return
     * a "correct" proleptic gregorian year value,
     * which I'm pretty sure is:
     * (2^63-1)/60/60/24*2000/730485 + 1970 = 292277026596
     * 730485 is the number of days in two millennia, including leap days */
    a_time.tm_year = 292277026596-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    a_time.tm_year = INT64_MAX-1900;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();

    a_time.tm_year = INT64_MAX;
    CAPTURE();
    tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
    CHECK_TIMEGM_ARG_OUT_OF_RANGE();
#endif /* SIZEOF_INT == 8 */

  /* month */
  a_time.tm_year = 2007-1900;  /* restore valid year */

  a_time.tm_mon = 12;          /* Wrong month, it's 0-based */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_mon = -1;          /* Wrong month */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  /* day */
  a_time.tm_mon = 6;            /* Try July */
  a_time.tm_mday = 32;          /* Wrong day */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_mon = 5;            /* Try June */
  a_time.tm_mday = 31;          /* Wrong day */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_year = 2008-1900;   /* Try a leap year */
  a_time.tm_mon = 1;            /* in feb. */
  a_time.tm_mday = 30;          /* Wrong day */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_year = 2011-1900;   /* Try a non-leap year */
  a_time.tm_mon = 1;            /* in feb. */
  a_time.tm_mday = 29;          /* Wrong day */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_mday = 0;           /* Wrong day, it's 1-based (to be different) */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  /* hour */
  a_time.tm_mday = 3;           /* restore valid month day */

  a_time.tm_hour = 24;          /* Wrong hour, it's 0-based */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_hour = -1;          /* Wrong hour */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  /* minute */
  a_time.tm_hour = 22;          /* restore valid hour */

  a_time.tm_min = 60;           /* Wrong minute, it's 0-based */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));
  CHECK_TIMEGM_ARG_OUT_OF_RANGE();

  a_time.tm_min = -1;           /* Wrong minute */
  CAPTURE();
  tt_int_op((time_t) -1,OP_EQ, tor_timegm(&a_time));