Question: Release build containing local build strings

[jackfruit2]

Hi @McMartin,

Apologies for the noob question. I'm fairly new to C++, CMake, JUCE and FRUT. Gotta start somewhere right ;). Firstly thanks for this amazing tool, it great to be able to build a whole project from the commandline rather than reliance on a GUI etc.

I'm experimenting with both JUCE and FRUT at the moment, with the intention of creating a hardened release build. When running an build using the Xcode target even with STRIP_LOCAL_SYMBOLS I find strings related to the build including references to the cpp source files present in the binary. Futhermore, I also find mangled function names in clear sight that would aid a disassembler to circumvent any sort of registration process or aid other malicious intenent.

The example export target that I'm using:

jucer_export_target_configuration( "Xcode (MacOSX)" NAME "Release" DEBUG_MODE OFF BINARY_NAME "test_plugin" STRIP_LOCAL_SYMBOLS ON OPTIMISATION "-O3 (fastest with safe optimisations)" )

I used the utility program called strings (which may have been installed with Xcode) to discover this. Do you know what I might be missing? Do I require linker flags or additional compiler switches.

I'm using:
Apple clang version 13.1.6 (clang-1316.0.21.2.5)
Target: x86_64-apple-darwin21.6.0
Thread model: posix

Many thanks in advance ;)

[McMartin]

Hi @jackfruit2,

Thanks for using FRUT!

Could you please give me some examples of strings and/or function names that you found in the binary, though you didn't expect them there? I'll also try to reproduce on my side, but it will be easier for me if I know what I should be looking for.

[jackfruit2]

Hi @McMartin,

Thanks for your timely reply.

Please find the replication instructions to reproduce the issue that im facing:
Note: Im using macOS Montery

Instructions

1. Create a HelloWorld VST3 plugin using JUCE 7.0.1
2. Follow the readme instructions to create a vanilla FRUT project (found here: https://github.com/McMartin/FRUT)
3. Configure the CMakeLists.txt to include the following juce_export_target_configuration:

jucer_export_target_configuration(
"Xcode (MacOSX)"
NAME "Release"
DEBUG_MODE OFF
BINARY_NAME "Helloworld"
STRIP_LOCAL_SYMBOLS ON
LINK_TIME_OPTIMISATION ON
OPTIMISATION "-O3 (fastest with safe optimisations)"
)

5. Build the project using cmake --build . --config Release
6. Change directory to the built artifact (the VST3) ~/Library/Audio/Plug-Ins/VST3/Helloworld.vst3/Contents/MacOS
7. Execute strip just to make sure the debug symbols are removed strip -x -S Helloworld -o Helloworld.stripped
8. Execute strings Helloworld.stripped > ~/Desktop/Helloworld2.txt to output the strings found in the binary to a file.
9. Observe the file containing mangled function names and reference to cpp files including its origin in the txt file.

Sample Extract Mangled Functions

Please find below a sample of JUCE mangle functions in the binaries :

NSt3__110__function6__baseIFffffEEE
ZZN4juce17AudioParameterIntC1ERKNS_11ParameterIDERKNS_6StringEiiiRKNS_27AudioParameterIntAttributesEENK4$19clEvEUlfffE
NSt3__110__function6__funcIZZN4juce17AudioParameterIntC1ERKNS2_11ParameterIDERKNS2_6StringEiiiRKNS2_27AudioParameterIntAttributesEENK4$_19clEvEUlfffE0_NS_9allocatorISE_EEFffffEEE
ZZN4juce17AudioParameterIntC1ERKNS_11ParameterIDERKNS_6StringEiiiRKNS_27AudioParameterIntAttributesEENK4$19clEvEUlfffE0
NSt3__110__function6__funcIZZN4juce17AudioParameterIntC1ERKNS2_11ParameterIDERKNS2_6StringEiiiRKNS2_27AudioParameterIntAttributesEENK4$_19clEvEUlfffE1_NS_9allocatorISE_EEFffffEEE
ZZN4juce17AudioParameterIntC1ERKNS_11ParameterIDERKNS_6StringEiiiRKNS_27AudioParameterIntAttributesEENK4$19clEvEUlfffE1
NSt3__110__function6__funcIZZN4juce20AudioParameterChoiceC1ERKNS2_11ParameterIDERKNS2_6StringERKNS2_11StringArrayEiRKNS2_30AudioParameterChoiceAttributesEENK4$_24clEvEUlfffE_NS_9allocatorISH_EEFffffEEE
ZZN4juce20AudioParameterChoiceC1ERKNS_11ParameterIDERKNS_6StringERKNS_11StringArrayEiRKNS_30AudioParameterChoiceAttributesEENK4$24clEvEUlfffE
NSt3__110__function6__funcIZZN4juce20AudioParameterChoiceC1ERKNS2_11ParameterIDERKNS2_6StringERKNS2_11StringArrayEiRKNS2_30AudioParameterChoiceAttributesEENK4$_24clEvEUlfffE0_NS_9allocatorISH_EEFffffEEE
ZZN4juce20AudioParameterChoiceC1ERKNS_11ParameterIDERKNS_6StringERKNS_11StringArrayEiRKNS_30AudioParameterChoiceAttributesEENK4$24clEvEUlfffE0
NSt3__110__function6__funcIZZN4juce20AudioParameterChoiceC1ERKNS2_11ParameterIDERKNS2_6StringERKNS2_11StringArrayEiRKNS2_30AudioParameterChoiceAttributesEENK4$24clEvEUlfffE1_NS_9allocatorISH

Sample of Exposed Home directory

Component Controller Class
%02X
/Users/jackfruit2/SDKs/JUCE/modules/juce_audio_plugin_client/VST3/juce_VST3_Wrapper.cpp
allocator::allocate(size_t n) 'n' exceeds maximum supported size
/Users/jackfruit2/SDKs/JUCE/modules/juce_audio_plugin_client/utility/juce_CreatePluginFilter.h
*** Leaked objects detected:
instance(s) of class
/Users/jackfruit2/SDKs/JUCE/modules/juce_core/memory/juce_LeakedObjectDetector.h

Attached Artefact

Attached is my output with examples of my home directory being exposed :
Helloworld2.txt

[jackfruit2]

Hi @McMartin,

I finally figured this one out. JUCE uses RTTI so user classes potentially leak the both mangled class and function names in the binary. I used the COMPILER_FLAGS_FOR_ compiler scheme to declare the -fno-rtti flag for compilation units that don't use dynamic_casts, typeid or throw exceptions.

I was wondering if this strategy is safe to do in FRUT/JUCE?