1 //===-- asan_test.cc ------------------------------------------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // 12 //===----------------------------------------------------------------------===// 13 #include "asan_test_utils.h" 14 15 #include <errno.h> 16 #include <stdarg.h> 17 18 #ifdef _LIBCPP_GET_C_LOCALE 19 #define SANITIZER_GET_C_LOCALE _LIBCPP_GET_C_LOCALE 20 #else 21 #if defined(__FreeBSD__) 22 #define SANITIZER_GET_C_LOCALE 0 23 #elif defined(__NetBSD__) 24 #define SANITIZER_GET_C_LOCALE LC_C_LOCALE 25 #endif 26 #endif 27 28 #if defined(__sun__) && defined(__svr4__) 29 using std::_setjmp; 30 using std::_longjmp; 31 #endif 32 33 NOINLINE void *malloc_fff(size_t size) { 34 void *res = malloc/**/(size); break_optimization(0); return res;} 35 NOINLINE void *malloc_eee(size_t size) { 36 void *res = malloc_fff(size); break_optimization(0); return res;} 37 NOINLINE void *malloc_ddd(size_t size) { 38 void *res = malloc_eee(size); break_optimization(0); return res;} 39 NOINLINE void *malloc_ccc(size_t size) { 40 void *res = malloc_ddd(size); break_optimization(0); return res;} 41 NOINLINE void *malloc_bbb(size_t size) { 42 void *res = malloc_ccc(size); break_optimization(0); return res;} 43 NOINLINE void *malloc_aaa(size_t size) { 44 void *res = malloc_bbb(size); break_optimization(0); return res;} 45 46 NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 47 NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 48 NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 49 50 template<typename T> 51 NOINLINE void uaf_test(int size, int off) { 52 void *p = malloc_aaa(size); 53 free_aaa(p); 54 for (int i = 1; i < 100; i++) 55 free_aaa(malloc_aaa(i)); 56 fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 57 (long)sizeof(T), p, off); 58 asan_write((T *)((char *)p + off)); 59 } 60 61 TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 62 #if defined(__has_feature) && __has_feature(address_sanitizer) 63 bool asan = 1; 64 #elif defined(__SANITIZE_ADDRESS__) 65 bool asan = 1; 66 #else 67 bool asan = 0; 68 #endif 69 EXPECT_EQ(true, asan); 70 } 71 72 TEST(AddressSanitizer, SimpleDeathTest) { 73 EXPECT_DEATH(exit(1), ""); 74 } 75 76 TEST(AddressSanitizer, VariousMallocsTest) { 77 int *a = (int*)malloc(100 * sizeof(int)); 78 a[50] = 0; 79 free(a); 80 81 int *r = (int*)malloc(10); 82 r = (int*)realloc(r, 2000 * sizeof(int)); 83 r[1000] = 0; 84 free(r); 85 86 int *b = new int[100]; 87 b[50] = 0; 88 delete [] b; 89 90 int *c = new int; 91 *c = 0; 92 delete c; 93 94 #if SANITIZER_TEST_HAS_POSIX_MEMALIGN 95 void *pm = 0; 96 // Valid allocation. 97 int pm_res = posix_memalign(&pm, kPageSize, kPageSize); 98 EXPECT_EQ(0, pm_res); 99 EXPECT_NE(nullptr, pm); 100 free(pm); 101 #endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 102 103 #if SANITIZER_TEST_HAS_MEMALIGN 104 int *ma = (int*)memalign(kPageSize, kPageSize); 105 EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 106 ma[123] = 0; 107 free(ma); 108 #endif // SANITIZER_TEST_HAS_MEMALIGN 109 } 110 111 TEST(AddressSanitizer, CallocTest) { 112 int *a = (int*)calloc(100, sizeof(int)); 113 EXPECT_EQ(0, a[10]); 114 free(a); 115 } 116 117 TEST(AddressSanitizer, CallocReturnsZeroMem) { 118 size_t sizes[] = {16, 1000, 10000, 100000, 2100000}; 119 for (size_t s = 0; s < sizeof(sizes)/sizeof(sizes[0]); s++) { 120 size_t size = sizes[s]; 121 for (size_t iter = 0; iter < 5; iter++) { 122 char *x = Ident((char*)calloc(1, size)); 123 EXPECT_EQ(x[0], 0); 124 EXPECT_EQ(x[size - 1], 0); 125 EXPECT_EQ(x[size / 2], 0); 126 EXPECT_EQ(x[size / 3], 0); 127 EXPECT_EQ(x[size / 4], 0); 128 memset(x, 0x42, size); 129 free(Ident(x)); 130 #if !defined(_WIN32) 131 // FIXME: OOM on Windows. We should just make this a lit test 132 // with quarantine size set to 1. 133 free(Ident(malloc(Ident(1 << 27)))); // Try to drain the quarantine. 134 #endif 135 } 136 } 137 } 138 139 // No valloc on Windows or Android. 140 #if !defined(_WIN32) && !defined(__ANDROID__) 141 TEST(AddressSanitizer, VallocTest) { 142 void *a = valloc(100); 143 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 144 free(a); 145 } 146 #endif 147 148 #if SANITIZER_TEST_HAS_PVALLOC 149 TEST(AddressSanitizer, PvallocTest) { 150 char *a = (char*)pvalloc(kPageSize + 100); 151 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 152 a[kPageSize + 101] = 1; // we should not report an error here. 153 free(a); 154 155 a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 156 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 157 a[101] = 1; // we should not report an error here. 158 free(a); 159 } 160 #endif // SANITIZER_TEST_HAS_PVALLOC 161 162 #if !defined(_WIN32) 163 // FIXME: Use an equivalent of pthread_setspecific on Windows. 164 void *TSDWorker(void *test_key) { 165 if (test_key) { 166 pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 167 } 168 return NULL; 169 } 170 171 void TSDDestructor(void *tsd) { 172 // Spawning a thread will check that the current thread id is not -1. 173 pthread_t th; 174 PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 175 PTHREAD_JOIN(th, NULL); 176 } 177 178 // This tests triggers the thread-specific data destruction fiasco which occurs 179 // if we don't manage the TSD destructors ourselves. We create a new pthread 180 // key with a non-NULL destructor which is likely to be put after the destructor 181 // of AsanThread in the list of destructors. 182 // In this case the TSD for AsanThread will be destroyed before TSDDestructor 183 // is called for the child thread, and a CHECK will fail when we call 184 // pthread_create() to spawn the grandchild. 185 TEST(AddressSanitizer, DISABLED_TSDTest) { 186 pthread_t th; 187 pthread_key_t test_key; 188 pthread_key_create(&test_key, TSDDestructor); 189 PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 190 PTHREAD_JOIN(th, NULL); 191 pthread_key_delete(test_key); 192 } 193 #endif 194 195 TEST(AddressSanitizer, UAF_char) { 196 const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 197 EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 198 EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 199 EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 200 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 201 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 202 } 203 204 TEST(AddressSanitizer, UAF_long_double) { 205 if (sizeof(long double) == sizeof(double)) return; 206 long double *p = Ident(new long double[10]); 207 EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 1[026]"); 208 EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 1[026]"); 209 delete [] Ident(p); 210 } 211 212 #if !defined(_WIN32) 213 struct Packed5 { 214 int x; 215 char c; 216 } __attribute__((packed)); 217 #else 218 # pragma pack(push, 1) 219 struct Packed5 { 220 int x; 221 char c; 222 }; 223 # pragma pack(pop) 224 #endif 225 226 TEST(AddressSanitizer, UAF_Packed5) { 227 static_assert(sizeof(Packed5) == 5, "Please check the keywords used"); 228 Packed5 *p = Ident(new Packed5[2]); 229 EXPECT_DEATH(p[0] = p[3], "READ of size 5"); 230 EXPECT_DEATH(p[3] = p[0], "WRITE of size 5"); 231 delete [] Ident(p); 232 } 233 234 #if ASAN_HAS_BLACKLIST 235 TEST(AddressSanitizer, IgnoreTest) { 236 int *x = Ident(new int); 237 delete Ident(x); 238 *x = 0; 239 } 240 #endif // ASAN_HAS_BLACKLIST 241 242 struct StructWithBitField { 243 int bf1:1; 244 int bf2:1; 245 int bf3:1; 246 int bf4:29; 247 }; 248 249 TEST(AddressSanitizer, BitFieldPositiveTest) { 250 StructWithBitField *x = new StructWithBitField; 251 delete Ident(x); 252 EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 253 EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 254 EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 255 EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 256 } 257 258 struct StructWithBitFields_8_24 { 259 int a:8; 260 int b:24; 261 }; 262 263 TEST(AddressSanitizer, BitFieldNegativeTest) { 264 StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 265 x->a = 0; 266 x->b = 0; 267 delete Ident(x); 268 } 269 270 #if ASAN_NEEDS_SEGV 271 namespace { 272 273 const char kSEGVCrash[] = "AddressSanitizer: SEGV on unknown address"; 274 const char kOverriddenSigactionHandler[] = "Test sigaction handler\n"; 275 const char kOverriddenSignalHandler[] = "Test signal handler\n"; 276 277 TEST(AddressSanitizer, WildAddressTest) { 278 char *c = (char*)0x123; 279 EXPECT_DEATH(*c = 0, kSEGVCrash); 280 } 281 282 void my_sigaction_sighandler(int, siginfo_t*, void*) { 283 fprintf(stderr, kOverriddenSigactionHandler); 284 exit(1); 285 } 286 287 void my_signal_sighandler(int signum) { 288 fprintf(stderr, kOverriddenSignalHandler); 289 exit(1); 290 } 291 292 TEST(AddressSanitizer, SignalTest) { 293 struct sigaction sigact; 294 memset(&sigact, 0, sizeof(sigact)); 295 sigact.sa_sigaction = my_sigaction_sighandler; 296 sigact.sa_flags = SA_SIGINFO; 297 char *c = (char *)0x123; 298 299 EXPECT_DEATH(*c = 0, kSEGVCrash); 300 301 // ASan should allow to set sigaction()... 302 EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 303 #ifdef __APPLE__ 304 EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 305 #endif 306 EXPECT_DEATH(*c = 0, kOverriddenSigactionHandler); 307 308 // ... and signal(). 309 EXPECT_NE(SIG_ERR, signal(SIGSEGV, my_signal_sighandler)); 310 EXPECT_DEATH(*c = 0, kOverriddenSignalHandler); 311 } 312 } // namespace 313 #endif 314 315 static void TestLargeMalloc(size_t size) { 316 char buff[1024]; 317 sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 318 EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 319 } 320 321 TEST(AddressSanitizer, LargeMallocTest) { 322 const int max_size = (SANITIZER_WORDSIZE == 32) ? 1 << 26 : 1 << 28; 323 for (int i = 113; i < max_size; i = i * 2 + 13) { 324 TestLargeMalloc(i); 325 } 326 } 327 328 #if !GTEST_USES_SIMPLE_RE 329 TEST(AddressSanitizer, HugeMallocTest) { 330 if (SANITIZER_WORDSIZE != 64 || ASAN_AVOID_EXPENSIVE_TESTS) return; 331 size_t n_megs = 4100; 332 EXPECT_DEATH(Ident((char*)malloc(n_megs << 20))[-1] = 0, 333 "is located 1 bytes to the left|" 334 "AddressSanitizer failed to allocate"); 335 } 336 #endif 337 338 #if SANITIZER_TEST_HAS_MEMALIGN 339 void MemalignRun(size_t align, size_t size, int idx) { 340 char *p = (char *)memalign(align, size); 341 Ident(p)[idx] = 0; 342 free(p); 343 } 344 345 TEST(AddressSanitizer, memalign) { 346 for (int align = 16; align <= (1 << 23); align *= 2) { 347 size_t size = align * 5; 348 EXPECT_DEATH(MemalignRun(align, size, -1), 349 "is located 1 bytes to the left"); 350 EXPECT_DEATH(MemalignRun(align, size, size + 1), 351 "is located 1 bytes to the right"); 352 } 353 } 354 #endif // SANITIZER_TEST_HAS_MEMALIGN 355 356 void *ManyThreadsWorker(void *a) { 357 for (int iter = 0; iter < 100; iter++) { 358 for (size_t size = 100; size < 2000; size *= 2) { 359 free(Ident(malloc(size))); 360 } 361 } 362 return 0; 363 } 364 365 #if !defined(__aarch64__) && !defined(__powerpc64__) 366 // FIXME: Infinite loop in AArch64 (PR24389). 367 // FIXME: Also occasional hang on powerpc. Maybe same problem as on AArch64? 368 TEST(AddressSanitizer, ManyThreadsTest) { 369 const size_t kNumThreads = 370 (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 371 pthread_t t[kNumThreads]; 372 for (size_t i = 0; i < kNumThreads; i++) { 373 PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 374 } 375 for (size_t i = 0; i < kNumThreads; i++) { 376 PTHREAD_JOIN(t[i], 0); 377 } 378 } 379 #endif 380 381 TEST(AddressSanitizer, ReallocTest) { 382 const int kMinElem = 5; 383 int *ptr = (int*)malloc(sizeof(int) * kMinElem); 384 ptr[3] = 3; 385 for (int i = 0; i < 10000; i++) { 386 ptr = (int*)realloc(ptr, 387 (my_rand() % 1000 + kMinElem) * sizeof(int)); 388 EXPECT_EQ(3, ptr[3]); 389 } 390 free(ptr); 391 // Realloc pointer returned by malloc(0). 392 int *ptr2 = Ident((int*)malloc(0)); 393 ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2))); 394 *ptr2 = 42; 395 EXPECT_EQ(42, *ptr2); 396 free(ptr2); 397 } 398 399 TEST(AddressSanitizer, ReallocFreedPointerTest) { 400 void *ptr = Ident(malloc(42)); 401 ASSERT_TRUE(NULL != ptr); 402 free(ptr); 403 EXPECT_DEATH(ptr = realloc(ptr, 77), "attempting double-free"); 404 } 405 406 TEST(AddressSanitizer, ReallocInvalidPointerTest) { 407 void *ptr = Ident(malloc(42)); 408 EXPECT_DEATH(ptr = realloc((int*)ptr + 1, 77), "attempting free.*not malloc"); 409 free(ptr); 410 } 411 412 TEST(AddressSanitizer, ZeroSizeMallocTest) { 413 // Test that malloc(0) and similar functions don't return NULL. 414 void *ptr = Ident(malloc(0)); 415 EXPECT_TRUE(NULL != ptr); 416 free(ptr); 417 #if SANITIZER_TEST_HAS_POSIX_MEMALIGN 418 int pm_res = posix_memalign(&ptr, 1<<20, 0); 419 EXPECT_EQ(0, pm_res); 420 EXPECT_TRUE(NULL != ptr); 421 free(ptr); 422 #endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 423 int *int_ptr = new int[0]; 424 int *int_ptr2 = new int[0]; 425 EXPECT_TRUE(NULL != int_ptr); 426 EXPECT_TRUE(NULL != int_ptr2); 427 EXPECT_NE(int_ptr, int_ptr2); 428 delete[] int_ptr; 429 delete[] int_ptr2; 430 } 431 432 #if SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 433 static const char *kMallocUsableSizeErrorMsg = 434 "AddressSanitizer: attempting to call malloc_usable_size()"; 435 436 TEST(AddressSanitizer, MallocUsableSizeTest) { 437 const size_t kArraySize = 100; 438 char *array = Ident((char*)malloc(kArraySize)); 439 int *int_ptr = Ident(new int); 440 EXPECT_EQ(0U, malloc_usable_size(NULL)); 441 EXPECT_EQ(kArraySize, malloc_usable_size(array)); 442 EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 443 EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 444 EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 445 kMallocUsableSizeErrorMsg); 446 free(array); 447 EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 448 delete int_ptr; 449 } 450 #endif // SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 451 452 void WrongFree() { 453 int *x = (int*)malloc(100 * sizeof(int)); 454 // Use the allocated memory, otherwise Clang will optimize it out. 455 Ident(x); 456 free(x + 1); 457 } 458 459 #if !defined(_WIN32) // FIXME: This should be a lit test. 460 TEST(AddressSanitizer, WrongFreeTest) { 461 EXPECT_DEATH(WrongFree(), ASAN_PCRE_DOTALL 462 "ERROR: AddressSanitizer: attempting free.*not malloc" 463 ".*is located 4 bytes inside of 400-byte region" 464 ".*allocated by thread"); 465 } 466 #endif 467 468 void DoubleFree() { 469 int *x = (int*)malloc(100 * sizeof(int)); 470 fprintf(stderr, "DoubleFree: x=%p\n", (void *)x); 471 free(x); 472 free(x); 473 fprintf(stderr, "should have failed in the second free(%p)\n", (void *)x); 474 abort(); 475 } 476 477 #if !defined(_WIN32) // FIXME: This should be a lit test. 478 TEST(AddressSanitizer, DoubleFreeTest) { 479 EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 480 "ERROR: AddressSanitizer: attempting double-free" 481 ".*is located 0 bytes inside of 400-byte region" 482 ".*freed by thread T0 here" 483 ".*previously allocated by thread T0 here"); 484 } 485 #endif 486 487 template<int kSize> 488 NOINLINE void SizedStackTest() { 489 char a[kSize]; 490 char *A = Ident((char*)&a); 491 const char *expected_death = "AddressSanitizer: stack-buffer-"; 492 for (size_t i = 0; i < kSize; i++) 493 A[i] = i; 494 EXPECT_DEATH(A[-1] = 0, expected_death); 495 EXPECT_DEATH(A[-5] = 0, expected_death); 496 EXPECT_DEATH(A[kSize] = 0, expected_death); 497 EXPECT_DEATH(A[kSize + 1] = 0, expected_death); 498 EXPECT_DEATH(A[kSize + 5] = 0, expected_death); 499 if (kSize > 16) 500 EXPECT_DEATH(A[kSize + 31] = 0, expected_death); 501 } 502 503 TEST(AddressSanitizer, SimpleStackTest) { 504 SizedStackTest<1>(); 505 SizedStackTest<2>(); 506 SizedStackTest<3>(); 507 SizedStackTest<4>(); 508 SizedStackTest<5>(); 509 SizedStackTest<6>(); 510 SizedStackTest<7>(); 511 SizedStackTest<16>(); 512 SizedStackTest<25>(); 513 SizedStackTest<34>(); 514 SizedStackTest<43>(); 515 SizedStackTest<51>(); 516 SizedStackTest<62>(); 517 SizedStackTest<64>(); 518 SizedStackTest<128>(); 519 } 520 521 #if !defined(_WIN32) 522 // FIXME: It's a bit hard to write multi-line death test expectations 523 // in a portable way. Anyways, this should just be turned into a lit test. 524 TEST(AddressSanitizer, ManyStackObjectsTest) { 525 char XXX[10]; 526 char YYY[20]; 527 char ZZZ[30]; 528 Ident(XXX); 529 Ident(YYY); 530 EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 531 } 532 #endif 533 534 #if 0 // This test requires online symbolizer. 535 // Moved to lit_tests/stack-oob-frames.cc. 536 // Reenable here once we have online symbolizer by default. 537 NOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 538 char d[4] = {0}; 539 char *D = Ident(d); 540 switch (frame) { 541 case 3: a[5]++; break; 542 case 2: b[5]++; break; 543 case 1: c[5]++; break; 544 case 0: D[5]++; break; 545 } 546 } 547 NOINLINE static void Frame1(int frame, char *a, char *b) { 548 char c[4] = {0}; Frame0(frame, a, b, c); 549 break_optimization(0); 550 } 551 NOINLINE static void Frame2(int frame, char *a) { 552 char b[4] = {0}; Frame1(frame, a, b); 553 break_optimization(0); 554 } 555 NOINLINE static void Frame3(int frame) { 556 char a[4] = {0}; Frame2(frame, a); 557 break_optimization(0); 558 } 559 560 TEST(AddressSanitizer, GuiltyStackFrame0Test) { 561 EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 562 } 563 TEST(AddressSanitizer, GuiltyStackFrame1Test) { 564 EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 565 } 566 TEST(AddressSanitizer, GuiltyStackFrame2Test) { 567 EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 568 } 569 TEST(AddressSanitizer, GuiltyStackFrame3Test) { 570 EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 571 } 572 #endif 573 574 NOINLINE void LongJmpFunc1(jmp_buf buf) { 575 // create three red zones for these two stack objects. 576 int a; 577 int b; 578 579 int *A = Ident(&a); 580 int *B = Ident(&b); 581 *A = *B; 582 longjmp(buf, 1); 583 } 584 585 NOINLINE void TouchStackFunc() { 586 int a[100]; // long array will intersect with redzones from LongJmpFunc1. 587 int *A = Ident(a); 588 for (int i = 0; i < 100; i++) 589 A[i] = i*i; 590 } 591 592 // Test that we handle longjmp and do not report false positives on stack. 593 TEST(AddressSanitizer, LongJmpTest) { 594 static jmp_buf buf; 595 if (!setjmp(buf)) { 596 LongJmpFunc1(buf); 597 } else { 598 TouchStackFunc(); 599 } 600 } 601 602 #if !defined(_WIN32) // Only basic longjmp is available on Windows. 603 NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 604 // create three red zones for these two stack objects. 605 int a; 606 int b; 607 608 int *A = Ident(&a); 609 int *B = Ident(&b); 610 *A = *B; 611 _longjmp(buf, 1); 612 } 613 614 NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 615 // create three red zones for these two stack objects. 616 int a; 617 int b; 618 619 int *A = Ident(&a); 620 int *B = Ident(&b); 621 *A = *B; 622 siglongjmp(buf, 1); 623 } 624 625 #if !defined(__ANDROID__) && !defined(__arm__) && \ 626 !defined(__aarch64__) && !defined(__mips__) && \ 627 !defined(__mips64) && !defined(__s390__) 628 NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 629 // create three red zones for these two stack objects. 630 int a; 631 int b; 632 633 int *A = Ident(&a); 634 int *B = Ident(&b); 635 *A = *B; 636 __builtin_longjmp((void**)buf, 1); 637 } 638 639 // Does not work on ARM: 640 // https://github.com/google/sanitizers/issues/185 641 TEST(AddressSanitizer, BuiltinLongJmpTest) { 642 static jmp_buf buf; 643 if (!__builtin_setjmp((void**)buf)) { 644 BuiltinLongJmpFunc1(buf); 645 } else { 646 TouchStackFunc(); 647 } 648 } 649 #endif // !defined(__ANDROID__) && !defined(__arm__) && 650 // !defined(__aarch64__) && !defined(__mips__) 651 // !defined(__mips64) && !defined(__s390__) 652 653 TEST(AddressSanitizer, UnderscopeLongJmpTest) { 654 static jmp_buf buf; 655 if (!_setjmp(buf)) { 656 UnderscopeLongJmpFunc1(buf); 657 } else { 658 TouchStackFunc(); 659 } 660 } 661 662 TEST(AddressSanitizer, SigLongJmpTest) { 663 static sigjmp_buf buf; 664 if (!sigsetjmp(buf, 1)) { 665 SigLongJmpFunc1(buf); 666 } else { 667 TouchStackFunc(); 668 } 669 } 670 #endif 671 672 // FIXME: Why does clang-cl define __EXCEPTIONS? 673 #if defined(__EXCEPTIONS) && !defined(_WIN32) 674 NOINLINE void ThrowFunc() { 675 // create three red zones for these two stack objects. 676 int a; 677 int b; 678 679 int *A = Ident(&a); 680 int *B = Ident(&b); 681 *A = *B; 682 ASAN_THROW(1); 683 } 684 685 TEST(AddressSanitizer, CxxExceptionTest) { 686 if (ASAN_UAR) return; 687 // TODO(kcc): this test crashes on 32-bit for some reason... 688 if (SANITIZER_WORDSIZE == 32) return; 689 try { 690 ThrowFunc(); 691 } catch(...) {} 692 TouchStackFunc(); 693 } 694 #endif 695 696 void *ThreadStackReuseFunc1(void *unused) { 697 // create three red zones for these two stack objects. 698 int a; 699 int b; 700 701 int *A = Ident(&a); 702 int *B = Ident(&b); 703 *A = *B; 704 pthread_exit(0); 705 return 0; 706 } 707 708 void *ThreadStackReuseFunc2(void *unused) { 709 TouchStackFunc(); 710 return 0; 711 } 712 713 #if !defined(__thumb__) 714 TEST(AddressSanitizer, ThreadStackReuseTest) { 715 pthread_t t; 716 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 717 PTHREAD_JOIN(t, 0); 718 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 719 PTHREAD_JOIN(t, 0); 720 } 721 #endif 722 723 #if defined(__SSE2__) 724 #include <emmintrin.h> 725 TEST(AddressSanitizer, Store128Test) { 726 char *a = Ident((char*)malloc(Ident(12))); 727 char *p = a; 728 if (((uintptr_t)a % 16) != 0) 729 p = a + 8; 730 assert(((uintptr_t)p % 16) == 0); 731 __m128i value_wide = _mm_set1_epi16(0x1234); 732 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 733 "AddressSanitizer: heap-buffer-overflow"); 734 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 735 "WRITE of size 16"); 736 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 737 "located 0 bytes to the right of 12-byte"); 738 free(a); 739 } 740 #endif 741 742 // FIXME: All tests that use this function should be turned into lit tests. 743 string RightOOBErrorMessage(int oob_distance, bool is_write) { 744 assert(oob_distance >= 0); 745 char expected_str[100]; 746 sprintf(expected_str, ASAN_PCRE_DOTALL 747 #if !GTEST_USES_SIMPLE_RE 748 "buffer-overflow.*%s.*" 749 #endif 750 "located %d bytes to the right", 751 #if !GTEST_USES_SIMPLE_RE 752 is_write ? "WRITE" : "READ", 753 #endif 754 oob_distance); 755 return string(expected_str); 756 } 757 758 string RightOOBWriteMessage(int oob_distance) { 759 return RightOOBErrorMessage(oob_distance, /*is_write*/true); 760 } 761 762 string RightOOBReadMessage(int oob_distance) { 763 return RightOOBErrorMessage(oob_distance, /*is_write*/false); 764 } 765 766 // FIXME: All tests that use this function should be turned into lit tests. 767 string LeftOOBErrorMessage(int oob_distance, bool is_write) { 768 assert(oob_distance > 0); 769 char expected_str[100]; 770 sprintf(expected_str, 771 #if !GTEST_USES_SIMPLE_RE 772 ASAN_PCRE_DOTALL "%s.*" 773 #endif 774 "located %d bytes to the left", 775 #if !GTEST_USES_SIMPLE_RE 776 is_write ? "WRITE" : "READ", 777 #endif 778 oob_distance); 779 return string(expected_str); 780 } 781 782 string LeftOOBWriteMessage(int oob_distance) { 783 return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 784 } 785 786 string LeftOOBReadMessage(int oob_distance) { 787 return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 788 } 789 790 string LeftOOBAccessMessage(int oob_distance) { 791 assert(oob_distance > 0); 792 char expected_str[100]; 793 sprintf(expected_str, "located %d bytes to the left", oob_distance); 794 return string(expected_str); 795 } 796 797 char* MallocAndMemsetString(size_t size, char ch) { 798 char *s = Ident((char*)malloc(size)); 799 memset(s, ch, size); 800 return s; 801 } 802 803 char* MallocAndMemsetString(size_t size) { 804 return MallocAndMemsetString(size, 'z'); 805 } 806 807 #if defined(__linux__) && !defined(__ANDROID__) 808 #define READ_TEST(READ_N_BYTES) \ 809 char *x = new char[10]; \ 810 int fd = open("/proc/self/stat", O_RDONLY); \ 811 ASSERT_GT(fd, 0); \ 812 EXPECT_DEATH(READ_N_BYTES, \ 813 ASAN_PCRE_DOTALL \ 814 "AddressSanitizer: heap-buffer-overflow" \ 815 ".* is located 0 bytes to the right of 10-byte region"); \ 816 close(fd); \ 817 delete [] x; \ 818 819 TEST(AddressSanitizer, pread) { 820 READ_TEST(pread(fd, x, 15, 0)); 821 } 822 823 TEST(AddressSanitizer, pread64) { 824 READ_TEST(pread64(fd, x, 15, 0)); 825 } 826 827 TEST(AddressSanitizer, read) { 828 READ_TEST(read(fd, x, 15)); 829 } 830 #endif // defined(__linux__) && !defined(__ANDROID__) 831 832 // This test case fails 833 // Clang optimizes memcpy/memset calls which lead to unaligned access 834 TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 835 int size = Ident(4096); 836 char *s = Ident((char*)malloc(size)); 837 EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 838 free(s); 839 } 840 841 NOINLINE static int LargeFunction(bool do_bad_access) { 842 int *x = new int[100]; 843 x[0]++; 844 x[1]++; 845 x[2]++; 846 x[3]++; 847 x[4]++; 848 x[5]++; 849 x[6]++; 850 x[7]++; 851 x[8]++; 852 x[9]++; 853 854 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 855 856 x[10]++; 857 x[11]++; 858 x[12]++; 859 x[13]++; 860 x[14]++; 861 x[15]++; 862 x[16]++; 863 x[17]++; 864 x[18]++; 865 x[19]++; 866 867 delete[] x; 868 return res; 869 } 870 871 // Test the we have correct debug info for the failing instruction. 872 // This test requires the in-process symbolizer to be enabled by default. 873 TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 874 int failing_line = LargeFunction(false); 875 char expected_warning[128]; 876 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 877 EXPECT_DEATH(LargeFunction(true), expected_warning); 878 } 879 880 // Check that we unwind and symbolize correctly. 881 TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 882 int *a = (int*)malloc_aaa(sizeof(int)); 883 *a = 1; 884 free_aaa(a); 885 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 886 "malloc_fff.*malloc_eee.*malloc_ddd"); 887 } 888 889 static bool TryToSetThreadName(const char *name) { 890 #if defined(__linux__) && defined(PR_SET_NAME) 891 return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 892 #else 893 return false; 894 #endif 895 } 896 897 void *ThreadedTestAlloc(void *a) { 898 EXPECT_EQ(true, TryToSetThreadName("AllocThr")); 899 int **p = (int**)a; 900 *p = new int; 901 return 0; 902 } 903 904 void *ThreadedTestFree(void *a) { 905 EXPECT_EQ(true, TryToSetThreadName("FreeThr")); 906 int **p = (int**)a; 907 delete *p; 908 return 0; 909 } 910 911 void *ThreadedTestUse(void *a) { 912 EXPECT_EQ(true, TryToSetThreadName("UseThr")); 913 int **p = (int**)a; 914 **p = 1; 915 return 0; 916 } 917 918 void ThreadedTestSpawn() { 919 pthread_t t; 920 int *x; 921 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 922 PTHREAD_JOIN(t, 0); 923 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 924 PTHREAD_JOIN(t, 0); 925 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 926 PTHREAD_JOIN(t, 0); 927 } 928 929 #if !defined(_WIN32) // FIXME: This should be a lit test. 930 TEST(AddressSanitizer, ThreadedTest) { 931 EXPECT_DEATH(ThreadedTestSpawn(), 932 ASAN_PCRE_DOTALL 933 "Thread T.*created" 934 ".*Thread T.*created" 935 ".*Thread T.*created"); 936 } 937 #endif 938 939 void *ThreadedTestFunc(void *unused) { 940 // Check if prctl(PR_SET_NAME) is supported. Return if not. 941 if (!TryToSetThreadName("TestFunc")) 942 return 0; 943 EXPECT_DEATH(ThreadedTestSpawn(), 944 ASAN_PCRE_DOTALL 945 "WRITE .*thread T. .UseThr." 946 ".*freed by thread T. .FreeThr. here:" 947 ".*previously allocated by thread T. .AllocThr. here:" 948 ".*Thread T. .UseThr. created by T.*TestFunc" 949 ".*Thread T. .FreeThr. created by T" 950 ".*Thread T. .AllocThr. created by T" 951 ""); 952 return 0; 953 } 954 955 TEST(AddressSanitizer, ThreadNamesTest) { 956 // Run ThreadedTestFunc in a separate thread because it tries to set a 957 // thread name and we don't want to change the main thread's name. 958 pthread_t t; 959 PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0); 960 PTHREAD_JOIN(t, 0); 961 } 962 963 #if ASAN_NEEDS_SEGV 964 TEST(AddressSanitizer, ShadowGapTest) { 965 #if SANITIZER_WORDSIZE == 32 966 char *addr = (char*)0x23000000; 967 #else 968 # if defined(__powerpc64__) 969 char *addr = (char*)0x024000800000; 970 # elif defined(__s390x__) 971 char *addr = (char*)0x11000000000000; 972 # else 973 char *addr = (char*)0x0000100000080000; 974 # endif 975 #endif 976 EXPECT_DEATH(*addr = 1, "AddressSanitizer: (SEGV|BUS) on unknown"); 977 } 978 #endif // ASAN_NEEDS_SEGV 979 980 extern "C" { 981 NOINLINE static void UseThenFreeThenUse() { 982 char *x = Ident((char*)malloc(8)); 983 *x = 1; 984 free_aaa(x); 985 *x = 2; 986 } 987 } 988 989 TEST(AddressSanitizer, UseThenFreeThenUseTest) { 990 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 991 } 992 993 TEST(AddressSanitizer, StrDupTest) { 994 free(strdup(Ident("123"))); 995 } 996 997 // Currently we create and poison redzone at right of global variables. 998 static char static110[110]; 999 const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 1000 static const char StaticConstGlob[3] = {9, 8, 7}; 1001 1002 TEST(AddressSanitizer, GlobalTest) { 1003 static char func_static15[15]; 1004 1005 static char fs1[10]; 1006 static char fs2[10]; 1007 static char fs3[10]; 1008 1009 glob5[Ident(0)] = 0; 1010 glob5[Ident(1)] = 0; 1011 glob5[Ident(2)] = 0; 1012 glob5[Ident(3)] = 0; 1013 glob5[Ident(4)] = 0; 1014 1015 EXPECT_DEATH(glob5[Ident(5)] = 0, 1016 "0 bytes to the right of global variable.*glob5.* size 5"); 1017 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 1018 "6 bytes to the right of global variable.*glob5.* size 5"); 1019 Ident(static110); // avoid optimizations 1020 static110[Ident(0)] = 0; 1021 static110[Ident(109)] = 0; 1022 EXPECT_DEATH(static110[Ident(110)] = 0, 1023 "0 bytes to the right of global variable"); 1024 EXPECT_DEATH(static110[Ident(110+7)] = 0, 1025 "7 bytes to the right of global variable"); 1026 1027 Ident(func_static15); // avoid optimizations 1028 func_static15[Ident(0)] = 0; 1029 EXPECT_DEATH(func_static15[Ident(15)] = 0, 1030 "0 bytes to the right of global variable"); 1031 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 1032 "9 bytes to the right of global variable"); 1033 1034 Ident(fs1); 1035 Ident(fs2); 1036 Ident(fs3); 1037 1038 // We don't create left redzones, so this is not 100% guaranteed to fail. 1039 // But most likely will. 1040 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 1041 1042 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 1043 "is located 1 bytes to the right of .*ConstGlob"); 1044 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 1045 "is located 2 bytes to the right of .*StaticConstGlob"); 1046 1047 // call stuff from another file. 1048 GlobalsTest(0); 1049 } 1050 1051 TEST(AddressSanitizer, GlobalStringConstTest) { 1052 static const char *zoo = "FOOBAR123"; 1053 const char *p = Ident(zoo); 1054 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 1055 } 1056 1057 TEST(AddressSanitizer, FileNameInGlobalReportTest) { 1058 static char zoo[10]; 1059 const char *p = Ident(zoo); 1060 // The file name should be present in the report. 1061 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 1062 } 1063 1064 int *ReturnsPointerToALocalObject() { 1065 int a = 0; 1066 return Ident(&a); 1067 } 1068 1069 #if ASAN_UAR == 1 1070 TEST(AddressSanitizer, LocalReferenceReturnTest) { 1071 int *(*f)() = Ident(ReturnsPointerToALocalObject); 1072 int *p = f(); 1073 // Call 'f' a few more times, 'p' should still be poisoned. 1074 for (int i = 0; i < 32; i++) 1075 f(); 1076 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 1077 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 1078 } 1079 #endif 1080 1081 template <int kSize> 1082 NOINLINE static void FuncWithStack() { 1083 char x[kSize]; 1084 Ident(x)[0] = 0; 1085 Ident(x)[kSize-1] = 0; 1086 } 1087 1088 static void LotsOfStackReuse() { 1089 int LargeStack[10000]; 1090 Ident(LargeStack)[0] = 0; 1091 for (int i = 0; i < 10000; i++) { 1092 FuncWithStack<128 * 1>(); 1093 FuncWithStack<128 * 2>(); 1094 FuncWithStack<128 * 4>(); 1095 FuncWithStack<128 * 8>(); 1096 FuncWithStack<128 * 16>(); 1097 FuncWithStack<128 * 32>(); 1098 FuncWithStack<128 * 64>(); 1099 FuncWithStack<128 * 128>(); 1100 FuncWithStack<128 * 256>(); 1101 FuncWithStack<128 * 512>(); 1102 Ident(LargeStack)[0] = 0; 1103 } 1104 } 1105 1106 TEST(AddressSanitizer, StressStackReuseTest) { 1107 LotsOfStackReuse(); 1108 } 1109 1110 TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1111 const int kNumThreads = 20; 1112 pthread_t t[kNumThreads]; 1113 for (int i = 0; i < kNumThreads; i++) { 1114 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1115 } 1116 for (int i = 0; i < kNumThreads; i++) { 1117 PTHREAD_JOIN(t[i], 0); 1118 } 1119 } 1120 1121 // pthread_exit tries to perform unwinding stuff that leads to dlopen'ing 1122 // libgcc_s.so. dlopen in its turn calls malloc to store "libgcc_s.so" string 1123 // that confuses LSan on Thumb because it fails to understand that this 1124 // allocation happens in dynamic linker and should be ignored. 1125 #if !defined(__thumb__) 1126 static void *PthreadExit(void *a) { 1127 pthread_exit(0); 1128 return 0; 1129 } 1130 1131 TEST(AddressSanitizer, PthreadExitTest) { 1132 pthread_t t; 1133 for (int i = 0; i < 1000; i++) { 1134 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1135 PTHREAD_JOIN(t, 0); 1136 } 1137 } 1138 #endif 1139 1140 // FIXME: Why does clang-cl define __EXCEPTIONS? 1141 #if defined(__EXCEPTIONS) && !defined(_WIN32) 1142 NOINLINE static void StackReuseAndException() { 1143 int large_stack[1000]; 1144 Ident(large_stack); 1145 ASAN_THROW(1); 1146 } 1147 1148 // TODO(kcc): support exceptions with use-after-return. 1149 TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1150 for (int i = 0; i < 10000; i++) { 1151 try { 1152 StackReuseAndException(); 1153 } catch(...) { 1154 } 1155 } 1156 } 1157 #endif 1158 1159 #if !defined(_WIN32) 1160 TEST(AddressSanitizer, MlockTest) { 1161 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1162 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1163 EXPECT_EQ(0, munlockall()); 1164 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1165 } 1166 #endif 1167 1168 struct LargeStruct { 1169 int foo[100]; 1170 }; 1171 1172 // Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1173 // Struct copy should not cause asan warning even if lhs == rhs. 1174 TEST(AddressSanitizer, LargeStructCopyTest) { 1175 LargeStruct a; 1176 *Ident(&a) = *Ident(&a); 1177 } 1178 1179 ATTRIBUTE_NO_SANITIZE_ADDRESS 1180 static void NoSanitizeAddress() { 1181 char *foo = new char[10]; 1182 Ident(foo)[10] = 0; 1183 delete [] foo; 1184 } 1185 1186 TEST(AddressSanitizer, AttributeNoSanitizeAddressTest) { 1187 Ident(NoSanitizeAddress)(); 1188 } 1189 1190 // The new/delete/etc mismatch checks don't work on Android, 1191 // as calls to new/delete go through malloc/free. 1192 // OS X support is tracked here: 1193 // https://github.com/google/sanitizers/issues/131 1194 // Windows support is tracked here: 1195 // https://github.com/google/sanitizers/issues/309 1196 #if !defined(__ANDROID__) && \ 1197 !defined(__APPLE__) && \ 1198 !defined(_WIN32) 1199 static string MismatchStr(const string &str) { 1200 return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str; 1201 } 1202 1203 static string MismatchOrNewDeleteTypeStr(const string &mismatch_str) { 1204 return "(" + MismatchStr(mismatch_str) + 1205 ")|(AddressSanitizer: new-delete-type-mismatch)"; 1206 } 1207 1208 TEST(AddressSanitizer, AllocDeallocMismatch) { 1209 EXPECT_DEATH(free(Ident(new int)), 1210 MismatchStr("operator new vs free")); 1211 EXPECT_DEATH(free(Ident(new int[2])), 1212 MismatchStr("operator new \\[\\] vs free")); 1213 EXPECT_DEATH( 1214 delete (Ident(new int[2])), 1215 MismatchOrNewDeleteTypeStr("operator new \\[\\] vs operator delete")); 1216 EXPECT_DEATH(delete (Ident((int *)malloc(2 * sizeof(int)))), 1217 MismatchOrNewDeleteTypeStr("malloc vs operator delete")); 1218 EXPECT_DEATH(delete [] (Ident(new int)), 1219 MismatchStr("operator new vs operator delete \\[\\]")); 1220 EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))), 1221 MismatchStr("malloc vs operator delete \\[\\]")); 1222 } 1223 #endif 1224 1225 // ------------------ demo tests; run each one-by-one ------------- 1226 // e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1227 TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1228 ThreadedTestSpawn(); 1229 } 1230 1231 void *SimpleBugOnSTack(void *x = 0) { 1232 char a[20]; 1233 Ident(a)[20] = 0; 1234 return 0; 1235 } 1236 1237 TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1238 SimpleBugOnSTack(); 1239 } 1240 1241 TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1242 pthread_t t; 1243 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1244 PTHREAD_JOIN(t, 0); 1245 } 1246 1247 TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1248 uaf_test<U1>(10, 0); 1249 } 1250 TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1251 uaf_test<U1>(10, -2); 1252 } 1253 TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 1254 uaf_test<U1>(10, 10); 1255 } 1256 1257 TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 1258 uaf_test<U1>(kLargeMalloc, 0); 1259 } 1260 1261 TEST(AddressSanitizer, DISABLED_DemoOOM) { 1262 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 1263 printf("%p\n", malloc(size)); 1264 } 1265 1266 TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 1267 DoubleFree(); 1268 } 1269 1270 TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 1271 int *a = 0; 1272 Ident(a)[10] = 0; 1273 } 1274 1275 TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 1276 static char a[100]; 1277 static char b[100]; 1278 static char c[100]; 1279 Ident(a); 1280 Ident(b); 1281 Ident(c); 1282 Ident(a)[5] = 0; 1283 Ident(b)[105] = 0; 1284 Ident(a)[5] = 0; 1285 } 1286 1287 TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 1288 const size_t kAllocSize = (1 << 28) - 1024; 1289 size_t total_size = 0; 1290 while (true) { 1291 void *x = malloc(kAllocSize); 1292 memset(x, 0, kAllocSize); 1293 total_size += kAllocSize; 1294 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 1295 } 1296 } 1297 1298 #if !defined(__NetBSD__) && !defined(__i386__) 1299 // https://github.com/google/sanitizers/issues/66 1300 TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 1301 for (int i = 0; i < 1000000; i++) { 1302 delete [] (Ident(new char [8644])); 1303 } 1304 char *x = new char[8192]; 1305 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 1306 delete [] Ident(x); 1307 } 1308 #endif 1309 1310 1311 // Test that instrumentation of stack allocations takes into account 1312 // AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 1313 // See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 1314 TEST(AddressSanitizer, LongDoubleNegativeTest) { 1315 long double a, b; 1316 static long double c; 1317 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 1318 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 1319 } 1320 1321 #if !defined(_WIN32) 1322 TEST(AddressSanitizer, pthread_getschedparam) { 1323 int policy; 1324 struct sched_param param; 1325 EXPECT_DEATH( 1326 pthread_getschedparam(pthread_self(), &policy, Ident(¶m) + 2), 1327 "AddressSanitizer: stack-buffer-.*flow"); 1328 EXPECT_DEATH( 1329 pthread_getschedparam(pthread_self(), Ident(&policy) - 1, ¶m), 1330 "AddressSanitizer: stack-buffer-.*flow"); 1331 int res = pthread_getschedparam(pthread_self(), &policy, ¶m); 1332 ASSERT_EQ(0, res); 1333 } 1334 #endif 1335 1336 #if SANITIZER_TEST_HAS_PRINTF_L 1337 static int vsnprintf_l_wrapper(char *s, size_t n, 1338 locale_t l, const char *format, ...) { 1339 va_list va; 1340 va_start(va, format); 1341 int res = vsnprintf_l(s, n , l, format, va); 1342 va_end(va); 1343 return res; 1344 } 1345 1346 TEST(AddressSanitizer, snprintf_l) { 1347 char buff[5]; 1348 // Check that snprintf_l() works fine with Asan. 1349 int res = snprintf_l(buff, 5, SANITIZER_GET_C_LOCALE, "%s", "snprintf_l()"); 1350 EXPECT_EQ(12, res); 1351 // Check that vsnprintf_l() works fine with Asan. 1352 res = vsnprintf_l_wrapper(buff, 5, SANITIZER_GET_C_LOCALE, "%s", 1353 "vsnprintf_l()"); 1354 EXPECT_EQ(13, res); 1355 1356 EXPECT_DEATH( 1357 snprintf_l(buff, 10, SANITIZER_GET_C_LOCALE, "%s", "snprintf_l()"), 1358 "AddressSanitizer: stack-buffer-overflow"); 1359 EXPECT_DEATH(vsnprintf_l_wrapper(buff, 10, SANITIZER_GET_C_LOCALE, "%s", 1360 "vsnprintf_l()"), 1361 "AddressSanitizer: stack-buffer-overflow"); 1362 } 1363 #endif 1364
Indexes created Sat Sep 20 22:09:52 GMT 2025