Home | History | Annotate | Line # | Download | only in cc
t_tsan_heap_use_after_free.sh revision 1.2
      1 # Copyright (c) 2018 The NetBSD Foundation, Inc.
      2 # All rights reserved.
      3 #
      4 # This code is derived from software contributed to The NetBSD Foundation
      5 # by Yang Zheng.
      6 #
      7 # Redistribution and use in source and binary forms, with or without
      8 # modification, are permitted provided that the following conditions
      9 # are met:
     10 # 1. Redistributions of source code must retain the above copyright
     11 #    notice, this list of conditions and the following disclaimer.
     12 # 2. Redistributions in binary form must reproduce the above copyright
     13 #    notice, this list of conditions and the following disclaimer in the
     14 #    documentation and/or other materials provided with the distribution.
     15 #
     16 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     17 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     18 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     19 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     20 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     21 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     22 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     23 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     24 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     25 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     26 # POSSIBILITY OF SUCH DAMAGE.
     27 #
     28 
     29 test_target()
     30 {
     31 	SUPPORT='n'
     32 	if uname -m | grep -q "amd64" && command -v cc >/dev/null 2>&1 && \
     33 		   ! echo __clang__ | cc -E - | grep -q __clang__; then
     34 		# only clang with major version newer than 7 is supported
     35 		CLANG_MAJOR=`echo __clang_major__ | cc -E - | grep -o '^[[:digit:]]'`
     36 		if [ "$CLANG_MAJOR" -ge "7" ]; then
     37 			SUPPORT='y'
     38 		fi
     39 	fi
     40 }
     41 
     42 atf_test_case heap_use_after_free
     43 heap_use_after_free_head() {
     44 	atf_set "descr" "Test thread sanitizer for use-after-free condition"
     45 	atf_set "require.progs" "cc paxctl"
     46 }
     47 
     48 atf_test_case heap_use_after_free_profile
     49 heap_use_after_free_profile_head() {
     50 	atf_set "descr" "Test thread sanitizer for use-after-free with profiling option"
     51 	atf_set "require.progs" "cc paxctl"
     52 }
     53 atf_test_case heap_use_after_free_pic
     54 heap_use_after_free_pic_head() {
     55 	atf_set "descr" "Test thread sanitizer for use-after-free with position independent code (PIC) flag"
     56 	atf_set "require.progs" "cc paxctl"
     57 }
     58 atf_test_case heap_use_after_free_pie
     59 heap_use_after_free_pie_head() {
     60 	atf_set "descr" "Test thread sanitizer for use-after-free with position independent execution (PIE) flag"
     61 	atf_set "require.progs" "cc paxctl"
     62 }
     63 
     64 heap_use_after_free_body(){
     65 	cat > test.c << EOF
     66 #include <pthread.h>
     67 #include <stdlib.h>
     68 
     69 int *ptr;
     70 pthread_barrier_t barrier;
     71 void *Thread(void *a) {
     72   pthread_barrier_wait(&barrier);
     73   *ptr = 42;
     74   return 0;
     75 }
     76 
     77 int main() {
     78   pthread_t t;
     79   pthread_barrier_init(&barrier, NULL, 2);
     80   ptr = (int *)malloc(sizeof(int));
     81   pthread_create(&t, NULL, Thread, NULL);
     82   free(ptr);
     83   pthread_barrier_wait(&barrier);
     84   pthread_join(t, NULL);
     85   return 0;
     86 }
     87 EOF
     88 
     89 	cc -fsanitize=thread -o test test.c
     90 	paxctl +a test
     91 	atf_check -s ignore -o ignore -e match:"WARNING: ThreadSanitizer: heap-use-after-free" ./test
     92 }
     93 
     94 heap_use_after_free_profile_body(){
     95 	cat > test.c << EOF
     96 #include <pthread.h>
     97 #include <stdlib.h>
     98 
     99 int *ptr;
    100 pthread_barrier_t barrier;
    101 void *Thread(void *a) {
    102   pthread_barrier_wait(&barrier);
    103   *ptr = 42;
    104   return 0;
    105 }
    106 
    107 int main() {
    108   pthread_t t;
    109   pthread_barrier_init(&barrier, NULL, 2);
    110   ptr = (int *)malloc(sizeof(int));
    111   pthread_create(&t, NULL, Thread, NULL);
    112   free(ptr);
    113   pthread_barrier_wait(&barrier);
    114   pthread_join(t, NULL);
    115   return 0;
    116 }
    117 EOF
    118 
    119 	cc -fsanitize=thread -o test -pg test.c
    120 	paxctl +a test
    121 	atf_check -s ignore -o ignore -e match:"WARNING: ThreadSanitizer: heap-use-after-free" ./test
    122 }
    123 
    124 heap_use_after_free_pic_body(){
    125 	cat > test.c << EOF
    126 #include <stdio.h>
    127 #include <stdlib.h>
    128 int help(int);
    129 int main(int argc, char **argv) {return help(argc);}
    130 EOF
    131 
    132 	cat > pic.c << EOF
    133 #include <pthread.h>
    134 #include <stdlib.h>
    135 
    136 int *ptr;
    137 pthread_barrier_t barrier;
    138 void *Thread(void *a) {
    139   pthread_barrier_wait(&barrier);
    140   *ptr = 42;
    141   return 0;
    142 }
    143 
    144 int help(int argc) {
    145   pthread_t t;
    146   pthread_barrier_init(&barrier, NULL, 2);
    147   ptr = (int *)malloc(sizeof(int));
    148   pthread_create(&t, NULL, Thread, NULL);
    149   free(ptr);
    150   pthread_barrier_wait(&barrier);
    151   pthread_join(t, NULL);
    152   return 0;
    153 }
    154 EOF
    155 
    156 	cc -fsanitize=thread -fPIC -shared -o libtest.so pic.c
    157 	cc -o test test.c -fsanitize=thread -L. -ltest
    158 	paxctl +a test
    159 
    160 	export LD_LIBRARY_PATH=.
    161 	atf_check -s ignore -o ignore -e match:"WARNING: ThreadSanitizer: heap-use-after-free" ./test
    162 }
    163 heap_use_after_free_pie_body(){
    164 	
    165 	#check whether -pie flag is supported on this architecture
    166 	if ! cc -pie -dM -E - < /dev/null 2>/dev/null >/dev/null; then 
    167 		atf_set_skip "cc -pie not supported on this architecture"
    168 	fi
    169 	cat > test.c << EOF
    170 #include <pthread.h>
    171 #include <stdlib.h>
    172 
    173 int *ptr;
    174 pthread_barrier_t barrier;
    175 void *Thread(void *a) {
    176   pthread_barrier_wait(&barrier);
    177   *ptr = 42;
    178   return 0;
    179 }
    180 
    181 int main() {
    182   pthread_t t;
    183   pthread_barrier_init(&barrier, NULL, 2);
    184   ptr = (int *)malloc(sizeof(int));
    185   pthread_create(&t, NULL, Thread, NULL);
    186   free(ptr);
    187   pthread_barrier_wait(&barrier);
    188   pthread_join(t, NULL);
    189   return 0;
    190 }
    191 EOF
    192 
    193 	cc -fsanitize=thread -o test -fpie -pie test.c
    194 	paxctl +a test
    195 	atf_check -s ignore -o ignore -e match:"WARNING: ThreadSanitizer: heap-use-after-free" ./test
    196 }
    197 
    198 
    199 atf_test_case target_not_supported
    200 target_not_supported_head()
    201 {
    202 	atf_set "descr" "Test forced skip"
    203 }
    204 
    205 target_not_supported_body()
    206 {
    207 	atf_skip "Target is not supported"
    208 }
    209 
    210 atf_init_test_cases()
    211 {
    212 	test_target
    213 	test $SUPPORT = 'n' && {
    214 		atf_add_test_case target_not_supported
    215 		return 0
    216 	}
    217 	atf_add_test_case heap_use_after_free
    218 	atf_add_test_case heap_use_after_free_profile
    219 	atf_add_test_case heap_use_after_free_pie
    220 	atf_add_test_case heap_use_after_free_pic
    221 }
    222