1//===-- asan_test.cc ------------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12//===----------------------------------------------------------------------===// 13#include "asan_test_utils.h" 14 15#include <errno.h> 16#include <stdarg.h> 17 18#ifdef _LIBCPP_GET_C_LOCALE 19#define SANITIZER_GET_C_LOCALE _LIBCPP_GET_C_LOCALE 20#else 21#if defined(__FreeBSD__) 22#define SANITIZER_GET_C_LOCALE 0 23#elif defined(__NetBSD__) 24#define SANITIZER_GET_C_LOCALE LC_C_LOCALE 25#endif 26#endif 27 28#if defined(__sun__) && defined(__svr4__) 29using std::_setjmp; 30using std::_longjmp; 31#endif 32 33NOINLINE void *malloc_fff(size_t size) { 34 void *res = malloc/**/(size); break_optimization(0); return res;} 35NOINLINE void *malloc_eee(size_t size) { 36 void *res = malloc_fff(size); break_optimization(0); return res;} 37NOINLINE void *malloc_ddd(size_t size) { 38 void *res = malloc_eee(size); break_optimization(0); return res;} 39NOINLINE void *malloc_ccc(size_t size) { 40 void *res = malloc_ddd(size); break_optimization(0); return res;} 41NOINLINE void *malloc_bbb(size_t size) { 42 void *res = malloc_ccc(size); break_optimization(0); return res;} 43NOINLINE void *malloc_aaa(size_t size) { 44 void *res = malloc_bbb(size); break_optimization(0); return res;} 45 46NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 47NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 48NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 49 50template<typename T> 51NOINLINE void uaf_test(int size, int off) { 52 void *p = malloc_aaa(size); 53 free_aaa(p); 54 for (int i = 1; i < 100; i++) 55 free_aaa(malloc_aaa(i)); 56 fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 57 (long)sizeof(T), p, off); 58 asan_write((T *)((char *)p + off)); 59} 60 61TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 62#if defined(__has_feature) && __has_feature(address_sanitizer) 63 bool asan = 1; 64#elif defined(__SANITIZE_ADDRESS__) 65 bool asan = 1; 66#else 67 bool asan = 0; 68#endif 69 EXPECT_EQ(true, asan); 70} 71 72TEST(AddressSanitizer, SimpleDeathTest) { 73 EXPECT_DEATH(exit(1), ""); 74} 75 76TEST(AddressSanitizer, VariousMallocsTest) { 77 int *a = (int*)malloc(100 * sizeof(int)); 78 a[50] = 0; 79 free(a); 80 81 int *r = (int*)malloc(10); 82 r = (int*)realloc(r, 2000 * sizeof(int)); 83 r[1000] = 0; 84 free(r); 85 86 int *b = new int[100]; 87 b[50] = 0; 88 delete [] b; 89 90 int *c = new int; 91 *c = 0; 92 delete c; 93 94#if SANITIZER_TEST_HAS_POSIX_MEMALIGN 95 void *pm = 0; 96 // Valid allocation. 97 int pm_res = posix_memalign(&pm, kPageSize, kPageSize); 98 EXPECT_EQ(0, pm_res); 99 EXPECT_NE(nullptr, pm); 100 free(pm); 101#endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 102 103#if SANITIZER_TEST_HAS_MEMALIGN 104 int *ma = (int*)memalign(kPageSize, kPageSize); 105 EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 106 ma[123] = 0; 107 free(ma); 108#endif // SANITIZER_TEST_HAS_MEMALIGN 109} 110 111TEST(AddressSanitizer, CallocTest) { 112 int *a = (int*)calloc(100, sizeof(int)); 113 EXPECT_EQ(0, a[10]); 114 free(a); 115} 116 117TEST(AddressSanitizer, CallocReturnsZeroMem) { 118 size_t sizes[] = {16, 1000, 10000, 100000, 2100000}; 119 for (size_t s = 0; s < sizeof(sizes)/sizeof(sizes[0]); s++) { 120 size_t size = sizes[s]; 121 for (size_t iter = 0; iter < 5; iter++) { 122 char *x = Ident((char*)calloc(1, size)); 123 EXPECT_EQ(x[0], 0); 124 EXPECT_EQ(x[size - 1], 0); 125 EXPECT_EQ(x[size / 2], 0); 126 EXPECT_EQ(x[size / 3], 0); 127 EXPECT_EQ(x[size / 4], 0); 128 memset(x, 0x42, size); 129 free(Ident(x)); 130#if !defined(_WIN32) 131 // FIXME: OOM on Windows. We should just make this a lit test 132 // with quarantine size set to 1. 133 free(Ident(malloc(Ident(1 << 27)))); // Try to drain the quarantine. 134#endif 135 } 136 } 137} 138 139// No valloc on Windows or Android. 140#if !defined(_WIN32) && !defined(__ANDROID__) 141TEST(AddressSanitizer, VallocTest) { 142 void *a = valloc(100); 143 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 144 free(a); 145} 146#endif 147 148#if SANITIZER_TEST_HAS_PVALLOC 149TEST(AddressSanitizer, PvallocTest) { 150 char *a = (char*)pvalloc(kPageSize + 100); 151 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 152 a[kPageSize + 101] = 1; // we should not report an error here. 153 free(a); 154 155 a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 156 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 157 a[101] = 1; // we should not report an error here. 158 free(a); 159} 160#endif // SANITIZER_TEST_HAS_PVALLOC 161 162#if !defined(_WIN32) 163// FIXME: Use an equivalent of pthread_setspecific on Windows. 164void *TSDWorker(void *test_key) { 165 if (test_key) { 166 pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 167 } 168 return NULL; 169} 170 171void TSDDestructor(void *tsd) { 172 // Spawning a thread will check that the current thread id is not -1. 173 pthread_t th; 174 PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 175 PTHREAD_JOIN(th, NULL); 176} 177 178// This tests triggers the thread-specific data destruction fiasco which occurs 179// if we don't manage the TSD destructors ourselves. We create a new pthread 180// key with a non-NULL destructor which is likely to be put after the destructor 181// of AsanThread in the list of destructors. 182// In this case the TSD for AsanThread will be destroyed before TSDDestructor 183// is called for the child thread, and a CHECK will fail when we call 184// pthread_create() to spawn the grandchild. 185TEST(AddressSanitizer, DISABLED_TSDTest) { 186 pthread_t th; 187 pthread_key_t test_key; 188 pthread_key_create(&test_key, TSDDestructor); 189 PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 190 PTHREAD_JOIN(th, NULL); 191 pthread_key_delete(test_key); 192} 193#endif 194 195TEST(AddressSanitizer, UAF_char) { 196 const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 197 EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 198 EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 199 EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 200 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 201 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 202} 203 204TEST(AddressSanitizer, UAF_long_double) { 205 if (sizeof(long double) == sizeof(double)) return; 206 long double *p = Ident(new long double[10]); 207 EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 1[026]"); 208 EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 1[026]"); 209 delete [] Ident(p); 210} 211 212#if !defined(_WIN32) 213struct Packed5 { 214 int x; 215 char c; 216} __attribute__((packed)); 217#else 218# pragma pack(push, 1) 219struct Packed5 { 220 int x; 221 char c; 222}; 223# pragma pack(pop) 224#endif 225 226TEST(AddressSanitizer, UAF_Packed5) { 227 static_assert(sizeof(Packed5) == 5, "Please check the keywords used"); 228 Packed5 *p = Ident(new Packed5[2]); 229 EXPECT_DEATH(p[0] = p[3], "READ of size 5"); 230 EXPECT_DEATH(p[3] = p[0], "WRITE of size 5"); 231 delete [] Ident(p); 232} 233 234#if ASAN_HAS_BLACKLIST 235TEST(AddressSanitizer, IgnoreTest) { 236 int *x = Ident(new int); 237 delete Ident(x); 238 *x = 0; 239} 240#endif // ASAN_HAS_BLACKLIST 241 242struct StructWithBitField { 243 int bf1:1; 244 int bf2:1; 245 int bf3:1; 246 int bf4:29; 247}; 248 249TEST(AddressSanitizer, BitFieldPositiveTest) { 250 StructWithBitField *x = new StructWithBitField; 251 delete Ident(x); 252 EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 253 EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 254 EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 255 EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 256} 257 258struct StructWithBitFields_8_24 { 259 int a:8; 260 int b:24; 261}; 262 263TEST(AddressSanitizer, BitFieldNegativeTest) { 264 StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 265 x->a = 0; 266 x->b = 0; 267 delete Ident(x); 268} 269 270#if ASAN_NEEDS_SEGV 271namespace { 272 273const char kSEGVCrash[] = "AddressSanitizer: SEGV on unknown address"; 274const char kOverriddenSigactionHandler[] = "Test sigaction handler\n"; 275const char kOverriddenSignalHandler[] = "Test signal handler\n"; 276 277TEST(AddressSanitizer, WildAddressTest) { 278 char *c = (char*)0x123; 279 EXPECT_DEATH(*c = 0, kSEGVCrash); 280} 281 282void my_sigaction_sighandler(int, siginfo_t*, void*) { 283 fprintf(stderr, kOverriddenSigactionHandler); 284 exit(1); 285} 286 287void my_signal_sighandler(int signum) { 288 fprintf(stderr, kOverriddenSignalHandler); 289 exit(1); 290} 291 292TEST(AddressSanitizer, SignalTest) { 293 struct sigaction sigact; 294 memset(&sigact, 0, sizeof(sigact)); 295 sigact.sa_sigaction = my_sigaction_sighandler; 296 sigact.sa_flags = SA_SIGINFO; 297 char *c = (char *)0x123; 298 299 EXPECT_DEATH(*c = 0, kSEGVCrash); 300 301 // ASan should allow to set sigaction()... 302 EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 303#ifdef __APPLE__ 304 EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 305#endif 306 EXPECT_DEATH(*c = 0, kOverriddenSigactionHandler); 307 308 // ... and signal(). 309 EXPECT_NE(SIG_ERR, signal(SIGSEGV, my_signal_sighandler)); 310 EXPECT_DEATH(*c = 0, kOverriddenSignalHandler); 311} 312} // namespace 313#endif 314 315static void TestLargeMalloc(size_t size) { 316 char buff[1024]; 317 sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 318 EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 319} 320 321TEST(AddressSanitizer, LargeMallocTest) { 322 const int max_size = (SANITIZER_WORDSIZE == 32) ? 1 << 26 : 1 << 28; 323 for (int i = 113; i < max_size; i = i * 2 + 13) { 324 TestLargeMalloc(i); 325 } 326} 327 328#if !GTEST_USES_SIMPLE_RE 329TEST(AddressSanitizer, HugeMallocTest) { 330 if (SANITIZER_WORDSIZE != 64 || ASAN_AVOID_EXPENSIVE_TESTS) return; 331 size_t n_megs = 4100; 332 EXPECT_DEATH(Ident((char*)malloc(n_megs << 20))[-1] = 0, 333 "is located 1 bytes to the left|" 334 "AddressSanitizer failed to allocate"); 335} 336#endif 337 338#if SANITIZER_TEST_HAS_MEMALIGN 339void MemalignRun(size_t align, size_t size, int idx) { 340 char *p = (char *)memalign(align, size); 341 Ident(p)[idx] = 0; 342 free(p); 343} 344 345TEST(AddressSanitizer, memalign) { 346 for (int align = 16; align <= (1 << 23); align *= 2) { 347 size_t size = align * 5; 348 EXPECT_DEATH(MemalignRun(align, size, -1), 349 "is located 1 bytes to the left"); 350 EXPECT_DEATH(MemalignRun(align, size, size + 1), 351 "is located 1 bytes to the right"); 352 } 353} 354#endif // SANITIZER_TEST_HAS_MEMALIGN 355 356void *ManyThreadsWorker(void *a) { 357 for (int iter = 0; iter < 100; iter++) { 358 for (size_t size = 100; size < 2000; size *= 2) { 359 free(Ident(malloc(size))); 360 } 361 } 362 return 0; 363} 364 365#if !defined(__aarch64__) && !defined(__powerpc64__) 366// FIXME: Infinite loop in AArch64 (PR24389). 367// FIXME: Also occasional hang on powerpc. Maybe same problem as on AArch64? 368TEST(AddressSanitizer, ManyThreadsTest) { 369 const size_t kNumThreads = 370 (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 371 pthread_t t[kNumThreads]; 372 for (size_t i = 0; i < kNumThreads; i++) { 373 PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 374 } 375 for (size_t i = 0; i < kNumThreads; i++) { 376 PTHREAD_JOIN(t[i], 0); 377 } 378} 379#endif 380 381TEST(AddressSanitizer, ReallocTest) { 382 const int kMinElem = 5; 383 int *ptr = (int*)malloc(sizeof(int) * kMinElem); 384 ptr[3] = 3; 385 for (int i = 0; i < 10000; i++) { 386 ptr = (int*)realloc(ptr, 387 (my_rand() % 1000 + kMinElem) * sizeof(int)); 388 EXPECT_EQ(3, ptr[3]); 389 } 390 free(ptr); 391 // Realloc pointer returned by malloc(0). 392 int *ptr2 = Ident((int*)malloc(0)); 393 ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2))); 394 *ptr2 = 42; 395 EXPECT_EQ(42, *ptr2); 396 free(ptr2); 397} 398 399TEST(AddressSanitizer, ReallocFreedPointerTest) { 400 void *ptr = Ident(malloc(42)); 401 ASSERT_TRUE(NULL != ptr); 402 free(ptr); 403 EXPECT_DEATH(ptr = realloc(ptr, 77), "attempting double-free"); 404} 405 406TEST(AddressSanitizer, ReallocInvalidPointerTest) { 407 void *ptr = Ident(malloc(42)); 408 EXPECT_DEATH(ptr = realloc((int*)ptr + 1, 77), "attempting free.*not malloc"); 409 free(ptr); 410} 411 412TEST(AddressSanitizer, ZeroSizeMallocTest) { 413 // Test that malloc(0) and similar functions don't return NULL. 414 void *ptr = Ident(malloc(0)); 415 EXPECT_TRUE(NULL != ptr); 416 free(ptr); 417#if SANITIZER_TEST_HAS_POSIX_MEMALIGN 418 int pm_res = posix_memalign(&ptr, 1<<20, 0); 419 EXPECT_EQ(0, pm_res); 420 EXPECT_TRUE(NULL != ptr); 421 free(ptr); 422#endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 423 int *int_ptr = new int[0]; 424 int *int_ptr2 = new int[0]; 425 EXPECT_TRUE(NULL != int_ptr); 426 EXPECT_TRUE(NULL != int_ptr2); 427 EXPECT_NE(int_ptr, int_ptr2); 428 delete[] int_ptr; 429 delete[] int_ptr2; 430} 431 432#if SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 433static const char *kMallocUsableSizeErrorMsg = 434 "AddressSanitizer: attempting to call malloc_usable_size()"; 435 436TEST(AddressSanitizer, MallocUsableSizeTest) { 437 const size_t kArraySize = 100; 438 char *array = Ident((char*)malloc(kArraySize)); 439 int *int_ptr = Ident(new int); 440 EXPECT_EQ(0U, malloc_usable_size(NULL)); 441 EXPECT_EQ(kArraySize, malloc_usable_size(array)); 442 EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 443 EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 444 EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 445 kMallocUsableSizeErrorMsg); 446 free(array); 447 EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 448 delete int_ptr; 449} 450#endif // SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 451 452void WrongFree() { 453 int *x = (int*)malloc(100 * sizeof(int)); 454 // Use the allocated memory, otherwise Clang will optimize it out. 455 Ident(x); 456 free(x + 1); 457} 458 459#if !defined(_WIN32) // FIXME: This should be a lit test. 460TEST(AddressSanitizer, WrongFreeTest) { 461 EXPECT_DEATH(WrongFree(), ASAN_PCRE_DOTALL 462 "ERROR: AddressSanitizer: attempting free.*not malloc" 463 ".*is located 4 bytes inside of 400-byte region" 464 ".*allocated by thread"); 465} 466#endif 467 468void DoubleFree() { 469 int *x = (int*)malloc(100 * sizeof(int)); 470 fprintf(stderr, "DoubleFree: x=%p\n", (void *)x); 471 free(x); 472 free(x); 473 fprintf(stderr, "should have failed in the second free(%p)\n", (void *)x); 474 abort(); 475} 476 477#if !defined(_WIN32) // FIXME: This should be a lit test. 478TEST(AddressSanitizer, DoubleFreeTest) { 479 EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 480 "ERROR: AddressSanitizer: attempting double-free" 481 ".*is located 0 bytes inside of 400-byte region" 482 ".*freed by thread T0 here" 483 ".*previously allocated by thread T0 here"); 484} 485#endif 486 487template<int kSize> 488NOINLINE void SizedStackTest() { 489 char a[kSize]; 490 char *A = Ident((char*)&a); 491 const char *expected_death = "AddressSanitizer: stack-buffer-"; 492 for (size_t i = 0; i < kSize; i++) 493 A[i] = i; 494 EXPECT_DEATH(A[-1] = 0, expected_death); 495 EXPECT_DEATH(A[-5] = 0, expected_death); 496 EXPECT_DEATH(A[kSize] = 0, expected_death); 497 EXPECT_DEATH(A[kSize + 1] = 0, expected_death); 498 EXPECT_DEATH(A[kSize + 5] = 0, expected_death); 499 if (kSize > 16) 500 EXPECT_DEATH(A[kSize + 31] = 0, expected_death); 501} 502 503TEST(AddressSanitizer, SimpleStackTest) { 504 SizedStackTest<1>(); 505 SizedStackTest<2>(); 506 SizedStackTest<3>(); 507 SizedStackTest<4>(); 508 SizedStackTest<5>(); 509 SizedStackTest<6>(); 510 SizedStackTest<7>(); 511 SizedStackTest<16>(); 512 SizedStackTest<25>(); 513 SizedStackTest<34>(); 514 SizedStackTest<43>(); 515 SizedStackTest<51>(); 516 SizedStackTest<62>(); 517 SizedStackTest<64>(); 518 SizedStackTest<128>(); 519} 520 521#if !defined(_WIN32) 522// FIXME: It's a bit hard to write multi-line death test expectations 523// in a portable way. Anyways, this should just be turned into a lit test. 524TEST(AddressSanitizer, ManyStackObjectsTest) { 525 char XXX[10]; 526 char YYY[20]; 527 char ZZZ[30]; 528 Ident(XXX); 529 Ident(YYY); 530 EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 531} 532#endif 533 534#if 0 // This test requires online symbolizer. 535// Moved to lit_tests/stack-oob-frames.cc. 536// Reenable here once we have online symbolizer by default. 537NOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 538 char d[4] = {0}; 539 char *D = Ident(d); 540 switch (frame) { 541 case 3: a[5]++; break; 542 case 2: b[5]++; break; 543 case 1: c[5]++; break; 544 case 0: D[5]++; break; 545 } 546} 547NOINLINE static void Frame1(int frame, char *a, char *b) { 548 char c[4] = {0}; Frame0(frame, a, b, c); 549 break_optimization(0); 550} 551NOINLINE static void Frame2(int frame, char *a) { 552 char b[4] = {0}; Frame1(frame, a, b); 553 break_optimization(0); 554} 555NOINLINE static void Frame3(int frame) { 556 char a[4] = {0}; Frame2(frame, a); 557 break_optimization(0); 558} 559 560TEST(AddressSanitizer, GuiltyStackFrame0Test) { 561 EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 562} 563TEST(AddressSanitizer, GuiltyStackFrame1Test) { 564 EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 565} 566TEST(AddressSanitizer, GuiltyStackFrame2Test) { 567 EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 568} 569TEST(AddressSanitizer, GuiltyStackFrame3Test) { 570 EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 571} 572#endif 573 574NOINLINE void LongJmpFunc1(jmp_buf buf) { 575 // create three red zones for these two stack objects. 576 int a; 577 int b; 578 579 int *A = Ident(&a); 580 int *B = Ident(&b); 581 *A = *B; 582 longjmp(buf, 1); 583} 584 585NOINLINE void TouchStackFunc() { 586 int a[100]; // long array will intersect with redzones from LongJmpFunc1. 587 int *A = Ident(a); 588 for (int i = 0; i < 100; i++) 589 A[i] = i*i; 590} 591 592// Test that we handle longjmp and do not report false positives on stack. 593TEST(AddressSanitizer, LongJmpTest) { 594 static jmp_buf buf; 595 if (!setjmp(buf)) { 596 LongJmpFunc1(buf); 597 } else { 598 TouchStackFunc(); 599 } 600} 601 602#if !defined(_WIN32) // Only basic longjmp is available on Windows. 603NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 604 // create three red zones for these two stack objects. 605 int a; 606 int b; 607 608 int *A = Ident(&a); 609 int *B = Ident(&b); 610 *A = *B; 611 _longjmp(buf, 1); 612} 613 614NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 615 // create three red zones for these two stack objects. 616 int a; 617 int b; 618 619 int *A = Ident(&a); 620 int *B = Ident(&b); 621 *A = *B; 622 siglongjmp(buf, 1); 623} 624 625#if !defined(__ANDROID__) && !defined(__arm__) && \ 626 !defined(__aarch64__) && !defined(__mips__) && \ 627 !defined(__mips64) && !defined(__s390__) 628NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 629 // create three red zones for these two stack objects. 630 int a; 631 int b; 632 633 int *A = Ident(&a); 634 int *B = Ident(&b); 635 *A = *B; 636 __builtin_longjmp((void**)buf, 1); 637} 638 639// Does not work on ARM: 640// https://github.com/google/sanitizers/issues/185 641TEST(AddressSanitizer, BuiltinLongJmpTest) { 642 static jmp_buf buf; 643 if (!__builtin_setjmp((void**)buf)) { 644 BuiltinLongJmpFunc1(buf); 645 } else { 646 TouchStackFunc(); 647 } 648} 649#endif // !defined(__ANDROID__) && !defined(__arm__) && 650 // !defined(__aarch64__) && !defined(__mips__) 651 // !defined(__mips64) && !defined(__s390__) 652 653TEST(AddressSanitizer, UnderscopeLongJmpTest) { 654 static jmp_buf buf; 655 if (!_setjmp(buf)) { 656 UnderscopeLongJmpFunc1(buf); 657 } else { 658 TouchStackFunc(); 659 } 660} 661 662TEST(AddressSanitizer, SigLongJmpTest) { 663 static sigjmp_buf buf; 664 if (!sigsetjmp(buf, 1)) { 665 SigLongJmpFunc1(buf); 666 } else { 667 TouchStackFunc(); 668 } 669} 670#endif 671 672// FIXME: Why does clang-cl define __EXCEPTIONS? 673#if defined(__EXCEPTIONS) && !defined(_WIN32) 674NOINLINE void ThrowFunc() { 675 // create three red zones for these two stack objects. 676 int a; 677 int b; 678 679 int *A = Ident(&a); 680 int *B = Ident(&b); 681 *A = *B; 682 ASAN_THROW(1); 683} 684 685TEST(AddressSanitizer, CxxExceptionTest) { 686 if (ASAN_UAR) return; 687 // TODO(kcc): this test crashes on 32-bit for some reason... 688 if (SANITIZER_WORDSIZE == 32) return; 689 try { 690 ThrowFunc(); 691 } catch(...) {} 692 TouchStackFunc(); 693} 694#endif 695 696void *ThreadStackReuseFunc1(void *unused) { 697 // create three red zones for these two stack objects. 698 int a; 699 int b; 700 701 int *A = Ident(&a); 702 int *B = Ident(&b); 703 *A = *B; 704 pthread_exit(0); 705 return 0; 706} 707 708void *ThreadStackReuseFunc2(void *unused) { 709 TouchStackFunc(); 710 return 0; 711} 712 713#if !defined(__thumb__) 714TEST(AddressSanitizer, ThreadStackReuseTest) { 715 pthread_t t; 716 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 717 PTHREAD_JOIN(t, 0); 718 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 719 PTHREAD_JOIN(t, 0); 720} 721#endif 722 723#if defined(__SSE2__) 724#include <emmintrin.h> 725TEST(AddressSanitizer, Store128Test) { 726 char *a = Ident((char*)malloc(Ident(12))); 727 char *p = a; 728 if (((uintptr_t)a % 16) != 0) 729 p = a + 8; 730 assert(((uintptr_t)p % 16) == 0); 731 __m128i value_wide = _mm_set1_epi16(0x1234); 732 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 733 "AddressSanitizer: heap-buffer-overflow"); 734 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 735 "WRITE of size 16"); 736 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 737 "located 0 bytes to the right of 12-byte"); 738 free(a); 739} 740#endif 741 742// FIXME: All tests that use this function should be turned into lit tests. 743string RightOOBErrorMessage(int oob_distance, bool is_write) { 744 assert(oob_distance >= 0); 745 char expected_str[100]; 746 sprintf(expected_str, ASAN_PCRE_DOTALL 747#if !GTEST_USES_SIMPLE_RE 748 "buffer-overflow.*%s.*" 749#endif 750 "located %d bytes to the right", 751#if !GTEST_USES_SIMPLE_RE 752 is_write ? "WRITE" : "READ", 753#endif 754 oob_distance); 755 return string(expected_str); 756} 757 758string RightOOBWriteMessage(int oob_distance) { 759 return RightOOBErrorMessage(oob_distance, /*is_write*/true); 760} 761 762string RightOOBReadMessage(int oob_distance) { 763 return RightOOBErrorMessage(oob_distance, /*is_write*/false); 764} 765 766// FIXME: All tests that use this function should be turned into lit tests. 767string LeftOOBErrorMessage(int oob_distance, bool is_write) { 768 assert(oob_distance > 0); 769 char expected_str[100]; 770 sprintf(expected_str, 771#if !GTEST_USES_SIMPLE_RE 772 ASAN_PCRE_DOTALL "%s.*" 773#endif 774 "located %d bytes to the left", 775#if !GTEST_USES_SIMPLE_RE 776 is_write ? "WRITE" : "READ", 777#endif 778 oob_distance); 779 return string(expected_str); 780} 781 782string LeftOOBWriteMessage(int oob_distance) { 783 return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 784} 785 786string LeftOOBReadMessage(int oob_distance) { 787 return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 788} 789 790string LeftOOBAccessMessage(int oob_distance) { 791 assert(oob_distance > 0); 792 char expected_str[100]; 793 sprintf(expected_str, "located %d bytes to the left", oob_distance); 794 return string(expected_str); 795} 796 797char* MallocAndMemsetString(size_t size, char ch) { 798 char *s = Ident((char*)malloc(size)); 799 memset(s, ch, size); 800 return s; 801} 802 803char* MallocAndMemsetString(size_t size) { 804 return MallocAndMemsetString(size, 'z'); 805} 806 807#if defined(__linux__) && !defined(__ANDROID__) 808#define READ_TEST(READ_N_BYTES) \ 809 char *x = new char[10]; \ 810 int fd = open("/proc/self/stat", O_RDONLY); \ 811 ASSERT_GT(fd, 0); \ 812 EXPECT_DEATH(READ_N_BYTES, \ 813 ASAN_PCRE_DOTALL \ 814 "AddressSanitizer: heap-buffer-overflow" \ 815 ".* is located 0 bytes to the right of 10-byte region"); \ 816 close(fd); \ 817 delete [] x; \ 818 819TEST(AddressSanitizer, pread) { 820 READ_TEST(pread(fd, x, 15, 0)); 821} 822 823TEST(AddressSanitizer, pread64) { 824 READ_TEST(pread64(fd, x, 15, 0)); 825} 826 827TEST(AddressSanitizer, read) { 828 READ_TEST(read(fd, x, 15)); 829} 830#endif // defined(__linux__) && !defined(__ANDROID__) 831 832// This test case fails 833// Clang optimizes memcpy/memset calls which lead to unaligned access 834TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 835 int size = Ident(4096); 836 char *s = Ident((char*)malloc(size)); 837 EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 838 free(s); 839} 840 841NOINLINE static int LargeFunction(bool do_bad_access) { 842 int *x = new int[100]; 843 x[0]++; 844 x[1]++; 845 x[2]++; 846 x[3]++; 847 x[4]++; 848 x[5]++; 849 x[6]++; 850 x[7]++; 851 x[8]++; 852 x[9]++; 853 854 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 855 856 x[10]++; 857 x[11]++; 858 x[12]++; 859 x[13]++; 860 x[14]++; 861 x[15]++; 862 x[16]++; 863 x[17]++; 864 x[18]++; 865 x[19]++; 866 867 delete[] x; 868 return res; 869} 870 871// Test the we have correct debug info for the failing instruction. 872// This test requires the in-process symbolizer to be enabled by default. 873TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 874 int failing_line = LargeFunction(false); 875 char expected_warning[128]; 876 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 877 EXPECT_DEATH(LargeFunction(true), expected_warning); 878} 879 880// Check that we unwind and symbolize correctly. 881TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 882 int *a = (int*)malloc_aaa(sizeof(int)); 883 *a = 1; 884 free_aaa(a); 885 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 886 "malloc_fff.*malloc_eee.*malloc_ddd"); 887} 888 889static bool TryToSetThreadName(const char *name) { 890#if defined(__linux__) && defined(PR_SET_NAME) 891 return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 892#else 893 return false; 894#endif 895} 896 897void *ThreadedTestAlloc(void *a) { 898 EXPECT_EQ(true, TryToSetThreadName("AllocThr")); 899 int **p = (int**)a; 900 *p = new int; 901 return 0; 902} 903 904void *ThreadedTestFree(void *a) { 905 EXPECT_EQ(true, TryToSetThreadName("FreeThr")); 906 int **p = (int**)a; 907 delete *p; 908 return 0; 909} 910 911void *ThreadedTestUse(void *a) { 912 EXPECT_EQ(true, TryToSetThreadName("UseThr")); 913 int **p = (int**)a; 914 **p = 1; 915 return 0; 916} 917 918void ThreadedTestSpawn() { 919 pthread_t t; 920 int *x; 921 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 922 PTHREAD_JOIN(t, 0); 923 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 924 PTHREAD_JOIN(t, 0); 925 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 926 PTHREAD_JOIN(t, 0); 927} 928 929#if !defined(_WIN32) // FIXME: This should be a lit test. 930TEST(AddressSanitizer, ThreadedTest) { 931 EXPECT_DEATH(ThreadedTestSpawn(), 932 ASAN_PCRE_DOTALL 933 "Thread T.*created" 934 ".*Thread T.*created" 935 ".*Thread T.*created"); 936} 937#endif 938 939void *ThreadedTestFunc(void *unused) { 940 // Check if prctl(PR_SET_NAME) is supported. Return if not. 941 if (!TryToSetThreadName("TestFunc")) 942 return 0; 943 EXPECT_DEATH(ThreadedTestSpawn(), 944 ASAN_PCRE_DOTALL 945 "WRITE .*thread T. .UseThr." 946 ".*freed by thread T. .FreeThr. here:" 947 ".*previously allocated by thread T. .AllocThr. here:" 948 ".*Thread T. .UseThr. created by T.*TestFunc" 949 ".*Thread T. .FreeThr. created by T" 950 ".*Thread T. .AllocThr. created by T" 951 ""); 952 return 0; 953} 954 955TEST(AddressSanitizer, ThreadNamesTest) { 956 // Run ThreadedTestFunc in a separate thread because it tries to set a 957 // thread name and we don't want to change the main thread's name. 958 pthread_t t; 959 PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0); 960 PTHREAD_JOIN(t, 0); 961} 962 963#if ASAN_NEEDS_SEGV 964TEST(AddressSanitizer, ShadowGapTest) { 965#if SANITIZER_WORDSIZE == 32 966 char *addr = (char*)0x23000000; 967#else 968# if defined(__powerpc64__) 969 char *addr = (char*)0x024000800000; 970# elif defined(__s390x__) 971 char *addr = (char*)0x11000000000000; 972# else 973 char *addr = (char*)0x0000100000080000; 974# endif 975#endif 976 EXPECT_DEATH(*addr = 1, "AddressSanitizer: (SEGV|BUS) on unknown"); 977} 978#endif // ASAN_NEEDS_SEGV 979 980extern "C" { 981NOINLINE static void UseThenFreeThenUse() { 982 char *x = Ident((char*)malloc(8)); 983 *x = 1; 984 free_aaa(x); 985 *x = 2; 986} 987} 988 989TEST(AddressSanitizer, UseThenFreeThenUseTest) { 990 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 991} 992 993TEST(AddressSanitizer, StrDupTest) { 994 free(strdup(Ident("123"))); 995} 996 997// Currently we create and poison redzone at right of global variables. 998static char static110[110]; 999const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 1000static const char StaticConstGlob[3] = {9, 8, 7}; 1001 1002TEST(AddressSanitizer, GlobalTest) { 1003 static char func_static15[15]; 1004 1005 static char fs1[10]; 1006 static char fs2[10]; 1007 static char fs3[10]; 1008 1009 glob5[Ident(0)] = 0; 1010 glob5[Ident(1)] = 0; 1011 glob5[Ident(2)] = 0; 1012 glob5[Ident(3)] = 0; 1013 glob5[Ident(4)] = 0; 1014 1015 EXPECT_DEATH(glob5[Ident(5)] = 0, 1016 "0 bytes to the right of global variable.*glob5.* size 5"); 1017 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 1018 "6 bytes to the right of global variable.*glob5.* size 5"); 1019 Ident(static110); // avoid optimizations 1020 static110[Ident(0)] = 0; 1021 static110[Ident(109)] = 0; 1022 EXPECT_DEATH(static110[Ident(110)] = 0, 1023 "0 bytes to the right of global variable"); 1024 EXPECT_DEATH(static110[Ident(110+7)] = 0, 1025 "7 bytes to the right of global variable"); 1026 1027 Ident(func_static15); // avoid optimizations 1028 func_static15[Ident(0)] = 0; 1029 EXPECT_DEATH(func_static15[Ident(15)] = 0, 1030 "0 bytes to the right of global variable"); 1031 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 1032 "9 bytes to the right of global variable"); 1033 1034 Ident(fs1); 1035 Ident(fs2); 1036 Ident(fs3); 1037 1038 // We don't create left redzones, so this is not 100% guaranteed to fail. 1039 // But most likely will. 1040 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 1041 1042 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 1043 "is located 1 bytes to the right of .*ConstGlob"); 1044 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 1045 "is located 2 bytes to the right of .*StaticConstGlob"); 1046 1047 // call stuff from another file. 1048 GlobalsTest(0); 1049} 1050 1051TEST(AddressSanitizer, GlobalStringConstTest) { 1052 static const char *zoo = "FOOBAR123"; 1053 const char *p = Ident(zoo); 1054 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 1055} 1056 1057TEST(AddressSanitizer, FileNameInGlobalReportTest) { 1058 static char zoo[10]; 1059 const char *p = Ident(zoo); 1060 // The file name should be present in the report. 1061 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 1062} 1063 1064int *ReturnsPointerToALocalObject() { 1065 int a = 0; 1066 return Ident(&a); 1067} 1068 1069#if ASAN_UAR == 1 1070TEST(AddressSanitizer, LocalReferenceReturnTest) { 1071 int *(*f)() = Ident(ReturnsPointerToALocalObject); 1072 int *p = f(); 1073 // Call 'f' a few more times, 'p' should still be poisoned. 1074 for (int i = 0; i < 32; i++) 1075 f(); 1076 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 1077 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 1078} 1079#endif 1080 1081template <int kSize> 1082NOINLINE static void FuncWithStack() { 1083 char x[kSize]; 1084 Ident(x)[0] = 0; 1085 Ident(x)[kSize-1] = 0; 1086} 1087 1088static void LotsOfStackReuse() { 1089 int LargeStack[10000]; 1090 Ident(LargeStack)[0] = 0; 1091 for (int i = 0; i < 10000; i++) { 1092 FuncWithStack<128 * 1>(); 1093 FuncWithStack<128 * 2>(); 1094 FuncWithStack<128 * 4>(); 1095 FuncWithStack<128 * 8>(); 1096 FuncWithStack<128 * 16>(); 1097 FuncWithStack<128 * 32>(); 1098 FuncWithStack<128 * 64>(); 1099 FuncWithStack<128 * 128>(); 1100 FuncWithStack<128 * 256>(); 1101 FuncWithStack<128 * 512>(); 1102 Ident(LargeStack)[0] = 0; 1103 } 1104} 1105 1106TEST(AddressSanitizer, StressStackReuseTest) { 1107 LotsOfStackReuse(); 1108} 1109 1110TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1111 const int kNumThreads = 20; 1112 pthread_t t[kNumThreads]; 1113 for (int i = 0; i < kNumThreads; i++) { 1114 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1115 } 1116 for (int i = 0; i < kNumThreads; i++) { 1117 PTHREAD_JOIN(t[i], 0); 1118 } 1119} 1120 1121// pthread_exit tries to perform unwinding stuff that leads to dlopen'ing 1122// libgcc_s.so. dlopen in its turn calls malloc to store "libgcc_s.so" string 1123// that confuses LSan on Thumb because it fails to understand that this 1124// allocation happens in dynamic linker and should be ignored. 1125#if !defined(__thumb__) 1126static void *PthreadExit(void *a) { 1127 pthread_exit(0); 1128 return 0; 1129} 1130 1131TEST(AddressSanitizer, PthreadExitTest) { 1132 pthread_t t; 1133 for (int i = 0; i < 1000; i++) { 1134 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1135 PTHREAD_JOIN(t, 0); 1136 } 1137} 1138#endif 1139 1140// FIXME: Why does clang-cl define __EXCEPTIONS? 1141#if defined(__EXCEPTIONS) && !defined(_WIN32) 1142NOINLINE static void StackReuseAndException() { 1143 int large_stack[1000]; 1144 Ident(large_stack); 1145 ASAN_THROW(1); 1146} 1147 1148// TODO(kcc): support exceptions with use-after-return. 1149TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1150 for (int i = 0; i < 10000; i++) { 1151 try { 1152 StackReuseAndException(); 1153 } catch(...) { 1154 } 1155 } 1156} 1157#endif 1158 1159#if !defined(_WIN32) 1160TEST(AddressSanitizer, MlockTest) { 1161 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1162 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1163 EXPECT_EQ(0, munlockall()); 1164 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1165} 1166#endif 1167 1168struct LargeStruct { 1169 int foo[100]; 1170}; 1171 1172// Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1173// Struct copy should not cause asan warning even if lhs == rhs. 1174TEST(AddressSanitizer, LargeStructCopyTest) { 1175 LargeStruct a; 1176 *Ident(&a) = *Ident(&a); 1177} 1178 1179ATTRIBUTE_NO_SANITIZE_ADDRESS 1180static void NoSanitizeAddress() { 1181 char *foo = new char[10]; 1182 Ident(foo)[10] = 0; 1183 delete [] foo; 1184} 1185 1186TEST(AddressSanitizer, AttributeNoSanitizeAddressTest) { 1187 Ident(NoSanitizeAddress)(); 1188} 1189 1190// The new/delete/etc mismatch checks don't work on Android, 1191// as calls to new/delete go through malloc/free. 1192// OS X support is tracked here: 1193// https://github.com/google/sanitizers/issues/131 1194// Windows support is tracked here: 1195// https://github.com/google/sanitizers/issues/309 1196#if !defined(__ANDROID__) && \ 1197 !defined(__APPLE__) && \ 1198 !defined(_WIN32) 1199static string MismatchStr(const string &str) { 1200 return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str; 1201} 1202 1203static string MismatchOrNewDeleteTypeStr(const string &mismatch_str) { 1204 return "(" + MismatchStr(mismatch_str) + 1205 ")|(AddressSanitizer: new-delete-type-mismatch)"; 1206} 1207 1208TEST(AddressSanitizer, AllocDeallocMismatch) { 1209 EXPECT_DEATH(free(Ident(new int)), 1210 MismatchStr("operator new vs free")); 1211 EXPECT_DEATH(free(Ident(new int[2])), 1212 MismatchStr("operator new \\[\\] vs free")); 1213 EXPECT_DEATH( 1214 delete (Ident(new int[2])), 1215 MismatchOrNewDeleteTypeStr("operator new \\[\\] vs operator delete")); 1216 EXPECT_DEATH(delete (Ident((int *)malloc(2 * sizeof(int)))), 1217 MismatchOrNewDeleteTypeStr("malloc vs operator delete")); 1218 EXPECT_DEATH(delete [] (Ident(new int)), 1219 MismatchStr("operator new vs operator delete \\[\\]")); 1220 EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))), 1221 MismatchStr("malloc vs operator delete \\[\\]")); 1222} 1223#endif 1224 1225// ------------------ demo tests; run each one-by-one ------------- 1226// e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1227TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1228 ThreadedTestSpawn(); 1229} 1230 1231void *SimpleBugOnSTack(void *x = 0) { 1232 char a[20]; 1233 Ident(a)[20] = 0; 1234 return 0; 1235} 1236 1237TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1238 SimpleBugOnSTack(); 1239} 1240 1241TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1242 pthread_t t; 1243 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1244 PTHREAD_JOIN(t, 0); 1245} 1246 1247TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1248 uaf_test<U1>(10, 0); 1249} 1250TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1251 uaf_test<U1>(10, -2); 1252} 1253TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 1254 uaf_test<U1>(10, 10); 1255} 1256 1257TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 1258 uaf_test<U1>(kLargeMalloc, 0); 1259} 1260 1261TEST(AddressSanitizer, DISABLED_DemoOOM) { 1262 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 1263 printf("%p\n", malloc(size)); 1264} 1265 1266TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 1267 DoubleFree(); 1268} 1269 1270TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 1271 int *a = 0; 1272 Ident(a)[10] = 0; 1273} 1274 1275TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 1276 static char a[100]; 1277 static char b[100]; 1278 static char c[100]; 1279 Ident(a); 1280 Ident(b); 1281 Ident(c); 1282 Ident(a)[5] = 0; 1283 Ident(b)[105] = 0; 1284 Ident(a)[5] = 0; 1285} 1286 1287TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 1288 const size_t kAllocSize = (1 << 28) - 1024; 1289 size_t total_size = 0; 1290 while (true) { 1291 void *x = malloc(kAllocSize); 1292 memset(x, 0, kAllocSize); 1293 total_size += kAllocSize; 1294 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 1295 } 1296} 1297 1298#if !defined(__NetBSD__) && !defined(__i386__) 1299// https://github.com/google/sanitizers/issues/66 1300TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 1301 for (int i = 0; i < 1000000; i++) { 1302 delete [] (Ident(new char [8644])); 1303 } 1304 char *x = new char[8192]; 1305 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 1306 delete [] Ident(x); 1307} 1308#endif 1309 1310 1311// Test that instrumentation of stack allocations takes into account 1312// AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 1313// See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 1314TEST(AddressSanitizer, LongDoubleNegativeTest) { 1315 long double a, b; 1316 static long double c; 1317 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 1318 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 1319} 1320 1321#if !defined(_WIN32) 1322TEST(AddressSanitizer, pthread_getschedparam) { 1323 int policy; 1324 struct sched_param param; 1325 EXPECT_DEATH( 1326 pthread_getschedparam(pthread_self(), &policy, Ident(¶m) + 2), 1327 "AddressSanitizer: stack-buffer-.*flow"); 1328 EXPECT_DEATH( 1329 pthread_getschedparam(pthread_self(), Ident(&policy) - 1, ¶m), 1330 "AddressSanitizer: stack-buffer-.*flow"); 1331 int res = pthread_getschedparam(pthread_self(), &policy, ¶m); 1332 ASSERT_EQ(0, res); 1333} 1334#endif 1335 1336#if SANITIZER_TEST_HAS_PRINTF_L 1337static int vsnprintf_l_wrapper(char *s, size_t n, 1338 locale_t l, const char *format, ...) { 1339 va_list va; 1340 va_start(va, format); 1341 int res = vsnprintf_l(s, n , l, format, va); 1342 va_end(va); 1343 return res; 1344} 1345 1346TEST(AddressSanitizer, snprintf_l) { 1347 char buff[5]; 1348 // Check that snprintf_l() works fine with Asan. 1349 int res = snprintf_l(buff, 5, SANITIZER_GET_C_LOCALE, "%s", "snprintf_l()"); 1350 EXPECT_EQ(12, res); 1351 // Check that vsnprintf_l() works fine with Asan. 1352 res = vsnprintf_l_wrapper(buff, 5, SANITIZER_GET_C_LOCALE, "%s", 1353 "vsnprintf_l()"); 1354 EXPECT_EQ(13, res); 1355 1356 EXPECT_DEATH( 1357 snprintf_l(buff, 10, SANITIZER_GET_C_LOCALE, "%s", "snprintf_l()"), 1358 "AddressSanitizer: stack-buffer-overflow"); 1359 EXPECT_DEATH(vsnprintf_l_wrapper(buff, 10, SANITIZER_GET_C_LOCALE, "%s", 1360 "vsnprintf_l()"), 1361 "AddressSanitizer: stack-buffer-overflow"); 1362} 1363#endif 1364