Home | History | Annotate | Download | only in tests
      1 //===-- asan_test.cc ------------------------------------------------------===//
      2 //
      3 //                     The LLVM Compiler Infrastructure
      4 //
      5 // This file is distributed under the University of Illinois Open Source
      6 // License. See LICENSE.TXT for details.
      7 //
      8 //===----------------------------------------------------------------------===//
      9 //
     10 // This file is a part of AddressSanitizer, an address sanity checker.
     11 //
     12 //===----------------------------------------------------------------------===//
     13 #include "asan_test_utils.h"
     14 
     15 NOINLINE void *malloc_fff(size_t size) {
     16   void *res = malloc/**/(size); break_optimization(0); return res;}
     17 NOINLINE void *malloc_eee(size_t size) {
     18   void *res = malloc_fff(size); break_optimization(0); return res;}
     19 NOINLINE void *malloc_ddd(size_t size) {
     20   void *res = malloc_eee(size); break_optimization(0); return res;}
     21 NOINLINE void *malloc_ccc(size_t size) {
     22   void *res = malloc_ddd(size); break_optimization(0); return res;}
     23 NOINLINE void *malloc_bbb(size_t size) {
     24   void *res = malloc_ccc(size); break_optimization(0); return res;}
     25 NOINLINE void *malloc_aaa(size_t size) {
     26   void *res = malloc_bbb(size); break_optimization(0); return res;}
     27 
     28 #ifndef __APPLE__
     29 NOINLINE void *memalign_fff(size_t alignment, size_t size) {
     30   void *res = memalign/**/(alignment, size); break_optimization(0); return res;}
     31 NOINLINE void *memalign_eee(size_t alignment, size_t size) {
     32   void *res = memalign_fff(alignment, size); break_optimization(0); return res;}
     33 NOINLINE void *memalign_ddd(size_t alignment, size_t size) {
     34   void *res = memalign_eee(alignment, size); break_optimization(0); return res;}
     35 NOINLINE void *memalign_ccc(size_t alignment, size_t size) {
     36   void *res = memalign_ddd(alignment, size); break_optimization(0); return res;}
     37 NOINLINE void *memalign_bbb(size_t alignment, size_t size) {
     38   void *res = memalign_ccc(alignment, size); break_optimization(0); return res;}
     39 NOINLINE void *memalign_aaa(size_t alignment, size_t size) {
     40   void *res = memalign_bbb(alignment, size); break_optimization(0); return res;}
     41 #endif  // __APPLE__
     42 
     43 
     44 NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);}
     45 NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);}
     46 NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);}
     47 
     48 
     49 template<typename T>
     50 NOINLINE void uaf_test(int size, int off) {
     51   char *p = (char *)malloc_aaa(size);
     52   free_aaa(p);
     53   for (int i = 1; i < 100; i++)
     54     free_aaa(malloc_aaa(i));
     55   fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n",
     56           (long)sizeof(T), p, off);
     57   asan_write((T*)(p + off));
     58 }
     59 
     60 TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) {
     61 #if defined(__has_feature) && __has_feature(address_sanitizer)
     62   bool asan = 1;
     63 #elif defined(__SANITIZE_ADDRESS__)
     64   bool asan = 1;
     65 #else
     66   bool asan = 0;
     67 #endif
     68   EXPECT_EQ(true, asan);
     69 }
     70 
     71 TEST(AddressSanitizer, SimpleDeathTest) {
     72   EXPECT_DEATH(exit(1), "");
     73 }
     74 
     75 TEST(AddressSanitizer, VariousMallocsTest) {
     76   int *a = (int*)malloc(100 * sizeof(int));
     77   a[50] = 0;
     78   free(a);
     79 
     80   int *r = (int*)malloc(10);
     81   r = (int*)realloc(r, 2000 * sizeof(int));
     82   r[1000] = 0;
     83   free(r);
     84 
     85   int *b = new int[100];
     86   b[50] = 0;
     87   delete [] b;
     88 
     89   int *c = new int;
     90   *c = 0;
     91   delete c;
     92 
     93 #if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__)
     94   int *pm;
     95   int pm_res = posix_memalign((void**)&pm, kPageSize, kPageSize);
     96   EXPECT_EQ(0, pm_res);
     97   free(pm);
     98 #endif
     99 
    100 #if !defined(__APPLE__)
    101   int *ma = (int*)memalign(kPageSize, kPageSize);
    102   EXPECT_EQ(0U, (uintptr_t)ma % kPageSize);
    103   ma[123] = 0;
    104   free(ma);
    105 #endif  // __APPLE__
    106 }
    107 
    108 TEST(AddressSanitizer, CallocTest) {
    109   int *a = (int*)calloc(100, sizeof(int));
    110   EXPECT_EQ(0, a[10]);
    111   free(a);
    112 }
    113 
    114 TEST(AddressSanitizer, VallocTest) {
    115   void *a = valloc(100);
    116   EXPECT_EQ(0U, (uintptr_t)a % kPageSize);
    117   free(a);
    118 }
    119 
    120 #ifndef __APPLE__
    121 TEST(AddressSanitizer, PvallocTest) {
    122   char *a = (char*)pvalloc(kPageSize + 100);
    123   EXPECT_EQ(0U, (uintptr_t)a % kPageSize);
    124   a[kPageSize + 101] = 1;  // we should not report an error here.
    125   free(a);
    126 
    127   a = (char*)pvalloc(0);  // pvalloc(0) should allocate at least one page.
    128   EXPECT_EQ(0U, (uintptr_t)a % kPageSize);
    129   a[101] = 1;  // we should not report an error here.
    130   free(a);
    131 }
    132 #endif  // __APPLE__
    133 
    134 void *TSDWorker(void *test_key) {
    135   if (test_key) {
    136     pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface);
    137   }
    138   return NULL;
    139 }
    140 
    141 void TSDDestructor(void *tsd) {
    142   // Spawning a thread will check that the current thread id is not -1.
    143   pthread_t th;
    144   PTHREAD_CREATE(&th, NULL, TSDWorker, NULL);
    145   PTHREAD_JOIN(th, NULL);
    146 }
    147 
    148 // This tests triggers the thread-specific data destruction fiasco which occurs
    149 // if we don't manage the TSD destructors ourselves. We create a new pthread
    150 // key with a non-NULL destructor which is likely to be put after the destructor
    151 // of AsanThread in the list of destructors.
    152 // In this case the TSD for AsanThread will be destroyed before TSDDestructor
    153 // is called for the child thread, and a CHECK will fail when we call
    154 // pthread_create() to spawn the grandchild.
    155 TEST(AddressSanitizer, DISABLED_TSDTest) {
    156   pthread_t th;
    157   pthread_key_t test_key;
    158   pthread_key_create(&test_key, TSDDestructor);
    159   PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key);
    160   PTHREAD_JOIN(th, NULL);
    161   pthread_key_delete(test_key);
    162 }
    163 
    164 TEST(AddressSanitizer, UAF_char) {
    165   const char *uaf_string = "AddressSanitizer:.*heap-use-after-free";
    166   EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string);
    167   EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string);
    168   EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string);
    169   EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string);
    170   EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string);
    171 }
    172 
    173 TEST(AddressSanitizer, UAF_long_double) {
    174   if (sizeof(long double) == sizeof(double)) return;
    175   long double *p = Ident(new long double[10]);
    176   EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 10");
    177   EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 10");
    178   delete [] Ident(p);
    179 }
    180 
    181 struct Packed5 {
    182   int x;
    183   char c;
    184 } __attribute__((packed));
    185 
    186 
    187 TEST(AddressSanitizer, UAF_Packed5) {
    188   Packed5 *p = Ident(new Packed5[2]);
    189   EXPECT_DEATH(p[0] = p[3], "READ of size 5");
    190   EXPECT_DEATH(p[3] = p[0], "WRITE of size 5");
    191   delete [] Ident(p);
    192 }
    193 
    194 #if ASAN_HAS_BLACKLIST
    195 TEST(AddressSanitizer, IgnoreTest) {
    196   int *x = Ident(new int);
    197   delete Ident(x);
    198   *x = 0;
    199 }
    200 #endif  // ASAN_HAS_BLACKLIST
    201 
    202 struct StructWithBitField {
    203   int bf1:1;
    204   int bf2:1;
    205   int bf3:1;
    206   int bf4:29;
    207 };
    208 
    209 TEST(AddressSanitizer, BitFieldPositiveTest) {
    210   StructWithBitField *x = new StructWithBitField;
    211   delete Ident(x);
    212   EXPECT_DEATH(x->bf1 = 0, "use-after-free");
    213   EXPECT_DEATH(x->bf2 = 0, "use-after-free");
    214   EXPECT_DEATH(x->bf3 = 0, "use-after-free");
    215   EXPECT_DEATH(x->bf4 = 0, "use-after-free");
    216 }
    217 
    218 struct StructWithBitFields_8_24 {
    219   int a:8;
    220   int b:24;
    221 };
    222 
    223 TEST(AddressSanitizer, BitFieldNegativeTest) {
    224   StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24);
    225   x->a = 0;
    226   x->b = 0;
    227   delete Ident(x);
    228 }
    229 
    230 TEST(AddressSanitizer, OutOfMemoryTest) {
    231   size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 48) : (0xf0000000);
    232   EXPECT_EQ(0, realloc(0, size));
    233   EXPECT_EQ(0, realloc(0, ~Ident(0)));
    234   EXPECT_EQ(0, malloc(size));
    235   EXPECT_EQ(0, malloc(~Ident(0)));
    236   EXPECT_EQ(0, calloc(1, size));
    237   EXPECT_EQ(0, calloc(1, ~Ident(0)));
    238 }
    239 
    240 #if ASAN_NEEDS_SEGV
    241 namespace {
    242 
    243 const char kUnknownCrash[] = "AddressSanitizer: SEGV on unknown address";
    244 const char kOverriddenHandler[] = "ASan signal handler has been overridden\n";
    245 
    246 TEST(AddressSanitizer, WildAddressTest) {
    247   char *c = (char*)0x123;
    248   EXPECT_DEATH(*c = 0, kUnknownCrash);
    249 }
    250 
    251 void my_sigaction_sighandler(int, siginfo_t*, void*) {
    252   fprintf(stderr, kOverriddenHandler);
    253   exit(1);
    254 }
    255 
    256 void my_signal_sighandler(int signum) {
    257   fprintf(stderr, kOverriddenHandler);
    258   exit(1);
    259 }
    260 
    261 TEST(AddressSanitizer, SignalTest) {
    262   struct sigaction sigact;
    263   memset(&sigact, 0, sizeof(sigact));
    264   sigact.sa_sigaction = my_sigaction_sighandler;
    265   sigact.sa_flags = SA_SIGINFO;
    266   // ASan should silently ignore sigaction()...
    267   EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0));
    268 #ifdef __APPLE__
    269   EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0));
    270 #endif
    271   char *c = (char*)0x123;
    272   EXPECT_DEATH(*c = 0, kUnknownCrash);
    273   // ... and signal().
    274   EXPECT_EQ(0, signal(SIGSEGV, my_signal_sighandler));
    275   EXPECT_DEATH(*c = 0, kUnknownCrash);
    276 }
    277 }  // namespace
    278 #endif
    279 
    280 static void TestLargeMalloc(size_t size) {
    281   char buff[1024];
    282   sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size);
    283   EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff);
    284 }
    285 
    286 TEST(AddressSanitizer, LargeMallocTest) {
    287   const int max_size = (SANITIZER_WORDSIZE == 32) ? 1 << 26 : 1 << 28;
    288   for (int i = 113; i < max_size; i = i * 2 + 13) {
    289     TestLargeMalloc(i);
    290   }
    291 }
    292 
    293 TEST(AddressSanitizer, HugeMallocTest) {
    294   if (SANITIZER_WORDSIZE != 64) return;
    295   size_t n_megs = 4100;
    296   TestLargeMalloc(n_megs << 20);
    297 }
    298 
    299 #ifndef __APPLE__
    300 void MemalignRun(size_t align, size_t size, int idx) {
    301   char *p = (char *)memalign(align, size);
    302   Ident(p)[idx] = 0;
    303   free(p);
    304 }
    305 
    306 TEST(AddressSanitizer, memalign) {
    307   for (int align = 16; align <= (1 << 23); align *= 2) {
    308     size_t size = align * 5;
    309     EXPECT_DEATH(MemalignRun(align, size, -1),
    310                  "is located 1 bytes to the left");
    311     EXPECT_DEATH(MemalignRun(align, size, size + 1),
    312                  "is located 1 bytes to the right");
    313   }
    314 }
    315 #endif
    316 
    317 void *ManyThreadsWorker(void *a) {
    318   for (int iter = 0; iter < 100; iter++) {
    319     for (size_t size = 100; size < 2000; size *= 2) {
    320       free(Ident(malloc(size)));
    321     }
    322   }
    323   return 0;
    324 }
    325 
    326 TEST(AddressSanitizer, ManyThreadsTest) {
    327   const size_t kNumThreads =
    328       (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000;
    329   pthread_t t[kNumThreads];
    330   for (size_t i = 0; i < kNumThreads; i++) {
    331     PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i);
    332   }
    333   for (size_t i = 0; i < kNumThreads; i++) {
    334     PTHREAD_JOIN(t[i], 0);
    335   }
    336 }
    337 
    338 TEST(AddressSanitizer, ReallocTest) {
    339   const int kMinElem = 5;
    340   int *ptr = (int*)malloc(sizeof(int) * kMinElem);
    341   ptr[3] = 3;
    342   for (int i = 0; i < 10000; i++) {
    343     ptr = (int*)realloc(ptr,
    344         (my_rand() % 1000 + kMinElem) * sizeof(int));
    345     EXPECT_EQ(3, ptr[3]);
    346   }
    347   free(ptr);
    348   // Realloc pointer returned by malloc(0).
    349   int *ptr2 = Ident((int*)malloc(0));
    350   ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2)));
    351   *ptr2 = 42;
    352   EXPECT_EQ(42, *ptr2);
    353   free(ptr2);
    354 }
    355 
    356 TEST(AddressSanitizer, ZeroSizeMallocTest) {
    357   // Test that malloc(0) and similar functions don't return NULL.
    358   void *ptr = Ident(malloc(0));
    359   EXPECT_TRUE(NULL != ptr);
    360   free(ptr);
    361 #if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__)
    362   int pm_res = posix_memalign(&ptr, 1<<20, 0);
    363   EXPECT_EQ(0, pm_res);
    364   EXPECT_TRUE(NULL != ptr);
    365   free(ptr);
    366 #endif
    367   int *int_ptr = new int[0];
    368   int *int_ptr2 = new int[0];
    369   EXPECT_TRUE(NULL != int_ptr);
    370   EXPECT_TRUE(NULL != int_ptr2);
    371   EXPECT_NE(int_ptr, int_ptr2);
    372   delete[] int_ptr;
    373   delete[] int_ptr2;
    374 }
    375 
    376 #ifndef __APPLE__
    377 static const char *kMallocUsableSizeErrorMsg =
    378   "AddressSanitizer: attempting to call malloc_usable_size()";
    379 
    380 TEST(AddressSanitizer, MallocUsableSizeTest) {
    381   const size_t kArraySize = 100;
    382   char *array = Ident((char*)malloc(kArraySize));
    383   int *int_ptr = Ident(new int);
    384   EXPECT_EQ(0U, malloc_usable_size(NULL));
    385   EXPECT_EQ(kArraySize, malloc_usable_size(array));
    386   EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr));
    387   EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg);
    388   EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2),
    389                kMallocUsableSizeErrorMsg);
    390   free(array);
    391   EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg);
    392 }
    393 #endif
    394 
    395 void WrongFree() {
    396   int *x = (int*)malloc(100 * sizeof(int));
    397   // Use the allocated memory, otherwise Clang will optimize it out.
    398   Ident(x);
    399   free(x + 1);
    400 }
    401 
    402 TEST(AddressSanitizer, WrongFreeTest) {
    403   EXPECT_DEATH(WrongFree(),
    404                "ERROR: AddressSanitizer: attempting free.*not malloc");
    405 }
    406 
    407 void DoubleFree() {
    408   int *x = (int*)malloc(100 * sizeof(int));
    409   fprintf(stderr, "DoubleFree: x=%p\n", x);
    410   free(x);
    411   free(x);
    412   fprintf(stderr, "should have failed in the second free(%p)\n", x);
    413   abort();
    414 }
    415 
    416 TEST(AddressSanitizer, DoubleFreeTest) {
    417   EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL
    418                "ERROR: AddressSanitizer: attempting double-free"
    419                ".*is located 0 bytes inside of 400-byte region"
    420                ".*freed by thread T0 here"
    421                ".*previously allocated by thread T0 here");
    422 }
    423 
    424 template<int kSize>
    425 NOINLINE void SizedStackTest() {
    426   char a[kSize];
    427   char  *A = Ident((char*)&a);
    428   for (size_t i = 0; i < kSize; i++)
    429     A[i] = i;
    430   EXPECT_DEATH(A[-1] = 0, "");
    431   EXPECT_DEATH(A[-20] = 0, "");
    432   EXPECT_DEATH(A[-31] = 0, "");
    433   EXPECT_DEATH(A[kSize] = 0, "");
    434   EXPECT_DEATH(A[kSize + 1] = 0, "");
    435   EXPECT_DEATH(A[kSize + 10] = 0, "");
    436   EXPECT_DEATH(A[kSize + 31] = 0, "");
    437 }
    438 
    439 TEST(AddressSanitizer, SimpleStackTest) {
    440   SizedStackTest<1>();
    441   SizedStackTest<2>();
    442   SizedStackTest<3>();
    443   SizedStackTest<4>();
    444   SizedStackTest<5>();
    445   SizedStackTest<6>();
    446   SizedStackTest<7>();
    447   SizedStackTest<16>();
    448   SizedStackTest<25>();
    449   SizedStackTest<34>();
    450   SizedStackTest<43>();
    451   SizedStackTest<51>();
    452   SizedStackTest<62>();
    453   SizedStackTest<64>();
    454   SizedStackTest<128>();
    455 }
    456 
    457 TEST(AddressSanitizer, ManyStackObjectsTest) {
    458   char XXX[10];
    459   char YYY[20];
    460   char ZZZ[30];
    461   Ident(XXX);
    462   Ident(YYY);
    463   EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ");
    464 }
    465 
    466 NOINLINE static void Frame0(int frame, char *a, char *b, char *c) {
    467   char d[4] = {0};
    468   char *D = Ident(d);
    469   switch (frame) {
    470     case 3: a[5]++; break;
    471     case 2: b[5]++; break;
    472     case 1: c[5]++; break;
    473     case 0: D[5]++; break;
    474   }
    475 }
    476 NOINLINE static void Frame1(int frame, char *a, char *b) {
    477   char c[4] = {0}; Frame0(frame, a, b, c);
    478   break_optimization(0);
    479 }
    480 NOINLINE static void Frame2(int frame, char *a) {
    481   char b[4] = {0}; Frame1(frame, a, b);
    482   break_optimization(0);
    483 }
    484 NOINLINE static void Frame3(int frame) {
    485   char a[4] = {0}; Frame2(frame, a);
    486   break_optimization(0);
    487 }
    488 
    489 TEST(AddressSanitizer, GuiltyStackFrame0Test) {
    490   EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0");
    491 }
    492 TEST(AddressSanitizer, GuiltyStackFrame1Test) {
    493   EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1");
    494 }
    495 TEST(AddressSanitizer, GuiltyStackFrame2Test) {
    496   EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2");
    497 }
    498 TEST(AddressSanitizer, GuiltyStackFrame3Test) {
    499   EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3");
    500 }
    501 
    502 NOINLINE void LongJmpFunc1(jmp_buf buf) {
    503   // create three red zones for these two stack objects.
    504   int a;
    505   int b;
    506 
    507   int *A = Ident(&a);
    508   int *B = Ident(&b);
    509   *A = *B;
    510   longjmp(buf, 1);
    511 }
    512 
    513 NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) {
    514   // create three red zones for these two stack objects.
    515   int a;
    516   int b;
    517 
    518   int *A = Ident(&a);
    519   int *B = Ident(&b);
    520   *A = *B;
    521   __builtin_longjmp((void**)buf, 1);
    522 }
    523 
    524 NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) {
    525   // create three red zones for these two stack objects.
    526   int a;
    527   int b;
    528 
    529   int *A = Ident(&a);
    530   int *B = Ident(&b);
    531   *A = *B;
    532   _longjmp(buf, 1);
    533 }
    534 
    535 NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) {
    536   // create three red zones for these two stack objects.
    537   int a;
    538   int b;
    539 
    540   int *A = Ident(&a);
    541   int *B = Ident(&b);
    542   *A = *B;
    543   siglongjmp(buf, 1);
    544 }
    545 
    546 
    547 NOINLINE void TouchStackFunc() {
    548   int a[100];  // long array will intersect with redzones from LongJmpFunc1.
    549   int *A = Ident(a);
    550   for (int i = 0; i < 100; i++)
    551     A[i] = i*i;
    552 }
    553 
    554 // Test that we handle longjmp and do not report fals positives on stack.
    555 TEST(AddressSanitizer, LongJmpTest) {
    556   static jmp_buf buf;
    557   if (!setjmp(buf)) {
    558     LongJmpFunc1(buf);
    559   } else {
    560     TouchStackFunc();
    561   }
    562 }
    563 
    564 #if not defined(__ANDROID__)
    565 TEST(AddressSanitizer, BuiltinLongJmpTest) {
    566   static jmp_buf buf;
    567   if (!__builtin_setjmp((void**)buf)) {
    568     BuiltinLongJmpFunc1(buf);
    569   } else {
    570     TouchStackFunc();
    571   }
    572 }
    573 #endif  // not defined(__ANDROID__)
    574 
    575 TEST(AddressSanitizer, UnderscopeLongJmpTest) {
    576   static jmp_buf buf;
    577   if (!_setjmp(buf)) {
    578     UnderscopeLongJmpFunc1(buf);
    579   } else {
    580     TouchStackFunc();
    581   }
    582 }
    583 
    584 TEST(AddressSanitizer, SigLongJmpTest) {
    585   static sigjmp_buf buf;
    586   if (!sigsetjmp(buf, 1)) {
    587     SigLongJmpFunc1(buf);
    588   } else {
    589     TouchStackFunc();
    590   }
    591 }
    592 
    593 #ifdef __EXCEPTIONS
    594 NOINLINE void ThrowFunc() {
    595   // create three red zones for these two stack objects.
    596   int a;
    597   int b;
    598 
    599   int *A = Ident(&a);
    600   int *B = Ident(&b);
    601   *A = *B;
    602   ASAN_THROW(1);
    603 }
    604 
    605 TEST(AddressSanitizer, CxxExceptionTest) {
    606   if (ASAN_UAR) return;
    607   // TODO(kcc): this test crashes on 32-bit for some reason...
    608   if (SANITIZER_WORDSIZE == 32) return;
    609   try {
    610     ThrowFunc();
    611   } catch(...) {}
    612   TouchStackFunc();
    613 }
    614 #endif
    615 
    616 void *ThreadStackReuseFunc1(void *unused) {
    617   // create three red zones for these two stack objects.
    618   int a;
    619   int b;
    620 
    621   int *A = Ident(&a);
    622   int *B = Ident(&b);
    623   *A = *B;
    624   pthread_exit(0);
    625   return 0;
    626 }
    627 
    628 void *ThreadStackReuseFunc2(void *unused) {
    629   TouchStackFunc();
    630   return 0;
    631 }
    632 
    633 TEST(AddressSanitizer, ThreadStackReuseTest) {
    634   pthread_t t;
    635   PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0);
    636   PTHREAD_JOIN(t, 0);
    637   PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0);
    638   PTHREAD_JOIN(t, 0);
    639 }
    640 
    641 #if defined(__i386__) || defined(__x86_64__)
    642 TEST(AddressSanitizer, Store128Test) {
    643   char *a = Ident((char*)malloc(Ident(12)));
    644   char *p = a;
    645   if (((uintptr_t)a % 16) != 0)
    646     p = a + 8;
    647   assert(((uintptr_t)p % 16) == 0);
    648   __m128i value_wide = _mm_set1_epi16(0x1234);
    649   EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide),
    650                "AddressSanitizer: heap-buffer-overflow");
    651   EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide),
    652                "WRITE of size 16");
    653   EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide),
    654                "located 0 bytes to the right of 12-byte");
    655   free(a);
    656 }
    657 #endif
    658 
    659 string RightOOBErrorMessage(int oob_distance, bool is_write) {
    660   assert(oob_distance >= 0);
    661   char expected_str[100];
    662   sprintf(expected_str, ASAN_PCRE_DOTALL
    663           "buffer-overflow.*%s.*located %d bytes to the right",
    664           is_write ? "WRITE" : "READ", oob_distance);
    665   return string(expected_str);
    666 }
    667 
    668 string RightOOBWriteMessage(int oob_distance) {
    669   return RightOOBErrorMessage(oob_distance, /*is_write*/true);
    670 }
    671 
    672 string RightOOBReadMessage(int oob_distance) {
    673   return RightOOBErrorMessage(oob_distance, /*is_write*/false);
    674 }
    675 
    676 string LeftOOBErrorMessage(int oob_distance, bool is_write) {
    677   assert(oob_distance > 0);
    678   char expected_str[100];
    679   sprintf(expected_str, ASAN_PCRE_DOTALL "%s.*located %d bytes to the left",
    680           is_write ? "WRITE" : "READ", oob_distance);
    681   return string(expected_str);
    682 }
    683 
    684 string LeftOOBWriteMessage(int oob_distance) {
    685   return LeftOOBErrorMessage(oob_distance, /*is_write*/true);
    686 }
    687 
    688 string LeftOOBReadMessage(int oob_distance) {
    689   return LeftOOBErrorMessage(oob_distance, /*is_write*/false);
    690 }
    691 
    692 string LeftOOBAccessMessage(int oob_distance) {
    693   assert(oob_distance > 0);
    694   char expected_str[100];
    695   sprintf(expected_str, "located %d bytes to the left", oob_distance);
    696   return string(expected_str);
    697 }
    698 
    699 char* MallocAndMemsetString(size_t size, char ch) {
    700   char *s = Ident((char*)malloc(size));
    701   memset(s, ch, size);
    702   return s;
    703 }
    704 
    705 char* MallocAndMemsetString(size_t size) {
    706   return MallocAndMemsetString(size, 'z');
    707 }
    708 
    709 #if defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__)
    710 #define READ_TEST(READ_N_BYTES)                                          \
    711   char *x = new char[10];                                                \
    712   int fd = open("/proc/self/stat", O_RDONLY);                            \
    713   ASSERT_GT(fd, 0);                                                      \
    714   EXPECT_DEATH(READ_N_BYTES,                                             \
    715                ASAN_PCRE_DOTALL                                          \
    716                "AddressSanitizer: heap-buffer-overflow"                  \
    717                ".* is located 0 bytes to the right of 10-byte region");  \
    718   close(fd);                                                             \
    719   delete [] x;                                                           \
    720 
    721 TEST(AddressSanitizer, pread) {
    722   READ_TEST(pread(fd, x, 15, 0));
    723 }
    724 
    725 TEST(AddressSanitizer, pread64) {
    726   READ_TEST(pread64(fd, x, 15, 0));
    727 }
    728 
    729 TEST(AddressSanitizer, read) {
    730   READ_TEST(read(fd, x, 15));
    731 }
    732 #endif  // defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__)
    733 
    734 // This test case fails
    735 // Clang optimizes memcpy/memset calls which lead to unaligned access
    736 TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) {
    737   int size = Ident(4096);
    738   char *s = Ident((char*)malloc(size));
    739   EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0));
    740   free(s);
    741 }
    742 
    743 // TODO(samsonov): Add a test with malloc(0)
    744 // TODO(samsonov): Add tests for str* and mem* functions.
    745 
    746 NOINLINE static int LargeFunction(bool do_bad_access) {
    747   int *x = new int[100];
    748   x[0]++;
    749   x[1]++;
    750   x[2]++;
    751   x[3]++;
    752   x[4]++;
    753   x[5]++;
    754   x[6]++;
    755   x[7]++;
    756   x[8]++;
    757   x[9]++;
    758 
    759   x[do_bad_access ? 100 : 0]++; int res = __LINE__;
    760 
    761   x[10]++;
    762   x[11]++;
    763   x[12]++;
    764   x[13]++;
    765   x[14]++;
    766   x[15]++;
    767   x[16]++;
    768   x[17]++;
    769   x[18]++;
    770   x[19]++;
    771 
    772   delete x;
    773   return res;
    774 }
    775 
    776 // Test the we have correct debug info for the failing instruction.
    777 // This test requires the in-process symbolizer to be enabled by default.
    778 TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) {
    779   int failing_line = LargeFunction(false);
    780   char expected_warning[128];
    781   sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line);
    782   EXPECT_DEATH(LargeFunction(true), expected_warning);
    783 }
    784 
    785 // Check that we unwind and symbolize correctly.
    786 TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) {
    787   int *a = (int*)malloc_aaa(sizeof(int));
    788   *a = 1;
    789   free_aaa(a);
    790   EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*"
    791                "malloc_fff.*malloc_eee.*malloc_ddd");
    792 }
    793 
    794 static bool TryToSetThreadName(const char *name) {
    795 #if defined(__linux__) && defined(PR_SET_NAME)
    796   return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
    797 #else
    798   return false;
    799 #endif
    800 }
    801 
    802 void *ThreadedTestAlloc(void *a) {
    803   EXPECT_EQ(true, TryToSetThreadName("AllocThr"));
    804   int **p = (int**)a;
    805   *p = new int;
    806   return 0;
    807 }
    808 
    809 void *ThreadedTestFree(void *a) {
    810   EXPECT_EQ(true, TryToSetThreadName("FreeThr"));
    811   int **p = (int**)a;
    812   delete *p;
    813   return 0;
    814 }
    815 
    816 void *ThreadedTestUse(void *a) {
    817   EXPECT_EQ(true, TryToSetThreadName("UseThr"));
    818   int **p = (int**)a;
    819   **p = 1;
    820   return 0;
    821 }
    822 
    823 void ThreadedTestSpawn() {
    824   pthread_t t;
    825   int *x;
    826   PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x);
    827   PTHREAD_JOIN(t, 0);
    828   PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x);
    829   PTHREAD_JOIN(t, 0);
    830   PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x);
    831   PTHREAD_JOIN(t, 0);
    832 }
    833 
    834 TEST(AddressSanitizer, ThreadedTest) {
    835   EXPECT_DEATH(ThreadedTestSpawn(),
    836                ASAN_PCRE_DOTALL
    837                "Thread T.*created"
    838                ".*Thread T.*created"
    839                ".*Thread T.*created");
    840 }
    841 
    842 void *ThreadedTestFunc(void *unused) {
    843   // Check if prctl(PR_SET_NAME) is supported. Return if not.
    844   if (!TryToSetThreadName("TestFunc"))
    845     return 0;
    846   EXPECT_DEATH(ThreadedTestSpawn(),
    847                ASAN_PCRE_DOTALL
    848                "WRITE .*thread T. .UseThr."
    849                ".*freed by thread T. .FreeThr. here:"
    850                ".*previously allocated by thread T. .AllocThr. here:"
    851                ".*Thread T. .UseThr. created by T.*TestFunc"
    852                ".*Thread T. .FreeThr. created by T"
    853                ".*Thread T. .AllocThr. created by T"
    854                "");
    855   return 0;
    856 }
    857 
    858 TEST(AddressSanitizer, ThreadNamesTest) {
    859   // Run ThreadedTestFunc in a separate thread because it tries to set a
    860   // thread name and we don't want to change the main thread's name.
    861   pthread_t t;
    862   PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0);
    863   PTHREAD_JOIN(t, 0);
    864 }
    865 
    866 #if ASAN_NEEDS_SEGV
    867 TEST(AddressSanitizer, ShadowGapTest) {
    868 #if SANITIZER_WORDSIZE == 32
    869   char *addr = (char*)0x22000000;
    870 #else
    871   char *addr = (char*)0x0000100000080000;
    872 #endif
    873   EXPECT_DEATH(*addr = 1, "AddressSanitizer: SEGV on unknown");
    874 }
    875 #endif  // ASAN_NEEDS_SEGV
    876 
    877 extern "C" {
    878 NOINLINE static void UseThenFreeThenUse() {
    879   char *x = Ident((char*)malloc(8));
    880   *x = 1;
    881   free_aaa(x);
    882   *x = 2;
    883 }
    884 }
    885 
    886 TEST(AddressSanitizer, UseThenFreeThenUseTest) {
    887   EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread");
    888 }
    889 
    890 TEST(AddressSanitizer, StrDupTest) {
    891   free(strdup(Ident("123")));
    892 }
    893 
    894 // Currently we create and poison redzone at right of global variables.
    895 static char static110[110];
    896 const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7};
    897 static const char StaticConstGlob[3] = {9, 8, 7};
    898 
    899 TEST(AddressSanitizer, GlobalTest) {
    900   static char func_static15[15];
    901 
    902   static char fs1[10];
    903   static char fs2[10];
    904   static char fs3[10];
    905 
    906   glob5[Ident(0)] = 0;
    907   glob5[Ident(1)] = 0;
    908   glob5[Ident(2)] = 0;
    909   glob5[Ident(3)] = 0;
    910   glob5[Ident(4)] = 0;
    911 
    912   EXPECT_DEATH(glob5[Ident(5)] = 0,
    913                "0 bytes to the right of global variable.*glob5.* size 5");
    914   EXPECT_DEATH(glob5[Ident(5+6)] = 0,
    915                "6 bytes to the right of global variable.*glob5.* size 5");
    916   Ident(static110);  // avoid optimizations
    917   static110[Ident(0)] = 0;
    918   static110[Ident(109)] = 0;
    919   EXPECT_DEATH(static110[Ident(110)] = 0,
    920                "0 bytes to the right of global variable");
    921   EXPECT_DEATH(static110[Ident(110+7)] = 0,
    922                "7 bytes to the right of global variable");
    923 
    924   Ident(func_static15);  // avoid optimizations
    925   func_static15[Ident(0)] = 0;
    926   EXPECT_DEATH(func_static15[Ident(15)] = 0,
    927                "0 bytes to the right of global variable");
    928   EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0,
    929                "9 bytes to the right of global variable");
    930 
    931   Ident(fs1);
    932   Ident(fs2);
    933   Ident(fs3);
    934 
    935   // We don't create left redzones, so this is not 100% guaranteed to fail.
    936   // But most likely will.
    937   EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable");
    938 
    939   EXPECT_DEATH(Ident(Ident(ConstGlob)[8]),
    940                "is located 1 bytes to the right of .*ConstGlob");
    941   EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]),
    942                "is located 2 bytes to the right of .*StaticConstGlob");
    943 
    944   // call stuff from another file.
    945   GlobalsTest(0);
    946 }
    947 
    948 TEST(AddressSanitizer, GlobalStringConstTest) {
    949   static const char *zoo = "FOOBAR123";
    950   const char *p = Ident(zoo);
    951   EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'");
    952 }
    953 
    954 TEST(AddressSanitizer, FileNameInGlobalReportTest) {
    955   static char zoo[10];
    956   const char *p = Ident(zoo);
    957   // The file name should be present in the report.
    958   EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test.");
    959 }
    960 
    961 int *ReturnsPointerToALocalObject() {
    962   int a = 0;
    963   return Ident(&a);
    964 }
    965 
    966 #if ASAN_UAR == 1
    967 TEST(AddressSanitizer, LocalReferenceReturnTest) {
    968   int *(*f)() = Ident(ReturnsPointerToALocalObject);
    969   int *p = f();
    970   // Call 'f' a few more times, 'p' should still be poisoned.
    971   for (int i = 0; i < 32; i++)
    972     f();
    973   EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return");
    974   EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal");
    975 }
    976 #endif
    977 
    978 template <int kSize>
    979 NOINLINE static void FuncWithStack() {
    980   char x[kSize];
    981   Ident(x)[0] = 0;
    982   Ident(x)[kSize-1] = 0;
    983 }
    984 
    985 static void LotsOfStackReuse() {
    986   int LargeStack[10000];
    987   Ident(LargeStack)[0] = 0;
    988   for (int i = 0; i < 10000; i++) {
    989     FuncWithStack<128 * 1>();
    990     FuncWithStack<128 * 2>();
    991     FuncWithStack<128 * 4>();
    992     FuncWithStack<128 * 8>();
    993     FuncWithStack<128 * 16>();
    994     FuncWithStack<128 * 32>();
    995     FuncWithStack<128 * 64>();
    996     FuncWithStack<128 * 128>();
    997     FuncWithStack<128 * 256>();
    998     FuncWithStack<128 * 512>();
    999     Ident(LargeStack)[0] = 0;
   1000   }
   1001 }
   1002 
   1003 TEST(AddressSanitizer, StressStackReuseTest) {
   1004   LotsOfStackReuse();
   1005 }
   1006 
   1007 TEST(AddressSanitizer, ThreadedStressStackReuseTest) {
   1008   const int kNumThreads = 20;
   1009   pthread_t t[kNumThreads];
   1010   for (int i = 0; i < kNumThreads; i++) {
   1011     PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0);
   1012   }
   1013   for (int i = 0; i < kNumThreads; i++) {
   1014     PTHREAD_JOIN(t[i], 0);
   1015   }
   1016 }
   1017 
   1018 static void *PthreadExit(void *a) {
   1019   pthread_exit(0);
   1020   return 0;
   1021 }
   1022 
   1023 TEST(AddressSanitizer, PthreadExitTest) {
   1024   pthread_t t;
   1025   for (int i = 0; i < 1000; i++) {
   1026     PTHREAD_CREATE(&t, 0, PthreadExit, 0);
   1027     PTHREAD_JOIN(t, 0);
   1028   }
   1029 }
   1030 
   1031 #ifdef __EXCEPTIONS
   1032 NOINLINE static void StackReuseAndException() {
   1033   int large_stack[1000];
   1034   Ident(large_stack);
   1035   ASAN_THROW(1);
   1036 }
   1037 
   1038 // TODO(kcc): support exceptions with use-after-return.
   1039 TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) {
   1040   for (int i = 0; i < 10000; i++) {
   1041     try {
   1042     StackReuseAndException();
   1043     } catch(...) {
   1044     }
   1045   }
   1046 }
   1047 #endif
   1048 
   1049 TEST(AddressSanitizer, MlockTest) {
   1050   EXPECT_EQ(0, mlockall(MCL_CURRENT));
   1051   EXPECT_EQ(0, mlock((void*)0x12345, 0x5678));
   1052   EXPECT_EQ(0, munlockall());
   1053   EXPECT_EQ(0, munlock((void*)0x987, 0x654));
   1054 }
   1055 
   1056 struct LargeStruct {
   1057   int foo[100];
   1058 };
   1059 
   1060 // Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763.
   1061 // Struct copy should not cause asan warning even if lhs == rhs.
   1062 TEST(AddressSanitizer, LargeStructCopyTest) {
   1063   LargeStruct a;
   1064   *Ident(&a) = *Ident(&a);
   1065 }
   1066 
   1067 ATTRIBUTE_NO_ADDRESS_SAFETY_ANALYSIS
   1068 static void NoAddressSafety() {
   1069   char *foo = new char[10];
   1070   Ident(foo)[10] = 0;
   1071   delete [] foo;
   1072 }
   1073 
   1074 TEST(AddressSanitizer, AttributeNoAddressSafetyTest) {
   1075   Ident(NoAddressSafety)();
   1076 }
   1077 
   1078 // It doesn't work on Android, as calls to new/delete go through malloc/free.
   1079 #if !defined(ANDROID) && !defined(__ANDROID__)
   1080 static string MismatchStr(const string &str) {
   1081   return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str;
   1082 }
   1083 
   1084 TEST(AddressSanitizer, AllocDeallocMismatch) {
   1085   EXPECT_DEATH(free(Ident(new int)),
   1086                MismatchStr("operator new vs free"));
   1087   EXPECT_DEATH(free(Ident(new int[2])),
   1088                MismatchStr("operator new \\[\\] vs free"));
   1089   EXPECT_DEATH(delete (Ident(new int[2])),
   1090                MismatchStr("operator new \\[\\] vs operator delete"));
   1091   EXPECT_DEATH(delete (Ident((int*)malloc(2 * sizeof(int)))),
   1092                MismatchStr("malloc vs operator delete"));
   1093   EXPECT_DEATH(delete [] (Ident(new int)),
   1094                MismatchStr("operator new vs operator delete \\[\\]"));
   1095   EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))),
   1096                MismatchStr("malloc vs operator delete \\[\\]"));
   1097 }
   1098 #endif
   1099 
   1100 // ------------------ demo tests; run each one-by-one -------------
   1101 // e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests
   1102 TEST(AddressSanitizer, DISABLED_DemoThreadedTest) {
   1103   ThreadedTestSpawn();
   1104 }
   1105 
   1106 void *SimpleBugOnSTack(void *x = 0) {
   1107   char a[20];
   1108   Ident(a)[20] = 0;
   1109   return 0;
   1110 }
   1111 
   1112 TEST(AddressSanitizer, DISABLED_DemoStackTest) {
   1113   SimpleBugOnSTack();
   1114 }
   1115 
   1116 TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) {
   1117   pthread_t t;
   1118   PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0);
   1119   PTHREAD_JOIN(t, 0);
   1120 }
   1121 
   1122 TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) {
   1123   uaf_test<U1>(10, 0);
   1124 }
   1125 TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) {
   1126   uaf_test<U1>(10, -2);
   1127 }
   1128 TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) {
   1129   uaf_test<U1>(10, 10);
   1130 }
   1131 
   1132 TEST(AddressSanitizer, DISABLED_DemoUAFHigh) {
   1133   uaf_test<U1>(kLargeMalloc, 0);
   1134 }
   1135 
   1136 TEST(AddressSanitizer, DISABLED_DemoOOM) {
   1137   size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000);
   1138   printf("%p\n", malloc(size));
   1139 }
   1140 
   1141 TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) {
   1142   DoubleFree();
   1143 }
   1144 
   1145 TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) {
   1146   int *a = 0;
   1147   Ident(a)[10] = 0;
   1148 }
   1149 
   1150 TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) {
   1151   static char a[100];
   1152   static char b[100];
   1153   static char c[100];
   1154   Ident(a);
   1155   Ident(b);
   1156   Ident(c);
   1157   Ident(a)[5] = 0;
   1158   Ident(b)[105] = 0;
   1159   Ident(a)[5] = 0;
   1160 }
   1161 
   1162 TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) {
   1163   const size_t kAllocSize = (1 << 28) - 1024;
   1164   size_t total_size = 0;
   1165   while (true) {
   1166     char *x = (char*)malloc(kAllocSize);
   1167     memset(x, 0, kAllocSize);
   1168     total_size += kAllocSize;
   1169     fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x);
   1170   }
   1171 }
   1172 
   1173 // http://code.google.com/p/address-sanitizer/issues/detail?id=66
   1174 TEST(AddressSanitizer, BufferOverflowAfterManyFrees) {
   1175   for (int i = 0; i < 1000000; i++) {
   1176     delete [] (Ident(new char [8644]));
   1177   }
   1178   char *x = new char[8192];
   1179   EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow");
   1180   delete [] Ident(x);
   1181 }
   1182 
   1183 
   1184 // Test that instrumentation of stack allocations takes into account
   1185 // AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double).
   1186 // See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details.
   1187 TEST(AddressSanitizer, LongDoubleNegativeTest) {
   1188   long double a, b;
   1189   static long double c;
   1190   memcpy(Ident(&a), Ident(&b), sizeof(long double));
   1191   memcpy(Ident(&c), Ident(&b), sizeof(long double));
   1192 }
   1193