1 //===-- asan_test.cc ------------------------------------------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file is a part of AddressSanitizer, an address sanity checker. 11 // 12 //===----------------------------------------------------------------------===// 13 #include "asan_test_utils.h" 14 15 NOINLINE void *malloc_fff(size_t size) { 16 void *res = malloc/**/(size); break_optimization(0); return res;} 17 NOINLINE void *malloc_eee(size_t size) { 18 void *res = malloc_fff(size); break_optimization(0); return res;} 19 NOINLINE void *malloc_ddd(size_t size) { 20 void *res = malloc_eee(size); break_optimization(0); return res;} 21 NOINLINE void *malloc_ccc(size_t size) { 22 void *res = malloc_ddd(size); break_optimization(0); return res;} 23 NOINLINE void *malloc_bbb(size_t size) { 24 void *res = malloc_ccc(size); break_optimization(0); return res;} 25 NOINLINE void *malloc_aaa(size_t size) { 26 void *res = malloc_bbb(size); break_optimization(0); return res;} 27 28 #ifndef __APPLE__ 29 NOINLINE void *memalign_fff(size_t alignment, size_t size) { 30 void *res = memalign/**/(alignment, size); break_optimization(0); return res;} 31 NOINLINE void *memalign_eee(size_t alignment, size_t size) { 32 void *res = memalign_fff(alignment, size); break_optimization(0); return res;} 33 NOINLINE void *memalign_ddd(size_t alignment, size_t size) { 34 void *res = memalign_eee(alignment, size); break_optimization(0); return res;} 35 NOINLINE void *memalign_ccc(size_t alignment, size_t size) { 36 void *res = memalign_ddd(alignment, size); break_optimization(0); return res;} 37 NOINLINE void *memalign_bbb(size_t alignment, size_t size) { 38 void *res = memalign_ccc(alignment, size); break_optimization(0); return res;} 39 NOINLINE void *memalign_aaa(size_t alignment, size_t size) { 40 void *res = memalign_bbb(alignment, size); break_optimization(0); return res;} 41 #endif // __APPLE__ 42 43 44 NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 45 NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 46 NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 47 48 49 template<typename T> 50 NOINLINE void uaf_test(int size, int off) { 51 char *p = (char *)malloc_aaa(size); 52 free_aaa(p); 53 for (int i = 1; i < 100; i++) 54 free_aaa(malloc_aaa(i)); 55 fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 56 (long)sizeof(T), p, off); 57 asan_write((T*)(p + off)); 58 } 59 60 TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 61 #if defined(__has_feature) && __has_feature(address_sanitizer) 62 bool asan = 1; 63 #elif defined(__SANITIZE_ADDRESS__) 64 bool asan = 1; 65 #else 66 bool asan = 0; 67 #endif 68 EXPECT_EQ(true, asan); 69 } 70 71 TEST(AddressSanitizer, SimpleDeathTest) { 72 EXPECT_DEATH(exit(1), ""); 73 } 74 75 TEST(AddressSanitizer, VariousMallocsTest) { 76 int *a = (int*)malloc(100 * sizeof(int)); 77 a[50] = 0; 78 free(a); 79 80 int *r = (int*)malloc(10); 81 r = (int*)realloc(r, 2000 * sizeof(int)); 82 r[1000] = 0; 83 free(r); 84 85 int *b = new int[100]; 86 b[50] = 0; 87 delete [] b; 88 89 int *c = new int; 90 *c = 0; 91 delete c; 92 93 #if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__) 94 int *pm; 95 int pm_res = posix_memalign((void**)&pm, kPageSize, kPageSize); 96 EXPECT_EQ(0, pm_res); 97 free(pm); 98 #endif 99 100 #if !defined(__APPLE__) 101 int *ma = (int*)memalign(kPageSize, kPageSize); 102 EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 103 ma[123] = 0; 104 free(ma); 105 #endif // __APPLE__ 106 } 107 108 TEST(AddressSanitizer, CallocTest) { 109 int *a = (int*)calloc(100, sizeof(int)); 110 EXPECT_EQ(0, a[10]); 111 free(a); 112 } 113 114 TEST(AddressSanitizer, VallocTest) { 115 void *a = valloc(100); 116 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 117 free(a); 118 } 119 120 #ifndef __APPLE__ 121 TEST(AddressSanitizer, PvallocTest) { 122 char *a = (char*)pvalloc(kPageSize + 100); 123 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 124 a[kPageSize + 101] = 1; // we should not report an error here. 125 free(a); 126 127 a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 128 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 129 a[101] = 1; // we should not report an error here. 130 free(a); 131 } 132 #endif // __APPLE__ 133 134 void *TSDWorker(void *test_key) { 135 if (test_key) { 136 pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 137 } 138 return NULL; 139 } 140 141 void TSDDestructor(void *tsd) { 142 // Spawning a thread will check that the current thread id is not -1. 143 pthread_t th; 144 PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 145 PTHREAD_JOIN(th, NULL); 146 } 147 148 // This tests triggers the thread-specific data destruction fiasco which occurs 149 // if we don't manage the TSD destructors ourselves. We create a new pthread 150 // key with a non-NULL destructor which is likely to be put after the destructor 151 // of AsanThread in the list of destructors. 152 // In this case the TSD for AsanThread will be destroyed before TSDDestructor 153 // is called for the child thread, and a CHECK will fail when we call 154 // pthread_create() to spawn the grandchild. 155 TEST(AddressSanitizer, DISABLED_TSDTest) { 156 pthread_t th; 157 pthread_key_t test_key; 158 pthread_key_create(&test_key, TSDDestructor); 159 PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 160 PTHREAD_JOIN(th, NULL); 161 pthread_key_delete(test_key); 162 } 163 164 TEST(AddressSanitizer, UAF_char) { 165 const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 166 EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 167 EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 168 EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 169 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 170 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 171 } 172 173 TEST(AddressSanitizer, UAF_long_double) { 174 if (sizeof(long double) == sizeof(double)) return; 175 long double *p = Ident(new long double[10]); 176 EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 10"); 177 EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 10"); 178 delete [] Ident(p); 179 } 180 181 struct Packed5 { 182 int x; 183 char c; 184 } __attribute__((packed)); 185 186 187 TEST(AddressSanitizer, UAF_Packed5) { 188 Packed5 *p = Ident(new Packed5[2]); 189 EXPECT_DEATH(p[0] = p[3], "READ of size 5"); 190 EXPECT_DEATH(p[3] = p[0], "WRITE of size 5"); 191 delete [] Ident(p); 192 } 193 194 #if ASAN_HAS_BLACKLIST 195 TEST(AddressSanitizer, IgnoreTest) { 196 int *x = Ident(new int); 197 delete Ident(x); 198 *x = 0; 199 } 200 #endif // ASAN_HAS_BLACKLIST 201 202 struct StructWithBitField { 203 int bf1:1; 204 int bf2:1; 205 int bf3:1; 206 int bf4:29; 207 }; 208 209 TEST(AddressSanitizer, BitFieldPositiveTest) { 210 StructWithBitField *x = new StructWithBitField; 211 delete Ident(x); 212 EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 213 EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 214 EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 215 EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 216 } 217 218 struct StructWithBitFields_8_24 { 219 int a:8; 220 int b:24; 221 }; 222 223 TEST(AddressSanitizer, BitFieldNegativeTest) { 224 StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 225 x->a = 0; 226 x->b = 0; 227 delete Ident(x); 228 } 229 230 TEST(AddressSanitizer, OutOfMemoryTest) { 231 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 48) : (0xf0000000); 232 EXPECT_EQ(0, realloc(0, size)); 233 EXPECT_EQ(0, realloc(0, ~Ident(0))); 234 EXPECT_EQ(0, malloc(size)); 235 EXPECT_EQ(0, malloc(~Ident(0))); 236 EXPECT_EQ(0, calloc(1, size)); 237 EXPECT_EQ(0, calloc(1, ~Ident(0))); 238 } 239 240 #if ASAN_NEEDS_SEGV 241 namespace { 242 243 const char kUnknownCrash[] = "AddressSanitizer: SEGV on unknown address"; 244 const char kOverriddenHandler[] = "ASan signal handler has been overridden\n"; 245 246 TEST(AddressSanitizer, WildAddressTest) { 247 char *c = (char*)0x123; 248 EXPECT_DEATH(*c = 0, kUnknownCrash); 249 } 250 251 void my_sigaction_sighandler(int, siginfo_t*, void*) { 252 fprintf(stderr, kOverriddenHandler); 253 exit(1); 254 } 255 256 void my_signal_sighandler(int signum) { 257 fprintf(stderr, kOverriddenHandler); 258 exit(1); 259 } 260 261 TEST(AddressSanitizer, SignalTest) { 262 struct sigaction sigact; 263 memset(&sigact, 0, sizeof(sigact)); 264 sigact.sa_sigaction = my_sigaction_sighandler; 265 sigact.sa_flags = SA_SIGINFO; 266 // ASan should silently ignore sigaction()... 267 EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 268 #ifdef __APPLE__ 269 EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 270 #endif 271 char *c = (char*)0x123; 272 EXPECT_DEATH(*c = 0, kUnknownCrash); 273 // ... and signal(). 274 EXPECT_EQ(0, signal(SIGSEGV, my_signal_sighandler)); 275 EXPECT_DEATH(*c = 0, kUnknownCrash); 276 } 277 } // namespace 278 #endif 279 280 static void TestLargeMalloc(size_t size) { 281 char buff[1024]; 282 sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 283 EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 284 } 285 286 TEST(AddressSanitizer, LargeMallocTest) { 287 const int max_size = (SANITIZER_WORDSIZE == 32) ? 1 << 26 : 1 << 28; 288 for (int i = 113; i < max_size; i = i * 2 + 13) { 289 TestLargeMalloc(i); 290 } 291 } 292 293 TEST(AddressSanitizer, HugeMallocTest) { 294 if (SANITIZER_WORDSIZE != 64) return; 295 size_t n_megs = 4100; 296 TestLargeMalloc(n_megs << 20); 297 } 298 299 #ifndef __APPLE__ 300 void MemalignRun(size_t align, size_t size, int idx) { 301 char *p = (char *)memalign(align, size); 302 Ident(p)[idx] = 0; 303 free(p); 304 } 305 306 TEST(AddressSanitizer, memalign) { 307 for (int align = 16; align <= (1 << 23); align *= 2) { 308 size_t size = align * 5; 309 EXPECT_DEATH(MemalignRun(align, size, -1), 310 "is located 1 bytes to the left"); 311 EXPECT_DEATH(MemalignRun(align, size, size + 1), 312 "is located 1 bytes to the right"); 313 } 314 } 315 #endif 316 317 void *ManyThreadsWorker(void *a) { 318 for (int iter = 0; iter < 100; iter++) { 319 for (size_t size = 100; size < 2000; size *= 2) { 320 free(Ident(malloc(size))); 321 } 322 } 323 return 0; 324 } 325 326 TEST(AddressSanitizer, ManyThreadsTest) { 327 const size_t kNumThreads = 328 (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 329 pthread_t t[kNumThreads]; 330 for (size_t i = 0; i < kNumThreads; i++) { 331 PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 332 } 333 for (size_t i = 0; i < kNumThreads; i++) { 334 PTHREAD_JOIN(t[i], 0); 335 } 336 } 337 338 TEST(AddressSanitizer, ReallocTest) { 339 const int kMinElem = 5; 340 int *ptr = (int*)malloc(sizeof(int) * kMinElem); 341 ptr[3] = 3; 342 for (int i = 0; i < 10000; i++) { 343 ptr = (int*)realloc(ptr, 344 (my_rand() % 1000 + kMinElem) * sizeof(int)); 345 EXPECT_EQ(3, ptr[3]); 346 } 347 free(ptr); 348 // Realloc pointer returned by malloc(0). 349 int *ptr2 = Ident((int*)malloc(0)); 350 ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2))); 351 *ptr2 = 42; 352 EXPECT_EQ(42, *ptr2); 353 free(ptr2); 354 } 355 356 TEST(AddressSanitizer, ZeroSizeMallocTest) { 357 // Test that malloc(0) and similar functions don't return NULL. 358 void *ptr = Ident(malloc(0)); 359 EXPECT_TRUE(NULL != ptr); 360 free(ptr); 361 #if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__) 362 int pm_res = posix_memalign(&ptr, 1<<20, 0); 363 EXPECT_EQ(0, pm_res); 364 EXPECT_TRUE(NULL != ptr); 365 free(ptr); 366 #endif 367 int *int_ptr = new int[0]; 368 int *int_ptr2 = new int[0]; 369 EXPECT_TRUE(NULL != int_ptr); 370 EXPECT_TRUE(NULL != int_ptr2); 371 EXPECT_NE(int_ptr, int_ptr2); 372 delete[] int_ptr; 373 delete[] int_ptr2; 374 } 375 376 #ifndef __APPLE__ 377 static const char *kMallocUsableSizeErrorMsg = 378 "AddressSanitizer: attempting to call malloc_usable_size()"; 379 380 TEST(AddressSanitizer, MallocUsableSizeTest) { 381 const size_t kArraySize = 100; 382 char *array = Ident((char*)malloc(kArraySize)); 383 int *int_ptr = Ident(new int); 384 EXPECT_EQ(0U, malloc_usable_size(NULL)); 385 EXPECT_EQ(kArraySize, malloc_usable_size(array)); 386 EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 387 EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 388 EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 389 kMallocUsableSizeErrorMsg); 390 free(array); 391 EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 392 } 393 #endif 394 395 void WrongFree() { 396 int *x = (int*)malloc(100 * sizeof(int)); 397 // Use the allocated memory, otherwise Clang will optimize it out. 398 Ident(x); 399 free(x + 1); 400 } 401 402 TEST(AddressSanitizer, WrongFreeTest) { 403 EXPECT_DEATH(WrongFree(), 404 "ERROR: AddressSanitizer: attempting free.*not malloc"); 405 } 406 407 void DoubleFree() { 408 int *x = (int*)malloc(100 * sizeof(int)); 409 fprintf(stderr, "DoubleFree: x=%p\n", x); 410 free(x); 411 free(x); 412 fprintf(stderr, "should have failed in the second free(%p)\n", x); 413 abort(); 414 } 415 416 TEST(AddressSanitizer, DoubleFreeTest) { 417 EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 418 "ERROR: AddressSanitizer: attempting double-free" 419 ".*is located 0 bytes inside of 400-byte region" 420 ".*freed by thread T0 here" 421 ".*previously allocated by thread T0 here"); 422 } 423 424 template<int kSize> 425 NOINLINE void SizedStackTest() { 426 char a[kSize]; 427 char *A = Ident((char*)&a); 428 for (size_t i = 0; i < kSize; i++) 429 A[i] = i; 430 EXPECT_DEATH(A[-1] = 0, ""); 431 EXPECT_DEATH(A[-20] = 0, ""); 432 EXPECT_DEATH(A[-31] = 0, ""); 433 EXPECT_DEATH(A[kSize] = 0, ""); 434 EXPECT_DEATH(A[kSize + 1] = 0, ""); 435 EXPECT_DEATH(A[kSize + 10] = 0, ""); 436 EXPECT_DEATH(A[kSize + 31] = 0, ""); 437 } 438 439 TEST(AddressSanitizer, SimpleStackTest) { 440 SizedStackTest<1>(); 441 SizedStackTest<2>(); 442 SizedStackTest<3>(); 443 SizedStackTest<4>(); 444 SizedStackTest<5>(); 445 SizedStackTest<6>(); 446 SizedStackTest<7>(); 447 SizedStackTest<16>(); 448 SizedStackTest<25>(); 449 SizedStackTest<34>(); 450 SizedStackTest<43>(); 451 SizedStackTest<51>(); 452 SizedStackTest<62>(); 453 SizedStackTest<64>(); 454 SizedStackTest<128>(); 455 } 456 457 TEST(AddressSanitizer, ManyStackObjectsTest) { 458 char XXX[10]; 459 char YYY[20]; 460 char ZZZ[30]; 461 Ident(XXX); 462 Ident(YYY); 463 EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 464 } 465 466 NOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 467 char d[4] = {0}; 468 char *D = Ident(d); 469 switch (frame) { 470 case 3: a[5]++; break; 471 case 2: b[5]++; break; 472 case 1: c[5]++; break; 473 case 0: D[5]++; break; 474 } 475 } 476 NOINLINE static void Frame1(int frame, char *a, char *b) { 477 char c[4] = {0}; Frame0(frame, a, b, c); 478 break_optimization(0); 479 } 480 NOINLINE static void Frame2(int frame, char *a) { 481 char b[4] = {0}; Frame1(frame, a, b); 482 break_optimization(0); 483 } 484 NOINLINE static void Frame3(int frame) { 485 char a[4] = {0}; Frame2(frame, a); 486 break_optimization(0); 487 } 488 489 TEST(AddressSanitizer, GuiltyStackFrame0Test) { 490 EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 491 } 492 TEST(AddressSanitizer, GuiltyStackFrame1Test) { 493 EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 494 } 495 TEST(AddressSanitizer, GuiltyStackFrame2Test) { 496 EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 497 } 498 TEST(AddressSanitizer, GuiltyStackFrame3Test) { 499 EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 500 } 501 502 NOINLINE void LongJmpFunc1(jmp_buf buf) { 503 // create three red zones for these two stack objects. 504 int a; 505 int b; 506 507 int *A = Ident(&a); 508 int *B = Ident(&b); 509 *A = *B; 510 longjmp(buf, 1); 511 } 512 513 NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 514 // create three red zones for these two stack objects. 515 int a; 516 int b; 517 518 int *A = Ident(&a); 519 int *B = Ident(&b); 520 *A = *B; 521 __builtin_longjmp((void**)buf, 1); 522 } 523 524 NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 525 // create three red zones for these two stack objects. 526 int a; 527 int b; 528 529 int *A = Ident(&a); 530 int *B = Ident(&b); 531 *A = *B; 532 _longjmp(buf, 1); 533 } 534 535 NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 536 // create three red zones for these two stack objects. 537 int a; 538 int b; 539 540 int *A = Ident(&a); 541 int *B = Ident(&b); 542 *A = *B; 543 siglongjmp(buf, 1); 544 } 545 546 547 NOINLINE void TouchStackFunc() { 548 int a[100]; // long array will intersect with redzones from LongJmpFunc1. 549 int *A = Ident(a); 550 for (int i = 0; i < 100; i++) 551 A[i] = i*i; 552 } 553 554 // Test that we handle longjmp and do not report fals positives on stack. 555 TEST(AddressSanitizer, LongJmpTest) { 556 static jmp_buf buf; 557 if (!setjmp(buf)) { 558 LongJmpFunc1(buf); 559 } else { 560 TouchStackFunc(); 561 } 562 } 563 564 #if not defined(__ANDROID__) 565 TEST(AddressSanitizer, BuiltinLongJmpTest) { 566 static jmp_buf buf; 567 if (!__builtin_setjmp((void**)buf)) { 568 BuiltinLongJmpFunc1(buf); 569 } else { 570 TouchStackFunc(); 571 } 572 } 573 #endif // not defined(__ANDROID__) 574 575 TEST(AddressSanitizer, UnderscopeLongJmpTest) { 576 static jmp_buf buf; 577 if (!_setjmp(buf)) { 578 UnderscopeLongJmpFunc1(buf); 579 } else { 580 TouchStackFunc(); 581 } 582 } 583 584 TEST(AddressSanitizer, SigLongJmpTest) { 585 static sigjmp_buf buf; 586 if (!sigsetjmp(buf, 1)) { 587 SigLongJmpFunc1(buf); 588 } else { 589 TouchStackFunc(); 590 } 591 } 592 593 #ifdef __EXCEPTIONS 594 NOINLINE void ThrowFunc() { 595 // create three red zones for these two stack objects. 596 int a; 597 int b; 598 599 int *A = Ident(&a); 600 int *B = Ident(&b); 601 *A = *B; 602 ASAN_THROW(1); 603 } 604 605 TEST(AddressSanitizer, CxxExceptionTest) { 606 if (ASAN_UAR) return; 607 // TODO(kcc): this test crashes on 32-bit for some reason... 608 if (SANITIZER_WORDSIZE == 32) return; 609 try { 610 ThrowFunc(); 611 } catch(...) {} 612 TouchStackFunc(); 613 } 614 #endif 615 616 void *ThreadStackReuseFunc1(void *unused) { 617 // create three red zones for these two stack objects. 618 int a; 619 int b; 620 621 int *A = Ident(&a); 622 int *B = Ident(&b); 623 *A = *B; 624 pthread_exit(0); 625 return 0; 626 } 627 628 void *ThreadStackReuseFunc2(void *unused) { 629 TouchStackFunc(); 630 return 0; 631 } 632 633 TEST(AddressSanitizer, ThreadStackReuseTest) { 634 pthread_t t; 635 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 636 PTHREAD_JOIN(t, 0); 637 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 638 PTHREAD_JOIN(t, 0); 639 } 640 641 #if defined(__i386__) || defined(__x86_64__) 642 TEST(AddressSanitizer, Store128Test) { 643 char *a = Ident((char*)malloc(Ident(12))); 644 char *p = a; 645 if (((uintptr_t)a % 16) != 0) 646 p = a + 8; 647 assert(((uintptr_t)p % 16) == 0); 648 __m128i value_wide = _mm_set1_epi16(0x1234); 649 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 650 "AddressSanitizer: heap-buffer-overflow"); 651 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 652 "WRITE of size 16"); 653 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 654 "located 0 bytes to the right of 12-byte"); 655 free(a); 656 } 657 #endif 658 659 string RightOOBErrorMessage(int oob_distance, bool is_write) { 660 assert(oob_distance >= 0); 661 char expected_str[100]; 662 sprintf(expected_str, ASAN_PCRE_DOTALL 663 "buffer-overflow.*%s.*located %d bytes to the right", 664 is_write ? "WRITE" : "READ", oob_distance); 665 return string(expected_str); 666 } 667 668 string RightOOBWriteMessage(int oob_distance) { 669 return RightOOBErrorMessage(oob_distance, /*is_write*/true); 670 } 671 672 string RightOOBReadMessage(int oob_distance) { 673 return RightOOBErrorMessage(oob_distance, /*is_write*/false); 674 } 675 676 string LeftOOBErrorMessage(int oob_distance, bool is_write) { 677 assert(oob_distance > 0); 678 char expected_str[100]; 679 sprintf(expected_str, ASAN_PCRE_DOTALL "%s.*located %d bytes to the left", 680 is_write ? "WRITE" : "READ", oob_distance); 681 return string(expected_str); 682 } 683 684 string LeftOOBWriteMessage(int oob_distance) { 685 return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 686 } 687 688 string LeftOOBReadMessage(int oob_distance) { 689 return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 690 } 691 692 string LeftOOBAccessMessage(int oob_distance) { 693 assert(oob_distance > 0); 694 char expected_str[100]; 695 sprintf(expected_str, "located %d bytes to the left", oob_distance); 696 return string(expected_str); 697 } 698 699 char* MallocAndMemsetString(size_t size, char ch) { 700 char *s = Ident((char*)malloc(size)); 701 memset(s, ch, size); 702 return s; 703 } 704 705 char* MallocAndMemsetString(size_t size) { 706 return MallocAndMemsetString(size, 'z'); 707 } 708 709 #if defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__) 710 #define READ_TEST(READ_N_BYTES) \ 711 char *x = new char[10]; \ 712 int fd = open("/proc/self/stat", O_RDONLY); \ 713 ASSERT_GT(fd, 0); \ 714 EXPECT_DEATH(READ_N_BYTES, \ 715 ASAN_PCRE_DOTALL \ 716 "AddressSanitizer: heap-buffer-overflow" \ 717 ".* is located 0 bytes to the right of 10-byte region"); \ 718 close(fd); \ 719 delete [] x; \ 720 721 TEST(AddressSanitizer, pread) { 722 READ_TEST(pread(fd, x, 15, 0)); 723 } 724 725 TEST(AddressSanitizer, pread64) { 726 READ_TEST(pread64(fd, x, 15, 0)); 727 } 728 729 TEST(AddressSanitizer, read) { 730 READ_TEST(read(fd, x, 15)); 731 } 732 #endif // defined(__linux__) && !defined(ANDROID) && !defined(__ANDROID__) 733 734 // This test case fails 735 // Clang optimizes memcpy/memset calls which lead to unaligned access 736 TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 737 int size = Ident(4096); 738 char *s = Ident((char*)malloc(size)); 739 EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 740 free(s); 741 } 742 743 // TODO(samsonov): Add a test with malloc(0) 744 // TODO(samsonov): Add tests for str* and mem* functions. 745 746 NOINLINE static int LargeFunction(bool do_bad_access) { 747 int *x = new int[100]; 748 x[0]++; 749 x[1]++; 750 x[2]++; 751 x[3]++; 752 x[4]++; 753 x[5]++; 754 x[6]++; 755 x[7]++; 756 x[8]++; 757 x[9]++; 758 759 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 760 761 x[10]++; 762 x[11]++; 763 x[12]++; 764 x[13]++; 765 x[14]++; 766 x[15]++; 767 x[16]++; 768 x[17]++; 769 x[18]++; 770 x[19]++; 771 772 delete x; 773 return res; 774 } 775 776 // Test the we have correct debug info for the failing instruction. 777 // This test requires the in-process symbolizer to be enabled by default. 778 TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 779 int failing_line = LargeFunction(false); 780 char expected_warning[128]; 781 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 782 EXPECT_DEATH(LargeFunction(true), expected_warning); 783 } 784 785 // Check that we unwind and symbolize correctly. 786 TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 787 int *a = (int*)malloc_aaa(sizeof(int)); 788 *a = 1; 789 free_aaa(a); 790 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 791 "malloc_fff.*malloc_eee.*malloc_ddd"); 792 } 793 794 static bool TryToSetThreadName(const char *name) { 795 #if defined(__linux__) && defined(PR_SET_NAME) 796 return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 797 #else 798 return false; 799 #endif 800 } 801 802 void *ThreadedTestAlloc(void *a) { 803 EXPECT_EQ(true, TryToSetThreadName("AllocThr")); 804 int **p = (int**)a; 805 *p = new int; 806 return 0; 807 } 808 809 void *ThreadedTestFree(void *a) { 810 EXPECT_EQ(true, TryToSetThreadName("FreeThr")); 811 int **p = (int**)a; 812 delete *p; 813 return 0; 814 } 815 816 void *ThreadedTestUse(void *a) { 817 EXPECT_EQ(true, TryToSetThreadName("UseThr")); 818 int **p = (int**)a; 819 **p = 1; 820 return 0; 821 } 822 823 void ThreadedTestSpawn() { 824 pthread_t t; 825 int *x; 826 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 827 PTHREAD_JOIN(t, 0); 828 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 829 PTHREAD_JOIN(t, 0); 830 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 831 PTHREAD_JOIN(t, 0); 832 } 833 834 TEST(AddressSanitizer, ThreadedTest) { 835 EXPECT_DEATH(ThreadedTestSpawn(), 836 ASAN_PCRE_DOTALL 837 "Thread T.*created" 838 ".*Thread T.*created" 839 ".*Thread T.*created"); 840 } 841 842 void *ThreadedTestFunc(void *unused) { 843 // Check if prctl(PR_SET_NAME) is supported. Return if not. 844 if (!TryToSetThreadName("TestFunc")) 845 return 0; 846 EXPECT_DEATH(ThreadedTestSpawn(), 847 ASAN_PCRE_DOTALL 848 "WRITE .*thread T. .UseThr." 849 ".*freed by thread T. .FreeThr. here:" 850 ".*previously allocated by thread T. .AllocThr. here:" 851 ".*Thread T. .UseThr. created by T.*TestFunc" 852 ".*Thread T. .FreeThr. created by T" 853 ".*Thread T. .AllocThr. created by T" 854 ""); 855 return 0; 856 } 857 858 TEST(AddressSanitizer, ThreadNamesTest) { 859 // Run ThreadedTestFunc in a separate thread because it tries to set a 860 // thread name and we don't want to change the main thread's name. 861 pthread_t t; 862 PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0); 863 PTHREAD_JOIN(t, 0); 864 } 865 866 #if ASAN_NEEDS_SEGV 867 TEST(AddressSanitizer, ShadowGapTest) { 868 #if SANITIZER_WORDSIZE == 32 869 char *addr = (char*)0x22000000; 870 #else 871 char *addr = (char*)0x0000100000080000; 872 #endif 873 EXPECT_DEATH(*addr = 1, "AddressSanitizer: SEGV on unknown"); 874 } 875 #endif // ASAN_NEEDS_SEGV 876 877 extern "C" { 878 NOINLINE static void UseThenFreeThenUse() { 879 char *x = Ident((char*)malloc(8)); 880 *x = 1; 881 free_aaa(x); 882 *x = 2; 883 } 884 } 885 886 TEST(AddressSanitizer, UseThenFreeThenUseTest) { 887 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 888 } 889 890 TEST(AddressSanitizer, StrDupTest) { 891 free(strdup(Ident("123"))); 892 } 893 894 // Currently we create and poison redzone at right of global variables. 895 static char static110[110]; 896 const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 897 static const char StaticConstGlob[3] = {9, 8, 7}; 898 899 TEST(AddressSanitizer, GlobalTest) { 900 static char func_static15[15]; 901 902 static char fs1[10]; 903 static char fs2[10]; 904 static char fs3[10]; 905 906 glob5[Ident(0)] = 0; 907 glob5[Ident(1)] = 0; 908 glob5[Ident(2)] = 0; 909 glob5[Ident(3)] = 0; 910 glob5[Ident(4)] = 0; 911 912 EXPECT_DEATH(glob5[Ident(5)] = 0, 913 "0 bytes to the right of global variable.*glob5.* size 5"); 914 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 915 "6 bytes to the right of global variable.*glob5.* size 5"); 916 Ident(static110); // avoid optimizations 917 static110[Ident(0)] = 0; 918 static110[Ident(109)] = 0; 919 EXPECT_DEATH(static110[Ident(110)] = 0, 920 "0 bytes to the right of global variable"); 921 EXPECT_DEATH(static110[Ident(110+7)] = 0, 922 "7 bytes to the right of global variable"); 923 924 Ident(func_static15); // avoid optimizations 925 func_static15[Ident(0)] = 0; 926 EXPECT_DEATH(func_static15[Ident(15)] = 0, 927 "0 bytes to the right of global variable"); 928 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 929 "9 bytes to the right of global variable"); 930 931 Ident(fs1); 932 Ident(fs2); 933 Ident(fs3); 934 935 // We don't create left redzones, so this is not 100% guaranteed to fail. 936 // But most likely will. 937 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 938 939 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 940 "is located 1 bytes to the right of .*ConstGlob"); 941 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 942 "is located 2 bytes to the right of .*StaticConstGlob"); 943 944 // call stuff from another file. 945 GlobalsTest(0); 946 } 947 948 TEST(AddressSanitizer, GlobalStringConstTest) { 949 static const char *zoo = "FOOBAR123"; 950 const char *p = Ident(zoo); 951 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 952 } 953 954 TEST(AddressSanitizer, FileNameInGlobalReportTest) { 955 static char zoo[10]; 956 const char *p = Ident(zoo); 957 // The file name should be present in the report. 958 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 959 } 960 961 int *ReturnsPointerToALocalObject() { 962 int a = 0; 963 return Ident(&a); 964 } 965 966 #if ASAN_UAR == 1 967 TEST(AddressSanitizer, LocalReferenceReturnTest) { 968 int *(*f)() = Ident(ReturnsPointerToALocalObject); 969 int *p = f(); 970 // Call 'f' a few more times, 'p' should still be poisoned. 971 for (int i = 0; i < 32; i++) 972 f(); 973 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 974 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 975 } 976 #endif 977 978 template <int kSize> 979 NOINLINE static void FuncWithStack() { 980 char x[kSize]; 981 Ident(x)[0] = 0; 982 Ident(x)[kSize-1] = 0; 983 } 984 985 static void LotsOfStackReuse() { 986 int LargeStack[10000]; 987 Ident(LargeStack)[0] = 0; 988 for (int i = 0; i < 10000; i++) { 989 FuncWithStack<128 * 1>(); 990 FuncWithStack<128 * 2>(); 991 FuncWithStack<128 * 4>(); 992 FuncWithStack<128 * 8>(); 993 FuncWithStack<128 * 16>(); 994 FuncWithStack<128 * 32>(); 995 FuncWithStack<128 * 64>(); 996 FuncWithStack<128 * 128>(); 997 FuncWithStack<128 * 256>(); 998 FuncWithStack<128 * 512>(); 999 Ident(LargeStack)[0] = 0; 1000 } 1001 } 1002 1003 TEST(AddressSanitizer, StressStackReuseTest) { 1004 LotsOfStackReuse(); 1005 } 1006 1007 TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1008 const int kNumThreads = 20; 1009 pthread_t t[kNumThreads]; 1010 for (int i = 0; i < kNumThreads; i++) { 1011 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1012 } 1013 for (int i = 0; i < kNumThreads; i++) { 1014 PTHREAD_JOIN(t[i], 0); 1015 } 1016 } 1017 1018 static void *PthreadExit(void *a) { 1019 pthread_exit(0); 1020 return 0; 1021 } 1022 1023 TEST(AddressSanitizer, PthreadExitTest) { 1024 pthread_t t; 1025 for (int i = 0; i < 1000; i++) { 1026 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1027 PTHREAD_JOIN(t, 0); 1028 } 1029 } 1030 1031 #ifdef __EXCEPTIONS 1032 NOINLINE static void StackReuseAndException() { 1033 int large_stack[1000]; 1034 Ident(large_stack); 1035 ASAN_THROW(1); 1036 } 1037 1038 // TODO(kcc): support exceptions with use-after-return. 1039 TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1040 for (int i = 0; i < 10000; i++) { 1041 try { 1042 StackReuseAndException(); 1043 } catch(...) { 1044 } 1045 } 1046 } 1047 #endif 1048 1049 TEST(AddressSanitizer, MlockTest) { 1050 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1051 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1052 EXPECT_EQ(0, munlockall()); 1053 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1054 } 1055 1056 struct LargeStruct { 1057 int foo[100]; 1058 }; 1059 1060 // Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1061 // Struct copy should not cause asan warning even if lhs == rhs. 1062 TEST(AddressSanitizer, LargeStructCopyTest) { 1063 LargeStruct a; 1064 *Ident(&a) = *Ident(&a); 1065 } 1066 1067 ATTRIBUTE_NO_ADDRESS_SAFETY_ANALYSIS 1068 static void NoAddressSafety() { 1069 char *foo = new char[10]; 1070 Ident(foo)[10] = 0; 1071 delete [] foo; 1072 } 1073 1074 TEST(AddressSanitizer, AttributeNoAddressSafetyTest) { 1075 Ident(NoAddressSafety)(); 1076 } 1077 1078 // It doesn't work on Android, as calls to new/delete go through malloc/free. 1079 #if !defined(ANDROID) && !defined(__ANDROID__) 1080 static string MismatchStr(const string &str) { 1081 return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str; 1082 } 1083 1084 TEST(AddressSanitizer, AllocDeallocMismatch) { 1085 EXPECT_DEATH(free(Ident(new int)), 1086 MismatchStr("operator new vs free")); 1087 EXPECT_DEATH(free(Ident(new int[2])), 1088 MismatchStr("operator new \\[\\] vs free")); 1089 EXPECT_DEATH(delete (Ident(new int[2])), 1090 MismatchStr("operator new \\[\\] vs operator delete")); 1091 EXPECT_DEATH(delete (Ident((int*)malloc(2 * sizeof(int)))), 1092 MismatchStr("malloc vs operator delete")); 1093 EXPECT_DEATH(delete [] (Ident(new int)), 1094 MismatchStr("operator new vs operator delete \\[\\]")); 1095 EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))), 1096 MismatchStr("malloc vs operator delete \\[\\]")); 1097 } 1098 #endif 1099 1100 // ------------------ demo tests; run each one-by-one ------------- 1101 // e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1102 TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1103 ThreadedTestSpawn(); 1104 } 1105 1106 void *SimpleBugOnSTack(void *x = 0) { 1107 char a[20]; 1108 Ident(a)[20] = 0; 1109 return 0; 1110 } 1111 1112 TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1113 SimpleBugOnSTack(); 1114 } 1115 1116 TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1117 pthread_t t; 1118 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1119 PTHREAD_JOIN(t, 0); 1120 } 1121 1122 TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1123 uaf_test<U1>(10, 0); 1124 } 1125 TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1126 uaf_test<U1>(10, -2); 1127 } 1128 TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 1129 uaf_test<U1>(10, 10); 1130 } 1131 1132 TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 1133 uaf_test<U1>(kLargeMalloc, 0); 1134 } 1135 1136 TEST(AddressSanitizer, DISABLED_DemoOOM) { 1137 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 1138 printf("%p\n", malloc(size)); 1139 } 1140 1141 TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 1142 DoubleFree(); 1143 } 1144 1145 TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 1146 int *a = 0; 1147 Ident(a)[10] = 0; 1148 } 1149 1150 TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 1151 static char a[100]; 1152 static char b[100]; 1153 static char c[100]; 1154 Ident(a); 1155 Ident(b); 1156 Ident(c); 1157 Ident(a)[5] = 0; 1158 Ident(b)[105] = 0; 1159 Ident(a)[5] = 0; 1160 } 1161 1162 TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 1163 const size_t kAllocSize = (1 << 28) - 1024; 1164 size_t total_size = 0; 1165 while (true) { 1166 char *x = (char*)malloc(kAllocSize); 1167 memset(x, 0, kAllocSize); 1168 total_size += kAllocSize; 1169 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 1170 } 1171 } 1172 1173 // http://code.google.com/p/address-sanitizer/issues/detail?id=66 1174 TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 1175 for (int i = 0; i < 1000000; i++) { 1176 delete [] (Ident(new char [8644])); 1177 } 1178 char *x = new char[8192]; 1179 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 1180 delete [] Ident(x); 1181 } 1182 1183 1184 // Test that instrumentation of stack allocations takes into account 1185 // AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 1186 // See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 1187 TEST(AddressSanitizer, LongDoubleNegativeTest) { 1188 long double a, b; 1189 static long double c; 1190 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 1191 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 1192 } 1193