asan_noinst_test.cc revision 33280bba681b7bb683be01749aaba70dc06ffb6c
1//===-- asan_noinst_test.cc -----------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12// This test file should be compiled w/o asan instrumentation. 13//===----------------------------------------------------------------------===// 14 15#include "asan_allocator.h" 16#include "asan_internal.h" 17#include "asan_mapping.h" 18#include "asan_test_utils.h" 19 20#include <assert.h> 21#include <stdio.h> 22#include <stdlib.h> 23#include <string.h> // for memset() 24#include <algorithm> 25#include <vector> 26#include <limits> 27 28 29TEST(AddressSanitizer, InternalSimpleDeathTest) { 30 EXPECT_DEATH(exit(1), ""); 31} 32 33static void MallocStress(size_t n) { 34 u32 seed = my_rand(); 35 StackTrace stack1; 36 stack1.trace[0] = 0xa123; 37 stack1.trace[1] = 0xa456; 38 stack1.size = 2; 39 40 StackTrace stack2; 41 stack2.trace[0] = 0xb123; 42 stack2.trace[1] = 0xb456; 43 stack2.size = 2; 44 45 StackTrace stack3; 46 stack3.trace[0] = 0xc123; 47 stack3.trace[1] = 0xc456; 48 stack3.size = 2; 49 50 std::vector<void *> vec; 51 for (size_t i = 0; i < n; i++) { 52 if ((i % 3) == 0) { 53 if (vec.empty()) continue; 54 size_t idx = my_rand_r(&seed) % vec.size(); 55 void *ptr = vec[idx]; 56 vec[idx] = vec.back(); 57 vec.pop_back(); 58 __asan::asan_free(ptr, &stack1, __asan::FROM_MALLOC); 59 } else { 60 size_t size = my_rand_r(&seed) % 1000 + 1; 61 switch ((my_rand_r(&seed) % 128)) { 62 case 0: size += 1024; break; 63 case 1: size += 2048; break; 64 case 2: size += 4096; break; 65 } 66 size_t alignment = 1 << (my_rand_r(&seed) % 10 + 1); 67 char *ptr = (char*)__asan::asan_memalign(alignment, size, 68 &stack2, __asan::FROM_MALLOC); 69 vec.push_back(ptr); 70 ptr[0] = 0; 71 ptr[size-1] = 0; 72 ptr[size/2] = 0; 73 } 74 } 75 for (size_t i = 0; i < vec.size(); i++) 76 __asan::asan_free(vec[i], &stack3, __asan::FROM_MALLOC); 77} 78 79 80TEST(AddressSanitizer, NoInstMallocTest) { 81 MallocStress(ASAN_LOW_MEMORY ? 300000 : 1000000); 82} 83 84TEST(AddressSanitizer, ThreadedMallocStressTest) { 85 const int kNumThreads = 4; 86 const int kNumIterations = (ASAN_LOW_MEMORY) ? 10000 : 100000; 87 pthread_t t[kNumThreads]; 88 for (int i = 0; i < kNumThreads; i++) { 89 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))MallocStress, 90 (void*)kNumIterations); 91 } 92 for (int i = 0; i < kNumThreads; i++) { 93 PTHREAD_JOIN(t[i], 0); 94 } 95} 96 97static void PrintShadow(const char *tag, uptr ptr, size_t size) { 98 fprintf(stderr, "%s shadow: %lx size % 3ld: ", tag, (long)ptr, (long)size); 99 uptr prev_shadow = 0; 100 for (sptr i = -32; i < (sptr)size + 32; i++) { 101 uptr shadow = __asan::MemToShadow(ptr + i); 102 if (i == 0 || i == (sptr)size) 103 fprintf(stderr, "."); 104 if (shadow != prev_shadow) { 105 prev_shadow = shadow; 106 fprintf(stderr, "%02x", (int)*(u8*)shadow); 107 } 108 } 109 fprintf(stderr, "\n"); 110} 111 112TEST(AddressSanitizer, DISABLED_InternalPrintShadow) { 113 for (size_t size = 1; size <= 513; size++) { 114 char *ptr = new char[size]; 115 PrintShadow("m", (uptr)ptr, size); 116 delete [] ptr; 117 PrintShadow("f", (uptr)ptr, size); 118 } 119} 120 121static uptr pc_array[] = { 122#if SANITIZER_WORDSIZE == 64 123 0x7effbf756068ULL, 124 0x7effbf75e5abULL, 125 0x7effc0625b7cULL, 126 0x7effc05b8997ULL, 127 0x7effbf990577ULL, 128 0x7effbf990c56ULL, 129 0x7effbf992f3cULL, 130 0x7effbf950c22ULL, 131 0x7effc036dba0ULL, 132 0x7effc03638a3ULL, 133 0x7effc035be4aULL, 134 0x7effc0539c45ULL, 135 0x7effc0539a65ULL, 136 0x7effc03db9b3ULL, 137 0x7effc03db100ULL, 138 0x7effc037c7b8ULL, 139 0x7effc037bfffULL, 140 0x7effc038b777ULL, 141 0x7effc038021cULL, 142 0x7effc037c7d1ULL, 143 0x7effc037bfffULL, 144 0x7effc038b777ULL, 145 0x7effc038021cULL, 146 0x7effc037c7d1ULL, 147 0x7effc037bfffULL, 148 0x7effc038b777ULL, 149 0x7effc038021cULL, 150 0x7effc037c7d1ULL, 151 0x7effc037bfffULL, 152 0x7effc0520d26ULL, 153 0x7effc009ddffULL, 154 0x7effbf90bb50ULL, 155 0x7effbdddfa69ULL, 156 0x7effbdde1fe2ULL, 157 0x7effbdde2424ULL, 158 0x7effbdde27b3ULL, 159 0x7effbddee53bULL, 160 0x7effbdde1988ULL, 161 0x7effbdde0904ULL, 162 0x7effc106ce0dULL, 163 0x7effbcc3fa04ULL, 164 0x7effbcc3f6a4ULL, 165 0x7effbcc3e726ULL, 166 0x7effbcc40852ULL, 167 0x7effb681ec4dULL, 168#endif // SANITIZER_WORDSIZE 169 0xB0B5E768, 170 0x7B682EC1, 171 0x367F9918, 172 0xAE34E13, 173 0xBA0C6C6, 174 0x13250F46, 175 0xA0D6A8AB, 176 0x2B07C1A8, 177 0x6C844F4A, 178 0x2321B53, 179 0x1F3D4F8F, 180 0x3FE2924B, 181 0xB7A2F568, 182 0xBD23950A, 183 0x61020930, 184 0x33E7970C, 185 0x405998A1, 186 0x59F3551D, 187 0x350E3028, 188 0xBC55A28D, 189 0x361F3AED, 190 0xBEAD0F73, 191 0xAEF28479, 192 0x757E971F, 193 0xAEBA450, 194 0x43AD22F5, 195 0x8C2C50C4, 196 0x7AD8A2E1, 197 0x69EE4EE8, 198 0xC08DFF, 199 0x4BA6538, 200 0x3708AB2, 201 0xC24B6475, 202 0x7C8890D7, 203 0x6662495F, 204 0x9B641689, 205 0xD3596B, 206 0xA1049569, 207 0x44CBC16, 208 0x4D39C39F 209}; 210 211void CompressStackTraceTest(size_t n_iter) { 212 u32 seed = my_rand(); 213 const size_t kNumPcs = ARRAY_SIZE(pc_array); 214 u32 compressed[2 * kNumPcs]; 215 216 for (size_t iter = 0; iter < n_iter; iter++) { 217 std::random_shuffle(pc_array, pc_array + kNumPcs); 218 StackTrace stack0, stack1; 219 stack0.CopyFrom(pc_array, kNumPcs); 220 stack0.size = std::max((size_t)1, (size_t)(my_rand_r(&seed) % stack0.size)); 221 size_t compress_size = 222 std::max((size_t)2, (size_t)my_rand_r(&seed) % (2 * kNumPcs)); 223 size_t n_frames = 224 StackTrace::CompressStack(&stack0, compressed, compress_size); 225 Ident(n_frames); 226 assert(n_frames <= stack0.size); 227 StackTrace::UncompressStack(&stack1, compressed, compress_size); 228 assert(stack1.size == n_frames); 229 for (size_t i = 0; i < stack1.size; i++) { 230 assert(stack0.trace[i] == stack1.trace[i]); 231 } 232 } 233} 234 235TEST(AddressSanitizer, CompressStackTraceTest) { 236 CompressStackTraceTest(10000); 237} 238 239void CompressStackTraceBenchmark(size_t n_iter) { 240 const size_t kNumPcs = ARRAY_SIZE(pc_array); 241 u32 compressed[2 * kNumPcs]; 242 std::random_shuffle(pc_array, pc_array + kNumPcs); 243 244 StackTrace stack0; 245 stack0.CopyFrom(pc_array, kNumPcs); 246 stack0.size = kNumPcs; 247 for (size_t iter = 0; iter < n_iter; iter++) { 248 size_t compress_size = kNumPcs; 249 size_t n_frames = 250 StackTrace::CompressStack(&stack0, compressed, compress_size); 251 Ident(n_frames); 252 } 253} 254 255TEST(AddressSanitizer, CompressStackTraceBenchmark) { 256 CompressStackTraceBenchmark(1 << 24); 257} 258 259TEST(AddressSanitizer, QuarantineTest) { 260 StackTrace stack; 261 stack.trace[0] = 0x890; 262 stack.size = 1; 263 264 const int size = 1024; 265 void *p = __asan::asan_malloc(size, &stack); 266 __asan::asan_free(p, &stack, __asan::FROM_MALLOC); 267 size_t i; 268 size_t max_i = 1 << 30; 269 for (i = 0; i < max_i; i++) { 270 void *p1 = __asan::asan_malloc(size, &stack); 271 __asan::asan_free(p1, &stack, __asan::FROM_MALLOC); 272 if (p1 == p) break; 273 } 274 EXPECT_GE(i, 10000U); 275 EXPECT_LT(i, max_i); 276} 277 278void *ThreadedQuarantineTestWorker(void *unused) { 279 (void)unused; 280 u32 seed = my_rand(); 281 StackTrace stack; 282 stack.trace[0] = 0x890; 283 stack.size = 1; 284 285 for (size_t i = 0; i < 1000; i++) { 286 void *p = __asan::asan_malloc(1 + (my_rand_r(&seed) % 4000), &stack); 287 __asan::asan_free(p, &stack, __asan::FROM_MALLOC); 288 } 289 return NULL; 290} 291 292// Check that the thread local allocators are flushed when threads are 293// destroyed. 294TEST(AddressSanitizer, ThreadedQuarantineTest) { 295 const int n_threads = 3000; 296 size_t mmaped1 = __asan_get_heap_size(); 297 for (int i = 0; i < n_threads; i++) { 298 pthread_t t; 299 PTHREAD_CREATE(&t, NULL, ThreadedQuarantineTestWorker, 0); 300 PTHREAD_JOIN(t, 0); 301 size_t mmaped2 = __asan_get_heap_size(); 302 EXPECT_LT(mmaped2 - mmaped1, 320U * (1 << 20)); 303 } 304} 305 306void *ThreadedOneSizeMallocStress(void *unused) { 307 (void)unused; 308 StackTrace stack; 309 stack.trace[0] = 0x890; 310 stack.size = 1; 311 const size_t kNumMallocs = 1000; 312 for (int iter = 0; iter < 1000; iter++) { 313 void *p[kNumMallocs]; 314 for (size_t i = 0; i < kNumMallocs; i++) { 315 p[i] = __asan::asan_malloc(32, &stack); 316 } 317 for (size_t i = 0; i < kNumMallocs; i++) { 318 __asan::asan_free(p[i], &stack, __asan::FROM_MALLOC); 319 } 320 } 321 return NULL; 322} 323 324TEST(AddressSanitizer, ThreadedOneSizeMallocStressTest) { 325 const int kNumThreads = 4; 326 pthread_t t[kNumThreads]; 327 for (int i = 0; i < kNumThreads; i++) { 328 PTHREAD_CREATE(&t[i], 0, ThreadedOneSizeMallocStress, 0); 329 } 330 for (int i = 0; i < kNumThreads; i++) { 331 PTHREAD_JOIN(t[i], 0); 332 } 333} 334 335TEST(AddressSanitizer, MemsetWildAddressTest) { 336 using __asan::kHighMemEnd; 337 typedef void*(*memset_p)(void*, int, size_t); 338 // Prevent inlining of memset(). 339 volatile memset_p libc_memset = (memset_p)memset; 340 EXPECT_DEATH(libc_memset((void*)(kLowShadowBeg + 200), 0, 100), 341 (kLowShadowEnd == 0) ? "unknown-crash.*shadow gap" 342 : "unknown-crash.*low shadow"); 343 EXPECT_DEATH(libc_memset((void*)(kShadowGapBeg + 200), 0, 100), 344 "unknown-crash.*shadow gap"); 345 EXPECT_DEATH(libc_memset((void*)(kHighShadowBeg + 200), 0, 100), 346 "unknown-crash.*high shadow"); 347} 348 349TEST(AddressSanitizerInterface, GetEstimatedAllocatedSize) { 350 EXPECT_EQ(0U, __asan_get_estimated_allocated_size(0)); 351 const size_t sizes[] = { 1, 30, 1<<30 }; 352 for (size_t i = 0; i < 3; i++) { 353 EXPECT_EQ(sizes[i], __asan_get_estimated_allocated_size(sizes[i])); 354 } 355} 356 357static const char* kGetAllocatedSizeErrorMsg = 358 "attempting to call __asan_get_allocated_size()"; 359 360TEST(AddressSanitizerInterface, GetAllocatedSizeAndOwnershipTest) { 361 const size_t kArraySize = 100; 362 char *array = Ident((char*)malloc(kArraySize)); 363 int *int_ptr = Ident(new int); 364 365 // Allocated memory is owned by allocator. Allocated size should be 366 // equal to requested size. 367 EXPECT_EQ(true, __asan_get_ownership(array)); 368 EXPECT_EQ(kArraySize, __asan_get_allocated_size(array)); 369 EXPECT_EQ(true, __asan_get_ownership(int_ptr)); 370 EXPECT_EQ(sizeof(int), __asan_get_allocated_size(int_ptr)); 371 372 // We cannot call GetAllocatedSize from the memory we didn't map, 373 // and from the interior pointers (not returned by previous malloc). 374 void *wild_addr = (void*)0x1; 375 EXPECT_FALSE(__asan_get_ownership(wild_addr)); 376 EXPECT_DEATH(__asan_get_allocated_size(wild_addr), kGetAllocatedSizeErrorMsg); 377 EXPECT_FALSE(__asan_get_ownership(array + kArraySize / 2)); 378 EXPECT_DEATH(__asan_get_allocated_size(array + kArraySize / 2), 379 kGetAllocatedSizeErrorMsg); 380 381 // NULL is not owned, but is a valid argument for __asan_get_allocated_size(). 382 EXPECT_FALSE(__asan_get_ownership(NULL)); 383 EXPECT_EQ(0U, __asan_get_allocated_size(NULL)); 384 385 // When memory is freed, it's not owned, and call to GetAllocatedSize 386 // is forbidden. 387 free(array); 388 EXPECT_FALSE(__asan_get_ownership(array)); 389 EXPECT_DEATH(__asan_get_allocated_size(array), kGetAllocatedSizeErrorMsg); 390 delete int_ptr; 391 392 void *zero_alloc = Ident(malloc(0)); 393 if (zero_alloc != 0) { 394 // If malloc(0) is not null, this pointer is owned and should have valid 395 // allocated size. 396 EXPECT_TRUE(__asan_get_ownership(zero_alloc)); 397 // Allocated size is 0 or 1 depending on the allocator used. 398 EXPECT_LT(__asan_get_allocated_size(zero_alloc), 2U); 399 } 400 free(zero_alloc); 401} 402 403TEST(AddressSanitizerInterface, GetCurrentAllocatedBytesTest) { 404 size_t before_malloc, after_malloc, after_free; 405 char *array; 406 const size_t kMallocSize = 100; 407 before_malloc = __asan_get_current_allocated_bytes(); 408 409 array = Ident((char*)malloc(kMallocSize)); 410 after_malloc = __asan_get_current_allocated_bytes(); 411 EXPECT_EQ(before_malloc + kMallocSize, after_malloc); 412 413 free(array); 414 after_free = __asan_get_current_allocated_bytes(); 415 EXPECT_EQ(before_malloc, after_free); 416} 417 418static void DoDoubleFree() { 419 int *x = Ident(new int); 420 delete Ident(x); 421 delete Ident(x); 422} 423 424TEST(AddressSanitizerInterface, GetHeapSizeTest) { 425 // asan_allocator2 does not keep huge chunks in free list, but unmaps them. 426 // The chunk should be greater than the quarantine size, 427 // otherwise it will be stuck in quarantine instead of being unmaped. 428 static const size_t kLargeMallocSize = (1 << 28) + 1; // 256M 429 free(Ident(malloc(kLargeMallocSize))); // Drain quarantine. 430 uptr old_heap_size = __asan_get_heap_size(); 431 for (int i = 0; i < 3; i++) { 432 // fprintf(stderr, "allocating %zu bytes:\n", kLargeMallocSize); 433 free(Ident(malloc(kLargeMallocSize))); 434 EXPECT_EQ(old_heap_size, __asan_get_heap_size()); 435 } 436} 437 438static const size_t kManyThreadsMallocSizes[] = {5, 1UL<<10, 1UL<<14, 357}; 439static const size_t kManyThreadsIterations = 250; 440static const size_t kManyThreadsNumThreads = 441 (SANITIZER_WORDSIZE == 32) ? 40 : 200; 442 443void *ManyThreadsWithStatsWorker(void *arg) { 444 (void)arg; 445 for (size_t iter = 0; iter < kManyThreadsIterations; iter++) { 446 for (size_t size_index = 0; size_index < 4; size_index++) { 447 free(Ident(malloc(kManyThreadsMallocSizes[size_index]))); 448 } 449 } 450 // Just one large allocation. 451 free(Ident(malloc(1 << 20))); 452 return 0; 453} 454 455TEST(AddressSanitizerInterface, ManyThreadsWithStatsStressTest) { 456 size_t before_test, after_test, i; 457 pthread_t threads[kManyThreadsNumThreads]; 458 before_test = __asan_get_current_allocated_bytes(); 459 for (i = 0; i < kManyThreadsNumThreads; i++) { 460 PTHREAD_CREATE(&threads[i], 0, 461 (void* (*)(void *x))ManyThreadsWithStatsWorker, (void*)i); 462 } 463 for (i = 0; i < kManyThreadsNumThreads; i++) { 464 PTHREAD_JOIN(threads[i], 0); 465 } 466 after_test = __asan_get_current_allocated_bytes(); 467 // ASan stats also reflect memory usage of internal ASan RTL structs, 468 // so we can't check for equality here. 469 EXPECT_LT(after_test, before_test + (1UL<<20)); 470} 471 472TEST(AddressSanitizerInterface, ExitCode) { 473 int original_exit_code = __asan_set_error_exit_code(7); 474 EXPECT_EXIT(DoDoubleFree(), ::testing::ExitedWithCode(7), ""); 475 EXPECT_EQ(7, __asan_set_error_exit_code(8)); 476 EXPECT_EXIT(DoDoubleFree(), ::testing::ExitedWithCode(8), ""); 477 EXPECT_EQ(8, __asan_set_error_exit_code(original_exit_code)); 478 EXPECT_EXIT(DoDoubleFree(), 479 ::testing::ExitedWithCode(original_exit_code), ""); 480} 481 482static void MyDeathCallback() { 483 fprintf(stderr, "MyDeathCallback\n"); 484} 485 486TEST(AddressSanitizerInterface, DeathCallbackTest) { 487 __asan_set_death_callback(MyDeathCallback); 488 EXPECT_DEATH(DoDoubleFree(), "MyDeathCallback"); 489 __asan_set_death_callback(NULL); 490} 491 492static const char* kUseAfterPoisonErrorMessage = "use-after-poison"; 493 494#define GOOD_ACCESS(ptr, offset) \ 495 EXPECT_FALSE(__asan::AddressIsPoisoned((uptr)(ptr + offset))) 496 497#define BAD_ACCESS(ptr, offset) \ 498 EXPECT_TRUE(__asan::AddressIsPoisoned((uptr)(ptr + offset))) 499 500TEST(AddressSanitizerInterface, SimplePoisonMemoryRegionTest) { 501 char *array = Ident((char*)malloc(120)); 502 // poison array[40..80) 503 __asan_poison_memory_region(array + 40, 40); 504 GOOD_ACCESS(array, 39); 505 GOOD_ACCESS(array, 80); 506 BAD_ACCESS(array, 40); 507 BAD_ACCESS(array, 60); 508 BAD_ACCESS(array, 79); 509 EXPECT_DEATH(__asan_report_error(0, 0, 0, (uptr)(array + 40), true, 1), 510 kUseAfterPoisonErrorMessage); 511 __asan_unpoison_memory_region(array + 40, 40); 512 // access previously poisoned memory. 513 GOOD_ACCESS(array, 40); 514 GOOD_ACCESS(array, 79); 515 free(array); 516} 517 518TEST(AddressSanitizerInterface, OverlappingPoisonMemoryRegionTest) { 519 char *array = Ident((char*)malloc(120)); 520 // Poison [0..40) and [80..120) 521 __asan_poison_memory_region(array, 40); 522 __asan_poison_memory_region(array + 80, 40); 523 BAD_ACCESS(array, 20); 524 GOOD_ACCESS(array, 60); 525 BAD_ACCESS(array, 100); 526 // Poison whole array - [0..120) 527 __asan_poison_memory_region(array, 120); 528 BAD_ACCESS(array, 60); 529 // Unpoison [24..96) 530 __asan_unpoison_memory_region(array + 24, 72); 531 BAD_ACCESS(array, 23); 532 GOOD_ACCESS(array, 24); 533 GOOD_ACCESS(array, 60); 534 GOOD_ACCESS(array, 95); 535 BAD_ACCESS(array, 96); 536 free(array); 537} 538 539TEST(AddressSanitizerInterface, PushAndPopWithPoisoningTest) { 540 // Vector of capacity 20 541 char *vec = Ident((char*)malloc(20)); 542 __asan_poison_memory_region(vec, 20); 543 for (size_t i = 0; i < 7; i++) { 544 // Simulate push_back. 545 __asan_unpoison_memory_region(vec + i, 1); 546 GOOD_ACCESS(vec, i); 547 BAD_ACCESS(vec, i + 1); 548 } 549 for (size_t i = 7; i > 0; i--) { 550 // Simulate pop_back. 551 __asan_poison_memory_region(vec + i - 1, 1); 552 BAD_ACCESS(vec, i - 1); 553 if (i > 1) GOOD_ACCESS(vec, i - 2); 554 } 555 free(vec); 556} 557 558TEST(AddressSanitizerInterface, GlobalRedzones) { 559 GOOD_ACCESS(glob1, 1 - 1); 560 GOOD_ACCESS(glob2, 2 - 1); 561 GOOD_ACCESS(glob3, 3 - 1); 562 GOOD_ACCESS(glob4, 4 - 1); 563 GOOD_ACCESS(glob5, 5 - 1); 564 GOOD_ACCESS(glob6, 6 - 1); 565 GOOD_ACCESS(glob7, 7 - 1); 566 GOOD_ACCESS(glob8, 8 - 1); 567 GOOD_ACCESS(glob9, 9 - 1); 568 GOOD_ACCESS(glob10, 10 - 1); 569 GOOD_ACCESS(glob11, 11 - 1); 570 GOOD_ACCESS(glob12, 12 - 1); 571 GOOD_ACCESS(glob13, 13 - 1); 572 GOOD_ACCESS(glob14, 14 - 1); 573 GOOD_ACCESS(glob15, 15 - 1); 574 GOOD_ACCESS(glob16, 16 - 1); 575 GOOD_ACCESS(glob17, 17 - 1); 576 GOOD_ACCESS(glob1000, 1000 - 1); 577 GOOD_ACCESS(glob10000, 10000 - 1); 578 GOOD_ACCESS(glob100000, 100000 - 1); 579 580 BAD_ACCESS(glob1, 1); 581 BAD_ACCESS(glob2, 2); 582 BAD_ACCESS(glob3, 3); 583 BAD_ACCESS(glob4, 4); 584 BAD_ACCESS(glob5, 5); 585 BAD_ACCESS(glob6, 6); 586 BAD_ACCESS(glob7, 7); 587 BAD_ACCESS(glob8, 8); 588 BAD_ACCESS(glob9, 9); 589 BAD_ACCESS(glob10, 10); 590 BAD_ACCESS(glob11, 11); 591 BAD_ACCESS(glob12, 12); 592 BAD_ACCESS(glob13, 13); 593 BAD_ACCESS(glob14, 14); 594 BAD_ACCESS(glob15, 15); 595 BAD_ACCESS(glob16, 16); 596 BAD_ACCESS(glob17, 17); 597 BAD_ACCESS(glob1000, 1000); 598 BAD_ACCESS(glob1000, 1100); // Redzone is at least 101 bytes. 599 BAD_ACCESS(glob10000, 10000); 600 BAD_ACCESS(glob10000, 11000); // Redzone is at least 1001 bytes. 601 BAD_ACCESS(glob100000, 100000); 602 BAD_ACCESS(glob100000, 110000); // Redzone is at least 10001 bytes. 603} 604 605// Make sure that each aligned block of size "2^granularity" doesn't have 606// "true" value before "false" value. 607static void MakeShadowValid(bool *shadow, int length, int granularity) { 608 bool can_be_poisoned = true; 609 for (int i = length - 1; i >= 0; i--) { 610 if (!shadow[i]) 611 can_be_poisoned = false; 612 if (!can_be_poisoned) 613 shadow[i] = false; 614 if (i % (1 << granularity) == 0) { 615 can_be_poisoned = true; 616 } 617 } 618} 619 620TEST(AddressSanitizerInterface, PoisoningStressTest) { 621 const size_t kSize = 24; 622 bool expected[kSize]; 623 char *arr = Ident((char*)malloc(kSize)); 624 for (size_t l1 = 0; l1 < kSize; l1++) { 625 for (size_t s1 = 1; l1 + s1 <= kSize; s1++) { 626 for (size_t l2 = 0; l2 < kSize; l2++) { 627 for (size_t s2 = 1; l2 + s2 <= kSize; s2++) { 628 // Poison [l1, l1+s1), [l2, l2+s2) and check result. 629 __asan_unpoison_memory_region(arr, kSize); 630 __asan_poison_memory_region(arr + l1, s1); 631 __asan_poison_memory_region(arr + l2, s2); 632 memset(expected, false, kSize); 633 memset(expected + l1, true, s1); 634 MakeShadowValid(expected, kSize, /*granularity*/ 3); 635 memset(expected + l2, true, s2); 636 MakeShadowValid(expected, kSize, /*granularity*/ 3); 637 for (size_t i = 0; i < kSize; i++) { 638 ASSERT_EQ(expected[i], __asan_address_is_poisoned(arr + i)); 639 } 640 // Unpoison [l1, l1+s1) and [l2, l2+s2) and check result. 641 __asan_poison_memory_region(arr, kSize); 642 __asan_unpoison_memory_region(arr + l1, s1); 643 __asan_unpoison_memory_region(arr + l2, s2); 644 memset(expected, true, kSize); 645 memset(expected + l1, false, s1); 646 MakeShadowValid(expected, kSize, /*granularity*/ 3); 647 memset(expected + l2, false, s2); 648 MakeShadowValid(expected, kSize, /*granularity*/ 3); 649 for (size_t i = 0; i < kSize; i++) { 650 ASSERT_EQ(expected[i], __asan_address_is_poisoned(arr + i)); 651 } 652 } 653 } 654 } 655 } 656} 657 658TEST(AddressSanitizerInterface, PoisonedRegion) { 659 size_t rz = 16; 660 for (size_t size = 1; size <= 64; size++) { 661 char *p = new char[size]; 662 uptr x = reinterpret_cast<uptr>(p); 663 for (size_t beg = 0; beg < size + rz; beg++) { 664 for (size_t end = beg; end < size + rz; end++) { 665 uptr first_poisoned = __asan_region_is_poisoned(x + beg, end - beg); 666 if (beg == end) { 667 EXPECT_FALSE(first_poisoned); 668 } else if (beg < size && end <= size) { 669 EXPECT_FALSE(first_poisoned); 670 } else if (beg >= size) { 671 EXPECT_EQ(x + beg, first_poisoned); 672 } else { 673 EXPECT_GT(end, size); 674 EXPECT_EQ(x + size, first_poisoned); 675 } 676 } 677 } 678 delete [] p; 679 } 680} 681 682// This is a performance benchmark for manual runs. 683// asan's memset interceptor calls mem_is_zero for the entire shadow region. 684// the profile should look like this: 685// 89.10% [.] __memset_sse2 686// 10.50% [.] __sanitizer::mem_is_zero 687// I.e. mem_is_zero should consume ~ SHADOW_GRANULARITY less CPU cycles 688// than memset itself. 689TEST(AddressSanitizerInterface, DISABLED_StressLargeMemset) { 690 size_t size = 1 << 20; 691 char *x = new char[size]; 692 for (int i = 0; i < 100000; i++) 693 Ident(memset)(x, 0, size); 694 delete [] x; 695} 696 697// Same here, but we run memset with small sizes. 698TEST(AddressSanitizerInterface, DISABLED_StressSmallMemset) { 699 size_t size = 32; 700 char *x = new char[size]; 701 for (int i = 0; i < 100000000; i++) 702 Ident(memset)(x, 0, size); 703 delete [] x; 704} 705 706static const char *kInvalidPoisonMessage = "invalid-poison-memory-range"; 707static const char *kInvalidUnpoisonMessage = "invalid-unpoison-memory-range"; 708 709TEST(AddressSanitizerInterface, DISABLED_InvalidPoisonAndUnpoisonCallsTest) { 710 char *array = Ident((char*)malloc(120)); 711 __asan_unpoison_memory_region(array, 120); 712 // Try to unpoison not owned memory 713 EXPECT_DEATH(__asan_unpoison_memory_region(array, 121), 714 kInvalidUnpoisonMessage); 715 EXPECT_DEATH(__asan_unpoison_memory_region(array - 1, 120), 716 kInvalidUnpoisonMessage); 717 718 __asan_poison_memory_region(array, 120); 719 // Try to poison not owned memory. 720 EXPECT_DEATH(__asan_poison_memory_region(array, 121), kInvalidPoisonMessage); 721 EXPECT_DEATH(__asan_poison_memory_region(array - 1, 120), 722 kInvalidPoisonMessage); 723 free(array); 724} 725 726static void ErrorReportCallbackOneToZ(const char *report) { 727 int report_len = strlen(report); 728 ASSERT_EQ(6, write(2, "ABCDEF", 6)); 729 ASSERT_EQ(report_len, write(2, report, report_len)); 730 ASSERT_EQ(6, write(2, "ABCDEF", 6)); 731 _exit(1); 732} 733 734TEST(AddressSanitizerInterface, SetErrorReportCallbackTest) { 735 __asan_set_error_report_callback(ErrorReportCallbackOneToZ); 736 EXPECT_DEATH(__asan_report_error(0, 0, 0, 0, true, 1), 737 ASAN_PCRE_DOTALL "ABCDEF.*AddressSanitizer.*WRITE.*ABCDEF"); 738 __asan_set_error_report_callback(NULL); 739} 740 741TEST(AddressSanitizerInterface, GetOwnershipStressTest) { 742 std::vector<char *> pointers; 743 std::vector<size_t> sizes; 744 const size_t kNumMallocs = 1 << 9; 745 for (size_t i = 0; i < kNumMallocs; i++) { 746 size_t size = i * 100 + 1; 747 pointers.push_back((char*)malloc(size)); 748 sizes.push_back(size); 749 } 750 for (size_t i = 0; i < 4000000; i++) { 751 EXPECT_FALSE(__asan_get_ownership(&pointers)); 752 EXPECT_FALSE(__asan_get_ownership((void*)0x1234)); 753 size_t idx = i % kNumMallocs; 754 EXPECT_TRUE(__asan_get_ownership(pointers[idx])); 755 EXPECT_EQ(sizes[idx], __asan_get_allocated_size(pointers[idx])); 756 } 757 for (size_t i = 0, n = pointers.size(); i < n; i++) 758 free(pointers[i]); 759} 760 761TEST(AddressSanitizerInterface, CallocOverflow) { 762 size_t kArraySize = 4096; 763 volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max(); 764 volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10; 765 void *p = calloc(kArraySize, kArraySize2); // Should return 0. 766 EXPECT_EQ(0L, Ident(p)); 767} 768 769TEST(AddressSanitizerInterface, CallocOverflow2) { 770#if SANITIZER_WORDSIZE == 32 771 size_t kArraySize = 112; 772 volatile size_t kArraySize2 = 43878406; 773 void *p = calloc(kArraySize, kArraySize2); // Should return 0. 774 EXPECT_EQ(0L, Ident(p)); 775#endif 776} 777 778TEST(AddressSanitizerInterface, CallocReturnsZeroMem) { 779 size_t sizes[] = {16, 1000, 10000, 100000, 2100000}; 780 for (size_t s = 0; s < ARRAY_SIZE(sizes); s++) { 781 size_t size = sizes[s]; 782 for (size_t iter = 0; iter < 5; iter++) { 783 char *x = Ident((char*)calloc(1, size)); 784 EXPECT_EQ(x[0], 0); 785 EXPECT_EQ(x[size - 1], 0); 786 EXPECT_EQ(x[size / 2], 0); 787 EXPECT_EQ(x[size / 3], 0); 788 EXPECT_EQ(x[size / 4], 0); 789 memset(x, 0x42, size); 790 free(Ident(x)); 791 free(Ident(malloc(Ident(1 << 27)))); // Try to drain the quarantine. 792 } 793 } 794} 795