asan_test.cc revision 0b770b48e4ae053a7d0610e1c682405afba58fda
1//===-- asan_test.cc ------------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12//===----------------------------------------------------------------------===// 13#include <stdio.h> 14#include <signal.h> 15#include <stdlib.h> 16#include <string.h> 17#include <strings.h> 18#include <pthread.h> 19#include <stdint.h> 20#include <setjmp.h> 21#include <assert.h> 22 23#ifdef __linux__ 24# include <sys/prctl.h> 25# include <sys/types.h> 26# include <sys/stat.h> 27# include <fcntl.h> 28#endif 29 30#if defined(__i386__) || defined(__x86_64__) 31#include <emmintrin.h> 32#endif 33 34#include "asan_test_utils.h" 35 36#ifndef __APPLE__ 37#include <malloc.h> 38#else 39#include <malloc/malloc.h> 40#include <AvailabilityMacros.h> // For MAC_OS_X_VERSION_* 41#include <CoreFoundation/CFString.h> 42#endif // __APPLE__ 43 44#if ASAN_HAS_EXCEPTIONS 45# define ASAN_THROW(x) throw (x) 46#else 47# define ASAN_THROW(x) 48#endif 49 50#include <sys/mman.h> 51 52typedef uint8_t U1; 53typedef uint16_t U2; 54typedef uint32_t U4; 55typedef uint64_t U8; 56 57static const int kPageSize = 4096; 58 59// Simple stand-alone pseudorandom number generator. 60// Current algorithm is ANSI C linear congruential PRNG. 61static inline uint32_t my_rand(uint32_t* state) { 62 return (*state = *state * 1103515245 + 12345) >> 16; 63} 64 65static uint32_t global_seed = 0; 66 67const size_t kLargeMalloc = 1 << 24; 68 69template<typename T> 70NOINLINE void asan_write(T *a) { 71 *a = 0; 72} 73 74NOINLINE void asan_write_sized_aligned(uint8_t *p, size_t size) { 75 EXPECT_EQ(0U, ((uintptr_t)p % size)); 76 if (size == 1) asan_write((uint8_t*)p); 77 else if (size == 2) asan_write((uint16_t*)p); 78 else if (size == 4) asan_write((uint32_t*)p); 79 else if (size == 8) asan_write((uint64_t*)p); 80} 81 82NOINLINE void *malloc_fff(size_t size) { 83 void *res = malloc/**/(size); break_optimization(0); return res;} 84NOINLINE void *malloc_eee(size_t size) { 85 void *res = malloc_fff(size); break_optimization(0); return res;} 86NOINLINE void *malloc_ddd(size_t size) { 87 void *res = malloc_eee(size); break_optimization(0); return res;} 88NOINLINE void *malloc_ccc(size_t size) { 89 void *res = malloc_ddd(size); break_optimization(0); return res;} 90NOINLINE void *malloc_bbb(size_t size) { 91 void *res = malloc_ccc(size); break_optimization(0); return res;} 92NOINLINE void *malloc_aaa(size_t size) { 93 void *res = malloc_bbb(size); break_optimization(0); return res;} 94 95#ifndef __APPLE__ 96NOINLINE void *memalign_fff(size_t alignment, size_t size) { 97 void *res = memalign/**/(alignment, size); break_optimization(0); return res;} 98NOINLINE void *memalign_eee(size_t alignment, size_t size) { 99 void *res = memalign_fff(alignment, size); break_optimization(0); return res;} 100NOINLINE void *memalign_ddd(size_t alignment, size_t size) { 101 void *res = memalign_eee(alignment, size); break_optimization(0); return res;} 102NOINLINE void *memalign_ccc(size_t alignment, size_t size) { 103 void *res = memalign_ddd(alignment, size); break_optimization(0); return res;} 104NOINLINE void *memalign_bbb(size_t alignment, size_t size) { 105 void *res = memalign_ccc(alignment, size); break_optimization(0); return res;} 106NOINLINE void *memalign_aaa(size_t alignment, size_t size) { 107 void *res = memalign_bbb(alignment, size); break_optimization(0); return res;} 108#endif // __APPLE__ 109 110 111NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 112NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 113NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 114 115template<typename T> 116NOINLINE void oob_test(int size, int off) { 117 char *p = (char*)malloc_aaa(size); 118 // fprintf(stderr, "writing %d byte(s) into [%p,%p) with offset %d\n", 119 // sizeof(T), p, p + size, off); 120 asan_write((T*)(p + off)); 121 free_aaa(p); 122} 123 124 125template<typename T> 126NOINLINE void uaf_test(int size, int off) { 127 char *p = (char *)malloc_aaa(size); 128 free_aaa(p); 129 for (int i = 1; i < 100; i++) 130 free_aaa(malloc_aaa(i)); 131 fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 132 (long)sizeof(T), p, off); 133 asan_write((T*)(p + off)); 134} 135 136TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 137#if defined(__has_feature) && __has_feature(address_sanitizer) 138 bool asan = 1; 139#elif defined(__SANITIZE_ADDRESS__) 140 bool asan = 1; 141#else 142 bool asan = 0; 143#endif 144 EXPECT_EQ(true, asan); 145} 146 147TEST(AddressSanitizer, SimpleDeathTest) { 148 EXPECT_DEATH(exit(1), ""); 149} 150 151TEST(AddressSanitizer, VariousMallocsTest) { 152 int *a = (int*)malloc(100 * sizeof(int)); 153 a[50] = 0; 154 free(a); 155 156 int *r = (int*)malloc(10); 157 r = (int*)realloc(r, 2000 * sizeof(int)); 158 r[1000] = 0; 159 free(r); 160 161 int *b = new int[100]; 162 b[50] = 0; 163 delete [] b; 164 165 int *c = new int; 166 *c = 0; 167 delete c; 168 169#if !defined(__APPLE__) && !defined(ANDROID) && !defined(__ANDROID__) 170 int *pm; 171 int pm_res = posix_memalign((void**)&pm, kPageSize, kPageSize); 172 EXPECT_EQ(0, pm_res); 173 free(pm); 174#endif 175 176#if !defined(__APPLE__) 177 int *ma = (int*)memalign(kPageSize, kPageSize); 178 EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 179 ma[123] = 0; 180 free(ma); 181#endif // __APPLE__ 182} 183 184TEST(AddressSanitizer, CallocTest) { 185 int *a = (int*)calloc(100, sizeof(int)); 186 EXPECT_EQ(0, a[10]); 187 free(a); 188} 189 190TEST(AddressSanitizer, VallocTest) { 191 void *a = valloc(100); 192 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 193 free(a); 194} 195 196#ifndef __APPLE__ 197TEST(AddressSanitizer, PvallocTest) { 198 char *a = (char*)pvalloc(kPageSize + 100); 199 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 200 a[kPageSize + 101] = 1; // we should not report an error here. 201 free(a); 202 203 a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 204 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 205 a[101] = 1; // we should not report an error here. 206 free(a); 207} 208#endif // __APPLE__ 209 210void *TSDWorker(void *test_key) { 211 if (test_key) { 212 pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 213 } 214 return NULL; 215} 216 217void TSDDestructor(void *tsd) { 218 // Spawning a thread will check that the current thread id is not -1. 219 pthread_t th; 220 PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 221 PTHREAD_JOIN(th, NULL); 222} 223 224// This tests triggers the thread-specific data destruction fiasco which occurs 225// if we don't manage the TSD destructors ourselves. We create a new pthread 226// key with a non-NULL destructor which is likely to be put after the destructor 227// of AsanThread in the list of destructors. 228// In this case the TSD for AsanThread will be destroyed before TSDDestructor 229// is called for the child thread, and a CHECK will fail when we call 230// pthread_create() to spawn the grandchild. 231TEST(AddressSanitizer, DISABLED_TSDTest) { 232 pthread_t th; 233 pthread_key_t test_key; 234 pthread_key_create(&test_key, TSDDestructor); 235 PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 236 PTHREAD_JOIN(th, NULL); 237 pthread_key_delete(test_key); 238} 239 240template<typename T> 241void OOBTest() { 242 char expected_str[100]; 243 for (int size = sizeof(T); size < 20; size += 5) { 244 for (int i = -5; i < 0; i++) { 245 const char *str = 246 "is located.*%d byte.*to the left"; 247 sprintf(expected_str, str, abs(i)); 248 EXPECT_DEATH(oob_test<T>(size, i), expected_str); 249 } 250 251 for (int i = 0; i < (int)(size - sizeof(T) + 1); i++) 252 oob_test<T>(size, i); 253 254 for (int i = size - sizeof(T) + 1; i <= (int)(size + 3 * sizeof(T)); i++) { 255 const char *str = 256 "is located.*%d byte.*to the right"; 257 int off = i >= size ? (i - size) : 0; 258 // we don't catch unaligned partially OOB accesses. 259 if (i % sizeof(T)) continue; 260 sprintf(expected_str, str, off); 261 EXPECT_DEATH(oob_test<T>(size, i), expected_str); 262 } 263 } 264 265 EXPECT_DEATH(oob_test<T>(kLargeMalloc, -1), 266 "is located.*1 byte.*to the left"); 267 EXPECT_DEATH(oob_test<T>(kLargeMalloc, kLargeMalloc), 268 "is located.*0 byte.*to the right"); 269} 270 271// TODO(glider): the following tests are EXTREMELY slow on Darwin: 272// AddressSanitizer.OOB_char (125503 ms) 273// AddressSanitizer.OOB_int (126890 ms) 274// AddressSanitizer.OOBRightTest (315605 ms) 275// AddressSanitizer.SimpleStackTest (366559 ms) 276 277TEST(AddressSanitizer, OOB_char) { 278 OOBTest<U1>(); 279} 280 281TEST(AddressSanitizer, OOB_int) { 282 OOBTest<U4>(); 283} 284 285TEST(AddressSanitizer, OOBRightTest) { 286 for (size_t access_size = 1; access_size <= 8; access_size *= 2) { 287 for (size_t alloc_size = 1; alloc_size <= 8; alloc_size++) { 288 for (size_t offset = 0; offset <= 8; offset += access_size) { 289 void *p = malloc(alloc_size); 290 // allocated: [p, p + alloc_size) 291 // accessed: [p + offset, p + offset + access_size) 292 uint8_t *addr = (uint8_t*)p + offset; 293 if (offset + access_size <= alloc_size) { 294 asan_write_sized_aligned(addr, access_size); 295 } else { 296 int outside_bytes = offset > alloc_size ? (offset - alloc_size) : 0; 297 const char *str = 298 "is located.%d *byte.*to the right"; 299 char expected_str[100]; 300 sprintf(expected_str, str, outside_bytes); 301 EXPECT_DEATH(asan_write_sized_aligned(addr, access_size), 302 expected_str); 303 } 304 free(p); 305 } 306 } 307 } 308} 309 310TEST(AddressSanitizer, UAF_char) { 311 const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 312 EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 313 EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 314 EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 315 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 316 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 317} 318 319#if ASAN_HAS_BLACKLIST 320TEST(AddressSanitizer, IgnoreTest) { 321 int *x = Ident(new int); 322 delete Ident(x); 323 *x = 0; 324} 325#endif // ASAN_HAS_BLACKLIST 326 327struct StructWithBitField { 328 int bf1:1; 329 int bf2:1; 330 int bf3:1; 331 int bf4:29; 332}; 333 334TEST(AddressSanitizer, BitFieldPositiveTest) { 335 StructWithBitField *x = new StructWithBitField; 336 delete Ident(x); 337 EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 338 EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 339 EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 340 EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 341} 342 343struct StructWithBitFields_8_24 { 344 int a:8; 345 int b:24; 346}; 347 348TEST(AddressSanitizer, BitFieldNegativeTest) { 349 StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 350 x->a = 0; 351 x->b = 0; 352 delete Ident(x); 353} 354 355TEST(AddressSanitizer, OutOfMemoryTest) { 356 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 48) : (0xf0000000); 357 EXPECT_EQ(0, realloc(0, size)); 358 EXPECT_EQ(0, realloc(0, ~Ident(0))); 359 EXPECT_EQ(0, malloc(size)); 360 EXPECT_EQ(0, malloc(~Ident(0))); 361 EXPECT_EQ(0, calloc(1, size)); 362 EXPECT_EQ(0, calloc(1, ~Ident(0))); 363} 364 365#if ASAN_NEEDS_SEGV 366namespace { 367 368const char kUnknownCrash[] = "AddressSanitizer: SEGV on unknown address"; 369const char kOverriddenHandler[] = "ASan signal handler has been overridden\n"; 370 371TEST(AddressSanitizer, WildAddressTest) { 372 char *c = (char*)0x123; 373 EXPECT_DEATH(*c = 0, kUnknownCrash); 374} 375 376void my_sigaction_sighandler(int, siginfo_t*, void*) { 377 fprintf(stderr, kOverriddenHandler); 378 exit(1); 379} 380 381void my_signal_sighandler(int signum) { 382 fprintf(stderr, kOverriddenHandler); 383 exit(1); 384} 385 386TEST(AddressSanitizer, SignalTest) { 387 struct sigaction sigact; 388 memset(&sigact, 0, sizeof(sigact)); 389 sigact.sa_sigaction = my_sigaction_sighandler; 390 sigact.sa_flags = SA_SIGINFO; 391 // ASan should silently ignore sigaction()... 392 EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 393#ifdef __APPLE__ 394 EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 395#endif 396 char *c = (char*)0x123; 397 EXPECT_DEATH(*c = 0, kUnknownCrash); 398 // ... and signal(). 399 EXPECT_EQ(0, signal(SIGSEGV, my_signal_sighandler)); 400 EXPECT_DEATH(*c = 0, kUnknownCrash); 401} 402} // namespace 403#endif 404 405static void MallocStress(size_t n) { 406 uint32_t seed = my_rand(&global_seed); 407 for (size_t iter = 0; iter < 10; iter++) { 408 vector<void *> vec; 409 for (size_t i = 0; i < n; i++) { 410 if ((i % 3) == 0) { 411 if (vec.empty()) continue; 412 size_t idx = my_rand(&seed) % vec.size(); 413 void *ptr = vec[idx]; 414 vec[idx] = vec.back(); 415 vec.pop_back(); 416 free_aaa(ptr); 417 } else { 418 size_t size = my_rand(&seed) % 1000 + 1; 419#ifndef __APPLE__ 420 size_t alignment = 1 << (my_rand(&seed) % 7 + 3); 421 char *ptr = (char*)memalign_aaa(alignment, size); 422#else 423 char *ptr = (char*) malloc_aaa(size); 424#endif 425 vec.push_back(ptr); 426 ptr[0] = 0; 427 ptr[size-1] = 0; 428 ptr[size/2] = 0; 429 } 430 } 431 for (size_t i = 0; i < vec.size(); i++) 432 free_aaa(vec[i]); 433 } 434} 435 436TEST(AddressSanitizer, MallocStressTest) { 437 MallocStress((ASAN_LOW_MEMORY) ? 20000 : 200000); 438} 439 440static void TestLargeMalloc(size_t size) { 441 char buff[1024]; 442 sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 443 EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 444} 445 446TEST(AddressSanitizer, LargeMallocTest) { 447 for (int i = 113; i < (1 << 28); i = i * 2 + 13) { 448 TestLargeMalloc(i); 449 } 450} 451 452#if ASAN_LOW_MEMORY != 1 453TEST(AddressSanitizer, HugeMallocTest) { 454#ifdef __APPLE__ 455 // It was empirically found out that 1215 megabytes is the maximum amount of 456 // memory available to the process under AddressSanitizer on 32-bit Mac 10.6. 457 // 32-bit Mac 10.7 gives even less (< 1G). 458 // (the libSystem malloc() allows allocating up to 2300 megabytes without 459 // ASan). 460 size_t n_megs = SANITIZER_WORDSIZE == 32 ? 500 : 4100; 461#else 462 size_t n_megs = SANITIZER_WORDSIZE == 32 ? 2600 : 4100; 463#endif 464 TestLargeMalloc(n_megs << 20); 465} 466#endif 467 468TEST(AddressSanitizer, ThreadedMallocStressTest) { 469 const int kNumThreads = 4; 470 const int kNumIterations = (ASAN_LOW_MEMORY) ? 10000 : 100000; 471 pthread_t t[kNumThreads]; 472 for (int i = 0; i < kNumThreads; i++) { 473 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))MallocStress, 474 (void*)kNumIterations); 475 } 476 for (int i = 0; i < kNumThreads; i++) { 477 PTHREAD_JOIN(t[i], 0); 478 } 479} 480 481void *ManyThreadsWorker(void *a) { 482 for (int iter = 0; iter < 100; iter++) { 483 for (size_t size = 100; size < 2000; size *= 2) { 484 free(Ident(malloc(size))); 485 } 486 } 487 return 0; 488} 489 490TEST(AddressSanitizer, ManyThreadsTest) { 491 const size_t kNumThreads = 492 (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 493 pthread_t t[kNumThreads]; 494 for (size_t i = 0; i < kNumThreads; i++) { 495 PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 496 } 497 for (size_t i = 0; i < kNumThreads; i++) { 498 PTHREAD_JOIN(t[i], 0); 499 } 500} 501 502TEST(AddressSanitizer, ReallocTest) { 503 const int kMinElem = 5; 504 int *ptr = (int*)malloc(sizeof(int) * kMinElem); 505 ptr[3] = 3; 506 for (int i = 0; i < 10000; i++) { 507 ptr = (int*)realloc(ptr, 508 (my_rand(&global_seed) % 1000 + kMinElem) * sizeof(int)); 509 EXPECT_EQ(3, ptr[3]); 510 } 511} 512 513#ifndef __APPLE__ 514static const char *kMallocUsableSizeErrorMsg = 515 "AddressSanitizer: attempting to call malloc_usable_size()"; 516 517TEST(AddressSanitizer, MallocUsableSizeTest) { 518 const size_t kArraySize = 100; 519 char *array = Ident((char*)malloc(kArraySize)); 520 int *int_ptr = Ident(new int); 521 EXPECT_EQ(0U, malloc_usable_size(NULL)); 522 EXPECT_EQ(kArraySize, malloc_usable_size(array)); 523 EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 524 EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 525 EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 526 kMallocUsableSizeErrorMsg); 527 free(array); 528 EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 529} 530#endif 531 532void WrongFree() { 533 int *x = (int*)malloc(100 * sizeof(int)); 534 // Use the allocated memory, otherwise Clang will optimize it out. 535 Ident(x); 536 free(x + 1); 537} 538 539TEST(AddressSanitizer, WrongFreeTest) { 540 EXPECT_DEATH(WrongFree(), 541 "ERROR: AddressSanitizer: attempting free.*not malloc"); 542} 543 544void DoubleFree() { 545 int *x = (int*)malloc(100 * sizeof(int)); 546 fprintf(stderr, "DoubleFree: x=%p\n", x); 547 free(x); 548 free(x); 549 fprintf(stderr, "should have failed in the second free(%p)\n", x); 550 abort(); 551} 552 553TEST(AddressSanitizer, DoubleFreeTest) { 554 EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 555 "ERROR: AddressSanitizer: attempting double-free" 556 ".*is located 0 bytes inside of 400-byte region" 557 ".*freed by thread T0 here" 558 ".*previously allocated by thread T0 here"); 559} 560 561template<int kSize> 562NOINLINE void SizedStackTest() { 563 char a[kSize]; 564 char *A = Ident((char*)&a); 565 for (size_t i = 0; i < kSize; i++) 566 A[i] = i; 567 EXPECT_DEATH(A[-1] = 0, ""); 568 EXPECT_DEATH(A[-20] = 0, ""); 569 EXPECT_DEATH(A[-31] = 0, ""); 570 EXPECT_DEATH(A[kSize] = 0, ""); 571 EXPECT_DEATH(A[kSize + 1] = 0, ""); 572 EXPECT_DEATH(A[kSize + 10] = 0, ""); 573 EXPECT_DEATH(A[kSize + 31] = 0, ""); 574} 575 576TEST(AddressSanitizer, SimpleStackTest) { 577 SizedStackTest<1>(); 578 SizedStackTest<2>(); 579 SizedStackTest<3>(); 580 SizedStackTest<4>(); 581 SizedStackTest<5>(); 582 SizedStackTest<6>(); 583 SizedStackTest<7>(); 584 SizedStackTest<16>(); 585 SizedStackTest<25>(); 586 SizedStackTest<34>(); 587 SizedStackTest<43>(); 588 SizedStackTest<51>(); 589 SizedStackTest<62>(); 590 SizedStackTest<64>(); 591 SizedStackTest<128>(); 592} 593 594TEST(AddressSanitizer, ManyStackObjectsTest) { 595 char XXX[10]; 596 char YYY[20]; 597 char ZZZ[30]; 598 Ident(XXX); 599 Ident(YYY); 600 EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 601} 602 603NOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 604 char d[4] = {0}; 605 char *D = Ident(d); 606 switch (frame) { 607 case 3: a[5]++; break; 608 case 2: b[5]++; break; 609 case 1: c[5]++; break; 610 case 0: D[5]++; break; 611 } 612} 613NOINLINE static void Frame1(int frame, char *a, char *b) { 614 char c[4] = {0}; Frame0(frame, a, b, c); 615 break_optimization(0); 616} 617NOINLINE static void Frame2(int frame, char *a) { 618 char b[4] = {0}; Frame1(frame, a, b); 619 break_optimization(0); 620} 621NOINLINE static void Frame3(int frame) { 622 char a[4] = {0}; Frame2(frame, a); 623 break_optimization(0); 624} 625 626TEST(AddressSanitizer, GuiltyStackFrame0Test) { 627 EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 628} 629TEST(AddressSanitizer, GuiltyStackFrame1Test) { 630 EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 631} 632TEST(AddressSanitizer, GuiltyStackFrame2Test) { 633 EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 634} 635TEST(AddressSanitizer, GuiltyStackFrame3Test) { 636 EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 637} 638 639NOINLINE void LongJmpFunc1(jmp_buf buf) { 640 // create three red zones for these two stack objects. 641 int a; 642 int b; 643 644 int *A = Ident(&a); 645 int *B = Ident(&b); 646 *A = *B; 647 longjmp(buf, 1); 648} 649 650NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 651 // create three red zones for these two stack objects. 652 int a; 653 int b; 654 655 int *A = Ident(&a); 656 int *B = Ident(&b); 657 *A = *B; 658 __builtin_longjmp((void**)buf, 1); 659} 660 661NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 662 // create three red zones for these two stack objects. 663 int a; 664 int b; 665 666 int *A = Ident(&a); 667 int *B = Ident(&b); 668 *A = *B; 669 _longjmp(buf, 1); 670} 671 672NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 673 // create three red zones for these two stack objects. 674 int a; 675 int b; 676 677 int *A = Ident(&a); 678 int *B = Ident(&b); 679 *A = *B; 680 siglongjmp(buf, 1); 681} 682 683 684NOINLINE void TouchStackFunc() { 685 int a[100]; // long array will intersect with redzones from LongJmpFunc1. 686 int *A = Ident(a); 687 for (int i = 0; i < 100; i++) 688 A[i] = i*i; 689} 690 691// Test that we handle longjmp and do not report fals positives on stack. 692TEST(AddressSanitizer, LongJmpTest) { 693 static jmp_buf buf; 694 if (!setjmp(buf)) { 695 LongJmpFunc1(buf); 696 } else { 697 TouchStackFunc(); 698 } 699} 700 701#if not defined(__ANDROID__) 702TEST(AddressSanitizer, BuiltinLongJmpTest) { 703 static jmp_buf buf; 704 if (!__builtin_setjmp((void**)buf)) { 705 BuiltinLongJmpFunc1(buf); 706 } else { 707 TouchStackFunc(); 708 } 709} 710#endif // not defined(__ANDROID__) 711 712TEST(AddressSanitizer, UnderscopeLongJmpTest) { 713 static jmp_buf buf; 714 if (!_setjmp(buf)) { 715 UnderscopeLongJmpFunc1(buf); 716 } else { 717 TouchStackFunc(); 718 } 719} 720 721TEST(AddressSanitizer, SigLongJmpTest) { 722 static sigjmp_buf buf; 723 if (!sigsetjmp(buf, 1)) { 724 SigLongJmpFunc1(buf); 725 } else { 726 TouchStackFunc(); 727 } 728} 729 730#ifdef __EXCEPTIONS 731NOINLINE void ThrowFunc() { 732 // create three red zones for these two stack objects. 733 int a; 734 int b; 735 736 int *A = Ident(&a); 737 int *B = Ident(&b); 738 *A = *B; 739 ASAN_THROW(1); 740} 741 742TEST(AddressSanitizer, CxxExceptionTest) { 743 if (ASAN_UAR) return; 744 // TODO(kcc): this test crashes on 32-bit for some reason... 745 if (SANITIZER_WORDSIZE == 32) return; 746 try { 747 ThrowFunc(); 748 } catch(...) {} 749 TouchStackFunc(); 750} 751#endif 752 753void *ThreadStackReuseFunc1(void *unused) { 754 // create three red zones for these two stack objects. 755 int a; 756 int b; 757 758 int *A = Ident(&a); 759 int *B = Ident(&b); 760 *A = *B; 761 pthread_exit(0); 762 return 0; 763} 764 765void *ThreadStackReuseFunc2(void *unused) { 766 TouchStackFunc(); 767 return 0; 768} 769 770TEST(AddressSanitizer, ThreadStackReuseTest) { 771 pthread_t t; 772 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 773 PTHREAD_JOIN(t, 0); 774 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 775 PTHREAD_JOIN(t, 0); 776} 777 778#if defined(__i386__) || defined(__x86_64__) 779TEST(AddressSanitizer, Store128Test) { 780 char *a = Ident((char*)malloc(Ident(12))); 781 char *p = a; 782 if (((uintptr_t)a % 16) != 0) 783 p = a + 8; 784 assert(((uintptr_t)p % 16) == 0); 785 __m128i value_wide = _mm_set1_epi16(0x1234); 786 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 787 "AddressSanitizer: heap-buffer-overflow"); 788 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 789 "WRITE of size 16"); 790 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 791 "located 0 bytes to the right of 12-byte"); 792 free(a); 793} 794#endif 795 796static string RightOOBErrorMessage(int oob_distance, bool is_write) { 797 assert(oob_distance >= 0); 798 char expected_str[100]; 799 sprintf(expected_str, ASAN_PCRE_DOTALL "%s.*located %d bytes to the right", 800 is_write ? "WRITE" : "READ", oob_distance); 801 return string(expected_str); 802} 803 804static string RightOOBWriteMessage(int oob_distance) { 805 return RightOOBErrorMessage(oob_distance, /*is_write*/true); 806} 807 808static string RightOOBReadMessage(int oob_distance) { 809 return RightOOBErrorMessage(oob_distance, /*is_write*/false); 810} 811 812static string LeftOOBErrorMessage(int oob_distance, bool is_write) { 813 assert(oob_distance > 0); 814 char expected_str[100]; 815 sprintf(expected_str, ASAN_PCRE_DOTALL "%s.*located %d bytes to the left", 816 is_write ? "WRITE" : "READ", oob_distance); 817 return string(expected_str); 818} 819 820static string LeftOOBWriteMessage(int oob_distance) { 821 return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 822} 823 824static string LeftOOBReadMessage(int oob_distance) { 825 return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 826} 827 828static string LeftOOBAccessMessage(int oob_distance) { 829 assert(oob_distance > 0); 830 char expected_str[100]; 831 sprintf(expected_str, "located %d bytes to the left", oob_distance); 832 return string(expected_str); 833} 834 835template<typename T> 836void MemSetOOBTestTemplate(size_t length) { 837 if (length == 0) return; 838 size_t size = Ident(sizeof(T) * length); 839 T *array = Ident((T*)malloc(size)); 840 int element = Ident(42); 841 int zero = Ident(0); 842 // memset interval inside array 843 memset(array, element, size); 844 memset(array, element, size - 1); 845 memset(array + length - 1, element, sizeof(T)); 846 memset(array, element, 1); 847 848 // memset 0 bytes 849 memset(array - 10, element, zero); 850 memset(array - 1, element, zero); 851 memset(array, element, zero); 852 memset(array + length, 0, zero); 853 memset(array + length + 1, 0, zero); 854 855 // try to memset bytes to the right of array 856 EXPECT_DEATH(memset(array, 0, size + 1), 857 RightOOBWriteMessage(0)); 858 EXPECT_DEATH(memset((char*)(array + length) - 1, element, 6), 859 RightOOBWriteMessage(4)); 860 EXPECT_DEATH(memset(array + 1, element, size + sizeof(T)), 861 RightOOBWriteMessage(2 * sizeof(T) - 1)); 862 // whole interval is to the right 863 EXPECT_DEATH(memset(array + length + 1, 0, 10), 864 RightOOBWriteMessage(sizeof(T))); 865 866 // try to memset bytes to the left of array 867 EXPECT_DEATH(memset((char*)array - 1, element, size), 868 LeftOOBWriteMessage(1)); 869 EXPECT_DEATH(memset((char*)array - 5, 0, 6), 870 LeftOOBWriteMessage(5)); 871 EXPECT_DEATH(memset(array - 5, element, size + 5 * sizeof(T)), 872 LeftOOBWriteMessage(5 * sizeof(T))); 873 // whole interval is to the left 874 EXPECT_DEATH(memset(array - 2, 0, sizeof(T)), 875 LeftOOBWriteMessage(2 * sizeof(T))); 876 877 // try to memset bytes both to the left & to the right 878 EXPECT_DEATH(memset((char*)array - 2, element, size + 4), 879 LeftOOBWriteMessage(2)); 880 881 free(array); 882} 883 884TEST(AddressSanitizer, MemSetOOBTest) { 885 MemSetOOBTestTemplate<char>(100); 886 MemSetOOBTestTemplate<int>(5); 887 MemSetOOBTestTemplate<double>(256); 888 // We can test arrays of structres/classes here, but what for? 889} 890 891// Same test for memcpy and memmove functions 892template <typename T, class M> 893void MemTransferOOBTestTemplate(size_t length) { 894 if (length == 0) return; 895 size_t size = Ident(sizeof(T) * length); 896 T *src = Ident((T*)malloc(size)); 897 T *dest = Ident((T*)malloc(size)); 898 int zero = Ident(0); 899 900 // valid transfer of bytes between arrays 901 M::transfer(dest, src, size); 902 M::transfer(dest + 1, src, size - sizeof(T)); 903 M::transfer(dest, src + length - 1, sizeof(T)); 904 M::transfer(dest, src, 1); 905 906 // transfer zero bytes 907 M::transfer(dest - 1, src, 0); 908 M::transfer(dest + length, src, zero); 909 M::transfer(dest, src - 1, zero); 910 M::transfer(dest, src, zero); 911 912 // try to change mem to the right of dest 913 EXPECT_DEATH(M::transfer(dest + 1, src, size), 914 RightOOBWriteMessage(sizeof(T) - 1)); 915 EXPECT_DEATH(M::transfer((char*)(dest + length) - 1, src, 5), 916 RightOOBWriteMessage(3)); 917 918 // try to change mem to the left of dest 919 EXPECT_DEATH(M::transfer(dest - 2, src, size), 920 LeftOOBWriteMessage(2 * sizeof(T))); 921 EXPECT_DEATH(M::transfer((char*)dest - 3, src, 4), 922 LeftOOBWriteMessage(3)); 923 924 // try to access mem to the right of src 925 EXPECT_DEATH(M::transfer(dest, src + 2, size), 926 RightOOBReadMessage(2 * sizeof(T) - 1)); 927 EXPECT_DEATH(M::transfer(dest, (char*)(src + length) - 3, 6), 928 RightOOBReadMessage(2)); 929 930 // try to access mem to the left of src 931 EXPECT_DEATH(M::transfer(dest, src - 1, size), 932 LeftOOBReadMessage(sizeof(T))); 933 EXPECT_DEATH(M::transfer(dest, (char*)src - 6, 7), 934 LeftOOBReadMessage(6)); 935 936 // Generally we don't need to test cases where both accessing src and writing 937 // to dest address to poisoned memory. 938 939 T *big_src = Ident((T*)malloc(size * 2)); 940 T *big_dest = Ident((T*)malloc(size * 2)); 941 // try to change mem to both sides of dest 942 EXPECT_DEATH(M::transfer(dest - 1, big_src, size * 2), 943 LeftOOBWriteMessage(sizeof(T))); 944 // try to access mem to both sides of src 945 EXPECT_DEATH(M::transfer(big_dest, src - 2, size * 2), 946 LeftOOBReadMessage(2 * sizeof(T))); 947 948 free(src); 949 free(dest); 950 free(big_src); 951 free(big_dest); 952} 953 954class MemCpyWrapper { 955 public: 956 static void* transfer(void *to, const void *from, size_t size) { 957 return memcpy(to, from, size); 958 } 959}; 960TEST(AddressSanitizer, MemCpyOOBTest) { 961 MemTransferOOBTestTemplate<char, MemCpyWrapper>(100); 962 MemTransferOOBTestTemplate<int, MemCpyWrapper>(1024); 963} 964 965class MemMoveWrapper { 966 public: 967 static void* transfer(void *to, const void *from, size_t size) { 968 return memmove(to, from, size); 969 } 970}; 971TEST(AddressSanitizer, MemMoveOOBTest) { 972 MemTransferOOBTestTemplate<char, MemMoveWrapper>(100); 973 MemTransferOOBTestTemplate<int, MemMoveWrapper>(1024); 974} 975 976// Tests for string functions 977 978// Used for string functions tests 979static char global_string[] = "global"; 980static size_t global_string_length = 6; 981 982// Input to a test is a zero-terminated string str with given length 983// Accesses to the bytes to the left and to the right of str 984// are presumed to produce OOB errors 985void StrLenOOBTestTemplate(char *str, size_t length, bool is_global) { 986 // Normal strlen calls 987 EXPECT_EQ(strlen(str), length); 988 if (length > 0) { 989 EXPECT_EQ(length - 1, strlen(str + 1)); 990 EXPECT_EQ(0U, strlen(str + length)); 991 } 992 // Arg of strlen is not malloced, OOB access 993 if (!is_global) { 994 // We don't insert RedZones to the left of global variables 995 EXPECT_DEATH(Ident(strlen(str - 1)), LeftOOBReadMessage(1)); 996 EXPECT_DEATH(Ident(strlen(str - 5)), LeftOOBReadMessage(5)); 997 } 998 EXPECT_DEATH(Ident(strlen(str + length + 1)), RightOOBReadMessage(0)); 999 // Overwrite terminator 1000 str[length] = 'a'; 1001 // String is not zero-terminated, strlen will lead to OOB access 1002 EXPECT_DEATH(Ident(strlen(str)), RightOOBReadMessage(0)); 1003 EXPECT_DEATH(Ident(strlen(str + length)), RightOOBReadMessage(0)); 1004 // Restore terminator 1005 str[length] = 0; 1006} 1007TEST(AddressSanitizer, StrLenOOBTest) { 1008 // Check heap-allocated string 1009 size_t length = Ident(10); 1010 char *heap_string = Ident((char*)malloc(length + 1)); 1011 char stack_string[10 + 1]; 1012 break_optimization(&stack_string); 1013 for (size_t i = 0; i < length; i++) { 1014 heap_string[i] = 'a'; 1015 stack_string[i] = 'b'; 1016 } 1017 heap_string[length] = 0; 1018 stack_string[length] = 0; 1019 StrLenOOBTestTemplate(heap_string, length, false); 1020 // TODO(samsonov): Fix expected messages in StrLenOOBTestTemplate to 1021 // make test for stack_string work. Or move it to output tests. 1022 // StrLenOOBTestTemplate(stack_string, length, false); 1023 StrLenOOBTestTemplate(global_string, global_string_length, true); 1024 free(heap_string); 1025} 1026 1027static inline char* MallocAndMemsetString(size_t size, char ch) { 1028 char *s = Ident((char*)malloc(size)); 1029 memset(s, ch, size); 1030 return s; 1031} 1032static inline char* MallocAndMemsetString(size_t size) { 1033 return MallocAndMemsetString(size, 'z'); 1034} 1035 1036#ifndef __APPLE__ 1037TEST(AddressSanitizer, StrNLenOOBTest) { 1038 size_t size = Ident(123); 1039 char *str = MallocAndMemsetString(size); 1040 // Normal strnlen calls. 1041 Ident(strnlen(str - 1, 0)); 1042 Ident(strnlen(str, size)); 1043 Ident(strnlen(str + size - 1, 1)); 1044 str[size - 1] = '\0'; 1045 Ident(strnlen(str, 2 * size)); 1046 // Argument points to not allocated memory. 1047 EXPECT_DEATH(Ident(strnlen(str - 1, 1)), LeftOOBReadMessage(1)); 1048 EXPECT_DEATH(Ident(strnlen(str + size, 1)), RightOOBReadMessage(0)); 1049 // Overwrite the terminating '\0' and hit unallocated memory. 1050 str[size - 1] = 'z'; 1051 EXPECT_DEATH(Ident(strnlen(str, size + 1)), RightOOBReadMessage(0)); 1052 free(str); 1053} 1054#endif 1055 1056TEST(AddressSanitizer, StrDupOOBTest) { 1057 size_t size = Ident(42); 1058 char *str = MallocAndMemsetString(size); 1059 char *new_str; 1060 // Normal strdup calls. 1061 str[size - 1] = '\0'; 1062 new_str = strdup(str); 1063 free(new_str); 1064 new_str = strdup(str + size - 1); 1065 free(new_str); 1066 // Argument points to not allocated memory. 1067 EXPECT_DEATH(Ident(strdup(str - 1)), LeftOOBReadMessage(1)); 1068 EXPECT_DEATH(Ident(strdup(str + size)), RightOOBReadMessage(0)); 1069 // Overwrite the terminating '\0' and hit unallocated memory. 1070 str[size - 1] = 'z'; 1071 EXPECT_DEATH(Ident(strdup(str)), RightOOBReadMessage(0)); 1072 free(str); 1073} 1074 1075TEST(AddressSanitizer, StrCpyOOBTest) { 1076 size_t to_size = Ident(30); 1077 size_t from_size = Ident(6); // less than to_size 1078 char *to = Ident((char*)malloc(to_size)); 1079 char *from = Ident((char*)malloc(from_size)); 1080 // Normal strcpy calls. 1081 strcpy(from, "hello"); 1082 strcpy(to, from); 1083 strcpy(to + to_size - from_size, from); 1084 // Length of "from" is too small. 1085 EXPECT_DEATH(Ident(strcpy(from, "hello2")), RightOOBWriteMessage(0)); 1086 // "to" or "from" points to not allocated memory. 1087 EXPECT_DEATH(Ident(strcpy(to - 1, from)), LeftOOBWriteMessage(1)); 1088 EXPECT_DEATH(Ident(strcpy(to, from - 1)), LeftOOBReadMessage(1)); 1089 EXPECT_DEATH(Ident(strcpy(to, from + from_size)), RightOOBReadMessage(0)); 1090 EXPECT_DEATH(Ident(strcpy(to + to_size, from)), RightOOBWriteMessage(0)); 1091 // Overwrite the terminating '\0' character and hit unallocated memory. 1092 from[from_size - 1] = '!'; 1093 EXPECT_DEATH(Ident(strcpy(to, from)), RightOOBReadMessage(0)); 1094 free(to); 1095 free(from); 1096} 1097 1098TEST(AddressSanitizer, StrNCpyOOBTest) { 1099 size_t to_size = Ident(20); 1100 size_t from_size = Ident(6); // less than to_size 1101 char *to = Ident((char*)malloc(to_size)); 1102 // From is a zero-terminated string "hello\0" of length 6 1103 char *from = Ident((char*)malloc(from_size)); 1104 strcpy(from, "hello"); 1105 // copy 0 bytes 1106 strncpy(to, from, 0); 1107 strncpy(to - 1, from - 1, 0); 1108 // normal strncpy calls 1109 strncpy(to, from, from_size); 1110 strncpy(to, from, to_size); 1111 strncpy(to, from + from_size - 1, to_size); 1112 strncpy(to + to_size - 1, from, 1); 1113 // One of {to, from} points to not allocated memory 1114 EXPECT_DEATH(Ident(strncpy(to, from - 1, from_size)), 1115 LeftOOBReadMessage(1)); 1116 EXPECT_DEATH(Ident(strncpy(to - 1, from, from_size)), 1117 LeftOOBWriteMessage(1)); 1118 EXPECT_DEATH(Ident(strncpy(to, from + from_size, 1)), 1119 RightOOBReadMessage(0)); 1120 EXPECT_DEATH(Ident(strncpy(to + to_size, from, 1)), 1121 RightOOBWriteMessage(0)); 1122 // Length of "to" is too small 1123 EXPECT_DEATH(Ident(strncpy(to + to_size - from_size + 1, from, from_size)), 1124 RightOOBWriteMessage(0)); 1125 EXPECT_DEATH(Ident(strncpy(to + 1, from, to_size)), 1126 RightOOBWriteMessage(0)); 1127 // Overwrite terminator in from 1128 from[from_size - 1] = '!'; 1129 // normal strncpy call 1130 strncpy(to, from, from_size); 1131 // Length of "from" is too small 1132 EXPECT_DEATH(Ident(strncpy(to, from, to_size)), 1133 RightOOBReadMessage(0)); 1134 free(to); 1135 free(from); 1136} 1137 1138// Users may have different definitions of "strchr" and "index", so provide 1139// function pointer typedefs and overload RunStrChrTest implementation. 1140// We can't use macro for RunStrChrTest body here, as this macro would 1141// confuse EXPECT_DEATH gtest macro. 1142typedef char*(*PointerToStrChr1)(const char*, int); 1143typedef char*(*PointerToStrChr2)(char*, int); 1144 1145USED static void RunStrChrTest(PointerToStrChr1 StrChr) { 1146 size_t size = Ident(100); 1147 char *str = MallocAndMemsetString(size); 1148 str[10] = 'q'; 1149 str[11] = '\0'; 1150 EXPECT_EQ(str, StrChr(str, 'z')); 1151 EXPECT_EQ(str + 10, StrChr(str, 'q')); 1152 EXPECT_EQ(NULL, StrChr(str, 'a')); 1153 // StrChr argument points to not allocated memory. 1154 EXPECT_DEATH(Ident(StrChr(str - 1, 'z')), LeftOOBReadMessage(1)); 1155 EXPECT_DEATH(Ident(StrChr(str + size, 'z')), RightOOBReadMessage(0)); 1156 // Overwrite the terminator and hit not allocated memory. 1157 str[11] = 'z'; 1158 EXPECT_DEATH(Ident(StrChr(str, 'a')), RightOOBReadMessage(0)); 1159 free(str); 1160} 1161USED static void RunStrChrTest(PointerToStrChr2 StrChr) { 1162 size_t size = Ident(100); 1163 char *str = MallocAndMemsetString(size); 1164 str[10] = 'q'; 1165 str[11] = '\0'; 1166 EXPECT_EQ(str, StrChr(str, 'z')); 1167 EXPECT_EQ(str + 10, StrChr(str, 'q')); 1168 EXPECT_EQ(NULL, StrChr(str, 'a')); 1169 // StrChr argument points to not allocated memory. 1170 EXPECT_DEATH(Ident(StrChr(str - 1, 'z')), LeftOOBReadMessage(1)); 1171 EXPECT_DEATH(Ident(StrChr(str + size, 'z')), RightOOBReadMessage(0)); 1172 // Overwrite the terminator and hit not allocated memory. 1173 str[11] = 'z'; 1174 EXPECT_DEATH(Ident(StrChr(str, 'a')), RightOOBReadMessage(0)); 1175 free(str); 1176} 1177 1178TEST(AddressSanitizer, StrChrAndIndexOOBTest) { 1179 RunStrChrTest(&strchr); 1180 RunStrChrTest(&index); 1181} 1182 1183TEST(AddressSanitizer, StrCmpAndFriendsLogicTest) { 1184 // strcmp 1185 EXPECT_EQ(0, strcmp("", "")); 1186 EXPECT_EQ(0, strcmp("abcd", "abcd")); 1187 EXPECT_GT(0, strcmp("ab", "ac")); 1188 EXPECT_GT(0, strcmp("abc", "abcd")); 1189 EXPECT_LT(0, strcmp("acc", "abc")); 1190 EXPECT_LT(0, strcmp("abcd", "abc")); 1191 1192 // strncmp 1193 EXPECT_EQ(0, strncmp("a", "b", 0)); 1194 EXPECT_EQ(0, strncmp("abcd", "abcd", 10)); 1195 EXPECT_EQ(0, strncmp("abcd", "abcef", 3)); 1196 EXPECT_GT(0, strncmp("abcde", "abcfa", 4)); 1197 EXPECT_GT(0, strncmp("a", "b", 5)); 1198 EXPECT_GT(0, strncmp("bc", "bcde", 4)); 1199 EXPECT_LT(0, strncmp("xyz", "xyy", 10)); 1200 EXPECT_LT(0, strncmp("baa", "aaa", 1)); 1201 EXPECT_LT(0, strncmp("zyx", "", 2)); 1202 1203 // strcasecmp 1204 EXPECT_EQ(0, strcasecmp("", "")); 1205 EXPECT_EQ(0, strcasecmp("zzz", "zzz")); 1206 EXPECT_EQ(0, strcasecmp("abCD", "ABcd")); 1207 EXPECT_GT(0, strcasecmp("aB", "Ac")); 1208 EXPECT_GT(0, strcasecmp("ABC", "ABCd")); 1209 EXPECT_LT(0, strcasecmp("acc", "abc")); 1210 EXPECT_LT(0, strcasecmp("ABCd", "abc")); 1211 1212 // strncasecmp 1213 EXPECT_EQ(0, strncasecmp("a", "b", 0)); 1214 EXPECT_EQ(0, strncasecmp("abCD", "ABcd", 10)); 1215 EXPECT_EQ(0, strncasecmp("abCd", "ABcef", 3)); 1216 EXPECT_GT(0, strncasecmp("abcde", "ABCfa", 4)); 1217 EXPECT_GT(0, strncasecmp("a", "B", 5)); 1218 EXPECT_GT(0, strncasecmp("bc", "BCde", 4)); 1219 EXPECT_LT(0, strncasecmp("xyz", "xyy", 10)); 1220 EXPECT_LT(0, strncasecmp("Baa", "aaa", 1)); 1221 EXPECT_LT(0, strncasecmp("zyx", "", 2)); 1222 1223 // memcmp 1224 EXPECT_EQ(0, memcmp("a", "b", 0)); 1225 EXPECT_EQ(0, memcmp("ab\0c", "ab\0c", 4)); 1226 EXPECT_GT(0, memcmp("\0ab", "\0ac", 3)); 1227 EXPECT_GT(0, memcmp("abb\0", "abba", 4)); 1228 EXPECT_LT(0, memcmp("ab\0cd", "ab\0c\0", 5)); 1229 EXPECT_LT(0, memcmp("zza", "zyx", 3)); 1230} 1231 1232typedef int(*PointerToStrCmp)(const char*, const char*); 1233void RunStrCmpTest(PointerToStrCmp StrCmp) { 1234 size_t size = Ident(100); 1235 char *s1 = MallocAndMemsetString(size); 1236 char *s2 = MallocAndMemsetString(size); 1237 s1[size - 1] = '\0'; 1238 s2[size - 1] = '\0'; 1239 // Normal StrCmp calls 1240 Ident(StrCmp(s1, s2)); 1241 Ident(StrCmp(s1, s2 + size - 1)); 1242 Ident(StrCmp(s1 + size - 1, s2 + size - 1)); 1243 s1[size - 1] = 'z'; 1244 s2[size - 1] = 'x'; 1245 Ident(StrCmp(s1, s2)); 1246 // One of arguments points to not allocated memory. 1247 EXPECT_DEATH(Ident(StrCmp)(s1 - 1, s2), LeftOOBReadMessage(1)); 1248 EXPECT_DEATH(Ident(StrCmp)(s1, s2 - 1), LeftOOBReadMessage(1)); 1249 EXPECT_DEATH(Ident(StrCmp)(s1 + size, s2), RightOOBReadMessage(0)); 1250 EXPECT_DEATH(Ident(StrCmp)(s1, s2 + size), RightOOBReadMessage(0)); 1251 // Hit unallocated memory and die. 1252 s2[size - 1] = 'z'; 1253 EXPECT_DEATH(Ident(StrCmp)(s1, s1), RightOOBReadMessage(0)); 1254 EXPECT_DEATH(Ident(StrCmp)(s1 + size - 1, s2), RightOOBReadMessage(0)); 1255 free(s1); 1256 free(s2); 1257} 1258 1259TEST(AddressSanitizer, StrCmpOOBTest) { 1260 RunStrCmpTest(&strcmp); 1261} 1262 1263TEST(AddressSanitizer, StrCaseCmpOOBTest) { 1264 RunStrCmpTest(&strcasecmp); 1265} 1266 1267typedef int(*PointerToStrNCmp)(const char*, const char*, size_t); 1268void RunStrNCmpTest(PointerToStrNCmp StrNCmp) { 1269 size_t size = Ident(100); 1270 char *s1 = MallocAndMemsetString(size); 1271 char *s2 = MallocAndMemsetString(size); 1272 s1[size - 1] = '\0'; 1273 s2[size - 1] = '\0'; 1274 // Normal StrNCmp calls 1275 Ident(StrNCmp(s1, s2, size + 2)); 1276 s1[size - 1] = 'z'; 1277 s2[size - 1] = 'x'; 1278 Ident(StrNCmp(s1 + size - 2, s2 + size - 2, size)); 1279 s2[size - 1] = 'z'; 1280 Ident(StrNCmp(s1 - 1, s2 - 1, 0)); 1281 Ident(StrNCmp(s1 + size - 1, s2 + size - 1, 1)); 1282 // One of arguments points to not allocated memory. 1283 EXPECT_DEATH(Ident(StrNCmp)(s1 - 1, s2, 1), LeftOOBReadMessage(1)); 1284 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 - 1, 1), LeftOOBReadMessage(1)); 1285 EXPECT_DEATH(Ident(StrNCmp)(s1 + size, s2, 1), RightOOBReadMessage(0)); 1286 EXPECT_DEATH(Ident(StrNCmp)(s1, s2 + size, 1), RightOOBReadMessage(0)); 1287 // Hit unallocated memory and die. 1288 EXPECT_DEATH(Ident(StrNCmp)(s1 + 1, s2 + 1, size), RightOOBReadMessage(0)); 1289 EXPECT_DEATH(Ident(StrNCmp)(s1 + size - 1, s2, 2), RightOOBReadMessage(0)); 1290 free(s1); 1291 free(s2); 1292} 1293 1294TEST(AddressSanitizer, StrNCmpOOBTest) { 1295 RunStrNCmpTest(&strncmp); 1296} 1297 1298TEST(AddressSanitizer, StrNCaseCmpOOBTest) { 1299 RunStrNCmpTest(&strncasecmp); 1300} 1301 1302TEST(AddressSanitizer, MemCmpOOBTest) { 1303 size_t size = Ident(100); 1304 char *s1 = MallocAndMemsetString(size); 1305 char *s2 = MallocAndMemsetString(size); 1306 // Normal memcmp calls. 1307 Ident(memcmp(s1, s2, size)); 1308 Ident(memcmp(s1 + size - 1, s2 + size - 1, 1)); 1309 Ident(memcmp(s1 - 1, s2 - 1, 0)); 1310 // One of arguments points to not allocated memory. 1311 EXPECT_DEATH(Ident(memcmp)(s1 - 1, s2, 1), LeftOOBReadMessage(1)); 1312 EXPECT_DEATH(Ident(memcmp)(s1, s2 - 1, 1), LeftOOBReadMessage(1)); 1313 EXPECT_DEATH(Ident(memcmp)(s1 + size, s2, 1), RightOOBReadMessage(0)); 1314 EXPECT_DEATH(Ident(memcmp)(s1, s2 + size, 1), RightOOBReadMessage(0)); 1315 // Hit unallocated memory and die. 1316 EXPECT_DEATH(Ident(memcmp)(s1 + 1, s2 + 1, size), RightOOBReadMessage(0)); 1317 EXPECT_DEATH(Ident(memcmp)(s1 + size - 1, s2, 2), RightOOBReadMessage(0)); 1318 // Zero bytes are not terminators and don't prevent from OOB. 1319 s1[size - 1] = '\0'; 1320 s2[size - 1] = '\0'; 1321 EXPECT_DEATH(Ident(memcmp)(s1, s2, size + 1), RightOOBReadMessage(0)); 1322 free(s1); 1323 free(s2); 1324} 1325 1326TEST(AddressSanitizer, StrCatOOBTest) { 1327 // strcat() reads strlen(to) bytes from |to| before concatenating. 1328 size_t to_size = Ident(100); 1329 char *to = MallocAndMemsetString(to_size); 1330 to[0] = '\0'; 1331 size_t from_size = Ident(20); 1332 char *from = MallocAndMemsetString(from_size); 1333 from[from_size - 1] = '\0'; 1334 // Normal strcat calls. 1335 strcat(to, from); 1336 strcat(to, from); 1337 strcat(to + from_size, from + from_size - 2); 1338 // Passing an invalid pointer is an error even when concatenating an empty 1339 // string. 1340 EXPECT_DEATH(strcat(to - 1, from + from_size - 1), LeftOOBAccessMessage(1)); 1341 // One of arguments points to not allocated memory. 1342 EXPECT_DEATH(strcat(to - 1, from), LeftOOBAccessMessage(1)); 1343 EXPECT_DEATH(strcat(to, from - 1), LeftOOBReadMessage(1)); 1344 EXPECT_DEATH(strcat(to + to_size, from), RightOOBWriteMessage(0)); 1345 EXPECT_DEATH(strcat(to, from + from_size), RightOOBReadMessage(0)); 1346 1347 // "from" is not zero-terminated. 1348 from[from_size - 1] = 'z'; 1349 EXPECT_DEATH(strcat(to, from), RightOOBReadMessage(0)); 1350 from[from_size - 1] = '\0'; 1351 // "to" is not zero-terminated. 1352 memset(to, 'z', to_size); 1353 EXPECT_DEATH(strcat(to, from), RightOOBWriteMessage(0)); 1354 // "to" is too short to fit "from". 1355 to[to_size - from_size + 1] = '\0'; 1356 EXPECT_DEATH(strcat(to, from), RightOOBWriteMessage(0)); 1357 // length of "to" is just enough. 1358 strcat(to, from + 1); 1359 1360 free(to); 1361 free(from); 1362} 1363 1364TEST(AddressSanitizer, StrNCatOOBTest) { 1365 // strncat() reads strlen(to) bytes from |to| before concatenating. 1366 size_t to_size = Ident(100); 1367 char *to = MallocAndMemsetString(to_size); 1368 to[0] = '\0'; 1369 size_t from_size = Ident(20); 1370 char *from = MallocAndMemsetString(from_size); 1371 // Normal strncat calls. 1372 strncat(to, from, 0); 1373 strncat(to, from, from_size); 1374 from[from_size - 1] = '\0'; 1375 strncat(to, from, 2 * from_size); 1376 // Catenating empty string with an invalid string is still an error. 1377 EXPECT_DEATH(strncat(to - 1, from, 0), LeftOOBAccessMessage(1)); 1378 strncat(to, from + from_size - 1, 10); 1379 // One of arguments points to not allocated memory. 1380 EXPECT_DEATH(strncat(to - 1, from, 2), LeftOOBAccessMessage(1)); 1381 EXPECT_DEATH(strncat(to, from - 1, 2), LeftOOBReadMessage(1)); 1382 EXPECT_DEATH(strncat(to + to_size, from, 2), RightOOBWriteMessage(0)); 1383 EXPECT_DEATH(strncat(to, from + from_size, 2), RightOOBReadMessage(0)); 1384 1385 memset(from, 'z', from_size); 1386 memset(to, 'z', to_size); 1387 to[0] = '\0'; 1388 // "from" is too short. 1389 EXPECT_DEATH(strncat(to, from, from_size + 1), RightOOBReadMessage(0)); 1390 // "to" is not zero-terminated. 1391 EXPECT_DEATH(strncat(to + 1, from, 1), RightOOBWriteMessage(0)); 1392 // "to" is too short to fit "from". 1393 to[0] = 'z'; 1394 to[to_size - from_size + 1] = '\0'; 1395 EXPECT_DEATH(strncat(to, from, from_size - 1), RightOOBWriteMessage(0)); 1396 // "to" is just enough. 1397 strncat(to, from, from_size - 2); 1398 1399 free(to); 1400 free(from); 1401} 1402 1403static string OverlapErrorMessage(const string &func) { 1404 return func + "-param-overlap"; 1405} 1406 1407TEST(AddressSanitizer, StrArgsOverlapTest) { 1408 size_t size = Ident(100); 1409 char *str = Ident((char*)malloc(size)); 1410 1411// Do not check memcpy() on OS X 10.7 and later, where it actually aliases 1412// memmove(). 1413#if !defined(__APPLE__) || !defined(MAC_OS_X_VERSION_10_7) || \ 1414 (MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7) 1415 // Check "memcpy". Use Ident() to avoid inlining. 1416 memset(str, 'z', size); 1417 Ident(memcpy)(str + 1, str + 11, 10); 1418 Ident(memcpy)(str, str, 0); 1419 EXPECT_DEATH(Ident(memcpy)(str, str + 14, 15), OverlapErrorMessage("memcpy")); 1420 EXPECT_DEATH(Ident(memcpy)(str + 14, str, 15), OverlapErrorMessage("memcpy")); 1421#endif 1422 1423 // We do not treat memcpy with to==from as a bug. 1424 // See http://llvm.org/bugs/show_bug.cgi?id=11763. 1425 // EXPECT_DEATH(Ident(memcpy)(str + 20, str + 20, 1), 1426 // OverlapErrorMessage("memcpy")); 1427 1428 // Check "strcpy". 1429 memset(str, 'z', size); 1430 str[9] = '\0'; 1431 strcpy(str + 10, str); 1432 EXPECT_DEATH(strcpy(str + 9, str), OverlapErrorMessage("strcpy")); 1433 EXPECT_DEATH(strcpy(str, str + 4), OverlapErrorMessage("strcpy")); 1434 strcpy(str, str + 5); 1435 1436 // Check "strncpy". 1437 memset(str, 'z', size); 1438 strncpy(str, str + 10, 10); 1439 EXPECT_DEATH(strncpy(str, str + 9, 10), OverlapErrorMessage("strncpy")); 1440 EXPECT_DEATH(strncpy(str + 9, str, 10), OverlapErrorMessage("strncpy")); 1441 str[10] = '\0'; 1442 strncpy(str + 11, str, 20); 1443 EXPECT_DEATH(strncpy(str + 10, str, 20), OverlapErrorMessage("strncpy")); 1444 1445 // Check "strcat". 1446 memset(str, 'z', size); 1447 str[10] = '\0'; 1448 str[20] = '\0'; 1449 strcat(str, str + 10); 1450 EXPECT_DEATH(strcat(str, str + 11), OverlapErrorMessage("strcat")); 1451 str[10] = '\0'; 1452 strcat(str + 11, str); 1453 EXPECT_DEATH(strcat(str, str + 9), OverlapErrorMessage("strcat")); 1454 EXPECT_DEATH(strcat(str + 9, str), OverlapErrorMessage("strcat")); 1455 EXPECT_DEATH(strcat(str + 10, str), OverlapErrorMessage("strcat")); 1456 1457 // Check "strncat". 1458 memset(str, 'z', size); 1459 str[10] = '\0'; 1460 strncat(str, str + 10, 10); // from is empty 1461 EXPECT_DEATH(strncat(str, str + 11, 10), OverlapErrorMessage("strncat")); 1462 str[10] = '\0'; 1463 str[20] = '\0'; 1464 strncat(str + 5, str, 5); 1465 str[10] = '\0'; 1466 EXPECT_DEATH(strncat(str + 5, str, 6), OverlapErrorMessage("strncat")); 1467 EXPECT_DEATH(strncat(str, str + 9, 10), OverlapErrorMessage("strncat")); 1468 1469 free(str); 1470} 1471 1472void CallAtoi(const char *nptr) { 1473 Ident(atoi(nptr)); 1474} 1475void CallAtol(const char *nptr) { 1476 Ident(atol(nptr)); 1477} 1478void CallAtoll(const char *nptr) { 1479 Ident(atoll(nptr)); 1480} 1481typedef void(*PointerToCallAtoi)(const char*); 1482 1483void RunAtoiOOBTest(PointerToCallAtoi Atoi) { 1484 char *array = MallocAndMemsetString(10, '1'); 1485 // Invalid pointer to the string. 1486 EXPECT_DEATH(Atoi(array + 11), RightOOBReadMessage(1)); 1487 EXPECT_DEATH(Atoi(array - 1), LeftOOBReadMessage(1)); 1488 // Die if a buffer doesn't have terminating NULL. 1489 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0)); 1490 // Make last symbol a terminating NULL or other non-digit. 1491 array[9] = '\0'; 1492 Atoi(array); 1493 array[9] = 'a'; 1494 Atoi(array); 1495 Atoi(array + 9); 1496 // Sometimes we need to detect overflow if no digits are found. 1497 memset(array, ' ', 10); 1498 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0)); 1499 array[9] = '-'; 1500 EXPECT_DEATH(Atoi(array), RightOOBReadMessage(0)); 1501 EXPECT_DEATH(Atoi(array + 9), RightOOBReadMessage(0)); 1502 array[8] = '-'; 1503 Atoi(array); 1504 delete array; 1505} 1506 1507TEST(AddressSanitizer, AtoiAndFriendsOOBTest) { 1508 RunAtoiOOBTest(&CallAtoi); 1509 RunAtoiOOBTest(&CallAtol); 1510 RunAtoiOOBTest(&CallAtoll); 1511} 1512 1513void CallStrtol(const char *nptr, char **endptr, int base) { 1514 Ident(strtol(nptr, endptr, base)); 1515} 1516void CallStrtoll(const char *nptr, char **endptr, int base) { 1517 Ident(strtoll(nptr, endptr, base)); 1518} 1519typedef void(*PointerToCallStrtol)(const char*, char**, int); 1520 1521void RunStrtolOOBTest(PointerToCallStrtol Strtol) { 1522 char *array = MallocAndMemsetString(3); 1523 char *endptr = NULL; 1524 array[0] = '1'; 1525 array[1] = '2'; 1526 array[2] = '3'; 1527 // Invalid pointer to the string. 1528 EXPECT_DEATH(Strtol(array + 3, NULL, 0), RightOOBReadMessage(0)); 1529 EXPECT_DEATH(Strtol(array - 1, NULL, 0), LeftOOBReadMessage(1)); 1530 // Buffer overflow if there is no terminating null (depends on base). 1531 Strtol(array, &endptr, 3); 1532 EXPECT_EQ(array + 2, endptr); 1533 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0)); 1534 array[2] = 'z'; 1535 Strtol(array, &endptr, 35); 1536 EXPECT_EQ(array + 2, endptr); 1537 EXPECT_DEATH(Strtol(array, NULL, 36), RightOOBReadMessage(0)); 1538 // Add terminating zero to get rid of overflow. 1539 array[2] = '\0'; 1540 Strtol(array, NULL, 36); 1541 // Don't check for overflow if base is invalid. 1542 Strtol(array - 1, NULL, -1); 1543 Strtol(array + 3, NULL, 1); 1544 // Sometimes we need to detect overflow if no digits are found. 1545 array[0] = array[1] = array[2] = ' '; 1546 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0)); 1547 array[2] = '+'; 1548 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0)); 1549 array[2] = '-'; 1550 EXPECT_DEATH(Strtol(array, NULL, 0), RightOOBReadMessage(0)); 1551 array[1] = '+'; 1552 Strtol(array, NULL, 0); 1553 array[1] = array[2] = 'z'; 1554 Strtol(array, &endptr, 0); 1555 EXPECT_EQ(array, endptr); 1556 Strtol(array + 2, NULL, 0); 1557 EXPECT_EQ(array, endptr); 1558 delete array; 1559} 1560 1561TEST(AddressSanitizer, StrtollOOBTest) { 1562 RunStrtolOOBTest(&CallStrtoll); 1563} 1564TEST(AddressSanitizer, StrtolOOBTest) { 1565 RunStrtolOOBTest(&CallStrtol); 1566} 1567 1568// At the moment we instrument memcpy/memove/memset calls at compile time so we 1569// can't handle OOB error if these functions are called by pointer, see disabled 1570// MemIntrinsicCallByPointerTest below 1571typedef void*(*PointerToMemTransfer)(void*, const void*, size_t); 1572typedef void*(*PointerToMemSet)(void*, int, size_t); 1573 1574void CallMemSetByPointer(PointerToMemSet MemSet) { 1575 size_t size = Ident(100); 1576 char *array = Ident((char*)malloc(size)); 1577 EXPECT_DEATH(MemSet(array, 0, 101), RightOOBWriteMessage(0)); 1578 free(array); 1579} 1580 1581void CallMemTransferByPointer(PointerToMemTransfer MemTransfer) { 1582 size_t size = Ident(100); 1583 char *src = Ident((char*)malloc(size)); 1584 char *dst = Ident((char*)malloc(size)); 1585 EXPECT_DEATH(MemTransfer(dst, src, 101), RightOOBWriteMessage(0)); 1586 free(src); 1587 free(dst); 1588} 1589 1590TEST(AddressSanitizer, DISABLED_MemIntrinsicCallByPointerTest) { 1591 CallMemSetByPointer(&memset); 1592 CallMemTransferByPointer(&memcpy); 1593 CallMemTransferByPointer(&memmove); 1594} 1595 1596#ifdef __linux__ 1597TEST(AddressSanitizer, pread) { 1598 char *x = new char[10]; 1599 int fd = open("/proc/self/stat", O_RDONLY); 1600 ASSERT_GT(fd, 0); 1601 EXPECT_DEATH(pread(fd, x, 15, 0), 1602 ASAN_PCRE_DOTALL 1603 "AddressSanitizer: heap-buffer-overflow" 1604 ".* is located 4 bytes to the right of 10-byte region"); 1605 close(fd); 1606 delete x; 1607} 1608 1609# if !defined(ANDROID) && !defined(__ANDROID__) 1610TEST(AddressSanitizer, pread64) { 1611 char *x = new char[10]; 1612 int fd = open("/proc/self/stat", O_RDONLY); 1613 ASSERT_GT(fd, 0); 1614 EXPECT_DEATH(pread64(fd, x, 15, 0), 1615 ASAN_PCRE_DOTALL 1616 "AddressSanitizer: heap-buffer-overflow" 1617 ".* is located 4 bytes to the right of 10-byte region"); 1618 close(fd); 1619 delete x; 1620} 1621# endif // !defined(ANDROID) && !defined(__ANDROID__) 1622 1623TEST(AddressSanitizer, read) { 1624 char *x = new char[10]; 1625 int fd = open("/proc/self/stat", O_RDONLY); 1626 ASSERT_GT(fd, 0); 1627 EXPECT_DEATH(read(fd, x, 15), 1628 ASAN_PCRE_DOTALL 1629 "AddressSanitizer: heap-buffer-overflow" 1630 ".* is located 4 bytes to the right of 10-byte region"); 1631 close(fd); 1632 delete x; 1633} 1634 1635#endif // __linux__ 1636 1637// This test case fails 1638// Clang optimizes memcpy/memset calls which lead to unaligned access 1639TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 1640 int size = Ident(4096); 1641 char *s = Ident((char*)malloc(size)); 1642 EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 1643 free(s); 1644} 1645 1646// TODO(samsonov): Add a test with malloc(0) 1647// TODO(samsonov): Add tests for str* and mem* functions. 1648 1649NOINLINE static int LargeFunction(bool do_bad_access) { 1650 int *x = new int[100]; 1651 x[0]++; 1652 x[1]++; 1653 x[2]++; 1654 x[3]++; 1655 x[4]++; 1656 x[5]++; 1657 x[6]++; 1658 x[7]++; 1659 x[8]++; 1660 x[9]++; 1661 1662 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 1663 1664 x[10]++; 1665 x[11]++; 1666 x[12]++; 1667 x[13]++; 1668 x[14]++; 1669 x[15]++; 1670 x[16]++; 1671 x[17]++; 1672 x[18]++; 1673 x[19]++; 1674 1675 delete x; 1676 return res; 1677} 1678 1679// Test the we have correct debug info for the failing instruction. 1680// This test requires the in-process symbolizer to be enabled by default. 1681TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 1682 int failing_line = LargeFunction(false); 1683 char expected_warning[128]; 1684 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 1685 EXPECT_DEATH(LargeFunction(true), expected_warning); 1686} 1687 1688// Check that we unwind and symbolize correctly. 1689TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 1690 int *a = (int*)malloc_aaa(sizeof(int)); 1691 *a = 1; 1692 free_aaa(a); 1693 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 1694 "malloc_fff.*malloc_eee.*malloc_ddd"); 1695} 1696 1697static void TryToSetThreadName(const char *name) { 1698#ifdef __linux__ 1699 prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 1700#endif 1701} 1702 1703void *ThreadedTestAlloc(void *a) { 1704 TryToSetThreadName("AllocThr"); 1705 int **p = (int**)a; 1706 *p = new int; 1707 return 0; 1708} 1709 1710void *ThreadedTestFree(void *a) { 1711 TryToSetThreadName("FreeThr"); 1712 int **p = (int**)a; 1713 delete *p; 1714 return 0; 1715} 1716 1717void *ThreadedTestUse(void *a) { 1718 TryToSetThreadName("UseThr"); 1719 int **p = (int**)a; 1720 **p = 1; 1721 return 0; 1722} 1723 1724void ThreadedTestSpawn() { 1725 pthread_t t; 1726 int *x; 1727 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 1728 PTHREAD_JOIN(t, 0); 1729 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 1730 PTHREAD_JOIN(t, 0); 1731 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 1732 PTHREAD_JOIN(t, 0); 1733} 1734 1735TEST(AddressSanitizer, ThreadedTest) { 1736 EXPECT_DEATH(ThreadedTestSpawn(), 1737 ASAN_PCRE_DOTALL 1738 "Thread T.*created" 1739 ".*Thread T.*created" 1740 ".*Thread T.*created"); 1741} 1742 1743#ifdef __linux__ 1744TEST(AddressSanitizer, ThreadNamesTest) { 1745 // ThreadedTestSpawn(); 1746 EXPECT_DEATH(ThreadedTestSpawn(), 1747 ASAN_PCRE_DOTALL 1748 "WRITE .*thread T. .UseThr." 1749 ".*freed by thread T. .FreeThr. here:" 1750 ".*previously allocated by thread T. .AllocThr. here:" 1751 ".*Thread T. .UseThr. created by T. here:" 1752 ".*Thread T. .FreeThr. created by T. here:" 1753 ".*Thread T. .AllocThr. created by T. here:" 1754 ""); 1755} 1756#endif 1757 1758#if ASAN_NEEDS_SEGV 1759TEST(AddressSanitizer, ShadowGapTest) { 1760#if SANITIZER_WORDSIZE == 32 1761 char *addr = (char*)0x22000000; 1762#else 1763 char *addr = (char*)0x0000100000080000; 1764#endif 1765 EXPECT_DEATH(*addr = 1, "AddressSanitizer: SEGV on unknown"); 1766} 1767#endif // ASAN_NEEDS_SEGV 1768 1769extern "C" { 1770NOINLINE static void UseThenFreeThenUse() { 1771 char *x = Ident((char*)malloc(8)); 1772 *x = 1; 1773 free_aaa(x); 1774 *x = 2; 1775} 1776} 1777 1778TEST(AddressSanitizer, UseThenFreeThenUseTest) { 1779 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 1780} 1781 1782TEST(AddressSanitizer, StrDupTest) { 1783 free(strdup(Ident("123"))); 1784} 1785 1786// Currently we create and poison redzone at right of global variables. 1787char glob5[5]; 1788static char static110[110]; 1789const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 1790static const char StaticConstGlob[3] = {9, 8, 7}; 1791extern int GlobalsTest(int x); 1792 1793TEST(AddressSanitizer, GlobalTest) { 1794 static char func_static15[15]; 1795 1796 static char fs1[10]; 1797 static char fs2[10]; 1798 static char fs3[10]; 1799 1800 glob5[Ident(0)] = 0; 1801 glob5[Ident(1)] = 0; 1802 glob5[Ident(2)] = 0; 1803 glob5[Ident(3)] = 0; 1804 glob5[Ident(4)] = 0; 1805 1806 EXPECT_DEATH(glob5[Ident(5)] = 0, 1807 "0 bytes to the right of global variable.*glob5.* size 5"); 1808 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 1809 "6 bytes to the right of global variable.*glob5.* size 5"); 1810 Ident(static110); // avoid optimizations 1811 static110[Ident(0)] = 0; 1812 static110[Ident(109)] = 0; 1813 EXPECT_DEATH(static110[Ident(110)] = 0, 1814 "0 bytes to the right of global variable"); 1815 EXPECT_DEATH(static110[Ident(110+7)] = 0, 1816 "7 bytes to the right of global variable"); 1817 1818 Ident(func_static15); // avoid optimizations 1819 func_static15[Ident(0)] = 0; 1820 EXPECT_DEATH(func_static15[Ident(15)] = 0, 1821 "0 bytes to the right of global variable"); 1822 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 1823 "9 bytes to the right of global variable"); 1824 1825 Ident(fs1); 1826 Ident(fs2); 1827 Ident(fs3); 1828 1829 // We don't create left redzones, so this is not 100% guaranteed to fail. 1830 // But most likely will. 1831 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 1832 1833 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 1834 "is located 1 bytes to the right of .*ConstGlob"); 1835 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 1836 "is located 2 bytes to the right of .*StaticConstGlob"); 1837 1838 // call stuff from another file. 1839 GlobalsTest(0); 1840} 1841 1842TEST(AddressSanitizer, GlobalStringConstTest) { 1843 static const char *zoo = "FOOBAR123"; 1844 const char *p = Ident(zoo); 1845 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 1846} 1847 1848TEST(AddressSanitizer, FileNameInGlobalReportTest) { 1849 static char zoo[10]; 1850 const char *p = Ident(zoo); 1851 // The file name should be present in the report. 1852 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 1853} 1854 1855int *ReturnsPointerToALocalObject() { 1856 int a = 0; 1857 return Ident(&a); 1858} 1859 1860#if ASAN_UAR == 1 1861TEST(AddressSanitizer, LocalReferenceReturnTest) { 1862 int *(*f)() = Ident(ReturnsPointerToALocalObject); 1863 int *p = f(); 1864 // Call 'f' a few more times, 'p' should still be poisoned. 1865 for (int i = 0; i < 32; i++) 1866 f(); 1867 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 1868 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 1869} 1870#endif 1871 1872template <int kSize> 1873NOINLINE static void FuncWithStack() { 1874 char x[kSize]; 1875 Ident(x)[0] = 0; 1876 Ident(x)[kSize-1] = 0; 1877} 1878 1879static void LotsOfStackReuse() { 1880 int LargeStack[10000]; 1881 Ident(LargeStack)[0] = 0; 1882 for (int i = 0; i < 10000; i++) { 1883 FuncWithStack<128 * 1>(); 1884 FuncWithStack<128 * 2>(); 1885 FuncWithStack<128 * 4>(); 1886 FuncWithStack<128 * 8>(); 1887 FuncWithStack<128 * 16>(); 1888 FuncWithStack<128 * 32>(); 1889 FuncWithStack<128 * 64>(); 1890 FuncWithStack<128 * 128>(); 1891 FuncWithStack<128 * 256>(); 1892 FuncWithStack<128 * 512>(); 1893 Ident(LargeStack)[0] = 0; 1894 } 1895} 1896 1897TEST(AddressSanitizer, StressStackReuseTest) { 1898 LotsOfStackReuse(); 1899} 1900 1901TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1902 const int kNumThreads = 20; 1903 pthread_t t[kNumThreads]; 1904 for (int i = 0; i < kNumThreads; i++) { 1905 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1906 } 1907 for (int i = 0; i < kNumThreads; i++) { 1908 PTHREAD_JOIN(t[i], 0); 1909 } 1910} 1911 1912static void *PthreadExit(void *a) { 1913 pthread_exit(0); 1914 return 0; 1915} 1916 1917TEST(AddressSanitizer, PthreadExitTest) { 1918 pthread_t t; 1919 for (int i = 0; i < 1000; i++) { 1920 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1921 PTHREAD_JOIN(t, 0); 1922 } 1923} 1924 1925#ifdef __EXCEPTIONS 1926NOINLINE static void StackReuseAndException() { 1927 int large_stack[1000]; 1928 Ident(large_stack); 1929 ASAN_THROW(1); 1930} 1931 1932// TODO(kcc): support exceptions with use-after-return. 1933TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1934 for (int i = 0; i < 10000; i++) { 1935 try { 1936 StackReuseAndException(); 1937 } catch(...) { 1938 } 1939 } 1940} 1941#endif 1942 1943TEST(AddressSanitizer, MlockTest) { 1944 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1945 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1946 EXPECT_EQ(0, munlockall()); 1947 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1948} 1949 1950struct LargeStruct { 1951 int foo[100]; 1952}; 1953 1954// Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1955// Struct copy should not cause asan warning even if lhs == rhs. 1956TEST(AddressSanitizer, LargeStructCopyTest) { 1957 LargeStruct a; 1958 *Ident(&a) = *Ident(&a); 1959} 1960 1961ATTRIBUTE_NO_ADDRESS_SAFETY_ANALYSIS 1962static void NoAddressSafety() { 1963 char *foo = new char[10]; 1964 Ident(foo)[10] = 0; 1965 delete [] foo; 1966} 1967 1968TEST(AddressSanitizer, AttributeNoAddressSafetyTest) { 1969 Ident(NoAddressSafety)(); 1970} 1971 1972// ------------------ demo tests; run each one-by-one ------------- 1973// e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1974TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1975 ThreadedTestSpawn(); 1976} 1977 1978void *SimpleBugOnSTack(void *x = 0) { 1979 char a[20]; 1980 Ident(a)[20] = 0; 1981 return 0; 1982} 1983 1984TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1985 SimpleBugOnSTack(); 1986} 1987 1988TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1989 pthread_t t; 1990 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1991 PTHREAD_JOIN(t, 0); 1992} 1993 1994TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1995 uaf_test<U1>(10, 0); 1996} 1997TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1998 uaf_test<U1>(10, -2); 1999} 2000TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 2001 uaf_test<U1>(10, 10); 2002} 2003 2004TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 2005 uaf_test<U1>(kLargeMalloc, 0); 2006} 2007 2008TEST(AddressSanitizer, DISABLED_DemoOOBLeftLow) { 2009 oob_test<U1>(10, -1); 2010} 2011 2012TEST(AddressSanitizer, DISABLED_DemoOOBLeftHigh) { 2013 oob_test<U1>(kLargeMalloc, -1); 2014} 2015 2016TEST(AddressSanitizer, DISABLED_DemoOOBRightLow) { 2017 oob_test<U1>(10, 10); 2018} 2019 2020TEST(AddressSanitizer, DISABLED_DemoOOBRightHigh) { 2021 oob_test<U1>(kLargeMalloc, kLargeMalloc); 2022} 2023 2024TEST(AddressSanitizer, DISABLED_DemoOOM) { 2025 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 2026 printf("%p\n", malloc(size)); 2027} 2028 2029TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 2030 DoubleFree(); 2031} 2032 2033TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 2034 int *a = 0; 2035 Ident(a)[10] = 0; 2036} 2037 2038TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 2039 static char a[100]; 2040 static char b[100]; 2041 static char c[100]; 2042 Ident(a); 2043 Ident(b); 2044 Ident(c); 2045 Ident(a)[5] = 0; 2046 Ident(b)[105] = 0; 2047 Ident(a)[5] = 0; 2048} 2049 2050TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 2051 const size_t kAllocSize = (1 << 28) - 1024; 2052 size_t total_size = 0; 2053 while (true) { 2054 char *x = (char*)malloc(kAllocSize); 2055 memset(x, 0, kAllocSize); 2056 total_size += kAllocSize; 2057 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 2058 } 2059} 2060 2061// http://code.google.com/p/address-sanitizer/issues/detail?id=66 2062TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 2063 for (int i = 0; i < 1000000; i++) { 2064 delete [] (Ident(new char [8644])); 2065 } 2066 char *x = new char[8192]; 2067 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 2068 delete [] Ident(x); 2069} 2070 2071#ifdef __APPLE__ 2072#include "asan_mac_test.h" 2073TEST(AddressSanitizerMac, CFAllocatorDefaultDoubleFree) { 2074 EXPECT_DEATH( 2075 CFAllocatorDefaultDoubleFree(NULL), 2076 "attempting double-free"); 2077} 2078 2079void CFAllocator_DoubleFreeOnPthread() { 2080 pthread_t child; 2081 PTHREAD_CREATE(&child, NULL, CFAllocatorDefaultDoubleFree, NULL); 2082 PTHREAD_JOIN(child, NULL); // Shouldn't be reached. 2083} 2084 2085TEST(AddressSanitizerMac, CFAllocatorDefaultDoubleFree_ChildPhread) { 2086 EXPECT_DEATH(CFAllocator_DoubleFreeOnPthread(), "attempting double-free"); 2087} 2088 2089namespace { 2090 2091void *GLOB; 2092 2093void *CFAllocatorAllocateToGlob(void *unused) { 2094 GLOB = CFAllocatorAllocate(NULL, 100, /*hint*/0); 2095 return NULL; 2096} 2097 2098void *CFAllocatorDeallocateFromGlob(void *unused) { 2099 char *p = (char*)GLOB; 2100 p[100] = 'A'; // ASan should report an error here. 2101 CFAllocatorDeallocate(NULL, GLOB); 2102 return NULL; 2103} 2104 2105void CFAllocator_PassMemoryToAnotherThread() { 2106 pthread_t th1, th2; 2107 PTHREAD_CREATE(&th1, NULL, CFAllocatorAllocateToGlob, NULL); 2108 PTHREAD_JOIN(th1, NULL); 2109 PTHREAD_CREATE(&th2, NULL, CFAllocatorDeallocateFromGlob, NULL); 2110 PTHREAD_JOIN(th2, NULL); 2111} 2112 2113TEST(AddressSanitizerMac, CFAllocator_PassMemoryToAnotherThread) { 2114 EXPECT_DEATH(CFAllocator_PassMemoryToAnotherThread(), 2115 "heap-buffer-overflow"); 2116} 2117 2118} // namespace 2119 2120// TODO(glider): figure out whether we still need these tests. Is it correct 2121// to intercept the non-default CFAllocators? 2122TEST(AddressSanitizerMac, DISABLED_CFAllocatorSystemDefaultDoubleFree) { 2123 EXPECT_DEATH( 2124 CFAllocatorSystemDefaultDoubleFree(), 2125 "attempting double-free"); 2126} 2127 2128// We're intercepting malloc, so kCFAllocatorMalloc is routed to ASan. 2129TEST(AddressSanitizerMac, CFAllocatorMallocDoubleFree) { 2130 EXPECT_DEATH(CFAllocatorMallocDoubleFree(), "attempting double-free"); 2131} 2132 2133TEST(AddressSanitizerMac, DISABLED_CFAllocatorMallocZoneDoubleFree) { 2134 EXPECT_DEATH(CFAllocatorMallocZoneDoubleFree(), "attempting double-free"); 2135} 2136 2137// For libdispatch tests below we check that ASan got to the shadow byte 2138// legend, i.e. managed to print the thread stacks (this almost certainly 2139// means that the libdispatch task creation has been intercepted correctly). 2140TEST(AddressSanitizerMac, GCDDispatchAsync) { 2141 // Make sure the whole ASan report is printed, i.e. that we don't die 2142 // on a CHECK. 2143 EXPECT_DEATH(TestGCDDispatchAsync(), "Shadow byte legend"); 2144} 2145 2146TEST(AddressSanitizerMac, GCDDispatchSync) { 2147 // Make sure the whole ASan report is printed, i.e. that we don't die 2148 // on a CHECK. 2149 EXPECT_DEATH(TestGCDDispatchSync(), "Shadow byte legend"); 2150} 2151 2152 2153TEST(AddressSanitizerMac, GCDReuseWqthreadsAsync) { 2154 // Make sure the whole ASan report is printed, i.e. that we don't die 2155 // on a CHECK. 2156 EXPECT_DEATH(TestGCDReuseWqthreadsAsync(), "Shadow byte legend"); 2157} 2158 2159TEST(AddressSanitizerMac, GCDReuseWqthreadsSync) { 2160 // Make sure the whole ASan report is printed, i.e. that we don't die 2161 // on a CHECK. 2162 EXPECT_DEATH(TestGCDReuseWqthreadsSync(), "Shadow byte legend"); 2163} 2164 2165TEST(AddressSanitizerMac, GCDDispatchAfter) { 2166 // Make sure the whole ASan report is printed, i.e. that we don't die 2167 // on a CHECK. 2168 EXPECT_DEATH(TestGCDDispatchAfter(), "Shadow byte legend"); 2169} 2170 2171TEST(AddressSanitizerMac, GCDSourceEvent) { 2172 // Make sure the whole ASan report is printed, i.e. that we don't die 2173 // on a CHECK. 2174 EXPECT_DEATH(TestGCDSourceEvent(), "Shadow byte legend"); 2175} 2176 2177TEST(AddressSanitizerMac, GCDSourceCancel) { 2178 // Make sure the whole ASan report is printed, i.e. that we don't die 2179 // on a CHECK. 2180 EXPECT_DEATH(TestGCDSourceCancel(), "Shadow byte legend"); 2181} 2182 2183TEST(AddressSanitizerMac, GCDGroupAsync) { 2184 // Make sure the whole ASan report is printed, i.e. that we don't die 2185 // on a CHECK. 2186 EXPECT_DEATH(TestGCDGroupAsync(), "Shadow byte legend"); 2187} 2188 2189void *MallocIntrospectionLockWorker(void *_) { 2190 const int kNumPointers = 100; 2191 int i; 2192 void *pointers[kNumPointers]; 2193 for (i = 0; i < kNumPointers; i++) { 2194 pointers[i] = malloc(i + 1); 2195 } 2196 for (i = 0; i < kNumPointers; i++) { 2197 free(pointers[i]); 2198 } 2199 2200 return NULL; 2201} 2202 2203void *MallocIntrospectionLockForker(void *_) { 2204 pid_t result = fork(); 2205 if (result == -1) { 2206 perror("fork"); 2207 } 2208 assert(result != -1); 2209 if (result == 0) { 2210 // Call malloc in the child process to make sure we won't deadlock. 2211 void *ptr = malloc(42); 2212 free(ptr); 2213 exit(0); 2214 } else { 2215 // Return in the parent process. 2216 return NULL; 2217 } 2218} 2219 2220TEST(AddressSanitizerMac, MallocIntrospectionLock) { 2221 // Incorrect implementation of force_lock and force_unlock in our malloc zone 2222 // will cause forked processes to deadlock. 2223 // TODO(glider): need to detect that none of the child processes deadlocked. 2224 const int kNumWorkers = 5, kNumIterations = 100; 2225 int i, iter; 2226 for (iter = 0; iter < kNumIterations; iter++) { 2227 pthread_t workers[kNumWorkers], forker; 2228 for (i = 0; i < kNumWorkers; i++) { 2229 PTHREAD_CREATE(&workers[i], 0, MallocIntrospectionLockWorker, 0); 2230 } 2231 PTHREAD_CREATE(&forker, 0, MallocIntrospectionLockForker, 0); 2232 for (i = 0; i < kNumWorkers; i++) { 2233 PTHREAD_JOIN(workers[i], 0); 2234 } 2235 PTHREAD_JOIN(forker, 0); 2236 } 2237} 2238 2239void *TSDAllocWorker(void *test_key) { 2240 if (test_key) { 2241 void *mem = malloc(10); 2242 pthread_setspecific(*(pthread_key_t*)test_key, mem); 2243 } 2244 return NULL; 2245} 2246 2247TEST(AddressSanitizerMac, DISABLED_TSDWorkqueueTest) { 2248 pthread_t th; 2249 pthread_key_t test_key; 2250 pthread_key_create(&test_key, CallFreeOnWorkqueue); 2251 PTHREAD_CREATE(&th, NULL, TSDAllocWorker, &test_key); 2252 PTHREAD_JOIN(th, NULL); 2253 pthread_key_delete(test_key); 2254} 2255 2256// Test that CFStringCreateCopy does not copy constant strings. 2257TEST(AddressSanitizerMac, CFStringCreateCopy) { 2258 CFStringRef str = CFSTR("Hello world!\n"); 2259 CFStringRef str2 = CFStringCreateCopy(0, str); 2260 EXPECT_EQ(str, str2); 2261} 2262 2263TEST(AddressSanitizerMac, NSObjectOOB) { 2264 // Make sure that our allocators are used for NSObjects. 2265 EXPECT_DEATH(TestOOBNSObjects(), "heap-buffer-overflow"); 2266} 2267 2268// Make sure that correct pointer is passed to free() when deallocating a 2269// NSURL object. 2270// See http://code.google.com/p/address-sanitizer/issues/detail?id=70. 2271TEST(AddressSanitizerMac, NSURLDeallocation) { 2272 TestNSURLDeallocation(); 2273} 2274 2275// See http://code.google.com/p/address-sanitizer/issues/detail?id=109. 2276TEST(AddressSanitizerMac, Mstats) { 2277 malloc_statistics_t stats1, stats2; 2278 malloc_zone_statistics(/*all zones*/NULL, &stats1); 2279 const int kMallocSize = 100000; 2280 void *alloc = Ident(malloc(kMallocSize)); 2281 malloc_zone_statistics(/*all zones*/NULL, &stats2); 2282 EXPECT_GT(stats2.blocks_in_use, stats1.blocks_in_use); 2283 EXPECT_GE(stats2.size_in_use - stats1.size_in_use, kMallocSize); 2284 free(alloc); 2285 // Even the default OSX allocator may not change the stats after free(). 2286} 2287#endif // __APPLE__ 2288 2289// Test that instrumentation of stack allocations takes into account 2290// AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 2291// See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 2292TEST(AddressSanitizer, LongDoubleNegativeTest) { 2293 long double a, b; 2294 static long double c; 2295 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 2296 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 2297} 2298