msan_test.cc revision b9bf700ae7fe59e25976e0abe9636150f3a39cd2
1//===-- msan_test.cc ------------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of MemorySanitizer. 11// 12// MemorySanitizer unit tests. 13//===----------------------------------------------------------------------===// 14 15#include "sanitizer/msan_interface.h" 16#include "msandr_test_so.h" 17#include "gtest/gtest.h" 18 19#include <stdlib.h> 20#include <stdarg.h> 21#include <stdio.h> 22#include <assert.h> 23#include <wchar.h> 24#include <math.h> 25 26#include <dlfcn.h> 27#include <unistd.h> 28#include <limits.h> 29#include <sys/time.h> 30#include <sys/types.h> 31#include <sys/stat.h> 32#include <fcntl.h> 33#include <sys/resource.h> 34#include <sys/ioctl.h> 35#include <sys/utsname.h> 36#include <sys/mman.h> 37#include <sys/vfs.h> 38#include <sys/types.h> 39#include <dirent.h> 40 41#if defined(__i386__) || defined(__x86_64__) 42# include <emmintrin.h> 43# define MSAN_HAS_M128 1 44#else 45# define MSAN_HAS_M128 0 46#endif 47 48typedef unsigned char U1; 49typedef unsigned short U2; // NOLINT 50typedef unsigned int U4; 51typedef unsigned long long U8; // NOLINT 52typedef signed char S1; 53typedef signed short S2; // NOLINT 54typedef signed int S4; 55typedef signed long long S8; // NOLINT 56#define NOINLINE __attribute__((noinline)) 57#define INLINE __attribute__((always_inline)) 58 59static bool TrackingOrigins() { 60 S8 x; 61 __msan_set_origin(&x, sizeof(x), 0x1234); 62 U4 origin = __msan_get_origin(&x); 63 __msan_set_origin(&x, sizeof(x), 0); 64 return origin == 0x1234; 65} 66 67#define EXPECT_UMR(action) \ 68 do { \ 69 __msan_set_expect_umr(1); \ 70 action; \ 71 __msan_set_expect_umr(0); \ 72 } while (0) 73 74#define EXPECT_UMR_O(action, origin) \ 75 do { \ 76 __msan_set_expect_umr(1); \ 77 action; \ 78 __msan_set_expect_umr(0); \ 79 if (TrackingOrigins()) \ 80 EXPECT_EQ(origin, __msan_get_umr_origin()); \ 81 } while (0) 82 83#define EXPECT_UMR_S(action, stack_origin) \ 84 do { \ 85 __msan_set_expect_umr(1); \ 86 action; \ 87 __msan_set_expect_umr(0); \ 88 U4 id = __msan_get_umr_origin(); \ 89 const char *str = __msan_get_origin_descr_if_stack(id); \ 90 if (!str || strcmp(str, stack_origin)) { \ 91 fprintf(stderr, "EXPECT_POISONED_S: id=%u %s, %s", \ 92 id, stack_origin, str); \ 93 EXPECT_EQ(1, 0); \ 94 } \ 95 } while (0) 96 97#define EXPECT_POISONED(x) ExpectPoisoned(x) 98 99template<typename T> 100void ExpectPoisoned(const T& t) { 101 EXPECT_NE(-1, __msan_test_shadow((void*)&t, sizeof(t))); 102} 103 104#define EXPECT_POISONED_O(x, origin) \ 105 ExpectPoisonedWithOrigin(x, origin) 106 107template<typename T> 108void ExpectPoisonedWithOrigin(const T& t, unsigned origin) { 109 EXPECT_NE(-1, __msan_test_shadow((void*)&t, sizeof(t))); 110 if (TrackingOrigins()) 111 EXPECT_EQ(origin, __msan_get_origin((void*)&t)); 112} 113 114#define EXPECT_POISONED_S(x, stack_origin) \ 115 ExpectPoisonedWithStackOrigin(x, stack_origin) 116 117template<typename T> 118void ExpectPoisonedWithStackOrigin(const T& t, const char *stack_origin) { 119 EXPECT_NE(-1, __msan_test_shadow((void*)&t, sizeof(t))); 120 U4 id = __msan_get_origin((void*)&t); 121 const char *str = __msan_get_origin_descr_if_stack(id); 122 if (!str || strcmp(str, stack_origin)) { 123 fprintf(stderr, "EXPECT_POISONED_S: id=%u %s, %s", 124 id, stack_origin, str); 125 EXPECT_EQ(1, 0); 126 } 127} 128 129#define EXPECT_NOT_POISONED(x) ExpectNotPoisoned(x) 130 131template<typename T> 132void ExpectNotPoisoned(const T& t) { 133 EXPECT_EQ(-1, __msan_test_shadow((void*)&t, sizeof(t))); 134} 135 136static U8 poisoned_array[100]; 137template<class T> 138T *GetPoisoned(int i = 0, T val = 0) { 139 T *res = (T*)&poisoned_array[i]; 140 *res = val; 141 __msan_poison(&poisoned_array[i], sizeof(T)); 142 return res; 143} 144 145template<class T> 146T *GetPoisonedO(int i, U4 origin, T val = 0) { 147 T *res = (T*)&poisoned_array[i]; 148 *res = val; 149 __msan_poison(&poisoned_array[i], sizeof(T)); 150 __msan_set_origin(&poisoned_array[i], sizeof(T), origin); 151 return res; 152} 153 154// This function returns its parameter but in such a way that compiler 155// can not prove it. 156template<class T> 157NOINLINE 158static T Ident(T t) { 159 volatile T ret = t; 160 return ret; 161} 162 163template<class T> NOINLINE T ReturnPoisoned() { return *GetPoisoned<T>(); } 164 165static volatile int g_one = 1; 166static volatile int g_zero = 0; 167static volatile int g_0 = 0; 168static volatile int g_1 = 1; 169 170S4 a_s4[100]; 171S8 a_s8[100]; 172 173// Check that malloc poisons memory. 174// A lot of tests below depend on this. 175TEST(MemorySanitizerSanity, PoisonInMalloc) { 176 int *x = (int*)malloc(sizeof(int)); 177 EXPECT_POISONED(*x); 178 free(x); 179} 180 181TEST(MemorySanitizer, NegativeTest1) { 182 S4 *x = GetPoisoned<S4>(); 183 if (g_one) 184 *x = 0; 185 EXPECT_NOT_POISONED(*x); 186} 187 188TEST(MemorySanitizer, PositiveTest1) { 189 // Load to store. 190 EXPECT_POISONED(*GetPoisoned<S1>()); 191 EXPECT_POISONED(*GetPoisoned<S2>()); 192 EXPECT_POISONED(*GetPoisoned<S4>()); 193 EXPECT_POISONED(*GetPoisoned<S8>()); 194 195 // S->S conversions. 196 EXPECT_POISONED(*GetPoisoned<S1>()); 197 EXPECT_POISONED(*GetPoisoned<S1>()); 198 EXPECT_POISONED(*GetPoisoned<S1>()); 199 200 EXPECT_POISONED(*GetPoisoned<S2>()); 201 EXPECT_POISONED(*GetPoisoned<S2>()); 202 EXPECT_POISONED(*GetPoisoned<S2>()); 203 204 EXPECT_POISONED(*GetPoisoned<S4>()); 205 EXPECT_POISONED(*GetPoisoned<S4>()); 206 EXPECT_POISONED(*GetPoisoned<S4>()); 207 208 EXPECT_POISONED(*GetPoisoned<S8>()); 209 EXPECT_POISONED(*GetPoisoned<S8>()); 210 EXPECT_POISONED(*GetPoisoned<S8>()); 211 212 // ZExt 213 EXPECT_POISONED(*GetPoisoned<U1>()); 214 EXPECT_POISONED(*GetPoisoned<U1>()); 215 EXPECT_POISONED(*GetPoisoned<U1>()); 216 EXPECT_POISONED(*GetPoisoned<U2>()); 217 EXPECT_POISONED(*GetPoisoned<U2>()); 218 EXPECT_POISONED(*GetPoisoned<U4>()); 219 220 // Unary ops. 221 EXPECT_POISONED(- *GetPoisoned<S4>()); 222 223 EXPECT_UMR(a_s4[g_zero] = 100 / *GetPoisoned<S4>(0, 1)); 224 225 226 a_s4[g_zero] = 1 - *GetPoisoned<S4>(); 227 a_s4[g_zero] = 1 + *GetPoisoned<S4>(); 228} 229 230TEST(MemorySanitizer, Phi1) { 231 S4 c; 232 if (g_one) { 233 c = *GetPoisoned<S4>(); 234 } else { 235 break_optimization(0); 236 c = 0; 237 } 238 EXPECT_POISONED(c); 239} 240 241TEST(MemorySanitizer, Phi2) { 242 S4 i = *GetPoisoned<S4>(); 243 S4 n = g_one; 244 EXPECT_UMR(for (; i < g_one; i++);); 245 EXPECT_POISONED(i); 246} 247 248NOINLINE void Arg1ExpectUMR(S4 a1) { EXPECT_POISONED(a1); } 249NOINLINE void Arg2ExpectUMR(S4 a1, S4 a2) { EXPECT_POISONED(a2); } 250NOINLINE void Arg3ExpectUMR(S1 a1, S4 a2, S8 a3) { EXPECT_POISONED(a3); } 251 252TEST(MemorySanitizer, ArgTest) { 253 Arg1ExpectUMR(*GetPoisoned<S4>()); 254 Arg2ExpectUMR(0, *GetPoisoned<S4>()); 255 Arg3ExpectUMR(0, 1, *GetPoisoned<S8>()); 256} 257 258 259TEST(MemorySanitizer, CallAndRet) { 260 if (!__msan_has_dynamic_component()) return; 261 ReturnPoisoned<S1>(); 262 ReturnPoisoned<S2>(); 263 ReturnPoisoned<S4>(); 264 ReturnPoisoned<S8>(); 265 266 EXPECT_POISONED(ReturnPoisoned<S1>()); 267 EXPECT_POISONED(ReturnPoisoned<S2>()); 268 EXPECT_POISONED(ReturnPoisoned<S4>()); 269 EXPECT_POISONED(ReturnPoisoned<S8>()); 270} 271 272// malloc() in the following test may be optimized to produce a compile-time 273// undef value. Check that we trap on the volatile assignment anyway. 274TEST(MemorySanitizer, DISABLED_MallocNoIdent) { 275 S4 *x = (int*)malloc(sizeof(S4)); 276 EXPECT_POISONED(*x); 277 free(x); 278} 279 280TEST(MemorySanitizer, Malloc) { 281 S4 *x = (int*)Ident(malloc(sizeof(S4))); 282 EXPECT_POISONED(*x); 283 free(x); 284} 285 286TEST(MemorySanitizer, Realloc) { 287 S4 *x = (int*)Ident(realloc(0, sizeof(S4))); 288 EXPECT_POISONED(x[0]); 289 x[0] = 1; 290 x = (int*)Ident(realloc(x, 2 * sizeof(S4))); 291 EXPECT_NOT_POISONED(x[0]); // Ok, was inited before. 292 EXPECT_POISONED(x[1]); 293 x = (int*)Ident(realloc(x, 3 * sizeof(S4))); 294 EXPECT_NOT_POISONED(x[0]); // Ok, was inited before. 295 EXPECT_POISONED(x[2]); 296 EXPECT_POISONED(x[1]); 297 x[2] = 1; // Init this here. Check that after realloc it is poisoned again. 298 x = (int*)Ident(realloc(x, 2 * sizeof(S4))); 299 EXPECT_NOT_POISONED(x[0]); // Ok, was inited before. 300 EXPECT_POISONED(x[1]); 301 x = (int*)Ident(realloc(x, 3 * sizeof(S4))); 302 EXPECT_POISONED(x[1]); 303 EXPECT_POISONED(x[2]); 304 free(x); 305} 306 307TEST(MemorySanitizer, Calloc) { 308 S4 *x = (int*)Ident(calloc(1, sizeof(S4))); 309 EXPECT_NOT_POISONED(*x); // Should not be poisoned. 310 // EXPECT_EQ(0, *x); 311 free(x); 312} 313 314TEST(MemorySanitizer, AndOr) { 315 U4 *p = GetPoisoned<U4>(); 316 // We poison two bytes in the midle of a 4-byte word to make the test 317 // correct regardless of endianness. 318 ((U1*)p)[1] = 0; 319 ((U1*)p)[2] = 0xff; 320 EXPECT_NOT_POISONED(*p & 0x00ffff00); 321 EXPECT_NOT_POISONED(*p & 0x00ff0000); 322 EXPECT_NOT_POISONED(*p & 0x0000ff00); 323 EXPECT_POISONED(*p & 0xff000000); 324 EXPECT_POISONED(*p & 0x000000ff); 325 EXPECT_POISONED(*p & 0x0000ffff); 326 EXPECT_POISONED(*p & 0xffff0000); 327 328 EXPECT_NOT_POISONED(*p | 0xff0000ff); 329 EXPECT_NOT_POISONED(*p | 0xff00ffff); 330 EXPECT_NOT_POISONED(*p | 0xffff00ff); 331 EXPECT_POISONED(*p | 0xff000000); 332 EXPECT_POISONED(*p | 0x000000ff); 333 EXPECT_POISONED(*p | 0x0000ffff); 334 EXPECT_POISONED(*p | 0xffff0000); 335 336 EXPECT_POISONED(*GetPoisoned<bool>() & *GetPoisoned<bool>()); 337} 338 339template<class T> 340static bool applyNot(T value, T shadow) { 341 __msan_partial_poison(&value, &shadow, sizeof(T)); 342 return !value; 343} 344 345TEST(MemorySanitizer, Not) { 346 EXPECT_NOT_POISONED(applyNot<U4>(0x0, 0x0)); 347 EXPECT_NOT_POISONED(applyNot<U4>(0xFFFFFFFF, 0x0)); 348 EXPECT_POISONED(applyNot<U4>(0xFFFFFFFF, 0xFFFFFFFF)); 349 EXPECT_NOT_POISONED(applyNot<U4>(0xFF000000, 0x0FFFFFFF)); 350 EXPECT_NOT_POISONED(applyNot<U4>(0xFF000000, 0x00FFFFFF)); 351 EXPECT_NOT_POISONED(applyNot<U4>(0xFF000000, 0x0000FFFF)); 352 EXPECT_NOT_POISONED(applyNot<U4>(0xFF000000, 0x00000000)); 353 EXPECT_POISONED(applyNot<U4>(0xFF000000, 0xFF000000)); 354 EXPECT_NOT_POISONED(applyNot<U4>(0xFF800000, 0xFF000000)); 355 EXPECT_POISONED(applyNot<U4>(0x00008000, 0x00008000)); 356 357 EXPECT_NOT_POISONED(applyNot<U1>(0x0, 0x0)); 358 EXPECT_NOT_POISONED(applyNot<U1>(0xFF, 0xFE)); 359 EXPECT_NOT_POISONED(applyNot<U1>(0xFF, 0x0)); 360 EXPECT_POISONED(applyNot<U1>(0xFF, 0xFF)); 361 362 EXPECT_POISONED(applyNot<void*>((void*)0xFFFFFF, (void*)(-1))); 363 EXPECT_NOT_POISONED(applyNot<void*>((void*)0xFFFFFF, (void*)(-2))); 364} 365 366TEST(MemorySanitizer, Shift) { 367 U4 *up = GetPoisoned<U4>(); 368 ((U1*)up)[0] = 0; 369 ((U1*)up)[3] = 0xff; 370 EXPECT_NOT_POISONED(*up >> 30); 371 EXPECT_NOT_POISONED(*up >> 24); 372 EXPECT_POISONED(*up >> 23); 373 EXPECT_POISONED(*up >> 10); 374 375 EXPECT_NOT_POISONED(*up << 30); 376 EXPECT_NOT_POISONED(*up << 24); 377 EXPECT_POISONED(*up << 23); 378 EXPECT_POISONED(*up << 10); 379 380 S4 *sp = (S4*)up; 381 EXPECT_NOT_POISONED(*sp >> 30); 382 EXPECT_NOT_POISONED(*sp >> 24); 383 EXPECT_POISONED(*sp >> 23); 384 EXPECT_POISONED(*sp >> 10); 385 386 sp = GetPoisoned<S4>(); 387 ((S1*)sp)[1] = 0; 388 ((S1*)sp)[2] = 0; 389 EXPECT_POISONED(*sp >> 31); 390 391 EXPECT_POISONED(100 >> *GetPoisoned<S4>()); 392 EXPECT_POISONED(100U >> *GetPoisoned<S4>()); 393} 394 395NOINLINE static int GetPoisonedZero() { 396 int *zero = new int; 397 *zero = 0; 398 __msan_poison(zero, sizeof(*zero)); 399 int res = *zero; 400 delete zero; 401 return res; 402} 403 404TEST(MemorySanitizer, LoadFromDirtyAddress) { 405 int *a = new int; 406 *a = 0; 407 EXPECT_UMR(break_optimization((void*)(U8)a[GetPoisonedZero()])); 408 delete a; 409} 410 411TEST(MemorySanitizer, StoreToDirtyAddress) { 412 int *a = new int; 413 EXPECT_UMR(a[GetPoisonedZero()] = 0); 414 break_optimization(a); 415 delete a; 416} 417 418 419NOINLINE void StackTestFunc() { 420 S4 p4; 421 S4 ok4 = 1; 422 S2 p2; 423 S2 ok2 = 1; 424 S1 p1; 425 S1 ok1 = 1; 426 break_optimization(&p4); 427 break_optimization(&ok4); 428 break_optimization(&p2); 429 break_optimization(&ok2); 430 break_optimization(&p1); 431 break_optimization(&ok1); 432 433 EXPECT_POISONED(p4); 434 EXPECT_POISONED(p2); 435 EXPECT_POISONED(p1); 436 EXPECT_NOT_POISONED(ok1); 437 EXPECT_NOT_POISONED(ok2); 438 EXPECT_NOT_POISONED(ok4); 439} 440 441TEST(MemorySanitizer, StackTest) { 442 StackTestFunc(); 443} 444 445NOINLINE void StackStressFunc() { 446 int foo[10000]; 447 break_optimization(foo); 448} 449 450TEST(MemorySanitizer, DISABLED_StackStressTest) { 451 for (int i = 0; i < 1000000; i++) 452 StackStressFunc(); 453} 454 455template<class T> 456void TestFloatingPoint() { 457 static volatile T v; 458 static T g[100]; 459 break_optimization(&g); 460 T *x = GetPoisoned<T>(); 461 T *y = GetPoisoned<T>(1); 462 EXPECT_POISONED(*x); 463 EXPECT_POISONED((long long)*x); 464 EXPECT_POISONED((int)*x); 465 g[0] = *x; 466 g[1] = *x + *y; 467 g[2] = *x - *y; 468 g[3] = *x * *y; 469} 470 471TEST(MemorySanitizer, FloatingPointTest) { 472 TestFloatingPoint<float>(); 473 TestFloatingPoint<double>(); 474} 475 476TEST(MemorySanitizer, DynMem) { 477 S4 x = 0; 478 S4 *y = GetPoisoned<S4>(); 479 memcpy(y, &x, g_one * sizeof(S4)); 480 EXPECT_NOT_POISONED(*y); 481} 482 483static char *DynRetTestStr; 484 485TEST(MemorySanitizer, DynRet) { 486 if (!__msan_has_dynamic_component()) return; 487 ReturnPoisoned<S8>(); 488 EXPECT_NOT_POISONED(clearenv()); 489} 490 491 492TEST(MemorySanitizer, DynRet1) { 493 if (!__msan_has_dynamic_component()) return; 494 ReturnPoisoned<S8>(); 495} 496 497struct LargeStruct { 498 S4 x[10]; 499}; 500 501NOINLINE 502LargeStruct LargeRetTest() { 503 LargeStruct res; 504 res.x[0] = *GetPoisoned<S4>(); 505 res.x[1] = *GetPoisoned<S4>(); 506 res.x[2] = *GetPoisoned<S4>(); 507 res.x[3] = *GetPoisoned<S4>(); 508 res.x[4] = *GetPoisoned<S4>(); 509 res.x[5] = *GetPoisoned<S4>(); 510 res.x[6] = *GetPoisoned<S4>(); 511 res.x[7] = *GetPoisoned<S4>(); 512 res.x[8] = *GetPoisoned<S4>(); 513 res.x[9] = *GetPoisoned<S4>(); 514 return res; 515} 516 517TEST(MemorySanitizer, LargeRet) { 518 LargeStruct a = LargeRetTest(); 519 EXPECT_POISONED(a.x[0]); 520 EXPECT_POISONED(a.x[9]); 521} 522 523TEST(MemorySanitizer, fread) { 524 char *x = new char[32]; 525 FILE *f = fopen("/proc/self/stat", "r"); 526 assert(f); 527 fread(x, 1, 32, f); 528 EXPECT_NOT_POISONED(x[0]); 529 EXPECT_NOT_POISONED(x[16]); 530 EXPECT_NOT_POISONED(x[31]); 531 fclose(f); 532 delete x; 533} 534 535TEST(MemorySanitizer, read) { 536 char *x = new char[32]; 537 int fd = open("/proc/self/stat", O_RDONLY); 538 assert(fd > 0); 539 int sz = read(fd, x, 32); 540 assert(sz == 32); 541 EXPECT_NOT_POISONED(x[0]); 542 EXPECT_NOT_POISONED(x[16]); 543 EXPECT_NOT_POISONED(x[31]); 544 close(fd); 545 delete x; 546} 547 548TEST(MemorySanitizer, pread) { 549 char *x = new char[32]; 550 int fd = open("/proc/self/stat", O_RDONLY); 551 assert(fd > 0); 552 int sz = pread(fd, x, 32, 0); 553 assert(sz == 32); 554 EXPECT_NOT_POISONED(x[0]); 555 EXPECT_NOT_POISONED(x[16]); 556 EXPECT_NOT_POISONED(x[31]); 557 close(fd); 558 delete x; 559} 560 561// FIXME: fails now. 562TEST(MemorySanitizer, DISABLED_ioctl) { 563 struct winsize ws; 564 EXPECT_EQ(ioctl(2, TIOCGWINSZ, &ws), 0); 565 EXPECT_NOT_POISONED(ws.ws_col); 566} 567 568TEST(MemorySanitizer, readlink) { 569 char *x = new char[1000]; 570 readlink("/proc/self/exe", x, 1000); 571 EXPECT_NOT_POISONED(x[0]); 572 delete [] x; 573} 574 575 576TEST(MemorySanitizer, stat) { 577 struct stat* st = new struct stat; 578 int res = stat("/proc/self/stat", st); 579 assert(!res); 580 EXPECT_NOT_POISONED(st->st_dev); 581 EXPECT_NOT_POISONED(st->st_mode); 582 EXPECT_NOT_POISONED(st->st_size); 583} 584 585TEST(MemorySanitizer, statfs) { 586 struct statfs* st = new struct statfs; 587 int res = statfs("/", st); 588 assert(!res); 589 EXPECT_NOT_POISONED(st->f_type); 590 EXPECT_NOT_POISONED(st->f_bfree); 591 EXPECT_NOT_POISONED(st->f_namelen); 592} 593 594TEST(MemorySanitizer, pipe) { 595 int* pipefd = new int[2]; 596 int res = pipe(pipefd); 597 assert(!res); 598 EXPECT_NOT_POISONED(pipefd[0]); 599 EXPECT_NOT_POISONED(pipefd[1]); 600 close(pipefd[0]); 601 close(pipefd[1]); 602} 603 604TEST(MemorySanitizer, getcwd) { 605 char path[PATH_MAX + 1]; 606 char* res = getcwd(path, sizeof(path)); 607 assert(res); 608 EXPECT_NOT_POISONED(path[0]); 609} 610 611TEST(MemorySanitizer, getcwd_gnu) { 612 char* res = getcwd(NULL, 0); 613 assert(res); 614 EXPECT_NOT_POISONED(res[0]); 615 free(res); 616} 617 618TEST(MemorySanitizer, readdir) { 619 DIR *dir = opendir("."); 620 struct dirent *d = readdir(dir); 621 assert(d); 622 EXPECT_NOT_POISONED(d->d_name[0]); 623 closedir(dir); 624} 625 626TEST(MemorySanitizer, realpath) { 627 const char* relpath = "."; 628 char path[PATH_MAX + 1]; 629 char* res = realpath(relpath, path); 630 assert(res); 631 EXPECT_NOT_POISONED(path[0]); 632} 633 634TEST(MemorySanitizer, memcpy) { 635 char* x = new char[2]; 636 char* y = new char[2]; 637 x[0] = 1; 638 x[1] = *GetPoisoned<char>(); 639 memcpy(y, x, 2); 640 EXPECT_NOT_POISONED(y[0]); 641 EXPECT_POISONED(y[1]); 642} 643 644TEST(MemorySanitizer, memmove) { 645 char* x = new char[2]; 646 char* y = new char[2]; 647 x[0] = 1; 648 x[1] = *GetPoisoned<char>(); 649 memmove(y, x, 2); 650 EXPECT_NOT_POISONED(y[0]); 651 EXPECT_POISONED(y[1]); 652} 653 654TEST(MemorySanitizer, strdup) { 655 char buf[4] = "abc"; 656 __msan_poison(buf + 2, sizeof(*buf)); 657 char *x = strdup(buf); 658 EXPECT_NOT_POISONED(x[0]); 659 EXPECT_NOT_POISONED(x[1]); 660 EXPECT_POISONED(x[2]); 661 EXPECT_NOT_POISONED(x[3]); 662 free(x); 663} 664 665TEST(MemorySanitizer, strndup) { 666 char buf[4] = "abc"; 667 __msan_poison(buf + 2, sizeof(*buf)); 668 char *x = strndup(buf, 3); 669 EXPECT_NOT_POISONED(x[0]); 670 EXPECT_NOT_POISONED(x[1]); 671 EXPECT_POISONED(x[2]); 672 EXPECT_NOT_POISONED(x[3]); 673 free(x); 674} 675 676TEST(MemorySanitizer, strndup_short) { 677 char buf[4] = "abc"; 678 __msan_poison(buf + 1, sizeof(*buf)); 679 __msan_poison(buf + 2, sizeof(*buf)); 680 char *x = strndup(buf, 2); 681 EXPECT_NOT_POISONED(x[0]); 682 EXPECT_POISONED(x[1]); 683 EXPECT_NOT_POISONED(x[2]); 684 free(x); 685} 686 687 688template<class T, int size> 689void TestOverlapMemmove() { 690 T *x = new T[size]; 691 assert(size >= 3); 692 x[2] = 0; 693 memmove(x, x + 1, (size - 1) * sizeof(T)); 694 EXPECT_NOT_POISONED(x[1]); 695 if (!__msan_has_dynamic_component()) { 696 // FIXME: under DR we will lose this information 697 // because accesses in memmove will unpoisin the shadow. 698 // We need to use our own memove implementation instead of libc's. 699 EXPECT_POISONED(x[0]); 700 EXPECT_POISONED(x[2]); 701 } 702 delete [] x; 703} 704 705TEST(MemorySanitizer, overlap_memmove) { 706 TestOverlapMemmove<U1, 10>(); 707 TestOverlapMemmove<U1, 1000>(); 708 TestOverlapMemmove<U8, 4>(); 709 TestOverlapMemmove<U8, 1000>(); 710} 711 712TEST(MemorySanitizer, strcpy) { // NOLINT 713 char* x = new char[3]; 714 char* y = new char[3]; 715 x[0] = 'a'; 716 x[1] = *GetPoisoned<char>(1, 1); 717 x[2] = 0; 718 strcpy(y, x); // NOLINT 719 EXPECT_NOT_POISONED(y[0]); 720 EXPECT_POISONED(y[1]); 721 EXPECT_NOT_POISONED(y[2]); 722} 723 724TEST(MemorySanitizer, strncpy) { // NOLINT 725 char* x = new char[3]; 726 char* y = new char[3]; 727 x[0] = 'a'; 728 x[1] = *GetPoisoned<char>(1, 1); 729 x[2] = 0; 730 strncpy(y, x, 2); // NOLINT 731 EXPECT_NOT_POISONED(y[0]); 732 EXPECT_POISONED(y[1]); 733 EXPECT_POISONED(y[2]); 734} 735 736TEST(MemorySanitizer, strtol) { 737 char *e; 738 assert(1 == strtol("1", &e, 10)); 739 EXPECT_NOT_POISONED((S8) e); 740} 741 742TEST(MemorySanitizer, strtoll) { 743 char *e; 744 assert(1 == strtoll("1", &e, 10)); 745 EXPECT_NOT_POISONED((S8) e); 746} 747 748TEST(MemorySanitizer, strtoul) { 749 char *e; 750 assert(1 == strtoul("1", &e, 10)); 751 EXPECT_NOT_POISONED((S8) e); 752} 753 754TEST(MemorySanitizer, strtoull) { 755 char *e; 756 assert(1 == strtoull("1", &e, 10)); 757 EXPECT_NOT_POISONED((S8) e); 758} 759 760TEST(MemorySanitizer, strtod) { 761 char *e; 762 assert(0 != strtod("1.5", &e)); 763 EXPECT_NOT_POISONED((S8) e); 764} 765 766TEST(MemorySanitizer, strtof) { 767 char *e; 768 assert(0 != strtof("1.5", &e)); 769 EXPECT_NOT_POISONED((S8) e); 770} 771 772TEST(MemorySanitizer, strtold) { 773 char *e; 774 assert(0 != strtold("1.5", &e)); 775 EXPECT_NOT_POISONED((S8) e); 776} 777 778TEST(MemorySanitizer, sprintf) { // NOLINT 779 char buff[10]; 780 break_optimization(buff); 781 EXPECT_POISONED(buff[0]); 782 int res = sprintf(buff, "%d", 1234567); // NOLINT 783 assert(res == 7); 784 assert(buff[0] == '1'); 785 assert(buff[1] == '2'); 786 assert(buff[2] == '3'); 787 assert(buff[6] == '7'); 788 assert(buff[7] == 0); 789 EXPECT_POISONED(buff[8]); 790} 791 792TEST(MemorySanitizer, snprintf) { 793 char buff[10]; 794 break_optimization(buff); 795 EXPECT_POISONED(buff[0]); 796 int res = snprintf(buff, sizeof(buff), "%d", 1234567); 797 assert(res == 7); 798 assert(buff[0] == '1'); 799 assert(buff[1] == '2'); 800 assert(buff[2] == '3'); 801 assert(buff[6] == '7'); 802 assert(buff[7] == 0); 803 EXPECT_POISONED(buff[8]); 804} 805 806TEST(MemorySanitizer, swprintf) { 807 wchar_t buff[10]; 808 assert(sizeof(wchar_t) == 4); 809 break_optimization(buff); 810 EXPECT_POISONED(buff[0]); 811 int res = swprintf(buff, 9, L"%d", 1234567); 812 assert(res == 7); 813 assert(buff[0] == '1'); 814 assert(buff[1] == '2'); 815 assert(buff[2] == '3'); 816 assert(buff[6] == '7'); 817 assert(buff[7] == 0); 818 EXPECT_POISONED(buff[8]); 819} 820 821TEST(MemorySanitizer, wcstombs) { 822 const wchar_t *x = L"abc"; 823 char buff[10]; 824 int res = wcstombs(buff, x, 4); 825 EXPECT_EQ(res, 3); 826 EXPECT_EQ(buff[0], 'a'); 827 EXPECT_EQ(buff[1], 'b'); 828 EXPECT_EQ(buff[2], 'c'); 829} 830 831TEST(MemorySanitizer, gettimeofday) { 832 struct timeval tv; 833 struct timezone tz; 834 break_optimization(&tv); 835 break_optimization(&tz); 836 assert(sizeof(tv) == 16); 837 assert(sizeof(tz) == 8); 838 EXPECT_POISONED(tv.tv_sec); 839 EXPECT_POISONED(tv.tv_usec); 840 EXPECT_POISONED(tz.tz_minuteswest); 841 EXPECT_POISONED(tz.tz_dsttime); 842 assert(0 == gettimeofday(&tv, &tz)); 843 EXPECT_NOT_POISONED(tv.tv_sec); 844 EXPECT_NOT_POISONED(tv.tv_usec); 845 EXPECT_NOT_POISONED(tz.tz_minuteswest); 846 EXPECT_NOT_POISONED(tz.tz_dsttime); 847} 848 849TEST(MemorySanitizer, localtime) { 850 time_t t = 123; 851 struct tm *time = localtime(&t); 852 assert(time != 0); 853 EXPECT_NOT_POISONED(time->tm_sec); 854 EXPECT_NOT_POISONED(time->tm_hour); 855 EXPECT_NOT_POISONED(time->tm_year); 856 EXPECT_NOT_POISONED(time->tm_isdst); 857} 858 859TEST(MemorySanitizer, localtime_r) { 860 time_t t = 123; 861 struct tm time; 862 struct tm *res = localtime_r(&t, &time); 863 assert(res != 0); 864 EXPECT_NOT_POISONED(time.tm_sec); 865 EXPECT_NOT_POISONED(time.tm_hour); 866 EXPECT_NOT_POISONED(time.tm_year); 867 EXPECT_NOT_POISONED(time.tm_isdst); 868} 869 870TEST(MemorySanitizer, mmap) { 871 const int size = 4096; 872 void *p1, *p2; 873 p1 = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 874 __msan_poison(p1, size); 875 munmap(p1, size); 876 for (int i = 0; i < 1000; i++) { 877 p2 = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); 878 if (p2 == p1) 879 break; 880 else 881 munmap(p2, size); 882 } 883 if (p1 == p2) { 884 EXPECT_NOT_POISONED(*(char*)p2); 885 munmap(p2, size); 886 } 887} 888 889// FIXME: enable and add ecvt. 890// FIXME: check why msandr does nt handle fcvt. 891TEST(MemorySanitizer, fcvt) { 892 int a, b; 893 break_optimization(&a); 894 break_optimization(&b); 895 EXPECT_POISONED(a); 896 EXPECT_POISONED(b); 897 char *str = fcvt(12345.6789, 10, &a, &b); 898 EXPECT_NOT_POISONED(a); 899 EXPECT_NOT_POISONED(b); 900} 901 902TEST(MemorySanitizer, frexp) { 903 int x; 904 x = *GetPoisoned<int>(); 905 double r = frexp(1.1, &x); 906 EXPECT_NOT_POISONED(r); 907 EXPECT_NOT_POISONED(x); 908 909 x = *GetPoisoned<int>(); 910 float rf = frexpf(1.1, &x); 911 EXPECT_NOT_POISONED(rf); 912 EXPECT_NOT_POISONED(x); 913 914 x = *GetPoisoned<int>(); 915 double rl = frexpl(1.1, &x); 916 EXPECT_NOT_POISONED(rl); 917 EXPECT_NOT_POISONED(x); 918} 919 920struct StructWithDtor { 921 ~StructWithDtor(); 922}; 923 924NOINLINE StructWithDtor::~StructWithDtor() { 925 break_optimization(0); 926} 927 928TEST(MemorySanitizer, Invoke) { 929 StructWithDtor s; // Will cause the calls to become invokes. 930 EXPECT_NOT_POISONED(0); 931 EXPECT_POISONED(*GetPoisoned<int>()); 932 EXPECT_NOT_POISONED(0); 933 EXPECT_POISONED(*GetPoisoned<int>()); 934 EXPECT_POISONED(ReturnPoisoned<S4>()); 935} 936 937TEST(MemorySanitizer, ptrtoint) { 938 // Test that shadow is propagated through pointer-to-integer conversion. 939 void* p = (void*)0xABCD; 940 __msan_poison(((char*)&p) + 1, sizeof(p)); 941 EXPECT_NOT_POISONED((((uintptr_t)p) & 0xFF) == 0); 942 943 void* q = (void*)0xABCD; 944 __msan_poison(&q, sizeof(q) - 1); 945 EXPECT_POISONED((((uintptr_t)q) & 0xFF) == 0); 946} 947 948static void vaargsfn2(int guard, ...) { 949 va_list vl; 950 va_start(vl, guard); 951 EXPECT_NOT_POISONED(va_arg(vl, int)); 952 EXPECT_NOT_POISONED(va_arg(vl, int)); 953 EXPECT_NOT_POISONED(va_arg(vl, int)); 954 EXPECT_POISONED(va_arg(vl, double)); 955 va_end(vl); 956} 957 958static void vaargsfn(int guard, ...) { 959 va_list vl; 960 va_start(vl, guard); 961 EXPECT_NOT_POISONED(va_arg(vl, int)); 962 EXPECT_POISONED(va_arg(vl, int)); 963 // The following call will overwrite __msan_param_tls. 964 // Checks after it test that arg shadow was somehow saved across the call. 965 vaargsfn2(1, 2, 3, 4, *GetPoisoned<double>()); 966 EXPECT_NOT_POISONED(va_arg(vl, int)); 967 EXPECT_POISONED(va_arg(vl, int)); 968 va_end(vl); 969} 970 971TEST(MemorySanitizer, VAArgTest) { 972 int* x = GetPoisoned<int>(); 973 int* y = GetPoisoned<int>(4); 974 vaargsfn(1, 13, *x, 42, *y); 975} 976 977static void vaargsfn_many(int guard, ...) { 978 va_list vl; 979 va_start(vl, guard); 980 EXPECT_NOT_POISONED(va_arg(vl, int)); 981 EXPECT_POISONED(va_arg(vl, int)); 982 EXPECT_NOT_POISONED(va_arg(vl, int)); 983 EXPECT_NOT_POISONED(va_arg(vl, int)); 984 EXPECT_NOT_POISONED(va_arg(vl, int)); 985 EXPECT_NOT_POISONED(va_arg(vl, int)); 986 EXPECT_NOT_POISONED(va_arg(vl, int)); 987 EXPECT_NOT_POISONED(va_arg(vl, int)); 988 EXPECT_NOT_POISONED(va_arg(vl, int)); 989 EXPECT_POISONED(va_arg(vl, int)); 990 va_end(vl); 991} 992 993TEST(MemorySanitizer, VAArgManyTest) { 994 int* x = GetPoisoned<int>(); 995 int* y = GetPoisoned<int>(4); 996 vaargsfn_many(1, 2, *x, 3, 4, 5, 6, 7, 8, 9, *y); 997} 998 999static void vaargsfn_pass2(va_list vl) { 1000 EXPECT_NOT_POISONED(va_arg(vl, int)); 1001 EXPECT_NOT_POISONED(va_arg(vl, int)); 1002 EXPECT_POISONED(va_arg(vl, int)); 1003} 1004 1005static void vaargsfn_pass(int guard, ...) { 1006 va_list vl; 1007 va_start(vl, guard); 1008 EXPECT_POISONED(va_arg(vl, int)); 1009 vaargsfn_pass2(vl); 1010 va_end(vl); 1011} 1012 1013TEST(MemorySanitizer, VAArgPass) { 1014 int* x = GetPoisoned<int>(); 1015 int* y = GetPoisoned<int>(4); 1016 vaargsfn_pass(1, *x, 2, 3, *y); 1017} 1018 1019static void vaargsfn_copy2(va_list vl) { 1020 EXPECT_NOT_POISONED(va_arg(vl, int)); 1021 EXPECT_POISONED(va_arg(vl, int)); 1022} 1023 1024static void vaargsfn_copy(int guard, ...) { 1025 va_list vl; 1026 va_start(vl, guard); 1027 EXPECT_NOT_POISONED(va_arg(vl, int)); 1028 EXPECT_POISONED(va_arg(vl, int)); 1029 va_list vl2; 1030 va_copy(vl2, vl); 1031 vaargsfn_copy2(vl2); 1032 EXPECT_NOT_POISONED(va_arg(vl, int)); 1033 EXPECT_POISONED(va_arg(vl, int)); 1034 va_end(vl); 1035} 1036 1037TEST(MemorySanitizer, VAArgCopy) { 1038 int* x = GetPoisoned<int>(); 1039 int* y = GetPoisoned<int>(4); 1040 vaargsfn_copy(1, 2, *x, 3, *y); 1041} 1042 1043static void vaargsfn_ptr(int guard, ...) { 1044 va_list vl; 1045 va_start(vl, guard); 1046 EXPECT_NOT_POISONED(va_arg(vl, int*)); 1047 EXPECT_POISONED(va_arg(vl, int*)); 1048 EXPECT_NOT_POISONED(va_arg(vl, int*)); 1049 EXPECT_POISONED(va_arg(vl, double*)); 1050 va_end(vl); 1051} 1052 1053TEST(MemorySanitizer, VAArgPtr) { 1054 int** x = GetPoisoned<int*>(); 1055 double** y = GetPoisoned<double*>(8); 1056 int z; 1057 vaargsfn_ptr(1, &z, *x, &z, *y); 1058} 1059 1060static void vaargsfn_overflow(int guard, ...) { 1061 va_list vl; 1062 va_start(vl, guard); 1063 EXPECT_NOT_POISONED(va_arg(vl, int)); 1064 EXPECT_NOT_POISONED(va_arg(vl, int)); 1065 EXPECT_POISONED(va_arg(vl, int)); 1066 EXPECT_NOT_POISONED(va_arg(vl, int)); 1067 EXPECT_NOT_POISONED(va_arg(vl, int)); 1068 EXPECT_NOT_POISONED(va_arg(vl, int)); 1069 1070 EXPECT_NOT_POISONED(va_arg(vl, double)); 1071 EXPECT_NOT_POISONED(va_arg(vl, double)); 1072 EXPECT_NOT_POISONED(va_arg(vl, double)); 1073 EXPECT_POISONED(va_arg(vl, double)); 1074 EXPECT_NOT_POISONED(va_arg(vl, double)); 1075 EXPECT_POISONED(va_arg(vl, int*)); 1076 EXPECT_NOT_POISONED(va_arg(vl, double)); 1077 EXPECT_NOT_POISONED(va_arg(vl, double)); 1078 1079 EXPECT_POISONED(va_arg(vl, int)); 1080 EXPECT_POISONED(va_arg(vl, double)); 1081 EXPECT_POISONED(va_arg(vl, int*)); 1082 1083 EXPECT_NOT_POISONED(va_arg(vl, int)); 1084 EXPECT_NOT_POISONED(va_arg(vl, double)); 1085 EXPECT_NOT_POISONED(va_arg(vl, int*)); 1086 1087 EXPECT_POISONED(va_arg(vl, int)); 1088 EXPECT_POISONED(va_arg(vl, double)); 1089 EXPECT_POISONED(va_arg(vl, int*)); 1090 1091 va_end(vl); 1092} 1093 1094TEST(MemorySanitizer, VAArgOverflow) { 1095 int* x = GetPoisoned<int>(); 1096 double* y = GetPoisoned<double>(8); 1097 int** p = GetPoisoned<int*>(16); 1098 int z; 1099 vaargsfn_overflow(1, 1100 1, 2, *x, 4, 5, 6, 1101 1.1, 2.2, 3.3, *y, 5.5, *p, 7.7, 8.8, 1102 // the following args will overflow for sure 1103 *x, *y, *p, 1104 7, 9.9, &z, 1105 *x, *y, *p); 1106} 1107 1108static void vaargsfn_tlsoverwrite2(int guard, ...) { 1109 va_list vl; 1110 va_start(vl, guard); 1111 EXPECT_NOT_POISONED(va_arg(vl, int)); 1112 va_end(vl); 1113} 1114 1115static void vaargsfn_tlsoverwrite(int guard, ...) { 1116 // This call will overwrite TLS contents unless it's backed up somewhere. 1117 vaargsfn_tlsoverwrite2(2, 42); 1118 va_list vl; 1119 va_start(vl, guard); 1120 EXPECT_POISONED(va_arg(vl, int)); 1121 va_end(vl); 1122} 1123 1124TEST(MemorySanitizer, VAArgTLSOverwrite) { 1125 int* x = GetPoisoned<int>(); 1126 vaargsfn_tlsoverwrite(1, *x); 1127} 1128 1129struct StructByVal { 1130 int a, b, c, d, e, f; 1131}; 1132 1133NOINLINE void StructByValTestFunc(struct StructByVal s) { 1134 EXPECT_NOT_POISONED(s.a); 1135 EXPECT_POISONED(s.b); 1136 EXPECT_NOT_POISONED(s.c); 1137 EXPECT_POISONED(s.d); 1138 EXPECT_NOT_POISONED(s.e); 1139 EXPECT_POISONED(s.f); 1140} 1141 1142NOINLINE void StructByValTestFunc1(struct StructByVal s) { 1143 StructByValTestFunc(s); 1144} 1145 1146NOINLINE void StructByValTestFunc2(int z, struct StructByVal s) { 1147 StructByValTestFunc(s); 1148} 1149 1150TEST(MemorySanitizer, StructByVal) { 1151 // Large aggregates are passed as "byval" pointer argument in LLVM. 1152 struct StructByVal s; 1153 s.a = 1; 1154 s.b = *GetPoisoned<int>(); 1155 s.c = 2; 1156 s.d = *GetPoisoned<int>(); 1157 s.e = 3; 1158 s.f = *GetPoisoned<int>(); 1159 StructByValTestFunc(s); 1160 StructByValTestFunc1(s); 1161 StructByValTestFunc2(0, s); 1162} 1163 1164 1165#if MSAN_HAS_M128 1166NOINLINE __m128i m128Eq(__m128i *a, __m128i *b) { return *a == *b; } 1167NOINLINE __m128i m128Lt(__m128i *a, __m128i *b) { return *a < *b; } 1168TEST(MemorySanitizer, m128) { 1169 __m128i a = _mm_set1_epi16(0x1234); 1170 __m128i b = _mm_set1_epi16(0x7890); 1171 EXPECT_NOT_POISONED(m128Eq(&a, &b)); 1172 EXPECT_NOT_POISONED(m128Lt(&a, &b)); 1173} 1174// FIXME: add more tests for __m128i. 1175#endif // MSAN_HAS_M128 1176 1177// We should not complain when copying this poisoned hole. 1178struct StructWithHole { 1179 U4 a; 1180 // 4-byte hole. 1181 U8 b; 1182}; 1183 1184NOINLINE StructWithHole ReturnStructWithHole() { 1185 StructWithHole res; 1186 __msan_poison(&res, sizeof(res)); 1187 res.a = 1; 1188 res.b = 2; 1189 return res; 1190} 1191 1192TEST(MemorySanitizer, StructWithHole) { 1193 StructWithHole a = ReturnStructWithHole(); 1194 break_optimization(&a); 1195} 1196 1197template <class T> 1198NOINLINE T ReturnStruct() { 1199 T res; 1200 __msan_poison(&res, sizeof(res)); 1201 res.a = 1; 1202 return res; 1203} 1204 1205template <class T> 1206NOINLINE void TestReturnStruct() { 1207 T s1 = ReturnStruct<T>(); 1208 EXPECT_NOT_POISONED(s1.a); 1209 EXPECT_POISONED(s1.b); 1210} 1211 1212struct SSS1 { 1213 int a, b, c; 1214}; 1215struct SSS2 { 1216 int b, a, c; 1217}; 1218struct SSS3 { 1219 int b, c, a; 1220}; 1221struct SSS4 { 1222 int c, b, a; 1223}; 1224 1225struct SSS5 { 1226 int a; 1227 float b; 1228}; 1229struct SSS6 { 1230 int a; 1231 double b; 1232}; 1233struct SSS7 { 1234 S8 b; 1235 int a; 1236}; 1237struct SSS8 { 1238 S2 b; 1239 S8 a; 1240}; 1241 1242TEST(MemorySanitizer, IntStruct3) { 1243 TestReturnStruct<SSS1>(); 1244 TestReturnStruct<SSS2>(); 1245 TestReturnStruct<SSS3>(); 1246 TestReturnStruct<SSS4>(); 1247 TestReturnStruct<SSS5>(); 1248 TestReturnStruct<SSS6>(); 1249 TestReturnStruct<SSS7>(); 1250 TestReturnStruct<SSS8>(); 1251} 1252 1253struct LongStruct { 1254 U1 a1, b1; 1255 U2 a2, b2; 1256 U4 a4, b4; 1257 U8 a8, b8; 1258}; 1259 1260NOINLINE LongStruct ReturnLongStruct1() { 1261 LongStruct res; 1262 __msan_poison(&res, sizeof(res)); 1263 res.a1 = res.a2 = res.a4 = res.a8 = 111; 1264 // leaves b1, .., b8 poisoned. 1265 return res; 1266} 1267 1268NOINLINE LongStruct ReturnLongStruct2() { 1269 LongStruct res; 1270 __msan_poison(&res, sizeof(res)); 1271 res.b1 = res.b2 = res.b4 = res.b8 = 111; 1272 // leaves a1, .., a8 poisoned. 1273 return res; 1274} 1275 1276TEST(MemorySanitizer, LongStruct) { 1277 LongStruct s1 = ReturnLongStruct1(); 1278 __msan_print_shadow(&s1, sizeof(s1)); 1279 EXPECT_NOT_POISONED(s1.a1); 1280 EXPECT_NOT_POISONED(s1.a2); 1281 EXPECT_NOT_POISONED(s1.a4); 1282 EXPECT_NOT_POISONED(s1.a8); 1283 1284 EXPECT_POISONED(s1.b1); 1285 EXPECT_POISONED(s1.b2); 1286 EXPECT_POISONED(s1.b4); 1287 EXPECT_POISONED(s1.b8); 1288 1289 LongStruct s2 = ReturnLongStruct2(); 1290 __msan_print_shadow(&s2, sizeof(s2)); 1291 EXPECT_NOT_POISONED(s2.b1); 1292 EXPECT_NOT_POISONED(s2.b2); 1293 EXPECT_NOT_POISONED(s2.b4); 1294 EXPECT_NOT_POISONED(s2.b8); 1295 1296 EXPECT_POISONED(s2.a1); 1297 EXPECT_POISONED(s2.a2); 1298 EXPECT_POISONED(s2.a4); 1299 EXPECT_POISONED(s2.a8); 1300} 1301 1302TEST(MemorySanitizer, getrlimit) { 1303 struct rlimit limit; 1304 __msan_poison(&limit, sizeof(limit)); 1305 int result = getrlimit(RLIMIT_DATA, &limit); 1306 assert(result == 0); 1307 volatile rlim_t t; 1308 t = limit.rlim_cur; 1309 t = limit.rlim_max; 1310} 1311 1312TEST(MemorySanitizer, getrusage) { 1313 struct rusage usage; 1314 __msan_poison(&usage, sizeof(usage)); 1315 int result = getrusage(RUSAGE_SELF, &usage); 1316 assert(result == 0); 1317 volatile struct timeval t; 1318 EXPECT_NOT_POISONED(usage.ru_utime.tv_sec); 1319 EXPECT_NOT_POISONED(usage.ru_utime.tv_usec); 1320 EXPECT_NOT_POISONED(usage.ru_stime.tv_sec); 1321 EXPECT_NOT_POISONED(usage.ru_stime.tv_usec); 1322 EXPECT_NOT_POISONED(usage.ru_maxrss); 1323 EXPECT_NOT_POISONED(usage.ru_minflt); 1324 EXPECT_NOT_POISONED(usage.ru_majflt); 1325 EXPECT_NOT_POISONED(usage.ru_inblock); 1326 EXPECT_NOT_POISONED(usage.ru_oublock); 1327 EXPECT_NOT_POISONED(usage.ru_nvcsw); 1328 EXPECT_NOT_POISONED(usage.ru_nivcsw); 1329} 1330 1331static void dladdr_testfn() {} 1332 1333TEST(MemorySanitizer, dladdr) { 1334 Dl_info info; 1335 __msan_poison(&info, sizeof(info)); 1336 int result = dladdr((const void*)dladdr_testfn, &info); 1337 assert(result != 0); 1338 EXPECT_NOT_POISONED((unsigned long)info.dli_fname); 1339 if (info.dli_fname) 1340 EXPECT_NOT_POISONED(strlen(info.dli_fname)); 1341 EXPECT_NOT_POISONED((unsigned long)info.dli_fbase); 1342 EXPECT_NOT_POISONED((unsigned long)info.dli_sname); 1343 if (info.dli_sname) 1344 EXPECT_NOT_POISONED(strlen(info.dli_sname)); 1345 EXPECT_NOT_POISONED((unsigned long)info.dli_saddr); 1346} 1347 1348#ifdef __GLIBC__ 1349extern "C" { 1350 extern void *__libc_stack_end; 1351} 1352 1353static char **GetArgv(void) { 1354 uintptr_t *stack_end = (uintptr_t *)__libc_stack_end; 1355 return (char**)(stack_end + 1); 1356} 1357 1358#else // __GLIBC__ 1359# error "TODO: port this" 1360#endif 1361 1362TEST(MemorySanitizer, dlopen) { 1363 // Compute the path to our loadable DSO. We assume it's in the same 1364 // directory. Only use string routines that we intercept so far to do this. 1365 char **argv = GetArgv(); 1366 const char *basename = "libmsan_loadable.x86_64.so"; 1367 size_t path_max = strlen(argv[0]) + 1 + strlen(basename) + 1; 1368 char *path = new char[path_max]; 1369 char *last_slash = strrchr(argv[0], '/'); 1370 assert(last_slash); 1371 snprintf(path, path_max, "%.*s/%s", int(last_slash - argv[0]), 1372 argv[0], basename); 1373 1374 // We need to clear shadow for globals when doing dlopen. In order to test 1375 // this, we have to poison the shadow for the DSO before we load it. In 1376 // general this is difficult, but the loader tends to reload things in the 1377 // same place, so we open, close, and then reopen. The global should always 1378 // start out clean after dlopen. 1379 for (int i = 0; i < 2; i++) { 1380 void *lib = dlopen(path, RTLD_LAZY); 1381 if (lib == NULL) { 1382 printf("dlerror: %s\n", dlerror()); 1383 assert(lib != NULL); 1384 } 1385 void **(*get_dso_global)() = (void **(*)())dlsym(lib, "get_dso_global"); 1386 assert(get_dso_global); 1387 void **dso_global = get_dso_global(); 1388 EXPECT_NOT_POISONED(*dso_global); 1389 __msan_poison(dso_global, sizeof(*dso_global)); 1390 EXPECT_POISONED(*dso_global); 1391 dlclose(lib); 1392 } 1393 1394 delete[] path; 1395} 1396 1397TEST(MemorySanitizer, scanf) { 1398 const char *input = "42 hello"; 1399 int* d = new int; 1400 char* s = new char[7]; 1401 int res = sscanf(input, "%d %5s", d, s); 1402 printf("res %d\n", res); 1403 assert(res == 2); 1404 EXPECT_NOT_POISONED(*d); 1405 EXPECT_NOT_POISONED(s[0]); 1406 EXPECT_NOT_POISONED(s[1]); 1407 EXPECT_NOT_POISONED(s[2]); 1408 EXPECT_NOT_POISONED(s[3]); 1409 EXPECT_NOT_POISONED(s[4]); 1410 EXPECT_NOT_POISONED(s[5]); 1411 EXPECT_POISONED(s[6]); 1412 delete s; 1413 delete d; 1414} 1415 1416static void *SimpleThread_threadfn(void* data) { 1417 return new int; 1418} 1419 1420TEST(MemorySanitizer, SimpleThread) { 1421 pthread_t t; 1422 void *p; 1423 int res = pthread_create(&t, NULL, SimpleThread_threadfn, NULL); 1424 assert(!res); 1425 res = pthread_join(t, &p); 1426 assert(!res); 1427 if (!__msan_has_dynamic_component()) // FIXME: intercept pthread_join (?). 1428 __msan_unpoison(&p, sizeof(p)); 1429 delete (int*)p; 1430} 1431 1432static void *SmallStackThread_threadfn(void* data) { 1433 return 0; 1434} 1435 1436TEST(MemorySanitizer, SmallStackThread) { 1437 pthread_attr_t attr; 1438 pthread_t t; 1439 void *p; 1440 int res; 1441 res = pthread_attr_init(&attr); 1442 ASSERT_EQ(0, res); 1443 res = pthread_attr_setstacksize(&attr, 64 * 1024); 1444 ASSERT_EQ(0, res); 1445 res = pthread_create(&t, &attr, SmallStackThread_threadfn, NULL); 1446 ASSERT_EQ(0, res); 1447 res = pthread_join(t, &p); 1448 ASSERT_EQ(0, res); 1449 res = pthread_attr_destroy(&attr); 1450 ASSERT_EQ(0, res); 1451} 1452 1453TEST(MemorySanitizer, PreAllocatedStackThread) { 1454 pthread_attr_t attr; 1455 pthread_t t; 1456 int res; 1457 res = pthread_attr_init(&attr); 1458 ASSERT_EQ(0, res); 1459 void *stack; 1460 const size_t kStackSize = 64 * 1024; 1461 res = posix_memalign(&stack, 4096, kStackSize); 1462 ASSERT_EQ(0, res); 1463 res = pthread_attr_setstack(&attr, stack, kStackSize); 1464 ASSERT_EQ(0, res); 1465 // A small self-allocated stack can not be extended by the tool. 1466 // In this case pthread_create is expected to fail. 1467 res = pthread_create(&t, &attr, SmallStackThread_threadfn, NULL); 1468 EXPECT_NE(0, res); 1469 res = pthread_attr_destroy(&attr); 1470 ASSERT_EQ(0, res); 1471} 1472 1473TEST(MemorySanitizer, uname) { 1474 struct utsname u; 1475 int res = uname(&u); 1476 assert(!res); 1477 EXPECT_NOT_POISONED(strlen(u.sysname)); 1478 EXPECT_NOT_POISONED(strlen(u.nodename)); 1479 EXPECT_NOT_POISONED(strlen(u.release)); 1480 EXPECT_NOT_POISONED(strlen(u.version)); 1481 EXPECT_NOT_POISONED(strlen(u.machine)); 1482} 1483 1484TEST(MemorySanitizer, gethostname) { 1485 char buf[100]; 1486 int res = gethostname(buf, 100); 1487 assert(!res); 1488 EXPECT_NOT_POISONED(strlen(buf)); 1489} 1490 1491template<class T> 1492static bool applySlt(T value, T shadow) { 1493 __msan_partial_poison(&value, &shadow, sizeof(T)); 1494 volatile bool zzz = true; 1495 // This "|| zzz" trick somehow makes LLVM emit "icmp slt" instead of 1496 // a shift-and-trunc to get at the highest bit. 1497 volatile bool v = value < 0 || zzz; 1498 return v; 1499} 1500 1501TEST(MemorySanitizer, SignedCompareWithZero) { 1502 EXPECT_NOT_POISONED(applySlt<S4>(0xF, 0xF)); 1503 EXPECT_NOT_POISONED(applySlt<S4>(0xF, 0xFF)); 1504 EXPECT_NOT_POISONED(applySlt<S4>(0xF, 0xFFFFFF)); 1505 EXPECT_NOT_POISONED(applySlt<S4>(0xF, 0x7FFFFFF)); 1506 EXPECT_UMR(applySlt<S4>(0xF, 0x80FFFFFF)); 1507 EXPECT_UMR(applySlt<S4>(0xF, 0xFFFFFFFF)); 1508} 1509 1510template <class T, class S> 1511static T poisoned(T Va, S Sa) { 1512 char SIZE_CHECK1[(ssize_t)sizeof(T) - (ssize_t)sizeof(S)]; 1513 char SIZE_CHECK2[(ssize_t)sizeof(S) - (ssize_t)sizeof(T)]; 1514 T a; 1515 a = Va; 1516 __msan_partial_poison(&a, &Sa, sizeof(T)); 1517 return a; 1518} 1519 1520TEST(MemorySanitizer, ICmpRelational) { 1521 EXPECT_NOT_POISONED(poisoned(0, 0) < poisoned(0, 0)); 1522 EXPECT_NOT_POISONED(poisoned(0U, 0) < poisoned(0U, 0)); 1523 EXPECT_NOT_POISONED(poisoned(0LL, 0LLU) < poisoned(0LL, 0LLU)); 1524 EXPECT_NOT_POISONED(poisoned(0LLU, 0LLU) < poisoned(0LLU, 0LLU)); 1525 EXPECT_POISONED(poisoned(0xFF, 0xFF) < poisoned(0xFF, 0xFF)); 1526 EXPECT_POISONED(poisoned(0xFFFFFFFFU, 0xFFFFFFFFU) < 1527 poisoned(0xFFFFFFFFU, 0xFFFFFFFFU)); 1528 EXPECT_POISONED(poisoned(-1, 0xFFFFFFFFU) < 1529 poisoned(-1, 0xFFFFFFFFU)); 1530 1531 EXPECT_NOT_POISONED(poisoned(0, 0) <= poisoned(0, 0)); 1532 EXPECT_NOT_POISONED(poisoned(0U, 0) <= poisoned(0U, 0)); 1533 EXPECT_NOT_POISONED(poisoned(0LL, 0LLU) <= poisoned(0LL, 0LLU)); 1534 EXPECT_NOT_POISONED(poisoned(0LLU, 0LLU) <= poisoned(0LLU, 0LLU)); 1535 EXPECT_POISONED(poisoned(0xFF, 0xFF) <= poisoned(0xFF, 0xFF)); 1536 EXPECT_POISONED(poisoned(0xFFFFFFFFU, 0xFFFFFFFFU) <= 1537 poisoned(0xFFFFFFFFU, 0xFFFFFFFFU)); 1538 EXPECT_POISONED(poisoned(-1, 0xFFFFFFFFU) <= 1539 poisoned(-1, 0xFFFFFFFFU)); 1540 1541 EXPECT_NOT_POISONED(poisoned(0, 0) > poisoned(0, 0)); 1542 EXPECT_NOT_POISONED(poisoned(0U, 0) > poisoned(0U, 0)); 1543 EXPECT_NOT_POISONED(poisoned(0LL, 0LLU) > poisoned(0LL, 0LLU)); 1544 EXPECT_NOT_POISONED(poisoned(0LLU, 0LLU) > poisoned(0LLU, 0LLU)); 1545 EXPECT_POISONED(poisoned(0xFF, 0xFF) > poisoned(0xFF, 0xFF)); 1546 EXPECT_POISONED(poisoned(0xFFFFFFFFU, 0xFFFFFFFFU) > 1547 poisoned(0xFFFFFFFFU, 0xFFFFFFFFU)); 1548 EXPECT_POISONED(poisoned(-1, 0xFFFFFFFFU) > 1549 poisoned(-1, 0xFFFFFFFFU)); 1550 1551 EXPECT_NOT_POISONED(poisoned(0, 0) >= poisoned(0, 0)); 1552 EXPECT_NOT_POISONED(poisoned(0U, 0) >= poisoned(0U, 0)); 1553 EXPECT_NOT_POISONED(poisoned(0LL, 0LLU) >= poisoned(0LL, 0LLU)); 1554 EXPECT_NOT_POISONED(poisoned(0LLU, 0LLU) >= poisoned(0LLU, 0LLU)); 1555 EXPECT_POISONED(poisoned(0xFF, 0xFF) >= poisoned(0xFF, 0xFF)); 1556 EXPECT_POISONED(poisoned(0xFFFFFFFFU, 0xFFFFFFFFU) >= 1557 poisoned(0xFFFFFFFFU, 0xFFFFFFFFU)); 1558 EXPECT_POISONED(poisoned(-1, 0xFFFFFFFFU) >= 1559 poisoned(-1, 0xFFFFFFFFU)); 1560 1561 EXPECT_POISONED(poisoned(6, 0xF) > poisoned(7, 0)); 1562 EXPECT_POISONED(poisoned(0xF, 0xF) > poisoned(7, 0)); 1563 1564 EXPECT_NOT_POISONED(poisoned(-1, 0x80000000U) >= poisoned(-1, 0U)); 1565} 1566 1567#if MSAN_HAS_M128 1568TEST(MemorySanitizer, ICmpVectorRelational) { 1569 EXPECT_NOT_POISONED(poisoned(_mm_set1_epi16(0), _mm_set1_epi16(0)) < 1570 poisoned(_mm_set1_epi16(0), _mm_set1_epi16(0))); 1571 EXPECT_NOT_POISONED(poisoned(_mm_set1_epi32(0), _mm_set1_epi32(0)) < 1572 poisoned(_mm_set1_epi32(0), _mm_set1_epi32(0))); 1573 EXPECT_POISONED(poisoned(_mm_set1_epi16(0), _mm_set1_epi16(0xFFFF)) < 1574 poisoned(_mm_set1_epi16(0), _mm_set1_epi16(0xFFFF))); 1575 EXPECT_POISONED(poisoned(_mm_set1_epi16(6), _mm_set1_epi16(0xF)) > 1576 poisoned(_mm_set1_epi16(7), _mm_set1_epi16(0))); 1577} 1578#endif 1579 1580// Volatile bitfield store is implemented as load-mask-store 1581// Test that we don't warn on the store of (uninitialized) padding. 1582struct VolatileBitfieldStruct { 1583 volatile unsigned x : 1; 1584 unsigned y : 1; 1585}; 1586 1587TEST(MemorySanitizer, VolatileBitfield) { 1588 VolatileBitfieldStruct *S = new VolatileBitfieldStruct; 1589 S->x = 1; 1590 EXPECT_NOT_POISONED((unsigned)S->x); 1591 EXPECT_POISONED((unsigned)S->y); 1592} 1593 1594TEST(MemorySanitizerDr, StoreInDSOTest) { 1595 if (!__msan_has_dynamic_component()) return; 1596 char* s = new char[10]; 1597 dso_memfill(s, 9); 1598 EXPECT_NOT_POISONED(s[5]); 1599 EXPECT_POISONED(s[9]); 1600} 1601 1602int return_poisoned_int() { 1603 return ReturnPoisoned<U8>(); 1604} 1605 1606TEST(MemorySanitizerDr, ReturnFromDSOTest) { 1607 if (!__msan_has_dynamic_component()) return; 1608 EXPECT_NOT_POISONED(dso_callfn(return_poisoned_int)); 1609} 1610 1611NOINLINE int TrashParamTLS(long long x, long long y, long long z) { //NOLINT 1612 EXPECT_POISONED(x); 1613 EXPECT_POISONED(y); 1614 EXPECT_POISONED(z); 1615 return 0; 1616} 1617 1618static int CheckParamTLS(long long x, long long y, long long z) { //NOLINT 1619 EXPECT_NOT_POISONED(x); 1620 EXPECT_NOT_POISONED(y); 1621 EXPECT_NOT_POISONED(z); 1622 return 0; 1623} 1624 1625TEST(MemorySanitizerDr, CallFromDSOTest) { 1626 if (!__msan_has_dynamic_component()) return; 1627 S8* x = GetPoisoned<S8>(); 1628 S8* y = GetPoisoned<S8>(); 1629 S8* z = GetPoisoned<S8>(); 1630 EXPECT_NOT_POISONED(TrashParamTLS(*x, *y, *z)); 1631 EXPECT_NOT_POISONED(dso_callfn1(CheckParamTLS)); 1632} 1633 1634static void StackStoreInDSOFn(int* x, int* y) { 1635 EXPECT_NOT_POISONED(*x); 1636 EXPECT_NOT_POISONED(*y); 1637} 1638 1639TEST(MemorySanitizerDr, StackStoreInDSOTest) { 1640 if (!__msan_has_dynamic_component()) return; 1641 dso_stack_store(StackStoreInDSOFn, 1); 1642} 1643 1644TEST(MemorySanitizerOrigins, SetGet) { 1645 EXPECT_EQ(TrackingOrigins(), __msan_get_track_origins()); 1646 if (!TrackingOrigins()) return; 1647 int x; 1648 __msan_set_origin(&x, sizeof(x), 1234); 1649 EXPECT_EQ(1234, __msan_get_origin(&x)); 1650 __msan_set_origin(&x, sizeof(x), 5678); 1651 EXPECT_EQ(5678, __msan_get_origin(&x)); 1652 __msan_set_origin(&x, sizeof(x), 0); 1653 EXPECT_EQ(0, __msan_get_origin(&x)); 1654} 1655 1656namespace { 1657struct S { 1658 U4 dummy; 1659 U2 a; 1660 U2 b; 1661}; 1662 1663// http://code.google.com/p/memory-sanitizer/issues/detail?id=6 1664TEST(MemorySanitizerOrigins, DISABLED_InitializedStoreDoesNotChangeOrigin) { 1665 if (!TrackingOrigins()) return; 1666 1667 S s; 1668 U4 origin = rand(); // NOLINT 1669 s.a = *GetPoisonedO<U2>(0, origin); 1670 EXPECT_EQ(origin, __msan_get_origin(&s.a)); 1671 EXPECT_EQ(origin, __msan_get_origin(&s.b)); 1672 1673 s.b = 42; 1674 EXPECT_EQ(origin, __msan_get_origin(&s.a)); 1675 EXPECT_EQ(origin, __msan_get_origin(&s.b)); 1676} 1677} // namespace 1678 1679template<class T, class BinaryOp> 1680INLINE 1681void BinaryOpOriginTest(BinaryOp op) { 1682 U4 ox = rand(); //NOLINT 1683 U4 oy = rand(); //NOLINT 1684 T *x = GetPoisonedO<T>(0, ox, 0); 1685 T *y = GetPoisonedO<T>(1, oy, 0); 1686 T *z = GetPoisonedO<T>(2, 0, 0); 1687 1688 *z = op(*x, *y); 1689 U4 origin = __msan_get_origin(z); 1690 EXPECT_POISONED_O(*z, origin); 1691 EXPECT_EQ(true, origin == ox || origin == oy); 1692 1693 // y is poisoned, x is not. 1694 *x = 10101; 1695 *y = *GetPoisonedO<T>(1, oy); 1696 break_optimization(x); 1697 __msan_set_origin(z, sizeof(*z), 0); 1698 *z = op(*x, *y); 1699 EXPECT_POISONED_O(*z, oy); 1700 EXPECT_EQ(__msan_get_origin(z), oy); 1701 1702 // x is poisoned, y is not. 1703 *x = *GetPoisonedO<T>(0, ox); 1704 *y = 10101010; 1705 break_optimization(y); 1706 __msan_set_origin(z, sizeof(*z), 0); 1707 *z = op(*x, *y); 1708 EXPECT_POISONED_O(*z, ox); 1709 EXPECT_EQ(__msan_get_origin(z), ox); 1710} 1711 1712template<class T> INLINE T XOR(const T &a, const T&b) { return a ^ b; } 1713template<class T> INLINE T ADD(const T &a, const T&b) { return a + b; } 1714template<class T> INLINE T SUB(const T &a, const T&b) { return a - b; } 1715template<class T> INLINE T MUL(const T &a, const T&b) { return a * b; } 1716template<class T> INLINE T AND(const T &a, const T&b) { return a & b; } 1717template<class T> INLINE T OR (const T &a, const T&b) { return a | b; } 1718 1719TEST(MemorySanitizerOrigins, BinaryOp) { 1720 if (!TrackingOrigins()) return; 1721 BinaryOpOriginTest<S8>(XOR<S8>); 1722 BinaryOpOriginTest<U8>(ADD<U8>); 1723 BinaryOpOriginTest<S4>(SUB<S4>); 1724 BinaryOpOriginTest<S4>(MUL<S4>); 1725 BinaryOpOriginTest<U4>(OR<U4>); 1726 BinaryOpOriginTest<U4>(AND<U4>); 1727 BinaryOpOriginTest<double>(ADD<U4>); 1728 BinaryOpOriginTest<float>(ADD<S4>); 1729 BinaryOpOriginTest<double>(ADD<double>); 1730 BinaryOpOriginTest<float>(ADD<double>); 1731} 1732 1733TEST(MemorySanitizerOrigins, Unary) { 1734 if (!TrackingOrigins()) return; 1735 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__), __LINE__); 1736 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__), __LINE__); 1737 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__), __LINE__); 1738 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__), __LINE__); 1739 1740 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1741 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1742 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1743 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1744 1745 EXPECT_POISONED_O(*GetPoisonedO<U4>(0, __LINE__), __LINE__); 1746 EXPECT_POISONED_O(*GetPoisonedO<U4>(0, __LINE__), __LINE__); 1747 EXPECT_POISONED_O(*GetPoisonedO<U4>(0, __LINE__), __LINE__); 1748 EXPECT_POISONED_O(*GetPoisonedO<U4>(0, __LINE__), __LINE__); 1749 1750 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1751 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1752 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1753 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1754 1755 EXPECT_POISONED_O((void*)*GetPoisonedO<S8>(0, __LINE__), __LINE__); 1756 EXPECT_POISONED_O((U8)*GetPoisonedO<void*>(0, __LINE__), __LINE__); 1757} 1758 1759TEST(MemorySanitizerOrigins, EQ) { 1760 if (!TrackingOrigins()) return; 1761 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__) <= 11, __LINE__); 1762 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__) == 11, __LINE__); 1763 EXPECT_POISONED_O(*GetPoisonedO<float>(0, __LINE__) == 1.1, __LINE__); 1764} 1765 1766TEST(MemorySanitizerOrigins, DIV) { 1767 if (!TrackingOrigins()) return; 1768 EXPECT_POISONED_O(*GetPoisonedO<U8>(0, __LINE__) / 100, __LINE__); 1769 unsigned o = __LINE__; 1770 EXPECT_UMR_O(volatile unsigned y = 100 / *GetPoisonedO<S4>(0, o, 1), o); 1771} 1772 1773TEST(MemorySanitizerOrigins, SHIFT) { 1774 if (!TrackingOrigins()) return; 1775 EXPECT_POISONED_O(*GetPoisonedO<U8>(0, __LINE__) >> 10, __LINE__); 1776 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__) >> 10, __LINE__); 1777 EXPECT_POISONED_O(*GetPoisonedO<S8>(0, __LINE__) << 10, __LINE__); 1778 EXPECT_POISONED_O(10U << *GetPoisonedO<U8>(0, __LINE__), __LINE__); 1779 EXPECT_POISONED_O(-10 >> *GetPoisonedO<S8>(0, __LINE__), __LINE__); 1780 EXPECT_POISONED_O(-10 << *GetPoisonedO<S8>(0, __LINE__), __LINE__); 1781} 1782 1783template<class T, int N> 1784void MemCpyTest() { 1785 int ox = __LINE__; 1786 T *x = new T[N]; 1787 T *y = new T[N]; 1788 T *z = new T[N]; 1789 __msan_poison(x, N * sizeof(T)); 1790 __msan_set_origin(x, N * sizeof(T), ox); 1791 __msan_set_origin(y, N * sizeof(T), 777777); 1792 __msan_set_origin(z, N * sizeof(T), 888888); 1793 EXPECT_NOT_POISONED(x); 1794 memcpy(y, x, N * sizeof(T)); 1795 EXPECT_POISONED_O(y[0], ox); 1796 EXPECT_POISONED_O(y[N/2], ox); 1797 EXPECT_POISONED_O(y[N-1], ox); 1798 EXPECT_NOT_POISONED(x); 1799 memmove(z, x, N * sizeof(T)); 1800 EXPECT_POISONED_O(z[0], ox); 1801 EXPECT_POISONED_O(z[N/2], ox); 1802 EXPECT_POISONED_O(z[N-1], ox); 1803} 1804 1805TEST(MemorySanitizerOrigins, LargeMemCpy) { 1806 if (!TrackingOrigins()) return; 1807 MemCpyTest<U1, 10000>(); 1808 MemCpyTest<U8, 10000>(); 1809} 1810 1811TEST(MemorySanitizerOrigins, SmallMemCpy) { 1812 if (!TrackingOrigins()) return; 1813 MemCpyTest<U8, 1>(); 1814 MemCpyTest<U8, 2>(); 1815 MemCpyTest<U8, 3>(); 1816} 1817 1818TEST(MemorySanitizerOrigins, Select) { 1819 if (!TrackingOrigins()) return; 1820 EXPECT_NOT_POISONED(g_one ? 1 : *GetPoisonedO<S4>(0, __LINE__)); 1821 EXPECT_POISONED_O(*GetPoisonedO<S4>(0, __LINE__), __LINE__); 1822 S4 x; 1823 break_optimization(&x); 1824 x = g_1 ? *GetPoisonedO<S4>(0, __LINE__) : 0; 1825 1826 EXPECT_POISONED_O(g_1 ? *GetPoisonedO<S4>(0, __LINE__) : 1, __LINE__); 1827 EXPECT_POISONED_O(g_0 ? 1 : *GetPoisonedO<S4>(0, __LINE__), __LINE__); 1828} 1829 1830extern "C" 1831NOINLINE char AllocaTO() { 1832 int ar[100]; 1833 break_optimization(ar); 1834 return ar[10]; 1835 // fprintf(stderr, "Descr: %s\n", 1836 // __msan_get_origin_descr_if_stack(__msan_get_origin_tls())); 1837} 1838 1839TEST(MemorySanitizerOrigins, Alloca) { 1840 if (!TrackingOrigins()) return; 1841 EXPECT_POISONED_S(AllocaTO(), "ar@AllocaTO"); 1842 EXPECT_POISONED_S(AllocaTO(), "ar@AllocaTO"); 1843 EXPECT_POISONED_S(AllocaTO(), "ar@AllocaTO"); 1844 EXPECT_POISONED_S(AllocaTO(), "ar@AllocaTO"); 1845} 1846 1847// FIXME: replace with a lit-like test. 1848TEST(MemorySanitizerOrigins, DISABLED_AllocaDeath) { 1849 if (!TrackingOrigins()) return; 1850 EXPECT_DEATH(AllocaTO(), "ORIGIN: stack allocation: ar@AllocaTO"); 1851} 1852 1853NOINLINE int RetvalOriginTest(U4 origin) { 1854 int *a = new int; 1855 break_optimization(a); 1856 __msan_set_origin(a, sizeof(*a), origin); 1857 int res = *a; 1858 delete a; 1859 return res; 1860} 1861 1862TEST(MemorySanitizerOrigins, Retval) { 1863 if (!TrackingOrigins()) return; 1864 EXPECT_POISONED_O(RetvalOriginTest(__LINE__), __LINE__); 1865} 1866 1867NOINLINE void ParamOriginTest(int param, U4 origin) { 1868 EXPECT_POISONED_O(param, origin); 1869} 1870 1871TEST(MemorySanitizerOrigins, Param) { 1872 if (!TrackingOrigins()) return; 1873 int *a = new int; 1874 U4 origin = __LINE__; 1875 break_optimization(a); 1876 __msan_set_origin(a, sizeof(*a), origin); 1877 ParamOriginTest(*a, origin); 1878 delete a; 1879} 1880 1881TEST(MemorySanitizerOrigins, Invoke) { 1882 if (!TrackingOrigins()) return; 1883 StructWithDtor s; // Will cause the calls to become invokes. 1884 EXPECT_POISONED_O(RetvalOriginTest(__LINE__), __LINE__); 1885} 1886 1887TEST(MemorySanitizerOrigins, strlen) { 1888 S8 alignment; 1889 break_optimization(&alignment); 1890 char x[4] = {'a', 'b', 0, 0}; 1891 __msan_poison(&x[2], 1); 1892 U4 origin = __LINE__; 1893 __msan_set_origin(x, sizeof(x), origin); 1894 EXPECT_UMR_O(volatile unsigned y = strlen(x), origin); 1895} 1896 1897TEST(MemorySanitizerOrigins, wcslen) { 1898 wchar_t w[3] = {'a', 'b', 0}; 1899 U4 origin = __LINE__; 1900 __msan_set_origin(w, sizeof(w), origin); 1901 __msan_poison(&w[2], sizeof(wchar_t)); 1902 EXPECT_UMR_O(volatile unsigned y = wcslen(w), origin); 1903} 1904 1905#if MSAN_HAS_M128 1906TEST(MemorySanitizerOrigins, StoreIntrinsic) { 1907 __m128 x, y; 1908 U4 origin = __LINE__; 1909 __msan_set_origin(&x, sizeof(x), origin); 1910 __msan_poison(&x, sizeof(x)); 1911 __builtin_ia32_storeups((float*)&y, x); 1912 EXPECT_POISONED_O(y, origin); 1913} 1914#endif 1915 1916NOINLINE void RecursiveMalloc(int depth) { 1917 static int count; 1918 count++; 1919 if ((count % (1024 * 1024)) == 0) 1920 printf("RecursiveMalloc: %d\n", count); 1921 int *x1 = new int; 1922 int *x2 = new int; 1923 break_optimization(x1); 1924 break_optimization(x2); 1925 if (depth > 0) { 1926 RecursiveMalloc(depth-1); 1927 RecursiveMalloc(depth-1); 1928 } 1929 delete x1; 1930 delete x2; 1931} 1932 1933TEST(MemorySanitizer, CallocOverflow) { 1934 size_t kArraySize = 4096; 1935 volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max(); 1936 volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10; 1937 void *p = calloc(kArraySize, kArraySize2); // Should return 0. 1938 EXPECT_EQ(0L, Ident(p)); 1939} 1940 1941TEST(MemorySanitizerStress, DISABLED_MallocStackTrace) { 1942 RecursiveMalloc(22); 1943} 1944 1945int main(int argc, char **argv) { 1946 testing::InitGoogleTest(&argc, argv); 1947 int res = RUN_ALL_TESTS(); 1948 return res; 1949} 1950