1//===-- asan_test.cc ------------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12//===----------------------------------------------------------------------===// 13#include "asan_test_utils.h" 14 15NOINLINE void *malloc_fff(size_t size) { 16 void *res = malloc/**/(size); break_optimization(0); return res;} 17NOINLINE void *malloc_eee(size_t size) { 18 void *res = malloc_fff(size); break_optimization(0); return res;} 19NOINLINE void *malloc_ddd(size_t size) { 20 void *res = malloc_eee(size); break_optimization(0); return res;} 21NOINLINE void *malloc_ccc(size_t size) { 22 void *res = malloc_ddd(size); break_optimization(0); return res;} 23NOINLINE void *malloc_bbb(size_t size) { 24 void *res = malloc_ccc(size); break_optimization(0); return res;} 25NOINLINE void *malloc_aaa(size_t size) { 26 void *res = malloc_bbb(size); break_optimization(0); return res;} 27 28NOINLINE void free_ccc(void *p) { free(p); break_optimization(0);} 29NOINLINE void free_bbb(void *p) { free_ccc(p); break_optimization(0);} 30NOINLINE void free_aaa(void *p) { free_bbb(p); break_optimization(0);} 31 32template<typename T> 33NOINLINE void uaf_test(int size, int off) { 34 void *p = malloc_aaa(size); 35 free_aaa(p); 36 for (int i = 1; i < 100; i++) 37 free_aaa(malloc_aaa(i)); 38 fprintf(stderr, "writing %ld byte(s) at %p with offset %d\n", 39 (long)sizeof(T), p, off); 40 asan_write((T *)((char *)p + off)); 41} 42 43TEST(AddressSanitizer, HasFeatureAddressSanitizerTest) { 44#if defined(__has_feature) && __has_feature(address_sanitizer) 45 bool asan = 1; 46#elif defined(__SANITIZE_ADDRESS__) 47 bool asan = 1; 48#else 49 bool asan = 0; 50#endif 51 EXPECT_EQ(true, asan); 52} 53 54TEST(AddressSanitizer, SimpleDeathTest) { 55 EXPECT_DEATH(exit(1), ""); 56} 57 58TEST(AddressSanitizer, VariousMallocsTest) { 59 int *a = (int*)malloc(100 * sizeof(int)); 60 a[50] = 0; 61 free(a); 62 63 int *r = (int*)malloc(10); 64 r = (int*)realloc(r, 2000 * sizeof(int)); 65 r[1000] = 0; 66 free(r); 67 68 int *b = new int[100]; 69 b[50] = 0; 70 delete [] b; 71 72 int *c = new int; 73 *c = 0; 74 delete c; 75 76#if SANITIZER_TEST_HAS_POSIX_MEMALIGN 77 int *pm; 78 int pm_res = posix_memalign((void**)&pm, kPageSize, kPageSize); 79 EXPECT_EQ(0, pm_res); 80 free(pm); 81#endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 82 83#if SANITIZER_TEST_HAS_MEMALIGN 84 int *ma = (int*)memalign(kPageSize, kPageSize); 85 EXPECT_EQ(0U, (uintptr_t)ma % kPageSize); 86 ma[123] = 0; 87 free(ma); 88#endif // SANITIZER_TEST_HAS_MEMALIGN 89} 90 91TEST(AddressSanitizer, CallocTest) { 92 int *a = (int*)calloc(100, sizeof(int)); 93 EXPECT_EQ(0, a[10]); 94 free(a); 95} 96 97TEST(AddressSanitizer, CallocReturnsZeroMem) { 98 size_t sizes[] = {16, 1000, 10000, 100000, 2100000}; 99 for (size_t s = 0; s < sizeof(sizes)/sizeof(sizes[0]); s++) { 100 size_t size = sizes[s]; 101 for (size_t iter = 0; iter < 5; iter++) { 102 char *x = Ident((char*)calloc(1, size)); 103 EXPECT_EQ(x[0], 0); 104 EXPECT_EQ(x[size - 1], 0); 105 EXPECT_EQ(x[size / 2], 0); 106 EXPECT_EQ(x[size / 3], 0); 107 EXPECT_EQ(x[size / 4], 0); 108 memset(x, 0x42, size); 109 free(Ident(x)); 110#if !defined(_WIN32) 111 // FIXME: OOM on Windows. We should just make this a lit test 112 // with quarantine size set to 1. 113 free(Ident(malloc(Ident(1 << 27)))); // Try to drain the quarantine. 114#endif 115 } 116 } 117} 118 119// No valloc on Windows or Android. 120#if !defined(_WIN32) && !defined(__ANDROID__) 121TEST(AddressSanitizer, VallocTest) { 122 void *a = valloc(100); 123 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 124 free(a); 125} 126#endif 127 128#if SANITIZER_TEST_HAS_PVALLOC 129TEST(AddressSanitizer, PvallocTest) { 130 char *a = (char*)pvalloc(kPageSize + 100); 131 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 132 a[kPageSize + 101] = 1; // we should not report an error here. 133 free(a); 134 135 a = (char*)pvalloc(0); // pvalloc(0) should allocate at least one page. 136 EXPECT_EQ(0U, (uintptr_t)a % kPageSize); 137 a[101] = 1; // we should not report an error here. 138 free(a); 139} 140#endif // SANITIZER_TEST_HAS_PVALLOC 141 142#if !defined(_WIN32) 143// FIXME: Use an equivalent of pthread_setspecific on Windows. 144void *TSDWorker(void *test_key) { 145 if (test_key) { 146 pthread_setspecific(*(pthread_key_t*)test_key, (void*)0xfeedface); 147 } 148 return NULL; 149} 150 151void TSDDestructor(void *tsd) { 152 // Spawning a thread will check that the current thread id is not -1. 153 pthread_t th; 154 PTHREAD_CREATE(&th, NULL, TSDWorker, NULL); 155 PTHREAD_JOIN(th, NULL); 156} 157 158// This tests triggers the thread-specific data destruction fiasco which occurs 159// if we don't manage the TSD destructors ourselves. We create a new pthread 160// key with a non-NULL destructor which is likely to be put after the destructor 161// of AsanThread in the list of destructors. 162// In this case the TSD for AsanThread will be destroyed before TSDDestructor 163// is called for the child thread, and a CHECK will fail when we call 164// pthread_create() to spawn the grandchild. 165TEST(AddressSanitizer, DISABLED_TSDTest) { 166 pthread_t th; 167 pthread_key_t test_key; 168 pthread_key_create(&test_key, TSDDestructor); 169 PTHREAD_CREATE(&th, NULL, TSDWorker, &test_key); 170 PTHREAD_JOIN(th, NULL); 171 pthread_key_delete(test_key); 172} 173#endif 174 175TEST(AddressSanitizer, UAF_char) { 176 const char *uaf_string = "AddressSanitizer:.*heap-use-after-free"; 177 EXPECT_DEATH(uaf_test<U1>(1, 0), uaf_string); 178 EXPECT_DEATH(uaf_test<U1>(10, 0), uaf_string); 179 EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); 180 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); 181 EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); 182} 183 184TEST(AddressSanitizer, UAF_long_double) { 185 if (sizeof(long double) == sizeof(double)) return; 186 long double *p = Ident(new long double[10]); 187 EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 1[026]"); 188 EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 1[026]"); 189 delete [] Ident(p); 190} 191 192#if !defined(_WIN32) 193struct Packed5 { 194 int x; 195 char c; 196} __attribute__((packed)); 197#else 198# pragma pack(push, 1) 199struct Packed5 { 200 int x; 201 char c; 202}; 203# pragma pack(pop) 204#endif 205 206TEST(AddressSanitizer, UAF_Packed5) { 207 static_assert(sizeof(Packed5) == 5, "Please check the keywords used"); 208 Packed5 *p = Ident(new Packed5[2]); 209 EXPECT_DEATH(p[0] = p[3], "READ of size 5"); 210 EXPECT_DEATH(p[3] = p[0], "WRITE of size 5"); 211 delete [] Ident(p); 212} 213 214#if ASAN_HAS_BLACKLIST 215TEST(AddressSanitizer, IgnoreTest) { 216 int *x = Ident(new int); 217 delete Ident(x); 218 *x = 0; 219} 220#endif // ASAN_HAS_BLACKLIST 221 222struct StructWithBitField { 223 int bf1:1; 224 int bf2:1; 225 int bf3:1; 226 int bf4:29; 227}; 228 229TEST(AddressSanitizer, BitFieldPositiveTest) { 230 StructWithBitField *x = new StructWithBitField; 231 delete Ident(x); 232 EXPECT_DEATH(x->bf1 = 0, "use-after-free"); 233 EXPECT_DEATH(x->bf2 = 0, "use-after-free"); 234 EXPECT_DEATH(x->bf3 = 0, "use-after-free"); 235 EXPECT_DEATH(x->bf4 = 0, "use-after-free"); 236} 237 238struct StructWithBitFields_8_24 { 239 int a:8; 240 int b:24; 241}; 242 243TEST(AddressSanitizer, BitFieldNegativeTest) { 244 StructWithBitFields_8_24 *x = Ident(new StructWithBitFields_8_24); 245 x->a = 0; 246 x->b = 0; 247 delete Ident(x); 248} 249 250#if ASAN_NEEDS_SEGV 251namespace { 252 253const char kSEGVCrash[] = "AddressSanitizer: SEGV on unknown address"; 254const char kOverriddenHandler[] = "ASan signal handler has been overridden\n"; 255 256TEST(AddressSanitizer, WildAddressTest) { 257 char *c = (char*)0x123; 258 EXPECT_DEATH(*c = 0, kSEGVCrash); 259} 260 261void my_sigaction_sighandler(int, siginfo_t*, void*) { 262 fprintf(stderr, kOverriddenHandler); 263 exit(1); 264} 265 266void my_signal_sighandler(int signum) { 267 fprintf(stderr, kOverriddenHandler); 268 exit(1); 269} 270 271TEST(AddressSanitizer, SignalTest) { 272 struct sigaction sigact; 273 memset(&sigact, 0, sizeof(sigact)); 274 sigact.sa_sigaction = my_sigaction_sighandler; 275 sigact.sa_flags = SA_SIGINFO; 276 // ASan should silently ignore sigaction()... 277 EXPECT_EQ(0, sigaction(SIGSEGV, &sigact, 0)); 278#ifdef __APPLE__ 279 EXPECT_EQ(0, sigaction(SIGBUS, &sigact, 0)); 280#endif 281 char *c = (char*)0x123; 282 EXPECT_DEATH(*c = 0, kSEGVCrash); 283 // ... and signal(). 284 EXPECT_EQ(0, signal(SIGSEGV, my_signal_sighandler)); 285 EXPECT_DEATH(*c = 0, kSEGVCrash); 286} 287} // namespace 288#endif 289 290static void TestLargeMalloc(size_t size) { 291 char buff[1024]; 292 sprintf(buff, "is located 1 bytes to the left of %lu-byte", (long)size); 293 EXPECT_DEATH(Ident((char*)malloc(size))[-1] = 0, buff); 294} 295 296TEST(AddressSanitizer, LargeMallocTest) { 297 const int max_size = (SANITIZER_WORDSIZE == 32) ? 1 << 26 : 1 << 28; 298 for (int i = 113; i < max_size; i = i * 2 + 13) { 299 TestLargeMalloc(i); 300 } 301} 302 303TEST(AddressSanitizer, HugeMallocTest) { 304 if (SANITIZER_WORDSIZE != 64 || ASAN_AVOID_EXPENSIVE_TESTS) return; 305 size_t n_megs = 4100; 306 EXPECT_DEATH(Ident((char*)malloc(n_megs << 20))[-1] = 0, 307 "is located 1 bytes to the left|" 308 "AddressSanitizer failed to allocate"); 309} 310 311#if SANITIZER_TEST_HAS_MEMALIGN 312void MemalignRun(size_t align, size_t size, int idx) { 313 char *p = (char *)memalign(align, size); 314 Ident(p)[idx] = 0; 315 free(p); 316} 317 318TEST(AddressSanitizer, memalign) { 319 for (int align = 16; align <= (1 << 23); align *= 2) { 320 size_t size = align * 5; 321 EXPECT_DEATH(MemalignRun(align, size, -1), 322 "is located 1 bytes to the left"); 323 EXPECT_DEATH(MemalignRun(align, size, size + 1), 324 "is located 1 bytes to the right"); 325 } 326} 327#endif // SANITIZER_TEST_HAS_MEMALIGN 328 329void *ManyThreadsWorker(void *a) { 330 for (int iter = 0; iter < 100; iter++) { 331 for (size_t size = 100; size < 2000; size *= 2) { 332 free(Ident(malloc(size))); 333 } 334 } 335 return 0; 336} 337 338#if !defined(__aarch64__) 339// FIXME: Infinite loop in AArch64 (PR24389). 340TEST(AddressSanitizer, ManyThreadsTest) { 341 const size_t kNumThreads = 342 (SANITIZER_WORDSIZE == 32 || ASAN_AVOID_EXPENSIVE_TESTS) ? 30 : 1000; 343 pthread_t t[kNumThreads]; 344 for (size_t i = 0; i < kNumThreads; i++) { 345 PTHREAD_CREATE(&t[i], 0, ManyThreadsWorker, (void*)i); 346 } 347 for (size_t i = 0; i < kNumThreads; i++) { 348 PTHREAD_JOIN(t[i], 0); 349 } 350} 351#endif 352 353TEST(AddressSanitizer, ReallocTest) { 354 const int kMinElem = 5; 355 int *ptr = (int*)malloc(sizeof(int) * kMinElem); 356 ptr[3] = 3; 357 for (int i = 0; i < 10000; i++) { 358 ptr = (int*)realloc(ptr, 359 (my_rand() % 1000 + kMinElem) * sizeof(int)); 360 EXPECT_EQ(3, ptr[3]); 361 } 362 free(ptr); 363 // Realloc pointer returned by malloc(0). 364 int *ptr2 = Ident((int*)malloc(0)); 365 ptr2 = Ident((int*)realloc(ptr2, sizeof(*ptr2))); 366 *ptr2 = 42; 367 EXPECT_EQ(42, *ptr2); 368 free(ptr2); 369} 370 371TEST(AddressSanitizer, ReallocFreedPointerTest) { 372 void *ptr = Ident(malloc(42)); 373 ASSERT_TRUE(NULL != ptr); 374 free(ptr); 375 EXPECT_DEATH(ptr = realloc(ptr, 77), "attempting double-free"); 376} 377 378TEST(AddressSanitizer, ReallocInvalidPointerTest) { 379 void *ptr = Ident(malloc(42)); 380 EXPECT_DEATH(ptr = realloc((int*)ptr + 1, 77), "attempting free.*not malloc"); 381 free(ptr); 382} 383 384TEST(AddressSanitizer, ZeroSizeMallocTest) { 385 // Test that malloc(0) and similar functions don't return NULL. 386 void *ptr = Ident(malloc(0)); 387 EXPECT_TRUE(NULL != ptr); 388 free(ptr); 389#if SANITIZER_TEST_HAS_POSIX_MEMALIGN 390 int pm_res = posix_memalign(&ptr, 1<<20, 0); 391 EXPECT_EQ(0, pm_res); 392 EXPECT_TRUE(NULL != ptr); 393 free(ptr); 394#endif // SANITIZER_TEST_HAS_POSIX_MEMALIGN 395 int *int_ptr = new int[0]; 396 int *int_ptr2 = new int[0]; 397 EXPECT_TRUE(NULL != int_ptr); 398 EXPECT_TRUE(NULL != int_ptr2); 399 EXPECT_NE(int_ptr, int_ptr2); 400 delete[] int_ptr; 401 delete[] int_ptr2; 402} 403 404#if SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 405static const char *kMallocUsableSizeErrorMsg = 406 "AddressSanitizer: attempting to call malloc_usable_size()"; 407 408TEST(AddressSanitizer, MallocUsableSizeTest) { 409 const size_t kArraySize = 100; 410 char *array = Ident((char*)malloc(kArraySize)); 411 int *int_ptr = Ident(new int); 412 EXPECT_EQ(0U, malloc_usable_size(NULL)); 413 EXPECT_EQ(kArraySize, malloc_usable_size(array)); 414 EXPECT_EQ(sizeof(int), malloc_usable_size(int_ptr)); 415 EXPECT_DEATH(malloc_usable_size((void*)0x123), kMallocUsableSizeErrorMsg); 416 EXPECT_DEATH(malloc_usable_size(array + kArraySize / 2), 417 kMallocUsableSizeErrorMsg); 418 free(array); 419 EXPECT_DEATH(malloc_usable_size(array), kMallocUsableSizeErrorMsg); 420 delete int_ptr; 421} 422#endif // SANITIZER_TEST_HAS_MALLOC_USABLE_SIZE 423 424void WrongFree() { 425 int *x = (int*)malloc(100 * sizeof(int)); 426 // Use the allocated memory, otherwise Clang will optimize it out. 427 Ident(x); 428 free(x + 1); 429} 430 431#if !defined(_WIN32) // FIXME: This should be a lit test. 432TEST(AddressSanitizer, WrongFreeTest) { 433 EXPECT_DEATH(WrongFree(), ASAN_PCRE_DOTALL 434 "ERROR: AddressSanitizer: attempting free.*not malloc" 435 ".*is located 4 bytes inside of 400-byte region" 436 ".*allocated by thread"); 437} 438#endif 439 440void DoubleFree() { 441 int *x = (int*)malloc(100 * sizeof(int)); 442 fprintf(stderr, "DoubleFree: x=%p\n", (void *)x); 443 free(x); 444 free(x); 445 fprintf(stderr, "should have failed in the second free(%p)\n", (void *)x); 446 abort(); 447} 448 449#if !defined(_WIN32) // FIXME: This should be a lit test. 450TEST(AddressSanitizer, DoubleFreeTest) { 451 EXPECT_DEATH(DoubleFree(), ASAN_PCRE_DOTALL 452 "ERROR: AddressSanitizer: attempting double-free" 453 ".*is located 0 bytes inside of 400-byte region" 454 ".*freed by thread T0 here" 455 ".*previously allocated by thread T0 here"); 456} 457#endif 458 459template<int kSize> 460NOINLINE void SizedStackTest() { 461 char a[kSize]; 462 char *A = Ident((char*)&a); 463 const char *expected_death = "AddressSanitizer: stack-buffer-"; 464 for (size_t i = 0; i < kSize; i++) 465 A[i] = i; 466 EXPECT_DEATH(A[-1] = 0, expected_death); 467 EXPECT_DEATH(A[-5] = 0, expected_death); 468 EXPECT_DEATH(A[kSize] = 0, expected_death); 469 EXPECT_DEATH(A[kSize + 1] = 0, expected_death); 470 EXPECT_DEATH(A[kSize + 5] = 0, expected_death); 471 if (kSize > 16) 472 EXPECT_DEATH(A[kSize + 31] = 0, expected_death); 473} 474 475TEST(AddressSanitizer, SimpleStackTest) { 476 SizedStackTest<1>(); 477 SizedStackTest<2>(); 478 SizedStackTest<3>(); 479 SizedStackTest<4>(); 480 SizedStackTest<5>(); 481 SizedStackTest<6>(); 482 SizedStackTest<7>(); 483 SizedStackTest<16>(); 484 SizedStackTest<25>(); 485 SizedStackTest<34>(); 486 SizedStackTest<43>(); 487 SizedStackTest<51>(); 488 SizedStackTest<62>(); 489 SizedStackTest<64>(); 490 SizedStackTest<128>(); 491} 492 493#if !defined(_WIN32) 494// FIXME: It's a bit hard to write multi-line death test expectations 495// in a portable way. Anyways, this should just be turned into a lit test. 496TEST(AddressSanitizer, ManyStackObjectsTest) { 497 char XXX[10]; 498 char YYY[20]; 499 char ZZZ[30]; 500 Ident(XXX); 501 Ident(YYY); 502 EXPECT_DEATH(Ident(ZZZ)[-1] = 0, ASAN_PCRE_DOTALL "XXX.*YYY.*ZZZ"); 503} 504#endif 505 506#if 0 // This test requires online symbolizer. 507// Moved to lit_tests/stack-oob-frames.cc. 508// Reenable here once we have online symbolizer by default. 509NOINLINE static void Frame0(int frame, char *a, char *b, char *c) { 510 char d[4] = {0}; 511 char *D = Ident(d); 512 switch (frame) { 513 case 3: a[5]++; break; 514 case 2: b[5]++; break; 515 case 1: c[5]++; break; 516 case 0: D[5]++; break; 517 } 518} 519NOINLINE static void Frame1(int frame, char *a, char *b) { 520 char c[4] = {0}; Frame0(frame, a, b, c); 521 break_optimization(0); 522} 523NOINLINE static void Frame2(int frame, char *a) { 524 char b[4] = {0}; Frame1(frame, a, b); 525 break_optimization(0); 526} 527NOINLINE static void Frame3(int frame) { 528 char a[4] = {0}; Frame2(frame, a); 529 break_optimization(0); 530} 531 532TEST(AddressSanitizer, GuiltyStackFrame0Test) { 533 EXPECT_DEATH(Frame3(0), "located .*in frame <.*Frame0"); 534} 535TEST(AddressSanitizer, GuiltyStackFrame1Test) { 536 EXPECT_DEATH(Frame3(1), "located .*in frame <.*Frame1"); 537} 538TEST(AddressSanitizer, GuiltyStackFrame2Test) { 539 EXPECT_DEATH(Frame3(2), "located .*in frame <.*Frame2"); 540} 541TEST(AddressSanitizer, GuiltyStackFrame3Test) { 542 EXPECT_DEATH(Frame3(3), "located .*in frame <.*Frame3"); 543} 544#endif 545 546NOINLINE void LongJmpFunc1(jmp_buf buf) { 547 // create three red zones for these two stack objects. 548 int a; 549 int b; 550 551 int *A = Ident(&a); 552 int *B = Ident(&b); 553 *A = *B; 554 longjmp(buf, 1); 555} 556 557NOINLINE void TouchStackFunc() { 558 int a[100]; // long array will intersect with redzones from LongJmpFunc1. 559 int *A = Ident(a); 560 for (int i = 0; i < 100; i++) 561 A[i] = i*i; 562} 563 564// Test that we handle longjmp and do not report false positives on stack. 565TEST(AddressSanitizer, LongJmpTest) { 566 static jmp_buf buf; 567 if (!setjmp(buf)) { 568 LongJmpFunc1(buf); 569 } else { 570 TouchStackFunc(); 571 } 572} 573 574#if !defined(_WIN32) // Only basic longjmp is available on Windows. 575NOINLINE void UnderscopeLongJmpFunc1(jmp_buf buf) { 576 // create three red zones for these two stack objects. 577 int a; 578 int b; 579 580 int *A = Ident(&a); 581 int *B = Ident(&b); 582 *A = *B; 583 _longjmp(buf, 1); 584} 585 586NOINLINE void SigLongJmpFunc1(sigjmp_buf buf) { 587 // create three red zones for these two stack objects. 588 int a; 589 int b; 590 591 int *A = Ident(&a); 592 int *B = Ident(&b); 593 *A = *B; 594 siglongjmp(buf, 1); 595} 596 597#if !defined(__ANDROID__) && !defined(__arm__) && \ 598 !defined(__powerpc64__) && !defined(__powerpc__) && \ 599 !defined(__aarch64__) && !defined(__mips__) && \ 600 !defined(__mips64) 601NOINLINE void BuiltinLongJmpFunc1(jmp_buf buf) { 602 // create three red zones for these two stack objects. 603 int a; 604 int b; 605 606 int *A = Ident(&a); 607 int *B = Ident(&b); 608 *A = *B; 609 __builtin_longjmp((void**)buf, 1); 610} 611 612// Does not work on Power and ARM: 613// https://github.com/google/sanitizers/issues/185 614TEST(AddressSanitizer, BuiltinLongJmpTest) { 615 static jmp_buf buf; 616 if (!__builtin_setjmp((void**)buf)) { 617 BuiltinLongJmpFunc1(buf); 618 } else { 619 TouchStackFunc(); 620 } 621} 622#endif // !defined(__ANDROID__) && !defined(__powerpc64__) && 623 // !defined(__powerpc__) && !defined(__arm__) && 624 // !defined(__mips__) && !defined(__mips64) 625 626TEST(AddressSanitizer, UnderscopeLongJmpTest) { 627 static jmp_buf buf; 628 if (!_setjmp(buf)) { 629 UnderscopeLongJmpFunc1(buf); 630 } else { 631 TouchStackFunc(); 632 } 633} 634 635TEST(AddressSanitizer, SigLongJmpTest) { 636 static sigjmp_buf buf; 637 if (!sigsetjmp(buf, 1)) { 638 SigLongJmpFunc1(buf); 639 } else { 640 TouchStackFunc(); 641 } 642} 643#endif 644 645// FIXME: Why does clang-cl define __EXCEPTIONS? 646#if defined(__EXCEPTIONS) && !defined(_WIN32) 647NOINLINE void ThrowFunc() { 648 // create three red zones for these two stack objects. 649 int a; 650 int b; 651 652 int *A = Ident(&a); 653 int *B = Ident(&b); 654 *A = *B; 655 ASAN_THROW(1); 656} 657 658TEST(AddressSanitizer, CxxExceptionTest) { 659 if (ASAN_UAR) return; 660 // TODO(kcc): this test crashes on 32-bit for some reason... 661 if (SANITIZER_WORDSIZE == 32) return; 662 try { 663 ThrowFunc(); 664 } catch(...) {} 665 TouchStackFunc(); 666} 667#endif 668 669void *ThreadStackReuseFunc1(void *unused) { 670 // create three red zones for these two stack objects. 671 int a; 672 int b; 673 674 int *A = Ident(&a); 675 int *B = Ident(&b); 676 *A = *B; 677 pthread_exit(0); 678 return 0; 679} 680 681void *ThreadStackReuseFunc2(void *unused) { 682 TouchStackFunc(); 683 return 0; 684} 685 686TEST(AddressSanitizer, ThreadStackReuseTest) { 687 pthread_t t; 688 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc1, 0); 689 PTHREAD_JOIN(t, 0); 690 PTHREAD_CREATE(&t, 0, ThreadStackReuseFunc2, 0); 691 PTHREAD_JOIN(t, 0); 692} 693 694#if defined(__i686__) || defined(__x86_64__) 695#include <emmintrin.h> 696TEST(AddressSanitizer, Store128Test) { 697 char *a = Ident((char*)malloc(Ident(12))); 698 char *p = a; 699 if (((uintptr_t)a % 16) != 0) 700 p = a + 8; 701 assert(((uintptr_t)p % 16) == 0); 702 __m128i value_wide = _mm_set1_epi16(0x1234); 703 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 704 "AddressSanitizer: heap-buffer-overflow"); 705 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 706 "WRITE of size 16"); 707 EXPECT_DEATH(_mm_store_si128((__m128i*)p, value_wide), 708 "located 0 bytes to the right of 12-byte"); 709 free(a); 710} 711#endif 712 713// FIXME: All tests that use this function should be turned into lit tests. 714string RightOOBErrorMessage(int oob_distance, bool is_write) { 715 assert(oob_distance >= 0); 716 char expected_str[100]; 717 sprintf(expected_str, ASAN_PCRE_DOTALL 718#if !GTEST_USES_SIMPLE_RE 719 "buffer-overflow.*%s.*" 720#endif 721 "located %d bytes to the right", 722#if !GTEST_USES_SIMPLE_RE 723 is_write ? "WRITE" : "READ", 724#endif 725 oob_distance); 726 return string(expected_str); 727} 728 729string RightOOBWriteMessage(int oob_distance) { 730 return RightOOBErrorMessage(oob_distance, /*is_write*/true); 731} 732 733string RightOOBReadMessage(int oob_distance) { 734 return RightOOBErrorMessage(oob_distance, /*is_write*/false); 735} 736 737// FIXME: All tests that use this function should be turned into lit tests. 738string LeftOOBErrorMessage(int oob_distance, bool is_write) { 739 assert(oob_distance > 0); 740 char expected_str[100]; 741 sprintf(expected_str, 742#if !GTEST_USES_SIMPLE_RE 743 ASAN_PCRE_DOTALL "%s.*" 744#endif 745 "located %d bytes to the left", 746#if !GTEST_USES_SIMPLE_RE 747 is_write ? "WRITE" : "READ", 748#endif 749 oob_distance); 750 return string(expected_str); 751} 752 753string LeftOOBWriteMessage(int oob_distance) { 754 return LeftOOBErrorMessage(oob_distance, /*is_write*/true); 755} 756 757string LeftOOBReadMessage(int oob_distance) { 758 return LeftOOBErrorMessage(oob_distance, /*is_write*/false); 759} 760 761string LeftOOBAccessMessage(int oob_distance) { 762 assert(oob_distance > 0); 763 char expected_str[100]; 764 sprintf(expected_str, "located %d bytes to the left", oob_distance); 765 return string(expected_str); 766} 767 768char* MallocAndMemsetString(size_t size, char ch) { 769 char *s = Ident((char*)malloc(size)); 770 memset(s, ch, size); 771 return s; 772} 773 774char* MallocAndMemsetString(size_t size) { 775 return MallocAndMemsetString(size, 'z'); 776} 777 778#if defined(__linux__) && !defined(__ANDROID__) 779#define READ_TEST(READ_N_BYTES) \ 780 char *x = new char[10]; \ 781 int fd = open("/proc/self/stat", O_RDONLY); \ 782 ASSERT_GT(fd, 0); \ 783 EXPECT_DEATH(READ_N_BYTES, \ 784 ASAN_PCRE_DOTALL \ 785 "AddressSanitizer: heap-buffer-overflow" \ 786 ".* is located 0 bytes to the right of 10-byte region"); \ 787 close(fd); \ 788 delete [] x; \ 789 790TEST(AddressSanitizer, pread) { 791 READ_TEST(pread(fd, x, 15, 0)); 792} 793 794TEST(AddressSanitizer, pread64) { 795 READ_TEST(pread64(fd, x, 15, 0)); 796} 797 798TEST(AddressSanitizer, read) { 799 READ_TEST(read(fd, x, 15)); 800} 801#endif // defined(__linux__) && !defined(__ANDROID__) 802 803// This test case fails 804// Clang optimizes memcpy/memset calls which lead to unaligned access 805TEST(AddressSanitizer, DISABLED_MemIntrinsicUnalignedAccessTest) { 806 int size = Ident(4096); 807 char *s = Ident((char*)malloc(size)); 808 EXPECT_DEATH(memset(s + size - 1, 0, 2), RightOOBWriteMessage(0)); 809 free(s); 810} 811 812// TODO(samsonov): Add a test with malloc(0) 813// TODO(samsonov): Add tests for str* and mem* functions. 814 815NOINLINE static int LargeFunction(bool do_bad_access) { 816 int *x = new int[100]; 817 x[0]++; 818 x[1]++; 819 x[2]++; 820 x[3]++; 821 x[4]++; 822 x[5]++; 823 x[6]++; 824 x[7]++; 825 x[8]++; 826 x[9]++; 827 828 x[do_bad_access ? 100 : 0]++; int res = __LINE__; 829 830 x[10]++; 831 x[11]++; 832 x[12]++; 833 x[13]++; 834 x[14]++; 835 x[15]++; 836 x[16]++; 837 x[17]++; 838 x[18]++; 839 x[19]++; 840 841 delete[] x; 842 return res; 843} 844 845// Test the we have correct debug info for the failing instruction. 846// This test requires the in-process symbolizer to be enabled by default. 847TEST(AddressSanitizer, DISABLED_LargeFunctionSymbolizeTest) { 848 int failing_line = LargeFunction(false); 849 char expected_warning[128]; 850 sprintf(expected_warning, "LargeFunction.*asan_test.*:%d", failing_line); 851 EXPECT_DEATH(LargeFunction(true), expected_warning); 852} 853 854// Check that we unwind and symbolize correctly. 855TEST(AddressSanitizer, DISABLED_MallocFreeUnwindAndSymbolizeTest) { 856 int *a = (int*)malloc_aaa(sizeof(int)); 857 *a = 1; 858 free_aaa(a); 859 EXPECT_DEATH(*a = 1, "free_ccc.*free_bbb.*free_aaa.*" 860 "malloc_fff.*malloc_eee.*malloc_ddd"); 861} 862 863static bool TryToSetThreadName(const char *name) { 864#if defined(__linux__) && defined(PR_SET_NAME) 865 return 0 == prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0); 866#else 867 return false; 868#endif 869} 870 871void *ThreadedTestAlloc(void *a) { 872 EXPECT_EQ(true, TryToSetThreadName("AllocThr")); 873 int **p = (int**)a; 874 *p = new int; 875 return 0; 876} 877 878void *ThreadedTestFree(void *a) { 879 EXPECT_EQ(true, TryToSetThreadName("FreeThr")); 880 int **p = (int**)a; 881 delete *p; 882 return 0; 883} 884 885void *ThreadedTestUse(void *a) { 886 EXPECT_EQ(true, TryToSetThreadName("UseThr")); 887 int **p = (int**)a; 888 **p = 1; 889 return 0; 890} 891 892void ThreadedTestSpawn() { 893 pthread_t t; 894 int *x; 895 PTHREAD_CREATE(&t, 0, ThreadedTestAlloc, &x); 896 PTHREAD_JOIN(t, 0); 897 PTHREAD_CREATE(&t, 0, ThreadedTestFree, &x); 898 PTHREAD_JOIN(t, 0); 899 PTHREAD_CREATE(&t, 0, ThreadedTestUse, &x); 900 PTHREAD_JOIN(t, 0); 901} 902 903#if !defined(_WIN32) // FIXME: This should be a lit test. 904TEST(AddressSanitizer, ThreadedTest) { 905 EXPECT_DEATH(ThreadedTestSpawn(), 906 ASAN_PCRE_DOTALL 907 "Thread T.*created" 908 ".*Thread T.*created" 909 ".*Thread T.*created"); 910} 911#endif 912 913void *ThreadedTestFunc(void *unused) { 914 // Check if prctl(PR_SET_NAME) is supported. Return if not. 915 if (!TryToSetThreadName("TestFunc")) 916 return 0; 917 EXPECT_DEATH(ThreadedTestSpawn(), 918 ASAN_PCRE_DOTALL 919 "WRITE .*thread T. .UseThr." 920 ".*freed by thread T. .FreeThr. here:" 921 ".*previously allocated by thread T. .AllocThr. here:" 922 ".*Thread T. .UseThr. created by T.*TestFunc" 923 ".*Thread T. .FreeThr. created by T" 924 ".*Thread T. .AllocThr. created by T" 925 ""); 926 return 0; 927} 928 929TEST(AddressSanitizer, ThreadNamesTest) { 930 // Run ThreadedTestFunc in a separate thread because it tries to set a 931 // thread name and we don't want to change the main thread's name. 932 pthread_t t; 933 PTHREAD_CREATE(&t, 0, ThreadedTestFunc, 0); 934 PTHREAD_JOIN(t, 0); 935} 936 937#if ASAN_NEEDS_SEGV 938TEST(AddressSanitizer, ShadowGapTest) { 939#if SANITIZER_WORDSIZE == 32 940 char *addr = (char*)0x22000000; 941#else 942# if defined(__powerpc64__) 943 char *addr = (char*)0x024000800000; 944# else 945 char *addr = (char*)0x0000100000080000; 946# endif 947#endif 948 EXPECT_DEATH(*addr = 1, "AddressSanitizer: SEGV on unknown"); 949} 950#endif // ASAN_NEEDS_SEGV 951 952extern "C" { 953NOINLINE static void UseThenFreeThenUse() { 954 char *x = Ident((char*)malloc(8)); 955 *x = 1; 956 free_aaa(x); 957 *x = 2; 958} 959} 960 961TEST(AddressSanitizer, UseThenFreeThenUseTest) { 962 EXPECT_DEATH(UseThenFreeThenUse(), "freed by thread"); 963} 964 965TEST(AddressSanitizer, StrDupTest) { 966 free(strdup(Ident("123"))); 967} 968 969// Currently we create and poison redzone at right of global variables. 970static char static110[110]; 971const char ConstGlob[7] = {1, 2, 3, 4, 5, 6, 7}; 972static const char StaticConstGlob[3] = {9, 8, 7}; 973 974TEST(AddressSanitizer, GlobalTest) { 975 static char func_static15[15]; 976 977 static char fs1[10]; 978 static char fs2[10]; 979 static char fs3[10]; 980 981 glob5[Ident(0)] = 0; 982 glob5[Ident(1)] = 0; 983 glob5[Ident(2)] = 0; 984 glob5[Ident(3)] = 0; 985 glob5[Ident(4)] = 0; 986 987 EXPECT_DEATH(glob5[Ident(5)] = 0, 988 "0 bytes to the right of global variable.*glob5.* size 5"); 989 EXPECT_DEATH(glob5[Ident(5+6)] = 0, 990 "6 bytes to the right of global variable.*glob5.* size 5"); 991 Ident(static110); // avoid optimizations 992 static110[Ident(0)] = 0; 993 static110[Ident(109)] = 0; 994 EXPECT_DEATH(static110[Ident(110)] = 0, 995 "0 bytes to the right of global variable"); 996 EXPECT_DEATH(static110[Ident(110+7)] = 0, 997 "7 bytes to the right of global variable"); 998 999 Ident(func_static15); // avoid optimizations 1000 func_static15[Ident(0)] = 0; 1001 EXPECT_DEATH(func_static15[Ident(15)] = 0, 1002 "0 bytes to the right of global variable"); 1003 EXPECT_DEATH(func_static15[Ident(15 + 9)] = 0, 1004 "9 bytes to the right of global variable"); 1005 1006 Ident(fs1); 1007 Ident(fs2); 1008 Ident(fs3); 1009 1010 // We don't create left redzones, so this is not 100% guaranteed to fail. 1011 // But most likely will. 1012 EXPECT_DEATH(fs2[Ident(-1)] = 0, "is located.*of global variable"); 1013 1014 EXPECT_DEATH(Ident(Ident(ConstGlob)[8]), 1015 "is located 1 bytes to the right of .*ConstGlob"); 1016 EXPECT_DEATH(Ident(Ident(StaticConstGlob)[5]), 1017 "is located 2 bytes to the right of .*StaticConstGlob"); 1018 1019 // call stuff from another file. 1020 GlobalsTest(0); 1021} 1022 1023TEST(AddressSanitizer, GlobalStringConstTest) { 1024 static const char *zoo = "FOOBAR123"; 1025 const char *p = Ident(zoo); 1026 EXPECT_DEATH(Ident(p[15]), "is ascii string 'FOOBAR123'"); 1027} 1028 1029TEST(AddressSanitizer, FileNameInGlobalReportTest) { 1030 static char zoo[10]; 1031 const char *p = Ident(zoo); 1032 // The file name should be present in the report. 1033 EXPECT_DEATH(Ident(p[15]), "zoo.*asan_test."); 1034} 1035 1036int *ReturnsPointerToALocalObject() { 1037 int a = 0; 1038 return Ident(&a); 1039} 1040 1041#if ASAN_UAR == 1 1042TEST(AddressSanitizer, LocalReferenceReturnTest) { 1043 int *(*f)() = Ident(ReturnsPointerToALocalObject); 1044 int *p = f(); 1045 // Call 'f' a few more times, 'p' should still be poisoned. 1046 for (int i = 0; i < 32; i++) 1047 f(); 1048 EXPECT_DEATH(*p = 1, "AddressSanitizer: stack-use-after-return"); 1049 EXPECT_DEATH(*p = 1, "is located.*in frame .*ReturnsPointerToALocal"); 1050} 1051#endif 1052 1053template <int kSize> 1054NOINLINE static void FuncWithStack() { 1055 char x[kSize]; 1056 Ident(x)[0] = 0; 1057 Ident(x)[kSize-1] = 0; 1058} 1059 1060static void LotsOfStackReuse() { 1061 int LargeStack[10000]; 1062 Ident(LargeStack)[0] = 0; 1063 for (int i = 0; i < 10000; i++) { 1064 FuncWithStack<128 * 1>(); 1065 FuncWithStack<128 * 2>(); 1066 FuncWithStack<128 * 4>(); 1067 FuncWithStack<128 * 8>(); 1068 FuncWithStack<128 * 16>(); 1069 FuncWithStack<128 * 32>(); 1070 FuncWithStack<128 * 64>(); 1071 FuncWithStack<128 * 128>(); 1072 FuncWithStack<128 * 256>(); 1073 FuncWithStack<128 * 512>(); 1074 Ident(LargeStack)[0] = 0; 1075 } 1076} 1077 1078TEST(AddressSanitizer, StressStackReuseTest) { 1079 LotsOfStackReuse(); 1080} 1081 1082TEST(AddressSanitizer, ThreadedStressStackReuseTest) { 1083 const int kNumThreads = 20; 1084 pthread_t t[kNumThreads]; 1085 for (int i = 0; i < kNumThreads; i++) { 1086 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))LotsOfStackReuse, 0); 1087 } 1088 for (int i = 0; i < kNumThreads; i++) { 1089 PTHREAD_JOIN(t[i], 0); 1090 } 1091} 1092 1093static void *PthreadExit(void *a) { 1094 pthread_exit(0); 1095 return 0; 1096} 1097 1098TEST(AddressSanitizer, PthreadExitTest) { 1099 pthread_t t; 1100 for (int i = 0; i < 1000; i++) { 1101 PTHREAD_CREATE(&t, 0, PthreadExit, 0); 1102 PTHREAD_JOIN(t, 0); 1103 } 1104} 1105 1106// FIXME: Why does clang-cl define __EXCEPTIONS? 1107#if defined(__EXCEPTIONS) && !defined(_WIN32) 1108NOINLINE static void StackReuseAndException() { 1109 int large_stack[1000]; 1110 Ident(large_stack); 1111 ASAN_THROW(1); 1112} 1113 1114// TODO(kcc): support exceptions with use-after-return. 1115TEST(AddressSanitizer, DISABLED_StressStackReuseAndExceptionsTest) { 1116 for (int i = 0; i < 10000; i++) { 1117 try { 1118 StackReuseAndException(); 1119 } catch(...) { 1120 } 1121 } 1122} 1123#endif 1124 1125#if !defined(_WIN32) 1126TEST(AddressSanitizer, MlockTest) { 1127 EXPECT_EQ(0, mlockall(MCL_CURRENT)); 1128 EXPECT_EQ(0, mlock((void*)0x12345, 0x5678)); 1129 EXPECT_EQ(0, munlockall()); 1130 EXPECT_EQ(0, munlock((void*)0x987, 0x654)); 1131} 1132#endif 1133 1134struct LargeStruct { 1135 int foo[100]; 1136}; 1137 1138// Test for bug http://llvm.org/bugs/show_bug.cgi?id=11763. 1139// Struct copy should not cause asan warning even if lhs == rhs. 1140TEST(AddressSanitizer, LargeStructCopyTest) { 1141 LargeStruct a; 1142 *Ident(&a) = *Ident(&a); 1143} 1144 1145ATTRIBUTE_NO_SANITIZE_ADDRESS 1146static void NoSanitizeAddress() { 1147 char *foo = new char[10]; 1148 Ident(foo)[10] = 0; 1149 delete [] foo; 1150} 1151 1152TEST(AddressSanitizer, AttributeNoSanitizeAddressTest) { 1153 Ident(NoSanitizeAddress)(); 1154} 1155 1156// The new/delete/etc mismatch checks don't work on Android, 1157// as calls to new/delete go through malloc/free. 1158// OS X support is tracked here: 1159// https://github.com/google/sanitizers/issues/131 1160// Windows support is tracked here: 1161// https://github.com/google/sanitizers/issues/309 1162#if !defined(__ANDROID__) && \ 1163 !defined(__APPLE__) && \ 1164 !defined(_WIN32) 1165static string MismatchStr(const string &str) { 1166 return string("AddressSanitizer: alloc-dealloc-mismatch \\(") + str; 1167} 1168 1169TEST(AddressSanitizer, AllocDeallocMismatch) { 1170 EXPECT_DEATH(free(Ident(new int)), 1171 MismatchStr("operator new vs free")); 1172 EXPECT_DEATH(free(Ident(new int[2])), 1173 MismatchStr("operator new \\[\\] vs free")); 1174 EXPECT_DEATH(delete (Ident(new int[2])), 1175 MismatchStr("operator new \\[\\] vs operator delete")); 1176 EXPECT_DEATH(delete (Ident((int*)malloc(2 * sizeof(int)))), 1177 MismatchStr("malloc vs operator delete")); 1178 EXPECT_DEATH(delete [] (Ident(new int)), 1179 MismatchStr("operator new vs operator delete \\[\\]")); 1180 EXPECT_DEATH(delete [] (Ident((int*)malloc(2 * sizeof(int)))), 1181 MismatchStr("malloc vs operator delete \\[\\]")); 1182} 1183#endif 1184 1185// ------------------ demo tests; run each one-by-one ------------- 1186// e.g. --gtest_filter=*DemoOOBLeftHigh --gtest_also_run_disabled_tests 1187TEST(AddressSanitizer, DISABLED_DemoThreadedTest) { 1188 ThreadedTestSpawn(); 1189} 1190 1191void *SimpleBugOnSTack(void *x = 0) { 1192 char a[20]; 1193 Ident(a)[20] = 0; 1194 return 0; 1195} 1196 1197TEST(AddressSanitizer, DISABLED_DemoStackTest) { 1198 SimpleBugOnSTack(); 1199} 1200 1201TEST(AddressSanitizer, DISABLED_DemoThreadStackTest) { 1202 pthread_t t; 1203 PTHREAD_CREATE(&t, 0, SimpleBugOnSTack, 0); 1204 PTHREAD_JOIN(t, 0); 1205} 1206 1207TEST(AddressSanitizer, DISABLED_DemoUAFLowIn) { 1208 uaf_test<U1>(10, 0); 1209} 1210TEST(AddressSanitizer, DISABLED_DemoUAFLowLeft) { 1211 uaf_test<U1>(10, -2); 1212} 1213TEST(AddressSanitizer, DISABLED_DemoUAFLowRight) { 1214 uaf_test<U1>(10, 10); 1215} 1216 1217TEST(AddressSanitizer, DISABLED_DemoUAFHigh) { 1218 uaf_test<U1>(kLargeMalloc, 0); 1219} 1220 1221TEST(AddressSanitizer, DISABLED_DemoOOM) { 1222 size_t size = SANITIZER_WORDSIZE == 64 ? (size_t)(1ULL << 40) : (0xf0000000); 1223 printf("%p\n", malloc(size)); 1224} 1225 1226TEST(AddressSanitizer, DISABLED_DemoDoubleFreeTest) { 1227 DoubleFree(); 1228} 1229 1230TEST(AddressSanitizer, DISABLED_DemoNullDerefTest) { 1231 int *a = 0; 1232 Ident(a)[10] = 0; 1233} 1234 1235TEST(AddressSanitizer, DISABLED_DemoFunctionStaticTest) { 1236 static char a[100]; 1237 static char b[100]; 1238 static char c[100]; 1239 Ident(a); 1240 Ident(b); 1241 Ident(c); 1242 Ident(a)[5] = 0; 1243 Ident(b)[105] = 0; 1244 Ident(a)[5] = 0; 1245} 1246 1247TEST(AddressSanitizer, DISABLED_DemoTooMuchMemoryTest) { 1248 const size_t kAllocSize = (1 << 28) - 1024; 1249 size_t total_size = 0; 1250 while (true) { 1251 void *x = malloc(kAllocSize); 1252 memset(x, 0, kAllocSize); 1253 total_size += kAllocSize; 1254 fprintf(stderr, "total: %ldM %p\n", (long)total_size >> 20, x); 1255 } 1256} 1257 1258// https://github.com/google/sanitizers/issues/66 1259TEST(AddressSanitizer, BufferOverflowAfterManyFrees) { 1260 for (int i = 0; i < 1000000; i++) { 1261 delete [] (Ident(new char [8644])); 1262 } 1263 char *x = new char[8192]; 1264 EXPECT_DEATH(x[Ident(8192)] = 0, "AddressSanitizer: heap-buffer-overflow"); 1265 delete [] Ident(x); 1266} 1267 1268 1269// Test that instrumentation of stack allocations takes into account 1270// AllocSize of a type, and not its StoreSize (16 vs 10 bytes for long double). 1271// See http://llvm.org/bugs/show_bug.cgi?id=12047 for more details. 1272TEST(AddressSanitizer, LongDoubleNegativeTest) { 1273 long double a, b; 1274 static long double c; 1275 memcpy(Ident(&a), Ident(&b), sizeof(long double)); 1276 memcpy(Ident(&c), Ident(&b), sizeof(long double)); 1277} 1278 1279#if !defined(_WIN32) 1280TEST(AddressSanitizer, pthread_getschedparam) { 1281 int policy; 1282 struct sched_param param; 1283 EXPECT_DEATH( 1284 pthread_getschedparam(pthread_self(), &policy, Ident(¶m) + 2), 1285 "AddressSanitizer: stack-buffer-.*flow"); 1286 EXPECT_DEATH( 1287 pthread_getschedparam(pthread_self(), Ident(&policy) - 1, ¶m), 1288 "AddressSanitizer: stack-buffer-.*flow"); 1289 int res = pthread_getschedparam(pthread_self(), &policy, ¶m); 1290 ASSERT_EQ(0, res); 1291} 1292#endif 1293 1294#if SANITIZER_TEST_HAS_PRINTF_L 1295static int vsnprintf_l_wrapper(char *s, size_t n, 1296 locale_t l, const char *format, ...) { 1297 va_list va; 1298 va_start(va, format); 1299 int res = vsnprintf_l(s, n , l, format, va); 1300 va_end(va); 1301 return res; 1302} 1303 1304TEST(AddressSanitizer, snprintf_l) { 1305 char buff[5]; 1306 // Check that snprintf_l() works fine with Asan. 1307 int res = snprintf_l(buff, 5, 1308 _LIBCPP_GET_C_LOCALE, "%s", "snprintf_l()"); 1309 EXPECT_EQ(12, res); 1310 // Check that vsnprintf_l() works fine with Asan. 1311 res = vsnprintf_l_wrapper(buff, 5, 1312 _LIBCPP_GET_C_LOCALE, "%s", "vsnprintf_l()"); 1313 EXPECT_EQ(13, res); 1314 1315 EXPECT_DEATH(snprintf_l(buff, 10, 1316 _LIBCPP_GET_C_LOCALE, "%s", "snprintf_l()"), 1317 "AddressSanitizer: stack-buffer-overflow"); 1318 EXPECT_DEATH(vsnprintf_l_wrapper(buff, 10, 1319 _LIBCPP_GET_C_LOCALE, "%s", "vsnprintf_l()"), 1320 "AddressSanitizer: stack-buffer-overflow"); 1321} 1322#endif 1323