1 //===-- asan_noinst_test.cc -----------------------------------------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // This test file should be compiled w/o asan instrumentation.
13 //===----------------------------------------------------------------------===//
14
15 #include "asan_allocator.h"
16 #include "asan_internal.h"
17 #include "asan_mapping.h"
18 #include "asan_test_utils.h"
19
20 #include <assert.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h> // for memset()
24 #include <algorithm>
25 #include <vector>
26 #include <limits>
27
28
TEST(AddressSanitizer,InternalSimpleDeathTest)29 TEST(AddressSanitizer, InternalSimpleDeathTest) {
30 EXPECT_DEATH(exit(1), "");
31 }
32
MallocStress(size_t n)33 static void MallocStress(size_t n) {
34 u32 seed = my_rand();
35 StackTrace stack1;
36 stack1.trace[0] = 0xa123;
37 stack1.trace[1] = 0xa456;
38 stack1.size = 2;
39
40 StackTrace stack2;
41 stack2.trace[0] = 0xb123;
42 stack2.trace[1] = 0xb456;
43 stack2.size = 2;
44
45 StackTrace stack3;
46 stack3.trace[0] = 0xc123;
47 stack3.trace[1] = 0xc456;
48 stack3.size = 2;
49
50 std::vector<void *> vec;
51 for (size_t i = 0; i < n; i++) {
52 if ((i % 3) == 0) {
53 if (vec.empty()) continue;
54 size_t idx = my_rand_r(&seed) % vec.size();
55 void *ptr = vec[idx];
56 vec[idx] = vec.back();
57 vec.pop_back();
58 __asan::asan_free(ptr, &stack1, __asan::FROM_MALLOC);
59 } else {
60 size_t size = my_rand_r(&seed) % 1000 + 1;
61 switch ((my_rand_r(&seed) % 128)) {
62 case 0: size += 1024; break;
63 case 1: size += 2048; break;
64 case 2: size += 4096; break;
65 }
66 size_t alignment = 1 << (my_rand_r(&seed) % 10 + 1);
67 char *ptr = (char*)__asan::asan_memalign(alignment, size,
68 &stack2, __asan::FROM_MALLOC);
69 EXPECT_EQ(size, __asan::asan_malloc_usable_size(ptr, &stack2));
70 vec.push_back(ptr);
71 ptr[0] = 0;
72 ptr[size-1] = 0;
73 ptr[size/2] = 0;
74 }
75 }
76 for (size_t i = 0; i < vec.size(); i++)
77 __asan::asan_free(vec[i], &stack3, __asan::FROM_MALLOC);
78 }
79
80
TEST(AddressSanitizer,NoInstMallocTest)81 TEST(AddressSanitizer, NoInstMallocTest) {
82 MallocStress(ASAN_LOW_MEMORY ? 300000 : 1000000);
83 }
84
TEST(AddressSanitizer,ThreadedMallocStressTest)85 TEST(AddressSanitizer, ThreadedMallocStressTest) {
86 const int kNumThreads = 4;
87 const int kNumIterations = (ASAN_LOW_MEMORY) ? 10000 : 100000;
88 pthread_t t[kNumThreads];
89 for (int i = 0; i < kNumThreads; i++) {
90 PTHREAD_CREATE(&t[i], 0, (void* (*)(void *x))MallocStress,
91 (void*)kNumIterations);
92 }
93 for (int i = 0; i < kNumThreads; i++) {
94 PTHREAD_JOIN(t[i], 0);
95 }
96 }
97
PrintShadow(const char * tag,uptr ptr,size_t size)98 static void PrintShadow(const char *tag, uptr ptr, size_t size) {
99 fprintf(stderr, "%s shadow: %lx size % 3ld: ", tag, (long)ptr, (long)size);
100 uptr prev_shadow = 0;
101 for (sptr i = -32; i < (sptr)size + 32; i++) {
102 uptr shadow = __asan::MemToShadow(ptr + i);
103 if (i == 0 || i == (sptr)size)
104 fprintf(stderr, ".");
105 if (shadow != prev_shadow) {
106 prev_shadow = shadow;
107 fprintf(stderr, "%02x", (int)*(u8*)shadow);
108 }
109 }
110 fprintf(stderr, "\n");
111 }
112
TEST(AddressSanitizer,DISABLED_InternalPrintShadow)113 TEST(AddressSanitizer, DISABLED_InternalPrintShadow) {
114 for (size_t size = 1; size <= 513; size++) {
115 char *ptr = new char[size];
116 PrintShadow("m", (uptr)ptr, size);
117 delete [] ptr;
118 PrintShadow("f", (uptr)ptr, size);
119 }
120 }
121
122 static uptr pc_array[] = {
123 #if SANITIZER_WORDSIZE == 64
124 0x7effbf756068ULL,
125 0x7effbf75e5abULL,
126 0x7effc0625b7cULL,
127 0x7effc05b8997ULL,
128 0x7effbf990577ULL,
129 0x7effbf990c56ULL,
130 0x7effbf992f3cULL,
131 0x7effbf950c22ULL,
132 0x7effc036dba0ULL,
133 0x7effc03638a3ULL,
134 0x7effc035be4aULL,
135 0x7effc0539c45ULL,
136 0x7effc0539a65ULL,
137 0x7effc03db9b3ULL,
138 0x7effc03db100ULL,
139 0x7effc037c7b8ULL,
140 0x7effc037bfffULL,
141 0x7effc038b777ULL,
142 0x7effc038021cULL,
143 0x7effc037c7d1ULL,
144 0x7effc037bfffULL,
145 0x7effc038b777ULL,
146 0x7effc038021cULL,
147 0x7effc037c7d1ULL,
148 0x7effc037bfffULL,
149 0x7effc038b777ULL,
150 0x7effc038021cULL,
151 0x7effc037c7d1ULL,
152 0x7effc037bfffULL,
153 0x7effc0520d26ULL,
154 0x7effc009ddffULL,
155 0x7effbf90bb50ULL,
156 0x7effbdddfa69ULL,
157 0x7effbdde1fe2ULL,
158 0x7effbdde2424ULL,
159 0x7effbdde27b3ULL,
160 0x7effbddee53bULL,
161 0x7effbdde1988ULL,
162 0x7effbdde0904ULL,
163 0x7effc106ce0dULL,
164 0x7effbcc3fa04ULL,
165 0x7effbcc3f6a4ULL,
166 0x7effbcc3e726ULL,
167 0x7effbcc40852ULL,
168 0x7effb681ec4dULL,
169 #endif // SANITIZER_WORDSIZE
170 0xB0B5E768,
171 0x7B682EC1,
172 0x367F9918,
173 0xAE34E13,
174 0xBA0C6C6,
175 0x13250F46,
176 0xA0D6A8AB,
177 0x2B07C1A8,
178 0x6C844F4A,
179 0x2321B53,
180 0x1F3D4F8F,
181 0x3FE2924B,
182 0xB7A2F568,
183 0xBD23950A,
184 0x61020930,
185 0x33E7970C,
186 0x405998A1,
187 0x59F3551D,
188 0x350E3028,
189 0xBC55A28D,
190 0x361F3AED,
191 0xBEAD0F73,
192 0xAEF28479,
193 0x757E971F,
194 0xAEBA450,
195 0x43AD22F5,
196 0x8C2C50C4,
197 0x7AD8A2E1,
198 0x69EE4EE8,
199 0xC08DFF,
200 0x4BA6538,
201 0x3708AB2,
202 0xC24B6475,
203 0x7C8890D7,
204 0x6662495F,
205 0x9B641689,
206 0xD3596B,
207 0xA1049569,
208 0x44CBC16,
209 0x4D39C39F
210 };
211
CompressStackTraceTest(size_t n_iter)212 void CompressStackTraceTest(size_t n_iter) {
213 u32 seed = my_rand();
214 const size_t kNumPcs = ARRAY_SIZE(pc_array);
215 u32 compressed[2 * kNumPcs];
216
217 for (size_t iter = 0; iter < n_iter; iter++) {
218 std::random_shuffle(pc_array, pc_array + kNumPcs);
219 StackTrace stack0, stack1;
220 stack0.CopyFrom(pc_array, kNumPcs);
221 stack0.size = std::max((size_t)1, (size_t)(my_rand_r(&seed) % stack0.size));
222 size_t compress_size =
223 std::max((size_t)2, (size_t)my_rand_r(&seed) % (2 * kNumPcs));
224 size_t n_frames =
225 StackTrace::CompressStack(&stack0, compressed, compress_size);
226 Ident(n_frames);
227 assert(n_frames <= stack0.size);
228 StackTrace::UncompressStack(&stack1, compressed, compress_size);
229 assert(stack1.size == n_frames);
230 for (size_t i = 0; i < stack1.size; i++) {
231 assert(stack0.trace[i] == stack1.trace[i]);
232 }
233 }
234 }
235
TEST(AddressSanitizer,CompressStackTraceTest)236 TEST(AddressSanitizer, CompressStackTraceTest) {
237 CompressStackTraceTest(10000);
238 }
239
CompressStackTraceBenchmark(size_t n_iter)240 void CompressStackTraceBenchmark(size_t n_iter) {
241 const size_t kNumPcs = ARRAY_SIZE(pc_array);
242 u32 compressed[2 * kNumPcs];
243 std::random_shuffle(pc_array, pc_array + kNumPcs);
244
245 StackTrace stack0;
246 stack0.CopyFrom(pc_array, kNumPcs);
247 stack0.size = kNumPcs;
248 for (size_t iter = 0; iter < n_iter; iter++) {
249 size_t compress_size = kNumPcs;
250 size_t n_frames =
251 StackTrace::CompressStack(&stack0, compressed, compress_size);
252 Ident(n_frames);
253 }
254 }
255
TEST(AddressSanitizer,CompressStackTraceBenchmark)256 TEST(AddressSanitizer, CompressStackTraceBenchmark) {
257 CompressStackTraceBenchmark(1 << 24);
258 }
259
TEST(AddressSanitizer,QuarantineTest)260 TEST(AddressSanitizer, QuarantineTest) {
261 StackTrace stack;
262 stack.trace[0] = 0x890;
263 stack.size = 1;
264
265 const int size = 1024;
266 void *p = __asan::asan_malloc(size, &stack);
267 __asan::asan_free(p, &stack, __asan::FROM_MALLOC);
268 size_t i;
269 size_t max_i = 1 << 30;
270 for (i = 0; i < max_i; i++) {
271 void *p1 = __asan::asan_malloc(size, &stack);
272 __asan::asan_free(p1, &stack, __asan::FROM_MALLOC);
273 if (p1 == p) break;
274 }
275 EXPECT_GE(i, 10000U);
276 EXPECT_LT(i, max_i);
277 }
278
ThreadedQuarantineTestWorker(void * unused)279 void *ThreadedQuarantineTestWorker(void *unused) {
280 (void)unused;
281 u32 seed = my_rand();
282 StackTrace stack;
283 stack.trace[0] = 0x890;
284 stack.size = 1;
285
286 for (size_t i = 0; i < 1000; i++) {
287 void *p = __asan::asan_malloc(1 + (my_rand_r(&seed) % 4000), &stack);
288 __asan::asan_free(p, &stack, __asan::FROM_MALLOC);
289 }
290 return NULL;
291 }
292
293 // Check that the thread local allocators are flushed when threads are
294 // destroyed.
TEST(AddressSanitizer,ThreadedQuarantineTest)295 TEST(AddressSanitizer, ThreadedQuarantineTest) {
296 const int n_threads = 3000;
297 size_t mmaped1 = __asan_get_heap_size();
298 for (int i = 0; i < n_threads; i++) {
299 pthread_t t;
300 PTHREAD_CREATE(&t, NULL, ThreadedQuarantineTestWorker, 0);
301 PTHREAD_JOIN(t, 0);
302 size_t mmaped2 = __asan_get_heap_size();
303 EXPECT_LT(mmaped2 - mmaped1, 320U * (1 << 20));
304 }
305 }
306
ThreadedOneSizeMallocStress(void * unused)307 void *ThreadedOneSizeMallocStress(void *unused) {
308 (void)unused;
309 StackTrace stack;
310 stack.trace[0] = 0x890;
311 stack.size = 1;
312 const size_t kNumMallocs = 1000;
313 for (int iter = 0; iter < 1000; iter++) {
314 void *p[kNumMallocs];
315 for (size_t i = 0; i < kNumMallocs; i++) {
316 p[i] = __asan::asan_malloc(32, &stack);
317 }
318 for (size_t i = 0; i < kNumMallocs; i++) {
319 __asan::asan_free(p[i], &stack, __asan::FROM_MALLOC);
320 }
321 }
322 return NULL;
323 }
324
TEST(AddressSanitizer,ThreadedOneSizeMallocStressTest)325 TEST(AddressSanitizer, ThreadedOneSizeMallocStressTest) {
326 const int kNumThreads = 4;
327 pthread_t t[kNumThreads];
328 for (int i = 0; i < kNumThreads; i++) {
329 PTHREAD_CREATE(&t[i], 0, ThreadedOneSizeMallocStress, 0);
330 }
331 for (int i = 0; i < kNumThreads; i++) {
332 PTHREAD_JOIN(t[i], 0);
333 }
334 }
335
TEST(AddressSanitizer,MemsetWildAddressTest)336 TEST(AddressSanitizer, MemsetWildAddressTest) {
337 using __asan::kHighMemEnd;
338 typedef void*(*memset_p)(void*, int, size_t);
339 // Prevent inlining of memset().
340 volatile memset_p libc_memset = (memset_p)memset;
341 EXPECT_DEATH(libc_memset((void*)(kLowShadowBeg + 200), 0, 100),
342 (kLowShadowEnd == 0) ? "unknown-crash.*shadow gap"
343 : "unknown-crash.*low shadow");
344 EXPECT_DEATH(libc_memset((void*)(kShadowGapBeg + 200), 0, 100),
345 "unknown-crash.*shadow gap");
346 EXPECT_DEATH(libc_memset((void*)(kHighShadowBeg + 200), 0, 100),
347 "unknown-crash.*high shadow");
348 }
349
TEST(AddressSanitizerInterface,GetEstimatedAllocatedSize)350 TEST(AddressSanitizerInterface, GetEstimatedAllocatedSize) {
351 EXPECT_EQ(0U, __asan_get_estimated_allocated_size(0));
352 const size_t sizes[] = { 1, 30, 1<<30 };
353 for (size_t i = 0; i < 3; i++) {
354 EXPECT_EQ(sizes[i], __asan_get_estimated_allocated_size(sizes[i]));
355 }
356 }
357
358 static const char* kGetAllocatedSizeErrorMsg =
359 "attempting to call __asan_get_allocated_size()";
360
TEST(AddressSanitizerInterface,GetAllocatedSizeAndOwnershipTest)361 TEST(AddressSanitizerInterface, GetAllocatedSizeAndOwnershipTest) {
362 const size_t kArraySize = 100;
363 char *array = Ident((char*)malloc(kArraySize));
364 int *int_ptr = Ident(new int);
365
366 // Allocated memory is owned by allocator. Allocated size should be
367 // equal to requested size.
368 EXPECT_EQ(true, __asan_get_ownership(array));
369 EXPECT_EQ(kArraySize, __asan_get_allocated_size(array));
370 EXPECT_EQ(true, __asan_get_ownership(int_ptr));
371 EXPECT_EQ(sizeof(int), __asan_get_allocated_size(int_ptr));
372
373 // We cannot call GetAllocatedSize from the memory we didn't map,
374 // and from the interior pointers (not returned by previous malloc).
375 void *wild_addr = (void*)0x1;
376 EXPECT_FALSE(__asan_get_ownership(wild_addr));
377 EXPECT_DEATH(__asan_get_allocated_size(wild_addr), kGetAllocatedSizeErrorMsg);
378 EXPECT_FALSE(__asan_get_ownership(array + kArraySize / 2));
379 EXPECT_DEATH(__asan_get_allocated_size(array + kArraySize / 2),
380 kGetAllocatedSizeErrorMsg);
381
382 // NULL is not owned, but is a valid argument for __asan_get_allocated_size().
383 EXPECT_FALSE(__asan_get_ownership(NULL));
384 EXPECT_EQ(0U, __asan_get_allocated_size(NULL));
385
386 // When memory is freed, it's not owned, and call to GetAllocatedSize
387 // is forbidden.
388 free(array);
389 EXPECT_FALSE(__asan_get_ownership(array));
390 EXPECT_DEATH(__asan_get_allocated_size(array), kGetAllocatedSizeErrorMsg);
391 delete int_ptr;
392
393 void *zero_alloc = Ident(malloc(0));
394 if (zero_alloc != 0) {
395 // If malloc(0) is not null, this pointer is owned and should have valid
396 // allocated size.
397 EXPECT_TRUE(__asan_get_ownership(zero_alloc));
398 // Allocated size is 0 or 1 depending on the allocator used.
399 EXPECT_LT(__asan_get_allocated_size(zero_alloc), 2U);
400 }
401 free(zero_alloc);
402 }
403
TEST(AddressSanitizerInterface,GetCurrentAllocatedBytesTest)404 TEST(AddressSanitizerInterface, GetCurrentAllocatedBytesTest) {
405 size_t before_malloc, after_malloc, after_free;
406 char *array;
407 const size_t kMallocSize = 100;
408 before_malloc = __asan_get_current_allocated_bytes();
409
410 array = Ident((char*)malloc(kMallocSize));
411 after_malloc = __asan_get_current_allocated_bytes();
412 EXPECT_EQ(before_malloc + kMallocSize, after_malloc);
413
414 free(array);
415 after_free = __asan_get_current_allocated_bytes();
416 EXPECT_EQ(before_malloc, after_free);
417 }
418
DoDoubleFree()419 static void DoDoubleFree() {
420 int *x = Ident(new int);
421 delete Ident(x);
422 delete Ident(x);
423 }
424
TEST(AddressSanitizerInterface,GetHeapSizeTest)425 TEST(AddressSanitizerInterface, GetHeapSizeTest) {
426 // asan_allocator2 does not keep huge chunks in free list, but unmaps them.
427 // The chunk should be greater than the quarantine size,
428 // otherwise it will be stuck in quarantine instead of being unmaped.
429 static const size_t kLargeMallocSize = (1 << 28) + 1; // 256M
430 free(Ident(malloc(kLargeMallocSize))); // Drain quarantine.
431 uptr old_heap_size = __asan_get_heap_size();
432 for (int i = 0; i < 3; i++) {
433 // fprintf(stderr, "allocating %zu bytes:\n", kLargeMallocSize);
434 free(Ident(malloc(kLargeMallocSize)));
435 EXPECT_EQ(old_heap_size, __asan_get_heap_size());
436 }
437 }
438
439 static const size_t kManyThreadsMallocSizes[] = {5, 1UL<<10, 1UL<<14, 357};
440 static const size_t kManyThreadsIterations = 250;
441 static const size_t kManyThreadsNumThreads =
442 (SANITIZER_WORDSIZE == 32) ? 40 : 200;
443
ManyThreadsWithStatsWorker(void * arg)444 void *ManyThreadsWithStatsWorker(void *arg) {
445 (void)arg;
446 for (size_t iter = 0; iter < kManyThreadsIterations; iter++) {
447 for (size_t size_index = 0; size_index < 4; size_index++) {
448 free(Ident(malloc(kManyThreadsMallocSizes[size_index])));
449 }
450 }
451 // Just one large allocation.
452 free(Ident(malloc(1 << 20)));
453 return 0;
454 }
455
TEST(AddressSanitizerInterface,ManyThreadsWithStatsStressTest)456 TEST(AddressSanitizerInterface, ManyThreadsWithStatsStressTest) {
457 size_t before_test, after_test, i;
458 pthread_t threads[kManyThreadsNumThreads];
459 before_test = __asan_get_current_allocated_bytes();
460 for (i = 0; i < kManyThreadsNumThreads; i++) {
461 PTHREAD_CREATE(&threads[i], 0,
462 (void* (*)(void *x))ManyThreadsWithStatsWorker, (void*)i);
463 }
464 for (i = 0; i < kManyThreadsNumThreads; i++) {
465 PTHREAD_JOIN(threads[i], 0);
466 }
467 after_test = __asan_get_current_allocated_bytes();
468 // ASan stats also reflect memory usage of internal ASan RTL structs,
469 // so we can't check for equality here.
470 EXPECT_LT(after_test, before_test + (1UL<<20));
471 }
472
TEST(AddressSanitizerInterface,ExitCode)473 TEST(AddressSanitizerInterface, ExitCode) {
474 int original_exit_code = __asan_set_error_exit_code(7);
475 EXPECT_EXIT(DoDoubleFree(), ::testing::ExitedWithCode(7), "");
476 EXPECT_EQ(7, __asan_set_error_exit_code(8));
477 EXPECT_EXIT(DoDoubleFree(), ::testing::ExitedWithCode(8), "");
478 EXPECT_EQ(8, __asan_set_error_exit_code(original_exit_code));
479 EXPECT_EXIT(DoDoubleFree(),
480 ::testing::ExitedWithCode(original_exit_code), "");
481 }
482
MyDeathCallback()483 static void MyDeathCallback() {
484 fprintf(stderr, "MyDeathCallback\n");
485 }
486
TEST(AddressSanitizerInterface,DeathCallbackTest)487 TEST(AddressSanitizerInterface, DeathCallbackTest) {
488 __asan_set_death_callback(MyDeathCallback);
489 EXPECT_DEATH(DoDoubleFree(), "MyDeathCallback");
490 __asan_set_death_callback(NULL);
491 }
492
493 static const char* kUseAfterPoisonErrorMessage = "use-after-poison";
494
495 #define GOOD_ACCESS(ptr, offset) \
496 EXPECT_FALSE(__asan::AddressIsPoisoned((uptr)(ptr + offset)))
497
498 #define BAD_ACCESS(ptr, offset) \
499 EXPECT_TRUE(__asan::AddressIsPoisoned((uptr)(ptr + offset)))
500
TEST(AddressSanitizerInterface,SimplePoisonMemoryRegionTest)501 TEST(AddressSanitizerInterface, SimplePoisonMemoryRegionTest) {
502 char *array = Ident((char*)malloc(120));
503 // poison array[40..80)
504 __asan_poison_memory_region(array + 40, 40);
505 GOOD_ACCESS(array, 39);
506 GOOD_ACCESS(array, 80);
507 BAD_ACCESS(array, 40);
508 BAD_ACCESS(array, 60);
509 BAD_ACCESS(array, 79);
510 EXPECT_DEATH(__asan_report_error(0, 0, 0, (uptr)(array + 40), true, 1),
511 kUseAfterPoisonErrorMessage);
512 __asan_unpoison_memory_region(array + 40, 40);
513 // access previously poisoned memory.
514 GOOD_ACCESS(array, 40);
515 GOOD_ACCESS(array, 79);
516 free(array);
517 }
518
TEST(AddressSanitizerInterface,OverlappingPoisonMemoryRegionTest)519 TEST(AddressSanitizerInterface, OverlappingPoisonMemoryRegionTest) {
520 char *array = Ident((char*)malloc(120));
521 // Poison [0..40) and [80..120)
522 __asan_poison_memory_region(array, 40);
523 __asan_poison_memory_region(array + 80, 40);
524 BAD_ACCESS(array, 20);
525 GOOD_ACCESS(array, 60);
526 BAD_ACCESS(array, 100);
527 // Poison whole array - [0..120)
528 __asan_poison_memory_region(array, 120);
529 BAD_ACCESS(array, 60);
530 // Unpoison [24..96)
531 __asan_unpoison_memory_region(array + 24, 72);
532 BAD_ACCESS(array, 23);
533 GOOD_ACCESS(array, 24);
534 GOOD_ACCESS(array, 60);
535 GOOD_ACCESS(array, 95);
536 BAD_ACCESS(array, 96);
537 free(array);
538 }
539
TEST(AddressSanitizerInterface,PushAndPopWithPoisoningTest)540 TEST(AddressSanitizerInterface, PushAndPopWithPoisoningTest) {
541 // Vector of capacity 20
542 char *vec = Ident((char*)malloc(20));
543 __asan_poison_memory_region(vec, 20);
544 for (size_t i = 0; i < 7; i++) {
545 // Simulate push_back.
546 __asan_unpoison_memory_region(vec + i, 1);
547 GOOD_ACCESS(vec, i);
548 BAD_ACCESS(vec, i + 1);
549 }
550 for (size_t i = 7; i > 0; i--) {
551 // Simulate pop_back.
552 __asan_poison_memory_region(vec + i - 1, 1);
553 BAD_ACCESS(vec, i - 1);
554 if (i > 1) GOOD_ACCESS(vec, i - 2);
555 }
556 free(vec);
557 }
558
TEST(AddressSanitizerInterface,GlobalRedzones)559 TEST(AddressSanitizerInterface, GlobalRedzones) {
560 GOOD_ACCESS(glob1, 1 - 1);
561 GOOD_ACCESS(glob2, 2 - 1);
562 GOOD_ACCESS(glob3, 3 - 1);
563 GOOD_ACCESS(glob4, 4 - 1);
564 GOOD_ACCESS(glob5, 5 - 1);
565 GOOD_ACCESS(glob6, 6 - 1);
566 GOOD_ACCESS(glob7, 7 - 1);
567 GOOD_ACCESS(glob8, 8 - 1);
568 GOOD_ACCESS(glob9, 9 - 1);
569 GOOD_ACCESS(glob10, 10 - 1);
570 GOOD_ACCESS(glob11, 11 - 1);
571 GOOD_ACCESS(glob12, 12 - 1);
572 GOOD_ACCESS(glob13, 13 - 1);
573 GOOD_ACCESS(glob14, 14 - 1);
574 GOOD_ACCESS(glob15, 15 - 1);
575 GOOD_ACCESS(glob16, 16 - 1);
576 GOOD_ACCESS(glob17, 17 - 1);
577 GOOD_ACCESS(glob1000, 1000 - 1);
578 GOOD_ACCESS(glob10000, 10000 - 1);
579 GOOD_ACCESS(glob100000, 100000 - 1);
580
581 BAD_ACCESS(glob1, 1);
582 BAD_ACCESS(glob2, 2);
583 BAD_ACCESS(glob3, 3);
584 BAD_ACCESS(glob4, 4);
585 BAD_ACCESS(glob5, 5);
586 BAD_ACCESS(glob6, 6);
587 BAD_ACCESS(glob7, 7);
588 BAD_ACCESS(glob8, 8);
589 BAD_ACCESS(glob9, 9);
590 BAD_ACCESS(glob10, 10);
591 BAD_ACCESS(glob11, 11);
592 BAD_ACCESS(glob12, 12);
593 BAD_ACCESS(glob13, 13);
594 BAD_ACCESS(glob14, 14);
595 BAD_ACCESS(glob15, 15);
596 BAD_ACCESS(glob16, 16);
597 BAD_ACCESS(glob17, 17);
598 BAD_ACCESS(glob1000, 1000);
599 BAD_ACCESS(glob1000, 1100); // Redzone is at least 101 bytes.
600 BAD_ACCESS(glob10000, 10000);
601 BAD_ACCESS(glob10000, 11000); // Redzone is at least 1001 bytes.
602 BAD_ACCESS(glob100000, 100000);
603 BAD_ACCESS(glob100000, 110000); // Redzone is at least 10001 bytes.
604 }
605
606 // Make sure that each aligned block of size "2^granularity" doesn't have
607 // "true" value before "false" value.
MakeShadowValid(bool * shadow,int length,int granularity)608 static void MakeShadowValid(bool *shadow, int length, int granularity) {
609 bool can_be_poisoned = true;
610 for (int i = length - 1; i >= 0; i--) {
611 if (!shadow[i])
612 can_be_poisoned = false;
613 if (!can_be_poisoned)
614 shadow[i] = false;
615 if (i % (1 << granularity) == 0) {
616 can_be_poisoned = true;
617 }
618 }
619 }
620
TEST(AddressSanitizerInterface,PoisoningStressTest)621 TEST(AddressSanitizerInterface, PoisoningStressTest) {
622 const size_t kSize = 24;
623 bool expected[kSize];
624 char *arr = Ident((char*)malloc(kSize));
625 for (size_t l1 = 0; l1 < kSize; l1++) {
626 for (size_t s1 = 1; l1 + s1 <= kSize; s1++) {
627 for (size_t l2 = 0; l2 < kSize; l2++) {
628 for (size_t s2 = 1; l2 + s2 <= kSize; s2++) {
629 // Poison [l1, l1+s1), [l2, l2+s2) and check result.
630 __asan_unpoison_memory_region(arr, kSize);
631 __asan_poison_memory_region(arr + l1, s1);
632 __asan_poison_memory_region(arr + l2, s2);
633 memset(expected, false, kSize);
634 memset(expected + l1, true, s1);
635 MakeShadowValid(expected, kSize, /*granularity*/ 3);
636 memset(expected + l2, true, s2);
637 MakeShadowValid(expected, kSize, /*granularity*/ 3);
638 for (size_t i = 0; i < kSize; i++) {
639 ASSERT_EQ(expected[i], __asan_address_is_poisoned(arr + i));
640 }
641 // Unpoison [l1, l1+s1) and [l2, l2+s2) and check result.
642 __asan_poison_memory_region(arr, kSize);
643 __asan_unpoison_memory_region(arr + l1, s1);
644 __asan_unpoison_memory_region(arr + l2, s2);
645 memset(expected, true, kSize);
646 memset(expected + l1, false, s1);
647 MakeShadowValid(expected, kSize, /*granularity*/ 3);
648 memset(expected + l2, false, s2);
649 MakeShadowValid(expected, kSize, /*granularity*/ 3);
650 for (size_t i = 0; i < kSize; i++) {
651 ASSERT_EQ(expected[i], __asan_address_is_poisoned(arr + i));
652 }
653 }
654 }
655 }
656 }
657 }
658
TEST(AddressSanitizerInterface,PoisonedRegion)659 TEST(AddressSanitizerInterface, PoisonedRegion) {
660 size_t rz = 16;
661 for (size_t size = 1; size <= 64; size++) {
662 char *p = new char[size];
663 uptr x = reinterpret_cast<uptr>(p);
664 for (size_t beg = 0; beg < size + rz; beg++) {
665 for (size_t end = beg; end < size + rz; end++) {
666 uptr first_poisoned = __asan_region_is_poisoned(x + beg, end - beg);
667 if (beg == end) {
668 EXPECT_FALSE(first_poisoned);
669 } else if (beg < size && end <= size) {
670 EXPECT_FALSE(first_poisoned);
671 } else if (beg >= size) {
672 EXPECT_EQ(x + beg, first_poisoned);
673 } else {
674 EXPECT_GT(end, size);
675 EXPECT_EQ(x + size, first_poisoned);
676 }
677 }
678 }
679 delete [] p;
680 }
681 }
682
683 // This is a performance benchmark for manual runs.
684 // asan's memset interceptor calls mem_is_zero for the entire shadow region.
685 // the profile should look like this:
686 // 89.10% [.] __memset_sse2
687 // 10.50% [.] __sanitizer::mem_is_zero
688 // I.e. mem_is_zero should consume ~ SHADOW_GRANULARITY less CPU cycles
689 // than memset itself.
TEST(AddressSanitizerInterface,DISABLED_StressLargeMemset)690 TEST(AddressSanitizerInterface, DISABLED_StressLargeMemset) {
691 size_t size = 1 << 20;
692 char *x = new char[size];
693 for (int i = 0; i < 100000; i++)
694 Ident(memset)(x, 0, size);
695 delete [] x;
696 }
697
698 // Same here, but we run memset with small sizes.
TEST(AddressSanitizerInterface,DISABLED_StressSmallMemset)699 TEST(AddressSanitizerInterface, DISABLED_StressSmallMemset) {
700 size_t size = 32;
701 char *x = new char[size];
702 for (int i = 0; i < 100000000; i++)
703 Ident(memset)(x, 0, size);
704 delete [] x;
705 }
706
707 static const char *kInvalidPoisonMessage = "invalid-poison-memory-range";
708 static const char *kInvalidUnpoisonMessage = "invalid-unpoison-memory-range";
709
TEST(AddressSanitizerInterface,DISABLED_InvalidPoisonAndUnpoisonCallsTest)710 TEST(AddressSanitizerInterface, DISABLED_InvalidPoisonAndUnpoisonCallsTest) {
711 char *array = Ident((char*)malloc(120));
712 __asan_unpoison_memory_region(array, 120);
713 // Try to unpoison not owned memory
714 EXPECT_DEATH(__asan_unpoison_memory_region(array, 121),
715 kInvalidUnpoisonMessage);
716 EXPECT_DEATH(__asan_unpoison_memory_region(array - 1, 120),
717 kInvalidUnpoisonMessage);
718
719 __asan_poison_memory_region(array, 120);
720 // Try to poison not owned memory.
721 EXPECT_DEATH(__asan_poison_memory_region(array, 121), kInvalidPoisonMessage);
722 EXPECT_DEATH(__asan_poison_memory_region(array - 1, 120),
723 kInvalidPoisonMessage);
724 free(array);
725 }
726
ErrorReportCallbackOneToZ(const char * report)727 static void ErrorReportCallbackOneToZ(const char *report) {
728 int report_len = strlen(report);
729 ASSERT_EQ(6, write(2, "ABCDEF", 6));
730 ASSERT_EQ(report_len, write(2, report, report_len));
731 ASSERT_EQ(6, write(2, "ABCDEF", 6));
732 _exit(1);
733 }
734
TEST(AddressSanitizerInterface,SetErrorReportCallbackTest)735 TEST(AddressSanitizerInterface, SetErrorReportCallbackTest) {
736 __asan_set_error_report_callback(ErrorReportCallbackOneToZ);
737 EXPECT_DEATH(__asan_report_error(0, 0, 0, 0, true, 1),
738 ASAN_PCRE_DOTALL "ABCDEF.*AddressSanitizer.*WRITE.*ABCDEF");
739 __asan_set_error_report_callback(NULL);
740 }
741
TEST(AddressSanitizerInterface,GetOwnershipStressTest)742 TEST(AddressSanitizerInterface, GetOwnershipStressTest) {
743 std::vector<char *> pointers;
744 std::vector<size_t> sizes;
745 const size_t kNumMallocs = 1 << 9;
746 for (size_t i = 0; i < kNumMallocs; i++) {
747 size_t size = i * 100 + 1;
748 pointers.push_back((char*)malloc(size));
749 sizes.push_back(size);
750 }
751 for (size_t i = 0; i < 4000000; i++) {
752 EXPECT_FALSE(__asan_get_ownership(&pointers));
753 EXPECT_FALSE(__asan_get_ownership((void*)0x1234));
754 size_t idx = i % kNumMallocs;
755 EXPECT_TRUE(__asan_get_ownership(pointers[idx]));
756 EXPECT_EQ(sizes[idx], __asan_get_allocated_size(pointers[idx]));
757 }
758 for (size_t i = 0, n = pointers.size(); i < n; i++)
759 free(pointers[i]);
760 }
761
TEST(AddressSanitizerInterface,CallocOverflow)762 TEST(AddressSanitizerInterface, CallocOverflow) {
763 size_t kArraySize = 4096;
764 volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max();
765 volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10;
766 void *p = calloc(kArraySize, kArraySize2); // Should return 0.
767 EXPECT_EQ(0L, Ident(p));
768 }
769
TEST(AddressSanitizerInterface,CallocOverflow2)770 TEST(AddressSanitizerInterface, CallocOverflow2) {
771 #if SANITIZER_WORDSIZE == 32
772 size_t kArraySize = 112;
773 volatile size_t kArraySize2 = 43878406;
774 void *p = calloc(kArraySize, kArraySize2); // Should return 0.
775 EXPECT_EQ(0L, Ident(p));
776 #endif
777 }
778
TEST(AddressSanitizerInterface,CallocReturnsZeroMem)779 TEST(AddressSanitizerInterface, CallocReturnsZeroMem) {
780 size_t sizes[] = {16, 1000, 10000, 100000, 2100000};
781 for (size_t s = 0; s < ARRAY_SIZE(sizes); s++) {
782 size_t size = sizes[s];
783 for (size_t iter = 0; iter < 5; iter++) {
784 char *x = Ident((char*)calloc(1, size));
785 EXPECT_EQ(x[0], 0);
786 EXPECT_EQ(x[size - 1], 0);
787 EXPECT_EQ(x[size / 2], 0);
788 EXPECT_EQ(x[size / 3], 0);
789 EXPECT_EQ(x[size / 4], 0);
790 memset(x, 0x42, size);
791 free(Ident(x));
792 free(Ident(malloc(Ident(1 << 27)))); // Try to drain the quarantine.
793 }
794 }
795 }
796