author | Dimitry Andric <dim@FreeBSD.org> | 2015-01-07 19:55:37 +0000 |
---|---|---|
committer | Dimitry Andric <dim@FreeBSD.org> | 2015-01-07 19:55:37 +0000 |
commit | ca9211ecdede9bdedb812b2243a4abdb8dacd1b9 (patch) | |
tree | 9b19e801150082c33e9152275829a6ce90614b55 /test/asan/TestCases | |
parent | 8ef50bf3d1c287b5013c3168de77a462dfce3495 (diff) | |
Import compiler-rt trunk r224034.vendor/compiler-rt/compiler-rt-r224034
Notes
Notes:
svn path=/vendor/compiler-rt/dist/; revision=276789
svn path=/vendor/compiler-rt/compiler-rt-r224034/; revision=276790; tag=vendor/compiler-rt/compiler-rt-r224034
Diffstat (limited to 'test/asan/TestCases')
276 files changed, 8410 insertions, 0 deletions
diff --git a/test/asan/TestCases/Android/coverage-android.cc b/test/asan/TestCases/Android/coverage-android.cc
new file mode 100644
index 000000000000..071a2e3e1faa
--- /dev/null
+++ b/test/asan/TestCases/Android/coverage-android.cc
@@ -0,0 +1,67 @@
+// Test for direct coverage writing with dlopen.
+
+// Test normal exit.
+// RUN: %clangxx_asan -mllvm -asan-coverage=1 -DSHARED %s -shared -o %T/libcoverage_android_test_1.so -fPIC
+// RUN: %clangxx_asan -mllvm -asan-coverage=1 -DSO_DIR=\"%device\" %s -o %t
+
+// RUN: adb shell rm -rf %device/coverage-android
+// RUN: rm -rf %T/coverage-android
+
+// RUN: adb shell mkdir -p %device/coverage-android/direct
+// RUN: mkdir -p %T/coverage-android/direct
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=1:coverage_dir=%device/coverage-android/direct:verbosity=1 %run %t
+// RUN: adb pull %device/coverage-android/direct %T/coverage-android/direct
+// RUN: ls; pwd
+// RUN: cd %T/coverage-android/direct
+// RUN: %sancov rawunpack *.sancov.raw
+// RUN: %sancov print *.sancov |& FileCheck %s
+
+
+// Test sudden death.
+// RUN: %clangxx_asan -mllvm -asan-coverage=1 -DSHARED -DKILL %s -shared -o %T/libcoverage_android_test_1.so -fPIC
+// RUN: %clangxx_asan -mllvm -asan-coverage=1 -DSO_DIR=\"%device\" %s -o %t
+
+// RUN: adb shell rm -rf %device/coverage-android-kill
+// RUN: rm -rf %T/coverage-android-kill
+
+// RUN: adb shell mkdir -p %device/coverage-android-kill/direct
+// RUN: mkdir -p %T/coverage-android-kill/direct
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=1:coverage_dir=%device/coverage-android-kill/direct:verbosity=1 not %run %t
+// RUN: adb pull %device/coverage-android-kill/direct %T/coverage-android-kill/direct
+// RUN: ls; pwd
+// RUN: cd %T/coverage-android-kill/direct
+// RUN: %sancov rawunpack *.sancov.raw
+// RUN: %sancov print *.sancov |& FileCheck %s
+
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <signal.h>
+
+#ifdef SHARED
+extern "C" {
+void bar() {
+ printf("bar\n");
+#ifdef KILL
+ kill(getpid(), SIGKILL);
+#endif
+}
+}
+#else
+
+int main(int argc, char **argv) {
+ fprintf(stderr, "PID: %d\n", getpid());
+ void *handle1 =
+ dlopen(SO_DIR "/libcoverage_android_test_1.so", RTLD_LAZY);
+ assert(handle1);
+ void (*bar1)() = (void (*)())dlsym(handle1, "bar");
+ assert(bar1);
+ bar1();
+
+ return 0;
+}
+#endif
+
+// CHECK: 2 PCs total
diff --git a/test/asan/TestCases/Android/lit.local.cfg b/test/asan/TestCases/Android/lit.local.cfg
new file mode 100644
index 000000000000..42513dd3aa61
--- /dev/null
+++ b/test/asan/TestCases/Android/lit.local.cfg
@@ -0,0 +1,11 @@
+def getRoot(config):
+ if not config.parent:
+ return config
+ return getRoot(config.parent)
+
+root = getRoot(config)
+
+if root.android != "TRUE":
+ config.unsupported = True
+
+config.substitutions.append( ("%device", "/data/local/tmp/Output") )
diff --git a/test/asan/TestCases/Darwin/asan_gen_prefixes.cc b/test/asan/TestCases/Darwin/asan_gen_prefixes.cc
new file mode 100644
index 000000000000..13363ac47255
--- /dev/null
+++ b/test/asan/TestCases/Darwin/asan_gen_prefixes.cc
@@ -0,0 +1,14 @@
+// Make sure __asan_gen_* strings have the correct prefixes on Darwin
+// ("L" in __TEXT,__cstring, "l" in __TEXT,__const
+
+// RUN: %clang_asan %s -S -o %t.s
+// RUN: cat %t.s | FileCheck %s || exit 1
+
+int x, y, z;
+int main() { return 0; }
+// CHECK: .section{{.*}}__TEXT,__const
+// CHECK: l___asan_gen_
+// CHECK: .section{{.*}}__TEXT,__cstring,cstring_literals
+// CHECK: L___asan_gen_
+// CHECK: L___asan_gen_
+// CHECK: L___asan_gen_
diff --git a/test/asan/TestCases/Darwin/cstring_literals_regtest.mm b/test/asan/TestCases/Darwin/cstring_literals_regtest.mm
new file mode 100644
index 000000000000..bcb15d8f39b0
--- /dev/null
+++ b/test/asan/TestCases/Darwin/cstring_literals_regtest.mm
@@ -0,0 +1,23 @@
+// Regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=274.
+
+// RUN: %clang_asan %s -framework Foundation -o %t
+// RUN: %run %t 2>&1 | FileCheck %s
+#import <Foundation/Foundation.h>
+
+#include <stdio.h>
+
+int main() {
+ NSString* version_file = @"MAJOR=35\n";
+ int major = 0, minor = 0, build = 0, patch = 0;
+ NSScanner* scanner = [NSScanner scannerWithString:version_file];
+ NSString *res = nil;
+ if ([scanner scanString:@"MAJOR=" intoString:nil] &&
+ [scanner scanInt:&major]) {
+ res = [NSString stringWithFormat:@"%d.%d.%d.%d",
+ major, minor, build, patch];
+ }
+ printf("%s\n", [res UTF8String]);
+ // CHECK: 35.0.0.0
+ return 0;
+}
diff --git a/test/asan/TestCases/Darwin/dyld_insert_libraries_reexec.cc b/test/asan/TestCases/Darwin/dyld_insert_libraries_reexec.cc
new file mode 100644
index 000000000000..b1bb4567f900
--- /dev/null
+++ b/test/asan/TestCases/Darwin/dyld_insert_libraries_reexec.cc
@@ -0,0 +1,33 @@
+// When DYLD-inserting the ASan dylib from a different location than the
+// original, make sure we don't try to reexec.
+
+// RUN: mkdir -p %T/dyld_insert_libraries_reexec
+// RUN: cp `%clang_asan %s -fsanitize=address -### 2>&1 \
+// RUN: | grep "libclang_rt.asan_osx_dynamic.dylib" \
+// RUN: | sed -e 's/.*"\(.*libclang_rt.asan_osx_dynamic.dylib\)".*/\1/'` \
+// RUN: %T/dyld_insert_libraries_reexec/libclang_rt.asan_osx_dynamic.dylib
+// RUN: %clangxx_asan %s -o %T/dyld_insert_libraries_reexec/a.out
+// RUN: DYLD_INSERT_LIBRARIES=@executable_path/libclang_rt.asan_osx_dynamic.dylib \
+// RUN: ASAN_OPTIONS=verbosity=1 %run %T/dyld_insert_libraries_reexec/a.out 2>&1 \
+// RUN: | FileCheck %s
+// RUN: ASAN_OPTIONS=verbosity=1 %run %T/dyld_insert_libraries_reexec/a.out 2>&1 \
+// RUN: | FileCheck --check-prefix=CHECK-NOINSERT %s
+
+#include <stdio.h>
+
+int main() {
+ printf("Passed\n");
+ return 0;
+}
+
+// CHECK-NOINSERT: Parsed ASAN_OPTIONS: verbosity=1
+// CHECK-NOINSERT: exec()-ing the program with
+// CHECK-NOINSERT: DYLD_INSERT_LIBRARIES
+// CHECK-NOINSERT: to enable ASan wrappers.
+// CHECK-NOINSERT: Passed
+
+// CHECK: Parsed ASAN_OPTIONS: verbosity=1
+// CHECK-NOT: exec()-ing the program with
+// CHECK-NOT: DYLD_INSERT_LIBRARIES
+// CHECK-NOT: to enable ASan wrappers.
+// CHECK: Passed
diff --git a/test/asan/TestCases/Darwin/interception-in-shared-lib-test.cc b/test/asan/TestCases/Darwin/interception-in-shared-lib-test.cc
new file mode 100644
index 000000000000..e472a9dc6972
--- /dev/null
+++ b/test/asan/TestCases/Darwin/interception-in-shared-lib-test.cc
@@ -0,0 +1,32 @@
+// Check that memset() call from a shared library gets intercepted.
+// Please always keep this file in sync with
+// ../Linux/interception-in-shared-lib-test.cc.
+
+// RUN: %clangxx_asan -O0 %s -DSHARED_LIB \
+// RUN: -shared -o %T/libinterception-in-shared-lib-test.so \
+// RUN: -fPIC
+// TODO(glider): figure out how to set rpath in a more portable way and unite
+// this test with ../Linux/interception-in-shared-lib-test.cc.
+// RUN: %clangxx_asan -O0 %s -o %t -Wl,-rpath,@executable-path -L%T -linterception-in-shared-lib-test && \
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(SHARED_LIB)
+extern "C"
+void my_memset(void *p, size_t sz) {
+ memset(p, 0, sz);
+}
+#else
+extern "C" void my_memset(void *p, size_t sz);
+
+int main(int argc, char *argv[]) {
+ char buf[10];
+ my_memset(buf, 11);
+ // CHECK: {{.*ERROR: AddressSanitizer: stack-buffer-overflow}}
+ // CHECK: {{WRITE of size 11 at 0x.* thread T0}}
+ // CHECK: {{0x.* in my_memset .*interception-in-shared-lib-test.cc:19}}
+ return 0;
+}
+#endif
diff --git a/test/asan/TestCases/Darwin/interface_symbols_darwin.c b/test/asan/TestCases/Darwin/interface_symbols_darwin.c
new file mode 100644
index 000000000000..8680d678cf91
--- /dev/null
+++ b/test/asan/TestCases/Darwin/interface_symbols_darwin.c
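Review bot: The link RUN line of Darwin/interception-in-shared-lib-test.cc passes `-Wl,-rpath,@executable-path`, with a hyphen, whereas dyld_insert_libraries_reexec.cc in this same import spells the dyld token `@executable_path`. With the hyphen the value is presumably recorded as a literal path component rather than expanded to the executable's directory, so the rpath does nothing and the test likely only works because the library is found through its recorded install name. If the rpath is meant to be effective the flag should read `-Wl,-rpath,@executable_path`. The last CHECK also hard-codes `interception-in-shared-lib-test.cc:19`, which silently goes stale if lines are added above the memset() call; a short comment next to `memset(p, 0, sz);` noting that the CHECK depends on its line number would help.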
@@ -0,0 +1,39 @@
+// Check the presence of interface symbols in the ASan runtime dylib.
+// If you're changing this file, please also change
+// ../Linux/interface_symbols.c
+
+// RUN: %clang_asan -dead_strip -O2 %s -o %t.exe
+// RUN: rm -f %t.symbols %t.interface
+
+// RUN: nm -g `%clang_asan %s -fsanitize=address -### 2>&1 | grep "libclang_rt.asan_osx_dynamic.dylib" | sed -e 's/.*"\(.*libclang_rt.asan_osx_dynamic.dylib\)".*/\1/'` \
+// RUN: | grep " T " | sed "s/.* T //" \
+// RUN: | grep "__asan_" | sed "s/___asan_/__asan_/" \
+// RUN: | sed -E "s/__asan_init_v[0-9]+/__asan_init/" \
+// RUN: | grep -v "__asan_default_options" \
+// RUN: | grep -v "__asan_on_error" > %t.symbols
+
+// RUN: cat %p/../../../../lib/asan/asan_interface_internal.h \
+// RUN: | sed "s/\/\/.*//" | sed "s/typedef.*//" \
+// RUN: | grep -v "OPTIONAL" \
+// RUN: | grep "__asan_.*(" | sed "s/.* __asan_/__asan_/;s/(.*//" \
+// RUN: > %t.interface
+// RUN: echo __asan_report_load1 >> %t.interface
+// RUN: echo __asan_report_load2 >> %t.interface
+// RUN: echo __asan_report_load4 >> %t.interface
+// RUN: echo __asan_report_load8 >> %t.interface
+// RUN: echo __asan_report_load16 >> %t.interface
+// RUN: echo __asan_report_store1 >> %t.interface
+// RUN: echo __asan_report_store2 >> %t.interface
+// RUN: echo __asan_report_store4 >> %t.interface
+// RUN: echo __asan_report_store8 >> %t.interface
+// RUN: echo __asan_report_store16 >> %t.interface
+// RUN: echo __asan_report_load_n >> %t.interface
+// RUN: echo __asan_report_store_n >> %t.interface
+// RUN: echo __asan_get_current_fake_stack >> %t.interface
+// RUN: echo __asan_addr_is_in_fake_stack >> %t.interface
+// RUN: for i in `jot - 0 10`; do echo __asan_stack_malloc_$i >> %t.interface; done
+// RUN: for i in `jot - 0 10`; do echo __asan_stack_free_$i >> %t.interface; done
+
+// RUN: cat %t.interface | sort -u | diff %t.symbols -
+
+int main() { return 0; }
diff --git a/test/asan/TestCases/Darwin/lit.local.cfg b/test/asan/TestCases/Darwin/lit.local.cfg
new file mode 100644
index 000000000000..a85dfcd24c08
--- /dev/null
+++ b/test/asan/TestCases/Darwin/lit.local.cfg
@@ -0,0 +1,9 @@
+def getRoot(config):
+ if not config.parent:
+ return config
+ return getRoot(config.parent)
+
+root = getRoot(config)
+
+if root.host_os not in ['Darwin']:
+ config.unsupported = True
diff --git a/test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc b/test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
new file mode 100644
index 000000000000..2c643bc03c52
--- /dev/null
+++ b/test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
@@ -0,0 +1,51 @@
+// Regression test for a bug in malloc_create_zone()
+// (https://code.google.com/p/address-sanitizer/issues/detail?id=203)
+// The old implementation of malloc_create_zone() didn't always return a
+// page-aligned address, so we can only test on a best-effort basis.
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %run %t 2>&1
+
+#include <malloc/malloc.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+const int kNumIter = 4096;
+const int kNumZones = 100;
+int main() {
+ char *mem[kNumIter * 2];
+ // Allocate memory chunks from different size classes up to 1 page.
+ // (For the case malloc() returns memory chunks in descending order)
+ for (int i = 0; i < kNumIter; i++) {
+ mem[i] = (char*)malloc(8 * i);
+ }
+ // Try to allocate a page-aligned malloc zone. Otherwise the mprotect() call
+ // in malloc_set_zone_name() will silently fail.
+ malloc_zone_t *zone = NULL;
+ bool aligned = false;
+ for (int i = 0; i < kNumZones; i++) {
+ zone = malloc_create_zone(0, 0);
+ if (((uintptr_t)zone & (~0xfff)) == (uintptr_t)zone) {
+ aligned = true;
+ break;
+ }
+ }
+ if (!aligned) {
+ printf("Warning: couldn't allocate a page-aligned zone.");
+ return 0;
+ }
+ // malloc_set_zone_name() calls mprotect(zone, 4096, PROT_READ | PROT_WRITE),
+ // modifies the zone contents and then calls mprotect(zone, 4096, PROT_READ).
+ malloc_set_zone_name(zone, "foobar");
+ // Allocate memory chunks from different size classes again.
+ for (int i = 0; i < kNumIter; i++) {
+ mem[i + kNumIter] = (char*)malloc(8 * i);
+ }
+ // Access the allocated memory chunks and free them.
+ for (int i = 0; i < kNumIter * 2; i++) {
+ memset(mem[i], 'a', 8 * (i % kNumIter));
+ free(mem[i]);
+ }
+ return 0;
+}
diff --git a/test/asan/TestCases/Darwin/malloc_zone-protected.cc b/test/asan/TestCases/Darwin/malloc_zone-protected.cc
new file mode 100644
index 000000000000..362b60e20b55
--- /dev/null
+++ b/test/asan/TestCases/Darwin/malloc_zone-protected.cc
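Review bot: In malloc_set_zone_name-mprotect.cc the page-alignment check casts to `uintptr_t`, but the file includes only `<malloc/malloc.h>`, `<stdlib.h>`, `<string.h>` and `<stdio.h>`, so the type presumably arrives through a transitive include; adding `#include <stdint.h>` makes the dependency explicit. When none of the kNumZones attempts yields a page-aligned zone the test prints a warning and returns 0, so it reports success without ever calling malloc_set_zone_name(); the header comment admits the best-effort nature, but the skip is easy to miss in a log. The warning would be easier to spot with a trailing newline, `printf("Warning: couldn't allocate a page-aligned zone.\n");`.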
@@ -0,0 +1,20 @@
+// Make sure the zones created by malloc_create_zone() are write-protected.
+#include <malloc/malloc.h>
+#include <stdio.h>
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+
+void *pwn(malloc_zone_t *unused_zone, size_t unused_size) {
+ printf("PWNED\n");
+ return NULL;
+}
+
+int main() {
+ malloc_zone_t *zone = malloc_create_zone(0, 0);
+ zone->malloc = pwn;
+ void *v = malloc_zone_malloc(zone, 1);
+ // CHECK-NOT: PWNED
+ return 0;
+}
diff --git a/test/asan/TestCases/Darwin/objc-odr.mm b/test/asan/TestCases/Darwin/objc-odr.mm
new file mode 100644
index 000000000000..72bc39c80dd4
--- /dev/null
+++ b/test/asan/TestCases/Darwin/objc-odr.mm
@@ -0,0 +1,23 @@
+// Regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=360.
+
+// RUN: %clang_asan %s -o %t -framework Foundation
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+
+void f() {
+ int y = 7;
+ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
+ dispatch_sync(dispatch_get_main_queue(), ^{
+ printf("num = %d\n", y);
+ });
+ });
+}
+
+int main() {
+ NSLog(@"Hello world");
+}
+
+// CHECK-NOT: AddressSanitizer: odr-violation
+// CHECK: Hello world
diff --git a/test/asan/TestCases/Darwin/reexec-insert-libraries-env.cc b/test/asan/TestCases/Darwin/reexec-insert-libraries-env.cc
new file mode 100644
index 000000000000..59ddd634b400
--- /dev/null
+++ b/test/asan/TestCases/Darwin/reexec-insert-libraries-env.cc
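Review bot: The only FileCheck directive in malloc_zone-protected.cc is `// CHECK-NOT: PWNED`, so combined with `not %run` the test passes on any non-zero exit that does not print PWNED, whether or not it was the store `zone->malloc = pwn;` that faulted. A positive CHECK on the sanitizer's crash report, placed before the CHECK-NOT, would tie the failure to the write-protected zone; the exact report text is not shown on this page and should be taken from a real run. A comment on the store itself, for example `// Expected to fault: zones from malloc_create_zone() are write-protected.`, would also make clear that execution is not supposed to reach malloc_zone_malloc().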
@@ -0,0 +1,25 @@
+// Make sure ASan doesn't hang in an exec loop if DYLD_INSERT_LIBRARIES is set.
+// This is a regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=159
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %clangxx -DSHARED_LIB %s \
+// RUN: -dynamiclib -o darwin-dummy-shared-lib-so.dylib
+
+// FIXME: the following command line may hang in the case of a regression.
+// RUN: DYLD_INSERT_LIBRARIES=darwin-dummy-shared-lib-so.dylib \
+// RUN: %run %t 2>&1 | FileCheck %s || exit 1
+
+#if !defined(SHARED_LIB)
+#include <stdio.h>
+#include <stdlib.h>
+
+int main() {
+ const char kEnvName[] = "DYLD_INSERT_LIBRARIES";
+ printf("%s=%s\n", kEnvName, getenv(kEnvName));
+ // CHECK: {{DYLD_INSERT_LIBRARIES=.*darwin-dummy-shared-lib-so.dylib.*}}
+ return 0;
+}
+#else // SHARED_LIB
+void foo() {}
+#endif // SHARED_LIB
diff --git a/test/asan/TestCases/Darwin/suppressions-darwin.cc b/test/asan/TestCases/Darwin/suppressions-darwin.cc
new file mode 100644
index 000000000000..9a8f56d5dc50
--- /dev/null
+++ b/test/asan/TestCases/Darwin/suppressions-darwin.cc
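Review bot: The helper library in reexec-insert-libraries-env.cc is built with `-dynamiclib -o darwin-dummy-shared-lib-so.dylib` and then injected through `DYLD_INSERT_LIBRARIES=darwin-dummy-shared-lib-so.dylib`, both bare relative names, so the file is written to and loaded from whatever directory the test happens to run in. unset-insert-libraries-on-exec.cc in this import uses `%t-darwin-dummy-shared-lib-so.dylib` for the same helper; using that form in both RUN lines here keeps the artifact in the test output directory and avoids loading a stale or unrelated library of the same name. In main(), the result of `getenv(kEnvName)` is passed straight to `%s`; the RUN line sets the variable, but a null check would keep a misconfigured run from formatting a null pointer.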
@@ -0,0 +1,34 @@
+// Check that without suppressions, we catch the issue.
+// RUN: %clangxx_asan -O0 %s -o %t -framework Foundation
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-CRASH %s
+
+// Check that suppressing the interceptor by name works.
+// RUN: echo "interceptor_name:memmove" > %t.supp
+// RUN: ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// Check that suppressing by interceptor name works even without the symbolizer
+// RUN: ASAN_OPTIONS=suppressions=%t.supp:symbolize=false %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// Check that suppressing all reports from a library works.
+// RUN: echo "interceptor_via_lib:CoreFoundation" > %t.supp
+// RUN: ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// Check that suppressing library works even without the symbolizer.
+// RUN: ASAN_OPTIONS=suppressions=%t.supp:symbolize=false %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+#include <CoreFoundation/CoreFoundation.h>
+
+int main() {
+ char *a = (char *)malloc(6);
+ strcpy(a, "hello");
+ CFStringRef str =
+ CFStringCreateWithBytes(kCFAllocatorDefault, (unsigned char *)a, 10,
+ kCFStringEncodingUTF8, FALSE); // BOOM
+ fprintf(stderr, "Ignored.\n");
+ free(a);
+}
+
+// CHECK-CRASH: AddressSanitizer: heap-buffer-overflow
+// CHECK-CRASH-NOT: Ignored.
+// CHECK-IGNORE-NOT: AddressSanitizer: heap-buffer-overflow
+// CHECK-IGNORE: Ignored.
diff --git a/test/asan/TestCases/Darwin/unset-insert-libraries-on-exec.cc b/test/asan/TestCases/Darwin/unset-insert-libraries-on-exec.cc
new file mode 100644
index 000000000000..ed476b223af3
--- /dev/null
+++ b/test/asan/TestCases/Darwin/unset-insert-libraries-on-exec.cc
@@ -0,0 +1,25 @@
+// Make sure ASan removes the runtime library from DYLD_INSERT_LIBRARIES before
+// executing other programs.
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %clangxx %p/../Helpers/echo-env.cc -o %T/echo-env
+// RUN: %clangxx -DSHARED_LIB %s \
+// RUN: -dynamiclib -o %t-darwin-dummy-shared-lib-so.dylib
+
+// Make sure DYLD_INSERT_LIBRARIES doesn't contain the runtime library before
+// execl().
+
+// RUN: %run %t %T/echo-env >/dev/null 2>&1
+// RUN: DYLD_INSERT_LIBRARIES=%t-darwin-dummy-shared-lib-so.dylib \
+// RUN: %run %t %T/echo-env 2>&1 | FileCheck %s || exit 1
+
+#if !defined(SHARED_LIB)
+#include <unistd.h>
+int main(int argc, char *argv[]) {
+ execl(argv[1], argv[1], "DYLD_INSERT_LIBRARIES", NULL);
+ // CHECK: {{DYLD_INSERT_LIBRARIES = .*darwin-dummy-shared-lib-so.dylib.*}}
+ return 0;
+}
+#else // SHARED_LIB
+void foo() {}
+#endif // SHARED_LIB
diff --git a/test/asan/TestCases/Helpers/blacklist-extra.cc b/test/asan/TestCases/Helpers/blacklist-extra.cc
new file mode 100644
index 000000000000..627115cdda2b
--- /dev/null
+++ b/test/asan/TestCases/Helpers/blacklist-extra.cc
@@ -0,0 +1,5 @@
+// This function is broken, but this file is blacklisted
+int externalBrokenFunction(int argc) {
+ char x[10] = {0};
+ return x[argc * 10]; // BOOM
+}
diff --git a/test/asan/TestCases/Helpers/echo-env.cc b/test/asan/TestCases/Helpers/echo-env.cc
new file mode 100644
index 000000000000..65e91c155c84
--- /dev/null
+++ b/test/asan/TestCases/Helpers/echo-env.cc
@@ -0,0 +1,19 @@
+// Helper binary for
+// lit_tests/TestCases/Darwin/unset-insert-libraries-on-exec.cc
+// Prints the environment variable with the given name.
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+ if (argc != 2) {
+ printf("Usage: %s ENVNAME\n", argv[0]);
+ exit(1);
+ }
+ const char *value = getenv(argv[1]);
+ if (value) {
+ printf("%s = %s\n", argv[1], value);
+ } else {
+ printf("%s not set.\n", argv[1]);
+ }
+ return 0;
+}
diff --git a/test/asan/TestCases/Helpers/init-order-atexit-extra.cc b/test/asan/TestCases/Helpers/init-order-atexit-extra.cc
new file mode 100644
index 000000000000..e4189d19d099
--- /dev/null
+++ b/test/asan/TestCases/Helpers/init-order-atexit-extra.cc
@@ -0,0 +1,16 @@
+#include <stdio.h>
+
+class C {
+ public:
+ C() { value = 42; }
+ ~C() { }
+ int value;
+};
+
+C c;
+
+void AccessC() {
+ printf("C value: %d\n", c.value);
+}
+
+int main() { return 0; }
diff --git a/test/asan/TestCases/Helpers/init-order-pthread-create-extra.cc b/test/asan/TestCases/Helpers/init-order-pthread-create-extra.cc
new file mode 100644
index 000000000000..d4606f0afb52
--- /dev/null
+++ b/test/asan/TestCases/Helpers/init-order-pthread-create-extra.cc
@@ -0,0 +1,2 @@
+void *bar(void *input);
+void *glob2 = bar((void*)0x2345);
diff --git a/test/asan/TestCases/Helpers/initialization-blacklist-extra.cc b/test/asan/TestCases/Helpers/initialization-blacklist-extra.cc
new file mode 100644
index 000000000000..09aed2112d5e
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-blacklist-extra.cc
@@ -0,0 +1,15 @@
+int zero_init() { return 0; }
+int badGlobal = zero_init();
+int readBadGlobal() { return badGlobal; }
+
+namespace badNamespace {
+class BadClass {
+ public:
+ BadClass() { value = 0; }
+ int value;
+};
+// Global object with non-trivial constructor.
+BadClass bad_object;
+} // namespace badNamespace
+
+int accessBadObject() { return badNamespace::bad_object.value; }
diff --git a/test/asan/TestCases/Helpers/initialization-blacklist-extra2.cc b/test/asan/TestCases/Helpers/initialization-blacklist-extra2.cc
new file mode 100644
index 000000000000..69455a0a6fc9
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-blacklist-extra2.cc
@@ -0,0 +1,4 @@
+int zero_init();
+int badSrcGlobal = zero_init();
+int readBadSrcGlobal() { return badSrcGlobal; }
+
diff --git a/test/asan/TestCases/Helpers/initialization-blacklist.txt b/test/asan/TestCases/Helpers/initialization-blacklist.txt
new file mode 100644
index 000000000000..83294635622d
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-blacklist.txt
@@ -0,0 +1,3 @@
+global:*badGlobal*=init
+type:*badNamespace::BadClass*=init
+src:*initialization-blacklist-extra2.cc=init
diff --git a/test/asan/TestCases/Helpers/initialization-bug-extra.cc b/test/asan/TestCases/Helpers/initialization-bug-extra.cc
new file mode 100644
index 000000000000..3c4cb411defa
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-bug-extra.cc
@@ -0,0 +1,5 @@
+// This file simply declares a dynamically initialized var by the name of 'y'.
+int initY() {
+ return 5;
+}
+int y = initY();
diff --git a/test/asan/TestCases/Helpers/initialization-bug-extra2.cc b/test/asan/TestCases/Helpers/initialization-bug-extra2.cc
new file mode 100644
index 000000000000..a3d8f190e58b
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-bug-extra2.cc
@@ -0,0 +1,6 @@
+// 'z' is dynamically initialized global from different TU.
+extern int z;
+int __attribute__((noinline)) initY() {
+ return z + 1;
+}
+int y = initY();
diff --git a/test/asan/TestCases/Helpers/initialization-constexpr-extra.cc b/test/asan/TestCases/Helpers/initialization-constexpr-extra.cc
new file mode 100644
index 000000000000..b32466a981b3
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-constexpr-extra.cc
@@ -0,0 +1,3 @@
+// Constexpr:
+int getCoolestInteger();
+static int coolest_integer = getCoolestInteger();
diff --git a/test/asan/TestCases/Helpers/initialization-nobug-extra.cc b/test/asan/TestCases/Helpers/initialization-nobug-extra.cc
new file mode 100644
index 000000000000..886165affd76
--- /dev/null
+++ b/test/asan/TestCases/Helpers/initialization-nobug-extra.cc
@@ -0,0 +1,9 @@
+// Linker initialized:
+int getAB();
+static int ab = getAB();
+// Function local statics:
+int countCalls();
+static int one = countCalls();
+// Trivial constructor, non-trivial destructor:
+int getStructWithDtorValue();
+static int val = getStructWithDtorValue();
diff --git a/test/asan/TestCases/Helpers/lit.local.cfg b/test/asan/TestCases/Helpers/lit.local.cfg
new file mode 100644
index 000000000000..2fc4d99456b0
--- /dev/null
+++ b/test/asan/TestCases/Helpers/lit.local.cfg
@@ -0,0 +1,3 @@
+# Sources in this directory are helper files for tests which test functionality
+# involving multiple translation units.
+config.suffixes = []
diff --git a/test/asan/TestCases/Linux/asan-asm-stacktrace-test.cc b/test/asan/TestCases/Linux/asan-asm-stacktrace-test.cc
new file mode 100644
index 000000000000..5332c992a0db
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan-asm-stacktrace-test.cc
@@ -0,0 +1,33 @@
+// Check that a stack unwinding algorithm works corretly even with the assembly
+// instrumentation.
+
+// REQUIRES: x86_64-supported-target
+// RUN: %clangxx_asan -g -O1 %s -fno-inline-functions -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -mllvm -asan-instrument-assembly -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -g -O1 %s -fno-inline-functions -fomit-frame-pointer -momit-leaf-frame-pointer -mllvm -asan-instrument-assembly -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -g0 -O1 %s -fno-unwind-tables -fno-asynchronous-unwind-tables -fno-exceptions -fno-inline-functions -fomit-frame-pointer -momit-leaf-frame-pointer -mllvm -asan-instrument-assembly -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-nounwind
+
+#include <cstddef>
+
+// CHECK: READ of size 4
+// CHECK-NEXT: {{#0 0x[0-9a-fA-F]+ in foo}}
+// CHECK-NEXT: {{#1 0x[0-9a-fA-F]+ in main}}
+
+// CHECK-nounwind: READ of size 4
+// CHECK-nounwind-NEXT: {{#0 0x[0-9a-fA-F]+ in foo}}
+
+__attribute__((noinline)) int foo(size_t n, int *buffer) {
+ int r;
+ __asm__("movl (%[buffer], %[n], 4), %[r] \n\t"
+ : [r] "=r"(r)
+ : [buffer] "r"(buffer), [n] "r"(n)
+ : "memory");
+ return r;
+}
+
+int main() {
+ const size_t n = 16;
+ int *buffer = new int[n];
+ foo(n, buffer);
+ delete[] buffer;
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/asan_dlopen_test.cc b/test/asan/TestCases/Linux/asan_dlopen_test.cc
new file mode 100644
index 000000000000..f1e31b0a0553
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_dlopen_test.cc
@@ -0,0 +1,15 @@
+// Test that dlopen of dynamic runtime is prohibited.
+//
+// RUN: %clangxx %s -DRT=\"%shared_libasan\" -o %t -ldl
+// RUN: not %run %t 2>&1 | FileCheck %s
+// REQUIRES: asan-dynamic-runtime
+// XFAIL: android
+
+#include <dlfcn.h>
+
+int main(int argc, char **argv) {
+ dlopen(RT, RTLD_LAZY);
+ return 0;
+}
+
+// CHECK: ASan runtime does not come first in initial library list
diff --git a/test/asan/TestCases/Linux/asan_prelink_test.cc b/test/asan/TestCases/Linux/asan_prelink_test.cc
new file mode 100644
index 000000000000..6145c01f7342
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_prelink_test.cc
@@ -0,0 +1,29 @@
+// Test if asan works with prelink.
+// It does not actually use prelink, but relies on ld's flag -Ttext-segment
+// or gold's flag -Ttext (we try the first flag first, if that fails we
+// try the second flag).
+//
+// RUN: %clangxx_asan -c %s -o %t.o
+// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t.so -Wl,-Ttext-segment=0x3600000000 ||\
+// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t.so -Wl,-Ttext=0x3600000000
+// RUN: %clangxx_asan %t.o %t.so -Wl,-R. -o %t
+// RUN: ASAN_OPTIONS=verbosity=1 %run %t 2>&1 | FileCheck %s
+
+// GNU driver doesn't handle .so files properly.
+// REQUIRES: x86_64-supported-target, asan-64-bits, Clang
+#if BUILD_SO
+int G;
+int *getG() {
+ return &G;
+}
+#else
+#include <stdio.h>
+extern int *getG();
+int main(int argc, char **argv) {
+ long p = (long)getG();
+ printf("SO mapped at %lx\n", p & ~0xffffffffUL);
+ *getG() = 0;
+}
+#endif
+// CHECK: 0x003000000000, 0x004fffffffff{{.*}} MidMem
+// CHECK: SO mapped at 3600000000
diff --git a/test/asan/TestCases/Linux/asan_preload_test-1.cc b/test/asan/TestCases/Linux/asan_preload_test-1.cc
new file mode 100644
index 000000000000..e5eab5545b83
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_preload_test-1.cc
@@ -0,0 +1,30 @@
+// Test that non-sanitized executables work with sanitized shared libs
+// and preloaded runtime.
+//
+// RUN: %clangxx -DBUILD_SO=1 -fPIC -shared %s -o %t.so
+// RUN: %clangxx %s %t.so -o %t
+//
+// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t.so
+// RUN: LD_PRELOAD=%shared_libasan not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: asan-dynamic-runtime
+
+// This way of setting LD_PRELOAD does not work with Android test runner.
+// REQUIRES: not-android
+
+#if BUILD_SO
+char dummy;
+void do_access(const void *p) {
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ dummy = ((const char *)p)[1];
+}
+#else
+#include <stdlib.h>
+extern void do_access(const void *p);
+int main(int argc, char **argv) {
+ void *p = malloc(1);
+ do_access(p);
+ free(p);
+ return 0;
+}
+#endif
diff --git a/test/asan/TestCases/Linux/asan_preload_test-2.cc b/test/asan/TestCases/Linux/asan_preload_test-2.cc
new file mode 100644
index 000000000000..00b32e15d17d
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_preload_test-2.cc
@@ -0,0 +1,24 @@
+// Test that preloaded runtime works with unsanitized executables.
+//
+// RUN: %clangxx %s -o %t
+// RUN: LD_PRELOAD=%shared_libasan not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: asan-dynamic-runtime
+
+// This way of setting LD_PRELOAD does not work with Android test runner.
+// REQUIRES: not-android
+
+#include <stdlib.h>
+
+extern "C" void *memset(void *p, int val, size_t n);
+
+void do_access(void *p) {
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ memset(p, 0, 2);
+}
+
+int main(int argc, char **argv) {
+ void *p = malloc(1);
+ do_access(p);
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/asan_rt_confict_test-1.cc b/test/asan/TestCases/Linux/asan_rt_confict_test-1.cc
new file mode 100644
index 000000000000..30f1c17700c8
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_rt_confict_test-1.cc
@@ -0,0 +1,13 @@
+// Test that preloading dynamic runtime to statically sanitized
+// executable is prohibited.
+//
+// RUN: %clangxx_asan_static %s -o %t
+// RUN: LD_PRELOAD=%shared_libasan not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: asan-dynamic-runtime
+// XFAIL: android
+
+#include <stdlib.h>
+int main(int argc, char **argv) { return 0; }
+
+// CHECK: Your application is linked against incompatible ASan runtimes
diff --git a/test/asan/TestCases/Linux/asan_rt_confict_test-2.cc b/test/asan/TestCases/Linux/asan_rt_confict_test-2.cc
new file mode 100644
index 000000000000..4c935e2b0f3b
--- /dev/null
+++ b/test/asan/TestCases/Linux/asan_rt_confict_test-2.cc
@@ -0,0 +1,25 @@
+// Test that mixed static/dynamic sanitization of program objects
+// is prohibited.
+//
+// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t.so
+// RUN: %clangxx_asan_static %s %t.so -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: asan-dynamic-runtime
+// XFAIL: android
+
+#if BUILD_SO
+char dummy;
+void do_access(const void *p) { dummy = ((const char *)p)[1]; }
+#else
+#include <stdlib.h>
+extern void do_access(const void *p);
+int main(int argc, char **argv) {
+ void *p = malloc(1);
+ do_access(p);
+ free(p);
+ return 0;
+}
+#endif
+
+// CHECK: Your application is linked against incompatible ASan runtimes
diff --git a/test/asan/TestCases/Linux/clang_gcc_abi.cc b/test/asan/TestCases/Linux/clang_gcc_abi.cc
new file mode 100644
index 000000000000..e833881661d2
--- /dev/null
+++ b/test/asan/TestCases/Linux/clang_gcc_abi.cc
@@ -0,0 +1,44 @@
+// RUN: %clangxx_asan -O0 -x c %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 -x c %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 -x c %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 -x c %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: arm-supported-target
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+
+int boom() {
+ volatile int three = 3;
+ char *s = (char *)malloc(three);
+// CHECK: #1 0x{{.*}} in boom {{.*}}clang_gcc_abi.cc:[[@LINE-1]]
+ return s[three]; //BOOM
+}
+
+__attribute__((naked, noinline)) void gcc_abi() {
+// CHECK: #2 0x{{.*}} in gcc_abi {{.*}}clang_gcc_abi.cc:[[@LINE+1]]
+ asm volatile("str fp, [sp, #-8]!\n\t"
+ "str lr, [sp, #4]\n\t"
+ "add fp, sp, #4\n\t"
+ "bl boom\n\t"
+ "sub sp, fp, #4\n\t"
+ "ldr fp, [sp]\n\t"
+ "add sp, sp, #4\n\t"
+ "ldr pc, [sp], #4\n\t"
+ );
+}
+
+__attribute__((naked, noinline)) void clang_abi() {
+// CHECK: #3 0x{{.*}} in clang_abi {{.*}}clang_gcc_abi.cc:[[@LINE+1]]
+ asm volatile("push {r11, lr}\n\t"
+ "mov r11, sp\n\t"
+ "bl gcc_abi\n\t"
+ "add r0, r0, #1\n\t"
+ "pop {r11, pc}\n\t"
+ );
+}
+
+int main() {
+ clang_abi();
+// CHECK: #4 0x{{.*}} in main {{.*}}clang_gcc_abi.cc:[[@LINE-1]]
+}
diff --git a/test/asan/TestCases/Linux/clone_test.cc b/test/asan/TestCases/Linux/clone_test.cc
new file mode 100644
index 000000000000..e9c1f166eb45
--- /dev/null
+++ b/test/asan/TestCases/Linux/clone_test.cc
@@ -0,0 +1,45 @@
+// Regression test for:
+// http://code.google.com/p/address-sanitizer/issues/detail?id=37
+
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && %run %t | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && %run %t | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+
+#include <stdio.h>
+#include <sched.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+int Child(void *arg) {
+ char x[32] = {0}; // Stack gets poisoned.
+ printf("Child: %p\n", x);
+ _exit(1); // NoReturn, stack will remain unpoisoned unless we do something.
+}
+
+int main(int argc, char **argv) {
+ const int kStackSize = 1 << 20;
+ char child_stack[kStackSize + 1];
+ char *sp = child_stack + kStackSize; // Stack grows down.
+ printf("Parent: %p\n", sp);
+ pid_t clone_pid = clone(Child, sp, CLONE_FILES | CLONE_VM, NULL);
+ int status;
+ pid_t wait_result = waitpid(clone_pid, &status, __WCLONE);
+ if (wait_result < 0) {
+ perror("waitpid");
+ return 0;
+ }
+ if (wait_result == clone_pid && WIFEXITED(status)) {
+ // Make sure the child stack was indeed unpoisoned.
+ for (int i = 0; i < kStackSize; i++)
+ child_stack[i] = i;
+ int ret = child_stack[argc - 1];
+ printf("PASSED\n");
+ // CHECK: PASSED
+ return ret;
+ }
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/coverage-and-lsan.cc b/test/asan/TestCases/Linux/coverage-and-lsan.cc
new file mode 100644
index 000000000000..4cb8e2af3084
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-and-lsan.cc
@@ -0,0 +1,20 @@
+// Make sure coverage is dumped even if there are reported leaks.
+//
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t
+//
+// RUN: rm -rf %T/coverage-and-lsan
+//
+// RUN: mkdir -p %T/coverage-and-lsan/normal
+// RUN: ASAN_OPTIONS=coverage=1:coverage_dir=%T/coverage-and-lsan:verbosity=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %sancov print %T/coverage-and-lsan/*.sancov 2>&1
+//
+// REQUIRES: leak-detection
+
+int *g = new int;
+int main(int argc, char **argv) {
+ g = 0;
+ return 0;
+}
+
+// CHECK: LeakSanitizer: detected memory leaks
+// CHECK: CovDump:
diff --git a/test/asan/TestCases/Linux/coverage-caller-callee-total-count.cc b/test/asan/TestCases/Linux/coverage-caller-callee-total-count.cc
new file mode 100644
index 000000000000..0201425106f9
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-caller-callee-total-count.cc
@@ -0,0 +1,41 @@
+// Test __sanitizer_get_total_unique_coverage for caller-callee coverage
+
+// RUN: %clangxx_asan -fsanitize-coverage=4 %s -o %t
+// RUN: ASAN_OPTIONS=coverage=1 %run %t
+// RUN: rm -f caller-callee*.sancov
+//
+// REQUIRES: asan-64-bits
+
+#include <sanitizer/common_interface_defs.h>
+#include <stdio.h>
+#include <assert.h>
+int P = 0;
+struct Foo {virtual void f() {if (P) printf("Foo::f()\n");}};
+struct Foo1 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}};
+struct Foo2 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}};
+
+Foo *foo[3] = {new Foo, new Foo1, new Foo2};
+
+uintptr_t CheckNewTotalUniqueCoverageIsLargerAndReturnIt(uintptr_t old_total) {
+ uintptr_t new_total = __sanitizer_get_total_unique_coverage();
+ assert(new_total > old_total);
+ return new_total;
+}
+
+int main(int argc, char **argv) {
+ uintptr_t total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(0);
+ foo[0]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+ foo[1]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+ foo[2]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+ // Ok, called every function once.
+ // Now call them again from another call site. Should get new coverage.
+ foo[0]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+ foo[1]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+ foo[2]->f();
+ total = CheckNewTotalUniqueCoverageIsLargerAndReturnIt(total);
+}
diff --git a/test/asan/TestCases/Linux/coverage-caller-callee.cc b/test/asan/TestCases/Linux/coverage-caller-callee.cc
new file mode 100644
index 000000000000..cd318962b8e0
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-caller-callee.cc
@@ -0,0 +1,74 @@ +// Test caller-callee coverage with large number of threads +// and various numbers of callers and callees. + +// RUN: %clangxx_asan -fsanitize-coverage=4 %s -o %t +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 10 1 2>&1 | FileCheck %s --check-prefix=CHECK-10-1 +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 9 2 2>&1 | FileCheck %s --check-prefix=CHECK-9-2 +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 7 3 2>&1 | FileCheck %s --check-prefix=CHECK-7-3 +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 17 1 2>&1 | FileCheck %s --check-prefix=CHECK-17-1 +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 15 2 2>&1 | FileCheck %s --check-prefix=CHECK-15-2 +// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 18 3 2>&1 | FileCheck %s --check-prefix=CHECK-18-3 +// RUN: rm -f caller-callee*.sancov +// +// REQUIRES: asan-64-bits +// +// CHECK-10-1: CovDump: 10 caller-callee pairs written +// CHECK-9-2: CovDump: 18 caller-callee pairs written +// CHECK-7-3: CovDump: 21 caller-callee pairs written +// CHECK-17-1: CovDump: 14 caller-callee pairs written +// CHECK-15-2: CovDump: 28 caller-callee pairs written +// CHECK-18-3: CovDump: 42 caller-callee pairs written + +#include <stdio.h> +#include <stdlib.h> +#include <pthread.h> +int P = 0; +struct Foo {virtual void f() {if (P) printf("Foo::f()\n");}}; +struct Foo1 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo2 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo3 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo4 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo5 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo6 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo7 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo8 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo9 : Foo {virtual void f() {if (P) printf("%d\n", 
__LINE__);}}; +struct Foo10 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo11 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo12 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo13 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo14 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo15 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo16 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo17 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo18 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; +struct Foo19 : Foo {virtual void f() {if (P) printf("%d\n", __LINE__);}}; + +Foo *foo[20] = { + new Foo, new Foo1, new Foo2, new Foo3, new Foo4, new Foo5, new Foo6, + new Foo7, new Foo8, new Foo9, new Foo10, new Foo11, new Foo12, new Foo13, + new Foo14, new Foo15, new Foo16, new Foo17, new Foo18, new Foo19, +}; + +int n_functions = 10; +int n_callers = 2; + +void *Thread(void *arg) { + if (n_callers >= 1) for (int i = 0; i < 2000; i++) foo[i % n_functions]->f(); + if (n_callers >= 2) for (int i = 0; i < 2000; i++) foo[i % n_functions]->f(); + if (n_callers >= 3) for (int i = 0; i < 2000; i++) foo[i % n_functions]->f(); + return arg; +} + +int main(int argc, char **argv) { + if (argc >= 2) + n_functions = atoi(argv[1]); + if (argc >= 3) + n_callers = atoi(argv[2]); + const int kNumThreads = 16; + pthread_t t[kNumThreads]; + for (int i = 0; i < kNumThreads; i++) + pthread_create(&t[i], 0, Thread, 0); + for (int i = 0; i < kNumThreads; i++) + pthread_join(t[i], 0); +} diff --git a/test/asan/TestCases/Linux/coverage-direct-large.cc b/test/asan/TestCases/Linux/coverage-direct-large.cc new file mode 100644 index 000000000000..78aa68621ad1 --- /dev/null +++ b/test/asan/TestCases/Linux/coverage-direct-large.cc 
@@ -0,0 +1,45 @@
+// Test for direct coverage writing with lots of data.
+// Current implementation maps output file in chunks of 64K. This test overflows
+// 1 chunk.
+// RUN: %clangxx_asan -fsanitize-coverage=1 -O0 %s -o %t
+
+// RUN: rm -rf %T/coverage-direct-large
+
+// RUN: mkdir -p %T/coverage-direct-large/normal && cd %T/coverage-direct-large/normal
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=0:verbosity=1 %run %t
+// RUN: %sancov print *.sancov >out.txt
+// RUN: cd ../..
+
+// RUN: mkdir -p %T/coverage-direct-large/direct && cd %T/coverage-direct-large/direct
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=1:verbosity=1 %run %t
+// RUN: %sancov rawunpack *.sancov.raw
+// RUN: %sancov print *.sancov >out.txt
+// RUN: cd ../..
+
+// RUN: diff -u coverage-direct-large/normal/out.txt coverage-direct-large/direct/out.txt
+//
+// XFAIL: android
+
+#define F0(Q, x) Q(x)
+#define F1(Q, x) \
+ F0(Q, x##0) F0(Q, x##1) F0(Q, x##2) F0(Q, x##3) F0(Q, x##4) F0(Q, x##5) \
+ F0(Q, x##6) F0(Q, x##7) F0(Q, x##8) F0(Q, x##9)
+#define F2(Q, x) \
+ F1(Q, x##0) F1(Q, x##1) F1(Q, x##2) F1(Q, x##3) F1(Q, x##4) F1(Q, x##5) \
+ F1(Q, x##6) F1(Q, x##7) F1(Q, x##8) F1(Q, x##9)
+#define F3(Q, x) \
+ F2(Q, x##0) F2(Q, x##1) F2(Q, x##2) F2(Q, x##3) F2(Q, x##4) F2(Q, x##5) \
+ F2(Q, x##6) F2(Q, x##7) F2(Q, x##8) F2(Q, x##9)
+#define F4(Q, x) \
+ F3(Q, x##0) F3(Q, x##1) F3(Q, x##2) F3(Q, x##3) F3(Q, x##4) F3(Q, x##5) \
+ F3(Q, x##6) F3(Q, x##7) F3(Q, x##8) F3(Q, x##9)
+
+#define DECL(x) __attribute__((noinline)) void x() {}
+#define CALL(x) x();
+
+F4(DECL, f)
+
+int main(void) {
+ F4(CALL, f)
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/coverage-direct.cc b/test/asan/TestCases/Linux/coverage-direct.cc
new file mode 100644
index 000000000000..2cc1aed0a0fa
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-direct.cc
@@ -0,0 +1,44 @@
+// Test for direct coverage writing with dlopen.
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSHARED %s -shared -o %T/libcoverage_direct_test_1.so -fPIC
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSO_DIR=\"%T\" %s -o %t
+
+// RUN: rm -rf %T/coverage-direct
+
+// RUN: mkdir -p %T/coverage-direct/normal
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=0:coverage_dir=%T/coverage-direct/normal:verbosity=1 %run %t
+// RUN: %sancov print %T/coverage-direct/normal/*.sancov >%T/coverage-direct/normal/out.txt
+
+// RUN: mkdir -p %T/coverage-direct/direct
+// RUN: ASAN_OPTIONS=coverage=1:coverage_direct=1:coverage_dir=%T/coverage-direct/direct:verbosity=1 %run %t
+// RUN: cd %T/coverage-direct/direct
+// RUN: %sancov rawunpack *.sancov.raw
+// RUN: %sancov print *.sancov >out.txt
+// RUN: cd ../..
+
+// RUN: diff -u coverage-direct/normal/out.txt coverage-direct/direct/out.txt
+//
+// XFAIL: android
+
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#ifdef SHARED
+extern "C" {
+void bar() { printf("bar\n"); }
+}
+#else
+
+int main(int argc, char **argv) {
+ fprintf(stderr, "PID: %d\n", getpid());
+ void *handle1 =
+ dlopen(SO_DIR "/libcoverage_direct_test_1.so", RTLD_LAZY);
+ assert(handle1);
+ void (*bar1)() = (void (*)())dlsym(handle1, "bar");
+ assert(bar1);
+ bar1();
+
+ return 0;
+}
+#endif
diff --git a/test/asan/TestCases/Linux/coverage-disabled.cc b/test/asan/TestCases/Linux/coverage-disabled.cc
new file mode 100644
index 000000000000..a75b26dc02e9
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-disabled.cc
@@ -0,0 +1,18 @@
+// Test that no data is collected without a runtime flag.
+//
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t
+//
+// RUN: rm -rf %T/coverage-disabled
+//
+// RUN: mkdir -p %T/coverage-disabled/normal
+// RUN: ASAN_OPTIONS=coverage_direct=0:coverage_dir=%T/coverage-disabled/normal:verbosity=1 %run %t
+// RUN: not %sancov print %T/coverage-disabled/normal/*.sancov 2>&1
+//
+// RUN: mkdir -p %T/coverage-disabled/direct
+// RUN: ASAN_OPTIONS=coverage_direct=1:coverage_dir=%T/coverage-disabled/direct:verbosity=1 %run %t
+// RUN: cd %T/coverage-disabled/direct
+// RUN: not %sancov rawunpack *.sancov
+
+int main(int argc, char **argv) {
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/coverage-fork-direct.cc b/test/asan/TestCases/Linux/coverage-fork-direct.cc
new file mode 100644
index 000000000000..51cbbd821b8e
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-fork-direct.cc
@@ -0,0 +1,38 @@
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t
+// RUN: rm -rf %T/coverage-fork-direct
+// RUN: mkdir -p %T/coverage-fork-direct && cd %T/coverage-fork-direct
+// RUN: (ASAN_OPTIONS=coverage=1:coverage_direct=1:verbosity=1 %run %t; \
+// RUN: %sancov rawunpack *.sancov.raw; %sancov print *.sancov) 2>&1
+//
+// XFAIL: android
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+__attribute__((noinline))
+void foo() { printf("foo\n"); }
+
+__attribute__((noinline))
+void bar() { printf("bar\n"); }
+
+__attribute__((noinline))
+void baz() { printf("baz\n"); }
+
+int main(int argc, char **argv) {
+ pid_t child_pid = fork();
+ if (child_pid == 0) {
+ fprintf(stderr, "Child PID: %d\n", getpid());
+ baz();
+ } else {
+ fprintf(stderr, "Parent PID: %d\n", getpid());
+ foo();
+ bar();
+ }
+ return 0;
+}
+
+// CHECK-DAG: Child PID: [[ChildPID:[0-9]+]]
+// CHECK-DAG: Parent PID: [[ParentPID:[0-9]+]]
+// CHECK-DAG: read 3 PCs from {{.*}}.[[ParentPID]].sancov
+// CHECK-DAG: read 1 PCs from {{.*}}.[[ChildPID]].sancov
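Review bot: The last RUN line of coverage-disabled.cc, `// RUN: not %sancov rawunpack *.sancov`, globs `*.sancov`, while the direct-mode tests in this commit (coverage-direct.cc, coverage-fork-direct.cc) unpack `*.sancov.raw`. If direct mode writes `.sancov.raw` files, as those tests suggest, this `not` passes whether or not raw coverage was written, so the direct half of the test would not notice a regression. Consider `// RUN: not %sancov rawunpack *.sancov.raw`, or an explicit check that the directory stayed empty.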
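Review bot: The four `CHECK-DAG` lines at the end of coverage-fork-direct.cc are never evaluated, because the RUN pipeline ends in `2>&1` and is not piped to FileCheck; the test passes as long as the last command in the subshell exits zero. coverage-fork.cc in this commit ends its RUN line with `| FileCheck %s`, and the same is needed here: `// RUN: %sancov rawunpack *.sancov.raw; %sancov print *.sancov) 2>&1 | FileCheck %s`. If the checks are known not to hold yet, a FIXME comment saying so would be better than leaving dead CHECK lines.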
diff --git a/test/asan/TestCases/Linux/coverage-fork.cc b/test/asan/TestCases/Linux/coverage-fork.cc
new file mode 100644
index 000000000000..38c200942609
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-fork.cc
@@ -0,0 +1,38 @@
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t
+// RUN: export ASAN_OPTIONS=coverage=1:coverage_direct=0:verbosity=1
+// RUN: rm -rf %T/coverage-fork
+// RUN: mkdir -p %T/coverage-fork && cd %T/coverage-fork
+// RUN: %run %t 2>&1 | FileCheck %s
+//
+// XFAIL: android
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+__attribute__((noinline))
+void foo() { printf("foo\n"); }
+
+__attribute__((noinline))
+void bar() { printf("bar\n"); }
+
+__attribute__((noinline))
+void baz() { printf("baz\n"); }
+
+int main(int argc, char **argv) {
+ pid_t child_pid = fork();
+ if (child_pid == 0) {
+ fprintf(stderr, "Child PID: %d\n", getpid());
+ baz();
+ } else {
+ fprintf(stderr, "Parent PID: %d\n", getpid());
+ foo();
+ bar();
+ }
+ return 0;
+}
+
+// CHECK-DAG: Child PID: [[ChildPID:[0-9]+]]
+// CHECK-DAG: [[ChildPID]].sancov: 1 PCs written
+// CHECK-DAG: Parent PID: [[ParentPID:[0-9]+]]
+// CHECK-DAG: [[ParentPID]].sancov: 3 PCs written
diff --git a/test/asan/TestCases/Linux/coverage-levels.cc b/test/asan/TestCases/Linux/coverage-levels.cc
new file mode 100644
index 000000000000..748ef1f08db5
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-levels.cc
@@ -0,0 +1,20 @@
+// Test various levels of coverage
+//
+// RUN: %clangxx_asan -O1 -fsanitize-coverage=1 %s -o %t
+// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK1
+// RUN: %clangxx_asan -O1 -fsanitize-coverage=2 %s -o %t
+// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK2
+// RUN: %clangxx_asan -O1 -fsanitize-coverage=3 %s -o %t
+// RUN: ASAN_OPTIONS=coverage=1:verbosity=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK3
+//
+// REQUIRES: asan-64-bits
+
+volatile int sink;
+int main(int argc, char **argv) {
+ if (argc == 0)
+ sink = 0;
+}
+
+// CHECK1: 1 PCs written
+// CHECK2: 2 PCs written
+// CHECK3: 3 PCs written
diff --git a/test/asan/TestCases/Linux/coverage-maybe-open-file.cc b/test/asan/TestCases/Linux/coverage-maybe-open-file.cc
new file mode 100644
index 000000000000..4664cef7f5af
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-maybe-open-file.cc
@@ -0,0 +1,31 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t
+// RUN: rm -rf %T/coverage-maybe-open-file
+// RUN: mkdir -p %T/coverage-maybe-open-file && cd %T/coverage-maybe-open-file
+// RUN: ASAN_OPTIONS=coverage=1 %run %t | FileCheck %s --check-prefix=CHECK-success
+// RUN: ASAN_OPTIONS=coverage=0 %run %t | FileCheck %s --check-prefix=CHECK-fail
+// RUN: [ "$(cat test.sancov.packed)" == "test" ]
+// RUN: cd .. && rm -rf %T/coverage-maybe-open-file
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sanitizer/common_interface_defs.h>
+
+int main(int argc, char **argv) {
+ int fd = __sanitizer_maybe_open_cov_file("test");
+ if (fd > 0) {
+ printf("SUCCESS\n");
+ const char s[] = "test\n";
+ write(fd, s, strlen(s));
+ close(fd);
+ } else {
+ printf("FAIL\n");
+ }
+}
+
+// CHECK-success: SUCCESS
+// CHECK-fail: FAIL
diff --git a/test/asan/TestCases/Linux/coverage-module-unloaded.cc b/test/asan/TestCases/Linux/coverage-module-unloaded.cc
new file mode 100644
index 000000000000..449841e78189
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-module-unloaded.cc
@@ -0,0 +1,56 @@
+// Check that unloading a module doesn't break coverage dumping for remaining
+// modules.
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSHARED %s -shared -o %T/libcoverage_module_unloaded_test_1.so -fPIC
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSHARED %s -shared -o %T/libcoverage_module_unloaded_test_2.so -fPIC
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSO_DIR=\"%T\" %s -o %t
+// RUN: export ASAN_OPTIONS=coverage=1:verbosity=1
+// RUN: mkdir -p %T/coverage-module-unloaded && cd %T/coverage-module-unloaded
+// RUN: %run %t 2>&1 | FileCheck %s
+// RUN: %run %t foo 2>&1 | FileCheck %s
+// RUN: cd .. && rm coverage-module-unloaded -r
+//
+// https://code.google.com/p/address-sanitizer/issues/detail?id=263
+// XFAIL: android
+
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#ifdef SHARED
+extern "C" {
+void bar() { printf("bar\n"); }
+}
+#else
+
+int main(int argc, char **argv) {
+ fprintf(stderr, "PID: %d\n", getpid());
+ void *handle1 =
+ dlopen(SO_DIR "/libcoverage_module_unloaded_test_1.so", RTLD_LAZY);
+ assert(handle1);
+ void (*bar1)() = (void (*)())dlsym(handle1, "bar");
+ assert(bar1);
+ bar1();
+ void *handle2 =
+ dlopen(SO_DIR "/libcoverage_module_unloaded_test_2.so", RTLD_LAZY);
+ assert(handle2);
+ void (*bar2)() = (void (*)())dlsym(handle2, "bar");
+ assert(bar2);
+ bar2();
+
+ // It matters whether the unloaded module has a higher or lower address range
+ // than the remaining one. Make sure to test both cases.
+ if (argc < 2)
+ dlclose(bar1 < bar2 ? handle1 : handle2);
+ else
+ dlclose(bar1 < bar2 ? handle2 : handle1);
+ return 0;
+}
+#endif
+
+// CHECK: PID: [[PID:[0-9]+]]
+// CHECK: [[PID]].sancov: 1 PCs written
+// CHECK: .so.[[PID]]
+// If we get coverage for both DSOs, it means the module wasn't unloaded and
+// this test is useless.
+// CHECK-NOT: .so.[[PID]]
diff --git a/test/asan/TestCases/Linux/coverage-sandboxing.cc b/test/asan/TestCases/Linux/coverage-sandboxing.cc
new file mode 100644
index 000000000000..56f9c40f4cc0
--- /dev/null
+++ b/test/asan/TestCases/Linux/coverage-sandboxing.cc
@@ -0,0 +1,85 @@ +// RUN: %clangxx_asan -fsanitize-coverage=2 -DSHARED %s -shared -o %T/libcoverage_sandboxing_test.so -fPIC +// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t -Wl,-R,\$ORIGIN -L%T -lcoverage_sandboxing_test +// RUN: export ASAN_OPTIONS=coverage=1:verbosity=1 +// RUN: rm -rf %T/coverage_sandboxing_test +// RUN: mkdir %T/coverage_sandboxing_test && cd %T/coverage_sandboxing_test +// RUN: mkdir vanilla && cd vanilla +// RUN: %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-vanilla +// RUN: mkdir ../sandbox1 && cd ../sandbox1 +// RUN: %run %t a 2>&1 | FileCheck %s --check-prefix=CHECK-sandbox +// RUN: %sancov unpack coverage_sandboxing_test.sancov.packed +// RUN: mkdir ../sandbox2 && cd ../sandbox2 +// RUN: %run %t a b 2>&1 | FileCheck %s --check-prefix=CHECK-sandbox +// RUN: %sancov unpack coverage_sandboxing_test.sancov.packed +// RUN: cd .. +// RUN: %sancov print vanilla/libcoverage_sandboxing_test.so.*.sancov > vanilla.txt +// RUN: %sancov print sandbox1/libcoverage_sandboxing_test.so.*.sancov > sandbox1.txt +// RUN: %sancov print sandbox2/libcoverage_sandboxing_test.so.*.sancov > sandbox2.txt +// RUN: diff vanilla.txt sandbox1.txt +// RUN: diff vanilla.txt sandbox2.txt +// RUN: cd ../ && rm coverage_sandboxing_test -r +// https://code.google.com/p/address-sanitizer/issues/detail?id=263 +// XFAIL: android + +#include <assert.h> +#include <fcntl.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +#include <sanitizer/common_interface_defs.h> + +#define bb0(n) \ + case n: \ + fprintf(stderr, "foo: %d\n", n); \ + break; + +#define bb1(n) bb0(n) bb0(n + 1) +#define bb2(n) bb1(n) bb1(n + 2) +#define bb3(n) bb2(n) bb2(n + 4) +#define bb4(n) bb3(n) bb3(n + 8) +#define bb5(n) bb4(n) bb4(n + 16) +#define bb6(n) bb5(n) bb5(n + 32) +#define bb7(n) bb6(n) bb6(n + 64) +#define bb8(n) bb7(n) bb7(n + 128) + +#ifdef SHARED +void foo(int i) { + switch(i) { + // 256 basic blocks + bb8(0) + } +} +#else +extern void foo(int i); + +int main(int argc, 
char **argv) { + assert(argc <= 3); + for (int i = 0; i < 256; i++) foo(i); + fprintf(stderr, "PID: %d\n", getpid()); + if (argc == 1) { + // Vanilla mode, dump to individual files. + return 0; + } + // Dump to packed file. + int fd = creat("coverage_sandboxing_test.sancov.packed", 0660); + __sanitizer_sandbox_arguments args = {0}; + args.coverage_sandboxed = 1; + args.coverage_fd = fd; + if (argc == 2) + // Write to packed file, do not split into blocks. + args.coverage_max_block_size = 0; + else if (argc == 3) + // Write to packed file, split into blocks (as if writing to a socket). + args.coverage_max_block_size = 100; + __sanitizer_sandbox_on_notify(&args); + return 0; +} +#endif + +// CHECK-vanilla: PID: [[PID:[0-9]+]] +// CHECK-vanilla: [[PID]].sancov: 1 PCs written +// CHECK-vanilla: .so.[[PID]].sancov: 258 PCs written + +// CHECK-sandbox: PID: [[PID:[0-9]+]] +// CHECK-sandbox: 258 PCs written to packed file diff --git a/test/asan/TestCases/Linux/coverage-tracing.cc b/test/asan/TestCases/Linux/coverage-tracing.cc new file mode 100644 index 000000000000..89ab0d283add --- /dev/null +++ b/test/asan/TestCases/Linux/coverage-tracing.cc @@ -0,0 +1,22 @@ +// Test -mllvm -sanitizer-coverage-experimental-tracing +// +// RUN: %clangxx_asan -O1 -fsanitize-coverage=1 -mllvm -sanitizer-coverage-experimental-tracing %s -o %t +// RUN: rm -rf %T/coverage-tracing +// RUN: mkdir -p %T/coverage-tracing +// RUN: ASAN_OPTIONS=coverage=1:coverage_dir=%T/coverage-tracing:verbosity=1 %run %t 1 2 3 4 2>&1 | FileCheck %s +// RUN: rm -rf %T/coverage-tracing +// +// REQUIRES: asan-64-bits + +volatile int sink; +int main(int argc, char **argv) { + volatile int i = 0; + do { + sink = 0; + i++; + } while (i < argc); + return 0; +} + +// CHECK: CovDump: Trace: {{[3-9]}} PCs written +// CHECK: CovDump: Trace: {{[6-9]}} Events written diff --git a/test/asan/TestCases/Linux/coverage.cc b/test/asan/TestCases/Linux/coverage.cc new file mode 100644 index 000000000000..f6eb0ae9285b --- /dev/null 
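Review bot: In `main` of coverage-sandboxing.cc, the result of `creat("coverage_sandboxing_test.sancov.packed", 0660)` is stored in `args.coverage_fd` without a check, so a failed create hands -1 to `__sanitizer_sandbox_on_notify` and the failure only shows up later as a confusing FileCheck or `%sancov unpack` error. The file already includes <assert.h> and asserts on `argc`; add `assert(fd >= 0);` right after the `creat` call. The descriptor is also never closed by the test; whether the runtime takes ownership of it is not visible here, so a one-line comment stating the intent would help.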
+++ b/test/asan/TestCases/Linux/coverage.cc 
@@ -0,0 +1,71 @@
+// RUN: %clangxx_asan -fsanitize-coverage=1 -DSHARED %s -shared -o %T/libcoverage_test.so -fPIC
+// RUN: %clangxx_asan -fsanitize-coverage=1 %s -o %t -Wl,-R,\$ORIGIN -L%T -lcoverage_test
+// RUN: export ASAN_OPTIONS=coverage=1:verbosity=1
+// RUN: mkdir -p %T/coverage && cd %T/coverage
+// RUN: %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-main
+// RUN: %run %t foo 2>&1 | FileCheck %s --check-prefix=CHECK-foo
+// RUN: %run %t bar 2>&1 | FileCheck %s --check-prefix=CHECK-bar
+// RUN: %run %t foo bar 2>&1 | FileCheck %s --check-prefix=CHECK-foo-bar
+// RUN: not %run %t foo bar 4 2>&1 | FileCheck %s --check-prefix=CHECK-report
+// RUN: not %run %t foo bar 4 5 2>&1 | FileCheck %s --check-prefix=CHECK-segv
+// RUN: cd .. && rm coverage -r
+//
+// https://code.google.com/p/address-sanitizer/issues/detail?id=263
+// XFAIL: android
+
+#include "sanitizer/common_interface_defs.h"
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef SHARED
+void bar() { printf("bar\n"); }
+#else
+__attribute__((noinline))
+void foo() { printf("foo\n"); }
+extern void bar();
+
+int G[4];
+
+int main(int argc, char **argv) {
+ fprintf(stderr, "PID: %d\n", getpid());
+ for (int i = 1; i < argc; i++) {
+ if (!strcmp(argv[i], "foo")) {
+ uintptr_t old_coverage = __sanitizer_get_total_unique_coverage();
+ foo();
+ uintptr_t new_coverage = __sanitizer_get_total_unique_coverage();
+ assert(new_coverage > old_coverage);
+ }
+ if (!strcmp(argv[i], "bar"))
+ bar();
+ }
+ if (argc == 5) {
+ static volatile char *zero = 0;
+ *zero = 0; // SEGV if argc == 5.
+ }
+ return G[argc]; // Buffer overflow if argc >= 4.
+}
+#endif
+
+// CHECK-main: PID: [[PID:[0-9]+]]
+// CHECK-main: [[PID]].sancov: 1 PCs written
+// CHECK-main-NOT: .so.[[PID]]
+//
+// CHECK-foo: PID: [[PID:[0-9]+]]
+// CHECK-foo: [[PID]].sancov: 2 PCs written
+// CHECK-foo-NOT: .so.[[PID]]
+//
+// CHECK-bar: PID: [[PID:[0-9]+]]
+// CHECK-bar: [[PID]].sancov: 1 PCs written
+// CHECK-bar: .so.[[PID]].sancov: 1 PCs written
+//
+// CHECK-foo-bar: PID: [[PID:[0-9]+]]
+// CHECK-foo-bar: [[PID]].sancov: 2 PCs written
+// CHECK-foo-bar: so.[[PID]].sancov: 1 PCs written
+//
+// CHECK-report: AddressSanitizer: global-buffer-overflow
+// CHECK-report: PCs written
+//
+// CHECK-segv: AddressSanitizer: SEGV
+// CHECK-segv: PCs written
diff --git a/test/asan/TestCases/Linux/function-sections-are-bad.cc b/test/asan/TestCases/Linux/function-sections-are-bad.cc
new file mode 100644
index 000000000000..15aaccbc957f
--- /dev/null
+++ b/test/asan/TestCases/Linux/function-sections-are-bad.cc
@@ -0,0 +1,41 @@
+// Check that --gc-sections does not throw away (or localize) parts of sanitizer
+// interface.
+// RUN: %clang_asan %s -Wl,--gc-sections -ldl -o %t
+// RUN: %clang_asan %s -DBUILD_SO -fPIC -o %t-so.so -shared
+// RUN: %run %t 2>&1
+
+// REQUIRES: asan-64-bits
+
+#ifndef BUILD_SO
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]) {
+ char path[4096];
+ snprintf(path, sizeof(path), "%s-so.so", argv[0]);
+
+ void *handle = dlopen(path, RTLD_LAZY);
+ if (!handle) fprintf(stderr, "%s\n", dlerror());
+ assert(handle != 0);
+
+ typedef void (*F)();
+ F f = (F)dlsym(handle, "call_rtl_from_dso");
+ printf("%s\n", dlerror());
+ assert(dlerror() == 0);
+ f();
+
+ dlclose(handle);
+ return 0;
+}
+
+#else // BUILD_SO
+
+#include <sanitizer/asan_interface.h>
+extern "C" void call_rtl_from_dso() {
+ volatile int32_t x;
+ volatile int32_t y = __sanitizer_unaligned_load32((void *)&x);
+}
+
+#endif // BUILD_SO
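Review bot: In `main` of function-sections-are-bad.cc, `printf("%s\n", dlerror()); assert(dlerror() == 0);` cannot detect a failed `dlsym`: the first `dlerror()` call clears the pending error, so the second call returns NULL and the assert always passes. On the success path the first call passes NULL to `%s`, which is undefined behaviour, and `f` is then called without a null check. Call `dlerror()` once and test that result, e.g. `const char *err = dlerror(); if (err) fprintf(stderr, "%s\n", err);` followed by `assert(err == 0 && f != 0);`.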
diff --git a/test/asan/TestCases/Linux/globals-gc-sections.cc b/test/asan/TestCases/Linux/globals-gc-sections.cc
new file mode 100644
index 000000000000..72a9e9498f85
--- /dev/null
+++ b/test/asan/TestCases/Linux/globals-gc-sections.cc
@@ -0,0 +1,13 @@
+// RUN: %clangxx_asan %s -o %t -Wl,--gc-sections -ffunction-sections -mllvm -asan-globals=0
+// RUN: %clangxx_asan %s -o %t -Wl,--gc-sections -ffunction-sections -mllvm -asan-globals=1
+
+// https://code.google.com/p/address-sanitizer/issues/detail?id=260
+// XFAIL: *
+
+int undefined();
+
+int (*unused)() = undefined;
+
+int main() {
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/initialization-bug-any-order.cc b/test/asan/TestCases/Linux/initialization-bug-any-order.cc
new file mode 100644
index 000000000000..a462f4a163f1
--- /dev/null
+++ b/test/asan/TestCases/Linux/initialization-bug-any-order.cc
@@ -0,0 +1,36 @@
+// Test to make sure basic initialization order errors are caught.
+// Check that on Linux initialization order bugs are caught
+// independently on order in which we list source files (if we specify
+// strict init-order checking).
+
+// RUN: %clangxx_asan -O0 %s %p/../Helpers/initialization-bug-extra.cc -o %t
+// RUN: ASAN_OPTIONS=strict_init_order=true not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O0 %p/../Helpers/initialization-bug-extra.cc %s -o %t
+// RUN: ASAN_OPTIONS=strict_init_order=true not %run %t 2>&1 | FileCheck %s
+
+// Do not test with optimization -- the error may be optimized away.
+
+#include <cstdio>
+
+// 'y' is a dynamically initialized global residing in a different TU. This
+// dynamic initializer will read the value of 'y' before main starts. The
+// result is undefined behavior, which should be caught by initialization order
+// checking.
+extern int y;
+int __attribute__((noinline)) initX() {
+ return y + 1;
+ // CHECK: {{AddressSanitizer: initialization-order-fiasco}}
+ // CHECK: {{READ of size .* at 0x.* thread T0}}
+ // CHECK: {{#0 0x.* in .*initX.* .*initialization-bug-any-order.cc:}}[[@LINE-3]]
+ // CHECK: {{0x.* is located 0 bytes inside of global variable .*y.*}}
+}
+
+// This initializer begins our initialization order problems.
+static int x = initX();
+
+int main() {
+ // ASan should have caused an exit before main runs.
+ printf("PASS\n");
+ // CHECK-NOT: PASS
+ return 0;
+}
diff --git a/test/asan/TestCases/Linux/interception-in-shared-lib-test.cc b/test/asan/TestCases/Linux/interception-in-shared-lib-test.cc
new file mode 100644
index 000000000000..b828d5524ee0
--- /dev/null
+++ b/test/asan/TestCases/Linux/interception-in-shared-lib-test.cc
@@ -0,0 +1,32 @@
+// Check that memset() call from a shared library gets intercepted.
+// Please always keep this file in sync with
+// ../Darwin/interception-in-shared-lib-test.cc.
+
+// RUN: %clangxx_asan -O0 %s -DSHARED_LIB \
+// RUN: -shared -o %T/libinterception-in-shared-lib-test.so \
+// RUN: -fPIC
+// TODO(glider): figure out how to set rpath in a more portable way and unite
+// this test with ../Darwin/interception-in-shared-lib-test.cc.
+// RUN: %clangxx_asan -O0 %s -o %t -Wl,-R,\$ORIGIN -L%T -linterception-in-shared-lib-test && \
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(SHARED_LIB)
+extern "C"
+void my_memset(void *p, size_t sz) {
+ memset(p, 0, sz);
+}
+#else
+extern "C" void my_memset(void *p, size_t sz);
+
+int main(int argc, char *argv[]) {
+ char buf[10];
+ my_memset(buf, 11);
+ // CHECK: {{.*ERROR: AddressSanitizer: stack-buffer-overflow}}
+ // CHECK: {{WRITE of size 11 at 0x.* thread T0}}
+ // CHECK: {{0x.* in my_memset .*interception-in-shared-lib-test.cc:19}}
+ return 0;
+}
+#endif
diff --git a/test/asan/TestCases/Linux/interception_malloc_test.cc b/test/asan/TestCases/Linux/interception_malloc_test.cc
new file mode 100644
index 000000000000..f6d6d340bd9c
--- /dev/null
+++ b/test/asan/TestCases/Linux/interception_malloc_test.cc
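Review bot: The last CHECK in interception-in-shared-lib-test.cc pins the report to a literal source line, `interception-in-shared-lib-test.cc:19`, so inserting or removing any line above the `memset` call silently breaks the match. Other tests in this commit use FileCheck's relative form (`[[@LINE-1]]` in clang_gcc_abi.cc); here the `memset` call sits ten lines above the CHECK, so `// CHECK: {{0x.* in my_memset .*interception-in-shared-lib-test.cc:}}[[@LINE-10]]` keeps the same match and survives edits to the header comments and RUN lines. The file asks to be kept in sync with the Darwin copy, so the same change would apply there.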
@@ -0,0 +1,23 @@
+// ASan interceptor can be accessed with __interceptor_ prefix.
+
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+
+extern "C" void *__interceptor_malloc(size_t size);
+extern "C" void *malloc(size_t size) {
+ write(2, "malloc call\n", sizeof("malloc call\n") - 1);
+ return __interceptor_malloc(size);
+}
+
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return (int)strtol(x, 0, 10);
+ // CHECK: malloc call
+ // CHECK: heap-use-after-free
+}
diff --git a/test/asan/TestCases/Linux/interception_readdir_r_test.cc b/test/asan/TestCases/Linux/interception_readdir_r_test.cc
new file mode 100644
index 000000000000..93b553c3744f
--- /dev/null
+++ b/test/asan/TestCases/Linux/interception_readdir_r_test.cc
@@ -0,0 +1,62 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -O0 %s -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O1 %s -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O2 %s -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// +// RUN: %clangxx_asan -O0 %s -D_FILE_OFFSET_BITS=64 -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O1 %s -D_FILE_OFFSET_BITS=64 -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O2 %s -D_FILE_OFFSET_BITS=64 -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -D_FILE_OFFSET_BITS=64 -DTEMP_DIR='"'"%T"'"' -o %t && %run %t 2>&1 | FileCheck %s + +#include <dirent.h> +#include <memory.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + + +int main() { + // Ensure the readdir_r interceptor doesn't erroneously mark the entire dirent + // as written when the end of the directory pointer is reached. + fputs("test1: reading the " TEMP_DIR " directory...\n", stderr); + DIR *d = opendir(TEMP_DIR); + struct dirent *result = (struct dirent *)(0xfeedbeef); + // We assume the temp dir for this test doesn't have crazy long file names. + char entry_buffer[4096]; + memset(entry_buffer, 0xab, sizeof(entry_buffer)); + unsigned count = 0; + do { + // Stamp the entry struct to try to trick the interceptor. + ((struct dirent *)entry_buffer)->d_reclen = 9999; + if (readdir_r(d, (struct dirent *)entry_buffer, &result) != 0) + abort(); + ++count; + } while (result != NULL); + fprintf(stderr, "read %d entries\n", count); + closedir(d); + // CHECK: test1: reading the {{.*}} directory... 
+ // CHECK-NOT: stack-buffer-overflow + // CHECK: read {{.*}} entries + + // Ensure the readdir64_r interceptor doesn't have the bug either. + fputs("test2: reading the " TEMP_DIR " directory...\n", stderr); + d = opendir(TEMP_DIR); + struct dirent64 *result64; + memset(entry_buffer, 0xab, sizeof(entry_buffer)); + count = 0; + do { + // Stamp the entry struct to try to trick the interceptor. + ((struct dirent64 *)entry_buffer)->d_reclen = 9999; + if (readdir64_r(d, (struct dirent64 *)entry_buffer, &result64) != 0) + abort(); + ++count; + } while (result64 != NULL); + fprintf(stderr, "read %d entries\n", count); + closedir(d); + // CHECK: test2: reading the {{.*}} directory... + // CHECK-NOT: stack-buffer-overflow + // CHECK: read {{.*}} entries +} diff --git a/test/asan/TestCases/Linux/interception_test.cc b/test/asan/TestCases/Linux/interception_test.cc new file mode 100644 index 000000000000..fb9d01cfe6d7 --- /dev/null +++ b/test/asan/TestCases/Linux/interception_test.cc @@ -0,0 +1,22 @@ +// ASan interceptor can be accessed with __interceptor_ prefix. + +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s +#include <stdlib.h> +#include <stdio.h> + +extern "C" long __interceptor_strtol(const char *nptr, char **endptr, int base); +extern "C" long strtol(const char *nptr, char **endptr, int base) { + fprintf(stderr, "my_strtol_interceptor\n"); + return __interceptor_strtol(nptr, endptr, base); +} + +int main() { + char *x = (char*)malloc(10 * sizeof(char)); + free(x); + return (int)strtol(x, 0, 10); + // CHECK: my_strtol_interceptor + // CHECK: heap-use-after-free +} diff --git a/test/asan/TestCases/Linux/interface_symbols_linux.c b/test/asan/TestCases/Linux/interface_symbols_linux.c new file mode 100644 index 000000000000..a616732ff9f8 
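Review bot: The result of `opendir(TEMP_DIR)` is handed to `readdir_r` in test1 and to `readdir64_r` in test2 without a NULL check, so a missing or unreadable temp directory would surface as a crash in or below the interceptor rather than as a clear test failure; add `if (!d) { perror("opendir"); abort(); }` after each `opendir` call. `count` is declared `unsigned` but printed with `%d` in both `fprintf` calls, where `%u` matches the type. Casting `char entry_buffer[4096]` to `struct dirent *` and `struct dirent64 *` also relies on the array happening to be suitably aligned, which the declaration does not guarantee.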
--- /dev/null +++ b/test/asan/TestCases/Linux/interface_symbols_linux.c @@ -0,0 +1,35 @@ +// Check the presence of interface symbols in compiled file. + +// RUN: %clang_asan -O2 %s -o %t.exe +// RUN: nm -D %t.exe | grep " T " | sed "s/.* T //" \ +// RUN: | grep "__asan_" | sed "s/___asan_/__asan_/" \ +// RUN: | sed -E "s/__asan_init_v[0-9]+/__asan_init/" \ +// RUN: | grep -v "__asan_default_options" \ +// RUN: | grep -v "__asan_stack_" \ +// RUN: | grep -v "__asan_on_error" > %t.symbols +// RUN: cat %p/../../../../lib/asan/asan_interface_internal.h \ +// RUN: | sed "s/\/\/.*//" | sed "s/typedef.*//" \ +// RUN: | grep -v "OPTIONAL" \ +// RUN: | grep "__asan_.*(" | sed "s/.* __asan_/__asan_/;s/(.*//" \ +// RUN: > %t.interface +// RUN: echo __asan_report_load1 >> %t.interface +// RUN: echo __asan_report_load2 >> %t.interface +// RUN: echo __asan_report_load4 >> %t.interface +// RUN: echo __asan_report_load8 >> %t.interface +// RUN: echo __asan_report_load16 >> %t.interface +// RUN: echo __asan_report_store1 >> %t.interface +// RUN: echo __asan_report_store2 >> %t.interface +// RUN: echo __asan_report_store4 >> %t.interface +// RUN: echo __asan_report_store8 >> %t.interface +// RUN: echo __asan_report_store16 >> %t.interface +// RUN: echo __asan_report_load_n >> %t.interface +// RUN: echo __asan_report_store_n >> %t.interface +// RUN: echo __asan_get_current_fake_stack >> %t.interface +// RUN: echo __asan_addr_is_in_fake_stack >> %t.interface +// RUN: cat %t.interface | sort -u | diff %t.symbols - + +// FIXME: nm -D on powerpc somewhy shows ASan interface symbols residing +// in "initialized data section". +// REQUIRES: x86_64-supported-target,i386-supported-target,asan-static-runtime + +int main() { return 0; } diff --git a/test/asan/TestCases/Linux/kernel-area.cc b/test/asan/TestCases/Linux/kernel-area.cc new file mode 100644 index 000000000000..8dd509f84975 --- /dev/null +++ b/test/asan/TestCases/Linux/kernel-area.cc 
@@ -0,0 +1,24 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// Test that kernel area is not sanitized on 32-bit machines.
+//
+// RUN: %clangxx_asan %s -o %t
+// RUN: ASAN_OPTIONS=verbosity=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%kernel_bits
+// RUN: ASAN_OPTIONS=verbosity=1:full_address_space=0 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%kernel_bits
+// RUN: ASAN_OPTIONS=verbosity=1:full_address_space=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-kernel-64-bits
+//
+// CHECK-kernel-32-bits: || `[0x38000000, 0xbfffffff]` || HighMem ||
+// CHECK-kernel-32-bits: || `[0x27000000, 0x37ffffff]` || HighShadow ||
+// CHECK-kernel-32-bits: || `[0x24000000, 0x26ffffff]` || ShadowGap ||
+//
+// CHECK-kernel-64-bits: || `[0x40000000, 0xffffffff]` || HighMem ||
+// CHECK-kernel-64-bits: || `[0x28000000, 0x3fffffff]` || HighShadow ||
+// CHECK-kernel-64-bits: || `[0x24000000, 0x27ffffff]` || ShadowGap ||
+//
+// REQUIRES: asan-32-bits
+
+int main() {
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Linux/leak.cc b/test/asan/TestCases/Linux/leak.cc
new file mode 100644
index 000000000000..36dc6ddb8adf
--- /dev/null
+++ b/test/asan/TestCases/Linux/leak.cc
@@ -0,0 +1,16 @@
+// Minimal test for LeakSanitizer+AddressSanitizer.
+// REQUIRES: leak-detection
+//
+// RUN: %clangxx_asan %s -o %t
+// RUN: ASAN_OPTIONS=detect_leaks=1 not %run %t 2>&1 | FileCheck %s
+// RUN: ASAN_OPTIONS="" not %run %t 2>&1 | FileCheck %s
+// RUN: ASAN_OPTIONS=detect_leaks=0 %run %t
+#include <stdio.h>
+int *t;
+
+int main(int argc, char **argv) {
+ t = new int[argc - 1];
+ printf("t: %p\n", t);
+ t = 0;
+}
+// CHECK: LeakSanitizer: detected memory leaks
diff --git a/test/asan/TestCases/Linux/lit.local.cfg b/test/asan/TestCases/Linux/lit.local.cfg
new file mode 100644
index 000000000000..57271b8078a4
--- /dev/null
+++ b/test/asan/TestCases/Linux/lit.local.cfg
@@ -0,0 +1,9 @@
+def getRoot(config):
+ if not config.parent:
+ return config
+ return getRoot(config.parent)
+
+root = getRoot(config)
+
+if root.host_os not in ['Linux']:
+ config.unsupported = True
diff --git a/test/asan/TestCases/Linux/malloc-in-qsort.cc b/test/asan/TestCases/Linux/malloc-in-qsort.cc
new file mode 100644
index 000000000000..545bc7e42a17
--- /dev/null
+++ b/test/asan/TestCases/Linux/malloc-in-qsort.cc
@@ -0,0 +1,56 @@ +// RUN: %clangxx_asan -O2 %s -o %t +// RUN: ASAN_OPTIONS=fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-FAST +// RUN: ASAN_OPTIONS=fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-SLOW + +// Test how well we unwind in presence of qsort in the stack +// (i.e. if we can unwind through a function compiled w/o frame pointers). +// https://code.google.com/p/address-sanitizer/issues/detail?id=137 + +// Fast unwinder is only available on x86_64 and i386. +// REQUIRES: x86_64-supported-target + +// REQUIRES: compiler-rt-optimized + +#include <stdlib.h> +#include <stdio.h> + +int *GlobalPtr; + +extern "C" { +int QsortCallback(const void *a, const void *b) { + char *x = (char*)a; + char *y = (char*)b; + printf("Calling QsortCallback\n"); + GlobalPtr = new int[10]; + return (int)*x - (int)*y; +} + +__attribute__((noinline)) +void MyQsort(char *a, size_t size) { + printf("Calling qsort\n"); + qsort(a, size, sizeof(char), QsortCallback); + printf("Done\n"); // Avoid tail call. +} +} // extern "C" + +int main() { + char a[2] = {1, 2}; + MyQsort(a, 2); + return GlobalPtr[10]; +} + +// Fast unwind: can not unwind through qsort. +// FIXME: this test does not properly work with slow unwind yet. + +// CHECK-FAST: ERROR: AddressSanitizer: heap-buffer-overflow +// CHECK-FAST: is located 0 bytes to the right +// CHECK-FAST: #0{{.*}}operator new +// CHECK-FAST-NEXT: #1{{.*}}QsortCallback +// CHECK-FAST-NOT: MyQsort +// +// CHECK-SLOW: ERROR: AddressSanitizer: heap-buffer-overflow +// CHECK-SLOW: is located 0 bytes to the right +// CHECK-SLOW: #0{{.*}}operator new +// CHECK-SLOW-NEXT: #1{{.*}}QsortCallback +// CHECK-SLOW: #{{.*}}MyQsort +// CHECK-SLOW-NEXT: #{{.*}}main diff --git a/test/asan/TestCases/Linux/malloc_delete_mismatch.cc b/test/asan/TestCases/Linux/malloc_delete_mismatch.cc new file mode 100644 index 000000000000..18d65ce0008f --- /dev/null +++ b/test/asan/TestCases/Linux/malloc_delete_mismatch.cc 
@@ -0,0 +1,33 @@ +// Check that we detect malloc/delete mismatch only if the approptiate flag +// is set. + +// RUN: %clangxx_asan -g %s -o %t 2>&1 + +// Find error and provide malloc context. +// RUN: ASAN_OPTIONS=alloc_dealloc_mismatch=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=ALLOC-STACK + +// No error here. +// RUN: ASAN_OPTIONS=alloc_dealloc_mismatch=0 %run %t + +// Also works if no malloc context is available. +// RUN: ASAN_OPTIONS=alloc_dealloc_mismatch=1:malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=alloc_dealloc_mismatch=1:malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi +// XFAIL: armv7l-unknown-linux-gnueabihf +#include <stdlib.h> + +static volatile char *x; + +int main() { + x = (char*)malloc(10); + x[0] = 0; + delete x; +} +// CHECK: ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete) on 0x +// CHECK-NEXT: #0{{.*}}operator delete +// CHECK: #{{.*}}main +// CHECK: is located 0 bytes inside of 10-byte region +// CHECK-NEXT: allocated by thread T0 here: +// ALLOC-STACK-NEXT: #0{{.*}}malloc +// ALLOC-STACK: #{{.*}}main +// CHECK: HINT: {{.*}} you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0 diff --git a/test/asan/TestCases/Linux/odr-violation.cc b/test/asan/TestCases/Linux/odr-violation.cc new file mode 100644 index 000000000000..ddc68a2db0f1 --- /dev/null +++ b/test/asan/TestCases/Linux/odr-violation.cc 
@@ -0,0 +1,42 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// Different size: detect a bug if detect_odr_violation>=1 +// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t-ODR-SO.so +// RUN: %clangxx_asan %s %t-ODR-SO.so -Wl,-R. -o %t-ODR-EXE +// RUN: ASAN_OPTIONS=detect_odr_violation=1 not %run %t-ODR-EXE 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=detect_odr_violation=2 not %run %t-ODR-EXE 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=detect_odr_violation=0 %run %t-ODR-EXE 2>&1 | FileCheck %s --check-prefix=DISABLED +// RUN: not %run %t-ODR-EXE 2>&1 | FileCheck %s +// +// Same size: report a bug only if detect_odr_violation>=2. +// RUN: %clangxx_asan -DBUILD_SO=1 -fPIC -shared %s -o %t-ODR-SO.so -DSZ=100 +// RUN: ASAN_OPTIONS=detect_odr_violation=1 %run %t-ODR-EXE 2>&1 | FileCheck %s --check-prefix=DISABLED +// RUN: ASAN_OPTIONS=detect_odr_violation=2 not %run %t-ODR-EXE 2>&1 | FileCheck %s +// RUN: not %run %t-ODR-EXE 2>&1 | FileCheck %s + +// GNU driver doesn't handle .so files properly. +// REQUIRES: Clang + +#ifndef SZ +# define SZ 4 +#endif + +#if BUILD_SO +namespace foo { char G[SZ]; } +#else +#include <stdio.h> +namespace foo { char G[100]; } +// CHECK: ERROR: AddressSanitizer: odr-violation +// CHECK: size=100 'foo::G' {{.*}}odr-violation.cc:[[@LINE-2]]:22 +// CHECK: size={{4|100}} 'foo::G' +int main(int argc, char **argv) { + printf("PASS: %p\n", &foo::G); +} +#endif + +// CHECK: These globals were registered at these points: +// CHECK: ODR-EXE +// CHECK: ODR-SO +// CHECK: SUMMARY: AddressSanitizer: odr-violation: global 'foo::G' at {{.*}}odr-violation.cc +// DISABLED: PASS diff --git a/test/asan/TestCases/Linux/overflow-in-qsort.cc b/test/asan/TestCases/Linux/overflow-in-qsort.cc new file mode 100644 index 000000000000..79b654e117cd --- /dev/null +++ b/test/asan/TestCases/Linux/overflow-in-qsort.cc 
@@ -0,0 +1,51 @@ +// RUN: %clangxx_asan -O2 %s -o %t +// RUN: ASAN_OPTIONS=fast_unwind_on_fatal=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-FAST +// RUN: ASAN_OPTIONS=fast_unwind_on_fatal=0 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-SLOW + +// Test how well we unwind in presence of qsort in the stack +// (i.e. if we can unwind through a function compiled w/o frame pointers). +// https://code.google.com/p/address-sanitizer/issues/detail?id=137 + +// Fast unwinder is only available on x86_64 and i386. +// REQUIRES: x86_64-supported-target + +#include <stdlib.h> +#include <stdio.h> + +int global_array[10]; +volatile int one = 1; + +extern "C" { +int QsortCallback(const void *a, const void *b) { + char *x = (char*)a; + char *y = (char*)b; + printf("Calling QsortCallback\n"); + global_array[one * 10] = 0; // BOOM + return (int)*x - (int)*y; +} + +__attribute__((noinline)) +void MyQsort(char *a, size_t size) { + printf("Calling qsort\n"); + qsort(a, size, sizeof(char), QsortCallback); + printf("Done\n"); // Avoid tail call. +} +} // extern "C" + +int main() { + char a[2] = {1, 2}; + MyQsort(a, 2); +} + +// Fast unwind: can not unwind through qsort. + +// CHECK-FAST: ERROR: AddressSanitizer: global-buffer-overflow +// CHECK-FAST: #0{{.*}} in QsortCallback +// CHECK-FAST-NOT: MyQsort +// CHECK-FAST: is located 0 bytes to the right of global variable 'global_array + +// CHECK-SLOW: ERROR: AddressSanitizer: global-buffer-overflow +// CHECK-SLOW: #0{{.*}} in QsortCallback +// CHECK-SLOW: #{{.*}} in MyQsort +// CHECK-SLOW: #{{.*}} in main +// CHECK-SLOW: is located 0 bytes to the right of global variable 'global_array diff --git a/test/asan/TestCases/Linux/preinit_test.cc b/test/asan/TestCases/Linux/preinit_test.cc new file mode 100644 index 000000000000..10dde67d6a9b --- /dev/null +++ b/test/asan/TestCases/Linux/preinit_test.cc 
@@ -0,0 +1,33 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx -DFUNC=zzzz %s -shared -o %t.so -fPIC +// RUN: %clangxx_asan -DFUNC=main %s -o %t -Wl,-R. %t.so +// RUN: %run %t + +// GNU driver doesn't handle .so files properly. +// REQUIRES: Clang + +// This test ensures that we call __asan_init early enough. +// We build a shared library w/o asan instrumentation +// and the binary with asan instrumentation. +// Both files include the same header (emulated by -DFUNC here) +// with C++ template magic which runs global initializer at library load time. +// The function get() is instrumented with asan, but called +// before the usual constructors are run. +// So, we must make sure that __asan_init is executed even earlier. +// +// See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56393 + +struct A { + int foo() const { return 0; } +}; +A get () { return A(); } +template <class> struct O { + static A const e; +}; +template <class T> A const O <T>::e = get(); +int FUNC() { + return O<int>::e.foo(); +} + diff --git a/test/asan/TestCases/Linux/ptrace.cc b/test/asan/TestCases/Linux/ptrace.cc new file mode 100644 index 000000000000..7e5acb64c7a1 --- /dev/null +++ b/test/asan/TestCases/Linux/ptrace.cc 
@@ -0,0 +1,56 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -O0 %s -o %t && %run %t +// RUN: %clangxx_asan -DPOSITIVE -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// REQUIRES: x86_64-supported-target,i386-supported-target + +#include <assert.h> +#include <stdio.h> +#include <sys/ptrace.h> +#include <sys/types.h> +#include <sys/user.h> +#include <sys/wait.h> +#include <unistd.h> + +int main(void) { + pid_t pid; + pid = fork(); + if (pid == 0) { // child + ptrace(PTRACE_TRACEME, 0, NULL, NULL); + execl("/bin/true", "true", NULL); + } else { + wait(NULL); + user_regs_struct regs; + int res; + user_regs_struct * volatile pregs = ®s; +#ifdef POSITIVE + ++pregs; +#endif + res = ptrace(PTRACE_GETREGS, pid, NULL, pregs); + // CHECK: AddressSanitizer: stack-buffer-overflow + // CHECK: {{.*ptrace.cc:}}[[@LINE-2]] + assert(!res); +#if __WORDSIZE == 64 + printf("%zx\n", regs.rip); +#else + printf("%lx\n", regs.eip); +#endif + + user_fpregs_struct fpregs; + res = ptrace(PTRACE_GETFPREGS, pid, NULL, &fpregs); + assert(!res); + printf("%lx\n", (unsigned long)fpregs.cwd); + +#if __WORDSIZE == 32 + user_fpxregs_struct fpxregs; + res = ptrace(PTRACE_GETFPXREGS, pid, NULL, &fpxregs); + assert(!res); + printf("%lx\n", (unsigned long)fpxregs.mxcsr); +#endif + + ptrace(PTRACE_CONT, pid, NULL, NULL); + wait(NULL); + } + return 0; +} diff --git a/test/asan/TestCases/Linux/rlimit_mmap_test.cc b/test/asan/TestCases/Linux/rlimit_mmap_test.cc new file mode 100644 index 000000000000..7f37727b2eeb --- /dev/null +++ b/test/asan/TestCases/Linux/rlimit_mmap_test.cc 
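Review bot: The child branch in `main` has no exit after `execl("/bin/true", "true", NULL)`, so if the exec fails the child falls through to `return 0` and the parent's `PTRACE_GETREGS` is issued against a process that never stopped under trace; add `_exit(1);` directly after the `execl` line. A `fork()` result of -1 is not handled and takes the parent branch with an invalid pid. Both `wait(NULL)` calls discard the status, so the parent never confirms with `WIFSTOPPED` that the child is actually stopped before reading its registers.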
@@ -0,0 +1,16 @@ +// Check that we properly report mmap failure. +// RUN: %clangxx_asan %s -o %t && not %run %t 2>&1 | FileCheck %s +#include <stdlib.h> +#include <assert.h> +#include <sys/time.h> +#include <sys/resource.h> + +static volatile void *x; + +int main(int argc, char **argv) { + struct rlimit mmap_resource_limit = { 0, 0 }; + assert(0 == setrlimit(RLIMIT_AS, &mmap_resource_limit)); + x = malloc(10000000); +// CHECK: ERROR: Failed to mmap + return 0; +} diff --git a/test/asan/TestCases/Linux/shmctl.cc b/test/asan/TestCases/Linux/shmctl.cc new file mode 100644 index 000000000000..e1752bc894c0 --- /dev/null +++ b/test/asan/TestCases/Linux/shmctl.cc @@ -0,0 +1,27 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -O1 %s -o %t && %run %t 2>&1 +// Regression test for +// https://code.google.com/p/address-sanitizer/issues/detail?id=250 +#include <stdio.h> +#include <sys/ipc.h> +#include <sys/shm.h> +#include <assert.h> + +int main() { + int id = shmget(IPC_PRIVATE, 4096, 0644 | IPC_CREAT); + assert(id > -1); + struct shmid_ds ds; + int res = shmctl(id, IPC_STAT, &ds); + assert(res > -1); + printf("shm_segsz: %zd\n", ds.shm_segsz); + assert(ds.shm_segsz == 4096); + assert(-1 != shmctl(id, IPC_RMID, 0)); + + struct shm_info shmInfo; + res = shmctl(0, SHM_INFO, (struct shmid_ds *)&shmInfo); + assert(res > -1); + + return 0; +} diff --git a/test/asan/TestCases/Linux/sized_delete_test.cc b/test/asan/TestCases/Linux/sized_delete_test.cc new file mode 100644 index 000000000000..823e3c0bf88e --- /dev/null +++ b/test/asan/TestCases/Linux/sized_delete_test.cc 
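Review bot: In shmctl.cc the System V segment created by `shmget(IPC_PRIVATE, 4096, 0644 | IPC_CREAT)` is removed only after the two asserts that follow the `IPC_STAT` call, so a failure of either leaves the segment allocated on the test host. Issuing `shmctl(id, IPC_RMID, 0)` right after `IPC_STAT` and asserting on the saved results afterwards avoids that. `ds.shm_segsz` is an unsigned size and should be printed with `%zu` rather than `%zd`, and a mode of `0600` would be enough for a segment that only this process touches.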
@@ -0,0 +1,93 @@ +// RUN: %clangxx_asan -Xclang -fsized-deallocation -O0 %s -o %t +// RUN: not %run %t scalar 2>&1 | FileCheck %s -check-prefix=SCALAR +// RUN: ASAN_OPTIONS=new_delete_type_mismatch=1 not %run %t scalar 2>&1 | FileCheck %s -check-prefix=SCALAR +// RUN: not %run %t array 2>&1 | FileCheck %s -check-prefix=ARRAY +// RUN: ASAN_OPTIONS=new_delete_type_mismatch=1 not %run %t array 2>&1 | FileCheck %s -check-prefix=ARRAY +// RUN: ASAN_OPTIONS=new_delete_type_mismatch=0 %run %t scalar +// RUN: ASAN_OPTIONS=new_delete_type_mismatch=0 %run %t array + +// Sized-delete is implemented with a weak delete() definition. +// Weak symbols are kind of broken on Android. +// XFAIL: android + +#include <new> +#include <stdio.h> +#include <string> + +inline void break_optimization(void *arg) { + __asm__ __volatile__("" : : "r" (arg) : "memory"); +} + +struct S12 { + int a, b, c; +}; + +struct S20 { + int a, b, c, d, e; +}; + +struct D1 { + int a, b, c; + ~D1() { fprintf(stderr, "D1::~D1\n"); } +}; + +struct D2 { + int a, b, c, d, e; + ~D2() { fprintf(stderr, "D2::~D2\n"); } +}; + +void Del12(S12 *x) { + break_optimization(x); + delete x; +} +void Del12NoThrow(S12 *x) { + break_optimization(x); + operator delete(x, std::nothrow); +} +void Del12Ar(S12 *x) { + break_optimization(x); + delete [] x; +} +void Del12ArNoThrow(S12 *x) { + break_optimization(x); + operator delete[](x, std::nothrow); +} + +int main(int argc, char **argv) { + if (argc != 2) return 1; + std::string flag = argv[1]; + // These are correct. + Del12(new S12); + Del12NoThrow(new S12); + Del12Ar(new S12[100]); + Del12ArNoThrow(new S12[100]); + + // Here we pass wrong type of pointer to delete, + // but [] and nothrow variants of delete are not sized. 
+ Del12Ar(reinterpret_cast<S12*>(new S20[100])); + Del12NoThrow(reinterpret_cast<S12*>(new S20)); + Del12ArNoThrow(reinterpret_cast<S12*>(new S20[100])); + fprintf(stderr, "OK SO FAR\n"); + // SCALAR: OK SO FAR + // ARRAY: OK SO FAR + if (flag == "scalar") { + // Here asan should bark as we are passing a wrong type of pointer + // to sized delete. + Del12(reinterpret_cast<S12*>(new S20)); + // SCALAR: AddressSanitizer: new-delete-type-mismatch + // SCALAR: object passed to delete has wrong type: + // SCALAR: size of the allocated type: 20 bytes; + // SCALAR: size of the deallocated type: 12 bytes. + // SCALAR: is located 0 bytes inside of 20-byte region + // SCALAR: SUMMARY: AddressSanitizer: new-delete-type-mismatch + } else if (flag == "array") { + D1 *d1 = reinterpret_cast<D1*>(new D2[10]); + break_optimization(d1); + delete [] d1; + // ARRAY-NOT: D2::~D2 + // ARRAY: D1::~D1 + // ARRAY: AddressSanitizer: new-delete-type-mismatch + // ARRAY: size of the allocated type: 20{{4|8}} bytes; + // ARRAY: size of the deallocated type: 12{{4|8}} bytes. + } +} diff --git a/test/asan/TestCases/Linux/stack-trace-dlclose.cc b/test/asan/TestCases/Linux/stack-trace-dlclose.cc new file mode 100644 index 000000000000..e494e5661d1d --- /dev/null +++ b/test/asan/TestCases/Linux/stack-trace-dlclose.cc 
@@ -0,0 +1,45 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -DSHARED %s -shared -o %T/stack_trace_dlclose.so -fPIC +// RUN: %clangxx_asan -DSO_DIR=\"%T\" %s -o %t +// RUN: ASAN_OPTIONS=exitcode=0 %run %t 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi +// XFAIL: armv7l-unknown-linux-gnueabihf + +#include <assert.h> +#include <dlfcn.h> +#include <stdlib.h> +#include <stdio.h> +#include <unistd.h> + +#include <sanitizer/common_interface_defs.h> + +#ifdef SHARED +extern "C" { +void *foo() { + return malloc(1); +} +} +#else +void *handle; + +int main(int argc, char **argv) { + void *handle = dlopen(SO_DIR "/stack_trace_dlclose.so", RTLD_LAZY); + assert(handle); + void *(*foo)() = (void *(*)())dlsym(handle, "foo"); + assert(foo); + void *p = foo(); + assert(p); + dlclose(handle); + + free(p); + free(p); // double-free + + return 0; +} +#endif + +// CHECK: {{ #0 0x.* in malloc}} +// CHECK: {{ #1 0x.* \(<unknown module>\)}} +// CHECK: {{ #2 0x.* in main}} diff --git a/test/asan/TestCases/Linux/stress_dtls.c b/test/asan/TestCases/Linux/stress_dtls.c new file mode 100644 index 000000000000..cb901ee59953 --- /dev/null +++ b/test/asan/TestCases/Linux/stress_dtls.c 
@@ -0,0 +1,116 @@ +// REQUIRES: asan-64-bits +// Stress test dynamic TLS + dlopen + threads. +// +// Note that glibc 2.15 seems utterly broken on this test, +// it fails with ~17 DSOs dlopen-ed. +// glibc 2.19 seems fine. +// +// +// RUN: %clangxx_asan -x c -DSO_NAME=f0 %s -shared -o %t-f0.so -fPIC +// RUN: %clangxx_asan -x c -DSO_NAME=f1 %s -shared -o %t-f1.so -fPIC +// RUN: %clangxx_asan -x c -DSO_NAME=f2 %s -shared -o %t-f2.so -fPIC +// RUN: %clangxx_asan %s -ldl -pthread -o %t +// RUN: %run %t 0 3 +// RUN: %run %t 2 3 +// RUN: ASAN_OPTIONS=verbosity=2 %run %t 10 2 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=verbosity=2:intercept_tls_get_addr=1 %run %t 10 2 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=verbosity=2:intercept_tls_get_addr=0 %run %t 10 2 2>&1 | FileCheck %s --check-prefix=CHECK0 +// CHECK: __tls_get_addr +// CHECK: Creating thread 0 +// CHECK: __tls_get_addr +// CHECK: Creating thread 1 +// CHECK: __tls_get_addr +// CHECK: Creating thread 2 +// CHECK: __tls_get_addr +// CHECK: Creating thread 3 +// CHECK: __tls_get_addr +// Make sure that TLS slots don't leak +// CHECK-NOT: num_live_dtls 5 +// +// CHECK0-NOT: __tls_get_addr +/* +cc=your-compiler + +$cc stress_dtls.c -pthread -ldl +for((i=0;i<100;i++)); do + $cc -fPIC -shared -DSO_NAME=f$i -o a.out-f$i.so stress_dtls.c; +done +./a.out 2 4 # <<<<<< 2 threads, 4 libs +./a.out 3 50 # <<<<<< 3 threads, 50 libs +*/ +#ifndef SO_NAME +#define _GNU_SOURCE +#include <assert.h> +#include <dlfcn.h> +#include <stdio.h> +#include <stdlib.h> +#include <pthread.h> +#include <stdint.h> + +typedef void **(*f_t)(); + +__thread int my_tls; + +#define MAX_N_FUNCTIONS 1000 +f_t Functions[MAX_N_FUNCTIONS]; + +void *PrintStuff(void *unused) { + uintptr_t stack; + // fprintf(stderr, "STACK: %p TLS: %p SELF: %p\n", &stack, &my_tls, + // (void *)pthread_self()); + int i; + for (i = 0; i < MAX_N_FUNCTIONS; i++) { + if (!Functions[i]) break; + uintptr_t dtls = (uintptr_t)Functions[i](); + fprintf(stderr, " dtls[%03d]: %lx\n", i, 
dtls); + *(long*)dtls = 42; // check that this is writable. + } + return NULL; +} + +int main(int argc, char *argv[]) { + int num_threads = 1; + int num_libs = 1; + if (argc >= 2) + num_threads = atoi(argv[1]); + if (argc >= 3) + num_libs = atoi(argv[2]); + assert(num_libs <= MAX_N_FUNCTIONS); + + int lib; + for (lib = 0; lib < num_libs; lib++) { + char buf[4096]; + snprintf(buf, sizeof(buf), "%s-f%d.so", argv[0], lib); + void *handle = dlopen(buf, RTLD_LAZY); + if (!handle) { + fprintf(stderr, "%s\n", dlerror()); + exit(1); + } + snprintf(buf, sizeof(buf), "f%d", lib); + Functions[lib] = (f_t)dlsym(handle, buf); + if (!Functions[lib]) { + fprintf(stderr, "%s\n", dlerror()); + exit(1); + } + fprintf(stderr, "LIB[%03d] %s: %p\n", lib, buf, Functions[lib]); + PrintStuff(0); + + int i; + for (i = 0; i < num_threads; i++) { + pthread_t t; + fprintf(stderr, "Creating thread %d\n", i); + pthread_create(&t, 0, PrintStuff, 0); + pthread_join(t, 0); + } + } + return 0; +} +#else // SO_NAME +#ifndef DTLS_SIZE +# define DTLS_SIZE (1 << 17) +#endif +__thread void *huge_thread_local_array[DTLS_SIZE]; +void **SO_NAME() { + return &huge_thread_local_array[0]; +} +#endif diff --git a/test/asan/TestCases/Linux/swapcontext_test.cc b/test/asan/TestCases/Linux/swapcontext_test.cc new file mode 100644 index 000000000000..86ed5930bcf4 --- /dev/null +++ b/test/asan/TestCases/Linux/swapcontext_test.cc 
@@ -0,0 +1,90 @@ +// Check that ASan plays well with easy cases of makecontext/swapcontext. + +// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O1 %s -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O2 %s -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && %run %t 2>&1 | FileCheck %s +// +// This test is too sublte to try on non-x86 arch for now. +// REQUIRES: x86_64-supported-target,i386-supported-target + +#include <stdio.h> +#include <ucontext.h> +#include <unistd.h> + +ucontext_t orig_context; +ucontext_t child_context; + +const int kStackSize = 1 << 20; + +__attribute__((noinline)) +void Throw() { + throw 1; +} + +__attribute__((noinline)) +void ThrowAndCatch() { + try { + Throw(); + } catch(int a) { + printf("ThrowAndCatch: %d\n", a); + } +} + +void Child(int mode) { + char x[32] = {0}; // Stack gets poisoned. + printf("Child: %p\n", x); + ThrowAndCatch(); // Simulate __asan_handle_no_return(). + // (a) Do nothing, just return to parent function. + // (b) Jump into the original function. Stack remains poisoned unless we do + // something. + if (mode == 1) { + if (swapcontext(&child_context, &orig_context) < 0) { + perror("swapcontext"); + _exit(0); + } + } +} + +int Run(int arg, int mode, char *child_stack) { + printf("Child stack: %p\n", child_stack); + // Setup child context. + getcontext(&child_context); + child_context.uc_stack.ss_sp = child_stack; + child_context.uc_stack.ss_size = kStackSize / 2; + if (mode == 0) { + child_context.uc_link = &orig_context; + } + makecontext(&child_context, (void (*)())Child, 1, mode); + if (swapcontext(&orig_context, &child_context) < 0) { + perror("swapcontext"); + return 0; + } + // Touch childs's stack to make sure it's unpoisoned. 
+ for (int i = 0; i < kStackSize; i++) { + child_stack[i] = i; + } + return child_stack[arg]; +} + +int main(int argc, char **argv) { + char stack[kStackSize + 1]; + // CHECK: WARNING: ASan doesn't fully support makecontext/swapcontext + int ret = 0; + ret += Run(argc - 1, 0, stack); + printf("Test1 passed\n"); + // CHECK: Test1 passed + ret += Run(argc - 1, 1, stack); + printf("Test2 passed\n"); + // CHECK: Test2 passed + char *heap = new char[kStackSize + 1]; + ret += Run(argc - 1, 0, heap); + printf("Test3 passed\n"); + // CHECK: Test3 passed + ret += Run(argc - 1, 1, heap); + printf("Test4 passed\n"); + // CHECK: Test4 passed + + delete [] heap; + return ret; +} diff --git a/test/asan/TestCases/Linux/syscalls.cc b/test/asan/TestCases/Linux/syscalls.cc new file mode 100644 index 000000000000..bcdd5bc82119 --- /dev/null +++ b/test/asan/TestCases/Linux/syscalls.cc @@ -0,0 +1,25 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +#include <assert.h> +#include <errno.h> +#include <glob.h> +#include <stdio.h> +#include <string.h> + +#include <sanitizer/linux_syscall_hooks.h> + +/* Test the presence of __sanitizer_syscall_ in the tool runtime, and general + sanity of their behaviour. */ + +int main(int argc, char *argv[]) { + char buf[1000]; + __sanitizer_syscall_pre_recvmsg(0, buf - 1, 0); + // CHECK: AddressSanitizer: stack-buffer-{{.*}}erflow + // CHECK: READ of size {{.*}} at {{.*}} thread T0 + // CHECK: #0 {{.*}} in __sanitizer_syscall{{.*}}recvmsg + return 0; +} diff --git a/test/asan/TestCases/Linux/uar_signals.cc b/test/asan/TestCases/Linux/uar_signals.cc new file mode 100644 index 000000000000..f42c3f666554 --- /dev/null +++ b/test/asan/TestCases/Linux/uar_signals.cc 
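Review bot: A failed context switch can still be reported as a pass in swapcontext_test.cc. In `Run`, the `swapcontext(&orig_context, &child_context) < 0` branch only calls `perror` and returns 0, after which `main` goes on to print the matching `TestN passed` line that FileCheck looks for. Replacing `return 0;` in that branch with `abort();` keeps the pass line from being printed, and `_exit(0)` in the failure path of `Child` would read better as `_exit(1)`. The return value of `getcontext(&child_context)` is not checked either.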
@@ -0,0 +1,70 @@ +// This test checks that the implementation of use-after-return +// is async-signal-safe. +// RUN: %clangxx_asan -O1 %s -o %t -pthread && %run %t +// REQUIRES: stable-runtime +#include <signal.h> +#include <stdlib.h> +#include <stdio.h> +#include <sys/time.h> +#include <pthread.h> + +int *g; +int n_signals; + +typedef void (*Sigaction)(int, siginfo_t *, void *); + +void SignalHandler(int, siginfo_t*, void*) { + int local; + g = &local; + n_signals++; + // printf("s: %p\n", &local); +} + +static void EnableSigprof(Sigaction SignalHandler) { + struct sigaction sa; + sa.sa_sigaction = SignalHandler; + sa.sa_flags = SA_RESTART | SA_SIGINFO; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGPROF, &sa, NULL) != 0) { + perror("sigaction"); + abort(); + } + struct itimerval timer; + timer.it_interval.tv_sec = 0; + timer.it_interval.tv_usec = 1; + timer.it_value = timer.it_interval; + if (setitimer(ITIMER_PROF, &timer, 0) != 0) { + perror("setitimer"); + abort(); + } +} + +void RecursiveFunction(int depth) { + if (depth == 0) return; + int local; + g = &local; + // printf("r: %p\n", &local); + // printf("[%2d] n_signals: %d\n", depth, n_signals); + RecursiveFunction(depth - 1); + RecursiveFunction(depth - 1); +} + +void *Thread(void *) { + RecursiveFunction(18); + return NULL; +} + +int main(int argc, char **argv) { + EnableSigprof(SignalHandler); + + for (int i = 0; i < 4; i++) { + fprintf(stderr, "."); + const int kNumThread = sizeof(void*) == 8 ? 16 : 8; + pthread_t t[kNumThread]; + for (int i = 0; i < kNumThread; i++) + pthread_create(&t[i], 0, Thread, 0); + for (int i = 0; i < kNumThread; i++) + pthread_join(t[i], 0); + } + fprintf(stderr, "\n"); +} diff --git a/test/asan/TestCases/Linux/unpoison_tls.cc b/test/asan/TestCases/Linux/unpoison_tls.cc new file mode 100644 index 000000000000..9c1d74b28e5f --- /dev/null +++ b/test/asan/TestCases/Linux/unpoison_tls.cc 
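Review bot: `SignalHandler` increments the plain `int n_signals` and stores to `g` while the worker threads running `RecursiveFunction` store to `g` as well, so the test itself performs unsynchronized writes from a signal handler. Declaring them as `volatile sig_atomic_t n_signals;` and `int *volatile g;` states the intent and, presumably, keeps the escaping stores from being dropped at -O1. The return values of `pthread_create` and `pthread_join` in `main` are ignored, so a failed create would leave `t[i]` unset when it is joined. The `ITIMER_PROF` timer armed in `EnableSigprof` is never disarmed before `main` returns.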
@@ -0,0 +1,35 @@
+// Test that TLS is unpoisoned on thread death.
+// REQUIRES: x86_64-supported-target,i386-supported-target
+
+// RUN: %clangxx_asan -O1 %s -pthread -o %t && %run %t 2>&1
+
+#include <assert.h>
+#include <pthread.h>
+#include <stdio.h>
+
+#include <sanitizer/asan_interface.h>
+
+__thread int64_t tls_var[2];
+
+volatile int64_t *p_tls_var;
+
+void *first(void *arg) {
+ ASAN_POISON_MEMORY_REGION(&tls_var, sizeof(tls_var));
+ p_tls_var = tls_var;
+ return 0;
+}
+
+void *second(void *arg) {
+ assert(tls_var == p_tls_var);
+ *p_tls_var = 1;
+ return 0;
+}
+
+int main(int argc, char *argv[]) {
+ pthread_t p;
+ assert(0 == pthread_create(&p, 0, first, 0));
+ assert(0 == pthread_join(p, 0));
+ assert(0 == pthread_create(&p, 0, second, 0));
+ assert(0 == pthread_join(p, 0));
+ return 0;
+}
diff --git a/test/asan/TestCases/Posix/allow_user_segv.cc b/test/asan/TestCases/Posix/allow_user_segv.cc
new file mode 100644
index 000000000000..b6443fab85df
--- /dev/null
+++ b/test/asan/TestCases/Posix/allow_user_segv.cc
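Review bot: In unpoison_tls.cc all four pthread calls in main sit inside `assert(...)`, so a build with `-DNDEBUG` would compile them out and the test would pass without creating a thread. The RUN line does not define NDEBUG, but moving the side effect out of the assertion makes the test independent of flags, for example `if (pthread_create(&p, 0, first, 0) != 0) return 1;`. The same pattern appears in `assert(0 == pthread_key_create(&tsd_key, Dtor))` in Posix/tsd_dtor_leak.cc. `int64_t` is also used here without `#include <stdint.h>`, so the file only compiles if another header happens to provide it.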
@@ -0,0 +1,59 @@
+// Regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=180
+
+// RUN: %clangxx_asan -O0 %s -o %t && ASAN_OPTIONS=allow_user_segv_handler=true not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && ASAN_OPTIONS=allow_user_segv_handler=true not %run %t 2>&1 | FileCheck %s
+
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+struct sigaction original_sigaction_sigbus;
+struct sigaction original_sigaction_sigsegv;
+
+void User_OnSIGSEGV(int signum, siginfo_t *siginfo, void *context) {
+ fprintf(stderr, "User sigaction called\n");
+ struct sigaction original_sigaction;
+ if (signum == SIGBUS)
+ original_sigaction = original_sigaction_sigbus;
+ else if (signum == SIGSEGV)
+ original_sigaction = original_sigaction_sigsegv;
+ else {
+ printf("Invalid signum");
+ exit(1);
+ }
+ if (original_sigaction.sa_flags | SA_SIGINFO)
+ original_sigaction.sa_sigaction(signum, siginfo, context);
+ else
+ original_sigaction.sa_handler(signum);
+}
+
+int DoSEGV() {
+ volatile int *x = 0;
+ return *x;
+}
+
+int InstallHandler(int signum, struct sigaction *original_sigaction) {
+ struct sigaction user_sigaction;
+ user_sigaction.sa_sigaction = User_OnSIGSEGV;
+ user_sigaction.sa_flags = SA_SIGINFO;
+ if (sigaction(signum, &user_sigaction, original_sigaction)) {
+ perror("sigaction");
+ return 1;
+ }
+ return 0;
+}
+
+int main() {
+ // Let's install handlers for both SIGSEGV and SIGBUS, since pre-Yosemite
+ // 32-bit Darwin triggers SIGBUS instead.
+ if (InstallHandler(SIGSEGV, &original_sigaction_sigsegv)) return 1;
+ if (InstallHandler(SIGBUS, &original_sigaction_sigbus)) return 1;
+ fprintf(stderr, "User sigaction installed\n");
+ return DoSEGV();
+}
+
+// CHECK: User sigaction installed
+// CHECK-NEXT: User sigaction called
+// CHECK-NEXT: ASAN:SIGSEGV
+// CHECK: AddressSanitizer: SEGV on unknown address
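Review bot: `if (original_sigaction.sa_flags | SA_SIGINFO)` in User_OnSIGSEGV is always true because SA_SIGINFO is non-zero, so the `sa_handler` branch is dead code. A previous handler registered without SA_SIGINFO would then be called through the three-argument `sa_sigaction` member; the test should read `if (original_sigaction.sa_flags & SA_SIGINFO)`. In InstallHandler, `user_sigaction` is a stack variable whose `sa_mask` is never initialised before `sigaction()` reads it, so an arbitrary set of signals may be blocked while the handler runs; add `sigemptyset(&user_sigaction.sa_mask);` before the call. The chained call also does not guard against the saved handler being `SIG_DFL` or `SIG_IGN`, which is only safe here as long as the ASan runtime has installed its own handler first.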
diff --git a/test/asan/TestCases/Posix/asan-symbolize-sanity-test.cc b/test/asan/TestCases/Posix/asan-symbolize-sanity-test.cc
new file mode 100644
index 000000000000..6ed02f4d5374
--- /dev/null
+++ b/test/asan/TestCases/Posix/asan-symbolize-sanity-test.cc
@@ -0,0 +1,63 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// Check that asan_symbolize.py script works (for binaries, ASan RTL and +// shared object files. + +// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx_asan -O0 %s -o %t +// RUN: env ASAN_OPTIONS=symbolize=0 not %run %t 2>&1 | %asan_symbolize | FileCheck %s +// XFAIL: arm-linux-gnueabi +// XFAIL: armv7l-unknown-linux-gnueabihf + +#if !defined(SHARED_LIB) +#include <dlfcn.h> +#include <stdio.h> +#include <stdlib.h> + +#include <string> + +using std::string; + +typedef void (fun_t)(int*, int); + +int main(int argc, char *argv[]) { + string path = string(argv[0]) + "-so.so"; + printf("opening %s ... \n", path.c_str()); + void *lib = dlopen(path.c_str(), RTLD_NOW); + if (!lib) { + printf("error in dlopen(): %s\n", dlerror()); + return 1; + } + fun_t *inc2 = (fun_t*)dlsym(lib, "inc2"); + if (!inc2) return 1; + printf("ok\n"); + int *array = (int*)malloc(40); + inc2(array, 1); + inc2(array, -1); // BOOM + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: READ of size 4 at 0x{{.*}} + // CHECK: #0 {{.*}} in inc2 {{.*}}asan-symbolize-sanity-test.cc:[[@LINE+21]] + // CHECK: #1 {{.*}} in main {{.*}}asan-symbolize-sanity-test.cc:[[@LINE-4]] + // CHECK: allocated by thread T{{.*}} here: + // CHECK: #{{.*}} in {{(wrap_|__interceptor_)?}}malloc + // CHECK: #{{.*}} in main {{.*}}asan-symbolize-sanity-test.cc:[[@LINE-9]] + return 0; +} +#else // SHARED_LIBS +#include <stdio.h> +#include <string.h> + +int pad[10]; +int GLOB[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + +extern "C" +void inc(int index) { + GLOB[index]++; +} + +extern "C" +void inc2(int *a, int index) { + a[index]++; +} +#endif // SHARED_LIBS diff --git a/test/asan/TestCases/Posix/asprintf.cc b/test/asan/TestCases/Posix/asprintf.cc new file mode 100644 index 000000000000..6946e5013d2c --- /dev/null +++ b/test/asan/TestCases/Posix/asprintf.cc 
@@ -0,0 +1,20 @@ +// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && %run %t 2>&1 | FileCheck %s + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif + +#include <stdio.h> +#include <stdlib.h> + +int main(int argc, char **argv) { + char *p; + int res = asprintf(&p, "%d", argc); + fprintf(stderr, "x%d %sx\n", res, p); + // CHECK: x1 1x + free(p); + fprintf(stderr, "DONE\n"); + // CHECK: DONE + return 0; +} diff --git a/test/asan/TestCases/Posix/assign_large_valloc_to_global.cc b/test/asan/TestCases/Posix/assign_large_valloc_to_global.cc new file mode 100644 index 000000000000..ad547ce0ce1b --- /dev/null +++ b/test/asan/TestCases/Posix/assign_large_valloc_to_global.cc @@ -0,0 +1,9 @@ +// Make sure we don't report a leak nor hang. +// RUN: %clangxx_asan -O3 %s -o %t && %run %t +#include <stdlib.h> +#include <unistd.h> +#if !defined(__APPLE__) && !defined(__FreeBSD__) +# include <malloc.h> +#endif // !__APPLE__ && !__FreeBSD__ +int *p = (int*)valloc(1 << 20); +int main() { } diff --git a/test/asan/TestCases/Posix/glob.cc b/test/asan/TestCases/Posix/glob.cc new file mode 100644 index 000000000000..e0eeb33cca24 --- /dev/null +++ b/test/asan/TestCases/Posix/glob.cc 
@@ -0,0 +1,33 @@ +// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316 +// XFAIL: android +// +// RUN: %clangxx_asan -O0 %s -o %t && %run %t %p 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && %run %t %p 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi + +#include <assert.h> +#include <glob.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <string> + + +int main(int argc, char *argv[]) { + std::string path = argv[1]; + std::string pattern = path + "/glob_test_root/*a"; + printf("pattern: %s\n", pattern.c_str()); + + glob_t globbuf; + int res = glob(pattern.c_str(), 0, 0, &globbuf); + + printf("%d %s\n", errno, strerror(errno)); + assert(res == 0); + assert(globbuf.gl_pathc == 2); + printf("%zu\n", strlen(globbuf.gl_pathv[0])); + printf("%zu\n", strlen(globbuf.gl_pathv[1])); + globfree(&globbuf); + printf("PASS\n"); + // CHECK: PASS + return 0; +} diff --git a/test/asan/TestCases/Posix/glob_test_root/aa b/test/asan/TestCases/Posix/glob_test_root/aa new file mode 100644 index 000000000000..e69de29bb2d1 --- /dev/null +++ b/test/asan/TestCases/Posix/glob_test_root/aa diff --git a/test/asan/TestCases/Posix/glob_test_root/ab b/test/asan/TestCases/Posix/glob_test_root/ab new file mode 100644 index 000000000000..e69de29bb2d1 --- /dev/null +++ b/test/asan/TestCases/Posix/glob_test_root/ab diff --git a/test/asan/TestCases/Posix/glob_test_root/ba b/test/asan/TestCases/Posix/glob_test_root/ba new file mode 100644 index 000000000000..e69de29bb2d1 --- /dev/null +++ b/test/asan/TestCases/Posix/glob_test_root/ba diff --git a/test/asan/TestCases/Posix/init-order-dlopen.cc b/test/asan/TestCases/Posix/init-order-dlopen.cc new file mode 100644 index 000000000000..6f204775eb4e --- /dev/null +++ b/test/asan/TestCases/Posix/init-order-dlopen.cc 
@@ -0,0 +1,72 @@ +// Regression test for +// https://code.google.com/p/address-sanitizer/issues/detail?id=178 + +// Assume we're on Darwin and try to pass -U to the linker. If this flag is +// unsupported, don't use it. +// RUN: %clangxx_asan -O0 -DSHARED_LIB %s \ +// RUN: -fPIC -shared -o %t-so.so -Wl,-U,_inc_global || \ +// RUN: %clangxx_asan -O0 -DSHARED_LIB %s \ +// RUN: -fPIC -shared -o %t-so.so +// If the linker doesn't support --export-dynamic (which is ELF-specific), +// try to link without that option. +// FIXME: find a better solution. +// RUN: %clangxx_asan -O0 %s -pthread -o %t -Wl,--export-dynamic || \ +// RUN: %clangxx_asan -O0 %s -pthread -o %t +// RUN: ASAN_OPTIONS=strict_init_order=true %run %t 2>&1 | FileCheck %s +#if !defined(SHARED_LIB) +#include <dlfcn.h> +#include <pthread.h> +#include <stdio.h> +#include <unistd.h> + +#include <string> + +using std::string; + +int foo() { + return 42; +} +int global = foo(); + +__attribute__((visibility("default"))) +extern "C" +void inc_global() { + global++; +} + +void *global_poller(void *arg) { + while (true) { + if (global != 42) + break; + usleep(100); + } + return 0; +} + +int main(int argc, char *argv[]) { + pthread_t p; + pthread_create(&p, 0, global_poller, 0); + string path = string(argv[0]) + "-so.so"; + if (0 == dlopen(path.c_str(), RTLD_NOW)) { + fprintf(stderr, "dlerror: %s\n", dlerror()); + return 1; + } + pthread_join(p, 0); + printf("PASSED\n"); + // CHECK: PASSED + return 0; +} +#else // SHARED_LIB +#include <stdio.h> +#include <unistd.h> + +extern "C" void inc_global(); + +int slow_init() { + sleep(1); + inc_global(); + return 42; +} + +int slowly_init_glob = slow_init(); +#endif // SHARED_LIB diff --git a/test/asan/TestCases/Posix/ioctl.cc b/test/asan/TestCases/Posix/ioctl.cc new file mode 100644 index 000000000000..78f152fe93fe --- /dev/null +++ b/test/asan/TestCases/Posix/ioctl.cc 
@@ -0,0 +1,24 @@ +// RUN: %clangxx_asan -O0 -g %s -o %t && ASAN_OPTIONS=handle_ioctl=1 not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 -g %s -o %t && ASAN_OPTIONS=handle_ioctl=1 not %run %t 2>&1 | FileCheck %s + +// RUN: %clangxx_asan -O0 -g %s -o %t && %run %t +// RUN: %clangxx_asan -O3 -g %s -o %t && %run %t + +#include <assert.h> +#include <stdlib.h> +#include <sys/ioctl.h> +#include <sys/socket.h> +#include <unistd.h> + +int main(int argc, char **argv) { + int fd = socket(AF_INET, SOCK_DGRAM, 0); + + int nonblock; + int res = ioctl(fd, FIONBIO, &nonblock + 1); + // CHECK: AddressSanitizer: stack-buffer-overflow + // CHECK: READ of size 4 at + // CHECK: {{#.* in main .*ioctl.cc:}}[[@LINE-3]] + assert(res == 0); + close(fd); + return 0; +} diff --git a/test/asan/TestCases/Posix/large_allocator_unpoisons_on_free.cc b/test/asan/TestCases/Posix/large_allocator_unpoisons_on_free.cc new file mode 100644 index 000000000000..0a4998049cb0 --- /dev/null +++ b/test/asan/TestCases/Posix/large_allocator_unpoisons_on_free.cc 
@@ -0,0 +1,39 @@
+// Test that LargeAllocator unpoisons memory before releasing it to the OS.
+// RUN: %clangxx_asan %s -o %t
+// The memory is released only when the deallocated chunk leaves the quarantine,
+// otherwise the mmap(p, ...) call overwrites the malloc header.
+// RUN: ASAN_OPTIONS=quarantine_size=1 %run %t
+
+#include <assert.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#ifdef __ANDROID__
+#include <malloc.h>
+void *my_memalign(size_t boundary, size_t size) {
+ return memalign(boundary, size);
+}
+#else
+void *my_memalign(size_t boundary, size_t size) {
+ void *p;
+ posix_memalign(&p, boundary, size);
+ return p;
+}
+#endif
+
+int main() {
+ const long kPageSize = sysconf(_SC_PAGESIZE);
+ void *p = my_memalign(kPageSize, 1024 * 1024);
+ free(p);
+
+ char *q = (char *)mmap(p, kPageSize, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ assert(q == p);
+
+ memset(q, 42, kPageSize);
+
+ munmap(q, kPageSize);
+ return 0;
+}
diff --git a/test/asan/TestCases/Posix/lit.local.cfg b/test/asan/TestCases/Posix/lit.local.cfg
new file mode 100644
index 000000000000..60a9460820a6
--- /dev/null
+++ b/test/asan/TestCases/Posix/lit.local.cfg
@@ -0,0 +1,9 @@
+def getRoot(config):
+ if not config.parent:
+ return config
+ return getRoot(config.parent)
+
+root = getRoot(config)
+
+if root.host_os in ['Windows']:
+ config.unsupported = True
diff --git a/test/asan/TestCases/Posix/new_array_cookie_test.cc b/test/asan/TestCases/Posix/new_array_cookie_test.cc
new file mode 100644
index 000000000000..85d51f361835
--- /dev/null
+++ b/test/asan/TestCases/Posix/new_array_cookie_test.cc
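Review bot: In large_allocator_unpoisons_on_free.cc the non-Android `my_memalign` ignores the return value of `posix_memalign(&p, boundary, size)` and returns `p`, which is uninitialised when the call fails. main then passes that value to `free(p)` and to `mmap(p, ..., MAP_FIXED, ...)`, and a MAP_FIXED mapping at an indeterminate address can replace an unrelated existing mapping. Initialising and checking closes that path: `void *p = NULL; if (posix_memalign(&p, boundary, size) != 0) return NULL;` in the helper and `if (!p) return 1;` in main before `free(p)`. The `sysconf(_SC_PAGESIZE)` result is likewise used unchecked as the alignment and the mapping length.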
@@ -0,0 +1,24 @@ +// REQUIRES: asan-64-bits +// RUN: %clangxx_asan -O3 %s -o %t +// RUN: not %run %t 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=poison_array_cookie=1 not %run %t 2>&1 | FileCheck %s +// RUN: ASAN_OPTIONS=poison_array_cookie=0 not %run %t 2>&1 | FileCheck %s --check-prefix=NO_COOKIE +#include <stdio.h> +#include <stdlib.h> +struct C { + int x; + ~C() { + fprintf(stderr, "ZZZZZZZZ\n"); + exit(1); + } +}; + +int main(int argc, char **argv) { + C *buffer = new C[argc]; + buffer[-2].x = 10; +// CHECK: AddressSanitizer: heap-buffer-overflow +// CHECK: in main {{.*}}new_array_cookie_test.cc:[[@LINE-2]] +// CHECK: is located 0 bytes inside of 12-byte region +// NO_COOKIE: ZZZZZZZZ + delete [] buffer; +} diff --git a/test/asan/TestCases/Posix/new_array_cookie_uaf_test.cc b/test/asan/TestCases/Posix/new_array_cookie_uaf_test.cc new file mode 100644 index 000000000000..c35ccebb8c79 --- /dev/null +++ b/test/asan/TestCases/Posix/new_array_cookie_uaf_test.cc 
@@ -0,0 +1,38 @@ +// REQUIRES: asan-64-bits +// RUN: %clangxx_asan -O3 %s -o %t +// RUN: ASAN_OPTIONS=poison_array_cookie=1 not %run %t 2>&1 | FileCheck %s --check-prefix=COOKIE +// RUN: ASAN_OPTIONS=poison_array_cookie=0 not %run %t 2>&1 | FileCheck %s --check-prefix=NO_COOKIE +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +int dtor_counter; +struct C { + int x; + ~C() { + dtor_counter++; + fprintf(stderr, "DTOR %d\n", dtor_counter); + } +}; + +__attribute__((noinline)) void Delete(C *c) { delete[] c; } +__attribute__((no_sanitize_address)) void Write42ToCookie(C *c) { + long *p = reinterpret_cast<long*>(c); + p[-1] = 42; +} + +int main(int argc, char **argv) { + C *buffer = new C[argc]; + delete [] buffer; + Write42ToCookie(buffer); + delete [] buffer; +// COOKIE: DTOR 1 +// COOKIE-NOT: DTOR 2 +// COOKIE: AddressSanitizer: loaded array cookie from free-d memory +// COOKIE: AddressSanitizer: attempting double-free +// NO_COOKIE: DTOR 1 +// NO_COOKIE: DTOR 43 +// NO_COOKIE-NOT: DTOR 44 +// NO_COOKIE-NOT: AddressSanitizer: loaded array cookie from free-d memory +// NO_COOKIE: AddressSanitizer: attempting double-free + +} diff --git a/test/asan/TestCases/Posix/new_array_cookie_with_new_from_class.cc b/test/asan/TestCases/Posix/new_array_cookie_with_new_from_class.cc new file mode 100644 index 000000000000..1cea6f68adb2 --- /dev/null +++ b/test/asan/TestCases/Posix/new_array_cookie_with_new_from_class.cc 
@@ -0,0 +1,38 @@ +// Test that we do not poison the array cookie if the operator new is defined +// inside the class. +// RUN: %clangxx_asan %s -o %t && %run %t +// +// XFAIL: android +// XFAIL: armv7l-unknown-linux-gnueabihf +#include <new> +#include <stdlib.h> +#include <stdint.h> +#include <stdio.h> +#include <assert.h> +struct Foo { + void *operator new(size_t s) { return Allocate(s); } + void *operator new[] (size_t s) { return Allocate(s); } + ~Foo(); + static void *allocated; + static void *Allocate(size_t s) { + assert(!allocated); + return allocated = ::new char[s]; + } +}; + +Foo::~Foo() {} +void *Foo::allocated; + +Foo *getFoo(size_t n) { + return new Foo[n]; +} + +int main() { + Foo *foo = getFoo(10); + fprintf(stderr, "foo : %p\n", foo); + fprintf(stderr, "alloc: %p\n", Foo::allocated); + assert(reinterpret_cast<uintptr_t>(foo) == + reinterpret_cast<uintptr_t>(Foo::allocated) + sizeof(void*)); + *reinterpret_cast<uintptr_t*>(Foo::allocated) = 42; + return 0; +} diff --git a/test/asan/TestCases/Posix/readv.cc b/test/asan/TestCases/Posix/readv.cc new file mode 100644 index 000000000000..27436a1ad3d9 --- /dev/null +++ b/test/asan/TestCases/Posix/readv.cc @@ -0,0 +1,32 @@ +// RUN: %clangxx_asan -O0 %s -o %t && %run %t +// RUN: %clangxx_asan -O0 %s -DPOSITIVE -o %t && not %run %t 2>&1 | FileCheck %s + +// Test the readv() interceptor. + +#include <assert.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/uio.h> +#include <time.h> + +int main() { + char buf[2011]; + struct iovec iov[2]; +#ifdef POSITIVE + char * volatile buf_ = buf; + iov[0].iov_base = buf_ - 1; +#else + iov[0].iov_base = buf + 1; +#endif + iov[0].iov_len = 5; + iov[1].iov_base = buf + 10; + iov[1].iov_len = 2000; + int fd = open("/etc/hosts", O_RDONLY); + assert(fd > 0); + readv(fd, iov, 2); + // CHECK: WRITE of size 5 at + close(fd); + return 0; +} 
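Review bot: In readv.cc, `assert(fd > 0)` treats descriptor 0 as a failure although `open()` returns 0 when stdin is closed, and the result of `readv(fd, iov, 2)` is discarded. That means the non-POSITIVE run (`%run %t` with no FileCheck) passes even when nothing was read through the interceptor. Suggested changes are `assert(fd >= 0);` and `ssize_t n = readv(fd, iov, 2); if (n < 0) return 1;`. The test also depends on `/etc/hosts` being present and readable on the target, which is worth a comment next to the `open()` call.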
diff --git a/test/asan/TestCases/Posix/shared-lib-test.cc b/test/asan/TestCases/Posix/shared-lib-test.cc new file mode 100644 index 000000000000..a0827b5fefbf --- /dev/null +++ b/test/asan/TestCases/Posix/shared-lib-test.cc @@ -0,0 +1,57 @@ +// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O1 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O2 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi + +#if !defined(SHARED_LIB) +#include <dlfcn.h> +#include <stdio.h> +#include <string.h> + +#include <string> + +using std::string; + +typedef void (fun_t)(int x); + +int main(int argc, char *argv[]) { + string path = string(argv[0]) + "-so.so"; + printf("opening %s ... \n", path.c_str()); + void *lib = dlopen(path.c_str(), RTLD_NOW); + if (!lib) { + printf("error in dlopen(): %s\n", dlerror()); + return 1; + } + fun_t *inc = (fun_t*)dlsym(lib, "inc"); + if (!inc) return 1; + printf("ok\n"); + inc(1); + inc(-1); // BOOM + // CHECK: {{.*ERROR: AddressSanitizer: global-buffer-overflow}} + // CHECK: {{READ of size 4 at 0x.* thread T0}} + // CHECK: {{ #0 0x.*}} + // CHECK: {{ #1 0x.* in main .*shared-lib-test.cc:}}[[@LINE-4]] + return 0; +} +#else // SHARED_LIB +#include <stdio.h> +#include <string.h> + +int pad[10]; +int GLOB[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + +extern "C" +void inc(int index) { + GLOB[index]++; +} + +extern "C" +void inc2(int *a, int index) { + a[index]++; +} +#endif // SHARED_LIB 
diff --git a/test/asan/TestCases/Posix/start-deactivated.cc b/test/asan/TestCases/Posix/start-deactivated.cc new file mode 100644 index 000000000000..d60677a8a5bb --- /dev/null +++ b/test/asan/TestCases/Posix/start-deactivated.cc 
@@ -0,0 +1,69 @@ +// Test for ASAN_OPTIONS=start_deactivated=1 mode. +// Main executable is uninstrumented, but linked to ASan runtime. The shared +// library is instrumented. Memory errors before dlopen are not detected. + +// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so +// RUN: %clangxx -O0 %s -c -o %t.o +// RUN: %clangxx_asan -O0 %t.o -o %t +// RUN: ASAN_OPTIONS=start_deactivated=1 not %run %t 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi +// XFAIL: armv7l-unknown-linux-gnueabihf + +#if !defined(SHARED_LIB) +#include <dlfcn.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <string> + +#include "sanitizer/asan_interface.h" + +void test_malloc_shadow() { + char *p = (char *)malloc(100); + char *q = (char *)__asan_region_is_poisoned(p + 95, 8); + fprintf(stderr, "=%zd=\n", q ? q - (p + 95) : -1); + free(p); +} + +typedef void (*Fn)(); + +int main(int argc, char *argv[]) { + test_malloc_shadow(); + // CHECK: =-1= + + std::string path = std::string(argv[0]) + "-so.so"; + void *dso = dlopen(path.c_str(), RTLD_NOW); + if (!dso) { + fprintf(stderr, "dlopen failed: %s\n", dlerror()); + return 1; + } + + test_malloc_shadow(); + // CHECK: =5= + + void *fn = dlsym(dso, "do_another_bad_thing"); + if (!fn) { + fprintf(stderr, "dlsym failed: %s\n", dlerror()); + return 1; + } + + ((Fn)fn)(); + // CHECK: AddressSanitizer: heap-buffer-overflow + // CHECK: READ of size 1 + // CHECK: {{#0 .* in do_another_bad_thing}} + // CHECK: is located 5 bytes to the right of 100-byte region + // CHECK: in do_another_bad_thing + + return 0; +} +#else // SHARED_LIB +#include <stdio.h> +#include <stdlib.h> + +extern "C" void do_another_bad_thing() { + char *volatile p = (char *)malloc(100); + printf("%hhx\n", p[105]); +} +#endif // SHARED_LIB diff --git a/test/asan/TestCases/Posix/strerror_r_test.cc b/test/asan/TestCases/Posix/strerror_r_test.cc new file mode 100644 index 000000000000..e6df441770df --- /dev/null 
+++ b/test/asan/TestCases/Posix/strerror_r_test.cc @@ -0,0 +1,14 @@ +// RUN: %clangxx_asan -O0 %s -o %t && %run %t + +// Regression test for PR17138. + +#include <assert.h> +#include <string.h> +#include <stdio.h> + +int main() { + char buf[1024]; + char *res = (char *)strerror_r(300, buf, sizeof(buf)); + printf("%p\n", res); + return 0; +} diff --git a/test/asan/TestCases/Posix/tsd_dtor_leak.cc b/test/asan/TestCases/Posix/tsd_dtor_leak.cc new file mode 100644 index 000000000000..32253afc8b25 --- /dev/null +++ b/test/asan/TestCases/Posix/tsd_dtor_leak.cc @@ -0,0 +1,39 @@ +// Regression test for a leak in tsd: +// https://code.google.com/p/address-sanitizer/issues/detail?id=233 +// RUN: %clangxx_asan -O1 %s -pthread -o %t +// RUN: ASAN_OPTIONS=quarantine_size=1 %run %t +#include <pthread.h> +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <sanitizer/allocator_interface.h> + +static pthread_key_t tsd_key; + +void *Thread(void *) { + pthread_setspecific(tsd_key, malloc(10)); + return 0; +} + +static volatile void *v; + +void Dtor(void *tsd) { + v = malloc(10000); + free(tsd); + free((void*)v); // The bug was that this was leaking. +} + +int main() { + assert(0 == pthread_key_create(&tsd_key, Dtor)); + size_t old_heap_size = 0; + for (int i = 0; i < 10; i++) { + pthread_t t; + pthread_create(&t, 0, Thread, 0); + pthread_join(t, 0); + size_t new_heap_size = __sanitizer_get_heap_size(); + fprintf(stderr, "heap size: new: %zd old: %zd\n", new_heap_size, old_heap_size); + if (old_heap_size) + assert(old_heap_size == new_heap_size); + old_heap_size = new_heap_size; + } +} diff --git a/test/asan/TestCases/Posix/wait.cc b/test/asan/TestCases/Posix/wait.cc new file mode 100644 index 000000000000..99d0212acfab --- /dev/null +++ b/test/asan/TestCases/Posix/wait.cc 
@@ -0,0 +1,45 @@ +// RUN: %clangxx_asan -DWAIT -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAIT -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +// RUN: %clangxx_asan -DWAITPID -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAITPID -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +// RUN: %clangxx_asan -DWAIT3 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAIT3 -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +// RUN: %clangxx_asan -DWAIT3_RUSAGE -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAIT3_RUSAGE -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + + +#include <assert.h> +#include <sys/wait.h> +#include <unistd.h> + +int main(int argc, char **argv) { + pid_t pid = fork(); + if (pid) { // parent + int x[3]; + int *status = x + argc * 3; + int res; +#if defined(WAIT) + res = wait(status); +#elif defined(WAITPID) + res = waitpid(pid, status, WNOHANG); +#elif defined(WAIT3) + res = wait3(status, WNOHANG, NULL); +#elif defined(WAIT3_RUSAGE) + struct rusage *ru = (struct rusage*)(x + argc * 3); + int good_status; + res = wait3(&good_status, WNOHANG, ru); +#endif + // CHECK: stack-buffer-overflow + // CHECK: {{WRITE of size .* at 0x.* thread T0}} + // CHECK: {{in .*wait}} + // CHECK: {{in main .*wait.cc:}} + // CHECK: is located in stack of thread T0 at offset + // CHECK: {{in main}} + return res == -1 ? 1 : 0; + } + // child + return 0; +} diff --git a/test/asan/TestCases/Posix/wait4.cc b/test/asan/TestCases/Posix/wait4.cc new file mode 100644 index 000000000000..b95246efa0e4 --- /dev/null +++ b/test/asan/TestCases/Posix/wait4.cc 
@@ -0,0 +1,43 @@ +// RUN: %clangxx_asan -DWAIT4 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAIT4 -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +// RUN: %clangxx_asan -DWAIT4_RUSAGE -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -DWAIT4_RUSAGE -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +// XFAIL: android + +#include <assert.h> +#include <sys/wait.h> +#include <unistd.h> + +int main(int argc, char **argv) { + // This test passes on some versions of Android NDK and fails on other. + // https://code.google.com/p/memory-sanitizer/issues/detail?id=64 + // Make it fail unconditionally on Android. +#ifdef __ANDROID__ + return 0; +#endif + + pid_t pid = fork(); + if (pid) { // parent + int x[3]; + int *status = x + argc * 3; + int res; +#if defined(WAIT4) + res = wait4(pid, status, WNOHANG, NULL); +#elif defined(WAIT4_RUSAGE) + struct rusage *ru = (struct rusage*)(x + argc * 3); + int good_status; + res = wait4(pid, &good_status, WNOHANG, ru); +#endif + // CHECK: stack-buffer-overflow + // CHECK: {{WRITE of size .* at 0x.* thread T0}} + // CHECK: {{in .*wait}} + // CHECK: {{in main .*wait4.cc:}} + // CHECK: is located in stack of thread T0 at offset + // CHECK: {{in main}} + return res == -1 ? 1 : 0; + } + // child + return 0; +} diff --git a/test/asan/TestCases/Posix/waitid.cc b/test/asan/TestCases/Posix/waitid.cc new file mode 100644 index 000000000000..8b516dca9086 --- /dev/null +++ b/test/asan/TestCases/Posix/waitid.cc 
@@ -0,0 +1,28 @@ +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s +// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s + +#include <assert.h> +#include <sys/wait.h> +#include <unistd.h> +#include <signal.h> + +int main(int argc, char **argv) { + pid_t pid = fork(); + if (pid) { // parent + int x[3]; + int *status = x + argc * 3; + int res; + + siginfo_t *si = (siginfo_t*)(x + argc * 3); + res = waitid(P_ALL, 0, si, WEXITED | WNOHANG); + // CHECK: stack-buffer-overflow + // CHECK: {{WRITE of size .* at 0x.* thread T0}} + // CHECK: {{in .*waitid}} + // CHECK: {{in main .*waitid.cc:}} + // CHECK: is located in stack of thread T0 at offset + // CHECK: {{in main}} + return res != -1; + } + // child + return 0; +} diff --git a/test/asan/TestCases/Windows/aligned_mallocs.cc b/test/asan/TestCases/Windows/aligned_mallocs.cc new file mode 100644 index 000000000000..df740b64e51c --- /dev/null +++ b/test/asan/TestCases/Windows/aligned_mallocs.cc @@ -0,0 +1,29 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: %run %t + +#include <windows.h> + +#define CHECK_ALIGNED(ptr,alignment) \ + do { \ + if (((uintptr_t)(ptr) % (alignment)) != 0) \ + return __LINE__; \ + } \ + while(0) + +int main(void) { + int *p = (int*)_aligned_malloc(1024 * sizeof(int), 32); + CHECK_ALIGNED(p, 32); + p[512] = 0; + _aligned_free(p); + + p = (int*)_aligned_malloc(128, 128); + CHECK_ALIGNED(p, 128); + p = (int*)_aligned_realloc(p, 2048 * sizeof(int), 128); + CHECK_ALIGNED(p, 128); + p[1024] = 0; + if (_aligned_msize(p, 128, 0) != 2048 * sizeof(int)) + return __LINE__; + _aligned_free(p); + + return 0; +} diff --git a/test/asan/TestCases/Windows/allocators_sanity.cc b/test/asan/TestCases/Windows/allocators_sanity.cc new file mode 100644 index 000000000000..66a862d7aca5 --- /dev/null +++ b/test/asan/TestCases/Windows/allocators_sanity.cc 
@@ -0,0 +1,37 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: %run %t | FileCheck %s + +#include <malloc.h> +#include <stdio.h> + +int main() { + int *p = (int*)malloc(1024 * sizeof(int)); + p[512] = 0; + free(p); + + p = (int*)malloc(128); + p = (int*)realloc(p, 2048 * sizeof(int)); + p[1024] = 0; + free(p); + + p = (int*)calloc(16, sizeof(int)); + if (p[8] != 0) + return 1; + p[15]++; + if (16 * sizeof(int) != _msize(p)) + return 2; + free(p); + + p = new int; + *p = 42; + delete p; + + p = new int[42]; + p[15]++; + delete [] p; + + printf("All ok\n"); +// CHECK: All ok + + return 0; +} diff --git a/test/asan/TestCases/Windows/beginthreadex.cc b/test/asan/TestCases/Windows/beginthreadex.cc new file mode 100644 index 000000000000..f2b2b4511ad8 --- /dev/null +++ b/test/asan/TestCases/Windows/beginthreadex.cc @@ -0,0 +1,21 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: %run %t + +#include <windows.h> +#include <process.h> + +unsigned WINAPI thread_proc(void *) { + volatile char stack_buffer[42]; + for (int i = 0; i < sizeof(stack_buffer); ++i) + stack_buffer[i] = 42; + return 0; +} + +int main() { + HANDLE thr = (HANDLE)_beginthreadex(NULL, 0, thread_proc, NULL, 0, NULL); + if (thr == 0) + return 1; + if (WAIT_OBJECT_0 != WaitForSingleObject(thr, INFINITE)) + return 2; + CloseHandle(thr); +} diff --git a/test/asan/TestCases/Windows/bitfield.cc b/test/asan/TestCases/Windows/bitfield.cc new file mode 100644 index 000000000000..253a759b98df --- /dev/null +++ b/test/asan/TestCases/Windows/bitfield.cc @@ -0,0 +1,21 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: %run %t + +#include <windows.h> + +typedef struct _S { + unsigned int bf1:1; + unsigned int bf2:2; + unsigned int bf3:3; + unsigned int bf4:4; +} S; + +int main(void) { + S *s = (S*)malloc(sizeof(S)); + s->bf1 = 1; + s->bf2 = 2; + s->bf3 = 3; + s->bf4 = 4; + free(s); + return 0; +} 
diff --git a/test/asan/TestCases/Windows/bitfield_uaf.cc b/test/asan/TestCases/Windows/bitfield_uaf.cc new file mode 100644 index 000000000000..f49d671e3eb3 --- /dev/null +++ b/test/asan/TestCases/Windows/bitfield_uaf.cc @@ -0,0 +1,34 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: not %run %t 2>&1 | FileCheck %s + +#include <windows.h> + +typedef struct _S { + unsigned int bf1:1; + unsigned int bf2:2; + unsigned int bf3:3; + unsigned int bf4:4; +} S; + +void make_access(S *s) { + s->bf2 = 2; +// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]] +// CHECK: READ of size {{[124]}} at [[ADDR]] +// CHECK: {{#0 .* make_access .*bitfield_uaf.cc}}:[[@LINE-3]] +// CHECK: {{#1 .* main}} +} + +int main(void) { + S *s = (S*)malloc(sizeof(S)); + free(s); +// CHECK: [[ADDR]] is located 0 bytes inside of 4-byte region +// CHECK-LABEL: freed by thread T0 here: +// CHECK: {{#0 .* free }} +// CHECK: {{#1 .* main .*bitfield_uaf.cc}}:[[@LINE-4]] +// CHECK-LABEL: previously allocated by thread T0 here: +// CHECK: {{#0 .* malloc }} +// CHECK: {{#1 .* main .*bitfield_uaf.cc}}:[[@LINE-8]] + make_access(s); + return 0; +} + diff --git a/test/asan/TestCases/Windows/calloc_left_oob.cc b/test/asan/TestCases/Windows/calloc_left_oob.cc new file mode 100644 index 000000000000..459025bde92c --- /dev/null +++ b/test/asan/TestCases/Windows/calloc_left_oob.cc @@ -0,0 +1,17 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: not %run %t 2>&1 | FileCheck %s + +#include <malloc.h> + +int main() { + int *buffer = (int*)calloc(42, sizeof(int)); + buffer[-1] = 42; +// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 4 at [[ADDR]] thread T0 +// CHECK-NEXT: {{#0 .* main .*calloc_left_oob.cc}}:[[@LINE-3]] +// CHECK: [[ADDR]] is located 4 bytes to the left of 168-byte region +// CHECK: allocated by thread T0 here: +// CHECK-NEXT: {{#0 .* calloc }} +// CHECK-NEXT: {{#1 .* main .*calloc_left_oob.cc}}:[[@LINE-8]] + free(buffer); +} 
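Review bot: bitfield_uaf.cc expects `READ of size {{[124]}}` for the statement `s->bf2 = 2;` in make_access, which is a store, and nothing in the file says why. Presumably the bitfield assignment is compiled as a load of the containing storage unit followed by a masked store, so the load is the first access ASan sees on the freed block. A comment above the CHECK lines would keep a later reader from "correcting" the expectation to WRITE, for example `// A bitfield store is a read-modify-write; ASan reports the initial load.`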
diff --git a/test/asan/TestCases/Windows/calloc_right_oob.cc b/test/asan/TestCases/Windows/calloc_right_oob.cc new file mode 100644 index 000000000000..c976b87d9707 --- /dev/null +++ b/test/asan/TestCases/Windows/calloc_right_oob.cc @@ -0,0 +1,17 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: not %run %t 2>&1 | FileCheck %s + +#include <malloc.h> + +int main() { + int *buffer = (int*)calloc(42, sizeof(int)); + buffer[42] = 42; +// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 4 at [[ADDR]] thread T0 +// CHECK-NEXT: {{#0 .* main .*calloc_right_oob.cc}}:[[@LINE-3]] +// CHECK: [[ADDR]] is located 0 bytes to the right of 168-byte region +// CHECK: allocated by thread T0 here: +// CHECK-NEXT: {{#0 .* calloc }} +// CHECK-NEXT: {{#1 .* main .*calloc_right_oob.cc}}:[[@LINE-8]] + free(buffer); +} diff --git a/test/asan/TestCases/Windows/calloc_uaf.cc b/test/asan/TestCases/Windows/calloc_uaf.cc new file mode 100644 index 000000000000..db5e70741b72 --- /dev/null +++ b/test/asan/TestCases/Windows/calloc_uaf.cc @@ -0,0 +1,20 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: not %run %t 2>&1 | FileCheck %s + +#include <malloc.h> + +int main() { + int *buffer = (int*)calloc(42, sizeof(int)); + free(buffer); + buffer[0] = 42; +// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 4 at [[ADDR]] thread T0 +// CHECK-NEXT: {{#0 .* main .*calloc_uaf.cc}}:[[@LINE-3]] +// CHECK: [[ADDR]] is located 0 bytes inside of 168-byte region +// CHECK: freed by thread T0 here: +// CHECK-NEXT: {{#0 .* free }} +// CHECK-NEXT: {{#1 .* main .*calloc_uaf.cc}}:[[@LINE-8]] +// CHECK: previously allocated by thread T0 here: +// CHECK-NEXT: {{#0 .* calloc }} +// CHECK-NEXT: {{#1 .* main .*calloc_uaf.cc}}:[[@LINE-12]] +} diff --git a/test/asan/TestCases/Windows/crt_initializers.cc b/test/asan/TestCases/Windows/crt_initializers.cc new file mode 100644 index 000000000000..084f8a45e18a --- /dev/null 
+++ b/test/asan/TestCases/Windows/crt_initializers.cc @@ -0,0 +1,31 @@ +// RUN: %clang_cl_asan -O0 %s -Fe%t +// RUN: %run %t | FileCheck %s + +// This is a test for http://code.google.com/p/address-sanitizer/issues/detail?id=305 + +#include <stdio.h> + +typedef void (*FPTR)(); + +// __xi_a and __xi_z are defined in VC/crt/src/crt0dat.c +// and are located in .CRT$XIA and .CRT$XIZ respectively. +extern "C" FPTR __xi_a, __xi_z; + +int main() { + unsigned count = 0; + + // Iterate through CRT initializers. + for (FPTR* it = &__xi_a; it < &__xi_z; ++it) { + if (*it) + count++; + } + + printf("Number of nonzero CRT initializers: %u\n", count); +// CHECK: Number of nonzero CRT initializers +} + +void call_me_maybe() {} + +#pragma data_seg(".CRT$XIB") +// Add an initializer that shouldn't get its own redzone. +FPTR run_on_startup = call_me_maybe; diff --git a/test/asan/TestCases/Windows/demangled_names.cc b/test/asan/TestCases/Windows/demangled_names.cc new file mode 100644 index 000000000000..a528555b1e16 --- /dev/null +++ b/test/asan/TestCases/Windows/demangled_names.cc 
@@ -0,0 +1,50 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+// This test makes sure ASan symbolizes stack traces the way they are typically
+// symbolized on Windows.
+#include <malloc.h>
+
+namespace foo {
+// A template function in a namespace.
+template<int x>
+void bar(char *p) {
+ *p = x;
+}
+
+// A regular function in a namespace.
+void spam(char *p) {
+ bar<42>(p);
+}
+}
+
+// A multi-argument template with a bool template parameter.
+template<typename T, bool U>
+void baz(T t) {
+ if (U)
+ foo::spam(t);
+}
+
+template<typename T>
+struct A {
+ A(T v) { v_ = v; }
+ ~A();
+ char *v_;
+};
+
+// A destructor of a template class.
+template<>
+A<char*>::~A() {
+ baz<char*, true>(v_);
+}
+
+int main() {
+ char *buffer = (char*)malloc(42);
+ free(buffer);
+ A<char*> a(buffer);
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: foo::bar<42> {{.*}}demangled_names.cc
+// CHECK: foo::spam {{.*}}demangled_names.cc
+// CHECK: baz<char *,1> {{.*}}demangled_names.cc
+// CHECK: A<char *>::~A<char *> {{.*}}demangled_names.cc
+}
diff --git a/test/asan/TestCases/Windows/dll_aligned_mallocs.cc b/test/asan/TestCases/Windows/dll_aligned_mallocs.cc
new file mode 100644
index 000000000000..8b2c4d6dd957
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_aligned_mallocs.cc
@@ -0,0 +1,34 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: %run %t %t.dll | FileCheck %s
+
+#include <malloc.h>
+#include <stdio.h>
+
+#define CHECK_ALIGNED(ptr,alignment) \
+ do { \
+ if (((uintptr_t)(ptr) % (alignment)) != 0) \
+ return __LINE__; \
+ } \
+ while(0)
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ int *p = (int*)_aligned_malloc(1024 * sizeof(int), 32);
+ CHECK_ALIGNED(p, 32);
+ p[512] = 0;
+ _aligned_free(p);
+
+ p = (int*)_aligned_malloc(128, 128);
+ CHECK_ALIGNED(p, 128);
+ p = (int*)_aligned_realloc(p, 2048 * sizeof(int), 128);
+ CHECK_ALIGNED(p, 128);
+ p[1024] = 0;
+ if (_aligned_msize(p, 128, 0) != 2048 * sizeof(int))
+ return __LINE__;
+ _aligned_free(p);
+
+ printf("All ok\n");
+// CHECK: All ok
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_allocators_sanity.cc b/test/asan/TestCases/Windows/dll_allocators_sanity.cc
new file mode 100644
index 000000000000..1d31f37ca904
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_allocators_sanity.cc
@@ -0,0 +1,39 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: %run %t %t.dll | FileCheck %s
+
+#include <malloc.h>
+#include <stdio.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ int *p = (int*)malloc(1024 * sizeof(int));
+ p[512] = 0;
+ free(p);
+
+ p = (int*)malloc(128);
+ p = (int*)realloc(p, 2048 * sizeof(int));
+ p[1024] = 0;
+ free(p);
+
+ p = (int*)calloc(16, sizeof(int));
+ if (p[8] != 0)
+ return 1;
+ p[15]++;
+ if (16 * sizeof(int) != _msize(p))
+ return 2;
+ free(p);
+
+ p = new int;
+ *p = 42;
+ delete p;
+
+ p = new int[42];
+ p[15]++;
+ delete [] p;
+
+ printf("All ok\n");
+// CHECK: All ok
+
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_and_lib.cc b/test/asan/TestCases/Windows/dll_and_lib.cc
new file mode 100644
index 000000000000..bddaa32df73b
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_and_lib.cc
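Review bot: A failed allocation passes `CHECK_ALIGNED` in dll_aligned_mallocs.cc, because a null pointer is a multiple of every alignment, so the following store (`p[512] = 0`, `p[1024] = 0`) would fault instead of returning a line number to the host. Add `if (!p) return __LINE__;` before each `CHECK_ALIGNED(p, ...)`; the `_aligned_realloc` result is also assigned straight back to `p`, which loses the original block if the call fails. The macro uses `uintptr_t` while the file includes only `<malloc.h>` and `<stdio.h>`, so it presumably relies on a transitive declaration, and `#include <stdint.h>` would make that explicit. dll_allocators_sanity.cc has the same unchecked `malloc`/`realloc`/`calloc` results.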
@@ -0,0 +1,19 @@
+// Just make sure we can link an implib into another DLL
+// This used to fail between r212699 and r212814.
+// RUN: %clang_cl_asan -DCONFIG=1 %s -c -Fo%t.1.obj
+// RUN: link /nologo /DLL /OUT:%t.1.dll %t.1.obj %asan_dll_thunk
+// RUN: %clang_cl_asan -DCONFIG=2 %s -c -Fo%t.2.obj
+// RUN: link /nologo /DLL /OUT:%t.2.dll %t.2.obj %t.1.lib %asan_dll_thunk
+// REQUIRES: asan-static-runtime
+
+#if CONFIG==1
+extern "C" __declspec(dllexport) int f1() {
+ int x = 0;
+ return 1;
+}
+#else
+extern "C" __declspec(dllexport) int f2() {
+ int x = 0;
+ return 2;
+}
+#endif
diff --git a/test/asan/TestCases/Windows/dll_cerr.cc b/test/asan/TestCases/Windows/dll_cerr.cc
new file mode 100644
index 000000000000..8f1a699ba801
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_cerr.cc
@@ -0,0 +1,23 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: %run %t %t.dll 2>&1 | FileCheck %s
+
+// Test that it works correctly even with ICF enabled.
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll -link /OPT:REF /OPT:ICF
+// RUN: %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <iostream>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ // Just make sure we can use cout.
+ std::cout << "All ok\n";
+// CHECK: All ok
+
+ // This line forces a declaration of some global basic_ostream internal object that
+ // calls memcpy() in its constructor. This doesn't work if __asan_init is not
+ // called early enough.
+ std::cout << 42;
+// CHECK: 42
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_host.cc b/test/asan/TestCases/Windows/dll_host.cc
new file mode 100644
index 000000000000..d3b4c149d009
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_host.cc
@@ -0,0 +1,49 @@
+// This is a host program for DLL tests.
+//
+// Just make sure we can compile this.
+// The actual compile&run sequence is to be done by the DLL tests.
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+//
+// Get the list of ASan wrappers exported by the main module RTL:
+// RUN: dumpbin /EXPORTS %t | grep -o "__asan_wrap[^ ]*" | grep -v @ | sort | uniq > %t.exported_wrappers
+//
+// Get the list of ASan wrappers imported by the DLL RTL:
+// RUN: grep INTERCEPT_LIBRARY_FUNCTION %p/../../../../lib/asan/asan_win_dll_thunk.cc | grep -v define | sed "s/.*(\(.*\)).*/__asan_wrap_\1/" | sort | uniq > %t.dll_imports
+//
+// Now make sure the DLL thunk imports everything:
+// RUN: echo
+// RUN: echo "=== NOTE === If you see a mismatch below, please update asan_win_dll_thunk.cc"
+// RUN: diff %t.dll_imports %t.exported_wrappers
+// REQUIRES: asan-static-runtime
+
+#include <stdio.h>
+#include <windows.h>
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ printf("Usage: %s [client].dll\n", argv[0]);
+ return 101;
+ }
+
+ const char *dll_name = argv[1];
+
+ HMODULE h = LoadLibrary(dll_name);
+ if (!h) {
+ printf("Could not load DLL: %s (code: %lu)!\n",
+ dll_name, GetLastError());
+ return 102;
+ }
+
+ typedef int (*test_function)();
+ test_function gf = (test_function)GetProcAddress(h, "test_function");
+ if (!gf) {
+ printf("Could not locate test_function in the DLL!\n");
+ FreeLibrary(h);
+ return 103;
+ }
+
+ int ret = gf();
+
+ FreeLibrary(h);
+ return ret;
+}
diff --git a/test/asan/TestCases/Windows/dll_intercept_memchr.cc b/test/asan/TestCases/Windows/dll_intercept_memchr.cc
new file mode 100644
index 000000000000..1435bdc50127
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_intercept_memchr.cc
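Review bot: `LoadLibrary(dll_name)` in `main` is given `argv[1]` unchanged, so a bare file name would be resolved through the Windows DLL search order rather than taken from a known directory. The DLL tests in this commit pass `%t.dll`, which I expect lit to expand to a full path, so this is a documentation point: add `// dll_name must be a full path (tests pass %t.dll); a bare name goes through the DLL search order.` above the call. Since `dll_name` is a `const char *`, calling `LoadLibraryA` would also keep the line compiling if `UNICODE` is ever defined for this file.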
@@ -0,0 +1,21 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <string.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char buff[6] = "Hello";
+
+ memchr(buff, 'z', 7);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: READ of size 7 at [[ADDR]] thread T0
+// CHECK-NEXT: __asan_wrap_memchr
+// CHECK-NEXT: memchr
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memchr.cc:[[@LINE-5]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memchr.cc
+// CHECK: 'buff' <== Memory access at offset {{.*}} overflows this variable
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_intercept_memcpy.cc b/test/asan/TestCases/Windows/dll_intercept_memcpy.cc
new file mode 100644
index 000000000000..736e6969d521
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_intercept_memcpy.cc
@@ -0,0 +1,32 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+// Test that it works correctly even with ICF enabled.
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll -link /OPT:REF /OPT:ICF
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char buff1[6] = "Hello", buff2[5];
+
+ memcpy(buff2, buff1, 5);
+ if (buff1[2] != buff2[2])
+ return 2;
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ memcpy(buff2, buff1, 6);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 6 at [[ADDR]] thread T0
+// CHECK-NEXT: __asan_{{.*}}memcpy
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memcpy.cc:[[@LINE-4]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memcpy.cc
+// CHECK: 'buff2' <== Memory access at offset {{.*}} overflows this variable
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_intercept_memcpy_indirect.cc b/test/asan/TestCases/Windows/dll_intercept_memcpy_indirect.cc
new file mode 100644
index 000000000000..c5f44df3faaf
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_intercept_memcpy_indirect.cc
@@ -0,0 +1,34 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+void call_memcpy(void* (*f)(void *, const void *, size_t),
+ void *a, const void *b, size_t c) {
+ f(a, b, c);
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char buff1[6] = "Hello", buff2[5];
+
+ call_memcpy(&memcpy, buff2, buff1, 5);
+ if (buff1[2] != buff2[2])
+ return 2;
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ call_memcpy(&memcpy, buff2, buff1, 6);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 6 at [[ADDR]] thread T0
+// CHECK-NEXT: __asan_{{.*}}memcpy
+// CHECK-NEXT: call_memcpy
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memcpy_indirect.cc:[[@LINE-5]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memcpy_indirect.cc
+// CHECK: 'buff2' <== Memory access at offset {{.*}} overflows this variable
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_intercept_memset.cc b/test/asan/TestCases/Windows/dll_intercept_memset.cc
new file mode 100644
index 000000000000..d4be376f2458
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_intercept_memset.cc
@@ -0,0 +1,32 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+// Test that it works correctly even with ICF enabled.
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll -link /OPT:REF /OPT:ICF
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char buff[5] = "aaaa";
+
+ memset(buff, 'b', 5);
+ if (buff[2] != 'b')
+ return 2;
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ memset(buff, 'c', 6);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 6 at [[ADDR]] thread T0
+// CHECK-NEXT: __asan_memset
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memset.cc:[[@LINE-4]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: test_function {{.*}}dll_intercept_memset.cc
+// CHECK: 'buff' <== Memory access at offset {{.*}} overflows this variable
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_intercept_strlen.cc b/test/asan/TestCases/Windows/dll_intercept_strlen.cc
new file mode 100644
index 000000000000..f41d47858bee
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_intercept_strlen.cc
@@ -0,0 +1,28 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char str[] = "Hello!";
+ if (6 != strlen(str))
+ return 1;
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ str[6] = '!'; // Removes '\0' at the end!
+ int len = strlen(str);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// FIXME: Should be READ of size 1, see issue 155.
+// CHECK: READ of size {{[0-9]+}} at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .*}}strlen
+// CHECK-NEXT: {{#1 .* test_function .*}}dll_intercept_strlen.cc:[[@LINE-5]]
+//
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: test_function {{.*}}dll_intercept_strlen.cc:
+ return len > 42;
+}
diff --git a/test/asan/TestCases/Windows/dll_large_function.cc b/test/asan/TestCases/Windows/dll_large_function.cc
new file mode 100644
index 000000000000..039d01f84ba5
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_large_function.cc
@@ -0,0 +1,12 @@
+// Make sure we can link a DLL with large functions which would mean
+// functions such as __asan_loadN and __asan_storeN will be called
+// from the DLL. We simulate the large function with
+// -mllvm -asan-instrumentation-with-call-threshold=0.
+// RUN: %clang_cl_asan %s -c -Fo%t.obj -mllvm -asan-instrumentation-with-call-threshold=0
+// RUN: link /nologo /DLL /OUT:%t.dll %t.obj %asan_dll_thunk
+// REQUIRES: asan-static-runtime
+
+void f(long* foo, long* bar) {
+ // One load and one store
+ *foo = *bar;
+}
diff --git a/test/asan/TestCases/Windows/dll_malloc_left_oob.cc b/test/asan/TestCases/Windows/dll_malloc_left_oob.cc
new file mode 100644
index 000000000000..0653ea45f6ef
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_malloc_left_oob.cc
@@ -0,0 +1,23 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <malloc.h>
+extern "C" __declspec(dllexport)
+int test_function() {
+ char *buffer = (char*)malloc(42);
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: test_function {{.*}}dll_malloc_left_oob.cc:[[@LINE-3]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+//
+// CHECK: [[ADDR]] is located 1 bytes to the left of 42-byte region
+// CHECK-LABEL: allocated by thread T0 here:
+// CHECK-NEXT: malloc
+// CHECK-NEXT: test_function {{.*}}dll_malloc_left_oob.cc:[[@LINE-10]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+// CHECK-LABEL: SUMMARY
+ free(buffer);
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_malloc_uaf.cc b/test/asan/TestCases/Windows/dll_malloc_uaf.cc
new file mode 100644
index 000000000000..b286380ac445
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_malloc_uaf.cc
@@ -0,0 +1,28 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ int *buffer = (int*)malloc(42);
+ free(buffer);
+ buffer[0] = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+// CHECK-NEXT: test_function {{.*}}dll_malloc_uaf.cc:[[@LINE-3]]
+// CHECK-NEXT: main {{.*}}dll_host
+//
+// CHECK: [[ADDR]] is located 0 bytes inside of 42-byte region
+// CHECK-LABEL: freed by thread T0 here:
+// CHECK-NEXT: free
+// CHECK-NEXT: test_function {{.*}}dll_malloc_uaf.cc:[[@LINE-10]]
+// CHECK-NEXT: main {{.*}}dll_host
+//
+// CHECK-LABEL: previously allocated by thread T0 here:
+// CHECK-NEXT: malloc
+// CHECK-NEXT: test_function {{.*}}dll_malloc_uaf.cc:[[@LINE-16]]
+// CHECK-NEXT: main {{.*}}dll_host
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_noreturn.cc b/test/asan/TestCases/Windows/dll_noreturn.cc
new file mode 100644
index 000000000000..6ec90725145f
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_noreturn.cc
@@ -0,0 +1,28 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <process.h>
+
+void noreturn_f() {
+ int subscript = -1;
+ char buffer[42];
+ buffer[subscript] = 42;
+ _exit(1);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: noreturn_f {{.*}}dll_noreturn.cc:[[@LINE-4]]
+// CHECK-NEXT: test_function {{.*}}dll_noreturn.cc
+// CHECK-NEXT: main {{.*}}dll_host.cc
+//
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: noreturn_f {{.*}}dll_noreturn.cc
+// CHECK: 'buffer' <== Memory access at offset [[OFFSET]] underflows this variable
+// CHECK-LABEL: SUMMARY
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ noreturn_f();
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_null_deref.cc b/test/asan/TestCases/Windows/dll_null_deref.cc
new file mode 100644
index 000000000000..0fb18de29163
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_null_deref.cc
@@ -0,0 +1,18 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+__attribute__((noinline))
+static void NullDeref(int *ptr) {
+ // CHECK: ERROR: AddressSanitizer: access-violation on unknown address
+ // CHECK: {{0x0*000.. .*pc 0x.*}}
+ ptr[10]++; // BOOM
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ NullDeref((int*)0);
+ // CHECK: {{ #1 0x.* in test_function .*\dll_null_deref.cc:}}[[@LINE-1]]
+ // CHECK: AddressSanitizer can not provide additional info.
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_operator_array_new_left_oob.cc b/test/asan/TestCases/Windows/dll_operator_array_new_left_oob.cc
new file mode 100644
index 000000000000..736ce80cc32a
--- /dev/null
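Review bot: In dll_null_deref.cc the pattern `{{ #1 0x.* in test_function .*\dll_null_deref.cc:}}` puts `\d` inside a FileCheck regex block, where the backslash acts as an escape rather than as a literal path separator. As far as I can tell it then matches a plain `d` and the separator is absorbed by the preceding `.*`, so the check passes without testing what it appears to test. Writing it as `{{ #1 0x.* in test_function .*}}dll_null_deref.cc:[[@LINE-1]]` would match the form the other DLL tests in this commit use for the file name.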
+++ b/test/asan/TestCases/Windows/dll_operator_array_new_left_oob.cc
@@ -0,0 +1,25 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char *buffer = new char[42];
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: test_function {{.*}}dll_operator_array_new_left_oob.cc:[[@LINE-3]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+//
+// CHECK: [[ADDR]] is located 1 bytes to the left of 42-byte region
+// CHECK-LABEL: allocated by thread T0 here:
+// FIXME: Should get rid of the malloc/free frames called from the inside of
+// operator new/delete in DLLs when using -MT CRT.
+// FIXME: The 'operator new' frame should have [].
+// CHECK: operator new
+// CHECK-NEXT: test_function {{.*}}dll_operator_array_new_left_oob.cc:[[@LINE-13]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+// CHECK-LABEL: SUMMARY
+ delete [] buffer;
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_operator_array_new_with_dtor_left_oob.cc b/test/asan/TestCases/Windows/dll_operator_array_new_with_dtor_left_oob.cc
new file mode 100644
index 000000000000..8306a737bfff
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_operator_array_new_with_dtor_left_oob.cc
@@ -0,0 +1,33 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+struct C {
+ int x;
+ ~C() {}
+};
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ C *buffer = new C[42];
+ buffer[-2].x = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+// CHECK-NEXT: test_function {{.*}}dll_operator_array_new_with_dtor_left_oob.cc:[[@LINE-3]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+//
+// FIXME: Currently it says "4 bytes ... left of 172-byte region",
+// should be "8 bytes ... left of 168-byte region", see
+// https://code.google.com/p/address-sanitizer/issues/detail?id=314
+// CHECK: [[ADDR]] is located {{.*}} bytes to the left of 172-byte region
+// FIXME: Should get rid of the malloc/free frames called from the inside of
+// operator new/delete in DLLs when using -MT CRT.
+// FIXME: The operator new frame should have [].
+// CHECK-LABEL: allocated by thread T0 here:
+// CHECK: operator new
+// CHECK-NEXT: test_function {{.*}}dll_operator_array_new_with_dtor_left_oob.cc:[[@LINE-16]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+// CHECK-LABEL: SUMMARY
+ delete [] buffer;
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_poison_unpoison.cc b/test/asan/TestCases/Windows/dll_poison_unpoison.cc
new file mode 100644
index 000000000000..d486cb122251
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_poison_unpoison.cc
@@ -0,0 +1,35 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <sanitizer/asan_interface.h>
+
+void should_not_crash(volatile char *c) {
+ *c = 42;
+}
+
+void should_crash(volatile char *c) {
+ *c = 42;
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ char buffer[256];
+ should_not_crash(&buffer[0]);
+ __asan_poison_memory_region(buffer, 128);
+ should_not_crash(&buffer[192]);
+ __asan_unpoison_memory_region(buffer, 64);
+ should_not_crash(&buffer[32]);
+
+ should_crash(&buffer[96]);
+// CHECK: AddressSanitizer: use-after-poison on address [[ADDR:0x[0-9a-f]+]]
+// CHECK-NEXT: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: should_crash {{.*}}\dll_poison_unpoison.cc
+// CHECK-NEXT: test_function {{.*}}\dll_poison_unpoison.cc:[[@LINE-4]]
+// CHECK-NEXT: main
+//
+// CHECK: [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: test_function {{.*}}\dll_poison_unpoison.cc
+// CHECK: 'buffer' <== Memory access at offset [[OFFSET]] is inside this variable
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/dll_seh.cc b/test/asan/TestCases/Windows/dll_seh.cc
new file mode 100644
index 000000000000..6e4c724e504d
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_seh.cc
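Review bot: The reason `should_crash(&buffer[96])` must produce a report is not stated in dll_poison_unpoison.cc and has to be worked out from the two interface calls in `test_function`. A comment before it such as `// Bytes [64, 128) stay poisoned: 128 were poisoned, only the first 64 unpoisoned.` would make the expected `use-after-poison` report obvious, and a matching `// [128, 256) was never poisoned` on the `buffer[192]` access would document the negative case. `should_not_crash` and `should_crash` have identical bodies, so the names and the missing comments carry the whole intent of the test.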
@@ -0,0 +1,60 @@ +// Clang doesn't support SEH on Windows yet, so for the time being we +// build this program in two parts: the code with SEH is built with CL, +// the rest is built with Clang. This represents the typical scenario when we +// build a large project using "clang-cl -fallback -fsanitize=address". +// +// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t +// +// Check both -GS and -GS- builds: +// RUN: cl -LD -c %s -Fo%t.obj +// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll %t.obj +// RUN: %run %t %t.dll +// +// RUN: cl -LD -GS- -c %s -Fo%t.obj +// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll %t.obj +// RUN: %run %t %t.dll + +#include <windows.h> +#include <assert.h> +#include <stdio.h> + +// Should just "#include <sanitizer/asan_interface.h>" when C++ exceptions are +// supported and we don't need to use CL. +extern "C" bool __asan_address_is_poisoned(void *p); + +void ThrowAndCatch(); + +#if !defined(__clang__) +__declspec(noinline) +void Throw() { + int local, zero = 0; + fprintf(stderr, "Throw: %p\n", &local); + local = 5 / zero; +} + +__declspec(noinline) +void ThrowAndCatch() { + int local; + __try { + Throw(); + } __except(EXCEPTION_EXECUTE_HANDLER) { + fprintf(stderr, "__except: %p\n", &local); + } +} +#else + +extern "C" __declspec(dllexport) +int test_function() { + char x[32]; + fprintf(stderr, "Before: %p poisoned: %d\n", &x, + __asan_address_is_poisoned(x + 32)); + assert(__asan_address_is_poisoned(x + 32)); + ThrowAndCatch(); + fprintf(stderr, "After: %p poisoned: %d\n", &x, + __asan_address_is_poisoned(x + 32)); + // FIXME: Invert this assertion once we fix + // https://code.google.com/p/address-sanitizer/issues/detail?id=258 + assert(!__asan_address_is_poisoned(x + 32)); + return 0; +} +#endif diff --git a/test/asan/TestCases/Windows/dll_stack_use_after_return.cc b/test/asan/TestCases/Windows/dll_stack_use_after_return.cc new file mode 100644 index 000000000000..6cd74c265b8f --- /dev/null 
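Review bot: The final `assert(!__asan_address_is_poisoned(x + 32));` in `test_function` pins the known-wrong state, and the FIXME above it does not say what that state costs. From the two assertions, the byte just past `x` is poisoned before `ThrowAndCatch()` and no longer poisoned after it, so an overflow of `x` later in this frame would presumably go unreported; I would spell that out, e.g. `// After the SEH unwind the redzone past x is unpoisoned, so overflows of x are missed until issue 258 is fixed.` Both checks also depend on `assert` being active (no `NDEBUG`), which the RUN lines do not state, whereas `if (...) return 1;` would reach the host regardless. longjmp.cc in this commit carries the same inverted assertion.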
+++ b/test/asan/TestCases/Windows/dll_stack_use_after_return.cc
@@ -0,0 +1,28 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: env ASAN_OPTIONS=detect_stack_use_after_return=1 not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+char *x;
+
+void foo() {
+ char stack_buffer[42];
+ x = &stack_buffer[13];
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ foo();
+ *x = 42;
+// CHECK: AddressSanitizer: stack-use-after-return
+// CHECK: WRITE of size 1 at [[ADDR:.*]] thread T0
+// CHECK-NEXT: test_function {{.*}}dll_stack_use_after_return.cc:[[@LINE-3]]
+// CHECK-NEXT: main
+//
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: #0 {{.*}} foo {{.*}}dll_stack_use_after_return.cc
+// CHECK: 'stack_buffer' <== Memory access at offset [[OFFSET]] is inside this variable
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/dll_thread_stack_array_left_oob.cc b/test/asan/TestCases/Windows/dll_thread_stack_array_left_oob.cc
new file mode 100644
index 000000000000..8f53623419ce
--- /dev/null
+++ b/test/asan/TestCases/Windows/dll_thread_stack_array_left_oob.cc
@@ -0,0 +1,36 @@
+// RUN: %clang_cl_asan -O0 %p/dll_host.cc -Fe%t
+// RUN: %clang_cl_asan -LD -O0 %s -Fe%t.dll
+// RUN: not %run %t %t.dll 2>&1 | FileCheck %s
+
+#include <windows.h>
+#include <malloc.h>
+
+DWORD WINAPI thread_proc(void *context) {
+ int subscript = -1;
+ char stack_buffer[42];
+ stack_buffer[subscript] = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T1
+// CHECK-NEXT: thread_proc {{.*}}dll_thread_stack_array_left_oob.cc:[[@LINE-3]]
+//
+// CHECK: Address [[ADDR]] is located in stack of thread T1 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: thread_proc {{.*}}dll_thread_stack_array_left_oob.cc
+//
+// CHECK: 'stack_buffer' <== Memory access at offset [[OFFSET]] underflows this variable
+
+ return 0;
+}
+
+extern "C" __declspec(dllexport)
+int test_function() {
+ HANDLE thr = CreateThread(NULL, 0, thread_proc, NULL, 0, NULL);
+// CHECK-LABEL: Thread T1 created by T0 here:
+// CHECK: test_function {{.*}}dll_thread_stack_array_left_oob.cc:[[@LINE-2]]
+// CHECK-NEXT: main {{.*}}dll_host.cc
+// CHECK-LABEL: SUMMARY
+ if (thr == 0)
+ return 1;
+ if (WAIT_OBJECT_0 != WaitForSingleObject(thr, INFINITE))
+ return 2;
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/double_free.cc b/test/asan/TestCases/Windows/double_free.cc
new file mode 100644
index 000000000000..18a9fcb44a75
--- /dev/null
+++ b/test/asan/TestCases/Windows/double_free.cc
@@ -0,0 +1,21 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ int *x = (int*)malloc(42 * sizeof(int));
+ free(x);
+ free(x);
+// CHECK: AddressSanitizer: attempting double-free on [[ADDR:0x[0-9a-f]+]]
+// CHECK-NEXT: {{#0 .* free }}
+// CHECK-NEXT: {{#1 .* main .*double_free.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 168-byte region
+// CHECK-LABEL: freed by thread T0 here:
+// CHECK-NEXT: {{#0 .* free }}
+// CHECK-NEXT: {{#1 .* main .*double_free.cc}}:[[@LINE-8]]
+// CHECK-LABEL: previously allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* malloc }}
+// CHECK-NEXT: {{#1 .* main .*double_free.cc}}:[[@LINE-12]]
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/double_operator_delete.cc b/test/asan/TestCases/Windows/double_operator_delete.cc
new file mode 100644
index 000000000000..eae4a64c2b92
--- /dev/null
+++ b/test/asan/TestCases/Windows/double_operator_delete.cc
@@ -0,0 +1,25 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ int *x = new int[42];
+ delete [] x;
+ delete [] x;
+// CHECK: AddressSanitizer: attempting double-free on [[ADDR:0x[0-9a-f]+]]
+// FIXME: The 'operator delete' frame should have [].
+// CHECK-NEXT: {{#0 .* operator delete}}
+// CHECK-NEXT: {{#1 .* main .*double_operator_delete.cc}}:[[@LINE-4]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 168-byte region
+// CHECK-LABEL: freed by thread T0 here:
+// FIXME: The 'operator delete' frame should have [].
+// CHECK-NEXT: {{#0 .* operator delete}}
+// CHECK-NEXT: {{#1 .* main .*double_operator_delete.cc}}:[[@LINE-10]]
+// CHECK-LABEL: previously allocated by thread T0 here:
+// FIXME: The 'operator new' frame should have [].
+// CHECK-NEXT: {{#0 .* operator new}}
+// CHECK-NEXT: {{#1 .* main .*double_operator_delete.cc}}:[[@LINE-15]]
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/global_const_string.cc b/test/asan/TestCases/Windows/global_const_string.cc
new file mode 100644
index 000000000000..8c147c917c88
--- /dev/null
+++ b/test/asan/TestCases/Windows/global_const_string.cc
@@ -0,0 +1,12 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t | FileCheck %s
+
+#include <windows.h>
+#include <stdio.h>
+
+int main(void) {
+ static const char *foo = "foobarspam";
+ printf("Global string is `%s`\n", foo);
+// CHECK: Global string is `foobarspam`
+ return 0;
+}
diff --git a/test/asan/TestCases/Windows/global_const_string_oob.cc b/test/asan/TestCases/Windows/global_const_string_oob.cc
new file mode 100644
index 000000000000..b39e3dbb3b4e
--- /dev/null
+++ b/test/asan/TestCases/Windows/global_const_string_oob.cc
@@ -0,0 +1,20 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+#include <stdio.h>
+
+extern "C" const char *foo = "foobarspam";
+
+int main(void) {
+ if (foo[16])
+ printf("Boo\n");
+// CHECK-NOT: Boo
+// CHECK: AddressSanitizer: global-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: READ of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*global_const_string_oob.cc:}}[[@LINE-5]]
+// CHECK: [[ADDR]] is located 5 bytes to the right of global variable [[STR:.*]] defined in {{'.*global_const_string_oob.cc:7:.*' .*}} of size 11
+// CHECK: [[STR]] is ascii string 'foobarspam'
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/hello_world.cc b/test/asan/TestCases/Windows/hello_world.cc
new file mode 100644
index 000000000000..400ca1b3eacc
--- /dev/null
+++ b/test/asan/TestCases/Windows/hello_world.cc
@@ -0,0 +1,9 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t | FileCheck %s
+
+#include <stdio.h>
+
+int main() {
+ printf("Hello, world!\n");
+// CHECK: Hello, world!
+}
diff --git a/test/asan/TestCases/Windows/intercept_memcpy.cc b/test/asan/TestCases/Windows/intercept_memcpy.cc
new file mode 100644
index 000000000000..9ee984b1873d
--- /dev/null
+++ b/test/asan/TestCases/Windows/intercept_memcpy.cc
@@ -0,0 +1,31 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+void call_memcpy(void* (*f)(void *, const void *, size_t),
+ void *a, const void *b, size_t c) {
+ f(a, b, c);
+}
+
+int main() {
+ char buff1[6] = "Hello", buff2[5];
+
+ call_memcpy(&memcpy, buff2, buff1, 5);
+ if (buff1[2] != buff2[2])
+ return 2;
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ call_memcpy(&memcpy, buff2, buff1, 6);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 6 at [[ADDR]] thread T0
+// CHECK-NEXT: __asan_{{.*}}memcpy
+// CHECK-NEXT: call_memcpy
+// CHECK-NEXT: main {{.*}}intercept_memcpy.cc:[[@LINE-5]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: #0 {{.*}} main
+// CHECK: 'buff2' <== Memory access at offset {{.*}} overflows this variable
+}
diff --git a/test/asan/TestCases/Windows/intercept_strdup.cc b/test/asan/TestCases/Windows/intercept_strdup.cc
new file mode 100644
index 000000000000..edb1f2f99245
--- /dev/null
+++ b/test/asan/TestCases/Windows/intercept_strdup.cc
@@ -0,0 +1,27 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+#include <malloc.h>
+
+int main() {
+ char *ptr = _strdup("Hello");
+ int subscript = 1;
+ ptr[subscript] = '3';
+ printf("%s\n", ptr);
+ fflush(0);
+// CHECK: H3llo
+
+ subscript = -1;
+ ptr[subscript] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*}}intercept_strdup.cc:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 1 bytes to the left of 6-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK: {{#0 .* malloc }}
+// CHECK: {{#1 .*strdup}}
+// CHECK: {{#2 .* main .*}}intercept_strdup.cc:[[@LINE-16]]
+ free(ptr);
+}
diff --git a/test/asan/TestCases/Windows/intercept_strlen.cc b/test/asan/TestCases/Windows/intercept_strlen.cc
new file mode 100644
index 000000000000..928a286bedfa
--- /dev/null
+++ b/test/asan/TestCases/Windows/intercept_strlen.cc
@@ -0,0 +1,27 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+
+int main() {
+ char str[] = "Hello";
+ if (5 != strlen(str))
+ return 1;
+
+ printf("Initial test OK\n");
+ fflush(0);
+// CHECK: Initial test OK
+
+ str[5] = '!'; // Losing '\0' at the end.
+ int len = strlen(str);
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// FIXME: Should be READ of size 1, see issue 155.
+// CHECK: READ of size {{[0-9]+}} at [[ADDR]] thread T0
+// CHECK: strlen
+// CHECK-NEXT: main {{.*}}intercept_strlen.cc:[[@LINE-5]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset {{.*}} in frame
+// CHECK-NEXT: main {{.*}}intercept_strlen.cc
+// CHECK: 'str' <== Memory access at offset {{.*}} overflows this variable
+ return len < 6;
+}
diff --git a/test/asan/TestCases/Windows/lit.local.cfg b/test/asan/TestCases/Windows/lit.local.cfg
new file mode 100644
index 000000000000..13ef6d428251
--- /dev/null
+++ b/test/asan/TestCases/Windows/lit.local.cfg
@@ -0,0 +1,14 @@
+def getRoot(config):
+ if not config.parent:
+ return config
+ return getRoot(config.parent)
+
+root = getRoot(config)
+
+# We only run a small set of tests on Windows for now.
+# Override the parent directory's "unsupported" decision until we can handle
+# all of its tests.
+if root.host_os in ['Windows']:
+ config.unsupported = False
+else:
+ config.unsupported = True
diff --git a/test/asan/TestCases/Windows/longjmp.cc b/test/asan/TestCases/Windows/longjmp.cc
new file mode 100644
index 000000000000..443933e8ab62
--- /dev/null
+++ b/test/asan/TestCases/Windows/longjmp.cc
@@ -0,0 +1,26 @@
+// RUN: %clangxx_asan -O %s -o %t && %run %t
+
+// FIXME: merge this with the common longjmp test when we can run common
+// tests on Windows.
+
+#include <assert.h>
+#include <setjmp.h>
+#include <stdio.h>
+#include <sanitizer/asan_interface.h>
+
+static jmp_buf buf;
+
+int main() {
+ char x[32];
+ fprintf(stderr, "\nTestLongJmp\n");
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ if (0 == setjmp(buf))
+ longjmp(buf, 1);
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ assert(!__asan_address_is_poisoned(x + 32));
+}
diff --git a/test/asan/TestCases/Windows/malloc_left_oob.cc b/test/asan/TestCases/Windows/malloc_left_oob.cc
new file mode 100644
index 000000000000..ec133c393da2
--- /dev/null
+++ b/test/asan/TestCases/Windows/malloc_left_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)malloc(42);
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*malloc_left_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 1 bytes to the left of 42-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* malloc }}
+// CHECK-NEXT: {{#1 .* main .*malloc_left_oob.cc}}:[[@LINE-8]]
+ free(buffer);
+}
diff --git a/test/asan/TestCases/Windows/malloc_right_oob.cc b/test/asan/TestCases/Windows/malloc_right_oob.cc
new file mode 100644
index 000000000000..9975316d3e02
--- /dev/null
+++ b/test/asan/TestCases/Windows/malloc_right_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)malloc(42);
+ buffer[42] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*malloc_right_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes to the right of 42-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* malloc }}
+// CHECK-NEXT: {{#1 .* main .*malloc_right_oob.cc}}:[[@LINE-8]]
+ free(buffer);
+}
diff --git a/test/asan/TestCases/Windows/malloc_uaf.cc b/test/asan/TestCases/Windows/malloc_uaf.cc
new file mode 100644
index 000000000000..f58478947bf4
--- /dev/null
+++ b/test/asan/TestCases/Windows/malloc_uaf.cc
@@ -0,0 +1,20 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)malloc(42);
+ free(buffer);
+ buffer[0] = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*malloc_uaf.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 42-byte region
+// CHECK: freed by thread T0 here:
+// CHECK-NEXT: {{#0 .* free }}
+// CHECK-NEXT: {{#1 .* main .*malloc_uaf.cc}}:[[@LINE-8]]
+// CHECK: previously allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* malloc }}
+// CHECK-NEXT: {{#1 .* main .*malloc_uaf.cc}}:[[@LINE-12]]
+}
diff --git a/test/asan/TestCases/Windows/null_deref.cc b/test/asan/TestCases/Windows/null_deref.cc
new file mode 100644
index 000000000000..202000f59db7
--- /dev/null
+++ b/test/asan/TestCases/Windows/null_deref.cc
@@ -0,0 +1,15 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// FIXME: merge this with the common null_deref test when we can run common
+// tests on Windows.
+
+__attribute__((noinline))
+static void NullDeref(int *ptr) {
+ // CHECK: ERROR: AddressSanitizer: access-violation on unknown address
+ // CHECK: {{0x0*000.. .*pc 0x.*}}
+ ptr[10]++; // BOOM
+}
+int main() {
+ NullDeref((int*)0);
+ // CHECK: {{ #1 0x.* in main.*null_deref.cc:}}[[@LINE-1]]
+ // CHECK: AddressSanitizer can not provide additional info.
+}
diff --git a/test/asan/TestCases/Windows/null_deref_multiple_dlls.cc b/test/asan/TestCases/Windows/null_deref_multiple_dlls.cc
new file mode 100644
index 000000000000..62fe544ae545
--- /dev/null
+++ b/test/asan/TestCases/Windows/null_deref_multiple_dlls.cc
@@ -0,0 +1,40 @@
+// Make sure everything works even if the main module doesn't have any stack
+// variables, thus doesn't explicitly reference any symbol exported by the
+// runtime thunk.
+//
+// RUN: %clang_cl_asan -LD -O0 -DDLL1 %s -Fe%t1.dll
+// RUN: %clang_cl_asan -LD -O0 -DDLL2 %s -Fe%t2.dll
+// RUN: %clang_cl_asan -O0 -DEXE %s %t1.lib %t2.lib -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+#include <string.h>
+
+extern "C" {
+#if defined(EXE)
+__declspec(dllimport) void foo1();
+__declspec(dllimport) void foo2();
+
+int main() {
+ foo1();
+ foo2();
+}
+#elif defined(DLL1)
+__declspec(dllexport) void foo1() {}
+#elif defined(DLL2)
+__attribute__((noinline))
+static void NullDeref(int *ptr) {
+ // CHECK: ERROR: AddressSanitizer: access-violation on unknown address
+ // CHECK: {{0x0*000.. .*pc 0x.*}}
+ ptr[10]++; // BOOM
+}
+
+__declspec(dllexport) void foo2() {
+ NullDeref((int*)0);
+ // CHECK: {{ #1 0x.* in foo2.*null_deref_multiple_dlls.cc:}}[[@LINE-1]]
+ // CHECK: AddressSanitizer can not provide additional info.
+}
+#else
+# error oops!
+#endif
+}
diff --git a/test/asan/TestCases/Windows/operator_array_new_left_oob.cc b/test/asan/TestCases/Windows/operator_array_new_left_oob.cc
new file mode 100644
index 000000000000..20a0f1927e5b
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_array_new_left_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+int main() {
+ char *buffer = new char[42];
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*operator_array_new_left_oob.cc}}:[[@LINE-3]]
+//
+// CHECK: [[ADDR]] is located 1 bytes to the left of 42-byte region
+// CHECK-LABEL: allocated by thread T0 here:
+// FIXME: The 'operator new' frame should have [].
+// CHECK-NEXT: {{#0 .* operator new}}
+// CHECK-NEXT: {{#1 .* main .*operator_array_new_left_oob.cc}}:[[@LINE-10]]
+ delete [] buffer;
+}
diff --git a/test/asan/TestCases/Windows/operator_array_new_right_oob.cc b/test/asan/TestCases/Windows/operator_array_new_right_oob.cc
new file mode 100644
index 000000000000..23775ef6066e
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_array_new_right_oob.cc
@@ -0,0 +1,18 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ char *buffer = new char[42];
+ buffer[42] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*operator_array_new_right_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes to the right of 42-byte region
+// CHECK: allocated by thread T0 here:
+// FIXME: The 'operator new' frame should have [].
+// CHECK: {{#0 .* operator new}}
+// CHECK: {{#1 .* main .*operator_array_new_right_oob.cc}}:[[@LINE-9]]
+ delete [] buffer;
+}
diff --git a/test/asan/TestCases/Windows/operator_array_new_uaf.cc b/test/asan/TestCases/Windows/operator_array_new_uaf.cc
new file mode 100644
index 000000000000..b638ef1df415
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_array_new_uaf.cc
@@ -0,0 +1,24 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ char *buffer = new char[42];
+ delete [] buffer;
+ buffer[0] = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*operator_array_new_uaf.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 42-byte region
+// CHECK-LABEL: freed by thread T0 here:
+// FIXME: The 'operator delete' frame should have [].
+// CHECK: {{#0 .* operator delete}}
+// CHECK: {{#1 .* main .*operator_array_new_uaf.cc}}:[[@LINE-9]]
+// CHECK-LABEL: previously allocated by thread T0 here:
+// FIXME: The 'operator new' frame should have [].
+// CHECK: {{#0 .* operator new}}
+// CHECK: {{#1 .* main .*operator_array_new_uaf.cc}}:[[@LINE-14]]
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/operator_array_new_with_dtor_left_oob.cc b/test/asan/TestCases/Windows/operator_array_new_with_dtor_left_oob.cc
new file mode 100644
index 000000000000..63f2929bd89b
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_array_new_with_dtor_left_oob.cc
@@ -0,0 +1,25 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+struct C {
+ int x;
+ ~C() {}
+};
+
+int main() {
+ C *buffer = new C[42];
+ buffer[-2].x = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*operator_array_new_with_dtor_left_oob.cc}}:[[@LINE-3]]
+//
+// FIXME: Currently it says "4 bytes ... left of 172-byte region",
+// should be "8 bytes ... left of 168-byte region", see
+// https://code.google.com/p/address-sanitizer/issues/detail?id=314
+// CHECK: [[ADDR]] is located {{.*}} bytes to the left of 172-byte region
+// CHECK-LABEL: allocated by thread T0 here:
+// FIXME: The 'operator new' frame should have [].
+// CHECK-NEXT: {{#0 .* operator new}}
+// CHECK-NEXT: {{#1 .* main .*operator_array_new_with_dtor_left_oob.cc}}:[[@LINE-13]]
+ delete [] buffer;
+}
diff --git a/test/asan/TestCases/Windows/operator_delete_wrong_argument.cc b/test/asan/TestCases/Windows/operator_delete_wrong_argument.cc
new file mode 100644
index 000000000000..c3e7daca55b0
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_delete_wrong_argument.cc
@@ -0,0 +1,12 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ int *x = new int[42];
+ delete (x + 1);
+// CHECK: AddressSanitizer: attempting free on address which was not malloc()-ed
+// CHECK: {{#0 0x.* operator delete }}
+// CHECK: {{#1 .* main .*operator_delete_wrong_argument.cc}}:[[@LINE-3]]
+}
diff --git a/test/asan/TestCases/Windows/operator_new_left_oob.cc b/test/asan/TestCases/Windows/operator_new_left_oob.cc
new file mode 100644
index 000000000000..c077f11d68f9
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_new_left_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ char *buffer = new char;
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*operator_new_left_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 1 bytes to the left of 1-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK: {{#0 .* operator new }}
+// CHECK: {{#1 .* main .*operator_new_left_oob.cc}}:[[@LINE-8]]
+ delete buffer;
+}
diff --git a/test/asan/TestCases/Windows/operator_new_right_oob.cc b/test/asan/TestCases/Windows/operator_new_right_oob.cc
new file mode 100644
index 000000000000..7a66d1714b97
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_new_right_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ char *buffer = new char;
+ buffer[1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*operator_new_right_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes to the right of 1-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK: {{#0 .* operator new }}
+// CHECK: {{#1 .* main .*operator_new_right_oob.cc}}:[[@LINE-8]]
+ delete buffer;
+}
diff --git a/test/asan/TestCases/Windows/operator_new_uaf.cc b/test/asan/TestCases/Windows/operator_new_uaf.cc
new file mode 100644
index 000000000000..c435458f0c1c
--- /dev/null
+++ b/test/asan/TestCases/Windows/operator_new_uaf.cc
@@ -0,0 +1,22 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+int main() {
+ char *buffer = new char;
+ delete buffer;
+ *buffer = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK: {{#0 .* main .*operator_new_uaf.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 1-byte region
+// CHECK-LABEL: freed by thread T0 here:
+// CHECK: {{#0 .* operator delete }}
+// CHECK: {{#1 .* main .*operator_new_uaf.cc}}:[[@LINE-8]]
+// CHECK-LABEL: previously allocated by thread T0 here:
+// CHECK: {{#0 .* operator new }}
+// CHECK: {{#1 .* main .*operator_new_uaf.cc}}:[[@LINE-12]]
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/realloc_left_oob.cc b/test/asan/TestCases/Windows/realloc_left_oob.cc
new file mode 100644
index 000000000000..7d30e1d5c4ad
--- /dev/null
+++ b/test/asan/TestCases/Windows/realloc_left_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)realloc(0, 42);
+ buffer[-1] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*realloc_left_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 1 bytes to the left of 42-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* realloc }}
+// CHECK-NEXT: {{#1 .* main .*realloc_left_oob.cc}}:[[@LINE-8]]
+ free(buffer);
+}
diff --git a/test/asan/TestCases/Windows/realloc_right_oob.cc b/test/asan/TestCases/Windows/realloc_right_oob.cc
new file mode 100644
index 000000000000..f741390bd4e9
--- /dev/null
+++ b/test/asan/TestCases/Windows/realloc_right_oob.cc
@@ -0,0 +1,17 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)realloc(0, 42);
+ buffer[42] = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*realloc_right_oob.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes to the right of 42-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* realloc }}
+// CHECK-NEXT: {{#1 .* main .*realloc_right_oob.cc}}:[[@LINE-8]]
+ free(buffer);
+}
diff --git a/test/asan/TestCases/Windows/realloc_uaf.cc b/test/asan/TestCases/Windows/realloc_uaf.cc
new file mode 100644
index 000000000000..c5b6953cf76a
--- /dev/null
+++ b/test/asan/TestCases/Windows/realloc_uaf.cc
@@ -0,0 +1,20 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)realloc(0, 42);
+ free(buffer);
+ buffer[0] = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*realloc_uaf.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 42-byte region
+// CHECK: freed by thread T0 here:
+// CHECK-NEXT: {{#0 .* free }}
+// CHECK-NEXT: {{#1 .* main .*realloc_uaf.cc}}:[[@LINE-8]]
+// CHECK: previously allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* realloc }}
+// CHECK-NEXT: {{#1 .* main .*realloc_uaf.cc}}:[[@LINE-12]]
+}
diff --git a/test/asan/TestCases/Windows/report_after_syminitialize.cc b/test/asan/TestCases/Windows/report_after_syminitialize.cc
new file mode 100644
index 000000000000..faf5e35db5f5
--- /dev/null
+++ b/test/asan/TestCases/Windows/report_after_syminitialize.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+#include <dbghelp.h>
+
+int main() {
+ // Make sure the RTL recovers from "no options enabled" dbghelp setup.
+ SymSetOptions(0);
+
+ // Make sure the RTL recovers from "fInvadeProcess=FALSE".
+ if (!SymInitialize(GetCurrentProcess(), 0, FALSE))
+ return 42;
+
+ *(volatile int*)0 = 42;
+ // CHECK: ERROR: AddressSanitizer: access-violation on unknown address
+ // CHECK-NEXT: {{WARNING: .*DbgHelp}}
+ // CHECK: {{#0 0x.* in main.*report_after_syminitialize.cc:}}[[@LINE-3]]
+ // CHECK: AddressSanitizer can not provide additional info.
+}
diff --git a/test/asan/TestCases/Windows/seh.cc b/test/asan/TestCases/Windows/seh.cc
new file mode 100644
index 000000000000..50cf6ddba8d6
--- /dev/null
+++ b/test/asan/TestCases/Windows/seh.cc
@@ -0,0 +1,56 @@
+// Clang doesn't support SEH on Windows yet, so for the time being we
+// build this program in two parts: the code with SEH is built with CL,
+// the rest is built with Clang. This represents the typical scenario when we
+// build a large project using "clang-cl -fallback -fsanitize=address".
+//
+// Check both -GS and -GS- builds:
+// RUN: cl -c %s -Fo%t.obj
+// RUN: %clangxx_asan -o %t.exe %s %t.obj
+// RUN: %run %t.exe
+//
+// RUN: cl -GS- -c %s -Fo%t.obj
+// RUN: %clangxx_asan -o %t.exe %s %t.obj
+// RUN: %run %t.exe
+
+#include <windows.h>
+#include <assert.h>
+#include <stdio.h>
+
+// Should just "#include <sanitizer/asan_interface.h>" when C++ exceptions are
+// supported and we don't need to use CL.
+extern "C" bool __asan_address_is_poisoned(void *p);
+
+void ThrowAndCatch();
+
+#if !defined(__clang__)
+__declspec(noinline)
+void Throw() {
+ int local, zero = 0;
+ fprintf(stderr, "Throw: %p\n", &local);
+ local = 5 / zero;
+}
+
+__declspec(noinline)
+void ThrowAndCatch() {
+ int local;
+ __try {
+ Throw();
+ } __except(EXCEPTION_EXECUTE_HANDLER) {
+ fprintf(stderr, "__except: %p\n", &local);
+ }
+}
+#else
+
+int main() {
+ char x[32];
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ ThrowAndCatch();
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ assert(!__asan_address_is_poisoned(x + 32));
+}
+#endif
diff --git a/test/asan/TestCases/Windows/stack_array_left_oob.cc b/test/asan/TestCases/Windows/stack_array_left_oob.cc
new file mode 100644
index 000000000000..040d855b48e2
--- /dev/null
+++ b/test/asan/TestCases/Windows/stack_array_left_oob.cc
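Review bot: The hand-written prototype `extern "C" bool __asan_address_is_poisoned(void *p);` in seh.cc does not match the declaration in `sanitizer/asan_interface.h`, which returns `int` and takes `void const volatile *`. Calling through a mismatched prototype is undefined behaviour, and it only appears to work while the callee returns 0 or 1. Until the header can be included, I would declare it as `extern "C" int __asan_address_is_poisoned(void const volatile *p);`. The same prototype is repeated in throw_catch.cc.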
@@ -0,0 +1,16 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+
+int main() {
+ int subscript = -1;
+ char buffer[42];
+ buffer[subscript] = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*stack_array_left_oob.cc}}:[[@LINE-3]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: {{#0 .* main .*stack_array_left_oob.cc}}
+// CHECK: 'buffer' <== Memory access at offset [[OFFSET]] underflows this variable
+}
diff --git a/test/asan/TestCases/Windows/stack_array_right_oob.cc b/test/asan/TestCases/Windows/stack_array_right_oob.cc
new file mode 100644
index 000000000000..a370246aa072
--- /dev/null
+++ b/test/asan/TestCases/Windows/stack_array_right_oob.cc
@@ -0,0 +1,16 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+
+int main() {
+ int subscript = 42;
+ char buffer[42];
+ buffer[subscript] = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*stack_array_right_oob.cc}}:[[@LINE-3]]
+// CHECK: Address [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: {{#0 .* main .*stack_array_right_oob.cc}}
+// CHECK: 'buffer' <== Memory access at offset [[OFFSET]] overflows this variable
+}
diff --git a/test/asan/TestCases/Windows/stack_array_sanity.cc b/test/asan/TestCases/Windows/stack_array_sanity.cc
new file mode 100644
index 000000000000..1aef1a923d24
--- /dev/null
+++ b/test/asan/TestCases/Windows/stack_array_sanity.cc
@@ -0,0 +1,12 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t | FileCheck %s
+
+#include <stdio.h>
+
+int main() {
+ int subscript = 1;
+ char buffer[42];
+ buffer[subscript] = 42;
+ printf("OK\n");
+// CHECK: OK
+}
diff --git a/test/asan/TestCases/Windows/stack_use_after_return.cc b/test/asan/TestCases/Windows/stack_use_after_return.cc
new file mode 100644
index 000000000000..7955f2685308
--- /dev/null
+++ b/test/asan/TestCases/Windows/stack_use_after_return.cc
@@ -0,0 +1,22 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: env ASAN_OPTIONS=detect_stack_use_after_return=1 not %run %t 2>&1 | FileCheck %s
+
+char *x;
+
+void foo() {
+ char stack_buffer[42];
+ x = &stack_buffer[13];
+}
+
+int main() {
+ foo();
+ *x = 42;
+// CHECK: AddressSanitizer: stack-use-after-return
+// CHECK: WRITE of size 1 at {{.*}} thread T0
+// CHECK-NEXT: {{#0 0x.* in main .*stack_use_after_return.cc}}:[[@LINE-3]]
+//
+// CHECK: is located in stack of thread T0 at offset [[OFFSET:.*]] in frame
+// CHECK-NEXT: {{#0 0x.* in foo .*stack_use_after_return.cc}}
+//
+// CHECK: 'stack_buffer' <== Memory access at offset [[OFFSET]] is inside this variable
+}
diff --git a/test/asan/TestCases/Windows/thread_simple.cc b/test/asan/TestCases/Windows/thread_simple.cc
new file mode 100644
index 000000000000..14bb82f042aa
--- /dev/null
+++ b/test/asan/TestCases/Windows/thread_simple.cc
@@ -0,0 +1,26 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t
+
+#include <windows.h>
+
+DWORD WINAPI thread_proc(void *) {
+ volatile char stack_buffer[42];
+ for (int i = 0; i < sizeof(stack_buffer); ++i)
+ stack_buffer[i] = 42;
+ return 0x42;
+}
+
+int main() {
+ DWORD exitcode;
+ HANDLE thr = CreateThread(NULL, 0, thread_proc, NULL, 0, NULL);
+ if (thr == 0)
+ return 1;
+ if (WAIT_OBJECT_0 != WaitForSingleObject(thr, INFINITE))
+ return 2;
+
+ GetExitCodeThread(thr, &exitcode);
+ if (exitcode != 0x42)
+ return 3;
+ CloseHandle(thr);
+}
+
diff --git a/test/asan/TestCases/Windows/thread_stack_array_left_oob.cc b/test/asan/TestCases/Windows/thread_stack_array_left_oob.cc
new file mode 100644
index 000000000000..17b9b1bf8ecb
--- /dev/null
+++ b/test/asan/TestCases/Windows/thread_stack_array_left_oob.cc
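Review bot: In thread_simple.cc the result of `GetExitCodeThread(thr, &exitcode)` is ignored, so if the call fails `exitcode` is read uninitialized in the comparison that follows. The outcome of the test then depends on stack garbage rather than on the thread's exit status. I would make the failure explicit with `if (!GetExitCodeThread(thr, &exitcode)) return 4;`, and optionally initialise `exitcode` to 0 at its declaration.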
@@ -0,0 +1,27 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+DWORD WINAPI thread_proc(void *) {
+ int subscript = -1;
+ volatile char stack_buffer[42];
+ stack_buffer[subscript] = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T1
+// CHECK: {{#0 .* thread_proc .*thread_stack_array_left_oob.cc}}:[[@LINE-3]]
+// CHECK: Address [[ADDR]] is located in stack of thread T1 at offset {{.*}} in frame
+// CHECK: thread_proc
+ return 0;
+}
+
+int main() {
+ HANDLE thr = CreateThread(NULL, 0, thread_proc, NULL, 0, NULL);
+// CHECK: Thread T1 created by T0 here:
+// CHECK: {{#[01] .* main .*thread_stack_array_left_oob.cc}}:[[@LINE-2]]
+
+ // A failure to create a thread should fail the test!
+ if (thr == 0) return 0;
+
+ WaitForSingleObject(thr, INFINITE);
+}
diff --git a/test/asan/TestCases/Windows/thread_stack_array_right_oob.cc b/test/asan/TestCases/Windows/thread_stack_array_right_oob.cc
new file mode 100644
index 000000000000..601a1b8a8760
--- /dev/null
+++ b/test/asan/TestCases/Windows/thread_stack_array_right_oob.cc
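Review bot: The comment above `if (thr == 0) return 0;` in thread_stack_array_left_oob.cc reads as if it contradicts the code, because returning 0 normally means success. It only fails the test because the RUN line is `not %run %t`, which expects a non-zero exit. I would spell that out, for example `// Exit code 0 fails the test here: the RUN line uses 'not', so only a crash under ASan passes.` The same comment and return appear in thread_stack_array_right_oob.cc.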
@@ -0,0 +1,27 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <windows.h>
+
+DWORD WINAPI thread_proc(void *) {
+ int subscript = 42;
+ volatile char stack_buffer[42];
+ stack_buffer[subscript] = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T1
+// CHECK: {{#0 .* thread_proc .*thread_stack_array_right_oob.cc}}:[[@LINE-3]]
+// CHECK: Address [[ADDR]] is located in stack of thread T1 at offset {{.*}} in frame
+// CHECK: thread_proc
+ return 0;
+}
+
+int main(void) {
+ HANDLE thr = CreateThread(NULL, 0, thread_proc, NULL, 0, NULL);
+// CHECK: Thread T1 created by T0 here:
+// CHECK: {{#[01] .* main .*thread_stack_array_right_oob.cc}}:[[@LINE-2]]
+
+ // A failure to create a thread should fail the test!
+ if (thr == 0) return 0;
+
+ WaitForSingleObject(thr, INFINITE);
+}
diff --git a/test/asan/TestCases/Windows/thread_stack_reuse.cc b/test/asan/TestCases/Windows/thread_stack_reuse.cc
new file mode 100644
index 000000000000..7da3a807dac1
--- /dev/null
+++ b/test/asan/TestCases/Windows/thread_stack_reuse.cc
@@ -0,0 +1,37 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t
+
+#include <windows.h>
+
+DWORD WINAPI thread_proc_1(void *) {
+ volatile int x, y, z;
+ x = 1;
+ y = 2;
+ z = 3;
+ return 0;
+}
+
+DWORD WINAPI thread_proc_2(void *) {
+ volatile char stack_buffer[42];
+ for (int i = 0; i < sizeof(stack_buffer); ++i)
+ stack_buffer[i] = 42;
+ return 0;
+}
+
+int main(void) {
+ HANDLE thr = NULL;
+
+ thr = CreateThread(NULL, 0, thread_proc_1, NULL, 0, NULL);
+ if (thr == 0)
+ return 1;
+ if (WAIT_OBJECT_0 != WaitForSingleObject(thr, INFINITE))
+ return 2;
+
+ thr = CreateThread(NULL, 0, thread_proc_2, NULL, 0, NULL);
+ if (thr == 0)
+ return 3;
+ if (WAIT_OBJECT_0 != WaitForSingleObject(thr, INFINITE))
+ return 4;
+ CloseHandle(thr);
+}
+
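Review bot: In thread_stack_reuse.cc the handle of the first thread is overwritten by the second `CreateThread` call without being closed, so only the second handle reaches `CloseHandle(thr)`. The leak is harmless for the process lifetime. It may still matter for what the test name promises, since the first thread's kernel object stays alive while the second thread runs; whether that affects stack reuse is not visible from this hunk. Adding `CloseHandle(thr);` right after the first `WaitForSingleObject` check would release the first thread fully before the second one starts.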
diff --git a/test/asan/TestCases/Windows/thread_stress.cc b/test/asan/TestCases/Windows/thread_stress.cc
new file mode 100644
index 000000000000..74be8d88c665
--- /dev/null
+++ b/test/asan/TestCases/Windows/thread_stress.cc
@@ -0,0 +1,30 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t
+
+#include <windows.h>
+
+DWORD WINAPI thread_proc(void *) {
+ volatile char stack_buffer[42];
+ for (int i = 0; i < sizeof(stack_buffer); ++i)
+ stack_buffer[i] = 42;
+ return 0;
+}
+
+int main(void) {
+ for (int iter = 0; iter < 1024; ++iter) {
+ const int NUM_THREADS = 8;
+ HANDLE thr[NUM_THREADS];
+ for (int i = 0; i < NUM_THREADS; ++i) {
+ thr[i] = CreateThread(NULL, 0, thread_proc, NULL, 0, NULL);
+ if (thr[i] == 0)
+ return 1;
+ }
+ for (int i = 0; i < NUM_THREADS; ++i) {
+ if (WAIT_OBJECT_0 != WaitForSingleObject(thr[i], INFINITE))
+ return 2;
+ CloseHandle(thr[i]);
+ }
+ }
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/throw_catch.cc b/test/asan/TestCases/Windows/throw_catch.cc
new file mode 100644
index 000000000000..5313d25b26d6
--- /dev/null
+++ b/test/asan/TestCases/Windows/throw_catch.cc
@@ -0,0 +1,73 @@
+// Clang doesn't support exceptions on Windows yet, so for the time being we
+// build this program in two parts: the code with exceptions is built with CL,
+// the rest is built with Clang. This represents the typical scenario when we
+// build a large project using "clang-cl -fallback -fsanitize=address".
+//
+// RUN: cl -c %s -Fo%t.obj
+// RUN: %clangxx_asan -o %t.exe %s %t.obj
+// RUN: %run %t.exe
+
+#include <assert.h>
+#include <stdio.h>
+
+// Should just "#include <sanitizer/asan_interface.h>" when C++ exceptions are
+// supported and we don't need to use CL.
+extern "C" bool __asan_address_is_poisoned(void *p);
+
+void ThrowAndCatch();
+void TestThrowInline();
+
+#if !defined(__clang__)
+__declspec(noinline)
+void Throw() {
+ int local;
+ fprintf(stderr, "Throw: %p\n", &local);
+ throw 1;
+}
+
+__declspec(noinline)
+void ThrowAndCatch() {
+ int local;
+ try {
+ Throw();
+ } catch(...) {
+ fprintf(stderr, "Catch: %p\n", &local);
+ }
+}
+
+void TestThrowInline() {
+ char x[32];
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ try {
+ Throw();
+ } catch(...) {
+ fprintf(stderr, "Catch\n");
+ }
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ assert(!__asan_address_is_poisoned(x + 32));
+}
+
+#else
+
+void TestThrow() {
+ char x[32];
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ ThrowAndCatch();
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ assert(!__asan_address_is_poisoned(x + 32));
+}
+
+int main(int argc, char **argv) {
+ TestThrowInline();
+ TestThrow();
+}
+#endif
diff --git a/test/asan/TestCases/Windows/use_after_realloc.cc b/test/asan/TestCases/Windows/use_after_realloc.cc
new file mode 100644
index 000000000000..9d2c025258fa
--- /dev/null
+++ b/test/asan/TestCases/Windows/use_after_realloc.cc
@@ -0,0 +1,23 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+#include <malloc.h>
+
+int main() {
+ char *buffer = (char*)realloc(0, 32),
+ *stale = buffer;
+ buffer = (char*)realloc(buffer, 64);
+ // The 'stale' may now point to a free'd memory.
+ stale[0] = 42;
+// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 .* main .*use_after_realloc.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes inside of 32-byte region
+// CHECK: freed by thread T0 here:
+// CHECK-NEXT: {{#0 .* realloc }}
+// CHECK-NEXT: {{#1 .* main .*use_after_realloc.cc}}:[[@LINE-9]]
+// CHECK: previously allocated by thread T0 here:
+// CHECK-NEXT: {{#0 .* realloc }}
+// CHECK-NEXT: {{#1 .* main .*use_after_realloc.cc}}:[[@LINE-14]]
+ free(buffer);
+}
diff --git a/test/asan/TestCases/Windows/use_after_return_linkage.cc b/test/asan/TestCases/Windows/use_after_return_linkage.cc
new file mode 100644
index 000000000000..48c5065a0fa9
--- /dev/null
+++ b/test/asan/TestCases/Windows/use_after_return_linkage.cc
@@ -0,0 +1,12 @@
+// Make sure LIBCMT doesn't accidentally get added to the list of DEFAULTLIB
+// directives. REQUIRES: asan-dynamic-runtime
+// RUN: %clang_cl_asan -LD %s | FileCheck %s
+// CHECK: Creating library
+// CHECK-NOT: LIBCMT
+
+void foo(int *p) { *p = 42; }
+
+__declspec(dllexport) void bar() {
+ int x;
+ foo(&x);
+}
diff --git a/test/asan/TestCases/Windows/windows_h.cc b/test/asan/TestCases/Windows/windows_h.cc
new file mode 100644
index 000000000000..40cf5a10ad4f
--- /dev/null
+++ b/test/asan/TestCases/Windows/windows_h.cc
@@ -0,0 +1,7 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: %run %t
+
+// Just make sure we can parse <windows.h>
+#include <windows.h>
+
+int main() {}
diff --git a/test/asan/TestCases/Windows/wrong_downcast_on_heap.cc b/test/asan/TestCases/Windows/wrong_downcast_on_heap.cc
new file mode 100644
index 000000000000..112dd5308d11
--- /dev/null
+++ b/test/asan/TestCases/Windows/wrong_downcast_on_heap.cc
@@ -0,0 +1,26 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+class Parent {
+ public:
+ int field;
+};
+
+class Child : public Parent {
+ public:
+ int extra_field;
+};
+
+int main(void) {
+ Parent *p = new Parent;
+ Child *c = (Child*)p; // Intentional error here!
+ c->extra_field = 42;
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+// CHECK: {{#0 0x[0-9a-f]* in main .*wrong_downcast_on_heap.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located 0 bytes to the right of 4-byte region
+// CHECK: allocated by thread T0 here:
+// CHECK: #0 {{.*}} operator new
+ return 0;
+}
+
diff --git a/test/asan/TestCases/Windows/wrong_downcast_on_stack.cc b/test/asan/TestCases/Windows/wrong_downcast_on_stack.cc
new file mode 100644
index 000000000000..2859ecc521d2
--- /dev/null
+++ b/test/asan/TestCases/Windows/wrong_downcast_on_stack.cc
@@ -0,0 +1,26 @@
+// RUN: %clang_cl_asan -O0 %s -Fe%t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+class Parent {
+ public:
+ int field;
+};
+
+class Child : public Parent {
+ public:
+ int extra_field;
+};
+
+int main(void) {
+ Parent p;
+ Child *c = (Child*)&p; // Intentional error here!
+ c->extra_field = 42;
+// CHECK: AddressSanitizer: stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+// CHECK-NEXT: {{#0 0x[0-9a-f]* in main .*wrong_downcast_on_stack.cc}}:[[@LINE-3]]
+// CHECK: [[ADDR]] is located in stack of thread T0 at offset [[OFFSET:[0-9]+]] in frame
+// CHECK-NEXT: {{#0 0x[0-9a-f]* in main }}
+// CHECK: 'p' <== Memory access at offset [[OFFSET]] overflows this variable
+ return 0;
+}
+
diff --git a/test/asan/TestCases/alloca_big_alignment.cc b/test/asan/TestCases/alloca_big_alignment.cc
new file mode 100644
index 000000000000..2ede3f949b24
--- /dev/null
+++ b/test/asan/TestCases/alloca_big_alignment.cc
@@ -0,0 +1,18 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ volatile char str[len] __attribute__((aligned(128)));
+ assert(!(reinterpret_cast<long>(str) & 127L));
+ str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+}
+
+int main(int argc, char **argv) {
+ foo(10, 10);
+ return 0;
+}
diff --git a/test/asan/TestCases/alloca_detect_custom_size_.cc b/test/asan/TestCases/alloca_detect_custom_size_.cc
new file mode 100644
index 000000000000..2b0f573de3d0
--- /dev/null
+++ b/test/asan/TestCases/alloca_detect_custom_size_.cc
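Review bot: In alloca_big_alignment.cc, the alignment check `assert(!(reinterpret_cast<long>(str) & 127L));` in foo() converts a pointer to `long`, which is narrower than a pointer on LLP64 targets, where this cast does not compile. `uintptr_t` from `<stdint.h>` is the portable integer type for a pointer value: `assert(!(reinterpret_cast<uintptr_t>(str) & 127));`. The other alloca_*.cc tests added by this commit use the same cast with the mask `31L` and would take the same change.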
@@ -0,0 +1,23 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: not %run %t 2>&1 | FileCheck %s +// + +#include <assert.h> + +struct A { + char a[3]; + int b[3]; +}; + +__attribute__((noinline)) void foo(int index, int len) { + volatile struct A str[len] __attribute__((aligned(32))); + assert(!(reinterpret_cast<long>(str) & 31L)); + str[index].a[0] = '1'; // BOOM +// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 1 at [[ADDR]] thread T0 +} + +int main(int argc, char **argv) { + foo(10, 10); + return 0; +} diff --git a/test/asan/TestCases/alloca_instruments_all_paddings.cc b/test/asan/TestCases/alloca_instruments_all_paddings.cc new file mode 100644 index 000000000000..d60a3b22dcb9 --- /dev/null +++ b/test/asan/TestCases/alloca_instruments_all_paddings.cc @@ -0,0 +1,23 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: %run %t 2>&1 +// + +#include "sanitizer/asan_interface.h" +#include <assert.h> + +__attribute__((noinline)) void foo(int index, int len) { + volatile char str[len] __attribute__((aligned(32))); + assert(!(reinterpret_cast<long>(str) & 31L)); + char *q = (char *)__asan_region_is_poisoned((char *)str, 64); + assert(q && ((q - str) == index)); +} + +int main(int argc, char **argv) { + for (int i = 1; i < 33; ++i) + foo(i, i); + + for (int i = 1; i < 33; ++i) + foo(i, i); + + return 0; +} diff --git a/test/asan/TestCases/alloca_overflow_partial.cc b/test/asan/TestCases/alloca_overflow_partial.cc new file mode 100644 index 000000000000..590f35465dad --- /dev/null +++ b/test/asan/TestCases/alloca_overflow_partial.cc 
@@ -0,0 +1,18 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ volatile char str[len] __attribute__((aligned(32)));
+ assert(!(reinterpret_cast<long>(str) & 31L));
+ str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+}
+
+int main(int argc, char **argv) {
+ foo(10, 10);
+ return 0;
+}
diff --git a/test/asan/TestCases/alloca_overflow_right.cc b/test/asan/TestCases/alloca_overflow_right.cc
new file mode 100644
index 000000000000..caec846838ef
--- /dev/null
+++ b/test/asan/TestCases/alloca_overflow_right.cc
@@ -0,0 +1,18 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ volatile char str[len] __attribute__((aligned(32)));
+ assert(!(reinterpret_cast<long>(str) & 31L));
+ str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+}
+
+int main(int argc, char **argv) {
+ foo(33, 10);
+ return 0;
+}
diff --git a/test/asan/TestCases/alloca_safe_access.cc b/test/asan/TestCases/alloca_safe_access.cc
new file mode 100644
index 000000000000..240454fd55e4
--- /dev/null
+++ b/test/asan/TestCases/alloca_safe_access.cc
@@ -0,0 +1,17 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: %run %t 2>&1
+//
+
+#include <assert.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ volatile char str[len] __attribute__((aligned(32)));
+ assert(!(reinterpret_cast<long>(str) & 31L));
+ str[index] = '1';
+}
+
+int main(int argc, char **argv) {
+ foo(4, 5);
+ foo(39, 40);
+ return 0;
+}
diff --git a/test/asan/TestCases/alloca_underflow_left.cc b/test/asan/TestCases/alloca_underflow_left.cc
new file mode 100644
index 000000000000..6e7061f7cfe2
--- /dev/null
+++ b/test/asan/TestCases/alloca_underflow_left.cc
@@ -0,0 +1,18 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ volatile char str[len] __attribute__((aligned(32)));
+ assert(!(reinterpret_cast<long>(str) & 31L));
+ str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+}
+
+int main(int argc, char **argv) {
+ foo(-1, 10);
+ return 0;
+}
diff --git a/test/asan/TestCases/allocator_returns_null.cc b/test/asan/TestCases/allocator_returns_null.cc
new file mode 100644
index 000000000000..59a053c3dcad
--- /dev/null
+++ b/test/asan/TestCases/allocator_returns_null.cc
@@ -0,0 +1,83 @@ +// Test the behavior of malloc/calloc/realloc when the allocation size is huge. +// By default (allocator_may_return_null=0) the process should crash. +// With allocator_may_return_null=1 the allocator should return 0. +// +// RUN: %clangxx_asan -O0 %s -o %t +// RUN: not %run %t malloc 2>&1 | FileCheck %s --check-prefix=CHECK-mCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=0 not %run %t malloc 2>&1 | FileCheck %s --check-prefix=CHECK-mCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=1 %run %t malloc 2>&1 | FileCheck %s --check-prefix=CHECK-mNULL +// RUN: env ASAN_OPTIONS=allocator_may_return_null=0 not %run %t calloc 2>&1 | FileCheck %s --check-prefix=CHECK-cCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=1 %run %t calloc 2>&1 | FileCheck %s --check-prefix=CHECK-cNULL +// RUN: env ASAN_OPTIONS=allocator_may_return_null=0 not %run %t calloc-overflow 2>&1 | FileCheck %s --check-prefix=CHECK-coCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=1 %run %t calloc-overflow 2>&1 | FileCheck %s --check-prefix=CHECK-coNULL +// RUN: env ASAN_OPTIONS=allocator_may_return_null=0 not %run %t realloc 2>&1 | FileCheck %s --check-prefix=CHECK-rCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=1 %run %t realloc 2>&1 | FileCheck %s --check-prefix=CHECK-rNULL +// RUN: env ASAN_OPTIONS=allocator_may_return_null=0 not %run %t realloc-after-malloc 2>&1 | FileCheck %s --check-prefix=CHECK-mrCRASH +// RUN: env ASAN_OPTIONS=allocator_may_return_null=1 %run %t realloc-after-malloc 2>&1 | FileCheck %s --check-prefix=CHECK-mrNULL + +#include <limits.h> +#include <stdlib.h> +#include <string.h> +#include <stdio.h> +#include <assert.h> +#include <limits> +int main(int argc, char **argv) { + volatile size_t size = std::numeric_limits<size_t>::max() - 10000; + assert(argc == 2); + char *x = 0; + if (!strcmp(argv[1], "malloc")) { + fprintf(stderr, "malloc:\n"); + x = (char*)malloc(size); + } + if (!strcmp(argv[1], "calloc")) { + 
fprintf(stderr, "calloc:\n"); + x = (char*)calloc(size / 4, 4); + } + + if (!strcmp(argv[1], "calloc-overflow")) { + fprintf(stderr, "calloc-overflow:\n"); + volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max(); + size_t kArraySize = 4096; + volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10; + x = (char*)calloc(kArraySize, kArraySize2); + } + + if (!strcmp(argv[1], "realloc")) { + fprintf(stderr, "realloc:\n"); + x = (char*)realloc(0, size); + } + if (!strcmp(argv[1], "realloc-after-malloc")) { + fprintf(stderr, "realloc-after-malloc:\n"); + char *t = (char*)malloc(100); + *t = 42; + x = (char*)realloc(t, size); + assert(*t == 42); + free(t); + } + // The NULL pointer is printed differently on different systems, while (long)0 + // is always the same. + fprintf(stderr, "x: %lx\n", (long)x); + free(x); + return x != 0; +} +// CHECK-mCRASH: malloc: +// CHECK-mCRASH: AddressSanitizer's allocator is terminating the process +// CHECK-cCRASH: calloc: +// CHECK-cCRASH: AddressSanitizer's allocator is terminating the process +// CHECK-coCRASH: calloc-overflow: +// CHECK-coCRASH: AddressSanitizer's allocator is terminating the process +// CHECK-rCRASH: realloc: +// CHECK-rCRASH: AddressSanitizer's allocator is terminating the process +// CHECK-mrCRASH: realloc-after-malloc: +// CHECK-mrCRASH: AddressSanitizer's allocator is terminating the process + +// CHECK-mNULL: malloc: +// CHECK-mNULL: x: 0 +// CHECK-cNULL: calloc: +// CHECK-cNULL: x: 0 +// CHECK-coNULL: calloc-overflow: +// CHECK-coNULL: x: 0 +// CHECK-rNULL: realloc: +// CHECK-rNULL: x: 0 +// CHECK-mrNULL: realloc-after-malloc: +// CHECK-mrNULL: x: 0 diff --git a/test/asan/TestCases/asan_and_llvm_coverage_test.cc b/test/asan/TestCases/asan_and_llvm_coverage_test.cc new file mode 100644 index 000000000000..35bdfcb353c2 --- /dev/null +++ b/test/asan/TestCases/asan_and_llvm_coverage_test.cc 
@@ -0,0 +1,10 @@
+// RUN: %clangxx_asan -coverage -O0 %s -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=1 %run %t 2>&1 | FileCheck %s
+// XFAIL: android
+#include <stdio.h>
+int foo() { return 1; }
+int XXX = foo();
+int main() {
+ printf("PASS\n");
+// CHECK: PASS
+}
diff --git a/test/asan/TestCases/atexit_stats.cc b/test/asan/TestCases/atexit_stats.cc
new file mode 100644
index 000000000000..be6534475245
--- /dev/null
+++ b/test/asan/TestCases/atexit_stats.cc
@@ -0,0 +1,18 @@
+// Make sure we report atexit stats.
+// RUN: %clangxx_asan -O3 %s -o %t
+// RUN: env ASAN_OPTIONS=atexit=1:print_stats=1 %run %t 2>&1 | FileCheck %s
+//
+// No atexit output on Android due to
+// https://code.google.com/p/address-sanitizer/issues/detail?id=263
+// XFAIL: android
+
+#include <stdlib.h>
+#if !defined(__APPLE__) && !defined(__FreeBSD__)
+#include <malloc.h>
+#endif
+int *p1 = (int*)malloc(900);
+int *p2 = (int*)malloc(90000);
+int *p3 = (int*)malloc(9000000);
+int main() { }
+
+// CHECK: AddressSanitizer exit stats:
diff --git a/test/asan/TestCases/blacklist.cc b/test/asan/TestCases/blacklist.cc
new file mode 100644
index 000000000000..7c31484c2174
--- /dev/null
+++ b/test/asan/TestCases/blacklist.cc
@@ -0,0 +1,38 @@ +// Test the blacklist functionality of ASan + +// RUN: echo "fun:*brokenFunction*" > %tmp +// RUN: echo "global:*badGlobal*" >> %tmp +// RUN: echo "src:*blacklist-extra.cc" >> %tmp +// RUN: %clangxx_asan -fsanitize-blacklist=%tmp -O0 %s -o %t \ +// RUN: %p/Helpers/blacklist-extra.cc && %run %t 2>&1 +// RUN: %clangxx_asan -fsanitize-blacklist=%tmp -O1 %s -o %t \ +// RUN: %p/Helpers/blacklist-extra.cc && %run %t 2>&1 +// RUN: %clangxx_asan -fsanitize-blacklist=%tmp -O2 %s -o %t \ +// RUN: %p/Helpers/blacklist-extra.cc && %run %t 2>&1 +// RUN: %clangxx_asan -fsanitize-blacklist=%tmp -O3 %s -o %t \ +// RUN: %p/Helpers/blacklist-extra.cc && %run %t 2>&1 + +// badGlobal is accessed improperly, but we blacklisted it. Align +// it to make sure memory past the end of badGlobal will be in +// the same page. +__attribute__((aligned(16))) int badGlobal; +int readBadGlobal() { + return (&badGlobal)[1]; +} + +// A function which is broken, but excluded in the blacklist. +int brokenFunction(int argc) { + char x[10] = {0}; + return x[argc * 10]; // BOOM +} + +// This function is defined in Helpers/blacklist-extra.cc, a source file which +// is blacklisted by name +int externalBrokenFunction(int x); + +int main(int argc, char **argv) { + brokenFunction(argc); + int x = readBadGlobal(); + externalBrokenFunction(argc); + return 0; +} diff --git a/test/asan/TestCases/contiguous_container.cc b/test/asan/TestCases/contiguous_container.cc new file mode 100644 index 000000000000..0f3a7db5b060 --- /dev/null +++ b/test/asan/TestCases/contiguous_container.cc 
@@ -0,0 +1,75 @@ +// RUN: %clangxx_asan -O %s -o %t && %run %t +// +// Test __sanitizer_annotate_contiguous_container. + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <assert.h> +#include <sanitizer/asan_interface.h> + +void TestContainer(size_t capacity) { + char *beg = new char[capacity]; + char *end = beg + capacity; + char *mid = beg + capacity; + char *old_mid = 0; + + for (int i = 0; i < 10000; i++) { + size_t size = rand() % (capacity + 1); + assert(size <= capacity); + old_mid = mid; + mid = beg + size; + __sanitizer_annotate_contiguous_container(beg, end, old_mid, mid); + + for (size_t idx = 0; idx < size; idx++) + assert(!__asan_address_is_poisoned(beg + idx)); + for (size_t idx = size; idx < capacity; idx++) + assert(__asan_address_is_poisoned(beg + idx)); + assert(__sanitizer_verify_contiguous_container(beg, mid, end)); + if (mid != beg) + assert(!__sanitizer_verify_contiguous_container(beg, mid - 1, end)); + if (mid != end) + assert(!__sanitizer_verify_contiguous_container(beg, mid + 1, end)); + } + + // Don't forget to unpoison the whole thing before destroing/reallocating. + __sanitizer_annotate_contiguous_container(beg, end, mid, end); + for (size_t idx = 0; idx < capacity; idx++) + assert(!__asan_address_is_poisoned(beg + idx)); + delete[] beg; +} + +__attribute__((noinline)) +void Throw() { throw 1; } + +__attribute__((noinline)) +void ThrowAndCatch() { + try { + Throw(); + } catch(...) { + } +} + +void TestThrow() { + char x[32]; + __sanitizer_annotate_contiguous_container(x, x + 32, x + 32, x + 14); + assert(!__asan_address_is_poisoned(x + 13)); + assert(__asan_address_is_poisoned(x + 14)); + ThrowAndCatch(); + assert(!__asan_address_is_poisoned(x + 13)); + // FIXME: invert the assertion below once we fix + // https://code.google.com/p/address-sanitizer/issues/detail?id=258 + // This assertion works only w/o UAR. 
+ if (!__asan_get_current_fake_stack()) + assert(!__asan_address_is_poisoned(x + 14)); + __sanitizer_annotate_contiguous_container(x, x + 32, x + 14, x + 32); + assert(!__asan_address_is_poisoned(x + 13)); + assert(!__asan_address_is_poisoned(x + 14)); +} + +int main(int argc, char **argv) { + int n = argc == 1 ? 128 : atoi(argv[1]); + for (int i = 0; i <= n; i++) + TestContainer(i); + TestThrow(); +} diff --git a/test/asan/TestCases/contiguous_container_crash.cc b/test/asan/TestCases/contiguous_container_crash.cc new file mode 100644 index 000000000000..143ae9d8edee --- /dev/null +++ b/test/asan/TestCases/contiguous_container_crash.cc @@ -0,0 +1,41 @@ +// RUN: %clangxx_asan -O %s -o %t +// RUN: not %run %t crash 2>&1 | FileCheck --check-prefix=CHECK-CRASH %s +// RUN: not %run %t bad-bounds 2>&1 | FileCheck --check-prefix=CHECK-BAD %s +// RUN: env ASAN_OPTIONS=detect_container_overflow=0 %run %t crash +// +// Test crash due to __sanitizer_annotate_contiguous_container. + +#include <assert.h> +#include <string.h> + +extern "C" { +void __sanitizer_annotate_contiguous_container(const void *beg, const void *end, + const void *old_mid, + const void *new_mid); +} // extern "C" + +static volatile int one = 1; + +int TestCrash() { + long t[100]; + t[60] = 0; + __sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 100, + &t[0] + 50); + return (int)t[60 * one]; // Touches the poisoned memory. +} + +void BadBounds() { + long t[100]; + __sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 101, + &t[0] + 50); +} + +int main(int argc, char **argv) { + assert(argc == 2); + if (!strcmp(argv[1], "crash")) + return TestCrash(); + else if (!strcmp(argv[1], "bad-bounds")) + BadBounds(); +} +// CHECK-CRASH: AddressSanitizer: container-overflow +// CHECK-BAD: ERROR: AddressSanitizer: bad parameters to __sanitizer_annotate_contiguous_container 
diff --git a/test/asan/TestCases/current_allocated_bytes.cc b/test/asan/TestCases/current_allocated_bytes.cc new file mode 100644 index 000000000000..c49e433b1e8b --- /dev/null +++ b/test/asan/TestCases/current_allocated_bytes.cc @@ -0,0 +1,44 @@ +// RUN: %clangxx_asan -O0 %s -pthread -o %t && %run %t +// RUN: %clangxx_asan -O2 %s -pthread -o %t && %run %t +// REQUIRES: stable-runtime + +#include <assert.h> +#include <pthread.h> +#include <sanitizer/allocator_interface.h> +#include <stdio.h> +#include <stdlib.h> + +const size_t kLargeAlloc = 1UL << 20; + +void* allocate(void *arg) { + volatile void *ptr = malloc(kLargeAlloc); + free((void*)ptr); + return 0; +} + +void* check_stats(void *arg) { + assert(__sanitizer_get_current_allocated_bytes() > 0); + return 0; +} + +int main() { + size_t used_mem = __sanitizer_get_current_allocated_bytes(); + printf("Before: %zu\n", used_mem); + const int kNumIterations = 1000; + for (int iter = 0; iter < kNumIterations; iter++) { + pthread_t thr[4]; + for (int j = 0; j < 4; j++) { + assert(0 == + pthread_create(&thr[j], 0, (j < 2) ? allocate : check_stats, 0)); + } + for (int j = 0; j < 4; j++) + assert(0 == pthread_join(thr[j], 0)); + used_mem = __sanitizer_get_current_allocated_bytes(); + if (used_mem > kLargeAlloc) { + printf("After iteration %d: %zu\n", iter, used_mem); + return 1; + } + } + printf("Success after %d iterations\n", kNumIterations); + return 0; +} diff --git a/test/asan/TestCases/debug_locate.cc b/test/asan/TestCases/debug_locate.cc new file mode 100644 index 000000000000..5971a772786b --- /dev/null +++ b/test/asan/TestCases/debug_locate.cc 
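Review bot: In main() of current_allocated_bytes.cc, `pthread_create` and `pthread_join` are called inside `assert(...)`, so a build with `NDEBUG` defined would start no threads and the test would still print "Success" without exercising the allocator. Keep the call outside the assertion, e.g. `int rc = pthread_create(&thr[j], 0, (j < 2) ? allocate : check_stats, 0);` followed by `assert(rc == 0);`, and do the same for `pthread_join`. The RUN lines shown do not define `NDEBUG`, so this is a robustness point rather than a current failure.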
@@ -0,0 +1,80 @@ +// Checks the ASan memory address type debugging API, makes sure it returns +// the correct memory type for heap, stack, global and shadow addresses and +// that it correctly finds out which region (and name and size) the address +// belongs to. +// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 + +#include <assert.h> +#include <sanitizer/asan_interface.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +int global_var; + +int main() { + int local_var; + char *heap_ptr = (char *)malloc(10); + + char name[100]; + void *region_address; + size_t region_size; + const char *type; + + type = __asan_locate_address(&global_var, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(name, "global_var")); + assert(0 == strcmp(type, "global")); + assert(region_address == &global_var); + assert(region_size == sizeof(global_var)); + + type = __asan_locate_address((char *)(&global_var)+1, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(name, "global_var")); + assert(0 == strcmp(type, "global")); + assert(region_address == &global_var); + assert(region_size == sizeof(global_var)); + + type = __asan_locate_address(&local_var, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(name, "local_var")); + assert(0 == strcmp(type, "stack")); + assert(region_address == &local_var); + assert(region_size == sizeof(local_var)); + + type = __asan_locate_address((char *)(&local_var)+1, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(name, "local_var")); + assert(0 == strcmp(type, "stack")); + assert(region_address == &local_var); + assert(region_size == sizeof(local_var)); + + type = __asan_locate_address(heap_ptr, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(type, "heap")); + assert(region_address == heap_ptr); + assert(10 == region_size); + + type = __asan_locate_address(heap_ptr+1, name, 100, + ®ion_address, ®ion_size); + assert(0 == strcmp(type, "heap")); + assert(region_address == heap_ptr); + assert(10 
== region_size); + + size_t shadow_scale; + size_t shadow_offset; + __asan_get_shadow_mapping(&shadow_scale, &shadow_offset); + + uintptr_t shadow_ptr = (((uintptr_t)heap_ptr) >> shadow_scale) + + shadow_offset; + type = __asan_locate_address((void *)shadow_ptr, NULL, 0, NULL, NULL); + assert((0 == strcmp(type, "high shadow")) || 0 == strcmp(type, "low shadow")); + + uintptr_t shadow_gap = (shadow_ptr >> shadow_scale) + shadow_offset; + type = __asan_locate_address((void *)shadow_gap, NULL, 0, NULL, NULL); + assert(0 == strcmp(type, "shadow gap")); + + free(heap_ptr); + + return 0; +} diff --git a/test/asan/TestCases/debug_mapping.cc b/test/asan/TestCases/debug_mapping.cc new file mode 100644 index 000000000000..f96abf6d11cf --- /dev/null +++ b/test/asan/TestCases/debug_mapping.cc @@ -0,0 +1,24 @@ +// Checks that the debugging API returns correct shadow scale and offset. +// RUN: %clangxx_asan -O %s -o %t +// RUN: env ASAN_OPTIONS=verbosity=1 %run %t 2>&1 | FileCheck %s + +#include <sanitizer/asan_interface.h> +#include <stdio.h> +#include <stdlib.h> + +// printed because of verbosity=1 +// CHECK: SHADOW_SCALE: [[SCALE:[0-9]+]] +// CHECK: SHADOW_OFFSET: [[OFFSET:[0-9]+]] + +int main() { + size_t scale, offset; + __asan_get_shadow_mapping(&scale, &offset); + + fprintf(stderr, "scale: %lx\n", scale); + fprintf(stderr, "offset: %lx\n", offset); + + // CHECK: scale: [[SCALE]] + // CHECK: offset: [[OFFSET]] + + return 0; +} diff --git a/test/asan/TestCases/debug_ppc64_mapping.cc b/test/asan/TestCases/debug_ppc64_mapping.cc new file mode 100644 index 000000000000..3ddd3e1404ce --- /dev/null +++ b/test/asan/TestCases/debug_ppc64_mapping.cc 
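Review bot: Every `__asan_locate_address` call in main() of debug_locate.cc passes the literal `100` as the capacity of `name`, repeating the bound from `char name[100];`. Passing `sizeof(name)` keeps the length handed to the runtime tied to the buffer it writes into, so the two cannot drift apart if the array is resized. `uintptr_t` is also used without a direct `#include <stdint.h>`; it presumably arrives through `<sanitizer/asan_interface.h>`, and an explicit include would remove that dependency.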
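Review bot: In debug_mapping.cc, `fprintf(stderr, "scale: %lx\n", scale);` and the matching `offset` line print `size_t` values with `%lx`, which is a format mismatch wherever `size_t` is not `unsigned long`; the matching conversion is `%zx`, as in `fprintf(stderr, "scale: %zx\n", scale);`. The same kind of mismatch is in debug_report.cc, where `"access_size: %ld\n"` receives a `size_t` and should use `%zu`. It is also in debug_stacks.cc, where `"0x%lx\n"` receives the `void *` elements of `trace` and needs an explicit cast to an integer type that matches the conversion. The CHECK patterns only look at the printed digits, so the expected output does not change.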
@@ -0,0 +1,37 @@ +// RUN: %clang_asan -O0 %s -o %t +// RUN: env ASAN_OPTIONS=verbosity=0 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-PPC64-V0 +// RUN: env ASAN_OPTIONS=verbosity=2 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-PPC64 +// REQUIRES: powerpc64-supported-target + +#include <stdio.h> + +int main() { +// CHECK-PPC64: || `[{{0x0a0|0x040}}000000000, {{0x3ff|0x0ff}}fffffffff]` || HighMem || +// CHECK-PPC64: || `[{{0x034|0x028}}000000000, {{0x09f|0x03f}}fffffffff]` || HighShadow || +// CHECK-PPC64: || `[{{0x024|0x024}}000000000, {{0x033|0x027}}fffffffff]` || ShadowGap || +// CHECK-PPC64: || `[0x020000000000, 0x023fffffffff]` || LowShadow || +// CHECK-PPC64: || `[0x000000000000, 0x01ffffffffff]` || LowMem || +// + printf("ppc64 eyecatcher \n"); +// CHECK-PPC64-V0: ppc64 eyecatcher + + return 0; +} + +/* + * Two different signatures noted at the time of writing. +Newish kernel: (64TB address range support, starting with kernel version 3.7) +|| `[0x0a0000000000, 0x3fffffffffff]` || HighMem || +|| `[0x034000000000, 0x09ffffffffff]` || HighShadow || +|| `[0x024000000000, 0x033fffffffff]` || ShadowGap || +|| `[0x020000000000, 0x023fffffffff]` || LowShadow || +|| `[0x000000000000, 0x01ffffffffff]` || LowMem || + +Oldish kernel: +|| `[0x040000000000, 0x0fffffffffff]` || HighMem || +|| `[0x028000000000, 0x03ffffffffff]` || HighShadow || +|| `[0x024000000000, 0x027fffffffff]` || ShadowGap || +|| `[0x020000000000, 0x023fffffffff]` || LowShadow || +|| `[0x000000000000, 0x01ffffffffff]` || LowMem || +*/ + diff --git a/test/asan/TestCases/debug_report.cc b/test/asan/TestCases/debug_report.cc new file mode 100644 index 000000000000..acf52f918dd8 --- /dev/null +++ b/test/asan/TestCases/debug_report.cc 
@@ -0,0 +1,48 @@ +// Checks that the ASan debugging API for getting report information +// returns correct values. +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s + +#include <sanitizer/asan_interface.h> +#include <stdio.h> +#include <stdlib.h> + +int main() { + char *heap_ptr = (char *)malloc(10); + free(heap_ptr); + int present = __asan_report_present(); + fprintf(stderr, "%s\n", (present == 0) ? "no report" : ""); + // CHECK: no report + heap_ptr[0] = 'A'; // BOOM + return 0; +} + +void __asan_on_error() { + int present = __asan_report_present(); + void *pc = __asan_get_report_pc(); + void *bp = __asan_get_report_bp(); + void *sp = __asan_get_report_sp(); + void *addr = __asan_get_report_address(); + int is_write = __asan_get_report_access_type(); + size_t access_size = __asan_get_report_access_size(); + const char *description = __asan_get_report_description(); + + fprintf(stderr, "%s\n", (present == 1) ? "report" : ""); + // CHECK: report + fprintf(stderr, "pc: %p\n", pc); + // CHECK: pc: 0x[[PC:[0-9a-f]+]] + fprintf(stderr, "bp: %p\n", bp); + // CHECK: bp: 0x[[BP:[0-9a-f]+]] + fprintf(stderr, "sp: %p\n", sp); + // CHECK: sp: 0x[[SP:[0-9a-f]+]] + fprintf(stderr, "addr: %p\n", addr); + // CHECK: addr: 0x[[ADDR:[0-9a-f]+]] + fprintf(stderr, "type: %s\n", (is_write ? "write" : "read")); + // CHECK: type: write + fprintf(stderr, "access_size: %ld\n", access_size); + // CHECK: access_size: 1 + fprintf(stderr, "description: %s\n", description); + // CHECK: description: heap-use-after-free +} + +// CHECK: AddressSanitizer: heap-use-after-free on address {{0x0*}}[[ADDR]] at pc {{0x0*}}[[PC]] bp {{0x0*}}[[BP]] sp {{0x0*}}[[SP]] +// CHECK: WRITE of size 1 at {{0x0*}}[[ADDR]] thread T0 diff --git a/test/asan/TestCases/debug_stacks.cc b/test/asan/TestCases/debug_stacks.cc new file mode 100644 index 000000000000..57bb5465035a --- /dev/null +++ b/test/asan/TestCases/debug_stacks.cc 
@@ -0,0 +1,62 @@ +// Check that the stack trace debugging API works and returns correct +// malloc and free stacks. +// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s + +#include <sanitizer/asan_interface.h> +#include <stdio.h> +#include <stdlib.h> + +char *mem; +void func1() { + mem = (char *)malloc(10); +} + +void func2() { + free(mem); +} + +int main() { + func1(); + func2(); + + void *trace[100]; + size_t num_frames = 100; + int thread_id; + num_frames = __asan_get_alloc_stack(mem, trace, num_frames, &thread_id); + + fprintf(stderr, "alloc stack retval %s\n", (num_frames > 0 && num_frames < 10) + ? "ok" : ""); + // CHECK: alloc stack retval ok + fprintf(stderr, "thread id = %d\n", thread_id); + // CHECK: thread id = 0 + fprintf(stderr, "0x%lx\n", trace[0]); + // CHECK: [[ALLOC_FRAME_0:0x[0-9a-f]+]] + fprintf(stderr, "0x%lx\n", trace[1]); + // CHECK: [[ALLOC_FRAME_1:0x[0-9a-f]+]] + + num_frames = 100; + num_frames = __asan_get_free_stack(mem, trace, num_frames, &thread_id); + + fprintf(stderr, "free stack retval %s\n", (num_frames > 0 && num_frames < 10) + ? "ok" : ""); + // CHECK: free stack retval ok + fprintf(stderr, "thread id = %d\n", thread_id); + // CHECK: thread id = 0 + fprintf(stderr, "0x%lx\n", trace[0]); + // CHECK: [[FREE_FRAME_0:0x[0-9a-f]+]] + fprintf(stderr, "0x%lx\n", trace[1]); + // CHECK: [[FREE_FRAME_1:0x[0-9a-f]+]] + + mem[0] = 'A'; // BOOM + + // CHECK: ERROR: AddressSanitizer: heap-use-after-free + // CHECK: WRITE of size 1 at 0x{{.*}} + // CHECK: freed by thread T0 here: + // CHECK: #0 [[FREE_FRAME_0]] + // CHECK: #1 [[FREE_FRAME_1]] + // CHECK: previously allocated by thread T0 here: + // CHECK: #0 [[ALLOC_FRAME_0]] + // CHECK: #1 [[ALLOC_FRAME_1]] + + return 0; +} diff --git a/test/asan/TestCases/deep_call_stack.cc b/test/asan/TestCases/deep_call_stack.cc new file mode 100644 index 000000000000..789f23454d19 --- /dev/null +++ b/test/asan/TestCases/deep_call_stack.cc 
@@ -0,0 +1,25 @@
+// Check that UAR mode can handle very deep recusrion.
+// export ASAN_OPTIONS=detect_stack_use_after_return=1
+// RUN: %clangxx_asan -O2 %s -o %t && \
+// RUN: (ulimit -s 4096; %run %t) 2>&1 | FileCheck %s
+// Also check that use_sigaltstack+verbosity doesn't crash.
+// RUN: env ASAN_OPTIONS=verbosity=1:use_sigaltstack=1 %run %t | FileCheck %s
+#include <stdio.h>
+
+__attribute__((noinline))
+void RecursiveFunc(int depth, int *ptr) {
+ if ((depth % 1000) == 0)
+ printf("[%05d] ptr: %p\n", depth, ptr);
+ if (depth == 0)
+ return;
+ int local;
+ RecursiveFunc(depth - 1, &local);
+}
+
+int main(int argc, char **argv) {
+ RecursiveFunc(15000, 0);
+ return 0;
+}
+// CHECK: [15000] ptr:
+// CHECK: [07000] ptr:
+// CHECK: [00000] ptr:
diff --git a/test/asan/TestCases/deep_stack_uaf.cc b/test/asan/TestCases/deep_stack_uaf.cc
new file mode 100644
index 000000000000..3e88d697fcef
--- /dev/null
+++ b/test/asan/TestCases/deep_stack_uaf.cc
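Review bot: In deep_call_stack.cc the line `// export ASAN_OPTIONS=detect_stack_use_after_return=1` is a plain comment, not a RUN directive, so the first RUN line starts the binary without that option. The test therefore only covers use-after-return mode if the runtime enables it by default, which would leave the deep-recursion path in the fake-stack code unexercised. Setting the option in the command makes the test do what its header says: `// RUN: (ulimit -s 4096; env ASAN_OPTIONS=detect_stack_use_after_return=1 %run %t) 2>&1 | FileCheck %s`. The header comment also misspells "recursion" as "recusrion".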
@@ -0,0 +1,36 @@ +// Check that we can store lots of stack frames if asked to. + +// RUN: %clangxx_asan -O0 %s -o %t 2>&1 +// RUN: env ASAN_OPTIONS=malloc_context_size=120:redzone=512 not %run %t 2>&1 | FileCheck %s +// XFAIL: arm-linux-gnueabi +// XFAIL: armv7l-unknown-linux-gnueabihf +#include <stdlib.h> +#include <stdio.h> + +template <int depth> +struct DeepFree { + static void free(char *x) { + DeepFree<depth - 1>::free(x); + } +}; + +template<> +struct DeepFree<0> { + static void free(char *x) { + ::free(x); + } +}; + +int main() { + char *x = (char*)malloc(10); + // deep_free(x); + DeepFree<200>::free(x); + return x[5]; + // CHECK: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}} + // The libcxxrt demangling procedure on FreeBSD 9.2 incorrectly appends + // extra 'E' characters to the end of template arguments; see: + // https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192115 + // CHECK: {{DeepFree<36>|DeepFree<36E>}} + // CHECK: {{DeepFree<98>|DeepFree<98E>}} + // CHECK: {{DeepFree<115>|DeepFree<115E>}} +} diff --git a/test/asan/TestCases/deep_tail_call.cc b/test/asan/TestCases/deep_tail_call.cc new file mode 100644 index 000000000000..628ef06db144 --- /dev/null +++ b/test/asan/TestCases/deep_tail_call.cc 
@@ -0,0 +1,20 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// CHECK: AddressSanitizer: global-buffer-overflow
+int global[10];
+// CHECK: {{#0.*call4}}
+void __attribute__((noinline)) call4(int i) { global[i+10]++; }
+// CHECK: {{#1.*call3}}
+void __attribute__((noinline)) call3(int i) { call4(i); }
+// CHECK: {{#2.*call2}}
+void __attribute__((noinline)) call2(int i) { call3(i); }
+// CHECK: {{#3.*call1}}
+void __attribute__((noinline)) call1(int i) { call2(i); }
+// CHECK: {{#4.*main}}
+int main(int argc, char **argv) {
+ call1(argc);
+ return global[0];
+}
diff --git a/test/asan/TestCases/deep_thread_stack.cc b/test/asan/TestCases/deep_thread_stack.cc
new file mode 100644
index 000000000000..535da79ff58d
--- /dev/null
+++ b/test/asan/TestCases/deep_thread_stack.cc
@@ -0,0 +1,58 @@
+// RUN: %clangxx_asan -O0 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// REQUIRES: stable-runtime
+
+#include <pthread.h>
+
+int *x;
+
+void *AllocThread(void *arg) {
+ x = new int;
+ *x = 42;
+ return NULL;
+}
+
+void *FreeThread(void *arg) {
+ delete x;
+ return NULL;
+}
+
+void *AccessThread(void *arg) {
+ *x = 43; // BOOM
+ return NULL;
+}
+
+typedef void* (*callback_type)(void* arg);
+
+void *RunnerThread(void *function) {
+ pthread_t thread;
+ pthread_create(&thread, NULL, (callback_type)function, NULL);
+ pthread_join(thread, NULL);
+ return NULL;
+}
+
+void RunThread(callback_type function) {
+ pthread_t runner;
+ pthread_create(&runner, NULL, RunnerThread, (void*)function);
+ pthread_join(runner, NULL);
+}
+
+int main(int argc, char *argv[]) {
+ RunThread(AllocThread);
+ RunThread(FreeThread);
+ RunThread(AccessThread);
+ return (x != 0);
+}
+
+// CHECK: AddressSanitizer: heap-use-after-free
+// CHECK: WRITE of size 4 at 0x{{.*}} thread T[[ACCESS_THREAD:[0-9]+]]
+// CHECK: freed by thread T[[FREE_THREAD:[0-9]+]] here:
+// CHECK: previously allocated by thread T[[ALLOC_THREAD:[0-9]+]] here:
+// CHECK: Thread T[[ACCESS_THREAD]] created by T[[ACCESS_RUNNER:[0-9]+]] here:
+// CHECK: Thread T[[ACCESS_RUNNER]] created by T0 here:
+// CHECK: Thread T[[FREE_THREAD]] created by T[[FREE_RUNNER:[0-9]+]] here:
+// CHECK: Thread T[[FREE_RUNNER]] created by T0 here:
+// CHECK: Thread T[[ALLOC_THREAD]] created by T[[ALLOC_RUNNER:[0-9]+]] here:
+// CHECK: Thread T[[ALLOC_RUNNER]] created by T0 here:
diff --git a/test/asan/TestCases/default_blacklist.cc b/test/asan/TestCases/default_blacklist.cc
new file mode 100644
index 000000000000..9358cc47cbaa
--- /dev/null
+++ b/test/asan/TestCases/default_blacklist.cc
@@ -0,0 +1,6 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// Test that ASan uses the default blacklist from resource directory.
+// RUN: %clangxx_asan -### %s 2>&1 | FileCheck %s
+// CHECK: fsanitize-blacklist={{.*}}asan_blacklist.txt
diff --git a/test/asan/TestCases/default_options.cc b/test/asan/TestCases/default_options.cc
new file mode 100644
index 000000000000..6453f66a9523
--- /dev/null
+++ b/test/asan/TestCases/default_options.cc
@@ -0,0 +1,18 @@
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: %run %t 2>&1 | FileCheck %s
+
+// __asan_default_options() are not supported on Windows.
+// XFAIL: win32
+
+const char *kAsanDefaultOptions="verbosity=1 foo=bar";
+
+extern "C"
+__attribute__((no_sanitize_address))
+const char *__asan_default_options() {
+ // CHECK: Using the defaults from __asan_default_options: {{.*}} foo=bar
+ return kAsanDefaultOptions;
+}
+
+int main() {
+ return 0;
+}
diff --git a/test/asan/TestCases/describe_address.cc b/test/asan/TestCases/describe_address.cc
new file mode 100644
index 000000000000..868c0eb1c446
--- /dev/null
+++ b/test/asan/TestCases/describe_address.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 | FileCheck %s
+
+#include <sanitizer/asan_interface.h>
+
+int global;
+
+int main(int argc, char *argv[]) {
+ int stack;
+ int *heap = new int[100];
+ __asan_describe_address(heap);
+ // CHECK: {{.*}} is located 0 bytes inside of 400-byte region
+ // CHECK: allocated by thread T{{.*}} here
+ __asan_describe_address(&stack);
+ // CHECK: Address {{.*}} is located in stack of thread T{{.*}} at offset {{.*}}
+ __asan_describe_address(&global);
+ // CHECK: {{.*}} is located 0 bytes inside of global variable 'global'
+ delete[] heap;
+ return 0;
+}
diff --git a/test/asan/TestCases/dlclose-test.cc b/test/asan/TestCases/dlclose-test.cc
new file mode 100644
index 000000000000..094453f3de2a
--- /dev/null
+++ b/test/asan/TestCases/dlclose-test.cc
@@ -0,0 +1,99 @@
+// Regression test for
+// http://code.google.com/p/address-sanitizer/issues/detail?id=19
+// Bug description:
+// 1. application dlopens foo.so
+// 2. asan registers all globals from foo.so
+// 3. application dlcloses foo.so
+// 4. application mmaps some memory to the location where foo.so was before
+// 5. application starts using this mmaped memory, but asan still thinks there
+// are globals.
+// 6. BOOM
+
+// This sublte test assumes that after a foo.so is dlclose-d
+// we can mmap the region of memory that has been occupied by the library.
+// It works on i368/x86_64 Linux, but not necessary anywhere else.
+// REQUIRES: x86_64-supported-target,i386-supported-target
+
+// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 -DSHARED_LIB %s -fPIC -shared -o %t-so.so
+// RUN: %clangxx_asan -O1 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 -DSHARED_LIB %s -fPIC -shared -o %t-so.so
+// RUN: %clangxx_asan -O2 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 -DSHARED_LIB %s -fPIC -shared -o %t-so.so
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t 2>&1 | FileCheck %s
+
+#if !defined(SHARED_LIB)
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#include <string>
+
+using std::string;
+
+typedef int *(fun_t)();
+
+int main(int argc, char *argv[]) {
+ string path = string(argv[0]) + "-so.so";
+ size_t PageSize = sysconf(_SC_PAGESIZE);
+ printf("opening %s ... \n", path.c_str());
+ void *lib = dlopen(path.c_str(), RTLD_NOW);
+ if (!lib) {
+ printf("error in dlopen(): %s\n", dlerror());
+ return 1;
+ }
+ fun_t *get = (fun_t*)dlsym(lib, "get_address_of_static_var");
+ if (!get) {
+ printf("failed dlsym\n");
+ return 1;
+ }
+ int *addr = get();
+ assert(((size_t)addr % 32) == 0); // should be 32-byte aligned.
+ printf("addr: %p\n", addr);
+ addr[0] = 1; // make sure we can write there.
+
+ // Now dlclose the shared library.
+ printf("attempting to dlclose\n");
+ if (dlclose(lib)) {
+ printf("failed to dlclose\n");
+ return 1;
+ }
+ // Now, the page where 'addr' is unmapped. Map it.
+ size_t page_beg = ((size_t)addr) & ~(PageSize - 1);
+ void *res = mmap((void*)(page_beg), PageSize,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED | MAP_NORESERVE, -1, 0);
+ if (res == (char*)-1L) {
+ printf("failed to mmap\n");
+ return 1;
+ }
+ addr[1] = 2; // BOOM (if the bug is not fixed).
+ printf("PASS\n");
+ // CHECK: PASS
+ return 0;
+}
+#else // SHARED_LIB
+#include <stdio.h>
+
+static int pad1;
+static int static_var;
+static int pad2;
+
+extern "C"
+int *get_address_of_static_var() {
+ return &static_var;
+}
+
+__attribute__((constructor))
+void at_dlopen() {
+ printf("%s: I am being dlopened\n", __FILE__);
+}
+__attribute__((destructor))
+void at_dlclose() {
+ printf("%s: I am being dlclosed\n", __FILE__);
+}
+#endif // SHARED_LIB
diff --git a/test/asan/TestCases/double-free.cc b/test/asan/TestCases/double-free.cc
new file mode 100644
index 000000000000..f0dd29174849
--- /dev/null
+++ b/test/asan/TestCases/double-free.cc
@@ -0,0 +1,27 @@
+// RUN: %clangxx_asan -O0 %s -o %t 2>&1
+// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=MALLOC-CTX
+
+// Also works if no malloc context is available.
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ char *x = (char*)malloc(10 * sizeof(char));
+ memset(x, 0, 10);
+ int res = x[argc];
+ free(x);
+ free(x + argc - 1); // BOOM
+ // CHECK: AddressSanitizer: attempting double-free{{.*}}in thread T0
+ // CHECK: #0 0x{{.*}} in {{.*}}free
+ // CHECK: #1 0x{{.*}} in main {{.*}}double-free.cc:[[@LINE-3]]
+ // CHECK: freed by thread T0 here:
+ // MALLOC-CTX: #0 0x{{.*}} in {{.*}}free
+ // MALLOC-CTX: #1 0x{{.*}} in main {{.*}}double-free.cc:[[@LINE-7]]
+ // CHECK: allocated by thread T0 here:
+ // MALLOC-CTX: double-free.cc:[[@LINE-12]]
+ return res;
+}
diff --git a/test/asan/TestCases/dump_instruction_bytes.cc b/test/asan/TestCases/dump_instruction_bytes.cc
new file mode 100644
index 000000000000..981e3c31327f
--- /dev/null
+++ b/test/asan/TestCases/dump_instruction_bytes.cc
@@ -0,0 +1,20 @@
+// Check that ASan prints the faulting instruction bytes on
+// dump_instruction_bytes=1
+// RUN: %clangxx_asan %s -o %t
+// RUN: env ASAN_OPTIONS=dump_instruction_bytes=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-DUMP
+// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NODUMP
+//
+// REQUIRES: x86_64-supported-target,i386-supported-target
+
+int main() {
+#if defined(__x86_64__)
+ asm("movq $0, %rax");
+ asm("movl $0xcafebabe, 0x0(%rax)");
+#elif defined(i386)
+ asm("movl $0, %eax");
+ asm("movl $0xcafebabe, 0x0(%eax)");
+#endif
+ // CHECK-DUMP: First 16 instruction bytes at pc: c7 00 be ba fe ca
+ // CHECK-NODUMP-NOT: First 16 instruction bytes
+ return 0;
+}
diff --git a/test/asan/TestCases/force_inline_opt0.cc b/test/asan/TestCases/force_inline_opt0.cc
new file mode 100644
index 000000000000..e6e5d26c7998
--- /dev/null
+++ b/test/asan/TestCases/force_inline_opt0.cc
@@ -0,0 +1,14 @@
+// This test checks that we are no instrumenting a memory access twice
+// (before and after inlining)
+// RUN: %clangxx_asan -O1 %s -o %t && %run %t
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t
+__attribute__((always_inline))
+void foo(int *x) {
+ *x = 0;
+}
+
+int main() {
+ int x;
+ foo(&x);
+ return x;
+}
diff --git a/test/asan/TestCases/free_hook_realloc.cc b/test/asan/TestCases/free_hook_realloc.cc
new file mode 100644
index 000000000000..4b2753252a8d
--- /dev/null
+++ b/test/asan/TestCases/free_hook_realloc.cc
@@ -0,0 +1,37 @@
+// Check that free hook doesn't conflict with Realloc.
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: %run %t 2>&1 | FileCheck %s
+
+// Malloc/free hooks are not supported on Windows.
+// XFAIL: win32
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <sanitizer/allocator_interface.h>
+
+static void *glob_ptr;
+
+extern "C" {
+void __sanitizer_free_hook(const volatile void *ptr) {
+ if (ptr == glob_ptr) {
+ *(int*)ptr = 0;
+ write(1, "FreeHook\n", sizeof("FreeHook\n"));
+ }
+}
+}
+
+int main() {
+ int *x = (int*)malloc(100);
+ x[0] = 42;
+ glob_ptr = x;
+ int *y = (int*)realloc(x, 200);
+ // Verify that free hook was called and didn't spoil the memory.
+ if (y[0] != 42) {
+ _exit(1);
+ }
+ write(1, "Passed\n", sizeof("Passed\n"));
+ free(y);
+ // CHECK: FreeHook
+ // CHECK: Passed
+ return 0;
+}
diff --git a/test/asan/TestCases/frexp_interceptor.cc b/test/asan/TestCases/frexp_interceptor.cc
new file mode 100644
index 000000000000..d75ba992b650
--- /dev/null
+++ b/test/asan/TestCases/frexp_interceptor.cc
@@ -0,0 +1,16 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// Test the frexp() interceptor.
+
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+int main() {
+ double x = 3.14;
+ int *exp = (int*)malloc(sizeof(int));
+ free(exp);
+ double y = frexp(x, exp);
+ // CHECK: use-after-free
+ // CHECK: SUMMARY
+ return 0;
+}
diff --git a/test/asan/TestCases/gc-test.cc b/test/asan/TestCases/gc-test.cc
new file mode 100644
index 000000000000..ffbea85b2650
--- /dev/null
+++ b/test/asan/TestCases/gc-test.cc
@@ -0,0 +1,50 @@
+// RUN: %clangxx_asan %s -pthread -o %t
+// RUN: env ASAN_OPTIONS=detect_stack_use_after_return=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK1
+// RUN: env ASAN_OPTIONS=detect_stack_use_after_return=0 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK0
+// REQUIRES: stable-runtime
+
+#include <assert.h>
+#include <stdio.h>
+#include <pthread.h>
+#include <sanitizer/asan_interface.h>
+
+static const int kNumThreads = 2;
+
+void *Thread(void *unused) {
+ void *fake_stack = __asan_get_current_fake_stack();
+ char var[15];
+ if (fake_stack) {
+ fprintf(stderr, "fake stack found: %p; var: %p\n", fake_stack, var);
+ // CHECK1: fake stack found
+ // CHECK1: fake stack found
+ void *beg, *end;
+ void *real_stack =
+ __asan_addr_is_in_fake_stack(fake_stack, &var[0], &beg, &end);
+ assert(real_stack);
+ assert((char*)beg <= (char*)&var[0]);
+ assert((char*)end > (char*)&var[0]);
+ for (int i = -32; i < 15; i++) {
+ void *beg1, *end1;
+ char *ptr = &var[0] + i;
+ void *real_stack1 =
+ __asan_addr_is_in_fake_stack(fake_stack, ptr, &beg1, &end1);
+ assert(real_stack == real_stack1);
+ assert(beg == beg1);
+ assert(end == end1);
+ }
+ } else {
+ fprintf(stderr, "no fake stack\n");
+ // CHECK0: no fake stack
+ // CHECK0: no fake stack
+ }
+ return NULL;
+}
+
+int main(int argc, char **argv) {
+ pthread_t t[kNumThreads];
+ for (int i = 0; i < kNumThreads; i++)
+ pthread_create(&t[i], 0, Thread, 0);
+ for (int i = 0; i < kNumThreads; i++)
+ pthread_join(t[i], 0);
+ return 0;
+}
diff --git a/test/asan/TestCases/global-demangle.cc b/test/asan/TestCases/global-demangle.cc
new file mode 100644
index 000000000000..5f7ff91b1601
--- /dev/null
+++ b/test/asan/TestCases/global-demangle.cc
@@ -0,0 +1,17 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+namespace XXX {
+class YYY {
+ public:
+ static char ZZZ[];
+};
+char YYY::ZZZ[] = "abc";
+}
+
+int main(int argc, char **argv) {
+ return (int)XXX::YYY::ZZZ[argc + 5]; // BOOM
+ // CHECK: {{READ of size 1 at 0x.*}}
+ // CHECK: {{0x.* is located 2 bytes to the right of global variable}}
+ // CHECK: 'XXX::YYY::ZZZ' {{.*}} of size 4
+ // CHECK: 'XXX::YYY::ZZZ' is ascii string 'abc'
+}
diff --git a/test/asan/TestCases/global-location.cc b/test/asan/TestCases/global-location.cc
new file mode 100644
index 000000000000..795e50bf614e
--- /dev/null
+++ b/test/asan/TestCases/global-location.cc
@@ -0,0 +1,38 @@
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: not %run %t g 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=GLOB
+// RUN: not %run %t c 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=CLASS_STATIC
+// RUN: not %run %t f 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=FUNC_STATIC
+// RUN: not %run %t l 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=LITERAL
+
+// CHECK: AddressSanitizer: global-buffer-overflow
+
+#include <string.h>
+
+struct C {
+ static int array[10];
+};
+
+int global[10];
+// GLOB: 0x{{.*}} is located 4 bytes to the right of global variable 'global' defined in '{{.*}}global-location.cc:[[@LINE-1]]:5' {{.*}} of size 40
+int C::array[10];
+// CLASS_STATIC: 0x{{.*}} is located 4 bytes to the right of global variable 'C::array' defined in '{{.*}}global-location.cc:[[@LINE-1]]:8' {{.*}} of size 40
+
+int main(int argc, char **argv) {
+ int one = argc - 1;
+ switch (argv[1][0]) {
+ case 'g': return global[one * 11];
+ case 'c': return C::array[one * 11];
+ case 'f':
+ static int array[10];
+ // FUNC_STATIC: 0x{{.*}} is located 4 bytes to the right of global variable 'array' defined in '{{.*}}global-location.cc:[[@LINE-1]]:16' {{.*}} of size 40
+ memset(array, 0, 10);
+ return array[one * 11];
+ case 'l':
+ const char *str = "0123456789";
+ // LITERAL: 0x{{.*}} is located 0 bytes to the right of global variable {{.*}} defined in '{{.*}}global-location.cc:[[@LINE-1]]:23' {{.*}} of size 11
+ return str[one * 11];
+ }
+ return 0;
+}
+
+// CHECK: SUMMARY: AddressSanitizer: global-buffer-overflow
diff --git a/test/asan/TestCases/global-overflow.cc b/test/asan/TestCases/global-overflow.cc
new file mode 100644
index 000000000000..a39a95306352
--- /dev/null
+++ b/test/asan/TestCases/global-overflow.cc
@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <string.h>
+int main(int argc, char **argv) {
+ static char XXX[10];
+ static char YYY[10];
+ static char ZZZ[10];
+ memset(XXX, 0, 10);
+ memset(YYY, 0, 10);
+ memset(ZZZ, 0, 10);
+ int res = YYY[argc * 10]; // BOOOM
+ // CHECK: {{READ of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*global-overflow.cc:}}[[@LINE-2]]
+ // CHECK: {{0x.* is located 0 bytes to the right of global variable}}
+ // CHECK: {{.*YYY.* of size 10}}
+ res += XXX[argc] + ZZZ[argc];
+ return res;
+}
diff --git a/test/asan/TestCases/heap-overflow-large.cc b/test/asan/TestCases/heap-overflow-large.cc
new file mode 100644
index 000000000000..eb2fcc3220e7
--- /dev/null
+++ b/test/asan/TestCases/heap-overflow-large.cc
@@ -0,0 +1,23 @@
+// Regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=183
+
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: not %run %t 12 2>&1 | FileCheck %s
+// RUN: not %run %t 100 2>&1 | FileCheck %s
+// RUN: not %run %t 10000 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+int main(int argc, char *argv[]) {
+ fprintf(stderr, "main\n");
+ int *x = new int[5];
+ memset(x, 0, sizeof(x[0]) * 5);
+ int index = atoi(argv[1]);
+ int res = x[index];
+ // CHECK: main
+ // CHECK-NOT: CHECK failed
+ delete[] x;
+ return res ? res : 1;
+}
diff --git a/test/asan/TestCases/heap-overflow.cc b/test/asan/TestCases/heap-overflow.cc
new file mode 100644
index 000000000000..70a1203562be
--- /dev/null
+++ b/test/asan/TestCases/heap-overflow.cc
@@ -0,0 +1,24 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=print_stats=1 not %run %t 2>&1 | FileCheck %s
+
+// FIXME: Fix this test under GCC.
+// REQUIRES: Clang
+
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ char *x = (char*)malloc(10 * sizeof(char));
+ memset(x, 0, 10);
+ int res = x[argc * 10]; // BOOOM
+ // CHECK: {{READ of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*heap-overflow.cc:}}[[@LINE-2]]
+ // CHECK: {{0x.* is located 0 bytes to the right of 10-byte region}}
+ // CHECK: {{allocated by thread T0 here:}}
+
+ // CHECK: {{ #0 0x.* in .*malloc}}
+ free(x);
+ return res;
+}
diff --git a/test/asan/TestCases/heavy_uar_test.cc b/test/asan/TestCases/heavy_uar_test.cc
new file mode 100644
index 000000000000..1f8caea21690
--- /dev/null
+++ b/test/asan/TestCases/heavy_uar_test.cc
@@ -0,0 +1,60 @@
+// RUN: export ASAN_OPTIONS=detect_stack_use_after_return=1
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+
+// FIXME: Fix this test under GCC.
+// REQUIRES: Clang
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+__attribute__((noinline))
+char *pretend_to_do_something(char *x) {
+ __asm__ __volatile__("" : : "r" (x) : "memory");
+ return x;
+}
+
+__attribute__((noinline))
+char *LeakStack() {
+ char x[1024];
+ memset(x, 0, sizeof(x));
+ return pretend_to_do_something(x);
+}
+
+template<size_t kFrameSize>
+__attribute__((noinline))
+void RecursiveFunctionWithStackFrame(int depth) {
+ if (depth <= 0) return;
+ char x[kFrameSize];
+ x[0] = depth;
+ pretend_to_do_something(x);
+ RecursiveFunctionWithStackFrame<kFrameSize>(depth - 1);
+}
+
+int main(int argc, char **argv) {
+ int n_iter = argc >= 2 ? atoi(argv[1]) : 1000;
+ int depth = argc >= 3 ? atoi(argv[2]) : 500;
+ for (int i = 0; i < n_iter; i++) {
+ RecursiveFunctionWithStackFrame<10>(depth);
+ RecursiveFunctionWithStackFrame<100>(depth);
+ RecursiveFunctionWithStackFrame<500>(depth);
+ RecursiveFunctionWithStackFrame<1024>(depth);
+ RecursiveFunctionWithStackFrame<2000>(depth);
+ // The stack size is tight for the main thread in multithread
+ // environment on FreeBSD.
+#if !defined(__FreeBSD__)
+ RecursiveFunctionWithStackFrame<5000>(depth);
+ RecursiveFunctionWithStackFrame<10000>(depth);
+#endif
+ }
+ char *stale_stack = LeakStack();
+ RecursiveFunctionWithStackFrame<1024>(10);
+ stale_stack[100]++;
+ // CHECK: ERROR: AddressSanitizer: stack-use-after-return on address
+ // CHECK: is located in stack of thread T0 at offset {{116|132}} in frame
+ // CHECK: in LeakStack{{.*}}heavy_uar_test.cc:
+ // CHECK: [{{16|32}}, {{1040|1056}}) 'x'
+ return 0;
+}
diff --git a/test/asan/TestCases/huge_negative_hea_oob.cc b/test/asan/TestCases/huge_negative_hea_oob.cc
new file mode 100644
index 000000000000..96e7e613d4bb
--- /dev/null
+++ b/test/asan/TestCases/huge_negative_hea_oob.cc
@@ -0,0 +1,13 @@
+// RUN: %clangxx_asan %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O %s -o %t && not %run %t 2>&1 | FileCheck %s
+// Check that we can find huge buffer overflows to the left.
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ char *x = (char*)malloc(1 << 20);
+ memset(x, 0, 10);
+ int res = x[-argc * 4000]; // BOOOM
+ // CHECK: is located 4000 bytes to the left of
+ free(x);
+ return res;
+}
diff --git a/test/asan/TestCases/init-order-atexit.cc b/test/asan/TestCases/init-order-atexit.cc
new file mode 100644
index 000000000000..e0dac325ce58
--- /dev/null
+++ b/test/asan/TestCases/init-order-atexit.cc
@@ -0,0 +1,34 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// Test for the following situation:
+// (1) global A is constructed.
+// (2) exit() is called during construction of global B.
+// (3) destructor of A reads uninitialized global C from another module.
+// We do *not* want to report init-order bug in this case.
+
+// RUN: %clangxx_asan -O0 %s %p/Helpers/init-order-atexit-extra.cc -o %t
+// RUN: env ASAN_OPTIONS=strict_init_order=true not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void AccessC();
+
+class A {
+ public:
+ A() { }
+ ~A() { AccessC(); printf("PASSED\n"); }
+ // CHECK-NOT: AddressSanitizer
+ // CHECK: PASSED
+};
+
+A a;
+
+class B {
+ public:
+ B() { exit(1); }
+ ~B() { }
+};
+
+B b;
diff --git a/test/asan/TestCases/init-order-pthread-create.cc b/test/asan/TestCases/init-order-pthread-create.cc
new file mode 100644
index 000000000000..eeff308a4cd5
--- /dev/null
+++ b/test/asan/TestCases/init-order-pthread-create.cc
@@ -0,0 +1,32 @@
+// Check that init-order checking is properly disabled if pthread_create is
+// called.
+
+// RUN: %clangxx_asan %s %p/Helpers/init-order-pthread-create-extra.cc -pthread -o %t
+// RUN: env ASAN_OPTIONS=strict_init_order=true %run %t
+
+#include <stdio.h>
+#include <pthread.h>
+
+void *run(void *arg) {
+ return arg;
+}
+
+void *foo(void *input) {
+ pthread_t t;
+ pthread_create(&t, 0, run, input);
+ void *res;
+ pthread_join(t, &res);
+ return res;
+}
+
+void *bar(void *input) {
+ return input;
+}
+
+void *glob = foo((void*)0x1234);
+extern void *glob2;
+
+int main() {
+ printf("%p %p\n", glob, glob2);
+ return 0;
+}
diff --git a/test/asan/TestCases/initialization-blacklist.cc b/test/asan/TestCases/initialization-blacklist.cc
new file mode 100644
index 000000000000..8ea6b46c1833
--- /dev/null
+++ b/test/asan/TestCases/initialization-blacklist.cc
@@ -0,0 +1,29 @@
+// Test for blacklist functionality of initialization-order checker.
+
+// RUN: %clangxx_asan -O0 %s %p/Helpers/initialization-blacklist-extra.cc\
+// RUN: %p/Helpers/initialization-blacklist-extra2.cc \
+// RUN: -fsanitize-blacklist=%p/Helpers/initialization-blacklist.txt -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O1 %s %p/Helpers/initialization-blacklist-extra.cc\
+// RUN: %p/Helpers/initialization-blacklist-extra2.cc \
+// RUN: -fsanitize-blacklist=%p/Helpers/initialization-blacklist.txt -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O2 %s %p/Helpers/initialization-blacklist-extra.cc\
+// RUN: %p/Helpers/initialization-blacklist-extra2.cc \
+// RUN: -fsanitize-blacklist=%p/Helpers/initialization-blacklist.txt -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+
+// Function is defined in another TU.
+int readBadGlobal();
+int x = readBadGlobal(); // init-order bug.
+
+// Function is defined in another TU.
+int accessBadObject();
+int y = accessBadObject(); // init-order bug.
+
+int readBadSrcGlobal();
+int z = readBadSrcGlobal(); // init-order bug.
+
+int main(int argc, char **argv) {
+ return argc + x + y + z - 1;
+}
diff --git a/test/asan/TestCases/initialization-bug.cc b/test/asan/TestCases/initialization-bug.cc
new file mode 100644
index 000000000000..badc6d1d1165
--- /dev/null
+++ b/test/asan/TestCases/initialization-bug.cc
@@ -0,0 +1,45 @@
+// Test to make sure basic initialization order errors are caught.
+
+// RUN: %clangxx_asan -O0 %s %p/Helpers/initialization-bug-extra2.cc -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true not %run %t 2>&1 | FileCheck %s
+
+// Do not test with optimization -- the error may be optimized away.
+
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=186
+// XFAIL: darwin
+
+#include <cstdio>
+
+// The structure of the test is:
+// "x", "y", "z" are dynamically initialized globals.
+// Value of "x" depends on "y", value of "y" depends on "z".
+// "x" and "z" are defined in this TU, "y" is defined in another one.
+// Thus we shoud stably report initialization order fiasco independently of
+// the translation unit order.
+
+int initZ() {
+ return 5;
+}
+int z = initZ();
+
+// 'y' is a dynamically initialized global residing in a different TU. This
+// dynamic initializer will read the value of 'y' before main starts. The
+// result is undefined behavior, which should be caught by initialization order
+// checking.
+extern int y;
+int __attribute__((noinline)) initX() {
+ return y + 1;
+ // CHECK: {{AddressSanitizer: initialization-order-fiasco}}
+ // CHECK: {{READ of size .* at 0x.* thread T0}}
+ // CHECK: {{0x.* is located 0 bytes inside of global variable .*(y|z).*}}
+}
+
+// This initializer begins our initialization order problems.
+static int x = initX();
+
+int main() {
+ // ASan should have caused an exit before main runs.
+ printf("PASS\n");
+ // CHECK-NOT: PASS
+ return 0;
+}
diff --git a/test/asan/TestCases/initialization-constexpr.cc b/test/asan/TestCases/initialization-constexpr.cc
new file mode 100644
index 000000000000..644246186e02
--- /dev/null
+++ b/test/asan/TestCases/initialization-constexpr.cc
@@ -0,0 +1,27 @@
+// Constexpr:
+// We need to check that a global variable initialized with a constexpr
+// constructor can be accessed during dynamic initialization (as a constexpr
+// constructor implies that it was initialized during constant initialization,
+// not dynamic initialization).
+
+// RUN: %clangxx_asan -O0 %s %p/Helpers/initialization-constexpr-extra.cc --std=c++11 -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O1 %s %p/Helpers/initialization-constexpr-extra.cc --std=c++11 -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O2 %s %p/Helpers/initialization-constexpr-extra.cc --std=c++11 -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O3 %s %p/Helpers/initialization-constexpr-extra.cc --std=c++11 -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+
+class Integer {
+ private:
+ int value;
+
+ public:
+ constexpr Integer(int x = 0) : value(x) {}
+ int getValue() {return value;}
+};
+Integer coolestInteger(42);
+int getCoolestInteger() { return coolestInteger.getValue(); }
+
+int main() { return 0; }
diff --git a/test/asan/TestCases/initialization-nobug.cc b/test/asan/TestCases/initialization-nobug.cc
new file mode 100644
index 000000000000..1249deb425aa
--- /dev/null
+++ b/test/asan/TestCases/initialization-nobug.cc
@@ -0,0 +1,48 @@
+// A collection of various initializers which shouldn't trip up initialization
+// order checking. If successful, this will just return 0.
+
+// RUN: %clangxx_asan -O0 %s %p/Helpers/initialization-nobug-extra.cc -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O1 %s %p/Helpers/initialization-nobug-extra.cc -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O2 %s %p/Helpers/initialization-nobug-extra.cc -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+// RUN: %clangxx_asan -O3 %s %p/Helpers/initialization-nobug-extra.cc -o %t
+// RUN: env ASAN_OPTIONS=check_initialization_order=true %run %t 2>&1
+
+// Simple access:
+// Make sure that accessing a global in the same TU is safe
+
+bool condition = true;
+int initializeSameTU() {
+ return condition ? 0x2a : 052;
+}
+int sameTU = initializeSameTU();
+
+// Linker initialized:
+// Check that access to linker initialized globals originating from a different
+// TU's initializer is safe.
+
+int A = (1 << 1) + (1 << 3) + (1 << 5), B;
+int getAB() {
+ return A * B;
+}
+
+// Function local statics:
+// Check that access to function local statics originating from a different
+// TU's initializer is safe.
+
+int countCalls() {
+ static int calls;
+ return ++calls;
+}
+
+// Trivial constructor, non-trivial destructor.
+struct StructWithDtor {
+ ~StructWithDtor() { }
+ int value;
+};
+StructWithDtor struct_with_dtor;
+int getStructWithDtorValue() { return struct_with_dtor.value; }
+
+int main() { return 0; }
diff --git a/test/asan/TestCases/inline.cc b/test/asan/TestCases/inline.cc
new file mode 100644
index 000000000000..daeb7b49eb22
--- /dev/null
+++ b/test/asan/TestCases/inline.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t
+
+// Test that no_sanitize_address attribute applies even when the function would
+// be normally inlined.
+
+#include <stdlib.h>
+
+__attribute__((no_sanitize_address))
+int f(int *p) {
+ return *p; // BOOOM?? Nope!
+}
+
+int main(int argc, char **argv) {
+ int * volatile x = (int*)malloc(2*sizeof(int) + 2);
+ int res = f(x + 2);
+ if (res)
+ exit(0);
+ return 0;
+}
diff --git a/test/asan/TestCases/interception_failure_test.cc b/test/asan/TestCases/interception_failure_test.cc
new file mode 100644
index 000000000000..a23fe6938ca9
--- /dev/null
+++ b/test/asan/TestCases/interception_failure_test.cc
@@ -0,0 +1,22 @@
+// If user provides his own libc functions, ASan doesn't
+// intercept these functions.
+
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t 2>&1 | FileCheck %s
+#include <stdlib.h>
+#include <stdio.h>
+
+extern "C" long strtol(const char *nptr, char **endptr, int base) {
+ fprintf(stderr, "my_strtol_interceptor\n");
+ return 0;
+}
+
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return (int)strtol(x, 0, 10);
+ // CHECK: my_strtol_interceptor
+ // CHECK-NOT: heap-use-after-free
+}
diff --git a/test/asan/TestCases/interface_test.cc b/test/asan/TestCases/interface_test.cc
new file mode 100644
index 000000000000..dc9d0652c8c3
--- /dev/null
+++ b/test/asan/TestCases/interface_test.cc
@@ -0,0 +1,10 @@
+// Check that user may include ASan interface header.
+// RUN: %clang_asan %s -o %t && %run %t
+// RUN: %clang_asan -x c %s -o %t && %run %t
+// RUN: %clang %s -o %t && %run %t
+// RUN: %clang -x c %s -o %t && %run %t
+#include <sanitizer/asan_interface.h>
+
+int main() {
+ return 0;
+}
diff --git a/test/asan/TestCases/intra-object-overflow.cc b/test/asan/TestCases/intra-object-overflow.cc
new file mode 100644
index 000000000000..e48a261f55cc
--- /dev/null
+++ b/test/asan/TestCases/intra-object-overflow.cc
@@ -0,0 +1,31 @@
+// RUN: %clangxx_asan -O0 -fsanitize-address-field-padding=1 %s -o %t
+// RUN: not %run %t 11 2>&1 | FileCheck %s
+// RUN: %run %t 10
+//
+// FIXME: fix 32-bits.
+// REQUIRES: asan-64-bits
+#include <stdio.h>
+#include <stdlib.h>
+class Foo {
+ public:
+ Foo() : pre1(1), pre2(2), post1(3), post2(4) {
+ }
+ virtual ~Foo() {
+ }
+ void set(int i, int val) { a[i] = val; }
+// CHECK: ERROR: AddressSanitizer: intra-object-overflow
+// CHECK: #0 {{.*}}Foo::set{{.*}}intra-object-overflow.cc:[[@LINE-2]]
+ private:
+ int pre1, pre2;
+ int a[11];
+ int post1, post2;
+};
+
+int main(int argc, char **argv) {
+ int idx = argc == 2 ? atoi(argv[1]) : 0;
+ Foo *foo = new Foo;
+ foo->set(idx, 42);
+// CHECK: #1 {{.*}}main{{.*}}intra-object-overflow.cc:[[@LINE-1]]
+// CHECK: is located 84 bytes inside of 128-byte region
+ delete foo;
+}
diff --git a/test/asan/TestCases/invalid-free.cc b/test/asan/TestCases/invalid-free.cc
new file mode 100644
index 000000000000..cb545ccc215e
--- /dev/null
+++ b/test/asan/TestCases/invalid-free.cc
@@ -0,0 +1,23 @@
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=MALLOC-CTX
+
+// Also works if no malloc context is available.
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ char *x = (char*)malloc(10 * sizeof(char));
+ memset(x, 0, 10);
+ int res = x[argc];
+ free(x + 5); // BOOM
+ // CHECK: AddressSanitizer: attempting free on address{{.*}}in thread T0
+ // CHECK: invalid-free.cc:[[@LINE-2]]
+ // CHECK: is located 5 bytes inside of 10-byte region
+ // CHECK: allocated by thread T0 here:
+ // MALLOC-CTX: invalid-free.cc:[[@LINE-8]]
+ return res;
+}
diff --git a/test/asan/TestCases/large_func_test.cc b/test/asan/TestCases/large_func_test.cc
new file mode 100644
index 000000000000..6b592f8c4397
--- /dev/null
+++ b/test/asan/TestCases/large_func_test.cc
@@ -0,0 +1,53 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+__attribute__((noinline))
+static void LargeFunction(int *x, int zero) {
+ x[0]++;
+ x[1]++;
+ x[2]++;
+ x[3]++;
+ x[4]++;
+ x[5]++;
+ x[6]++;
+ x[7]++;
+ x[8]++;
+ x[9]++;
+
+ // CHECK: {{.*ERROR: AddressSanitizer: heap-buffer-overflow on address}}
+ // CHECK: {{0x.* at pc 0x.* bp 0x.* sp 0x.*}}
+ // CHECK: {{READ of size 4 at 0x.* thread T0}}
+ x[zero + 103]++; // we should report this exact line
+ // atos incorrectly extracts the symbol name for the static functions on
+ // Darwin.
+ // CHECK-Linux: {{#0 0x.* in LargeFunction.*large_func_test.cc:}}[[@LINE-3]]
+ // CHECK-Darwin: {{#0 0x.* in .*LargeFunction.*large_func_test.cc}}:[[@LINE-4]]
+
+ x[10]++;
+ x[11]++;
+ x[12]++;
+ x[13]++;
+ x[14]++;
+ x[15]++;
+ x[16]++;
+ x[17]++;
+ x[18]++;
+ x[19]++;
+}
+
+int main(int argc, char **argv) {
+ int *x = new int[100];
+ LargeFunction(x, argc - 1);
+ // CHECK: {{ #1 0x.* in main .*large_func_test.cc:}}[[@LINE-1]]
+ // CHECK: {{0x.* is located 12 bytes to the right of 400-byte region}}
+ // CHECK: {{allocated by thread T0 here:}}
+ // CHECK-Linux: {{ #0 0x.* in operator new.*}}
+ // CHECK-Darwin: {{ #0 0x.* in .*_Zna.*}}
+ // CHECK: {{ #1 0x.* in main .*large_func_test.cc:}}[[@LINE-7]]
+ delete x;
+}
diff --git a/test/asan/TestCases/log-path_test.cc b/test/asan/TestCases/log-path_test.cc
new file mode 100644
index 000000000000..5a1d0729119a
--- /dev/null
+++ b/test/asan/TestCases/log-path_test.cc
@@ -0,0 +1,44 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// RUN: %clangxx_asan %s -o %t
+
+// Regular run.
+// RUN: not %run %t 2> %t.out
+// RUN: FileCheck %s --check-prefix=CHECK-ERROR < %t.out
+
+// Good log_path.
+// RUN: rm -f %t.log.*
+// RUN: env ASAN_OPTIONS=log_path=%t.log not %run %t 2> %t.out
+// RUN: FileCheck %s --check-prefix=CHECK-ERROR < %t.log.*
+
+// Invalid log_path.
+// RUN: env ASAN_OPTIONS=log_path=/INVALID not %run %t 2> %t.out
+// RUN: FileCheck %s --check-prefix=CHECK-INVALID < %t.out
+
+// Too long log_path.
+// RUN: env ASAN_OPTIONS=log_path=`for((i=0;i<10000;i++)); do echo -n $i; done` \
+// RUN: not %run %t 2> %t.out
+// RUN: FileCheck %s --check-prefix=CHECK-LONG < %t.out
+
+// Run w/o errors should not produce any log.
+// RUN: rm -f %t.log.*
+// RUN: env ASAN_OPTIONS=log_path=%t.log %run %t ARG ARG ARG
+// RUN: not cat %t.log.*
+
+// FIXME: log_path is not supported on Windows yet.
+// XFAIL: win32
+
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ if (argc > 2) return 0;
+ char *x = (char*)malloc(10);
+ memset(x, 0, 10);
+ int res = x[argc * 10]; // BOOOM
+ free(x);
+ return res;
+}
+// CHECK-ERROR: ERROR: AddressSanitizer
+// CHECK-INVALID: ERROR: Can't open file: /INVALID
+// CHECK-LONG: ERROR: Path is too long: 01234
diff --git a/test/asan/TestCases/log_path_fork_test.cc.disabled b/test/asan/TestCases/log_path_fork_test.cc.disabled
new file mode 100644
index 000000000000..cfe90dfb54d3
--- /dev/null
+++ b/test/asan/TestCases/log_path_fork_test.cc.disabled
@@ -0,0 +1,22 @@
+// RUN: %clangxx_asan %s -o %t
+// RUN: rm -f %t.log.*
+// Set verbosity to 1 so that the log files are opened prior to fork().
+// RUN: env ASAN_OPTIONS="log_path=%t.log verbosity=1" not %run %t 2> %t.out
+// RUN: for f in %t.log.* ; do FileCheck %s < $f; done
+// RUN: [ `ls %t.log.* | wc -l` == 2 ]
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+ void *x = malloc(10);
+ free(x);
+ if (fork() == -1) return 1;
+ // There are two processes at this point, thus there should be two distinct
+ // error logs.
+ free(x);
+ return 0;
+}
+
+// CHECK: ERROR: AddressSanitizer
diff --git a/test/asan/TestCases/longjmp.cc b/test/asan/TestCases/longjmp.cc
new file mode 100644
index 000000000000..8e9f2ae195c7
--- /dev/null
+++ b/test/asan/TestCases/longjmp.cc
@@ -0,0 +1,25 @@
+// RUN: %clangxx_asan -O %s -o %t && %run %t
+
+#include <assert.h>
+#include <setjmp.h>
+#include <stdio.h>
+#include <sanitizer/asan_interface.h>
+
+static jmp_buf buf;
+
+int main() {
+ char x[32];
+ fprintf(stderr, "\nTestLongJmp\n");
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ if (0 == setjmp(buf))
+ longjmp(buf, 1);
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ // This assertion works only w/o UAR.
+ if (!__asan_get_current_fake_stack())
+ assert(!__asan_address_is_poisoned(x + 32));
+}
diff --git a/test/asan/TestCases/lsan_annotations.cc b/test/asan/TestCases/lsan_annotations.cc
new file mode 100644
index 000000000000..f52b0ff66a8d
--- /dev/null
+++ b/test/asan/TestCases/lsan_annotations.cc
@@ -0,0 +1,16 @@
+// Check that LSan annotations work fine.
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t
+
+#include <sanitizer/lsan_interface.h>
+#include <stdlib.h>
+
+int main() {
+ int *x = new int;
+ __lsan_ignore_object(x);
+ {
+ __lsan::ScopedDisabler disabler;
+ double *y = new double;
+ }
+ return 0;
+}
diff --git a/test/asan/TestCases/malloc_context_size.cc b/test/asan/TestCases/malloc_context_size.cc
new file mode 100644
index 000000000000..0d9f31598545
--- /dev/null
+++ b/test/asan/TestCases/malloc_context_size.cc
@@ -0,0 +1,27 @@
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=1:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=1:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=malloc_context_size=2 not %run %t 2>&1 | FileCheck %s --check-prefix=TWO
+
+int main() {
+ char *x = new char[20];
+ delete[] x;
+ return x[0];
+
+ // CHECK: freed by thread T{{.*}} here:
+ // CHECK-NEXT: #0 0x{{.*}} in {{operator delete( )?\[\]|wrap__ZdaPv}}
+ // CHECK-NOT: #1 0x{{.*}}
+
+ // CHECK: previously allocated by thread T{{.*}} here:
+ // CHECK-NEXT: #0 0x{{.*}} in {{operator new( )?\[\]|wrap__Znam}}
+ // CHECK-NOT: #1 0x{{.*}}
+
+ // CHECK: SUMMARY: AddressSanitizer: heap-use-after-free
+
+ // TWO: previously allocated by thread T{{.*}} here:
+ // TWO-NEXT: #0 0x{{.*}}
+ // TWO-NEXT: #1 0x{{.*}} in main {{.*}}malloc_context_size.cc
+ // TWO: SUMMARY: AddressSanitizer: heap-use-after-free
+}
diff --git a/test/asan/TestCases/malloc_fill.cc b/test/asan/TestCases/malloc_fill.cc
new file mode 100644
index 000000000000..5c926803708d
--- /dev/null
+++ b/test/asan/TestCases/malloc_fill.cc
@@ -0,0 +1,22 @@
+// Check that we fill malloc-ed memory correctly.
+// RUN: %clangxx_asan %s -o %t
+// RUN: %run %t | FileCheck %s
+// RUN: env ASAN_OPTIONS=max_malloc_fill_size=10:malloc_fill_byte=8 %run %t | FileCheck %s --check-prefix=CHECK-10-8
+// RUN: env ASAN_OPTIONS=max_malloc_fill_size=20:malloc_fill_byte=171 %run %t | FileCheck %s --check-prefix=CHECK-20-ab
+
+#include <stdio.h>
+int main(int argc, char **argv) {
+ // With asan allocator this makes sure we get memory from mmap.
+ static const int kSize = 1 << 25;
+ unsigned char *x = new unsigned char[kSize];
+ printf("-");
+ for (int i = 0; i <= 32; i++) {
+ printf("%02x", x[i]);
+ }
+ printf("-\n");
+ delete [] x;
+}
+
+// CHECK: -bebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebe-
+// CHECK-10-8: -080808080808080808080000000000000000000000000000000000000000000000-
+// CHECK-20-ab: -abababababababababababababababababababab00000000000000000000000000-
diff --git a/test/asan/TestCases/max_redzone.cc b/test/asan/TestCases/max_redzone.cc
new file mode 100644
index 000000000000..01c25a9f3efc
--- /dev/null
+++ b/test/asan/TestCases/max_redzone.cc
@@ -0,0 +1,26 @@
+// Test max_redzone runtime option.
+
+// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=max_redzone=16 %run %t 0 2>&1
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t 1 2>&1
+// RUN: %clangxx_asan -O3 %s -o %t && env ASAN_OPTIONS=max_redzone=16 %run %t 0 2>&1
+// RUN: %clangxx_asan -O3 %s -o %t && %run %t 1 2>&1
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sanitizer/allocator_interface.h>
+
+int main(int argc, char **argv) {
+ if (argc < 2)
+ return 1;
+ bool large_redzone = atoi(argv[1]);
+ size_t before = __sanitizer_get_heap_size();
+ void *pp[10000];
+ for (int i = 0; i < 10000; ++i)
+ pp[i] = malloc(4096 - 64);
+ size_t after = __sanitizer_get_heap_size();
+ for (int i = 0; i < 10000; ++i)
+ free(pp[i]);
+ size_t diff = after - before;
+ return !(large_redzone ? diff > 46000000 : diff < 46000000);
+}
diff --git a/test/asan/TestCases/memcmp_strict_test.cc b/test/asan/TestCases/memcmp_strict_test.cc
new file mode 100644
index 000000000000..16b7673dd547
--- /dev/null
+++ b/test/asan/TestCases/memcmp_strict_test.cc
@@ -0,0 +1,15 @@
+// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=strict_memcmp=0 %run %t
+// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=strict_memcmp=1 not %run %t 2>&1 | FileCheck %s
+// Default to strict_memcmp=1.
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+ char kFoo[] = "foo";
+ char kFubar[] = "fubar";
+ int res = memcmp(kFoo, kFubar, strlen(kFubar));
+ printf("res: %d\n", res);
+ // CHECK: AddressSanitizer: stack-buffer-overflow
+ return 0;
+}
diff --git a/test/asan/TestCases/memcmp_test.cc b/test/asan/TestCases/memcmp_test.cc
new file mode 100644
index 000000000000..3b3b8894b73c
--- /dev/null
+++ b/test/asan/TestCases/memcmp_test.cc
@@ -0,0 +1,17 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// REQUIRES: compiler-rt-optimized
+
+#include <string.h>
+int main(int argc, char **argv) {
+ char a1[] = {argc, 2, 3, 4};
+ char a2[] = {1, 2*argc, 3, 4};
+ int res = memcmp(a1, a2, 4 + argc); // BOOM
+ // CHECK: AddressSanitizer: stack-buffer-overflow
+ // CHECK: {{#0.*memcmp}}
+ // CHECK: {{#1.*main}}
+ return res;
+}
diff --git a/test/asan/TestCases/memset_test.cc b/test/asan/TestCases/memset_test.cc
new file mode 100644
index 000000000000..e244d54deb3c
--- /dev/null
+++ b/test/asan/TestCases/memset_test.cc
@@ -0,0 +1,71 @@
+// Test that large memset/memcpy/memmove check the entire range.
+
+// RUN: %clangxx_asan -O0 -DTEST_MEMSET %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMSET
+// RUN: %clangxx_asan -O1 -DTEST_MEMSET %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMSET
+// RUN: %clangxx_asan -O2 -DTEST_MEMSET %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMSET
+// RUN: %clangxx_asan -O3 -DTEST_MEMSET %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMSET
+
+// RUN: %clangxx_asan -O0 -DTEST_MEMCPY %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY
+// RUN: %clangxx_asan -O1 -DTEST_MEMCPY %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY
+// RUN: %clangxx_asan -O2 -DTEST_MEMCPY %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY
+// RUN: %clangxx_asan -O3 -DTEST_MEMCPY %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY
+
+// RUN: %clangxx_asan -O0 -DTEST_MEMMOVE %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMMOVE
+// RUN: %clangxx_asan -O1 -DTEST_MEMMOVE %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMMOVE
+// RUN: %clangxx_asan -O2 -DTEST_MEMMOVE %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMMOVE
+// RUN: %clangxx_asan -O3 -DTEST_MEMMOVE %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMMOVE
+
+// RUN: %clangxx_asan -O2 -DTEST_MEMCPY_SIZE_OVERFLOW %s -o %t && not %run %t 2>&1 | \
+// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY_SIZE_OVERFLOW
+
+#include <assert.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <sanitizer/asan_interface.h>
+
+typedef void *(*memcpy_t)(void *, const void *, size_t);
+
+int main(int argc, char **argv) {
+ char * volatile p = (char
*)malloc(3000);
+ __asan_poison_memory_region(p + 512, 16);
+#if defined(TEST_MEMSET)
+ memset(p, 0, 3000);
+ assert(p[1] == 0);
+ // CHECK-MEMSET: AddressSanitizer: use-after-poison on address
+ // CHECK-MEMSET: in {{.*}}memset
+#else
+ char * volatile q = (char *)malloc(3000);
+#if defined(TEST_MEMCPY)
+ memcpy(q, p, 3000);
+ // CHECK-MEMCPY: AddressSanitizer: use-after-poison on address
+ // On Mac, memmove and memcpy are the same. Accept either one.
+ // CHECK-MEMCPY: in {{.*(memmove|memcpy)}}
+#elif defined(TEST_MEMMOVE)
+ memmove(q, p, 3000);
+ // CHECK-MEMMOVE: AddressSanitizer: use-after-poison on address
+ // CHECK-MEMMOVE: in {{.*(memmove|memcpy)}}
+#elif defined(TEST_MEMCPY_SIZE_OVERFLOW)
+ volatile memcpy_t my_memcpy = &memcpy;
+ my_memcpy(p, q, -argc);
+ // CHECK-MEMCPY_SIZE_OVERFLOW: AddressSanitizer: negative-size-param: (size=-1)
+#endif
+ assert(q[1] == 0);
+ free(q);
+#endif
+ free(p);
+ return 0;
+}
diff --git a/test/asan/TestCases/mmap_limit_mb.cc b/test/asan/TestCases/mmap_limit_mb.cc
new file mode 100644
index 000000000000..d4ffb2eac246
--- /dev/null
+++ b/test/asan/TestCases/mmap_limit_mb.cc
@@ -0,0 +1,33 @@
+// Test the mmap_limit_mb flag.
+//
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: %run %t 20 16
+// RUN: %run %t 30 1000000
+// RUN: env ASAN_OPTIONS=mmap_limit_mb=300 %run %t 20 16
+// RUN: env ASAN_OPTIONS=mmap_limit_mb=300 %run %t 20 1000000
+// RUN: env ASAN_OPTIONS=mmap_limit_mb=300 not %run %t 500 16 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=mmap_limit_mb=300 not %run %t 500 1000000 2>&1 | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+
+#include <assert.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <algorithm>
+#include <vector>
+
+int main(int argc, char **argv) {
+ assert(argc == 3);
+ long total_mb = atoi(argv[1]);
+ long allocation_size = atoi(argv[2]);
+ fprintf(stderr, "total_mb: %zd allocation_size: %zd\n", total_mb,
+ allocation_size);
+ std::vector<char *> v;
+ for (long total = total_mb << 20; total > 0; total -= allocation_size)
+ v.push_back(new char[allocation_size]);
+ for (std::vector<char *>::const_iterator it = v.begin(); it != v.end(); ++it)
+ delete[](*it);
+ fprintf(stderr, "PASS\n");
+ // CHECK: total_mmaped{{.*}}mmap_limit_mb
+ return 0;
+}
diff --git a/test/asan/TestCases/no_asan_gen_globals.c b/test/asan/TestCases/no_asan_gen_globals.c
new file mode 100644
index 000000000000..0a383da1384d
--- /dev/null
+++ b/test/asan/TestCases/no_asan_gen_globals.c
@@ -0,0 +1,11 @@
+// FIXME: https://code.google.com/p/address-sanitizer/issues/detail?id=316
+// XFAIL: android
+//
+// Make sure __asan_gen_* strings do not end up in the symbol table.
+
+// RUN: %clang_asan %s -o %t.exe
+// RUN: nm %t.exe | FileCheck %s
+
+int x, y, z;
+int main() { return 0; }
+// CHECK-NOT: __asan_gen_
diff --git a/test/asan/TestCases/null_deref.cc b/test/asan/TestCases/null_deref.cc
new file mode 100644
index 000000000000..875d65f2852f
--- /dev/null
+++ b/test/asan/TestCases/null_deref.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+__attribute__((noinline))
+static void NullDeref(int *ptr) {
+ // CHECK: ERROR: AddressSanitizer: SEGV on unknown address
+ // CHECK: {{0x0*000.. .*pc 0x.*}}
+ ptr[10]++; // BOOM
+ // atos on Mac cannot extract the symbol name correctly. Also, on FreeBSD 9.2
+ // the demangling function rejects local names with 'L' in front of them.
+ // CHECK: {{ #0 0x.* in .*NullDeref.*null_deref.cc:}}[[@LINE-3]]
+}
+int main() {
+ NullDeref((int*)0);
+ // CHECK: {{ #1 0x.* in main.*null_deref.cc:}}[[@LINE-1]]
+ // CHECK: AddressSanitizer can not provide additional info.
+}
diff --git a/test/asan/TestCases/on_error_callback.cc b/test/asan/TestCases/on_error_callback.cc
new file mode 100644
index 000000000000..c378c8b2de1b
--- /dev/null
+++ b/test/asan/TestCases/on_error_callback.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// FIXME: __asan_on_error() is not supported on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+#include <stdlib.h>
+
+extern "C"
+void __asan_on_error() {
+ fprintf(stderr, "__asan_on_error called");
+}
+
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return x[5];
+ // CHECK: __asan_on_error called
+}
diff --git a/test/asan/TestCases/partial_right.cc b/test/asan/TestCases/partial_right.cc
new file mode 100644
index 000000000000..b60c1a597635
--- /dev/null
+++ b/test/asan/TestCases/partial_right.cc
@@ -0,0 +1,13 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+int main(int argc, char **argv) {
+ volatile int *x = (int*)malloc(2*sizeof(int) + 2);
+ int res = x[2]; // BOOOM
+ // CHECK: {{READ of size 4 at 0x.* thread T0}}
+ // CHECK: [[ADDR:0x[01-9a-fa-f]+]] is located 0 bytes to the right of {{.*}}-byte region [{{.*}},{{.*}}[[ADDR]])
+ return res;
+}
diff --git a/test/asan/TestCases/poison_partial.cc b/test/asan/TestCases/poison_partial.cc
new file mode 100644
index 000000000000..ce9c98b7859a
--- /dev/null
+++ b/test/asan/TestCases/poison_partial.cc
@@ -0,0 +1,19 @@
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+// RUN: not %run %t heap 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=poison_partial=0 %run %t
+// RUN: env ASAN_OPTIONS=poison_partial=0 %run %t heap
+#include <string.h>
+char g[21];
+char *x;
+
+int main(int argc, char **argv) {
+ if (argc >= 2)
+ x = new char[21];
+ else
+ x = &g[0];
+ memset(x, 0, 21);
+ int *y = (int*)x;
+ return y[5];
+}
+// CHECK: 0 bytes to the right
diff --git a/test/asan/TestCases/print_summary.cc b/test/asan/TestCases/print_summary.cc
new file mode 100644
index 000000000000..79411c529469
--- /dev/null
+++ b/test/asan/TestCases/print_summary.cc
@@ -0,0 +1,14 @@
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=YES
+// RUN: env ASAN_OPTIONS=print_summary=false not %run %t 2>&1 | FileCheck %s --check-prefix=NO
+
+int main() {
+ char *x = new char[20];
+ delete[] x;
+ return x[0];
+ // YES: ERROR: AddressSanitizer: heap-use-after-free
+ // YES: SUMMARY: AddressSanitizer: heap-use-after-free
+ // NO: ERROR: AddressSanitizer: heap-use-after-free
+ // NO-NOT: SUMMARY: AddressSanitizer: heap-use-after-free
+}
+
diff --git a/test/asan/TestCases/printf-1.c b/test/asan/TestCases/printf-1.c
new file mode 100644
index 000000000000..5657083c5865
--- /dev/null
+++ b/test/asan/TestCases/printf-1.c
@@ -0,0 +1,25 @@
+// RUN: %clang_asan -O2 %s -o %t
+// RUN: env ASAN_OPTIONS=check_printf=1 %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=check_printf=0 %run %t 2>&1 | FileCheck %s
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#include <stdio.h>
+#if defined(_WIN32)
+# define snprintf _snprintf
+#endif
+
+int main() {
+ volatile char c = '0';
+ volatile int x = 12;
+ volatile float f = 1.239;
+ volatile char s[] = "34";
+ // Check that printf works fine under Asan.
+ printf("%c %d %.3f %s\n", c, x, f, s);
+ // CHECK: 0 12 1.239 34
+ // Check that snprintf works fine under Asan.
+ char buf[4];
+ snprintf(buf, 1000, "qwe");
+ printf("%s\n", buf);
+ // CHECK: qwe
+ return 0;
+}
diff --git a/test/asan/TestCases/printf-2.c b/test/asan/TestCases/printf-2.c
new file mode 100644
index 000000000000..e9cb47e24c15
--- /dev/null
+++ b/test/asan/TestCases/printf-2.c
@@ -0,0 +1,27 @@
+// RUN: %clang_asan -O2 %s -o %t
+// We need replace_str=0 and replace_intrin=0 to avoid reporting errors in
+// strlen() and memcpy() called by printf().
+// RUN: env ASAN_OPTIONS=replace_str=0:replace_intrin=0:check_printf=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+// RUN: env ASAN_OPTIONS=replace_str=0:replace_intrin=0:check_printf=0 %run %t 2>&1 | FileCheck --check-prefix=CHECK-OFF %s
+// RUN: env ASAN_OPTIONS=replace_str=0:replace_intrin=0 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+
+// FIXME: printf is not intercepted on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+int main() {
+ volatile char c = '0';
+ volatile int x = 12;
+ volatile float f = 1.239;
+ volatile char s[] = "34";
+ char *p = strdup((const char *)s);
+ free(p);
+ printf("%c %d %.3f %s\n", c, x, f, p);
+ return 0;
+ // Check that %s is sanitized.
+ // CHECK-ON: heap-use-after-free
+ // CHECK-ON-NOT: 0 12 1.239 34
+ // CHECK-OFF: 0 12 1.239
+}
diff --git a/test/asan/TestCases/printf-3.c b/test/asan/TestCases/printf-3.c
new file mode 100644
index 000000000000..d16833d83c6e
--- /dev/null
+++ b/test/asan/TestCases/printf-3.c
@@ -0,0 +1,22 @@
+// RUN: %clang_asan -O2 %s -o %t
+// RUN: env ASAN_OPTIONS=check_printf=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+// RUN: env ASAN_OPTIONS=check_printf=0 %run %t 2>&1 | FileCheck --check-prefix=CHECK-OFF %s
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+
+// FIXME: printf is not intercepted on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+int main() {
+ volatile char c = '0';
+ volatile int x = 12;
+ volatile float f = 1.239;
+ volatile char s[] = "34";
+ volatile int n[1];
+ printf("%c %d %.3f %s%n\n", c, x, f, s, &n[1]);
+ return 0;
+ // Check that %n is sanitized.
+ // CHECK-ON: stack-buffer-overflow
+ // CHECK-ON-NOT: 0 12 1.239 34
+ // CHECK-OFF: 0 12 1.239 34
+}
diff --git a/test/asan/TestCases/printf-4.c b/test/asan/TestCases/printf-4.c
new file mode 100644
index 000000000000..e269211d4871
--- /dev/null
+++ b/test/asan/TestCases/printf-4.c
@@ -0,0 +1,23 @@
+// RUN: %clang_asan -O2 %s -o %t
+// We need replace_str=0 and replace_intrin=0 to avoid reporting errors in
+// strlen() and memcpy() called by puts().
+// RUN: env ASAN_OPTIONS=replace_str=0:replace_intrin=0:check_printf=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+// RUN: env ASAN_OPTIONS=replace_str=0:replace_intrin=0 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+
+// FIXME: printf is not intercepted on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+int main() {
+ volatile char c = '0';
+ volatile int x = 12;
+ volatile float f = 1.239;
+ volatile char s[] = "34";
+ volatile char buf[2];
+ sprintf((char *)buf, "%c %d %.3f %s\n", c, x, f, s);
+ puts((const char *)buf);
+ return 0;
+ // Check that size of output buffer is sanitized.
+ // CHECK-ON: stack-buffer-overflow
+ // CHECK-ON-NOT: 0 12 1.239 34
+}
diff --git a/test/asan/TestCases/printf-5.c b/test/asan/TestCases/printf-5.c
new file mode 100644
index 000000000000..ac2c1c4b2997
--- /dev/null
+++ b/test/asan/TestCases/printf-5.c
@@ -0,0 +1,25 @@
+// RUN: %clang_asan -O2 %s -o %t
+// We need replace_intrin=0 to avoid reporting errors in memcpy.
+// RUN: env ASAN_OPTIONS=replace_intrin=0:check_printf=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+// RUN: env ASAN_OPTIONS=replace_intrin=0:check_printf=0 %run %t 2>&1 | FileCheck --check-prefix=CHECK-OFF %s
+// RUN: env ASAN_OPTIONS=replace_intrin=0 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ON %s
+
+// FIXME: printf is not intercepted on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+#include <string.h>
+int main() {
+ volatile char c = '0';
+ volatile int x = 12;
+ volatile float f = 1.239;
+ volatile char s[] = "34";
+ volatile char fmt[2];
+ memcpy((char *)fmt, "%c %d %f %s\n", sizeof(fmt));
+ printf((char *)fmt, c, x, f, s);
+ return 0;
+ // Check that format string is sanitized.
+ // CHECK-ON: stack-buffer-overflow
+ // CHECK-ON-NOT: 0 12 1.239 34
+ // CHECK-OFF: 0
+}
diff --git a/test/asan/TestCases/sanity_check_pure_c.c b/test/asan/TestCases/sanity_check_pure_c.c
new file mode 100644
index 000000000000..c3a43c8cacb2
--- /dev/null
+++ b/test/asan/TestCases/sanity_check_pure_c.c
@@ -0,0 +1,21 @@
+// Sanity checking a test in pure C.
+// RUN: %clang_asan -O2 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+
+// Sanity checking a test in pure C with -pie.
+// RUN: %clang_asan -O2 %s -pie -fPIE -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return x[5];
+ // CHECK: heap-use-after-free
+ // CHECK: free
+ // CHECK: main{{.*}}sanity_check_pure_c.c:[[@LINE-4]]
+ // CHECK: malloc
+ // CHECK: main{{.*}}sanity_check_pure_c.c:[[@LINE-7]]
+}
diff --git a/test/asan/TestCases/sleep_before_dying.c b/test/asan/TestCases/sleep_before_dying.c
new file mode 100644
index 000000000000..28ae0bf66d47
--- /dev/null
+++ b/test/asan/TestCases/sleep_before_dying.c
@@ -0,0 +1,10 @@
+// RUN: %clang_asan -O2 %s -o %t
+// RUN: env ASAN_OPTIONS="sleep_before_dying=1" not %run %t 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return x[5];
+ // CHECK: Sleeping for 1 second
+}
diff --git a/test/asan/TestCases/stack-buffer-overflow-with-position.cc b/test/asan/TestCases/stack-buffer-overflow-with-position.cc
new file mode 100644
index 000000000000..88f5825baf42
--- /dev/null
+++ b/test/asan/TestCases/stack-buffer-overflow-with-position.cc
@@ -0,0 +1,44 @@
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: not %run %t -2 2>&1 | FileCheck --check-prefix=CHECK-m2 %s
+// RUN: not %run %t -1 2>&1 | FileCheck --check-prefix=CHECK-m1 %s
+// RUN: %run %t 0
+// RUN: %run %t 8
+// RUN: not %run %t 9 2>&1 | FileCheck --check-prefix=CHECK-9 %s
+// RUN: not %run %t 10 2>&1 | FileCheck --check-prefix=CHECK-10 %s
+// RUN: not %run %t 30 2>&1 | FileCheck --check-prefix=CHECK-30 %s
+// RUN: not %run %t 31 2>&1 | FileCheck --check-prefix=CHECK-31 %s
+// RUN: not %run %t 41 2>&1 | FileCheck --check-prefix=CHECK-41 %s
+// RUN: not %run %t 42 2>&1 | FileCheck --check-prefix=CHECK-42 %s
+// RUN: not %run %t 62 2>&1 | FileCheck --check-prefix=CHECK-62 %s
+// RUN: not %run %t 63 2>&1 | FileCheck --check-prefix=CHECK-63 %s
+// RUN: not %run %t 73 2>&1 | FileCheck --check-prefix=CHECK-73 %s
+// RUN: not %run %t 74 2>&1 | FileCheck --check-prefix=CHECK-74 %s
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+int main(int argc, char **argv) {
+ assert(argc >= 2);
+ int idx = atoi(argv[1]);
+ char AAA[10], BBB[10], CCC[10];
+ memset(AAA, 0, sizeof(AAA));
+ memset(BBB, 0, sizeof(BBB));
+ memset(CCC, 0, sizeof(CCC));
+ int res = 0;
+ char *p = AAA + idx;
+ printf("AAA: %p\ny: %p\nz: %p\np: %p\n", AAA, BBB, CCC, p);
+ // make sure BBB and CCC are not removed;
+ return *(short*)(p) + BBB[argc % 2] + CCC[argc % 2];
+}
+// CHECK-m2: 'AAA' <== {{.*}}underflows this variable
+// CHECK-m1: 'AAA' <== {{.*}}partially underflows this variable
+// CHECK-9: 'AAA' <== {{.*}}partially overflows this variable
+// CHECK-10: 'AAA' <== {{.*}}overflows this variable
+// CHECK-30: 'BBB' <== {{.*}}underflows this variable
+// CHECK-31: 'BBB' <== {{.*}}partially underflows this variable
+// CHECK-41: 'BBB' <== {{.*}}partially overflows this variable
+// CHECK-42: 'BBB' <== {{.*}}overflows this variable
+// CHECK-62: 'CCC' <== {{.*}}underflows this variable
+// CHECK-63: 'CCC' <== {{.*}}partially underflows this variable
+//
CHECK-73: 'CCC' <== {{.*}}partially overflows this variable
+// CHECK-74: 'CCC' <== {{.*}}overflows this variable
diff --git a/test/asan/TestCases/stack-buffer-overflow.cc b/test/asan/TestCases/stack-buffer-overflow.cc
new file mode 100644
index 000000000000..bd0c4772cc84
--- /dev/null
+++ b/test/asan/TestCases/stack-buffer-overflow.cc
@@ -0,0 +1,16 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <string.h>
+int main(int argc, char **argv) {
+ char x[10];
+ memset(x, 0, 10);
+ int res = x[argc * 10]; // BOOOM
+ // CHECK: {{READ of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*stack-buffer-overflow.cc:}}[[@LINE-2]]
+ // CHECK: {{Address 0x.* is located in stack of thread T0 at offset}}
+ // CHECK-NEXT: in{{.*}}main{{.*}}stack-buffer-overflow.cc
+ return res;
+}
diff --git a/test/asan/TestCases/stack-frame-demangle.cc b/test/asan/TestCases/stack-frame-demangle.cc
new file mode 100644
index 000000000000..11a8b38e6724
--- /dev/null
+++ b/test/asan/TestCases/stack-frame-demangle.cc
@@ -0,0 +1,22 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <string.h>
+
+namespace XXX {
+struct YYY {
+ static int ZZZ(int x) {
+ char array[10];
+ memset(array, 0, 10);
+ return array[x]; // BOOOM
+ // CHECK: ERROR: AddressSanitizer: stack-buffer-overflow
+ // CHECK: READ of size 1 at
+ // CHECK: is located in stack of thread T0 at offset
+ // CHECK: XXX::YYY::ZZZ
+ }
+};
+} // namespace XXX
+
+int main(int argc, char **argv) {
+ int res = XXX::YYY::ZZZ(argc + 10);
+ return res;
+}
diff --git a/test/asan/TestCases/stack-oob-frames.cc b/test/asan/TestCases/stack-oob-frames.cc
new file mode 100644
index 000000000000..3b5d511b2681
--- /dev/null
+++ b/test/asan/TestCases/stack-oob-frames.cc
@@ -0,0 +1,59 @@
+// RUN: %clangxx_asan -O1 %s -o %t
+// RUN: not %run %t 0 2>&1 | FileCheck %s --check-prefix=CHECK0
+// RUN: not %run %t 1 2>&1 | FileCheck %s --check-prefix=CHECK1
+// RUN: not %run %t 2 2>&1 | FileCheck %s --check-prefix=CHECK2
+// RUN: not %run %t 3 2>&1 | FileCheck %s --check-prefix=CHECK3
+
+#define NOINLINE __attribute__((noinline))
+inline void break_optimization(void *arg) {
+ __asm__ __volatile__("" : : "r" (arg) : "memory");
+}
+
+NOINLINE static void Frame0(int frame, char *a, char *b, char *c) {
+ char s[4] = {0};
+ char *d = s;
+ break_optimization(&d);
+ switch (frame) {
+ case 3: a[5]++; break;
+ case 2: b[5]++; break;
+ case 1: c[5]++; break;
+ case 0: d[5]++; break;
+ }
+}
+NOINLINE static void Frame1(int frame, char *a, char *b) {
+ char c[4] = {0}; Frame0(frame, a, b, c);
+ break_optimization(0);
+}
+NOINLINE static void Frame2(int frame, char *a) {
+ char b[4] = {0}; Frame1(frame, a, b);
+ break_optimization(0);
+}
+NOINLINE static void Frame3(int frame) {
+ char a[4] = {0}; Frame2(frame, a);
+ break_optimization(0);
+}
+
+int main(int argc, char **argv) {
+ if (argc != 2) return 1;
+ Frame3(argv[1][0] - '0');
+}
+
+// CHECK0: AddressSanitizer: stack-buffer-overflow
+// CHECK0: #0{{.*}}Frame0
+// CHECK0: #1{{.*}}Frame1
+// CHECK0: #2{{.*}}Frame2
+// CHECK0: #3{{.*}}Frame3
+// CHECK0: is located in stack of thread T0 at offset
+// CHECK0-NEXT: #0{{.*}}Frame0
+//
+// CHECK1: AddressSanitizer: stack-buffer-overflow
+// CHECK1: is located in stack of thread T0 at offset
+// CHECK1-NEXT: #0{{.*}}Frame1
+//
+// CHECK2: AddressSanitizer: stack-buffer-overflow
+// CHECK2: is located in stack of thread T0 at offset
+// CHECK2-NEXT: #0{{.*}}Frame2
+//
+// CHECK3: AddressSanitizer: stack-buffer-overflow
+// CHECK3: is located in stack of thread T0 at offset
+// CHECK3-NEXT: #0{{.*}}Frame3
diff --git a/test/asan/TestCases/stack-overflow.cc b/test/asan/TestCases/stack-overflow.cc
new file mode 100644
index 000000000000..7542d56b6db8
--- /dev/null
+++ b/test/asan/TestCases/stack-overflow.cc
@@ -0,0 +1,114 @@
+// Test ASan detection of stack-overflow condition.
+
+// RUN: %clangxx_asan -O0 %s -DSMALL_FRAME -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -DSMALL_FRAME -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O0 %s -DSAVE_ALL_THE_REGISTERS -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -DSAVE_ALL_THE_REGISTERS -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O0 %s -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+
+// RUN: %clangxx_asan -O0 %s -DTHREAD -DSMALL_FRAME -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -DTHREAD -DSMALL_FRAME -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O0 %s -DTHREAD -DSAVE_ALL_THE_REGISTERS -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -DTHREAD -DSAVE_ALL_THE_REGISTERS -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O0 %s -DTHREAD -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -DTHREAD -pthread -o %t && env ASAN_OPTIONS=use_sigaltstack=1 not %run %t 2>&1 | FileCheck %s
+// RUN: not %run %t 2>&1 | FileCheck %s
+// REQUIRES: stable-runtime
+
+#include <assert.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sanitizer/asan_interface.h>
+
+const int BS = 1024;
+volatile char x;
+volatile int y = 1;
+volatile int z0, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10, z11, z12, z13;
+
+void recursive_func(char *p) {
+#if defined(SMALL_FRAME)
+ char *buf = 0;
+#elif defined(SAVE_ALL_THE_REGISTERS)
+ char *buf = 0;
+ int t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11, t12, t13;
+ t0 = z0;
+ t1 = z1;
+ t2 = z2;
+ t3 = z3;
+ t4 = z4;
+ t5 = z5;
+ t6 = z6;
+ t7 = z7;
+ t8 = z8;
+ t9 = z9;
+ t10 = z10;
+ t11 = z11;
+ t12 = z12;
+ t13 = z13;
+
+ z0 = t0;
+ z1 = t1;
+ z2 = t2;
+ z3 = t3;
+ z4 = t4;
+ z5 = t5;
+ z6 = t6;
+ z7 = t7;
+ z8 = t8;
+ z9 = t9;
+ z10 = t10;
+ z11 = t11;
+ z12 = t12;
+ z13 = t13;
+#else
+ char buf[BS];
+ // Check that the stack grows in the righ direction, unless we use fake stack.
+ if (p && !__asan_get_current_fake_stack())
+ assert(p - buf >= BS);
+ buf[rand() % BS] = 1;
+ buf[rand() % BS] = 2;
+ x = buf[rand() % BS];
+#endif
+ if (y)
+ recursive_func(buf);
+ x = 1; // prevent tail call optimization
+ // CHECK: {{stack-overflow on address 0x.* \(pc 0x.* bp 0x.* sp 0x.* T.*\)}}
+ // If stack overflow happens during function prologue, stack trace may be
+ // corrupted. Unwind tables are not always 100% exact there.
+ // For this reason, we don't do any further checks.
+}
+
+void *ThreadFn(void* unused) {
+ recursive_func(0);
+ return 0;
+}
+
+void LimitStackAndReexec(int argc, char **argv) {
+ struct rlimit rlim;
+ int res = getrlimit(RLIMIT_STACK, &rlim);
+ assert(res == 0);
+ if (rlim.rlim_cur == RLIM_INFINITY) {
+ rlim.rlim_cur = 128 * 1024;
+ res = setrlimit(RLIMIT_STACK, &rlim);
+ assert(res == 0);
+
+ execv(argv[0], argv);
+ assert(0 && "unreachable");
+ }
+}
+
+int main(int argc, char **argv) {
+ LimitStackAndReexec(argc, argv);
+#ifdef THREAD
+ pthread_t t;
+ pthread_create(&t, 0, ThreadFn, 0);
+ pthread_join(t, 0);
+#else
+ recursive_func(0);
+#endif
+ return 0;
+}
diff --git a/test/asan/TestCases/stack-use-after-return.cc b/test/asan/TestCases/stack-use-after-return.cc
new file mode 100644
index 000000000000..437c457748c4
--- /dev/null
+++ b/test/asan/TestCases/stack-use-after-return.cc 
@@ -0,0 +1,80 @@
+// RUN: export ASAN_OPTIONS=detect_stack_use_after_return=1
+// RUN: %clangxx_asan -O0 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -pthread -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS=detect_stack_use_after_return=0 %run %t
+// Regression test for a CHECK failure with small stack size and large frame.
+// RUN: %clangxx_asan -O3 %s -pthread -o %t -DkSize=10000 -DUseThread -DkStackSize=65536 && not %run %t 2>&1 | FileCheck --check-prefix=THREAD %s
+//
+// Test that we can find UAR in a thread other than main:
+// RUN: %clangxx_asan -DUseThread -O2 %s -pthread -o %t && not %run %t 2>&1 | FileCheck --check-prefix=THREAD %s
+//
+// Test the max_uar_stack_size_log/min_uar_stack_size_log flag.
+//
+// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:max_uar_stack_size_log=20:verbosity=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-20 %s
+// RUN: env ASAN_OPTIONS=$ASAN_OPTIONS:min_uar_stack_size_log=24:max_uar_stack_size_log=24:verbosity=1 not %run %t 2>&1 | FileCheck --check-prefix=CHECK-24 %s
+
+#include <stdio.h>
+#include <pthread.h>
+
+#ifndef kSize
+# define kSize 1
+#endif
+
+#ifndef UseThread
+# define UseThread 0
+#endif
+
+#ifndef kStackSize
+# define kStackSize 0
+#endif
+
+__attribute__((noinline))
+char *Ident(char *x) {
+ fprintf(stderr, "1: %p\n", x);
+ return x;
+}
+
+__attribute__((noinline))
+char *Func1() {
+ char local[kSize];
+ return Ident(local);
+}
+
+__attribute__((noinline))
+void Func2(char *x) {
+ fprintf(stderr, "2: %p\n", x);
+ *x = 1;
+ // CHECK: WRITE of size 1 {{.*}} thread T0
+ // CHECK: #0{{.*}}Func2{{.*}}stack-use-after-return.cc:[[@LINE-2]]
+ // CHECK: is located in stack of thread T0 at offset
+ // CHECK: 'local' <== Memory access at offset {{16|32}} is inside this variable
+ // THREAD: WRITE of size 1 {{.*}} thread T{{[1-9]}}
+ // THREAD: #0{{.*}}Func2{{.*}}stack-use-after-return.cc:[[@LINE-6]]
+ // THREAD: is located in stack of thread T{{[1-9]}} at offset
+ // THREAD: 'local' <== Memory access at offset {{16|32}} is inside this variable
+ // CHECK-20: T0: FakeStack created:{{.*}} stack_size_log: 20
+ // CHECK-24: T0: FakeStack created:{{.*}} stack_size_log: 24
+}
+
+void *Thread(void *unused) {
+ Func2(Func1());
+ return NULL;
+}
+
+int main(int argc, char **argv) {
+#if UseThread
+ pthread_attr_t attr;
+ pthread_attr_init(&attr);
+ if (kStackSize > 0)
+ pthread_attr_setstacksize(&attr, kStackSize);
+ pthread_t t;
+ pthread_create(&t, &attr, Thread, 0);
+ pthread_attr_destroy(&attr);
+ pthread_join(t, 0);
+#else
+ Func2(Func1());
+#endif
+ return 0;
+}
diff --git a/test/asan/TestCases/strdup_oob_test.cc b/test/asan/TestCases/strdup_oob_test.cc
new file mode 100644
index 000000000000..a039568b2245
--- /dev/null
+++ b/test/asan/TestCases/strdup_oob_test.cc
@@ -0,0 +1,20 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <string.h>
+
+char kString[] = "foo";
+
+int main(int argc, char **argv) {
+ char *copy = strdup(kString);
+ int x = copy[4 + argc]; // BOOM
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ // CHECK: #0 {{.*}}main {{.*}}strdup_oob_test.cc:[[@LINE-2]]
+ // CHECK-LABEL: allocated by thread T{{.*}} here:
+ // CHECK: #{{[01]}} {{.*}}strdup
+ // CHECK-LABEL: SUMMARY
+ // CHECK: strdup_oob_test.cc:[[@LINE-6]]
+ return x;
+}
diff --git a/test/asan/TestCases/strip_path_prefix.c b/test/asan/TestCases/strip_path_prefix.c
new file mode 100644
index 000000000000..4556e9031e2d
--- /dev/null
+++ b/test/asan/TestCases/strip_path_prefix.c
@@ -0,0 +1,12 @@
+// RUN: %clang_asan -O2 %s -o %t
+// RUN: env ASAN_OPTIONS="strip_path_prefix='/'" not %run %t 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return x[5];
+ // Check that paths in error report don't start with slash.
+ // CHECK: heap-use-after-free
+ // CHECK-NOT: #0 0x{{.*}} ({{[/].*}})
+}
diff --git a/test/asan/TestCases/strncpy-overflow.cc b/test/asan/TestCases/strncpy-overflow.cc
new file mode 100644
index 000000000000..651ae22795f1
--- /dev/null
+++ b/test/asan/TestCases/strncpy-overflow.cc
@@ -0,0 +1,30 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+
+// REQUIRES: compiler-rt-optimized
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <string.h>
+#include <stdlib.h>
+int main(int argc, char **argv) {
+ char *hello = (char*)malloc(6);
+ strcpy(hello, "hello");
+ char *short_buffer = (char*)malloc(9);
+ strncpy(short_buffer, hello, 10); // BOOM
+ // CHECK: {{WRITE of size 10 at 0x.* thread T0}}
+ // CHECK-Linux: {{ #0 0x.* in .*strncpy}}
+ // CHECK-Darwin: {{ #0 0x.* in wrap_strncpy}}
+ // CHECK: {{ #1 0x.* in main .*strncpy-overflow.cc:}}[[@LINE-4]]
+ // CHECK: {{0x.* is located 0 bytes to the right of 9-byte region}}
+ // CHECK: {{allocated by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in .*malloc}}
+ // CHECK-Linux: {{ #1 0x.* in main .*strncpy-overflow.cc:}}[[@LINE-10]]
+
+ // CHECK-Darwin: {{ #0 0x.* in wrap_malloc.*}}
+ // CHECK-Darwin: {{ #1 0x.* in main .*strncpy-overflow.cc:}}[[@LINE-13]]
+ return short_buffer[8];
+}
diff --git a/test/asan/TestCases/suppressions-function.cc b/test/asan/TestCases/suppressions-function.cc
new file mode 100644
index 000000000000..c52b3c303518
--- /dev/null
+++ b/test/asan/TestCases/suppressions-function.cc
@@ -0,0 +1,29 @@
+// Check that without suppressions, we catch the issue.
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-CRASH %s
+
+// RUN: echo "interceptor_via_fun:crash_function" > %t.supp
+// RUN: %clangxx_asan -O0 %s -o %t && ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+// RUN: %clangxx_asan -O3 %s -o %t && ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// XFAIL: android
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void crash_function() {
+ char *a = (char *)malloc(6);
+ free(a);
+ size_t len = strlen(a); // BOOM
+ fprintf(stderr, "strlen ignored, len = %zu\n", len);
+}
+
+int main() {
+ crash_function();
+}
+
+// CHECK-CRASH: AddressSanitizer: heap-use-after-free
+// CHECK-CRASH-NOT: strlen ignored
+// CHECK-IGNORE-NOT: AddressSanitizer: heap-use-after-free
+// CHECK-IGNORE: strlen ignored
diff --git a/test/asan/TestCases/suppressions-interceptor.cc b/test/asan/TestCases/suppressions-interceptor.cc
new file mode 100644
index 000000000000..10d24fdc30a3
--- /dev/null
+++ b/test/asan/TestCases/suppressions-interceptor.cc
@@ -0,0 +1,24 @@
+// Check that without suppressions, we catch the issue.
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-CRASH %s
+
+// RUN: echo "interceptor_name:strlen" > %t.supp
+// RUN: ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// XFAIL: android
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main() {
+ char *a = (char *)malloc(6);
+ free(a);
+ size_t len = strlen(a); // BOOM
+ fprintf(stderr, "strlen ignored, len = %zu\n", len);
+}
+
+// CHECK-CRASH: AddressSanitizer: heap-use-after-free
+// CHECK-CRASH-NOT: strlen ignored
+// CHECK-IGNORE-NOT: AddressSanitizer: heap-use-after-free
+// CHECK-IGNORE: strlen ignored
diff --git a/test/asan/TestCases/suppressions-library.cc b/test/asan/TestCases/suppressions-library.cc
new file mode 100644
index 000000000000..dfb0d4a5e030
--- /dev/null
+++ b/test/asan/TestCases/suppressions-library.cc
@@ -0,0 +1,39 @@
+// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so
+// RUN: %clangxx_asan -O0 %s %t-so.so -o %t
+
+// Check that without suppressions, we catch the issue.
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-CRASH %s
+
+// RUN: echo "interceptor_via_lib:%t-so.so" > %t.supp
+// RUN: ASAN_OPTIONS=suppressions=%t.supp %run %t 2>&1 | FileCheck --check-prefix=CHECK-IGNORE %s
+
+// XFAIL: android
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if !defined(SHARED_LIB)
+
+void crash_function();
+
+int main(int argc, char *argv[]) {
+ crash_function();
+ return 0;
+}
+
+#else // SHARED_LIB
+
+void crash_function() {
+ char *a = (char *)malloc(6);
+ free(a);
+ size_t len = strlen(a); // BOOM
+ fprintf(stderr, "strlen ignored, %zu\n", len);
+}
+
+#endif // SHARED_LIB
+
+// CHECK-CRASH: AddressSanitizer: heap-use-after-free
+// CHECK-CRASH-NOT: strlen ignored
+// CHECK-IGNORE-NOT: AddressSanitizer: heap-use-after-free
+// CHECK-IGNORE: strlen ignored
diff --git a/test/asan/TestCases/throw_call_test.cc b/test/asan/TestCases/throw_call_test.cc
new file mode 100644
index 000000000000..20e9a5ee565e
--- /dev/null
+++ b/test/asan/TestCases/throw_call_test.cc
@@ -0,0 +1,52 @@
+// RUN: %clangxx_asan %s -o %t && %run %t
+// http://code.google.com/p/address-sanitizer/issues/detail?id=147 (not fixed).
+// BROKEN: %clangxx_asan %s -o %t -static-libstdc++ && %run %t
+//
+// Android builds with static libstdc++ by default.
+// XFAIL: android
+
+// Clang doesn't support exceptions on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+static volatile int zero = 0;
+inline void pretend_to_do_something(void *x) {
+ __asm__ __volatile__("" : : "r" (x) : "memory");
+}
+
+__attribute__((noinline, no_sanitize_address))
+void ReallyThrow() {
+ fprintf(stderr, "ReallyThrow\n");
+ if (zero == 0)
+ throw 42;
+}
+
+__attribute__((noinline))
+void Throw() {
+ int a, b, c, d, e;
+ pretend_to_do_something(&a);
+ pretend_to_do_something(&b);
+ pretend_to_do_something(&c);
+ pretend_to_do_something(&d);
+ pretend_to_do_something(&e);
+ fprintf(stderr, "Throw stack = %p\n", &a);
+ ReallyThrow();
+}
+
+__attribute__((noinline))
+void CheckStack() {
+ int ar[100];
+ pretend_to_do_something(ar);
+ for (int i = 0; i < 100; i++)
+ ar[i] = i;
+ fprintf(stderr, "CheckStack stack = %p, %p\n", ar, ar + 100);
+}
+
+int main(int argc, char** argv) {
+ try {
+ Throw();
+ } catch(int a) {
+ fprintf(stderr, "a = %d\n", a);
+ }
+ CheckStack();
+}
diff --git a/test/asan/TestCases/throw_catch.cc b/test/asan/TestCases/throw_catch.cc
new file mode 100644
index 000000000000..bce48199dbf7
--- /dev/null
+++ b/test/asan/TestCases/throw_catch.cc
@@ -0,0 +1,64 @@
+// RUN: %clangxx_asan -O %s -o %t && %run %t
+
+// Clang doesn't support exceptions on Windows yet.
+// XFAIL: win32
+
+#include <assert.h>
+#include <stdio.h>
+#include <sanitizer/asan_interface.h>
+
+__attribute__((noinline))
+void Throw() {
+ int local;
+ fprintf(stderr, "Throw: %p\n", &local);
+ throw 1;
+}
+
+__attribute__((noinline))
+void ThrowAndCatch() {
+ int local;
+ try {
+ Throw();
+ } catch(...) {
+ fprintf(stderr, "Catch: %p\n", &local);
+ }
+}
+
+void TestThrow() {
+ char x[32];
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ ThrowAndCatch();
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ // This assertion works only w/o UAR.
+ if (!__asan_get_current_fake_stack())
+ assert(!__asan_address_is_poisoned(x + 32));
+}
+
+void TestThrowInline() {
+ char x[32];
+ fprintf(stderr, "Before: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ assert(__asan_address_is_poisoned(x + 32));
+ try {
+ Throw();
+ } catch(...) {
+ fprintf(stderr, "Catch\n");
+ }
+ fprintf(stderr, "After: %p poisoned: %d\n", &x,
+ __asan_address_is_poisoned(x + 32));
+ // FIXME: Invert this assertion once we fix
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=258
+ // This assertion works only w/o UAR.
+ if (!__asan_get_current_fake_stack())
+ assert(!__asan_address_is_poisoned(x + 32));
+}
+
+int main(int argc, char **argv) {
+ TestThrowInline();
+ TestThrow();
+}
diff --git a/test/asan/TestCases/throw_invoke_test.cc b/test/asan/TestCases/throw_invoke_test.cc
new file mode 100644
index 000000000000..ec48fc7b6a49
--- /dev/null
+++ b/test/asan/TestCases/throw_invoke_test.cc
@@ -0,0 +1,54 @@
+// RUN: %clangxx_asan %s -o %t && %run %t
+// RUN: %clangxx_asan %s -o %t -static-libstdc++ && %run %t
+
+// Clang doesn't support exceptions on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+static volatile int zero = 0;
+inline void pretend_to_do_something(void *x) {
+ __asm__ __volatile__("" : : "r" (x) : "memory");
+}
+
+__attribute__((noinline))
+void ReallyThrow() {
+ fprintf(stderr, "ReallyThrow\n");
+ try {
+ if (zero == 0)
+ throw 42;
+ else if (zero == 1)
+ throw 1.;
+ } catch(double x) {
+ }
+}
+
+__attribute__((noinline))
+void Throw() {
+ int a, b, c, d, e;
+ pretend_to_do_something(&a);
+ pretend_to_do_something(&b);
+ pretend_to_do_something(&c);
+ pretend_to_do_something(&d);
+ pretend_to_do_something(&e);
+ fprintf(stderr, "Throw stack = %p\n", &a);
+ ReallyThrow();
+}
+
+__attribute__((noinline))
+void CheckStack() {
+ int ar[100];
+ pretend_to_do_something(ar);
+ for (int i = 0; i < 100; i++)
+ ar[i] = i;
+ fprintf(stderr, "CheckStack stack = %p, %p\n", ar, ar + 100);
+}
+
+int main(int argc, char** argv) {
+ try {
+ Throw();
+ } catch(int a) {
+ fprintf(stderr, "a = %d\n", a);
+ }
+ CheckStack();
+}
+
diff --git a/test/asan/TestCases/time_interceptor.cc b/test/asan/TestCases/time_interceptor.cc
new file mode 100644
index 000000000000..89b2183bcde2
--- /dev/null
+++ b/test/asan/TestCases/time_interceptor.cc
@@ -0,0 +1,22 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// Test the time() interceptor.
+
+// There's no interceptor for time() on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+int main() {
+ time_t *tm = (time_t*)malloc(sizeof(time_t));
+ free(tm);
+ time_t t = time(tm);
+ printf("Time: %s\n", ctime(&t)); // NOLINT
+ // CHECK: use-after-free
+ // Regression check for
+ // https://code.google.com/p/address-sanitizer/issues/detail?id=321
+ // CHECK: SUMMARY
+ return 0;
+}
diff --git a/test/asan/TestCases/uar_and_exceptions.cc b/test/asan/TestCases/uar_and_exceptions.cc
new file mode 100644
index 000000000000..0bfe29729555
--- /dev/null
+++ b/test/asan/TestCases/uar_and_exceptions.cc
@@ -0,0 +1,43 @@
+// Test that use-after-return works with exceptions.
+// export ASAN_OPTIONS=detect_stack_use_after_return=1
+// RUN: %clangxx_asan -O0 %s -o %t && %run %t
+
+// Clang doesn't support exceptions on Windows yet.
+// XFAIL: win32
+
+#include <stdio.h>
+
+volatile char *g;
+
+#ifndef FRAME_SIZE
+# define FRAME_SIZE 100
+#endif
+
+#ifndef NUM_ITER
+# define NUM_ITER 4000
+#endif
+
+#ifndef DO_THROW
+# define DO_THROW 1
+#endif
+
+void Func(int depth) {
+ char frame[FRAME_SIZE];
+ g = &frame[0];
+ if (depth)
+ Func(depth - 1);
+ else if (DO_THROW)
+ throw 1;
+}
+
+int main(int argc, char **argv) {
+ for (int i = 0; i < NUM_ITER; i++) {
+ try {
+ Func(argc * 100);
+ } catch(...) {
+ }
+ if ((i % (NUM_ITER / 10)) == 0)
+ fprintf(stderr, "done [%d]\n", i);
+ }
+ return 0;
+}
diff --git a/test/asan/TestCases/unaligned_loads_and_stores.cc b/test/asan/TestCases/unaligned_loads_and_stores.cc
new file mode 100644
index 000000000000..f1b1d0d457e1
--- /dev/null
+++ b/test/asan/TestCases/unaligned_loads_and_stores.cc
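Review bot: In uar_and_exceptions.cc the second line, `// export ASAN_OPTIONS=detect_stack_use_after_return=1`, has no `RUN:` prefix, so lit never executes it and the only RUN line builds and runs the binary with default options. Unless use-after-return detection is enabled by default in this runtime, the test that claims to cover use-after-return with exceptions only exercises the ordinary stack. If the omission is not deliberate, set the option on the run itself, e.g. `// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=detect_stack_use_after_return=1 %run %t`; if it is deliberate, a comment saying why it is disabled would help.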
@@ -0,0 +1,52 @@
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run %t A 2>&1 | FileCheck --check-prefix=CHECK-A %s
+// RUN: not %run %t B 2>&1 | FileCheck --check-prefix=CHECK-B %s
+// RUN: not %run %t C 2>&1 | FileCheck --check-prefix=CHECK-C %s
+// RUN: not %run %t D 2>&1 | FileCheck --check-prefix=CHECK-D %s
+// RUN: not %run %t E 2>&1 | FileCheck --check-prefix=CHECK-E %s
+
+// RUN: not %run %t K 2>&1 | FileCheck --check-prefix=CHECK-K %s
+// RUN: not %run %t L 2>&1 | FileCheck --check-prefix=CHECK-L %s
+// RUN: not %run %t M 2>&1 | FileCheck --check-prefix=CHECK-M %s
+// RUN: not %run %t N 2>&1 | FileCheck --check-prefix=CHECK-N %s
+// RUN: not %run %t O 2>&1 | FileCheck --check-prefix=CHECK-O %s
+
+#include <sanitizer/asan_interface.h>
+
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char **argv) {
+ if (argc != 2) return 1;
+ char *x = new char[16];
+ memset(x, 0xab, 16);
+ int res = 1;
+ switch (argv[1][0]) {
+ case 'A': res = __sanitizer_unaligned_load16(x + 15); break;
+// CHECK-A ERROR: AddressSanitizer: heap-buffer-overflow on address
+// CHECK-A: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-2]]
+// CHECK-A: is located 0 bytes to the right of 16-byte region
+ case 'B': res = __sanitizer_unaligned_load32(x + 14); break;
+// CHECK-B: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'C': res = __sanitizer_unaligned_load32(x + 13); break;
+// CHECK-C: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'D': res = __sanitizer_unaligned_load64(x + 15); break;
+// CHECK-D: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'E': res = __sanitizer_unaligned_load64(x + 9); break;
+// CHECK-E: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+
+ case 'K': __sanitizer_unaligned_store16(x + 15, 0); break;
+// CHECK-K ERROR: AddressSanitizer: heap-buffer-overflow on address
+// CHECK-K: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-2]]
+// CHECK-K: is located 0 bytes to the right of 16-byte region
+ case 'L': __sanitizer_unaligned_store32(x + 15, 0); break;
+// CHECK-L: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'M': __sanitizer_unaligned_store32(x + 13, 0); break;
+// CHECK-M: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'N': __sanitizer_unaligned_store64(x + 10, 0); break;
+// CHECK-N: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ case 'O': __sanitizer_unaligned_store64(x + 14, 0); break;
+// CHECK-O: main{{.*}}unaligned_loads_and_stores.cc:[[@LINE-1]]
+ }
+ delete x;
+ return res;
+}
diff --git a/test/asan/TestCases/use-after-delete.cc b/test/asan/TestCases/use-after-delete.cc
new file mode 100644
index 000000000000..8fdec8d83c80
--- /dev/null
+++ b/test/asan/TestCases/use-after-delete.cc
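Review bot: In unaligned_loads_and_stores.cc the lines `// CHECK-A ERROR: AddressSanitizer: heap-buffer-overflow on address` and `// CHECK-K ERROR: AddressSanitizer: heap-buffer-overflow on address` lack the colon after the prefix, so FileCheck does not treat them as directives and the error kind is never asserted for the A and K runs. They should read `// CHECK-A: ERROR: AddressSanitizer: heap-buffer-overflow on address` and likewise for `CHECK-K`. Separately, `delete x;` near the end of main releases memory obtained with `new char[16]` and should be `delete[] x;`; the listed RUN lines all expect the process to fail before reaching it, so it only matters for other arguments.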
@@ -0,0 +1,31 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+int main() {
+ char * volatile x = new char[10];
+ delete[] x;
+ return x[5];
+ // CHECK: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}}
+ // CHECK: {{0x.* at pc 0x.* bp 0x.* sp 0x.*}}
+ // CHECK: {{READ of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*use-after-delete.cc:}}[[@LINE-4]]
+ // CHECK: {{0x.* is located 5 bytes inside of 10-byte region .0x.*,0x.*}}
+ // CHECK: {{freed by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in operator delete\[\]}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-delete.cc:}}[[@LINE-10]]
+
+ // CHECK: {{previously allocated by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in operator new\[\]}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-delete.cc:}}[[@LINE-16]]
+
+ // CHECK: Shadow byte legend (one shadow byte represents 8 application bytes):
+ // CHECK: Global redzone:
+ // CHECK: ASan internal:
+}
diff --git a/test/asan/TestCases/use-after-free-right.cc b/test/asan/TestCases/use-after-free-right.cc
new file mode 100644
index 000000000000..f714b44f2f1f
--- /dev/null
+++ b/test/asan/TestCases/use-after-free-right.cc
@@ -0,0 +1,36 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+// Test use-after-free report in the case when access is at the right border of
+// the allocation.
+
+#include <stdlib.h>
+int main() {
+ volatile char *x = (char*)malloc(sizeof(char));
+ free((void*)x);
+ *x = 42;
+ // CHECK: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}}
+ // CHECK: {{0x.* at pc 0x.* bp 0x.* sp 0x.*}}
+ // CHECK: {{WRITE of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*use-after-free-right.cc:}}[[@LINE-4]]
+ // CHECK: {{0x.* is located 0 bytes inside of 1-byte region .0x.*,0x.*}}
+ // CHECK: {{freed by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in .*free}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-free-right.cc:}}[[@LINE-10]]
+
+ // CHECK-Darwin: {{ #0 0x.* in wrap_free}}
+ // CHECK-Darwin: {{ #1 0x.* in main .*use-after-free-right.cc:}}[[@LINE-13]]
+
+ // CHECK: {{previously allocated by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in .*malloc}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-free-right.cc:}}[[@LINE-19]]
+
+ // CHECK-Darwin: {{ #0 0x.* in wrap_malloc.*}}
+ // CHECK-Darwin: {{ #1 0x.* in main .*use-after-free-right.cc:}}[[@LINE-22]]
+}
diff --git a/test/asan/TestCases/use-after-free.cc b/test/asan/TestCases/use-after-free.cc
new file mode 100644
index 000000000000..7bc225b1ef86
--- /dev/null
+++ b/test/asan/TestCases/use-after-free.cc
@@ -0,0 +1,36 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-%os --check-prefix=CHECK
+// XFAIL: arm-linux-gnueabi
+// XFAIL: armv7l-unknown-linux-gnueabihf
+
+#include <stdlib.h>
+int main() {
+ char *x = (char*)malloc(10 * sizeof(char));
+ free(x);
+ return x[5];
+ // CHECK: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}}
+ // CHECK: {{0x.* at pc 0x.* bp 0x.* sp 0x.*}}
+ // CHECK: {{READ of size 1 at 0x.* thread T0}}
+ // CHECK: {{ #0 0x.* in main .*use-after-free.cc:}}[[@LINE-4]]
+ // CHECK: {{0x.* is located 5 bytes inside of 10-byte region .0x.*,0x.*}}
+ // CHECK: {{freed by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in .*free}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-free.cc:}}[[@LINE-10]]
+
+ // CHECK-Darwin: {{ #0 0x.* in wrap_free}}
+ // CHECK-Darwin: {{ #1 0x.* in main .*use-after-free.cc:}}[[@LINE-13]]
+
+ // CHECK: {{previously allocated by thread T0 here:}}
+
+ // CHECK-Linux: {{ #0 0x.* in .*malloc}}
+ // CHECK-Linux: {{ #1 0x.* in main .*use-after-free.cc:}}[[@LINE-19]]
+
+ // CHECK-Darwin: {{ #0 0x.* in wrap_malloc.*}}
+ // CHECK-Darwin: {{ #1 0x.* in main .*use-after-free.cc:}}[[@LINE-22]]
+ // CHECK: Shadow byte legend (one shadow byte represents 8 application bytes):
+ // CHECK: Global redzone:
+ // CHECK: ASan internal:
+}
diff --git a/test/asan/TestCases/use-after-poison.cc b/test/asan/TestCases/use-after-poison.cc
new file mode 100644
index 000000000000..3b247ff531b9
--- /dev/null
+++ b/test/asan/TestCases/use-after-poison.cc
@@ -0,0 +1,20 @@
+// Check that __asan_poison_memory_region works.
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+//
+// Check that we can disable it
+// RUN: env ASAN_OPTIONS=allow_user_poisoning=0 %run %t
+
+#include <stdlib.h>
+
+extern "C" void __asan_poison_memory_region(void *, size_t);
+
+int main(int argc, char **argv) {
+ char *x = new char[16];
+ x[10] = 0;
+ __asan_poison_memory_region(x, 16);
+ int res = x[argc * 10]; // BOOOM
+ // CHECK: ERROR: AddressSanitizer: use-after-poison
+ // CHECK: main{{.*}}use-after-poison.cc:[[@LINE-2]]
+ delete [] x;
+ return res;
+}
diff --git a/test/asan/TestCases/use-after-scope-dtor-order.cc b/test/asan/TestCases/use-after-scope-dtor-order.cc
new file mode 100644
index 000000000000..7896dd30c400
--- /dev/null
+++ b/test/asan/TestCases/use-after-scope-dtor-order.cc
@@ -0,0 +1,26 @@
+// RUN: %clangxx_asan -O0 -fsanitize=use-after-scope %s -o %t && \
+// RUN: not %run %t 2>&1 | FileCheck %s
+// XFAIL: *
+#include <stdio.h>
+
+struct IntHolder {
+ explicit IntHolder(int *val = 0) : val_(val) { }
+ ~IntHolder() {
+ printf("Value: %d\n", *val_); // BOOM
+ // CHECK: ERROR: AddressSanitizer: stack-use-after-scope
+ // CHECK: #0 0x{{.*}} in IntHolder::~IntHolder{{.*}}use-after-scope-dtor-order.cc:[[@LINE-2]]
+ }
+ void set(int *val) { val_ = val; }
+ int *get() { return val_; }
+
+ int *val_;
+};
+
+int main(int argc, char *argv[]) {
+ // It is incorrect to use "x" int IntHolder destructor, because "x" is
+ // "destroyed" earlier as it's declared later.
+ IntHolder holder;
+ int x = argc;
+ holder.set(&x);
+ return 0;
+}
diff --git a/test/asan/TestCases/use-after-scope-inlined.cc b/test/asan/TestCases/use-after-scope-inlined.cc
new file mode 100644
index 000000000000..a0a0d9461cb9
--- /dev/null
+++ b/test/asan/TestCases/use-after-scope-inlined.cc
@@ -0,0 +1,28 @@
+// Test with "-O2" only to make sure inlining (leading to use-after-scope)
+// happens. "always_inline" is not enough, as Clang doesn't emit
+// llvm.lifetime intrinsics at -O0.
+//
+// RUN: %clangxx_asan -O2 -fsanitize=use-after-scope %s -o %t && not %run %t 2>&1 | FileCheck %s
+// XFAIL: *
+
+int *arr;
+
+__attribute__((always_inline))
+void inlined(int arg) {
+ int x[5];
+ for (int i = 0; i < arg; i++) x[i] = i;
+ arr = x;
+}
+
+int main(int argc, char *argv[]) {
+ inlined(argc);
+ return arr[argc - 1]; // BOOM
+ // CHECK: ERROR: AddressSanitizer: stack-use-after-scope
+ // CHECK: READ of size 4 at 0x{{.*}} thread T0
+ // CHECK: #0 0x{{.*}} in main
+ // CHECK: {{.*}}use-after-scope-inlined.cc:[[@LINE-4]]
+ // CHECK: Address 0x{{.*}} is located in stack of thread T0 at offset
+ // CHECK: [[OFFSET:[^ ]*]] in frame
+ // CHECK: main
+ // CHECK: {{\[}}[[OFFSET]], {{.*}}) 'x.i'
+}
diff --git a/test/asan/TestCases/use-after-scope-nobug.cc b/test/asan/TestCases/use-after-scope-nobug.cc
new file mode 100644
index 000000000000..21b085c96275
--- /dev/null
+++ b/test/asan/TestCases/use-after-scope-nobug.cc
@@ -0,0 +1,15 @@
+// RUN: %clangxx_asan -O0 -fsanitize=use-after-scope %s -o %t && %run %t
+// XFAIL: *
+
+#include <stdio.h>
+
+int main() {
+ int *p = 0;
+ // Variable goes in and out of scope.
+ for (int i = 0; i < 3; i++) {
+ int x = 0;
+ p = &x;
+ }
+ printf("PASSED\n");
+ return 0;
+}
diff --git a/test/asan/TestCases/use-after-scope-temp.cc b/test/asan/TestCases/use-after-scope-temp.cc
new file mode 100644
index 000000000000..f9bd779ac1a2
--- /dev/null
+++ b/test/asan/TestCases/use-after-scope-temp.cc
@@ -0,0 +1,29 @@
+// RUN: %clangxx_asan -O0 -fsanitize=use-after-scope %s -o %t && \
+// RUN: %run %t 2>&1 | FileCheck %s
+//
+// Lifetime for temporaries is not emitted yet.
+// XFAIL: *
+
+#include <stdio.h>
+
+struct IntHolder {
+ explicit IntHolder(int val) : val(val) {
+ printf("IntHolder: %d\n", val);
+ }
+ int val;
+};
+
+const IntHolder *saved;
+
+void save(const IntHolder &holder) {
+ saved = &holder;
+}
+
+int main(int argc, char *argv[]) {
+ save(IntHolder(10));
+ int x = saved->val; // BOOM
+ // CHECK: ERROR: AddressSanitizer: stack-use-after-scope
+ // CHECK: #0 0x{{.*}} in main {{.*}}use-after-scope-temp.cc:[[@LINE-2]]
+ printf("saved value: %d\n", x);
+ return 0;
+}
diff --git a/test/asan/TestCases/use-after-scope.cc b/test/asan/TestCases/use-after-scope.cc
new file mode 100644
index 000000000000..f98a8e6b62e1
--- /dev/null
+++ b/test/asan/TestCases/use-after-scope.cc
@@ -0,0 +1,17 @@
+// RUN: %clangxx_asan -O0 -fsanitize=use-after-scope %s -o %t && \
+// RUN: not %run %t 2>&1 | FileCheck %s
+// RUN: env ASAN_OPTIONS="detect_stack_use_after_return=1" not %run %t 2>&1 | FileCheck %s
+// XFAIL: *
+
+int main() {
+ int *p = 0;
+ {
+ int x = 0;
+ p = &x;
+ }
+ return *p; // BOOM
+ // CHECK: ERROR: AddressSanitizer: stack-use-after-scope
+ // CHECK: #0 0x{{.*}} in main {{.*}}use-after-scope.cc:[[@LINE-2]]
+ // CHECK: Address 0x{{.*}} is located in stack of thread T{{.*}} at offset [[OFFSET:[^ ]+]] in frame
+ // {{\[}}[[OFFSET]], {{[0-9]+}}) 'x'
+}
diff --git a/test/asan/TestCases/zero_page_pc.cc b/test/asan/TestCases/zero_page_pc.cc
new file mode 100644
index 000000000000..5810a9fb9dde
--- /dev/null
+++ b/test/asan/TestCases/zero_page_pc.cc
@@ -0,0 +1,12 @@
+// Check that ASan correctly detects SEGV on the zero page.
+// RUN: %clangxx_asan %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+typedef void void_f();
+int main() {
+ void_f *func = (void_f *)0x4;
+ func();
+ // x86 reports the SEGV with both address=4 and pc=4.
+ // PowerPC64 reports it with address=4 but pc still in main().
+ // CHECK: {{AddressSanitizer: SEGV.*(address|pc) 0x0*4}}
+ return 0;
+} |