diff options
Diffstat (limited to 'test/asan/TestCases')
-rw-r--r-- | test/asan/TestCases/Linux/interface_symbols_linux.c | 2 | ||||
-rw-r--r-- | test/asan/TestCases/alloca_loop_unpoisoning.cc | 32 | ||||
-rw-r--r-- | test/asan/TestCases/alloca_vla_interact.cc | 39 | ||||
-rw-r--r-- | test/asan/TestCases/vla_chrome_testcase.cc | 30 | ||||
-rw-r--r-- | test/asan/TestCases/vla_condition_overflow.cc | 21 | ||||
-rw-r--r-- | test/asan/TestCases/vla_loop_overfow.cc | 21 |
6 files changed, 145 insertions, 0 deletions
diff --git a/test/asan/TestCases/Linux/interface_symbols_linux.c b/test/asan/TestCases/Linux/interface_symbols_linux.c index bec501b84..9e876799d 100644 --- a/test/asan/TestCases/Linux/interface_symbols_linux.c +++ b/test/asan/TestCases/Linux/interface_symbols_linux.c @@ -38,6 +38,8 @@ // RUN: echo __asan_report_exp_store_n >> %t.interface // RUN: echo __asan_get_current_fake_stack >> %t.interface // RUN: echo __asan_addr_is_in_fake_stack >> %t.interface +// RUN: echo __asan_alloca_poison >> %t.interface +// RUN: echo __asan_allocas_unpoison >> %t.interface // RUN: cat %t.interface | sort -u | diff %t.symbols - // FIXME: nm -D on powerpc somewhy shows ASan interface symbols residing diff --git a/test/asan/TestCases/alloca_loop_unpoisoning.cc b/test/asan/TestCases/alloca_loop_unpoisoning.cc new file mode 100644 index 000000000..8ae0f707b --- /dev/null +++ b/test/asan/TestCases/alloca_loop_unpoisoning.cc @@ -0,0 +1,32 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: %run %t 2>&1 +// + +// This testcase checks that allocas and VLAs inside loop are correctly unpoisoned. + +#include <assert.h> +#include <alloca.h> +#include <stdint.h> +#include "sanitizer/asan_interface.h" + +void *top, *bot; + +__attribute__((noinline)) void foo(int len) { + char x; + top = &x; + char array[len]; // NOLINT + assert(!(reinterpret_cast<uintptr_t>(array) & 31L)); + alloca(len); + for (int i = 0; i < 32; ++i) { + char array[i]; // NOLINT + bot = alloca(i); + assert(!(reinterpret_cast<uintptr_t>(bot) & 31L)); + } +} + +int main(int argc, char **argv) { + foo(32); + void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot); + assert(!q); + return 0; +} diff --git a/test/asan/TestCases/alloca_vla_interact.cc b/test/asan/TestCases/alloca_vla_interact.cc new file mode 100644 index 000000000..2b4fb34bf --- /dev/null +++ b/test/asan/TestCases/alloca_vla_interact.cc @@ -0,0 +1,39 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: %run %t 2>&1 +// + +// This testcase checks correct interaction between VLAs and allocas. + +#include <assert.h> +#include <alloca.h> +#include <stdint.h> +#include "sanitizer/asan_interface.h" + +#define RZ 32 + +__attribute__((noinline)) void foo(int len) { + char *top, *bot; + // This alloca call should live until the end of foo. + char *alloca1 = (char *)alloca(len); + assert(!(reinterpret_cast<uintptr_t>(alloca1) & 31L)); + // This should be first poisoned address after loop. + top = alloca1 - RZ; + for (int i = 0; i < 32; ++i) { + // Check that previous alloca was unpoisoned at the end of iteration. + if (i) assert(!__asan_region_is_poisoned(bot, 96)); + // VLA is unpoisoned at the end of iteration. + volatile char array[i]; + assert(!(reinterpret_cast<uintptr_t>(array) & 31L)); + // Alloca is unpoisoned at the end of iteration, + // because dominated by VLA. + bot = (char *)alloca(i) - RZ; + } + // Check that all allocas from loop were unpoisoned correctly. + void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot + 1); + assert(q == top); +} + +int main(int argc, char **argv) { + foo(32); + return 0; +} diff --git a/test/asan/TestCases/vla_chrome_testcase.cc b/test/asan/TestCases/vla_chrome_testcase.cc new file mode 100644 index 000000000..8ee040120 --- /dev/null +++ b/test/asan/TestCases/vla_chrome_testcase.cc @@ -0,0 +1,30 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: not %run %t 2>&1 | FileCheck %s +// + +// This is reduced testcase based on Chromium code. +// See http://reviews.llvm.org/D6055?vs=on&id=15616&whitespace=ignore-all#toc. + +#include <stdint.h> +#include <assert.h> + +int a = 7; +int b; +int c; +int *p; + +__attribute__((noinline)) void fn3(int *first, int second) { +} + +int main() { + int d = b && c; + int e[a]; // NOLINT + assert(!(reinterpret_cast<uintptr_t>(e) & 31L)); + int f; + if (d) + fn3(&f, sizeof 0 * (&c - e)); + e[a] = 0; +// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 4 at [[ADDR]] thread T0 + return 0; +} diff --git a/test/asan/TestCases/vla_condition_overflow.cc b/test/asan/TestCases/vla_condition_overflow.cc new file mode 100644 index 000000000..07470d202 --- /dev/null +++ b/test/asan/TestCases/vla_condition_overflow.cc @@ -0,0 +1,21 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: not %run %t 2>&1 | FileCheck %s +// + +#include <assert.h> +#include <stdint.h> + +__attribute__((noinline)) void foo(int index, int len) { + if (index > len) { + char str[len]; //NOLINT + assert(!(reinterpret_cast<uintptr_t>(str) & 31L)); + str[index] = '1'; // BOOM +// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 1 at [[ADDR]] thread T0 + } +} + +int main(int argc, char **argv) { + foo(33, 10); + return 0; +} diff --git a/test/asan/TestCases/vla_loop_overfow.cc b/test/asan/TestCases/vla_loop_overfow.cc new file mode 100644 index 000000000..facafb957 --- /dev/null +++ b/test/asan/TestCases/vla_loop_overfow.cc @@ -0,0 +1,21 @@ +// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t +// RUN: not %run %t 2>&1 | FileCheck %s +// + +#include <assert.h> +#include <stdint.h> + +void foo(int index, int len) { + for (int i = 1; i < len; ++i) { + char array[len]; // NOLINT + assert(!(reinterpret_cast<uintptr_t>(array) & 31L)); + array[index + i] = 0; +// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] +// CHECK: WRITE of size 1 at [[ADDR]] thread T0 + } +} + +int main(int argc, char **argv) { + foo(9, 21); + return 0; +} |