rsleevi@chromium.org | de3a6cf | 2012-04-06 12:53:02 +0900 | [diff] [blame] | 1 | // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 4 | // |
| 5 | // This file contains intentional memory errors, some of which may lead to |
| 6 | // crashes if the test is ran without special memory testing tools. We use these |
| 7 | // errors to verify the sanity of the tools. |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 8 | |
avi | a6a6a68 | 2015-12-27 07:15:14 +0900 | [diff] [blame] | 9 | #include <stddef.h> |
| 10 | |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 11 | #include "base/atomicops.h" |
Scott Violet | 04992cc | 2018-02-22 11:08:08 +0900 | [diff] [blame] | 12 | #include "base/cfi_buildflags.h" |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 13 | #include "base/debug/asan_invalid_access.h" |
| 14 | #include "base/debug/profiler.h" |
timurrrr@chromium.org | f39c3ff | 2010-05-14 17:24:42 +0900 | [diff] [blame] | 15 | #include "base/third_party/dynamic_annotations/dynamic_annotations.h" |
brettw@chromium.org | 5b5f5e0 | 2011-01-01 10:01:06 +0900 | [diff] [blame] | 16 | #include "base/threading/thread.h" |
avi | a6a6a68 | 2015-12-27 07:15:14 +0900 | [diff] [blame] | 17 | #include "build/build_config.h" |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 18 | #include "testing/gtest/include/gtest/gtest.h" |
| 19 | |
brettw@chromium.org | 6139182 | 2011-01-01 05:02:16 +0900 | [diff] [blame] | 20 | namespace base { |
| 21 | |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 22 | namespace { |
| 23 | |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 24 | const base::subtle::Atomic32 kMagicValue = 42; |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 25 | |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 26 | // Helper for memory accesses that can potentially corrupt memory or cause a |
| 27 | // crash during a native run. |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 28 | #if defined(ADDRESS_SANITIZER) |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 29 | #if defined(OS_IOS) |
| 30 | // EXPECT_DEATH is not supported on IOS. |
| 31 | #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0) |
| 32 | #else |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 33 | #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp) |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 34 | #endif // !OS_IOS |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 35 | #else |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 36 | #define HARMFUL_ACCESS(action, error_regexp) |
| 37 | #define HARMFUL_ACCESS_IS_NOOP |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 38 | #endif |
| 39 | |
earthdok@chromium.org | 5a5e465 | 2014-01-16 14:31:41 +0900 | [diff] [blame] | 40 | void DoReadUninitializedValue(char *ptr) { |
eugenis@google.com | 7634fc5 | 2012-05-16 17:42:08 +0900 | [diff] [blame] | 41 | // Comparison with 64 is to prevent clang from optimizing away the |
thakis@chromium.org | 987f833 | 2011-09-19 01:39:12 +0900 | [diff] [blame] | 42 | // jump -- valgrind only catches jumps and conditional moves, but clang uses |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 43 | // the borrow flag if the condition is just `*ptr == '\0'`. We no longer |
| 44 | // support valgrind, but this constant should be fine to keep as-is. |
eugenis@google.com | 7634fc5 | 2012-05-16 17:42:08 +0900 | [diff] [blame] | 45 | if (*ptr == 64) { |
earthdok@chromium.org | 5a5e465 | 2014-01-16 14:31:41 +0900 | [diff] [blame] | 46 | VLOG(1) << "Uninit condition is true"; |
timurrrr@chromium.org | 4631544 | 2010-09-23 18:12:37 +0900 | [diff] [blame] | 47 | } else { |
earthdok@chromium.org | 5a5e465 | 2014-01-16 14:31:41 +0900 | [diff] [blame] | 48 | VLOG(1) << "Uninit condition is false"; |
timurrrr@chromium.org | 4631544 | 2010-09-23 18:12:37 +0900 | [diff] [blame] | 49 | } |
| 50 | } |
| 51 | |
earthdok@chromium.org | 5a5e465 | 2014-01-16 14:31:41 +0900 | [diff] [blame] | 52 | void ReadUninitializedValue(char *ptr) { |
| 53 | #if defined(MEMORY_SANITIZER) |
| 54 | EXPECT_DEATH(DoReadUninitializedValue(ptr), |
| 55 | "use-of-uninitialized-value"); |
| 56 | #else |
| 57 | DoReadUninitializedValue(ptr); |
| 58 | #endif |
| 59 | } |
| 60 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 61 | #ifndef HARMFUL_ACCESS_IS_NOOP |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 62 | void ReadValueOutOfArrayBoundsLeft(char *ptr) { |
pkasting@chromium.org | 4baea27 | 2010-10-19 08:57:49 +0900 | [diff] [blame] | 63 | char c = ptr[-2]; |
| 64 | VLOG(1) << "Reading a byte out of bounds: " << c; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 65 | } |
| 66 | |
| 67 | void ReadValueOutOfArrayBoundsRight(char *ptr, size_t size) { |
pkasting@chromium.org | 4baea27 | 2010-10-19 08:57:49 +0900 | [diff] [blame] | 68 | char c = ptr[size + 1]; |
| 69 | VLOG(1) << "Reading a byte out of bounds: " << c; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 70 | } |
| 71 | |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 72 | void WriteValueOutOfArrayBoundsLeft(char *ptr) { |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 73 | ptr[-1] = kMagicValue; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 74 | } |
| 75 | |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 76 | void WriteValueOutOfArrayBoundsRight(char *ptr, size_t size) { |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 77 | ptr[size] = kMagicValue; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 78 | } |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 79 | #endif // HARMFUL_ACCESS_IS_NOOP |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 80 | |
| 81 | void MakeSomeErrors(char *ptr, size_t size) { |
timurrrr@chromium.org | 4631544 | 2010-09-23 18:12:37 +0900 | [diff] [blame] | 82 | ReadUninitializedValue(ptr); |
mithro@mithis.com | 62c7227 | 2013-12-18 14:31:33 +0900 | [diff] [blame] | 83 | |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 84 | HARMFUL_ACCESS(ReadValueOutOfArrayBoundsLeft(ptr), |
mithro@mithis.com | 62c7227 | 2013-12-18 14:31:33 +0900 | [diff] [blame] | 85 | "2 bytes to the left"); |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 86 | HARMFUL_ACCESS(ReadValueOutOfArrayBoundsRight(ptr, size), |
mithro@mithis.com | 62c7227 | 2013-12-18 14:31:33 +0900 | [diff] [blame] | 87 | "1 bytes to the right"); |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 88 | HARMFUL_ACCESS(WriteValueOutOfArrayBoundsLeft(ptr), |
mithro@mithis.com | 62c7227 | 2013-12-18 14:31:33 +0900 | [diff] [blame] | 89 | "1 bytes to the left"); |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 90 | HARMFUL_ACCESS(WriteValueOutOfArrayBoundsRight(ptr, size), |
mithro@mithis.com | 62c7227 | 2013-12-18 14:31:33 +0900 | [diff] [blame] | 91 | "0 bytes to the right"); |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 92 | } |
| 93 | |
glider@chromium.org | b311fbc | 2010-10-14 17:25:54 +0900 | [diff] [blame] | 94 | } // namespace |
| 95 | |
| 96 | // A memory leak detector should report an error in this test. |
| 97 | TEST(ToolsSanityTest, MemoryLeak) { |
thakis@chromium.org | 1a3c5d1 | 2011-11-01 20:08:09 +0900 | [diff] [blame] | 98 | // Without the |volatile|, clang optimizes away the next two lines. |
| 99 | int* volatile leak = new int[256]; // Leak some memory intentionally. |
glider@chromium.org | b311fbc | 2010-10-14 17:25:54 +0900 | [diff] [blame] | 100 | leak[4] = 1; // Make sure the allocated memory is used. |
| 101 | } |
| 102 | |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 103 | #if (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 104 | // Because iOS doesn't support death tests, each of the following tests will |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 105 | // crash the whole program under Asan. |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 106 | #define MAYBE_AccessesToNewMemory DISABLED_AccessesToNewMemory |
| 107 | #define MAYBE_AccessesToMallocMemory DISABLED_AccessesToMallocMemory |
glider@chromium.org | 738e89d | 2014-05-14 20:50:37 +0900 | [diff] [blame] | 108 | #else |
| 109 | #define MAYBE_AccessesToNewMemory AccessesToNewMemory |
| 110 | #define MAYBE_AccessesToMallocMemory AccessesToMallocMemory |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 111 | #endif // (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) |
glider@chromium.org | e43d006 | 2014-05-15 01:04:30 +0900 | [diff] [blame] | 112 | |
| 113 | // The following tests pass with Clang r170392, but not r172454, which |
| 114 | // makes AddressSanitizer detect errors in them. We disable these tests under |
| 115 | // AddressSanitizer until we fully switch to Clang r172454. After that the |
| 116 | // tests should be put back under the (defined(OS_IOS) || defined(OS_WIN)) |
| 117 | // clause above. |
| 118 | // See also http://crbug.com/172614. |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 119 | #if defined(ADDRESS_SANITIZER) |
glider@chromium.org | 738e89d | 2014-05-14 20:50:37 +0900 | [diff] [blame] | 120 | #define MAYBE_SingleElementDeletedWithBraces \ |
| 121 | DISABLED_SingleElementDeletedWithBraces |
glider@chromium.org | e43d006 | 2014-05-15 01:04:30 +0900 | [diff] [blame] | 122 | #define MAYBE_ArrayDeletedWithoutBraces DISABLED_ArrayDeletedWithoutBraces |
tzik@chromium.org | f65e67e | 2014-07-18 11:40:40 +0900 | [diff] [blame] | 123 | #else |
| 124 | #define MAYBE_ArrayDeletedWithoutBraces ArrayDeletedWithoutBraces |
| 125 | #define MAYBE_SingleElementDeletedWithBraces SingleElementDeletedWithBraces |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 126 | #endif // defined(ADDRESS_SANITIZER) |
tzik@chromium.org | f65e67e | 2014-07-18 11:40:40 +0900 | [diff] [blame] | 127 | |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 128 | TEST(ToolsSanityTest, MAYBE_AccessesToNewMemory) { |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 129 | char *foo = new char[10]; |
| 130 | MakeSomeErrors(foo, 10); |
| 131 | delete [] foo; |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 132 | // Use after delete. |
| 133 | HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free"); |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 134 | } |
| 135 | |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 136 | TEST(ToolsSanityTest, MAYBE_AccessesToMallocMemory) { |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 137 | char *foo = reinterpret_cast<char*>(malloc(10)); |
| 138 | MakeSomeErrors(foo, 10); |
| 139 | free(foo); |
glider@chromium.org | 71a6e93 | 2011-10-05 22:22:50 +0900 | [diff] [blame] | 140 | // Use after free. |
| 141 | HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free"); |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 142 | } |
| 143 | |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 144 | #if defined(ADDRESS_SANITIZER) |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 145 | |
hans | e03e7f7 | 2015-05-20 02:03:14 +0900 | [diff] [blame] | 146 | static int* allocateArray() { |
| 147 | // Clang warns about the mismatched new[]/delete if they occur in the same |
| 148 | // function. |
| 149 | return new int[10]; |
| 150 | } |
| 151 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 152 | // This test may corrupt memory if not compiled with AddressSanitizer. |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 153 | TEST(ToolsSanityTest, MAYBE_ArrayDeletedWithoutBraces) { |
thakis@chromium.org | c3846f8 | 2011-09-19 01:30:12 +0900 | [diff] [blame] | 154 | // Without the |volatile|, clang optimizes away the next two lines. |
hans | e03e7f7 | 2015-05-20 02:03:14 +0900 | [diff] [blame] | 155 | int* volatile foo = allocateArray(); |
glider@chromium.org | e43d006 | 2014-05-15 01:04:30 +0900 | [diff] [blame] | 156 | delete foo; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 157 | } |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 158 | #endif |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 159 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 160 | #if defined(ADDRESS_SANITIZER) |
hans | e03e7f7 | 2015-05-20 02:03:14 +0900 | [diff] [blame] | 161 | static int* allocateScalar() { |
| 162 | // Clang warns about the mismatched new/delete[] if they occur in the same |
| 163 | // function. |
| 164 | return new int; |
| 165 | } |
| 166 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 167 | // This test may corrupt memory if not compiled with AddressSanitizer. |
glider@chromium.org | a3b3c43 | 2012-10-24 23:11:02 +0900 | [diff] [blame] | 168 | TEST(ToolsSanityTest, MAYBE_SingleElementDeletedWithBraces) { |
thakis@chromium.org | c3846f8 | 2011-09-19 01:30:12 +0900 | [diff] [blame] | 169 | // Without the |volatile|, clang optimizes away the next two lines. |
hans | e03e7f7 | 2015-05-20 02:03:14 +0900 | [diff] [blame] | 170 | int* volatile foo = allocateScalar(); |
pph34r@gmail.com | 8027129 | 2011-10-01 03:52:04 +0900 | [diff] [blame] | 171 | (void) foo; |
glider@chromium.org | e43d006 | 2014-05-15 01:04:30 +0900 | [diff] [blame] | 172 | delete [] foo; |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 173 | } |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 174 | #endif |
timurrrr@chromium.org | 4597f34 | 2010-03-26 21:54:44 +0900 | [diff] [blame] | 175 | |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 176 | #if defined(ADDRESS_SANITIZER) |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 177 | |
glider@chromium.org | 4b5cd88 | 2011-11-08 18:28:49 +0900 | [diff] [blame] | 178 | TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) { |
glider@chromium.org | 2fa52d0 | 2011-10-13 02:18:24 +0900 | [diff] [blame] | 179 | // Intentionally crash to make sure AddressSanitizer is running. |
| 180 | // This test should not be ran on bots. |
| 181 | int* volatile zero = NULL; |
| 182 | *zero = 0; |
| 183 | } |
glider@chromium.org | 4b5cd88 | 2011-11-08 18:28:49 +0900 | [diff] [blame] | 184 | |
| 185 | TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) { |
| 186 | // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 187 | // the local variables. |
| 188 | // This test should not be ran on bots. |
| 189 | int array[5]; |
| 190 | // Work around the OOB warning reported by Clang. |
| 191 | int* volatile access = &array[5]; |
| 192 | *access = 43; |
| 193 | } |
| 194 | |
| 195 | namespace { |
| 196 | int g_asan_test_global_array[10]; |
| 197 | } // namespace |
| 198 | |
| 199 | TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) { |
| 200 | // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 201 | // the global variables. |
| 202 | // This test should not be ran on bots. |
| 203 | |
| 204 | // Work around the OOB warning reported by Clang. |
| 205 | int* volatile access = g_asan_test_global_array - 1; |
| 206 | *access = 43; |
| 207 | } |
| 208 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 209 | #ifndef HARMFUL_ACCESS_IS_NOOP |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 210 | TEST(ToolsSanityTest, AsanHeapOverflow) { |
| 211 | HARMFUL_ACCESS(debug::AsanHeapOverflow() ,"to the right"); |
| 212 | } |
| 213 | |
| 214 | TEST(ToolsSanityTest, AsanHeapUnderflow) { |
| 215 | HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "to the left"); |
| 216 | } |
| 217 | |
| 218 | TEST(ToolsSanityTest, AsanHeapUseAfterFree) { |
| 219 | HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free"); |
| 220 | } |
| 221 | |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 222 | #if defined(OS_WIN) |
Sigurdur Asgeirsson | ad07f72 | 2018-04-05 00:44:04 +0900 | [diff] [blame] | 223 | // The ASAN runtime doesn't detect heap corruption, this needs fixing before |
| 224 | // ASAN builds can ship to the wild. See https://crbug.com/818747. |
| 225 | TEST(ToolsSanityTest, DISABLED_AsanCorruptHeapBlock) { |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 226 | HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), ""); |
| 227 | } |
| 228 | |
Sigurdur Asgeirsson | ad07f72 | 2018-04-05 00:44:04 +0900 | [diff] [blame] | 229 | TEST(ToolsSanityTest, DISABLED_AsanCorruptHeap) { |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 230 | // This test will kill the process by raising an exception, there's no |
| 231 | // particular string to look for in the stack trace. |
| 232 | EXPECT_DEATH(debug::AsanCorruptHeap(), ""); |
| 233 | } |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 234 | #endif // OS_WIN |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 235 | #endif // !HARMFUL_ACCESS_IS_NOOP |
sebmarchand@chromium.org | d117d7a | 2014-06-14 17:29:37 +0900 | [diff] [blame] | 236 | |
Sigurdur Asgeirsson | 0fa54ec | 2018-03-30 06:50:51 +0900 | [diff] [blame] | 237 | #endif // ADDRESS_SANITIZER |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 238 | |
| 239 | namespace { |
| 240 | |
| 241 | // We use caps here just to ensure that the method name doesn't interfere with |
| 242 | // the wildcarded suppressions. |
| 243 | class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate { |
| 244 | public: |
| 245 | explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {} |
Chris Watkins | d155d9f | 2017-11-29 16:16:38 +0900 | [diff] [blame] | 246 | ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() override = default; |
dcheng | 7dc8df5 | 2014-10-21 19:54:51 +0900 | [diff] [blame] | 247 | void ThreadMain() override { |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 248 | *value_ = true; |
| 249 | |
| 250 | // Sleep for a few milliseconds so the two threads are more likely to live |
| 251 | // simultaneously. Otherwise we may miss the report due to mutex |
| 252 | // lock/unlock's inside thread creation code in pure-happens-before mode... |
tedvessenes@gmail.com | aaa6303 | 2012-01-01 07:53:51 +0900 | [diff] [blame] | 253 | PlatformThread::Sleep(TimeDelta::FromMilliseconds(100)); |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 254 | } |
| 255 | private: |
| 256 | bool *value_; |
| 257 | }; |
| 258 | |
| 259 | class ReleaseStoreThread : public PlatformThread::Delegate { |
| 260 | public: |
| 261 | explicit ReleaseStoreThread(base::subtle::Atomic32 *value) : value_(value) {} |
Chris Watkins | d155d9f | 2017-11-29 16:16:38 +0900 | [diff] [blame] | 262 | ~ReleaseStoreThread() override = default; |
dcheng | 7dc8df5 | 2014-10-21 19:54:51 +0900 | [diff] [blame] | 263 | void ThreadMain() override { |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 264 | base::subtle::Release_Store(value_, kMagicValue); |
| 265 | |
| 266 | // Sleep for a few milliseconds so the two threads are more likely to live |
| 267 | // simultaneously. Otherwise we may miss the report due to mutex |
| 268 | // lock/unlock's inside thread creation code in pure-happens-before mode... |
tedvessenes@gmail.com | aaa6303 | 2012-01-01 07:53:51 +0900 | [diff] [blame] | 269 | PlatformThread::Sleep(TimeDelta::FromMilliseconds(100)); |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 270 | } |
| 271 | private: |
| 272 | base::subtle::Atomic32 *value_; |
| 273 | }; |
| 274 | |
| 275 | class AcquireLoadThread : public PlatformThread::Delegate { |
| 276 | public: |
| 277 | explicit AcquireLoadThread(base::subtle::Atomic32 *value) : value_(value) {} |
Chris Watkins | d155d9f | 2017-11-29 16:16:38 +0900 | [diff] [blame] | 278 | ~AcquireLoadThread() override = default; |
dcheng | 7dc8df5 | 2014-10-21 19:54:51 +0900 | [diff] [blame] | 279 | void ThreadMain() override { |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 280 | // Wait for the other thread to make Release_Store |
tedvessenes@gmail.com | aaa6303 | 2012-01-01 07:53:51 +0900 | [diff] [blame] | 281 | PlatformThread::Sleep(TimeDelta::FromMilliseconds(100)); |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 282 | base::subtle::Acquire_Load(value_); |
| 283 | } |
| 284 | private: |
| 285 | base::subtle::Atomic32 *value_; |
| 286 | }; |
| 287 | |
| 288 | void RunInParallel(PlatformThread::Delegate *d1, PlatformThread::Delegate *d2) { |
| 289 | PlatformThreadHandle a; |
| 290 | PlatformThreadHandle b; |
| 291 | PlatformThread::Create(0, d1, &a); |
| 292 | PlatformThread::Create(0, d2, &b); |
| 293 | PlatformThread::Join(a); |
| 294 | PlatformThread::Join(b); |
| 295 | } |
| 296 | |
glider@chromium.org | c75e137 | 2014-06-26 22:10:50 +0900 | [diff] [blame] | 297 | #if defined(THREAD_SANITIZER) |
| 298 | void DataRace() { |
glider@chromium.org | 7bb5ece | 2013-03-23 20:28:17 +0900 | [diff] [blame] | 299 | bool *shared = new bool(false); |
| 300 | TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(shared), thread2(shared); |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 301 | RunInParallel(&thread1, &thread2); |
glider@chromium.org | 7bb5ece | 2013-03-23 20:28:17 +0900 | [diff] [blame] | 302 | EXPECT_TRUE(*shared); |
| 303 | delete shared; |
glider@chromium.org | c75e137 | 2014-06-26 22:10:50 +0900 | [diff] [blame] | 304 | // We're in a death test - crash. |
| 305 | CHECK(0); |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 306 | } |
glider@chromium.org | c75e137 | 2014-06-26 22:10:50 +0900 | [diff] [blame] | 307 | #endif |
| 308 | |
| 309 | } // namespace |
| 310 | |
| 311 | #if defined(THREAD_SANITIZER) |
| 312 | // A data race detector should report an error in this test. |
| 313 | TEST(ToolsSanityTest, DataRace) { |
| 314 | // The suppression regexp must match that in base/debug/tsan_suppressions.cc. |
| 315 | EXPECT_DEATH(DataRace(), "1 race:base/tools_sanity_unittest.cc"); |
| 316 | } |
| 317 | #endif |
timurrrr@chromium.org | b1d5c02 | 2011-05-11 03:03:34 +0900 | [diff] [blame] | 318 | |
| 319 | TEST(ToolsSanityTest, AnnotateBenignRace) { |
| 320 | bool shared = false; |
| 321 | ANNOTATE_BENIGN_RACE(&shared, "Intentional race - make sure doesn't show up"); |
| 322 | TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(&shared), thread2(&shared); |
| 323 | RunInParallel(&thread1, &thread2); |
| 324 | EXPECT_TRUE(shared); |
| 325 | } |
| 326 | |
| 327 | TEST(ToolsSanityTest, AtomicsAreIgnored) { |
| 328 | base::subtle::Atomic32 shared = 0; |
| 329 | ReleaseStoreThread thread1(&shared); |
| 330 | AcquireLoadThread thread2(&shared); |
| 331 | RunInParallel(&thread1, &thread2); |
| 332 | EXPECT_EQ(kMagicValue, shared); |
glider@chromium.org | 0f9756f | 2009-12-17 21:37:58 +0900 | [diff] [blame] | 333 | } |
brettw@chromium.org | 6139182 | 2011-01-01 05:02:16 +0900 | [diff] [blame] | 334 | |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 335 | #if BUILDFLAG(CFI_ENFORCEMENT_TRAP) |
Peter Collingbourne | 473708a | 2017-10-13 04:51:27 +0900 | [diff] [blame] | 336 | #if defined(OS_WIN) |
| 337 | #define CFI_ERROR_MSG "EXCEPTION_ILLEGAL_INSTRUCTION" |
| 338 | #elif defined(OS_ANDROID) |
| 339 | // TODO(pcc): Produce proper stack dumps on Android and test for the correct |
| 340 | // si_code here. |
| 341 | #define CFI_ERROR_MSG "^$" |
| 342 | #else |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 343 | #define CFI_ERROR_MSG "ILL_ILLOPN" |
Peter Collingbourne | 473708a | 2017-10-13 04:51:27 +0900 | [diff] [blame] | 344 | #endif |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 345 | #elif BUILDFLAG(CFI_ENFORCEMENT_DIAGNOSTIC) |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 346 | #define CFI_ERROR_MSG "runtime error: control flow integrity check" |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 347 | #endif // BUILDFLAG(CFI_ENFORCEMENT_TRAP || CFI_ENFORCEMENT_DIAGNOSTIC) |
pcc | 85bb755 | 2015-07-31 09:19:06 +0900 | [diff] [blame] | 348 | |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 349 | #if defined(CFI_ERROR_MSG) |
krasin | d7c57c3 | 2016-07-13 12:24:34 +0900 | [diff] [blame] | 350 | class A { |
| 351 | public: |
| 352 | A(): n_(0) {} |
| 353 | virtual void f() { n_++; } |
| 354 | protected: |
| 355 | int n_; |
| 356 | }; |
| 357 | |
| 358 | class B: public A { |
| 359 | public: |
| 360 | void f() override { n_--; } |
| 361 | }; |
| 362 | |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 363 | class C: public B { |
| 364 | public: |
| 365 | void f() override { n_ += 2; } |
| 366 | }; |
| 367 | |
krasin | d7c57c3 | 2016-07-13 12:24:34 +0900 | [diff] [blame] | 368 | NOINLINE void KillVptrAndCall(A *obj) { |
| 369 | *reinterpret_cast<void **>(obj) = 0; |
| 370 | obj->f(); |
| 371 | } |
| 372 | |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 373 | TEST(ToolsSanityTest, BadVirtualCallNull) { |
krasin | d7c57c3 | 2016-07-13 12:24:34 +0900 | [diff] [blame] | 374 | A a; |
| 375 | B b; |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 376 | EXPECT_DEATH({ KillVptrAndCall(&a); KillVptrAndCall(&b); }, CFI_ERROR_MSG); |
krasin | d7c57c3 | 2016-07-13 12:24:34 +0900 | [diff] [blame] | 377 | } |
| 378 | |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 379 | NOINLINE void OverwriteVptrAndCall(B *obj, A *vptr) { |
| 380 | *reinterpret_cast<void **>(obj) = *reinterpret_cast<void **>(vptr); |
| 381 | obj->f(); |
| 382 | } |
| 383 | |
| 384 | TEST(ToolsSanityTest, BadVirtualCallWrongType) { |
| 385 | A a; |
| 386 | B b; |
| 387 | C c; |
| 388 | EXPECT_DEATH({ OverwriteVptrAndCall(&b, &a); OverwriteVptrAndCall(&b, &c); }, |
| 389 | CFI_ERROR_MSG); |
| 390 | } |
| 391 | |
| 392 | // TODO(pcc): remove CFI_CAST_CHECK, see https://crbug.com/626794. |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 393 | #if BUILDFLAG(CFI_CAST_CHECK) |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 394 | TEST(ToolsSanityTest, BadDerivedCast) { |
| 395 | A a; |
| 396 | EXPECT_DEATH((void)(B*)&a, CFI_ERROR_MSG); |
| 397 | } |
| 398 | |
| 399 | TEST(ToolsSanityTest, BadUnrelatedCast) { |
| 400 | class A { |
| 401 | virtual void f() {} |
| 402 | }; |
| 403 | |
| 404 | class B { |
| 405 | virtual void f() {} |
| 406 | }; |
| 407 | |
| 408 | A a; |
| 409 | EXPECT_DEATH((void)(B*)&a, CFI_ERROR_MSG); |
| 410 | } |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 411 | #endif // BUILDFLAG(CFI_CAST_CHECK) |
Vlad Tsyrklevich | ee84f43 | 2017-08-16 08:45:10 +0900 | [diff] [blame] | 412 | |
Vlad Tsyrklevich | ca1cd2f | 2017-10-14 04:35:24 +0900 | [diff] [blame] | 413 | #endif // CFI_ERROR_MSG |
pcc | 85bb755 | 2015-07-31 09:19:06 +0900 | [diff] [blame] | 414 | |
Mostyn Bramley-Moore | cd7f827 | 2017-12-07 04:13:21 +0900 | [diff] [blame] | 415 | #undef CFI_ERROR_MSG |
| 416 | #undef MAYBE_AccessesToNewMemory |
| 417 | #undef MAYBE_AccessesToMallocMemory |
| 418 | #undef MAYBE_ArrayDeletedWithoutBraces |
| 419 | #undef MAYBE_SingleElementDeletedWithBraces |
| 420 | #undef HARMFUL_ACCESS |
| 421 | #undef HARMFUL_ACCESS_IS_NOOP |
| 422 | |
brettw@chromium.org | 6139182 | 2011-01-01 05:02:16 +0900 | [diff] [blame] | 423 | } // namespace base |