Matt Morehouse | 3478494 | 2019-05-09 22:48:46 +0000 | [diff] [blame] | 1 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 2 | // See https://llvm.org/LICENSE.txt for license information. |
| 3 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 4 | |
| 5 | // Triggers the bug described here: |
| 6 | // https://github.com/google/oss-fuzz/issues/2369#issuecomment-490240627 |
| 7 | // |
| 8 | // In a nutshell, MSan's parameter shadow does not get unpoisoned before calls |
| 9 | // to LLVMFuzzerTestOneInput. This test case causes the parameter shadow to be |
| 10 | // poisoned by the call to foo(), which will trigger an MSan false positive on |
| 11 | // the Size == 0 check if the parameter shadow is still poisoned. |
| 12 | #include <cstdint> |
| 13 | #include <cstdio> |
| 14 | #include <cstdlib> |
| 15 | #include <cstring> |
| 16 | |
volatile int zero = 0;

// Callee that deliberately ignores both arguments.  The fuzzer entry point
// below passes it uninitialized ints, so under MSan the call poisons the
// parameter shadow without ever *using* the indeterminate values.  It must
// stay noinline: inlining would remove the call (and the parameter-shadow
// transfer) that this regression test depends on.
__attribute__((noinline)) int foo(int arg1, int arg2) {
  (void)arg1;
  (void)arg2;
  // Return through a volatile global so the result is not folded to a
  // constant at compile time.
  int result = zero;
  return result;
}
| 19 | |
// Fuzzer entry point that reproduces the MSan parameter-shadow bug described
// in the file header.
//
// Data: fuzzer-provided bytes; never dereferenced, only Size is inspected.
// Size: length of Data.  The `Size == 0` check below is where a stale,
//       poisoned parameter shadow left behind by the previous invocation's
//       foo() call surfaces as an MSan false positive.
// Returns 0 for empty input, otherwise whatever foo() returns.
//
// TEST NOTE: reading `a` and `b` before assignment is undefined behavior and
// is the whole point of this test -- do not "fix" it by initializing them,
// and keep the statement order (length check first, then the call with
// indeterminate arguments).  The bug only shows when the poisoned shadow from
// foo()'s arguments survives into the next invocation's Size check.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size == 0)
    return 0;

  // Pass uninitialized values to foo(). Since foo doesn't do anything with
  // them, MSan should not report an error here -- the indeterminate values
  // are only handed over, never branched on or stored.
  // NOTE(review): recent clang turns on eager parameter checks
  // (-fsanitize-memory-param-retval) by default, which would flag passing
  // uninitialized arguments at this call site; confirm the RUN line for this
  // test disables them, otherwise the expected "no report" changes -- TODO.
  int a, b;
  return foo(a, b);
}