Chromium Code Reviews Chromium Code Reviews
Issue 306753003:
Add some function and URLs to induce ASan crashes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // | 4 // |
| 5 // This file contains intentional memory errors, some of which may lead to | 5 // This file contains intentional memory errors, some of which may lead to |
| 6 // crashes if the test is ran without special memory testing tools. We use these | 6 // crashes if the test is ran without special memory testing tools. We use these |
| 7 // errors to verify the sanity of the tools. | 7 // errors to verify the sanity of the tools. |
| 8 | 8 |
| 9 #include "base/atomicops.h" | 9 #include "base/atomicops.h" |
| 10 #include "base/debug/asan_invalid_access.h" | |
| 11 #include "base/debug/profiler.h" | |
| 10 #include "base/message_loop/message_loop.h" | 12 #include "base/message_loop/message_loop.h" |
| 11 #include "base/third_party/dynamic_annotations/dynamic_annotations.h" | 13 #include "base/third_party/dynamic_annotations/dynamic_annotations.h" |
| 12 #include "base/threading/thread.h" | 14 #include "base/threading/thread.h" |
| 13 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
| 14 | 16 |
| 15 namespace base { | 17 namespace base { |
| 16 | 18 |
| 17 namespace { | 19 namespace { |
| 18 | 20 |
| 19 const base::subtle::Atomic32 kMagicValue = 42; | 21 const base::subtle::Atomic32 kMagicValue = 42; |
| 20 | 22 |
| 21 // Helper for memory accesses that can potentially corrupt memory or cause a | 23 // Helper for memory accesses that can potentially corrupt memory or cause a |
| 22 // crash during a native run. | 24 // crash during a native run. |
| 23 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 25 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 24 #if defined(OS_IOS) | 26 #if defined(OS_IOS) |
| 25 // EXPECT_DEATH is not supported on IOS. | 27 // EXPECT_DEATH is not supported on IOS. |
| 26 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0) | 28 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0) |
| 29 #elif defined(SYZYASAN) | |
| 30 #define HARMFUL_ACCESS(action,error_regexp) \ | |
| 31 if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action,error_regexp); } | |
| 27 #else | 32 #else |
| 28 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp) | 33 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp) |
| 29 #endif // !OS_IOS | 34 #endif // !OS_IOS && !SYZYASAN |
| 30 #else | 35 #else |
| 31 #define HARMFUL_ACCESS(action,error_regexp) \ | 36 #define HARMFUL_ACCESS(action,error_regexp) \ |
| 32 do { if (RunningOnValgrind()) { action; } } while (0) | 37 do { if (RunningOnValgrind()) { action; } } while (0) |
| 33 #endif | 38 #endif |
| 34 | 39 |
| 35 void DoReadUninitializedValue(char *ptr) { | 40 void DoReadUninitializedValue(char *ptr) { |
| 36 // Comparison with 64 is to prevent clang from optimizing away the | 41 // Comparison with 64 is to prevent clang from optimizing away the |
| 37 // jump -- valgrind only catches jumps and conditional moves, but clang uses | 42 // jump -- valgrind only catches jumps and conditional moves, but clang uses |
| 38 // the borrow flag if the condition is just `*ptr == '\0'`. | 43 // the borrow flag if the condition is just `*ptr == '\0'`. |
| 39 if (*ptr == 64) { | 44 if (*ptr == 64) { |
| (...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 155 return; | 160 return; |
| 156 #endif | 161 #endif |
| 157 | 162 |
| 158 // Without the |volatile|, clang optimizes away the next two lines. | 163 // Without the |volatile|, clang optimizes away the next two lines. |
| 159 int* volatile foo = new int; | 164 int* volatile foo = new int; |
| 160 (void) foo; | 165 (void) foo; |
| 161 delete [] foo; | 166 delete [] foo; |
| 162 } | 167 } |
| 163 | 168 |
| 164 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 169 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 170 | |
| 165 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) { | 171 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) { |
| 166 // Intentionally crash to make sure AddressSanitizer is running. | 172 // Intentionally crash to make sure AddressSanitizer is running. |
| 167 // This test should not be ran on bots. | 173 // This test should not be ran on bots. |
| 168 int* volatile zero = NULL; | 174 int* volatile zero = NULL; |
| 169 *zero = 0; | 175 *zero = 0; |
| 170 } | 176 } |
| 171 | 177 |
| 172 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) { | 178 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) { |
| 173 // Intentionally crash to make sure AddressSanitizer is instrumenting | 179 // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 174 // the local variables. | 180 // the local variables. |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 186 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) { | 192 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) { |
| 187 // Intentionally crash to make sure AddressSanitizer is instrumenting | 193 // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 188 // the global variables. | 194 // the global variables. |
| 189 // This test should not be ran on bots. | 195 // This test should not be ran on bots. |
| 190 | 196 |
| 191 // Work around the OOB warning reported by Clang. | 197 // Work around the OOB warning reported by Clang. |
| 192 int* volatile access = g_asan_test_global_array - 1; | 198 int* volatile access = g_asan_test_global_array - 1; |
| 193 *access = 43; | 199 *access = 43; |
| 194 } | 200 } |
| 195 | 201 |
| 202 TEST(ToolsSanityTest, AsanHeapOverflow) { | |
| 203 #if defined(SYZYASAN) | |
| 204 // We won't get a meaningful error message because we're not running under the | |
| 205 // SyzyASan logger, but we can at least make sure that the error has been | |
| 206 // generated in the SyzyASan runtime. | |
| 207 HARMFUL_ACCESS(AsanHeapOverflow(), "AsanRuntime::OnError") | |
|
Timur Iskhodzhanov
2014/06/05 15:32:09
can you put the OnError stuff into the HARMFUL_ACC
Sébastien Marchand
2014/06/05 19:44:34
Nop, mostly because of ToolsSanityTest.AsanCorrupt
Timur Iskhodzhanov
2014/06/06 11:36:56
:(
Maybe we can handle only that test differently
Sébastien Marchand
2014/06/09 14:47:39
Done.
| |
| 208 #else | |
| 209 HARMFUL_ACCESS(AsanHeapOverflow(),"to the right"); | |
| 196 #endif | 210 #endif |
| 211 } | |
| 212 | |
| 213 TEST(ToolsSanityTest, AsanHeapUnderflow) { | |
| 214 #if defined(SYZYASAN) | |
| 215 // We won't get a meaningful error message because we're not running under the | |
| 216 // SyzyASan logger, but we can at least make sure that the error has been | |
| 217 // generated in the SyzyASan runtime. | |
| 218 HARMFUL_ACCESS(AsanHeapUnderflow(), "AsanRuntime::OnError"); | |
| 219 #else | |
| 220 HARMFUL_ACCESS(AsanHeapUnderflow(), "to the left"); | |
| 221 #endif | |
| 222 } | |
| 223 | |
| 224 TEST(ToolsSanityTest, AsanHeapUseAfterFree) { | |
| 225 #if defined(SYZYASAN) | |
| 226 // We won't get a meaningful error message because we're not running under the | |
| 227 // SyzyASan logger, but we can at least make sure that the error has been | |
| 228 // generated in the SyzyASan runtime. | |
| 229 HARMFUL_ACCESS(AsanHeapUseAfterFree(), "AsanRuntime::OnError"); | |
| 230 #else | |
| 231 HARMFUL_ACCESS(AsanHeapUseAfterFree(), "heap-use-after-free"); | |
| 232 #endif | |
| 233 } | |
| 234 | |
| 235 #if defined(SYZYASAN) | |
| 236 TEST(ToolsSanityTest, AsanCorruptHeapBlock) { | |
| 237 HARMFUL_ACCESS(AsanCorruptHeapBlock(), "AsanRuntime::OnError"); | |
| 238 } | |
| 239 | |
| 240 TEST(ToolsSanityTest, AsanCorruptHeap) { | |
| 241 // This test will kill the process by raising an exception, there's no | |
| 242 // particular string to look for in the stack trace. | |
| 243 HARMFUL_ACCESS(AsanCorruptHeap(), ""); | |
| 244 } | |
| 245 #endif // SYZYASAN | |
| 246 | |
| 247 #endif // ADDRESS_SANITIZER || SYZYASAN | |
| 197 | 248 |
| 198 namespace { | 249 namespace { |
| 199 | 250 |
| 200 // We use caps here just to ensure that the method name doesn't interfere with | 251 // We use caps here just to ensure that the method name doesn't interfere with |
| 201 // the wildcarded suppressions. | 252 // the wildcarded suppressions. |
| 202 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate { | 253 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate { |
| 203 public: | 254 public: |
| 204 explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {} | 255 explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {} |
| 205 virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {} | 256 virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {} |
| 206 virtual void ThreadMain() OVERRIDE { | 257 virtual void ThreadMain() OVERRIDE { |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 274 | 325 |
| 275 TEST(ToolsSanityTest, AtomicsAreIgnored) { | 326 TEST(ToolsSanityTest, AtomicsAreIgnored) { |
| 276 base::subtle::Atomic32 shared = 0; | 327 base::subtle::Atomic32 shared = 0; |
| 277 ReleaseStoreThread thread1(&shared); | 328 ReleaseStoreThread thread1(&shared); |
| 278 AcquireLoadThread thread2(&shared); | 329 AcquireLoadThread thread2(&shared); |
| 279 RunInParallel(&thread1, &thread2); | 330 RunInParallel(&thread1, &thread2); |
| 280 EXPECT_EQ(kMagicValue, shared); | 331 EXPECT_EQ(kMagicValue, shared); |
| 281 } | 332 } |
| 282 | 333 |
| 283 } // namespace base | 334 } // namespace base |
| OLD | NEW |
