| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // | 4 // |
| 5 // This file contains intentional memory errors, some of which may lead to | 5 // This file contains intentional memory errors, some of which may lead to |
| 6 // crashes if the test is ran without special memory testing tools. We use these | 6 // crashes if the test is ran without special memory testing tools. We use these |
| 7 // errors to verify the sanity of the tools. | 7 // errors to verify the sanity of the tools. |
| 8 | 8 |
| 9 #include "base/atomicops.h" | 9 #include "base/atomicops.h" |
| 10 #include "base/debug/asan_invalid_access.h" |
| 11 #include "base/debug/profiler.h" |
| 10 #include "base/message_loop/message_loop.h" | 12 #include "base/message_loop/message_loop.h" |
| 11 #include "base/third_party/dynamic_annotations/dynamic_annotations.h" | 13 #include "base/third_party/dynamic_annotations/dynamic_annotations.h" |
| 12 #include "base/threading/thread.h" | 14 #include "base/threading/thread.h" |
| 13 #include "testing/gtest/include/gtest/gtest.h" | 15 #include "testing/gtest/include/gtest/gtest.h" |
| 14 | 16 |
| 15 namespace base { | 17 namespace base { |
| 16 | 18 |
| 17 namespace { | 19 namespace { |
| 18 | 20 |
| 19 const base::subtle::Atomic32 kMagicValue = 42; | 21 const base::subtle::Atomic32 kMagicValue = 42; |
| 20 | 22 |
| 21 // Helper for memory accesses that can potentially corrupt memory or cause a | 23 // Helper for memory accesses that can potentially corrupt memory or cause a |
| 22 // crash during a native run. | 24 // crash during a native run. |
| 23 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 25 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 24 #if defined(OS_IOS) | 26 #if defined(OS_IOS) |
| 25 // EXPECT_DEATH is not supported on IOS. | 27 // EXPECT_DEATH is not supported on IOS. |
| 26 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0) | 28 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0) |
| 29 #elif defined(SYZYASAN) |
| 30 // We won't get a meaningful error message because we're not running under the |
| 31 // SyzyASan logger, but we can at least make sure that the error has been |
| 32 // generated in the SyzyASan runtime. |
| 33 #define HARMFUL_ACCESS(action,unused) \ |
| 34 if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action, \ |
| 35 "AsanRuntime::OnError"); } |
| 27 #else | 36 #else |
| 28 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp) | 37 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp) |
| 29 #endif // !OS_IOS | 38 #endif // !OS_IOS && !SYZYASAN |
| 30 #else | 39 #else |
| 31 #define HARMFUL_ACCESS(action,error_regexp) \ | 40 #define HARMFUL_ACCESS(action,error_regexp) \ |
| 32 do { if (RunningOnValgrind()) { action; } } while (0) | 41 do { if (RunningOnValgrind()) { action; } } while (0) |
| 33 #endif | 42 #endif |
| 34 | 43 |
| 35 void DoReadUninitializedValue(char *ptr) { | 44 void DoReadUninitializedValue(char *ptr) { |
| 36 // Comparison with 64 is to prevent clang from optimizing away the | 45 // Comparison with 64 is to prevent clang from optimizing away the |
| 37 // jump -- valgrind only catches jumps and conditional moves, but clang uses | 46 // jump -- valgrind only catches jumps and conditional moves, but clang uses |
| 38 // the borrow flag if the condition is just `*ptr == '\0'`. | 47 // the borrow flag if the condition is just `*ptr == '\0'`. |
| 39 if (*ptr == 64) { | 48 if (*ptr == 64) { |
| (...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 155 return; | 164 return; |
| 156 #endif | 165 #endif |
| 157 | 166 |
| 158 // Without the |volatile|, clang optimizes away the next two lines. | 167 // Without the |volatile|, clang optimizes away the next two lines. |
| 159 int* volatile foo = new int; | 168 int* volatile foo = new int; |
| 160 (void) foo; | 169 (void) foo; |
| 161 delete [] foo; | 170 delete [] foo; |
| 162 } | 171 } |
| 163 | 172 |
| 164 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 173 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 174 |
| 165 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) { | 175 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) { |
| 166 // Intentionally crash to make sure AddressSanitizer is running. | 176 // Intentionally crash to make sure AddressSanitizer is running. |
| 167 // This test should not be ran on bots. | 177 // This test should not be ran on bots. |
| 168 int* volatile zero = NULL; | 178 int* volatile zero = NULL; |
| 169 *zero = 0; | 179 *zero = 0; |
| 170 } | 180 } |
| 171 | 181 |
| 172 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) { | 182 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) { |
| 173 // Intentionally crash to make sure AddressSanitizer is instrumenting | 183 // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 174 // the local variables. | 184 // the local variables. |
| (...skipping 11 matching lines...) Expand all Loading... |
| 186 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) { | 196 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) { |
| 187 // Intentionally crash to make sure AddressSanitizer is instrumenting | 197 // Intentionally crash to make sure AddressSanitizer is instrumenting |
| 188 // the global variables. | 198 // the global variables. |
| 189 // This test should not be ran on bots. | 199 // This test should not be ran on bots. |
| 190 | 200 |
| 191 // Work around the OOB warning reported by Clang. | 201 // Work around the OOB warning reported by Clang. |
| 192 int* volatile access = g_asan_test_global_array - 1; | 202 int* volatile access = g_asan_test_global_array - 1; |
| 193 *access = 43; | 203 *access = 43; |
| 194 } | 204 } |
| 195 | 205 |
| 196 #endif | 206 TEST(ToolsSanityTest, AsanHeapOverflow) { |
| 207 HARMFUL_ACCESS(debug::AsanHeapOverflow() ,"to the right"); |
| 208 } |
| 209 |
| 210 TEST(ToolsSanityTest, AsanHeapUnderflow) { |
| 211 HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "to the left"); |
| 212 } |
| 213 |
| 214 TEST(ToolsSanityTest, AsanHeapUseAfterFree) { |
| 215 HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free"); |
| 216 } |
| 217 |
| 218 #if defined(SYZYASAN) |
| 219 TEST(ToolsSanityTest, AsanCorruptHeapBlock) { |
| 220 HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), ""); |
| 221 } |
| 222 |
| 223 TEST(ToolsSanityTest, AsanCorruptHeap) { |
| 224 // This test will kill the process by raising an exception, there's no |
| 225 // particular string to look for in the stack trace. |
| 226 EXPECT_DEATH(debug::AsanCorruptHeap(), ""); |
| 227 } |
| 228 #endif // SYZYASAN |
| 229 |
| 230 #endif // ADDRESS_SANITIZER || SYZYASAN |
| 197 | 231 |
| 198 namespace { | 232 namespace { |
| 199 | 233 |
| 200 // We use caps here just to ensure that the method name doesn't interfere with | 234 // We use caps here just to ensure that the method name doesn't interfere with |
| 201 // the wildcarded suppressions. | 235 // the wildcarded suppressions. |
| 202 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate { | 236 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate { |
| 203 public: | 237 public: |
| 204 explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {} | 238 explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {} |
| 205 virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {} | 239 virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {} |
| 206 virtual void ThreadMain() OVERRIDE { | 240 virtual void ThreadMain() OVERRIDE { |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 274 | 308 |
| 275 TEST(ToolsSanityTest, AtomicsAreIgnored) { | 309 TEST(ToolsSanityTest, AtomicsAreIgnored) { |
| 276 base::subtle::Atomic32 shared = 0; | 310 base::subtle::Atomic32 shared = 0; |
| 277 ReleaseStoreThread thread1(&shared); | 311 ReleaseStoreThread thread1(&shared); |
| 278 AcquireLoadThread thread2(&shared); | 312 AcquireLoadThread thread2(&shared); |
| 279 RunInParallel(&thread1, &thread2); | 313 RunInParallel(&thread1, &thread2); |
| 280 EXPECT_EQ(kMagicValue, shared); | 314 EXPECT_EQ(kMagicValue, shared); |
| 281 } | 315 } |
| 282 | 316 |
| 283 } // namespace base | 317 } // namespace base |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 306753003:
Add some function and URLs to induce ASan crashes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master