blob: fb82783143a9e7611b927b8dc156ff2f4dc16c4b [file] [log] [blame]
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This file contains intentional memory errors, some of which may lead to
// crashes if the test is ran without special memory testing tools. We use these
// errors to verify the sanity of the tools.
#include <stddef.h>
#include "base/atomicops.h"
#include "base/cfi_buildflags.h"
#include "base/debug/asan_invalid_access.h"
#include "base/debug/profiler.h"
#include "base/logging.h"
#include "base/memory/raw_ptr.h"
#include "base/sanitizer_buildflags.h"
#include "base/third_party/dynamic_annotations/dynamic_annotations.h"
#include "base/threading/thread.h"
#include "build/build_config.h"
#include "testing/gtest/include/gtest/gtest.h"
#if BUILDFLAG(IS_WIN)
#include <windows.h>
#else
#include <dlfcn.h>
#endif
namespace base {
namespace {
const base::subtle::Atomic32 kMagicValue = 42;
// Helper for memory accesses that can potentially corrupt memory or cause a
// crash during a native run.
#if defined(ADDRESS_SANITIZER)
#define HARMFUL_ACCESS(action, error_regexp) \
EXPECT_DEATH_IF_SUPPORTED(action, error_regexp)
#elif BUILDFLAG(IS_HWASAN)
#define HARMFUL_ACCESS(action, error_regexp) \
EXPECT_DEATH(action, "tag-mismatch")
#else
#define HARMFUL_ACCESS(action, error_regexp)
#define HARMFUL_ACCESS_IS_NOOP
#endif
void DoReadUninitializedValue(volatile char *ptr) {
// Comparison with 64 is to prevent clang from optimizing away the
// jump -- valgrind only catches jumps and conditional moves, but clang uses
// the borrow flag if the condition is just `*ptr == '\0'`. We no longer
// support valgrind, but this constant should be fine to keep as-is.
if (*ptr == 64) {
VLOG(1) << "Uninit condition is true";
} else {
VLOG(1) << "Uninit condition is false";
}
}
void ReadUninitializedValue(volatile char *ptr) {
#if defined(MEMORY_SANITIZER)
EXPECT_DEATH(DoReadUninitializedValue(ptr),
"use-of-uninitialized-value");
#else
DoReadUninitializedValue(ptr);
#endif
}
#ifndef HARMFUL_ACCESS_IS_NOOP
void ReadValueOutOfArrayBoundsLeft(char *ptr) {
char c = ptr[-2];
VLOG(1) << "Reading a byte out of bounds: " << c;
}
void ReadValueOutOfArrayBoundsRight(char *ptr, size_t size) {
char c = ptr[size + 1];
VLOG(1) << "Reading a byte out of bounds: " << c;
}
void WriteValueOutOfArrayBoundsLeft(char *ptr) {
ptr[-1] = kMagicValue;
}
void WriteValueOutOfArrayBoundsRight(char *ptr, size_t size) {
ptr[size] = kMagicValue;
}
#endif // HARMFUL_ACCESS_IS_NOOP
void MakeSomeErrors(char *ptr, size_t size) {
ReadUninitializedValue(ptr);
HARMFUL_ACCESS(ReadValueOutOfArrayBoundsLeft(ptr), "2 bytes before");
HARMFUL_ACCESS(ReadValueOutOfArrayBoundsRight(ptr, size), "1 bytes after");
HARMFUL_ACCESS(WriteValueOutOfArrayBoundsLeft(ptr), "1 bytes before");
HARMFUL_ACCESS(WriteValueOutOfArrayBoundsRight(ptr, size), "0 bytes after");
}
} // namespace
#if defined(ADDRESS_SANITIZER) || defined(LEAK_SANITIZER) || \
defined(MEMORY_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(UNDEFINED_SANITIZER)
// build/sanitizers/sanitizer_options.cc defines symbols like
// __asan_default_options which the sanitizer runtime calls if they exist
// in the executable. If they don't, the sanitizer runtime silently uses an
// internal default value instead. The build puts the symbol
// _sanitizer_options_link_helper (which the sanitizer runtime doesn't know
// about, it's a chrome thing) in that file and then tells the linker that
// that symbol must exist. This causes sanitizer_options.cc to be part of
// our binaries, which in turn makes sure our __asan_default_options are used.
// We had problems with __asan_default_options not being used, so this test
// verifies that _sanitizer_options_link_helper actually makes it into our
// binaries.
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_WIN) || defined(COBALT_PENDING_CLEAN_UP)
// TODO(https://crbug.com/1322143): Sanitizer options are currently broken
// on Android.
// TODO(https://crbug.com/1321584): __asan_default_options should be used
// on Windows too, but currently isn't.
#define MAYBE_LinksSanitizerOptions DISABLED_LinksSanitizerOptions
#else
#define MAYBE_LinksSanitizerOptions LinksSanitizerOptions
#endif
TEST(ToolsSanityTest, MAYBE_LinksSanitizerOptions) {
constexpr char kSym[] = "_sanitizer_options_link_helper";
#if BUILDFLAG(IS_WIN)
auto sym = GetProcAddress(GetModuleHandle(nullptr), kSym);
#else
void* sym = dlsym(RTLD_DEFAULT, kSym);
#endif
EXPECT_TRUE(sym != nullptr);
}
#endif // sanitizers
// A memory leak detector should report an error in this test.
TEST(ToolsSanityTest, MemoryLeak) {
// Without the |volatile|, clang optimizes away the next two lines.
int* volatile leak = new int[256]; // Leak some memory intentionally.
leak[4] = 1; // Make sure the allocated memory is used.
}
TEST(ToolsSanityTest, AccessesToNewMemory) {
char* foo = new char[16];
MakeSomeErrors(foo, 16);
delete [] foo;
// Use after delete.
HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
}
TEST(ToolsSanityTest, AccessesToMallocMemory) {
char* foo = reinterpret_cast<char*>(malloc(16));
MakeSomeErrors(foo, 16);
free(foo);
// Use after free.
HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
}
TEST(ToolsSanityTest, AccessesToStack) {
char foo[16];
ReadUninitializedValue(foo);
HARMFUL_ACCESS(ReadValueOutOfArrayBoundsLeft(foo),
"underflows this variable");
HARMFUL_ACCESS(ReadValueOutOfArrayBoundsRight(foo, 16),
"overflows this variable");
HARMFUL_ACCESS(WriteValueOutOfArrayBoundsLeft(foo),
"underflows this variable");
HARMFUL_ACCESS(WriteValueOutOfArrayBoundsRight(foo, 16),
"overflows this variable");
}
#if defined(ADDRESS_SANITIZER)
// alloc_dealloc_mismatch defaults to
// !SANITIZER_MAC && !SANITIZER_WINDOWS && !SANITIZER_ANDROID,
// in the sanitizer runtime upstream.
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN) || \
BUILDFLAG(IS_FUCHSIA)
#define MAYBE_SingleElementDeletedWithBraces \
DISABLED_SingleElementDeletedWithBraces
#define MAYBE_ArrayDeletedWithoutBraces DISABLED_ArrayDeletedWithoutBraces
#else
#define MAYBE_ArrayDeletedWithoutBraces ArrayDeletedWithoutBraces
#define MAYBE_SingleElementDeletedWithBraces SingleElementDeletedWithBraces
#endif // defined(ADDRESS_SANITIZER)
static int* allocateArray() {
// Clang warns about the mismatched new[]/delete if they occur in the same
// function.
return new int[10];
}
// This test may corrupt memory if not compiled with AddressSanitizer.
TEST(ToolsSanityTest, MAYBE_ArrayDeletedWithoutBraces) {
// Without the |volatile|, clang optimizes away the next two lines.
int* volatile foo = allocateArray();
HARMFUL_ACCESS(delete foo, "alloc-dealloc-mismatch");
// Under ASan the crash happens in the process spawned by HARMFUL_ACCESS,
// need to free the memory in the parent.
delete [] foo;
}
static int* allocateScalar() {
// Clang warns about the mismatched new/delete[] if they occur in the same
// function.
return new int;
}
// This test may corrupt memory if not compiled with AddressSanitizer.
TEST(ToolsSanityTest, MAYBE_SingleElementDeletedWithBraces) {
// Without the |volatile|, clang optimizes away the next two lines.
int* volatile foo = allocateScalar();
(void) foo;
HARMFUL_ACCESS(delete [] foo, "alloc-dealloc-mismatch");
// Under ASan the crash happens in the process spawned by HARMFUL_ACCESS,
// need to free the memory in the parent.
delete foo;
}
#endif
TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) {
// Intentionally crash to make sure AddressSanitizer is running.
// This test should not be ran on bots.
int* volatile zero = NULL;
*zero = 0;
}
TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) {
// Intentionally crash to make sure AddressSanitizer is instrumenting
// the local variables.
// This test should not be ran on bots.
int array[5];
// Work around the OOB warning reported by Clang.
int* volatile access = &array[5];
*access = 43;
}
namespace {
int g_asan_test_global_array[10];
} // namespace
TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) {
// Intentionally crash to make sure AddressSanitizer is instrumenting
// the global variables.
// This test should not be ran on bots.
// Work around the OOB warning reported by Clang.
int* volatile access = g_asan_test_global_array - 1;
*access = 43;
}
#ifndef HARMFUL_ACCESS_IS_NOOP
TEST(ToolsSanityTest, AsanHeapOverflow) {
HARMFUL_ACCESS(debug::AsanHeapOverflow(), "after");
}
TEST(ToolsSanityTest, AsanHeapUnderflow) {
HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "before");
}
TEST(ToolsSanityTest, AsanHeapUseAfterFree) {
HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free");
}
#if BUILDFLAG(IS_WIN)
// The ASAN runtime doesn't detect heap corruption, this needs fixing before
// ASAN builds can ship to the wild. See https://crbug.com/818747.
TEST(ToolsSanityTest, DISABLED_AsanCorruptHeapBlock) {
HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), "");
}
TEST(ToolsSanityTest, DISABLED_AsanCorruptHeap) {
// This test will kill the process by raising an exception, there's no
// particular string to look for in the stack trace.
EXPECT_DEATH(debug::AsanCorruptHeap(), "");
}
#endif // BUILDFLAG(IS_WIN)
#endif // !HARMFUL_ACCESS_IS_NOOP
namespace {
// We use caps here just to ensure that the method name doesn't interfere with
// the wildcarded suppressions.
class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate {
public:
explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {}
~TOOLS_SANITY_TEST_CONCURRENT_THREAD() override = default;
void ThreadMain() override {
*value_ = true;
// Sleep for a few milliseconds so the two threads are more likely to live
// simultaneously. Otherwise we may miss the report due to mutex
// lock/unlock's inside thread creation code in pure-happens-before mode...
PlatformThread::Sleep(Milliseconds(100));
}
private:
raw_ptr<bool> value_;
};
class ReleaseStoreThread : public PlatformThread::Delegate {
public:
explicit ReleaseStoreThread(base::subtle::Atomic32 *value) : value_(value) {}
~ReleaseStoreThread() override = default;
void ThreadMain() override {
base::subtle::Release_Store(value_, kMagicValue);
// Sleep for a few milliseconds so the two threads are more likely to live
// simultaneously. Otherwise we may miss the report due to mutex
// lock/unlock's inside thread creation code in pure-happens-before mode...
PlatformThread::Sleep(Milliseconds(100));
}
private:
raw_ptr<base::subtle::Atomic32> value_;
};
class AcquireLoadThread : public PlatformThread::Delegate {
public:
explicit AcquireLoadThread(base::subtle::Atomic32 *value) : value_(value) {}
~AcquireLoadThread() override = default;
void ThreadMain() override {
// Wait for the other thread to make Release_Store
PlatformThread::Sleep(Milliseconds(100));
base::subtle::Acquire_Load(value_);
}
private:
raw_ptr<base::subtle::Atomic32> value_;
};
void RunInParallel(PlatformThread::Delegate *d1, PlatformThread::Delegate *d2) {
PlatformThreadHandle a;
PlatformThreadHandle b;
PlatformThread::Create(0, d1, &a);
PlatformThread::Create(0, d2, &b);
PlatformThread::Join(a);
PlatformThread::Join(b);
}
#if defined(THREAD_SANITIZER)
void DataRace() {
bool *shared = new bool(false);
TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(shared), thread2(shared);
RunInParallel(&thread1, &thread2);
EXPECT_TRUE(*shared);
delete shared;
// We're in a death test - crash.
CHECK(0);
}
#endif
} // namespace
#if defined(THREAD_SANITIZER)
// A data race detector should report an error in this test.
TEST(ToolsSanityTest, DataRace) {
// The suppression regexp must match that in base/debug/tsan_suppressions.cc.
EXPECT_DEATH(DataRace(), "1 race:base/tools_sanity_unittest.cc");
}
#endif
TEST(ToolsSanityTest, AnnotateBenignRace) {
bool shared = false;
ANNOTATE_BENIGN_RACE(&shared, "Intentional race - make sure doesn't show up");
TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(&shared), thread2(&shared);
RunInParallel(&thread1, &thread2);
EXPECT_TRUE(shared);
}
TEST(ToolsSanityTest, AtomicsAreIgnored) {
base::subtle::Atomic32 shared = 0;
ReleaseStoreThread thread1(&shared);
AcquireLoadThread thread2(&shared);
RunInParallel(&thread1, &thread2);
EXPECT_EQ(kMagicValue, shared);
}
#if BUILDFLAG(CFI_ENFORCEMENT_TRAP)
#if BUILDFLAG(IS_WIN)
#define CFI_ERROR_MSG "EXCEPTION_ILLEGAL_INSTRUCTION"
#elif BUILDFLAG(IS_ANDROID)
// TODO(pcc): Produce proper stack dumps on Android and test for the correct
// si_code here.
#define CFI_ERROR_MSG "^$"
#else
#define CFI_ERROR_MSG "ILL_ILLOPN"
#endif
#elif BUILDFLAG(CFI_ENFORCEMENT_DIAGNOSTIC)
#define CFI_ERROR_MSG "runtime error: control flow integrity check"
#endif // BUILDFLAG(CFI_ENFORCEMENT_TRAP || CFI_ENFORCEMENT_DIAGNOSTIC)
#if defined(CFI_ERROR_MSG)
class A {
public:
A(): n_(0) {}
virtual void f() { n_++; }
protected:
int n_;
};
class B: public A {
public:
void f() override { n_--; }
};
class C: public B {
public:
void f() override { n_ += 2; }
};
NOINLINE void KillVptrAndCall(A *obj) {
*reinterpret_cast<void **>(obj) = 0;
obj->f();
}
TEST(ToolsSanityTest, BadVirtualCallNull) {
A a;
B b;
EXPECT_DEATH({ KillVptrAndCall(&a); KillVptrAndCall(&b); }, CFI_ERROR_MSG);
}
NOINLINE void OverwriteVptrAndCall(B *obj, A *vptr) {
*reinterpret_cast<void **>(obj) = *reinterpret_cast<void **>(vptr);
obj->f();
}
TEST(ToolsSanityTest, BadVirtualCallWrongType) {
A a;
B b;
C c;
EXPECT_DEATH({ OverwriteVptrAndCall(&b, &a); OverwriteVptrAndCall(&b, &c); },
CFI_ERROR_MSG);
}
// TODO(pcc): remove CFI_CAST_CHECK, see https://crbug.com/626794.
#if BUILDFLAG(CFI_CAST_CHECK)
TEST(ToolsSanityTest, BadDerivedCast) {
A a;
EXPECT_DEATH((void)(B*)&a, CFI_ERROR_MSG);
}
TEST(ToolsSanityTest, BadUnrelatedCast) {
class A {
virtual void f() {}
};
class B {
virtual void f() {}
};
A a;
EXPECT_DEATH((void)(B*)&a, CFI_ERROR_MSG);
}
#endif // BUILDFLAG(CFI_CAST_CHECK)
#endif // CFI_ERROR_MSG
#undef CFI_ERROR_MSG
#undef HARMFUL_ACCESS
#undef HARMFUL_ACCESS_IS_NOOP
} // namespace base