| 1 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
|---|
| 2 | // See https://llvm.org/LICENSE.txt for license information. |
|---|
| 3 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
|---|
| 4 | |
|---|
| 5 | // Triggers the bug described here: |
|---|
| 6 | // https://github.com/google/oss-fuzz/issues/2369#issuecomment-490240627 |
|---|
| 7 | // |
|---|
| 8 | // In a nutshell, MSan's parameter shadow does not get unpoisoned before calls |
|---|
| 9 | // to LLVMFuzzerTestOneInput. This test case causes the parameter shadow to be |
|---|
| 10 | // poisoned by the call to foo(), which will trigger an MSan false positive on |
|---|
| 11 | // the Size == 0 check if the parameter shadow is still poisoned. |
|---|
| 12 | #include <cstdint> |
|---|
| 13 | #include <cstdio> |
|---|
| 14 | #include <cstdlib> |
|---|
| 15 | #include <cstring> |
|---|
| 16 | |
|---|
| 17 | volatile int zero = 0; |
|---|
| 18 | __attribute__((noinline)) int foo(int arg1, int arg2) { return zero; } |
|---|
| 19 | |
|---|
| 20 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { |
|---|
| 21 | if (Size == 0) |
|---|
| 22 | return 0; |
|---|
| 23 | |
|---|
| 24 | // Pass uninitialized values to foo(). Since foo doesn't do anything with |
|---|
| 25 | // them, MSan should not report an error here. |
|---|
| 26 | int a, b; |
|---|
| 27 | return foo(arg1: a, arg2: b); |
|---|
| 28 | } |
|---|
| 29 | |
|---|
