1 | // RUN: %clang_hwasan %s -o %t |
2 | // RUN: not %run %t 40 2>&1 | FileCheck %s --check-prefix=CHECK40 |
3 | // RUN: not %run %t 80 2>&1 | FileCheck %s --check-prefix=CHECK80 |
4 | // RUN: not %run %t -30 2>&1 | FileCheck %s --check-prefix=CHECKm30 |
5 | // RUN: not %run %t -30 1000000 2>&1 | FileCheck %s --check-prefix=CHECKMm30 |
6 | // RUN: not %run %t 1000000 1000000 2>&1 | FileCheck %s --check-prefix=CHECKM |
7 | |
8 | // Test OOB within the granule. |
9 | // RUN: not %run %t 31 2>&1 | FileCheck %s --check-prefix=CHECK31 |
10 | // RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20 |
11 | |
12 | #include <stdlib.h> |
13 | #include <stdio.h> |
14 | #include <sanitizer/hwasan_interface.h> |
15 | |
16 | static volatile char sink; |
17 | |
18 | int main(int argc, char **argv) { |
19 | __hwasan_enable_allocator_tagging(); |
20 | int offset = argc < 2 ? 40 : atoi(nptr: argv[1]); |
21 | int size = argc < 3 ? 30 : atoi(nptr: argv[2]); |
22 | char * volatile x = (char*)malloc(size: size); |
23 | fprintf(stderr, format: "base: %p access: %p\n" , x, &x[offset]); |
24 | sink = x[offset]; |
25 | |
26 | #if defined(__x86_64__) |
27 | // Aliasing mode doesn't support the secondary allocator, so we fake a HWASan |
28 | // report instead of disabling the entire test. |
29 | if (size == 1000000) { |
30 | fprintf(stderr, format: "is a large allocated heap chunk; size: 1003520 offset: %d\n" , |
31 | offset); |
32 | fprintf(stderr, format: "Cause: heap-buffer-overflow\n" ); |
33 | fprintf(stderr, format: "is located %s a 1000000-byte region\n" , |
34 | offset == -30 ? "30 bytes before" : "0 bytes after" ); |
35 | return -1; |
36 | } |
37 | #endif |
38 | |
39 | // CHECK40: allocated heap chunk; size: 32 offset: 8 |
40 | // CHECK40: Cause: heap-buffer-overflow |
41 | // CHECK40: is located 10 bytes after a 30-byte region |
42 | // |
43 | // CHECK80: allocated heap chunk; size: 32 offset: 16 |
44 | // CHECK80: Cause: heap-buffer-overflow |
45 | // CHECK80: is located 50 bytes after a 30-byte region |
46 | // |
47 | // CHECKm30: Cause: heap-buffer-overflow |
48 | // CHECKm30: is located 30 bytes before a 30-byte region |
49 | // |
50 | // CHECKMm30: is a large allocated heap chunk; size: 1003520 offset: -30 |
51 | // CHECKMm30: Cause: heap-buffer-overflow |
52 | // CHECKMm30: is located 30 bytes before a 1000000-byte region |
53 | // |
54 | // CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000 |
55 | // CHECKM: Cause: heap-buffer-overflow |
56 | // CHECKM: is located 0 bytes after a 1000000-byte region |
57 | // |
58 | // CHECK31: tags: [[TAG:..]]/0e([[TAG]]) (ptr/mem) |
59 | // CHECK31-NOT: Invalid access starting at offset |
60 | // CHECK31: Cause: heap-buffer-overflow |
61 | // CHECK31: is located 1 bytes after a 30-byte region |
62 | // CHECK31: Memory tags around the buggy address |
63 | // CHECK31: [0e] |
64 | // CHECK31: Tags for short granules around the buggy address |
65 | // CHECK31: {{\[}}[[TAG]]] |
66 | // |
67 | // CHECK20-NOT: Invalid access starting at offset |
68 | // CHECK20: Cause: heap-buffer-overflow |
69 | // CHECK20: is located 10 bytes after a 20-byte region [0x{{.*}}0,0x{{.*}}4) |
70 | free(ptr: x); |
71 | } |
72 | |