1// RUN: %clang_hwasan %s -o %t
2// RUN: not %run %t 40 2>&1 | FileCheck %s --check-prefix=CHECK40
3// RUN: not %run %t 80 2>&1 | FileCheck %s --check-prefix=CHECK80
4// RUN: not %run %t -30 2>&1 | FileCheck %s --check-prefix=CHECKm30
5// RUN: not %run %t -30 1000000 2>&1 | FileCheck %s --check-prefix=CHECKMm30
6// RUN: not %run %t 1000000 1000000 2>&1 | FileCheck %s --check-prefix=CHECKM
7
8// Test OOB within the granule.
9// RUN: not %run %t 31 2>&1 | FileCheck %s --check-prefix=CHECK31
10// RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20
11
12#include <stdlib.h>
13#include <stdio.h>
14#include <sanitizer/hwasan_interface.h>
15
16static volatile char sink;
17
18int main(int argc, char **argv) {
19 __hwasan_enable_allocator_tagging();
20 int offset = argc < 2 ? 40 : atoi(nptr: argv[1]);
21 int size = argc < 3 ? 30 : atoi(nptr: argv[2]);
22 char * volatile x = (char*)malloc(size: size);
23 fprintf(stderr, format: "base: %p access: %p\n", x, &x[offset]);
24 sink = x[offset];
25
26#if defined(__x86_64__)
27 // Aliasing mode doesn't support the secondary allocator, so we fake a HWASan
28 // report instead of disabling the entire test.
29 if (size == 1000000) {
30 fprintf(stderr, format: "is a large allocated heap chunk; size: 1003520 offset: %d\n",
31 offset);
32 fprintf(stderr, format: "Cause: heap-buffer-overflow\n");
33 fprintf(stderr, format: "is located %s a 1000000-byte region\n",
34 offset == -30 ? "30 bytes before" : "0 bytes after");
35 return -1;
36 }
37#endif
38
39 // CHECK40: allocated heap chunk; size: 32 offset: 8
40 // CHECK40: Cause: heap-buffer-overflow
41 // CHECK40: is located 10 bytes after a 30-byte region
42 //
43 // CHECK80: allocated heap chunk; size: 32 offset: 16
44 // CHECK80: Cause: heap-buffer-overflow
45 // CHECK80: is located 50 bytes after a 30-byte region
46 //
47 // CHECKm30: Cause: heap-buffer-overflow
48 // CHECKm30: is located 30 bytes before a 30-byte region
49 //
50 // CHECKMm30: is a large allocated heap chunk; size: 1003520 offset: -30
51 // CHECKMm30: Cause: heap-buffer-overflow
52 // CHECKMm30: is located 30 bytes before a 1000000-byte region
53 //
54 // CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000
55 // CHECKM: Cause: heap-buffer-overflow
56 // CHECKM: is located 0 bytes after a 1000000-byte region
57 //
58 // CHECK31: tags: [[TAG:..]]/0e([[TAG]]) (ptr/mem)
59 // CHECK31-NOT: Invalid access starting at offset
60 // CHECK31: Cause: heap-buffer-overflow
61 // CHECK31: is located 1 bytes after a 30-byte region
62 // CHECK31: Memory tags around the buggy address
63 // CHECK31: [0e]
64 // CHECK31: Tags for short granules around the buggy address
65 // CHECK31: {{\[}}[[TAG]]]
66 //
67 // CHECK20-NOT: Invalid access starting at offset
68 // CHECK20: Cause: heap-buffer-overflow
69 // CHECK20: is located 10 bytes after a 20-byte region [0x{{.*}}0,0x{{.*}}4)
70 free(ptr: x);
71}
72

source code of compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c