On 05/06/2016 01:07 PM, Martin Liška wrote: > Hi. > > This is a new test coverage for the new sanitizer option. > > Martin
Hello. This is the second version of the tests. I fixed a test where a variable overflowed, and a couple of tests were adopted from LLVM's testsuite (basically rewritten from scratch). Martin
>From 7dd04d12a4bf04ac18dca266f44b18e39e1d711f Mon Sep 17 00:00:00 2001 From: marxin <mli...@suse.cz> Date: Wed, 4 May 2016 12:57:05 +0200 Subject: [PATCH 2/2] Introduce tests for -fsanitize=use-after-scope gcc/testsuite/ChangeLog: 2016-05-10 Martin Liska <mli...@suse.cz> * g++.dg/asan/use-after-scope-1.C: New test. * g++.dg/asan/use-after-scope-2.C: New test. * gcc.dg/asan/use-after-scope-1.c: New test. * gcc.dg/asan/use-after-scope-2.c: New test. * gcc.dg/asan/use-after-scope-3.c: New test. * gcc.dg/asan/use-after-scope-4.c: New test. * gcc.dg/asan/use-after-scope-5.c: New test. * gcc.dg/asan/use-after-scope-goto-1.c: New test. --- gcc/testsuite/g++.dg/asan/use-after-scope-1.C | 22 ++++++++++ gcc/testsuite/g++.dg/asan/use-after-scope-2.C | 41 ++++++++++++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-1.c | 19 +++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-2.c | 48 ++++++++++++++++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-3.c | 21 ++++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-4.c | 17 ++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-5.c | 28 +++++++++++++ gcc/testsuite/gcc.dg/asan/use-after-scope-goto-1.c | 47 +++++++++++++++++++++ 8 files changed, 243 insertions(+) create mode 100644 gcc/testsuite/g++.dg/asan/use-after-scope-1.C create mode 100644 gcc/testsuite/g++.dg/asan/use-after-scope-2.C create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-1.c create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-2.c create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-3.c create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-4.c create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-5.c create mode 100644 gcc/testsuite/gcc.dg/asan/use-after-scope-goto-1.c
diff --git a/gcc/testsuite/g++.dg/asan/use-after-scope-1.C b/gcc/testsuite/g++.dg/asan/use-after-scope-1.C
new file mode 100644
index 0000000..ed61aed
--- /dev/null
+++ b/gcc/testsuite/g++.dg/asan/use-after-scope-1.C
@@ -0,0 +1,22 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+#include <functional>
+
+int main() {
+ std::function<int()> function;
+ {
+ int v = 0;
+ function = [&v]()
+ {
+ return v;
+ };
+ }
+ return function();
+}
+
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "READ of size 4 at.*" }
+// { dg-output ".*'v' <== Memory access at offset \[0-9\]* is inside this variable.*" }
diff --git a/gcc/testsuite/g++.dg/asan/use-after-scope-2.C b/gcc/testsuite/g++.dg/asan/use-after-scope-2.C
new file mode 100644
index 0000000..d82bc88
--- /dev/null
+++ b/gcc/testsuite/g++.dg/asan/use-after-scope-2.C
@@ -0,0 +1,41 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+#include <stdio.h>
+
+struct Test
+{
+ Test ()
+ {
+ my_value = 0;
+ }
+
+ ~Test ()
+ {
+ fprintf (stderr, "Value: %d\n", *my_value);
+ }
+
+ void init (int *v)
+ {
+ my_value = v;
+ }
+
+ int *my_value;
+};
+
+int main(int argc, char **argv)
+{
+ Test t;
+
+ {
+ int x = argc;
+ t.init(&x);
+ }
+
+ return 0;
+}
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "READ of size 4 at.*" }
+// { dg-output ".*'x' <== Memory access at offset \[0-9\]* is inside this variable.*" }
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-1.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-1.c
new file mode 100644
index 0000000..1420416
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-1.c
@@ -0,0 +1,19 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+int
+main (void)
+{
+ char *ptr;
+ {
+ char my_char[9];
+ ptr = &my_char[0];
+ }
+
+ return *(ptr+8);
+}
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "READ of size 1 at.*" }
+// { dg-output ".*'my_char' <== Memory access at offset \[0-9\]* is inside this variable.*" }
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-2.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-2.c
new file mode 100644
index 0000000..96f0082
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-2.c
@@ -0,0 +1,48 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+int *bar (int *x, int *y) { return y; }
+
+int foo (void)
+{
+ char *p;
+ {
+ char a = 0;
+ p = &a;
+ }
+
+ if (*p)
+ return 1;
+ else
+ return 0;
+}
+
+int
+main (void)
+{
+ char *ptr;
+ {
+ char my_char[9];
+ ptr = &my_char[0];
+ }
+
+ int a[16];
+ int *p, *q = a;
+ {
+ int b[16];
+ p = bar (a, b);
+ }
+ bar (a, q);
+ {
+ int c[16];
+ q = bar (a, c);
+ }
+ int v = *bar (a, q);
+ return v;
+}
+
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "READ of size 4 at.*" }
+// { dg-output ".*'c' <== Memory access at offset \[0-9\]* is inside this variable.*" }
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-3.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-3.c
new file mode 100644
index 0000000..5241f37
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-3.c
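Review bot: In gcc.dg/asan/use-after-scope-2.c, `foo` is never called, and in `main` the first block (`ptr`/`my_char`) and the value stored in `p` are never read, so only the final `*bar (a, q)` load of `c` is actually exercised. Either drop the unused parts or move the `char a` case from `foo` into its own test with its own `dg-output` expectations, since a `dg-shouldfail` run stops at the first report anyway. If the unused code is there on purpose (for example to show that an out-of-scope variable that is never dereferenced produces no report), a one-line comment such as `/* Never dereferenced: must not trigger a report.  */` would make that intent visible.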
@@ -0,0 +1,21 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+int
+main (void)
+{
+ char *ptr;
+ char *ptr2;
+ {
+ char my_char[9];
+ ptr = &my_char[0];
+ __builtin_memcpy (&ptr2, &ptr, sizeof (ptr2));
+ }
+
+ *(ptr2+9) = 'c';
+}
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "WRITE of size 1 at.*" }
+// { dg-output ".*'my_char' <== Memory access at offset \[0-9\]* overflows this variable.*" }
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-4.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-4.c
new file mode 100644
index 0000000..d50ce5f
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-4.c
@@ -0,0 +1,17 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+
+int
+__attribute__((no_sanitize_address))
+main (void)
+{
+ char *ptr;
+ char *ptr2;
+ {
+ char my_char[9];
+ ptr = &my_char[0];
+ __builtin_memcpy (&ptr2, &ptr, sizeof (ptr2));
+ }
+
+ *(ptr2+9) = 'c';
+}
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-5.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-5.c
new file mode 100644
index 0000000..bcfbb1c
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-5.c
@@ -0,0 +1,28 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope" }
+// { dg-shouldfail "asan" }
+
+int *ptr;
+
+__attribute__((always_inline))
+inline static void
+foo(int v)
+{
+ int values[10];
+ for (unsigned i = 0; i < 10; i++)
+ values[i] = v;
+
+ ptr = &values[3];
+}
+
+int
+main (int argc, char **argv)
+{
+ foo (argc);
+
+ return *ptr;
+}
+
+// { dg-output "ERROR: AddressSanitizer: stack-use-after-scope on address.*(\n|\r\n|\r)" }
+// { dg-output "READ of size 4 at.*" }
+// { dg-output ".*'values' <== Memory access at offset \[0-9\]* is inside this variable.*" }
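Review bot: In gcc.dg/asan/use-after-scope-3.c the store `*(ptr2+9) = 'c';` is one byte past the end of `my_char[9]`, so the test combines an out-of-bounds offset with a use-after-scope access. The expected `stack-use-after-scope` classification then presumably depends on the partially addressable tail of the array being poisoned as out-of-scope rather than as an ordinary redzone. The `overflows this variable` pattern suggests this is deliberate; if so, state it next to the store, e.g. `/* Offset 9 is intentionally past the end; the report must still be stack-use-after-scope.  */`, so nobody later "fixes" the index.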
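Review bot: In gcc.dg/asan/use-after-scope-4.c `main` is `no_sanitize_address`, so `*(ptr2+9) = 'c';` is a real, unchecked store one byte past the end of a dead 9-byte stack array, and the test passing may depend on what the frame layout places at that address. An in-bounds offset verifies the same thing, namely that the attribute suppresses the use-after-scope report, without relying on stack layout: `*(ptr2+8) = 'c';`. Since this test expects a clean exit, an explicit `return 0;` at the end of `main` would also make the exit status independent of the `-std` in effect.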
diff --git a/gcc/testsuite/gcc.dg/asan/use-after-scope-goto-1.c b/gcc/testsuite/gcc.dg/asan/use-after-scope-goto-1.c
new file mode 100644
index 0000000..32d5680
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/asan/use-after-scope-goto-1.c
@@ -0,0 +1,47 @@
+// { dg-do run }
+// { dg-additional-options "-fsanitize=use-after-scope -fdump-tree-asan0" }
+/* { dg-skip-if "" { *-*-* } { "*" } { "-O0" } } */
+
+int main(int argc, char **argv)
+{
+ int a = 123;
+ int b = 123;
+ int c = 123;
+ int d = 123;
+ int e = 123;
+ int f = 123;
+
+ if (argc == 0)
+ {
+ int *ptr;
+ int *ptr2;
+ int *ptr3;
+ int *ptr4;
+ int *ptr5;
+ int *ptr6;
+ label:
+ {
+ ptr = &a;
+ *ptr = 1;
+ ptr2 = &b;
+ *ptr2 = 1;
+ ptr3 = &c;
+ *ptr3 = 1;
+ ptr4 = &d;
+ *ptr4 = 1;
+ ptr5 = &e;
+ *ptr5 = 1;
+ ptr6 = &f;
+ *ptr6 = 1;
+ return 0;
+ }
+ }
+ else
+ goto label;
+
+ return 0;
+}
+
+/* { dg-final { scan-tree-dump-times "ASAN_MARK \\(2, &a, 4\\);" 2 "asan0" } } */
+/* { dg-final { scan-tree-dump-times "ASAN_MARK \\(2, &c, 4\\);" 2 "asan0" } } */
+/* { dg-final { scan-tree-dump-times "ASAN_MARK \\(2, &e, 4\\);" 2 "asan0" } } */
-- 2.8.2
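Review bot: The three `scan-tree-dump-times` patterns in use-after-scope-goto-1.c hard-code the flag value `2`, the size `4` and an expected count of 2, with no comment saying what property of the `goto label` path is being verified, and `b`, `d` and `f` are not checked at all. A short header comment stating why each variable is expected to be marked exactly twice, and why only every other variable is scanned, would let a later reader tell a real regression from an intentional change in the instrumentation. If the `4` stands for `sizeof (int)`, matching it with `\[0-9\]+` (the bracket escaping already used by the `dg-output` lines in the sibling tests) would keep the test from depending on the target's int size.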