base/tools_sanity_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4 //
   5 // This file contains intentional memory errors, some of which may lead to
   6 // crashes if the test is ran without special memory testing tools. We use these
   7 // errors to verify the sanity of the tools.
   8
   9 #include "base/atomicops.h"
  10 #include "base/debug/asan_invalid_access.h"
  11 #include "base/debug/profiler.h"
  12 #include "base/message_loop/message_loop.h"
  13 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
  14 #include "base/threading/thread.h"
  15 #include "testing/gtest/include/gtest/gtest.h"
  16
  17 namespace base {
  18
  19 namespace {
  20
  21 const base::subtle::Atomic32 kMagicValue = 42;
  22
  23 // Helper for memory accesses that can potentially corrupt memory or cause a
  24 // crash during a native run.
  25 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
  26 #if defined(OS_IOS)
  27 // EXPECT_DEATH is not supported on IOS.
  28 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0)
  29 #elif defined(SYZYASAN)
  30 // We won't get a meaningful error message because we're not running under the
  31 // SyzyASan logger, but we can at least make sure that the error has been
  32 // generated in the SyzyASan runtime.
  33 #define HARMFUL_ACCESS(action,unused) \
  34 if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action, \
  35                                                   "AsanRuntime::OnError"); }
  36 #else
  37 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp)
  38 #endif  // !OS_IOS && !SYZYASAN
  39 #else
  40 #define HARMFUL_ACCESS(action,error_regexp) \
  41 do { if (RunningOnValgrind()) { action; } } while (0)
  42 #endif
  43
  44 void DoReadUninitializedValue(char *ptr) {
  45   // Comparison with 64 is to prevent clang from optimizing away the
  46   // jump -- valgrind only catches jumps and conditional moves, but clang uses
  47   // the borrow flag if the condition is just `*ptr == '\0'`.
  48   if (*ptr == 64) {
  49     VLOG(1) << "Uninit condition is true";
  50   } else {
  51     VLOG(1) << "Uninit condition is false";
  52   }
  53 }
  54
  55 void ReadUninitializedValue(char *ptr) {
  56 #if defined(MEMORY_SANITIZER)
  57   EXPECT_DEATH(DoReadUninitializedValue(ptr),
  58                "use-of-uninitialized-value");
  59 #else
  60   DoReadUninitializedValue(ptr);
  61 #endif
  62 }
  63
  64 void ReadValueOutOfArrayBoundsLeft(char *ptr) {
  65   char c = ptr[-2];
  66   VLOG(1) << "Reading a byte out of bounds: " << c;
  67 }
  68
  69 void ReadValueOutOfArrayBoundsRight(char *ptr, size_t size) {
  70   char c = ptr[size + 1];
  71   VLOG(1) << "Reading a byte out of bounds: " << c;
  72 }
  73
  74 // This is harmless if you run it under Valgrind thanks to redzones.
  75 void WriteValueOutOfArrayBoundsLeft(char *ptr) {
  76   ptr[-1] = kMagicValue;
  77 }
  78
  79 // This is harmless if you run it under Valgrind thanks to redzones.
  80 void WriteValueOutOfArrayBoundsRight(char *ptr, size_t size) {
  81   ptr[size] = kMagicValue;
  82 }
  83
  84 void MakeSomeErrors(char *ptr, size_t size) {
  85   ReadUninitializedValue(ptr);
  86
  87   HARMFUL_ACCESS(ReadValueOutOfArrayBoundsLeft(ptr),
  88                  "2 bytes to the left");
  89   HARMFUL_ACCESS(ReadValueOutOfArrayBoundsRight(ptr, size),
  90                  "1 bytes to the right");
  91   HARMFUL_ACCESS(WriteValueOutOfArrayBoundsLeft(ptr),
  92                  "1 bytes to the left");
  93   HARMFUL_ACCESS(WriteValueOutOfArrayBoundsRight(ptr, size),
  94                  "0 bytes to the right");
  95 }
  96
  97 }  // namespace
  98
  99 // A memory leak detector should report an error in this test.
 100 TEST(ToolsSanityTest, MemoryLeak) {
 101   // Without the |volatile|, clang optimizes away the next two lines.
 102   int* volatile leak = new int[256];  // Leak some memory intentionally.
 103   leak[4] = 1;  // Make sure the allocated memory is used.
 104 }
 105
 106 #if (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) || defined(SYZYASAN)
 107 // Because iOS doesn't support death tests, each of the following tests will
 108 // crash the whole program under Asan. On Windows Asan is based on SyzyAsan; the
 109 // error report mechanism is different than with Asan so these tests will fail.
 110 #define MAYBE_AccessesToNewMemory DISABLED_AccessesToNewMemory
 111 #define MAYBE_AccessesToMallocMemory DISABLED_AccessesToMallocMemory
 112 #else
 113 #define MAYBE_AccessesToNewMemory AccessesToNewMemory
 114 #define MAYBE_AccessesToMallocMemory AccessesToMallocMemory
 115 #define MAYBE_ArrayDeletedWithoutBraces ArrayDeletedWithoutBraces
 116 #define MAYBE_SingleElementDeletedWithBraces SingleElementDeletedWithBraces
 117 #endif
 118
 119 // The following tests pass with Clang r170392, but not r172454, which
 120 // makes AddressSanitizer detect errors in them. We disable these tests under
 121 // AddressSanitizer until we fully switch to Clang r172454. After that the
 122 // tests should be put back under the (defined(OS_IOS) || defined(OS_WIN))
 123 // clause above.
 124 // See also http://crbug.com/172614.
 125 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 126 #define MAYBE_SingleElementDeletedWithBraces \
 127     DISABLED_SingleElementDeletedWithBraces
 128 #define MAYBE_ArrayDeletedWithoutBraces DISABLED_ArrayDeletedWithoutBraces
 129 #endif
 130 TEST(ToolsSanityTest, MAYBE_AccessesToNewMemory) {
 131   char *foo = new char[10];
 132   MakeSomeErrors(foo, 10);
 133   delete [] foo;
 134   // Use after delete.
 135   HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
 136 }
 137
 138 TEST(ToolsSanityTest, MAYBE_AccessesToMallocMemory) {
 139   char *foo = reinterpret_cast<char*>(malloc(10));
 140   MakeSomeErrors(foo, 10);
 141   free(foo);
 142   // Use after free.
 143   HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
 144 }
 145
 146 TEST(ToolsSanityTest, MAYBE_ArrayDeletedWithoutBraces) {
 147 #if !defined(ADDRESS_SANITIZER) && !defined(SYZYASAN)
 148   // This test may corrupt memory if not run under Valgrind or compiled with
 149   // AddressSanitizer.
 150   if (!RunningOnValgrind())
 151     return;
 152 #endif
 153
 154   // Without the |volatile|, clang optimizes away the next two lines.
 155   int* volatile foo = new int[10];
 156   delete foo;
 157 }
 158
 159 TEST(ToolsSanityTest, MAYBE_SingleElementDeletedWithBraces) {
 160 #if !defined(ADDRESS_SANITIZER)
 161   // This test may corrupt memory if not run under Valgrind or compiled with
 162   // AddressSanitizer.
 163   if (!RunningOnValgrind())
 164     return;
 165 #endif
 166
 167   // Without the |volatile|, clang optimizes away the next two lines.
 168   int* volatile foo = new int;
 169   (void) foo;
 170   delete [] foo;
 171 }
 172
 173 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 174
 175 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) {
 176   // Intentionally crash to make sure AddressSanitizer is running.
 177   // This test should not be ran on bots.
 178   int* volatile zero = NULL;
 179   *zero = 0;
 180 }
 181
 182 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) {
 183   // Intentionally crash to make sure AddressSanitizer is instrumenting
 184   // the local variables.
 185   // This test should not be ran on bots.
 186   int array[5];
 187   // Work around the OOB warning reported by Clang.
 188   int* volatile access = &array[5];
 189   *access = 43;
 190 }
 191
 192 namespace {
 193 int g_asan_test_global_array[10];
 194 }  // namespace
 195
 196 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) {
 197   // Intentionally crash to make sure AddressSanitizer is instrumenting
 198   // the global variables.
 199   // This test should not be ran on bots.
 200
 201   // Work around the OOB warning reported by Clang.
 202   int* volatile access = g_asan_test_global_array - 1;
 203   *access = 43;
 204 }
 205
 206 TEST(ToolsSanityTest, AsanHeapOverflow) {
 207   HARMFUL_ACCESS(debug::AsanHeapOverflow() ,"to the right");
 208 }
 209
 210 TEST(ToolsSanityTest, AsanHeapUnderflow) {
 211   HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "to the left");
 212 }
 213
 214 TEST(ToolsSanityTest, AsanHeapUseAfterFree) {
 215   HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free");
 216 }
 217
 218 #if defined(SYZYASAN)
 219 TEST(ToolsSanityTest, AsanCorruptHeapBlock) {
 220   HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), "");
 221 }
 222
 223 TEST(ToolsSanityTest, AsanCorruptHeap) {
 224   // This test will kill the process by raising an exception, there's no
 225   // particular string to look for in the stack trace.
 226   EXPECT_DEATH(debug::AsanCorruptHeap(), "");
 227 }
 228 #endif  // SYZYASAN
 229
 230 #endif  // ADDRESS_SANITIZER || SYZYASAN
 231
 232 namespace {
 233
 234 // We use caps here just to ensure that the method name doesn't interfere with
 235 // the wildcarded suppressions.
 236 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate {
 237  public:
 238   explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {}
 239   virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {}
 240   virtual void ThreadMain() OVERRIDE {
 241     *value_ = true;
 242
 243     // Sleep for a few milliseconds so the two threads are more likely to live
 244     // simultaneously. Otherwise we may miss the report due to mutex
 245     // lock/unlock's inside thread creation code in pure-happens-before mode...
 246     PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
 247   }
 248  private:
 249   bool *value_;
 250 };
 251
 252 class ReleaseStoreThread : public PlatformThread::Delegate {
 253  public:
 254   explicit ReleaseStoreThread(base::subtle::Atomic32 *value) : value_(value) {}
 255   virtual ~ReleaseStoreThread() {}
 256   virtual void ThreadMain() OVERRIDE {
 257     base::subtle::Release_Store(value_, kMagicValue);
 258
 259     // Sleep for a few milliseconds so the two threads are more likely to live
 260     // simultaneously. Otherwise we may miss the report due to mutex
 261     // lock/unlock's inside thread creation code in pure-happens-before mode...
 262     PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
 263   }
 264  private:
 265   base::subtle::Atomic32 *value_;
 266 };
 267
 268 class AcquireLoadThread : public PlatformThread::Delegate {
 269  public:
 270   explicit AcquireLoadThread(base::subtle::Atomic32 *value) : value_(value) {}
 271   virtual ~AcquireLoadThread() {}
 272   virtual void ThreadMain() OVERRIDE {
 273     // Wait for the other thread to make Release_Store
 274     PlatformThread::Sleep(TimeDelta::FromMilliseconds(100));
 275     base::subtle::Acquire_Load(value_);
 276   }
 277  private:
 278   base::subtle::Atomic32 *value_;
 279 };
 280
 281 void RunInParallel(PlatformThread::Delegate *d1, PlatformThread::Delegate *d2) {
 282   PlatformThreadHandle a;
 283   PlatformThreadHandle b;
 284   PlatformThread::Create(0, d1, &a);
 285   PlatformThread::Create(0, d2, &b);
 286   PlatformThread::Join(a);
 287   PlatformThread::Join(b);
 288 }
 289
 290 }  // namespace
 291
 292 // A data race detector should report an error in this test.
 293 TEST(ToolsSanityTest, DataRace) {
 294   bool *shared = new bool(false);
 295   TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(shared), thread2(shared);
 296   RunInParallel(&thread1, &thread2);
 297   EXPECT_TRUE(*shared);
 298   delete shared;
 299 }
 300
 301 TEST(ToolsSanityTest, AnnotateBenignRace) {
 302   bool shared = false;
 303   ANNOTATE_BENIGN_RACE(&shared, "Intentional race - make sure doesn't show up");
 304   TOOLS_SANITY_TEST_CONCURRENT_THREAD thread1(&shared), thread2(&shared);
 305   RunInParallel(&thread1, &thread2);
 306   EXPECT_TRUE(shared);
 307 }
 308
 309 TEST(ToolsSanityTest, AtomicsAreIgnored) {
 310   base::subtle::Atomic32 shared = 0;
 311   ReleaseStoreThread thread1(&shared);
 312   AcquireLoadThread thread2(&shared);
 313   RunInParallel(&thread1, &thread2);
 314   EXPECT_EQ(kMagicValue, shared);
 315 }
 316
 317 }  // namespace base