// Copyright 2014 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #if defined(OS_WIN) #include <windows.h> #endif #include "base/debug/alias.h" #include "base/debug/asan_invalid_access.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" namespace base { namespace debug { namespace { #if defined(SYZYASAN) && defined(COMPILER_MSVC) // Disable warning C4530: "C++ exception handler used, but unwind semantics are // not enabled". We don't want to change the compilation flags just for this // test, and no exception should be triggered here, so this warning has no value // here. #pragma warning(push) #pragma warning(disable: 4530) // Corrupt a memory block and make sure that the corruption gets detected either // when we free it or when another crash happens (if |induce_crash| is set to // true). NOINLINE void CorruptMemoryBlock(bool induce_crash) { // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to // trigger an Address Sanitizer (ASAN) error report. static const int kArraySize = 5; int* array = new int[kArraySize]; // Encapsulate the invalid memory access into a try-catch statement to prevent // this function from being instrumented. This way the underflow won't be // detected but the corruption will (as the allocator will still be hooked). try { // Declares the dummy value as volatile to make sure it doesn't get // optimized away. int volatile dummy = array[-1]--; base::debug::Alias(const_cast<int*>(&dummy)); } catch (...) { } if (induce_crash) CHECK(false); delete[] array; } #pragma warning(pop) #endif // SYZYASAN && COMPILER_MSVC } // namespace #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) // NOTE(sebmarchand): We intentionally perform some invalid heap access here in // order to trigger an AddressSanitizer (ASan) error report. static const size_t kArraySize = 5; void AsanHeapOverflow() { scoped_ptr<int[]> array(new int[kArraySize]); // Declares the dummy value as volatile to make sure it doesn't get optimized // away. int volatile dummy = 0; dummy = array[kArraySize]; base::debug::Alias(const_cast<int*>(&dummy)); } void AsanHeapUnderflow() { scoped_ptr<int[]> array(new int[kArraySize]); // Declares the dummy value as volatile to make sure it doesn't get optimized // away. int volatile dummy = 0; // We need to store the underflow address in a temporary variable as trying to // access array[-1] will trigger a warning C4245: "conversion from 'int' to // 'size_t', signed/unsigned mismatch". int* underflow_address = &array[0] - 1; dummy = *underflow_address; base::debug::Alias(const_cast<int*>(&dummy)); } void AsanHeapUseAfterFree() { scoped_ptr<int[]> array(new int[kArraySize]); // Declares the dummy value as volatile to make sure it doesn't get optimized // away. int volatile dummy = 0; int* dangling = array.get(); array.reset(); dummy = dangling[kArraySize / 2]; base::debug::Alias(const_cast<int*>(&dummy)); } #endif // ADDRESS_SANITIZER || SYZYASAN #if defined(SYZYASAN) && defined(COMPILER_MSVC) void AsanCorruptHeapBlock() { CorruptMemoryBlock(false); } void AsanCorruptHeap() { CorruptMemoryBlock(true); } #endif // SYZYASAN && COMPILER_MSVC } // namespace debug } // namespace base