Summary:
When destructor for a class is not declared, no destructor
is emitted, and members are not poisoned. Test case exhibits this
current bug in use-after-dtor implementation (detailed in
https://github.com/google/sanitizers/issues/596).
Reviewers: eugenis, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D12617
Rename test files.
llvm-svn: 247091
Summary: Verify that all members are poisoned.
Reviewers: eugenis, kcc
Differential Revision: http://reviews.llvm.org/D12023
Test virtual functions and virtual bases poisoning proper size.
Runtime testing of destroying diamond inheritance.
Explicit testing for 0 optimizations.
Simplify test to only test interesting values.
Test poisoning on multiple inheritance with nontrivial and trivial members.
Removed unnecessary header.
Testing (anonymous/)bit fields.
Revised object instantiation in test to avoid undefined behavior.
llvm-svn: 246817
Summary: Fixed test in response to buildbot failures from last night.
Reviewers: eugenis, kcc
Differential Revision: http://reviews.llvm.org/D12018
llvm-svn: 244952
Summary: Fixed test in response to buildbot failures from last night.
Reviewers: eugenis, kcc
Differential Revision: http://reviews.llvm.org/D11992
llvm-svn: 244818
Summary: New implementation for dtor sanitizer callback poisons only class members, and emits poisoning callback before base dtor invoked.
Reviewers: eugenis, kcc
Differential Revision: http://reviews.llvm.org/D11952
Explicit dtor invocation
llvm-svn: 244709
Summary:
A virtual base class and derived class should only poison their
respective members upon destruction. In particular, trivial members should
be poisoned directly, non-trivial members should be poisoned by their
respective destructors, and references to non-trivial members should be
poisoned.
Reviewers: eugenis, kcc
Differential Revision: http://reviews.llvm.org/D11912
Test case avoids casting to access members
Run configurations to reflect expected runtime failure on assertions.
Simplified access to internal members.
Updated internal member structure of base.
Revised assert in main to verify successful poisoning after dtor.
Verify address of pointer is poisoned.
Fixed assert err.
Cleaned up test by removing extraneous prints, asserts.
llvm-svn: 244521
Summary: Simple test case to verify that an instance of a derived class with virtual base is properly poisoned
Reviewers: eugenis, kcc
Subscribers: cfe-commits
Differential Revision: http://reviews.llvm.org/D11733
modified test to be more concise, and check the local pointer to the destroyed object
revised test to not examine padding- only explicit object members
llvm-svn: 243913
Summary: Verify that running in optimized mode while checking for use-after-dtor errors, does not generate tail call invocation of destructor. This avoids possible error where stack frame for the destructor is eliminated, making tracking down the errors more difficult.
Reviewers: eugenis, kcc
Subscribers: cfe-commits
Differential Revision: http://reviews.llvm.org/D11614
simplified test cases
updated line numbering on test
renamed test
llvm-svn: 243675
Summary:
This patch adds basic memory sanitizer support for PPC64. PR23219.
I have further patches ready to enable it in LLVM and Clang, and to fix
most of the many failing tests in check-msan.
Reviewers: kcc, willschm, samsonov, wschmidt, eugenis
Reviewed By: eugenis
Subscribers: wschmidt, llvm-commits
Differential Revision: http://reviews.llvm.org/D10648
llvm-svn: 240623
Summary: This test uses x86 intrinsics, so it can't work on other platforms.
Reviewers: garious, eugenis, samsonov
Reviewed By: samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D10652
llvm-svn: 240449
Fix 2 bugs in memory mapping setup:
- the invalid region at offset 0 was not protected because mmap at
address 0 fails with EPERM on most Linux systems. We did not
notice this because the check condition was flipped: the code was
checking that mprotect has failed. And the test that was supposed
to catch this was weakened by the mitigations in the mmap
interceptor.
- when running without origins, the origin shadow range was left
unprotected.
The new test ensures that mmap w/o MAP_FIXED always returns valid
application addresses.
llvm-svn: 238109
Enabling internal ptrace for mips, which fixes some
ptrace related tests. Along with this fixing some
other failures.
Reviewers: Reviewers: eugenis, kcc, samsonov
Subscribers: dsanders, sagar, lldb-commits
Differential Revision: http://reviews.llvm.org/D7332
llvm-svn: 229656
By attaching an extra integer tag to heap origins, we are able
to distinguish between uninits
- created by heap allocation,
- created by heap deallocation (i.e. use-after-free),
- created by __msan_allocated_memory call,
- etc.
See https://code.google.com/p/memory-sanitizer/issues/detail?id=35.
llvm-svn: 226821
Fixes 2 issues in origins arising from realloc() calls:
* In the in-place grow case origin for the new memory is not set at all.
* In the copy-realloc case __msan_memcpy is used, which unwinds stack from
inside the MSan runtime. This does not generally work (as we may be built
w/o frame pointers), and produces "bad" stack trace anyway, with several
uninteresting (internal) frames on top.
This change also makes realloc() honor "zeroise" and "poison_in_malloc" flags.
See https://code.google.com/p/memory-sanitizer/issues/detail?id=73.
llvm-svn: 226674
Previously we always stored 4 bytes of origin at the destination address
even for 8-byte (and longer) stores.
This should fix rare missing, or incorrect, origin stacks in MSan reports.
llvm-svn: 226658
MSan does not assign origin for instrumentation temps (i.e. the ones that do
not come from the application code), but "select" instrumentation erroneously
tried to use one of those.
https://code.google.com/p/memory-sanitizer/issues/detail?id=78
llvm-svn: 222918
MSanDR is a dynamic instrumentation tool that can instrument the code
(prebuilt libraries and such) that could not be instrumented at compile time.
This code is unused (to the best of our knowledge) and unmaintained, and
starting to bit-rot.
llvm-svn: 222232
ParamTLS (shadow for function arguments) is of limited size. This change
makes all arguments that do not fit unpoisoned, and avoids writing
past the end of a TLS buffer.
llvm-svn: 220351
This change replaces an in-test timeout with an unconditional blocking wait.
It speeds up normal execution significantly at the cost of hanging up indefinitely
in case of a failure. This is a very specific regression test and we don't
expect any failures in the future.
Another approach ould be increasing the timeout to ~8 seconds, which seems too
much for a lit test.
llvm-svn: 217870
We are interested in verifying that -gline-tables-only provides enough
debug information for verbose error reports and symbolized stack traces.
llvm-svn: 217284
Chained origins make plain memory stores async-signal-unsafe.
We already disable it inside signal handlers.
This change grabs all origin-related locks before fork() and releases
them after fork() to avoid a deadlock in the child process.
llvm-svn: 217140
This was done by calling __cxa_demangle directly, which is bad
when c++abi library is instrumented. The following line always
contains the demangled name (when running with a symbolizer) anyway.
llvm-svn: 212929
Introduce new public header <sanitizer/allocator_interface.h> and a set
of functions __sanitizer_get_ownership(), __sanitizer_malloc_hook() etc.
that will eventually replace their tool-specific equivalents
(__asan_get_ownership(), __msan_get_ownership() etc.). Tool-specific
functions are now deprecated and implemented as stubs redirecting
to __sanitizer_ versions (which are implemented differently in each tool).
Replace all uses of __xsan_ versions with __sanitizer_ versions in unit
and lit tests.
llvm-svn: 212469
With this change all values passed through blacklisted functions
become fully initialized. Previous behavior was to initialize all
loads in blacklisted functions, but apply normal shadow propagation
logic for all other operation.
This makes blacklist applicable in a wider range of situations.
It also makes code for blacklisted functions a lot shorter, which
works as yet another workaround for PR17409.
llvm-svn: 212268
With this change all values passed through blacklisted functions
become fully initialized. Previous behavior was to initialize all
loads in blacklisted functions, but apply normal shadow propagation
logic for all other operation.
This makes blacklist applicable in a wider range of situations.
It also makes code for blacklisted functions a lot shorter, which
works as yet another workaround for PR17409.
llvm-svn: 212265
Origin history should only be recorded for uninitialized values, because it is
meaningless otherwise. This change moves __msan_chain_origin to the runtime
library side and makes it conditional on the corresponding shadow value.
Previous code was correct, but _very_ inefficient.
llvm-svn: 211700
Multiplication by an integer with a number of trailing zero bits leaves
the same number of lower bits of the result initialized to zero.
This change makes MSan take this into account in the case of multiplication by
a compile-time constant.
We don't handle the general, non-constant, case because
(a) it's not going to be cheap (computation-wise);
(b) multiplication by a partially uninitialized value in user code is
a bad idea anyway.
Constant case must be handled because it appears from LLVM optimization of a
completely valid user code, as the test case in compiler-rt demonstrates.
llvm-svn: 211092
Instructions from __nodebug__ functions don't have file:line
information even when inlined into no-nodebug functions. As a result,
intrinsics (SSE and other) from <*intrin.h> clang headers _never_
have file:line information.
With this change, an instruction without !dbg metadata gets one from
the call instruction when inlined.
Fixes PR19001.
llvm-svn: 210459
Generalize StackDepot and create a new specialized instance of it to
efficiently (i.e. without duplicating stack trace data) store the
origin history tree.
This reduces memory usage for chained origins roughly by an order of
magnitude.
Most importantly, this new design allows us to put two limits on
stored history data (exposed in MSAN_OPTIONS) that help avoid
exponential growth in used memory on certain workloads.
See comments in lib/msan/msan_origin.h for more details.
llvm-svn: 209284
Move fflush and fclose interceptors to sanitizer_common.
Use a metadata map to keep information about the external locations
that must be updated when the file is written to.
llvm-svn: 208676
If printf is intercepted (it is not atm), REAL(printf) call in the interceptor
would get redirected back to my_lgamma, resulting in infinite recursion.
llvm-svn: 208294
Using __msan_unpoison() on null-terminated strings is awkward because
strlen() can't be called on a poisoned string. This case warrants a special
interface function.
llvm-svn: 204448
Compiler-rt part of MSan implementation of advanced origin tracking,
when we record not only creation point, but all locations where
an uninitialized value was stored to memory, too.
llvm-svn: 204152
Naomi Musgrave