Complex scenario, but when an access is both a use-after-free and an in-page buffer underflow (i.e. it doesn't touch the guard page), the report ended up pretty bad: 'Use After Free at 0x7ff392e88fef (18446744073709551615 bytes into a 1-byte allocation at 0x7ff392e88ff0) by thread 3836722 here:' (note the 2^64 - 1 bytes into a 1-byte allocation: the faulting address is one byte *below* the allocation start, so the unsigned offset wrapped — very cool and good!) Fix up that case, and add a diagnostic about when you have both a use-after-free and a buffer-overflow that it's probably a bogus report (assuming the developer didn't *really* screw up and have a uaf+overflow bug at the same time). Reviewed By: vitalybuka Differential Revision: https://reviews.llvm.org/D139885
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_gwp_asan %s -o %t -DTOUCH_GUARD_PAGE
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use After Free
// CHECK-SAME: warning: buffer overflow/underflow detected on a free()'d allocation
// CHECK-SAME: at 0x{{[a-f0-9]+}} ({{[0-9]+}} byte{{s?}} to the right
#include <cstdlib>
#include "page_size.h"
int main() {
  // Size of the chunk that is freed and then touched below. A single byte
  // keeps the out-of-bounds read inside the allocation's own page; a full page
  // (the -DTOUCH_GUARD_PAGE configuration) pushes the read onto the guard page.
  unsigned AllocSize = 1;
#ifdef TOUCH_GUARD_PAGE
  AllocSize = pageSize();
#endif // TOUCH_GUARD_PAGE

  // Intentional bug under test: read one byte past the end of a chunk that
  // has already been freed. GWP-ASan is expected to report it as a
  // use-after-free and additionally warn that the access lies to the right of
  // the freed allocation (see the CHECK lines at the top of the file).
  char *Chunk = static_cast<char *>(malloc(AllocSize));
  free(Chunk);
  char *OnePastEnd = Chunk + AllocSize;
  // volatile keeps the compiler from eliding the load; the load's only purpose
  // is to fault.
  volatile char Sink = *OnePastEnd;
  (void)Sink;
  return 0;
}