From 82444c222a4eea225d986d757a008ad9718fb21e Mon Sep 17 00:00:00 2001 From: Thurston Dang Date: Thu, 28 Aug 2025 22:14:33 +0000 Subject: [PATCH 1/3] [asan] Add test for deferencing zero-sized malloc/calloc ASan fails to catch this, because 0-byte allocations are converted into 1-byte allocations. Bug originally reported by dvyukov --- .../test/asan/TestCases/zero_alloc.cpp | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 compiler-rt/test/asan/TestCases/zero_alloc.cpp diff --git a/compiler-rt/test/asan/TestCases/zero_alloc.cpp b/compiler-rt/test/asan/TestCases/zero_alloc.cpp new file mode 100644 index 0000000000000..3decd5acb7bae --- /dev/null +++ b/compiler-rt/test/asan/TestCases/zero_alloc.cpp @@ -0,0 +1,37 @@ +// RUN: %clang_asan -Wno-alloc-size -fsanitize-recover=address %s -o %t && %env_asan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s + +// XFAIL: * + +#include +#include + +int main(int argc, char **argv) { + { + char* p1 = (char*)calloc(1, 0); + printf ("p1 is %p\n", p1); + printf ("Content of p1 is: %d\n", *p1); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p1); + } + + { + char* p2 = (char*)calloc(0, 1); + printf ("p2 is %p\n", p2); + printf ("Content of p2 is: %d\n", *p2); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p2); + } + + { + char* p3 = (char*)malloc(0); + printf ("p3 is %p\n", p3); + printf ("Content of p2 is: %d\n", *p3); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p3); + } + + return 0; +} From b4f3a7ec73dfa0cd1336379fe37de4f4b74f47da Mon Sep 17 00:00:00 2001 From: Thurston Dang Date: Thu, 28 Aug 2025 22:22:47 +0000 Subject: [PATCH 2/3] clang-format --- .../test/asan/TestCases/zero_alloc.cpp | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/compiler-rt/test/asan/TestCases/zero_alloc.cpp b/compiler-rt/test/asan/TestCases/zero_alloc.cpp index 3decd5acb7bae..832b35395bc93 100644 --- a/compiler-rt/test/asan/TestCases/zero_alloc.cpp +++ b/compiler-rt/test/asan/TestCases/zero_alloc.cpp @@ -7,30 +7,30 @@ int main(int argc, char **argv) { { - char* p1 = (char*)calloc(1, 0); - printf ("p1 is %p\n", p1); - printf ("Content of p1 is: %d\n", *p1); - // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow - // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] - free(p1); + char *p1 = (char *)calloc(1, 0); + printf("p1 is %p\n", p1); + printf("Content of p1 is: %d\n", *p1); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p1); } { - char* p2 = (char*)calloc(0, 1); - printf ("p2 is %p\n", p2); - printf ("Content of p2 is: %d\n", *p2); - // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow - // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] - free(p2); + char *p2 = (char *)calloc(0, 1); + printf("p2 is %p\n", p2); + printf("Content of p2 is: %d\n", *p2); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p2); } { - char* p3 = (char*)malloc(0); - printf ("p3 is %p\n", p3); - printf ("Content of p2 is: %d\n", *p3); - // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow - // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] - free(p3); + char *p3 = (char *)malloc(0); + printf("p3 is %p\n", p3); + printf("Content of p2 is: %d\n", *p3); + // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow + // CHECK: {{#0 0x.* in main .*zero_alloc.cpp:}}[[@LINE-2]] + free(p3); } return 0; From 58ae9a9190289704b84ec916342c16df261cda67 Mon Sep 17 00:00:00 2001 From: Thurston Dang Date: Thu, 28 Aug 2025 22:24:32 +0000 Subject: [PATCH 3/3] Add note on bad compilers --- compiler-rt/test/asan/TestCases/zero_alloc.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compiler-rt/test/asan/TestCases/zero_alloc.cpp b/compiler-rt/test/asan/TestCases/zero_alloc.cpp index 832b35395bc93..d25164a1e2eb9 100644 --- a/compiler-rt/test/asan/TestCases/zero_alloc.cpp +++ b/compiler-rt/test/asan/TestCases/zero_alloc.cpp @@ -1,5 +1,7 @@ // RUN: %clang_asan -Wno-alloc-size -fsanitize-recover=address %s -o %t && %env_asan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s +// ASan doesn't catch this because internally it translates 0-byte allocations +// into 1-byte // XFAIL: * #include