From 7f209a979c55a58e91946a2efd5f0b339ffe309c Mon Sep 17 00:00:00 2001 From: Iris Chang Date: Wed, 16 Jan 2019 11:17:15 +0800 Subject: Bionic malloc debug: add a new option "abort_on_error" This new option causes an abort after malloc debug detects an error. This allows vendors to get process coredumps to analyze memory for corruption. Bug: 123009873 Test: New test cases added for unit tests and config tests. Change-Id: I6b480af7f747d6a82f61e8bf3df204a5f7ba017f --- .../malloc_debug/tests/malloc_debug_unit_tests.cpp | 56 ++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'libc/malloc_debug/tests/malloc_debug_unit_tests.cpp') diff --git a/libc/malloc_debug/tests/malloc_debug_unit_tests.cpp b/libc/malloc_debug/tests/malloc_debug_unit_tests.cpp index 2d6346fea..44f9795bc 100644 --- a/libc/malloc_debug/tests/malloc_debug_unit_tests.cpp +++ b/libc/malloc_debug/tests/malloc_debug_unit_tests.cpp @@ -2380,3 +2380,59 @@ TEST_F(MallocDebugTest, verify_pointers) { expected_log += DIVIDER; ASSERT_STREQ(expected_log.c_str(), getFakeLogPrint().c_str()); } + +TEST_F(MallocDebugTest, abort_on_error_log_error) { + Init("abort_on_error verify_pointers"); + + void* pointer = debug_malloc(10); + memset(pointer, 0, 10); + debug_free(pointer); + + ASSERT_STREQ("", getFakeLogBuf().c_str()); + ASSERT_STREQ("", getFakeLogPrint().c_str()); + + EXPECT_DEATH(debug_free(pointer), ""); +} + +TEST_F(MallocDebugTest, abort_on_error_guard_corrupted) { + Init("abort_on_error front_guard=32"); + + uint8_t* pointer = reinterpret_cast(debug_malloc(100)); + ASSERT_TRUE(pointer != nullptr); + pointer[-16] = 0x00; + EXPECT_DEATH(debug_free(pointer), ""); + pointer[-16] = 0xaa; + debug_free(pointer); +} + +TEST_F(MallocDebugTest, abort_on_error_use_after_free) { + Init("abort_on_error free_track=100 free_track_backtrace_num_frames=0"); + + uint8_t* pointer = reinterpret_cast(debug_malloc(100)); + ASSERT_TRUE(pointer != nullptr); + memset(pointer, 0, 100); + debug_free(pointer); + + pointer[56] = 0x91; + + EXPECT_DEATH(debug_finalize(), ""); + + pointer[56] = 0xef; +} + +TEST_F(MallocDebugTest, abort_on_error_header_tag_corrupted) { + Init("abort_on_error free_track=100 free_track_backtrace_num_frames=0 rear_guard"); + + uint8_t* pointer = reinterpret_cast(debug_malloc(100)); + ASSERT_TRUE(pointer != nullptr); + memset(pointer, 0, 100); + debug_free(pointer); + + uint8_t tag_value = pointer[-get_tag_offset()]; + pointer[-get_tag_offset()] = 0x00; + + EXPECT_DEATH(debug_finalize(), ""); + + pointer[-get_tag_offset()] = tag_value; +} + -- cgit v1.2.3