File: MsanParamUnpoison.cpp

package info (click to toggle)
llvm-toolchain-17 1%3A17.0.6-22
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,799,624 kB
  • sloc: cpp: 6,428,607; ansic: 1,383,196; asm: 793,408; python: 223,504; objc: 75,364; f90: 60,502; lisp: 33,869; pascal: 15,282; sh: 9,684; perl: 7,453; ml: 4,937; awk: 3,523; makefile: 2,889; javascript: 2,149; xml: 888; fortran: 619; cs: 573
file content (28 lines) | stat: -rw-r--r-- 1,055 bytes parent folder | download | duplicates (26) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
 
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

// Triggers the bug described here:
// https://github.com/google/oss-fuzz/issues/2369#issuecomment-490240627
//
// In a nutshell, MSan's parameter shadow does not get unpoisoned before calls
// to LLVMFuzzerTestOneInput.  This test case causes the parameter shadow to be
// poisoned by the call to foo(), which will trigger an MSan false positive on
// the Size == 0 check if the parameter shadow is still poisoned.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

volatile int zero = 0;
__attribute__((noinline)) int foo(int arg1, int arg2) { return zero; }

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size == 0)
    return 0;

  // Pass uninitialized values to foo().  Since foo doesn't do anything with
  // them, MSan should not report an error here.
  int a, b;
  return foo(a, b);
}