From 0f5ae186b3b2e4474064c459ee3e49dc7434feef Mon Sep 17 00:00:00 2001
From: Josh Berdine
Date: Mon, 24 Jun 2019 14:11:49 -0700
Subject: [PATCH] [sledge] Add test for use-after-destroy of a temp
Summary: And fix test Makefile to call the C++ compiler on .cpp files.
Reviewed By: kren1
Differential Revision: D15972426
fbshipit-source-id: 719de755f
---
 sledge/test/Makefile | 2 +-
 sledge/test/exec/tmp_uaf.cpp | 29 +++++++++++++++++++++++++++++
 sledge/test/report.expected | 1 +
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 sledge/test/exec/tmp_uaf.cpp
diff --git a/sledge/test/Makefile b/sledge/test/Makefile
index bc68f15b9..428b3aa3f 100644
--- a/sledge/test/Makefile
+++ b/sledge/test/Makefile
@@ -58,7 +58,7 @@ translate-report:
 # compile c++ to llvm bitcode
 %.bc : %.cpp
- @(cd $(dir $*) && clang -g -c -emit-llvm $(CLANG_ARGS) $(notdir $*).cpp -o $(notdir $*).bc)
+ @(cd $(dir $*) && clang++ -g -c -emit-llvm $(CLANG_ARGS) $(notdir $*).cpp -o $(notdir $*).bc)
 # code to test analyze
 AnalyzeCs:=$(shell find * -not -path 'llvm/*' -name '*.c')
diff --git a/sledge/test/exec/tmp_uaf.cpp b/sledge/test/exec/tmp_uaf.cpp
new file mode 100644
index 000000000..4862dc8ab
--- /dev/null
+++ b/sledge/test/exec/tmp_uaf.cpp
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+#include
+#include
+
+// just a struct
+struct A {
+ int f;
+ ~A() {}
+};
+
+// a function that returns an object, here a unique_ptr
+std::unique_ptr return_object() { return std::unique_ptr(new A()); }
+
+int main() {
+ // the compiler creates a C++ temporary to hold the result
+ // of the function call
+ const A& a_ref = *return_object();
+ // the lifetime of the temporary is only the expression
+ // above, so the pointer inside a_ref has been deleted
+ // by unique_ptr's destructor
+ std::cout << a_ref.f; // a_ref is garbage now; boom.
+ return 0;
+}
diff --git a/sledge/test/report.expected b/sledge/test/report.expected
index 8d848d5b6..d135403cf 100644
--- a/sledge/test/report.expected
+++ b/sledge/test/report.expected
@@ -3,6 +3,7 @@ frontend/cond_alloca.bc: RESULT: Internal error: no applicable harness
 exec/globals.bc: RESULT: Success
 exec/global_vars.bc: RESULT: Success
 exec/recursion.bc: RESULT: Success
+exec/tmp_uaf.bc: RESULT: Success
 exec/wrap_malloc.bc: RESULT: Success
 frontend/destructor_bases.bc: RESULT: Success
 frontend/exceptions.bc: RESULT: Success
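Review bot: The new test in sledge/test/exec/tmp_uaf.cpp never states what the analyzer is expected to report, and the line added to report.expected reads `exec/tmp_uaf.bc: RESULT: Success`, so the patch does not show whether the dangling read of `a_ref.f` in `main` is meant to be flagged or whether "Success" only means the run completed without an internal error. I would add a file-level comment that pins the intent, for example `// expected: the read of a_ref.f below is reported as a use-after-free` (or the opposite wording if detection is not implemented yet; I cannot tell from the visible hunks). The comment above `a_ref` could also note that lifetime extension does not apply here, because the reference binds to the result of `operator*` and not to the temporary `unique_ptr` itself.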