allocator-test/fuzz: stochastic necromancy test
Hold on to a random collection of freed pointers (stored before we free
them) and, after each round, scan the collection for pointers whose tags are
still asserted. That would happen if an object were prematurely released
from quarantine before the revoker got to the copy held here in the collection.
diff --git a/tests/allocator-test.cc b/tests/allocator-test.cc
index bbce8d3..80b78bc 100644
--- a/tests/allocator-test.cc
+++ b/tests/allocator-test.cc
@@ -239,9 +239,14 @@
16, 64, 72, 96, 128, 256, 384, 1024};
static constexpr size_t NAllocSizes = std::size(AllocSizes);
+ static constexpr size_t NCachedFrees = 4 * MaxAllocCount;
+
ds::xoroshiro::P32R16 rand = {};
auto t = Timeout(0); /* don't sleep */
+ std::vector<void *> cachedFrees;
+ cachedFrees.resize(NCachedFrees);
+
auto doAlloc = [&](size_t sz) {
CHERI::Capability p{heap_allocate(&t, MALLOC_CAPABILITY, sz)};
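Review bot: The retained-pointer buffer declared by `std::vector<void *> cachedFrees;` and `cachedFrees.resize(NCachedFrees);` carries no comment saying why a test deliberately keeps pointers it is about to free, and a reader will otherwise take it for a collection of dangling pointers. I would put `// Random sample of freed pointers, kept (tag and all) so the revoker must clear them; scanned after each round for necromancy.` above the declaration and fold the two lines into `std::vector<void *> cachedFrees(NCachedFrees, nullptr);`, which states size and initial contents in one place. The `doAlloc` lambda that begins on the last line of this hunk continues outside it.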
@@ -263,6 +268,8 @@
TEST(CHERI::Capability{p}.is_valid(), "Double free {}", p);
+ cachedFrees[rand.next() % NCachedFrees] = p;
+
free(p);
};
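Review bot: `cachedFrees[rand.next() % NCachedFrees] = p;` assumes the vector still holds `NCachedFrees` elements, but the third hunk later calls `cachedFrees.clear();`, after which any further `doFree()` call would index an empty vector out of bounds with no diagnostic. Either reset the sample with `std::fill(cachedFrees.begin(), cachedFrees.end(), nullptr);` instead of clearing it, or guard the store with `if (!cachedFrees.empty()) cachedFrees[rand.next() % NCachedFrees] = p;`. The added `rand.next()` per free also advances the shared generator, so if the same `rand` presumably drives allocation-size choices, the sequence exercised after this patch differs from the pre-patch run (still deterministic given `rand = {}`, but worth knowing when comparing failures across versions).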
@@ -297,8 +304,15 @@
doFree();
}
}
+
+ for (void *p : cachedFrees)
+ {
+ TEST(!Capability{p}.is_valid(), "Detected necromancy: {}", p);
+ }
}
+ cachedFrees.clear();
+
for (auto allocation : allocations)
{
free(allocation);
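Review bot: `TEST(!Capability{p}.is_valid(), "Detected necromancy: {}", p);` asserts that every sampled pointer has lost its tag by the end of the round, which only holds if the round body (outside this hunk) drains the quarantine and lets the revoker finish before this loop runs; a pointer freed late in the round and presumably still sitting in quarantine would otherwise keep its tag and fail the test with no necromancy having occurred. If the round does guarantee a completed revocation, a comment on the loop should say so, e.g. `// Every sampled pointer was freed at least one full revocation ago, so any surviving tag means a premature release from quarantine.`; if it does not, the scan belongs after the point where the quarantine is confirmed empty. Separately, `Capability{p}` is written unqualified here while the earlier hunks of the same file use `CHERI::Capability{p}`; one spelling is easier to grep. The enclosing test function continues past this hunk.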