[asan] add a test for array cookie if the operator new is defined inside the class (the cookie should not be poisoned in such case); update the related comment in asan_poisoning.cc

llvm-svn: 218620

compiler-rt/lib/asan/asan_poisoning.cc

@@ -252,7 +252,8 @@ uptr __asan_load_cxx_array_cookie(uptr *p) {
            "expect a double-free report\n");
     return 0;
   }
-  // FIXME: apparently it can be something else; need to find a reproducer.
+  // The cookie may remain unpoisoned if e.g. it comes from a custom
+  // operator new defined inside a class.
   return *p;
 }
 

compiler-rt/test/asan/TestCases/Linux/new_array_cookie_with_new_from_class.cc

@@ -0,0 +1,34 @@
+// Test that we do not poison the array cookie if the operator new is defined
+// inside the class.
+// RUN: %clangxx_asan  %s -o %t && %run %t
+#include <new>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <assert.h>
+struct Foo {
+  void *operator new(size_t s) { return Allocate(s); }
+  void *operator new[] (size_t s) { return Allocate(s); }
+  ~Foo();
+  static void *allocated;
+  static void *Allocate(size_t s) {
+    assert(!allocated);
+    return allocated = ::new char[s];
+  }
+};
+
+Foo::~Foo() {}
+void *Foo::allocated;
+
+Foo *getFoo(size_t n) {
+  return new Foo[n];
+}
+
+int main() {
+  Foo *foo = getFoo(10);
+  fprintf(stderr, "foo  : %p\n", foo);
+  fprintf(stderr, "alloc: %p\n", Foo::allocated);
+  assert(reinterpret_cast<uintptr_t>(foo) ==
+         reinterpret_cast<uintptr_t>(Foo::allocated) + sizeof(void*));
+  *reinterpret_cast<uintptr_t*>(Foo::allocated) = 42;
+}