Index: lib/hwasan/hwasan_allocator.cc =================================================================== --- lib/hwasan/hwasan_allocator.cc +++ lib/hwasan/hwasan_allocator.cc @@ -176,10 +176,16 @@ size - orig_size); void *user_ptr = allocated; - if (flags()->tag_in_malloc && - atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) - user_ptr = (void *)TagMemoryAligned( - (uptr)user_ptr, size, t ? t->GenerateRandomTag() : kFallbackAllocTag); + // Tagging can only be skipped when both tag_in_malloc and tag_in_free are + // false. When tag_in_malloc = false and tag_in_free = true malloc needs to + // retag to 0. + if ((flags()->tag_in_malloc || flags()->tag_in_free) && + atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) { + tag_t tag = flags()->tag_in_malloc + ? (t ? t->GenerateRandomTag() : kFallbackAllocTag) + : 0; + user_ptr = (void *)TagMemoryAligned((uptr)user_ptr, size, tag); + } if ((orig_size % kShadowAlignment) && (alignment <= kShadowAlignment) && right_align_mode) { Index: test/hwasan/TestCases/tag_in_free.c =================================================================== --- test/hwasan/TestCases/tag_in_free.c +++ test/hwasan/TestCases/tag_in_free.c @@ -0,0 +1,51 @@ +// RUN: %clang_hwasan -O0 %s -DMALLOC -DFREE -o %t.mf +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=1 not %run %t.mf 2>&1 | FileCheck %s --check-prefixes=FREE +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=1 not %run %t.mf 2>&1 | FileCheck %s --check-prefixes=MALLOC +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=0 not %run %t.mf 2>&1 | FileCheck %s --check-prefixes=MALLOC +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=0 %run %t.mf 2>&1 + +// RUN: %clang_hwasan -O0 %s -DFREE -o %t.f +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=1 not %run %t.f 2>&1 | FileCheck %s --check-prefixes=FREE +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=1 not %run %t.f 2>&1 | FileCheck %s --check-prefixes=FREE +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=0 %run %t.f 2>&1 +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=0 %run %t.f 2>&1 + +// RUN: %clang_hwasan -O0 %s -DMALLOC -o %t.m +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=1 %run %t.m 2>&1 +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=1 not %run %t.m 2>&1 | FileCheck %s --check-prefixes=MALLOC +// RUN: %env_hwasan_opts=tag_in_malloc=1,tag_in_free=0 not %run %t.m 2>&1 | FileCheck %s --check-prefixes=MALLOC +// RUN: %env_hwasan_opts=tag_in_malloc=0,tag_in_free=0 %run %t.m 2>&1 + +#include +#include +#include + +int main() { + __hwasan_enable_allocator_tagging(); + // Loop for a while to make sure that the memory for the test below is reused after an earlier free(), + // and is potentially tagged (when tag_in_free == 1). + for (int i = 0; i < 100; ++i) { + char * volatile p = (char*)malloc(10); + free(p); + } + + char * volatile p = (char*)malloc(10); +#ifdef MALLOC + // MALLOC: READ of size 1 at + // MALLOC: is located 6 bytes to the right of 10-byte region + // MALLOC: allocated here: + char volatile x = p[16]; +#endif + free(p); +#ifdef FREE + // FREE: READ of size 1 at + // FREE: is located 0 bytes inside of 10-byte region + // FREE: freed by thread T0 here: + // FREE: previously allocated here: + char volatile y = p[0]; +#endif + + __hwasan_disable_allocator_tagging(); + + return 0; +}