Merge "fortify: import tests from Chrome OS"
diff --git a/tests/Android.bp b/tests/Android.bp
index e0faa5f..a55d08b 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -281,6 +281,16 @@
 // -----------------------------------------------------------------------------
 
 cc_defaults {
+    name: "bionic_clang_fortify_tests_w_flags",
+    cflags: [
+        "-Wno-builtin-memcpy-chk-size",
+        "-Wno-format-zero-length",
+        "-Wno-memset-transposed-args",
+        "-Wno-strncat-size",
+    ],
+}
+
+cc_defaults {
     name: "bionic_fortify_tests_defaults",
     cflags: [
         "-U_FORTIFY_SOURCE",
@@ -299,6 +309,9 @@
 // unused.
 cc_test_library {
     name: "fortify_disabled_for_asan",
+    defaults: [
+        "bionic_clang_fortify_tests_w_flags",
+    ],
     cflags: [
         "-Werror",
         "-D_FORTIFY_SOURCE=2",
@@ -306,11 +319,10 @@
         // enabled. Since the intent is just to build this, we can get away with
         // passing this flag on its own.
         "-fsanitize=address",
-        "-Wno-memset-transposed-args",
     ],
     // Ignore that we don't have ASAN symbols linked in.
     allow_undefined_symbols: true,
-    srcs: ["fortify_filecheck_diagnostics_test.cpp"],
+    srcs: ["clang_fortify_tests.cpp"],
 }
 
 // Ensure we don't use FORTIFY'ed functions with the static analyzer/clang-tidy:
@@ -319,13 +331,15 @@
 // enabled. The library that results from building this is meant to be unused.
 cc_test_library {
     name: "fortify_disabled_for_tidy",
+    defaults: [
+        "bionic_clang_fortify_tests_w_flags",
+    ],
     cflags: [
         "-Werror",
         "-D_FORTIFY_SOURCE=2",
         "-D__clang_analyzer__",
-        "-Wno-memset-transposed-args",
     ],
-    srcs: ["fortify_filecheck_diagnostics_test.cpp"],
+    srcs: ["clang_fortify_tests.cpp"],
 }
 
 cc_test_library {
@@ -358,6 +372,53 @@
     },
 }
 
+cc_defaults {
+    name: "bionic_new_fortify_tests_defaults",
+    defaults: [
+        "bionic_clang_fortify_tests_w_flags",
+    ],
+    cflags: [
+        "-U_FORTIFY_SOURCE",
+    ],
+    srcs: ["clang_fortify_tests.cpp"],
+    target: {
+        host: {
+            clang_cflags: ["-D__clang__"],
+        },
+    },
+}
+
+cc_test_library {
+    name: "libfortify1-new-tests-clang",
+    defaults: [
+        "bionic_new_fortify_tests_defaults",
+        "bionic_tests_defaults",
+    ],
+    cflags: [
+        "-D_FORTIFY_SOURCE=1",
+        "-DTEST_NAME=Fortify1_clang_new",
+    ],
+    shared: {
+        enabled: false,
+    },
+}
+
+cc_test_library {
+    name: "libfortify2-new-tests-clang",
+    defaults: [
+        "bionic_new_fortify_tests_defaults",
+        "bionic_tests_defaults",
+    ],
+    cflags: [
+        "-D_FORTIFY_SOURCE=2",
+        "-DTEST_NAME=Fortify2_clang_new",
+    ],
+    shared: {
+        enabled: false,
+    },
+}
+
+
 // -----------------------------------------------------------------------------
 // Library of all tests (excluding the dynamic linker tests).
 // -----------------------------------------------------------------------------
@@ -368,7 +429,9 @@
         "libBionicStandardTests",
         "libBionicElfTlsTests",
         "libfortify1-tests-clang",
+        "libfortify1-new-tests-clang",
         "libfortify2-tests-clang",
+        "libfortify2-new-tests-clang",
     ],
     shared: {
         enabled: false,
diff --git a/tests/Android.mk b/tests/Android.mk
index 848d291..b5571e3 100644
--- a/tests/Android.mk
+++ b/tests/Android.mk
@@ -59,23 +59,11 @@
 # Compile time tests.
 # -----------------------------------------------------------------------------
 
-# Some of these are intentionally using = instead of := since we need access to
-# some variables not initialtized until we're in the build system.
+FORTIFY_LEVEL := 1
+include $(LOCAL_PATH)/make_fortify_compile_test.mk
 
-include $(CLEAR_VARS)
-LOCAL_ADDITIONAL_DEPENDENCIES := \
-    $(LOCAL_PATH)/Android.mk \
-    $(LOCAL_PATH)/touch-obj-on-success
-
-LOCAL_CXX := $(LOCAL_PATH)/touch-obj-on-success \
-    $(LLVM_PREBUILTS_PATH)/clang++ \
-
-LOCAL_CLANG := true
-LOCAL_MODULE := bionic-compile-time-tests-clang++
-LOCAL_CPPFLAGS := -Wall -Wno-error
-LOCAL_CPPFLAGS += -fno-color-diagnostics -ferror-limit=10000 -Xclang -verify
-LOCAL_SRC_FILES := fortify_filecheck_diagnostics_test.cpp
-include $(BUILD_STATIC_LIBRARY)
+FORTIFY_LEVEL := 2
+include $(LOCAL_PATH)/make_fortify_compile_test.mk
 
 endif # linux-x86
 
diff --git a/tests/clang_fortify_tests.cpp b/tests/clang_fortify_tests.cpp
new file mode 100644
index 0000000..948faf3
--- /dev/null
+++ b/tests/clang_fortify_tests.cpp
@@ -0,0 +1,611 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __clang__
+#error "Non-clang isn't supported"
+#endif
+
+// Clang compile-time and run-time tests for Bionic's FORTIFY.
+//
+// This file is compiled in two configurations ways to give us a sane set of tests for clang's
+// FORTIFY implementation.
+//
+// One configuration uses clang's diagnostic consumer
+// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
+// to check diagnostics (e.g. the expected-* comments everywhere).
+//
+// Please note that this test does things like leaking memory. That's WAI.
+
+// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
+// for this test case, and their line numbers may change over time.
+// expected-note@* 0+{{from 'diagnose_if'}}
+//
+// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
+// expected-note@* 0+{{candidate function}}
+
+#ifndef _FORTIFY_SOURCE
+#error "_FORTIFY_SOURCE must be defined"
+#endif
+
+#include <sys/cdefs.h>
+
+// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
+#ifndef __BIONIC__
+// expected-no-diagnostics
+#else
+
+// As alluded to above, we're going to be doing some obviously very broken things in this file.
+// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
+// let's wipe out any build-time errors.
+#ifndef COMPILATION_TESTS
+#undef __clang_error_if
+#define __clang_error_if(...)
+#undef __clang_warning_if
+#define __clang_warning_if(...)
+#endif
+
+#include <err.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <poll.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <wchar.h>
+
+#ifndef COMPILATION_TESTS
+#include <gtest/gtest.h>
+#include "BionicDeathTest.h"
+
+#define CONCAT2(x, y) x##y
+#define CONCAT(x, y) CONCAT2(x, y)
+#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE)
+
+namespace {
+struct FORTIFY_TEST_NAME : BionicDeathTest {
+ protected:
+  void SetUp() override {
+    stdin_saved = dup(STDIN_FILENO);
+    if (stdin_saved < 0) err(1, "failed to dup stdin");
+
+    int devnull = open("/dev/null", O_RDONLY);
+    if (devnull < 0) err(1, "failed to open /dev/null");
+
+    if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin");
+    static_cast<void>(close(devnull));
+
+    BionicDeathTest::SetUp();
+  }
+
+  void TearDown() override {
+    if (stdin_saved == -1) return;
+    if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin");
+
+    static_cast<void>(close(stdin_saved));
+
+    BionicDeathTest::TearDown();
+  }
+
+ private:
+  int stdin_saved = -1;
+};
+}  // namespace
+
+template <typename Fn>
+__attribute__((noreturn)) static void ExitAfter(Fn&& f) {
+  f();
+  // No need to tear things down; our parent process should handle that.
+  _exit(0);
+}
+
+// In any case (including failing tests), we always want to die after this.
+#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
+
+// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
+// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
+// the *_STRUCT variants below.)
+#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
+#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
+// Expecting death, but only if we're doing a "strict" struct-checking mode.
+#if _FORTIFY_SOURCE > 1
+#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
+#else
+#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
+#endif
+
+#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name)
+
+#else  // defined(COMPILATION_TESTS)
+
+#define EXPECT_NO_DEATH(expr) expr
+#define EXPECT_FORTIFY_DEATH(expr) expr
+#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
+#define FORTIFY_TEST(test_name) void test_name()
+#endif
+
+const static int kBogusFD = -1;
+
+FORTIFY_TEST(string) {
+  char small_buffer[8] = {};
+
+  {
+    char large_buffer[sizeof(small_buffer) + 1] = {};
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
+    // FIXME: this should be EXPECT_FORTIFY_DEATH
+#if 0
+    // expected-error@+1{{called with bigger length than the destination}}
+#endif
+    EXPECT_NO_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
+    // expected-warning@+1{{arguments got flipped?}}
+    EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
+    // FIXME: Should these be warnings?
+    // expected-warning@+1{{will always overflow}}
+    EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
+    // expected-warning@+1{{will always overflow}}
+    EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
+  }
+
+  {
+    const char large_string[] = "Hello!!!";
+    static_assert(sizeof(large_string) > sizeof(small_buffer), "");
+
+    // expected-error@+1{{string bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
+    // expected-error@+1{{string bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
+#if 0
+    // expected-error@+1{{called with bigger length than the destination}}
+#endif
+    EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
+#if 0
+    // expected-error@+1{{called with bigger length than the destination}}
+#endif
+    EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
+#if 0
+    // expected-error@+1{{destination buffer will always be overflown}}
+#endif
+    EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
+#if 0
+    // expected-error@+1{{destination buffer will always be overflown}}
+#endif
+    EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
+  }
+
+  {
+    struct {
+      char tiny_buffer[4];
+      char tiny_buffer2[4];
+    } split = {};
+
+    EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
+    EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
+    EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
+    EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
+    EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
+
+    EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
+    EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
+
+    const char small_string[] = "Hi!!";
+    static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
+
+#if _FORTIFY_SOURCE > 1
+    // expected-error@+2{{string bigger than buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
+
+#if _FORTIFY_SOURCE > 1
+    // expected-error@+2{{string bigger than buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
+
+#if _FORTIFY_SOURCE > 1
+#if 0
+    // expected-error@+2{{called with bigger length than the destination}}
+#endif
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
+
+#if _FORTIFY_SOURCE > 1
+#if 0
+    // expected-error@+2{{called with bigger length than the destination}}
+#endif
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
+
+#if _FORTIFY_SOURCE > 1
+#if 0
+    // expected-error@+2{{destination buffer will always be overflown}}
+#endif
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
+
+#if _FORTIFY_SOURCE > 1
+#if 0
+    // expected-error@+2{{destination buffer will always be overflown}}
+#endif
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
+  }
+}
+
+// Since these emit hard errors, it's sort of hard to run them...
+#ifdef COMPILATION_TESTS
+namespace compilation_tests {
+template <typename T>
+static T declval() {
+  __builtin_unreachable();
+}
+
+static void testFcntl() {
+  // expected-error@+1{{too many arguments}}
+  open("/", 0, 0, 0);
+#if 0
+  // expected-error@+1{{either with 2 or 3 arguments, not more}}
+#endif
+  open64("/", 0, 0, 0);
+  // expected-error@+1{{too many arguments}}
+  openat(0, "/", 0, 0, 0);
+#if 0
+  // expected-error@+1{{either with 3 or 4 arguments, not more}}
+#endif
+  openat64(0, "/", 0, 0, 0);
+
+  // expected-error@+1{{missing mode}}
+  open("/", O_CREAT);
+  // expected-error@+1{{missing mode}}
+  open("/", O_TMPFILE);
+#if 0
+  // expected-error@+1{{needs 3 arguments}}
+#endif
+  open64("/", O_CREAT);
+#if 0
+  // expected-error@+1{{needs 3 arguments}}
+#endif
+  open64("/", O_TMPFILE);
+  // expected-error@+1{{missing mode}}
+  openat(0, "/", O_CREAT);
+  // expected-error@+1{{missing mode}}
+  openat(0, "/", O_TMPFILE);
+#if 0
+  // expected-error@+1{{needs 4 arguments}}
+#endif
+  openat64(0, "/", O_CREAT);
+#if 0
+  // expected-error@+1{{needs 4 arguments}}
+#endif
+  openat64(0, "/", O_TMPFILE);
+
+  // Superfluous modes are sometimes bugs, but not often enough to complain
+  // about, apparently.
+}
+
+static void testFormatStrings() {
+  const auto unsigned_value = declval<unsigned long long>();
+  const auto* unknown_string = declval<const char*>();
+  const auto va = declval<va_list>();
+
+  {
+    auto some_fd = declval<int>();
+    // expected-warning@+1{{format specifies type 'int'}}
+    dprintf(some_fd, "%d", unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    dprintf(some_fd, unknown_string, unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    vdprintf(1, unknown_string, va);
+  }
+
+  {
+    auto* retval = declval<char*>();
+#if 0
+    // expected-error@+2{{ignoring return value}}
+#endif
+    // expected-warning@+1{{format specifies type 'int'}}
+    asprintf(&retval, "%d", unsigned_value);
+#if 0
+    // expected-error@+2{{ignoring return value}}
+#endif
+    // expected-warning@+1{{format string is not a string literal}}
+    asprintf(&retval, unknown_string, unsigned_value);
+#if 0
+    // expected-error@+2{{ignoring return value}}
+#endif
+    // expected-warning@+1{{format string is not a string literal}}
+    vasprintf(&retval, unknown_string, va);
+  }
+
+  // expected-warning@+1{{format specifies type 'int'}}
+  syslog(0, "%d", unsigned_value);
+  // expected-warning@+1{{format string is not a string literal}}
+  syslog(0, unknown_string, unsigned_value);
+  // expected-warning@+1{{format string is not a string literal}}
+  vsyslog(0, unknown_string, va);
+
+  {
+    auto* file = declval<FILE*>();
+    // expected-warning@+1{{format specifies type 'int'}}
+    fprintf(file, "%d", unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    fprintf(file, unknown_string, unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    vfprintf(file, unknown_string, va);
+  }
+
+  // expected-warning@+1{{format specifies type 'int'}}
+  printf("%d", unsigned_value);
+  // expected-warning@+1{{format string is not a string literal}}
+  printf(unknown_string, unsigned_value);
+  // expected-warning@+1{{format string is not a string literal}}
+  vprintf(unknown_string, va);
+
+  {
+    char buf[128];
+    // expected-warning@+1{{format specifies type 'int'}}
+    sprintf(buf, "%d", unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    sprintf(buf, unknown_string, unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    sprintf(buf, unknown_string, va);
+
+    // expected-warning@+1{{format specifies type 'int'}}
+    snprintf(buf, sizeof(buf), "%d", unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
+    // expected-warning@+1{{format string is not a string literal}}
+    vsnprintf(buf, sizeof(buf), unknown_string, va);
+  }
+
+  // FIXME: below are general format string cases where clang should probably try to warn.
+  {
+    char buf[4];
+    sprintf(buf, "%s", "1234");
+    sprintf(buf, "1%s4", "23");
+    sprintf(buf, "%d", 1234);
+
+    // Similar thoughts for strncpy, etc.
+  }
+}
+
+static void testStdlib() {
+  char path_buffer[PATH_MAX - 1];
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
+  realpath("/", path_buffer);
+#if 0
+    // expected-error@+1{{ignoring return value of function}}
+#endif
+  realpath("/", nullptr);
+
+  // FIXME: This should complain about flipped arguments, instead of objectsize.
+  // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
+  realpath(nullptr, path_buffer);
+
+  // expected-error@+1{{flipped arguments?}}
+  realpath(nullptr, nullptr);
+}
+}  // namespace compilation_tests
+#endif
+
+FORTIFY_TEST(poll) {
+  int pipe_fds[2];
+  if (pipe(pipe_fds)) err(1, "pipe failed");
+
+  // after this, pipe_fds[0] should always report RDHUP
+  if (close(pipe_fds[1])) err(1, "close failed");
+
+  struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
+  {
+    struct pollfd few_fds[] = { poll_fd, poll_fd };
+    // expected-error@+1{{fd_count is larger than the given buffer}}
+    EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
+    // expected-error@+1{{fd_count is larger than the given buffer}}
+    EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
+    // expected-error@+1{{fd_count is larger than the given buffer}}
+    EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
+  }
+
+  {
+    struct {
+      struct pollfd few[2];
+      struct pollfd extra[1];
+    } fds = { { poll_fd, poll_fd }, { poll_fd } };
+    static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
+
+#if _FORTIFY_SOURCE > 1
+    // expected-error@+2{{fd_count is larger than the given buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
+
+    struct timespec timeout = {};
+#if _FORTIFY_SOURCE > 1
+    // expected-error@+2{{fd_count is larger than the given buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
+
+#if _FORTIFY_SOURCE > 1
+    // expected-error@+2{{fd_count is larger than the given buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
+  }
+}
+
+FORTIFY_TEST(socket) {
+  {
+    char small_buffer[8];
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
+
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+    // expected-error@+1{{size bigger than buffer}}
+    EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
+  }
+
+  {
+    struct {
+      char tiny_buffer[4];
+      char tiny_buffer2;
+    } split = {};
+
+    EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
+    EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
+  }
+}
+
+FORTIFY_TEST(sys_stat) {
+  // expected-error@+1{{'umask' called with invalid mode}}
+  EXPECT_FORTIFY_DEATH(umask(01777));
+}
+
+FORTIFY_TEST(stdio) {
+  char small_buffer[8] = {};
+  {
+#if 0
+    // expected-error@+1{{may overflow the destination buffer}}
+#endif
+    EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
+
+    va_list va;
+#if 0
+    // expected-error@+1{{may overflow the destination buffer}}
+#endif
+    // expected-warning@+1{{format string is empty}}
+    EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
+  }
+
+  // expected-error@+1{{size should not be negative}}
+  EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
+  // expected-error@+1{{size is larger than the destination buffer}}
+  EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
+
+  // expected-error@+1{{size * count overflows}}
+  EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
+  // expected-error@+1{{size * count is too large for the given buffer}}
+  EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
+
+  // expected-error@+1{{size * count overflows}}
+  EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
+  // expected-error@+1{{size * count is too large for the given buffer}}
+  EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
+}
+
+FORTIFY_TEST(unistd) {
+  char small_buffer[8];
+
+  // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
+#if 0
+  // expected-error@+2{{ignoring return value of function}}
+#endif
+  // expected-error@+1{{bytes overflows the given object}}
+  EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
+
+  // getcwd allocates and returns a buffer if you pass null to getcwd
+  EXPECT_NO_DEATH(getcwd(nullptr, 0));
+  EXPECT_NO_DEATH(getcwd(nullptr, 4096));
+
+  struct {
+    char tiny_buffer[4];
+    char tiny_buffer2[4];
+  } split;
+
+  EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
+  EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
+  EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
+  EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
+  EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
+  EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
+
+#if _FORTIFY_SOURCE > 1
+  // expected-error@+2{{bytes overflows the given object}}
+#endif
+  EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
+#if _FORTIFY_SOURCE > 1
+  // expected-error@+2{{bytes overflows the given object}}
+#endif
+  EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
+
+  {
+    // FIXME: These should all die in FORTIFY. Headers are bugged.
+#ifdef COMPILATION_TESTS
+    char* volatile unknown = small_buffer;
+    const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
+    // expected-error@+1{{'count' must be <= SSIZE_MAX}}
+    EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
+#endif
+  }
+}
+
+#endif  // defined(__BIONIC__)
diff --git a/tests/fortify_filecheck_diagnostics_test.cpp b/tests/fortify_filecheck_diagnostics_test.cpp
deleted file mode 100644
index ac9853c..0000000
--- a/tests/fortify_filecheck_diagnostics_test.cpp
+++ /dev/null
@@ -1,323 +0,0 @@
-/*
- * Copyright (C) 2014 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
- * Silence all notes about enable_if-related 'candidates'; they're nice to know
- * about for users, but this test doesn't care.
- */
-// expected-note@* 0+{{candidate function}}
-
-/* Similarly, ignore all "from 'diagnose_if'"s. */
-// expected-note@* 0+{{from 'diagnose_if'}}
-
-
-#undef _FORTIFY_SOURCE
-#define _FORTIFY_SOURCE 2
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <poll.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <time.h>
-#include <unistd.h>
-
-#if !defined(__BIONIC__)
-#  error "This only works with Bionic."
-#endif
-
-void test_sprintf() {
-  char buf[4];
-
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{call to unavailable function 'sprintf': format string will always overflow destination buffer}}
-  sprintf(buf, "foobar");  // NOLINT(runtime/printf)
-
-  // TODO: clang should emit a warning, but doesn't
-  sprintf(buf, "%s", "foobar");  // NOLINT(runtime/printf)
-}
-
-void test_snprintf() {
-  char buf[4];
-
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{call to unavailable function 'snprintf': format string will always overflow destination buffer}}
-  snprintf(buf, 5, "foobar");  // NOLINT(runtime/printf)
-
-  // TODO: clang should emit a warning, but doesn't
-  snprintf(buf, 5, "%s", "foobar");  // NOLINT(runtime/printf)
-
-  // TODO: clang should emit a warning, but doesn't
-  snprintf(buf, 5, " %s ", "foobar");  // NOLINT(runtime/printf)
-
-  // TODO: clang should emit a warning, but doesn't
-  snprintf(buf, 5, "%d", 100000);  // NOLINT(runtime/printf)
-}
-
-void test_memcpy() {
-  char buf[4];
-
-  // expected-error@+1{{'memcpy' called with size bigger than buffer}}
-  memcpy(buf, "foobar", sizeof("foobar") + 100);
-}
-
-void test_memmove() {
-  char buf[4];
-
-  // expected-error@+1{{'memmove' called with size bigger than buffer}}
-  memmove(buf, "foobar", sizeof("foobar"));
-}
-
-void test_memset() {
-  char buf[4];
-
-  // expected-error@+1{{'memset' called with size bigger than buffer}}
-  memset(buf, 0, 6);
-}
-
-void test_strcpy() {
-  char buf[4];
-
-  // expected-error@+1{{'strcpy' called with string bigger than buffer}}
-  strcpy(buf, "foobar");  // NOLINT(runtime/printf)
-
-  // expected-error@+1{{'strcpy' called with string bigger than buffer}}
-  strcpy(buf, "quux");
-}
-
-void test_stpcpy() {
-  char buf[4];
-
-  // expected-error@+1{{'stpcpy' called with string bigger than buffer}}
-  stpcpy(buf, "foobar");
-
-  // expected-error@+1{{'stpcpy' called with string bigger than buffer}}
-  stpcpy(buf, "quux");
-}
-
-void test_strncpy() {
-  char buf[4];
-
-  // TODO: clang should emit a warning, but doesn't
-  strncpy(buf, "foobar", sizeof("foobar"));
-}
-
-void test_strcat() {
-  char buf[4] = "";
-
-  // TODO: clang should emit a warning, but doesn't
-  strcat(buf, "foobar");  // NOLINT(runtime/printf)
-}
-
-void test_strncat() {
-  char buf[4] = "";
-
-  // TODO: clang should emit a warning, but doesn't
-  strncat(buf, "foobar", sizeof("foobar"));
-}
-
-void test_vsprintf(const char* fmt, ...) {
-  va_list va;
-  char buf[4];
-  va_start(va, fmt);
-
-  // clang should emit a warning, but doesn't
-  vsprintf(buf, "foobar", va);
-  va_end(va);
-}
-
-void test_vsnprintf(const char* fmt, ...) {
-  va_list va;
-  char buf[4];
-  va_start(va, fmt);
-
-  // clang should emit a warning, but doesn't
-  vsnprintf(buf, 5, "foobar", va);  // NOLINT(runtime/printf)
-
-  va_end(va);
-}
-
-void test_fgets() {
-  char buf[4];
-
-  // expected-error@+1{{in call to 'fgets', size should not be negative}}
-  fgets(buf, -1, stdin);
-
-  // expected-error@+1{{in call to 'fgets', size is larger than the destination buffer}}
-  fgets(buf, 6, stdin);
-}
-
-void test_recvfrom() {
-  char buf[4];
-  sockaddr_in addr;
-
-  // expected-error@+1{{'recvfrom' called with size bigger than buffer}}
-  recvfrom(0, buf, 6, 0, reinterpret_cast<sockaddr*>(&addr), nullptr);
-}
-
-void test_recv() {
-  char buf[4] = {0};
-
-  // expected-error@+1{{'recv' called with size bigger than buffer}}
-  recv(0, buf, 6, 0);
-}
-
-void test_umask() {
-  // expected-error@+1{{'umask' called with invalid mode}}
-  umask(01777);
-}
-
-void test_read() {
-  char buf[4];
-  // expected-error@+1{{in call to 'read', 'count' bytes overflows the given object}}
-  read(0, buf, 6);
-}
-
-void test_open() {
-  // expected-error@+1{{'open' called with O_CREAT or O_TMPFILE, but missing mode}}
-  open("/dev/null", O_CREAT);
-
-  // expected-error@+1{{'open' called with O_CREAT or O_TMPFILE, but missing mode}}
-  open("/dev/null", O_TMPFILE);
-
-  // expected-error@+1{{call to unavailable function 'open': too many arguments}}
-  open("/dev/null", O_CREAT, 0, 0);
-
-  // expected-error@+1{{call to unavailable function 'open': too many arguments}}
-  open("/dev/null", O_TMPFILE, 0, 0);
-
-  // expected-warning@+1{{'open' has superfluous mode bits; missing O_CREAT?}}
-  open("/dev/null", O_RDONLY, 0644);
-
-  // expected-warning@+1{{'open' has superfluous mode bits; missing O_CREAT?}}
-  open("/dev/null", O_DIRECTORY, 0644);
-}
-
-void test_poll() {
-  pollfd fds[1];
-  // expected-error@+1{{in call to 'poll', fd_count is larger than the given buffer}}
-  poll(fds, 2, 0);
-}
-
-void test_ppoll() {
-  pollfd fds[1];
-  timespec timeout;
-  // expected-error@+1{{in call to 'ppoll', fd_count is larger than the given buffer}}
-  ppoll(fds, 2, &timeout, nullptr);
-}
-
-void test_ppoll64() {
-  pollfd fds[1];
-  timespec timeout;
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{in call to 'ppoll64', fd_count is larger than the given buffer}}
-  ppoll64(fds, 2, &timeout, nullptr);
-}
-
-void test_fread_overflow() {
-  char buf[4];
-  // expected-error@+1{{in call to 'fread', size * count overflows}}
-  fread(buf, 2, (size_t)-1, stdin);
-}
-
-void test_fread_too_big() {
-  char buf[4];
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{in call to 'fread', size * count is too large for the given buffer}}
-  fread(buf, 1, 5, stdin);
-}
-
-void test_fwrite_overflow() {
-  char buf[4] = {0};
-  // expected-error@+1{{in call to 'fwrite', size * count overflows}}
-  fwrite(buf, 2, (size_t)-1, stdout);
-}
-
-void test_fwrite_too_big() {
-  char buf[4] = {0};
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{in call to 'fwrite', size * count is too large for the given buffer}}
-  fwrite(buf, 1, 5, stdout);
-}
-
-void test_getcwd() {
-  char buf[4];
-  // expected-error@+1{{in call to 'getcwd', 'size' bytes overflows the given object}}
-  getcwd(buf, 5);
-}
-
-void test_pwrite64_size() {
-  char buf[4] = {0};
-  // expected-error@+1{{in call to 'pwrite64', 'count' bytes overflows the given object}}
-  pwrite64(STDOUT_FILENO, buf, 5, 0);
-}
-
-void test_pwrite64_too_big_malloc() {
-  void *buf = calloc(atoi("5"), 1);
-  // expected-error@+1{{in call to 'pwrite64', 'count' must be <= SSIZE_MAX}}
-  pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
-}
-
-void test_pwrite64_too_big() {
-  char buf[4] = {0};
-  // expected-error@+1{{in call to 'pwrite64', 'count' must be <= SSIZE_MAX}}
-  pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0);
-}
-
-void test_write_size() {
-  char buf[4] = {0};
-  // expected-error@+1{{in call to 'write', 'count' bytes overflows the given object}}
-  write(STDOUT_FILENO, buf, 5);
-}
-
-void test_memset_args_flipped() {
-  char from[4] = {0};
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-warning@+1{{'memset' will set 0 bytes; maybe the arguments got flipped?}}
-  memset(from, sizeof(from), 0);
-}
-
-void test_sendto() {
-  char buf[4] = {0};
-  sockaddr_in addr;
-
-  // expected-error@+1{{'sendto' called with size bigger than buffer}}
-  sendto(0, buf, 6, 0, reinterpret_cast<sockaddr*>(&addr), sizeof(sockaddr_in));
-}
-
-void test_send() {
-  char buf[4] = {0};
-
-  // expected-error@+1{{'send' called with size bigger than buffer}}
-  send(0, buf, 6, 0);
-}
-
-void test_realpath() {
-  char buf[4] = {0};
-  // NOLINTNEXTLINE(whitespace/line_length)
-  // expected-error@+1{{'realpath' output parameter must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
-  realpath(".", buf);
-
-  // This is fine.
-  realpath(".", nullptr);
-
-  char bigbuf[PATH_MAX];
-  // expected-error@+1{{'realpath': NULL path is never correct; flipped arguments?}}
-  realpath(nullptr, bigbuf);
-}
diff --git a/tests/make_fortify_compile_test.mk b/tests/make_fortify_compile_test.mk
new file mode 100644
index 0000000..8270f29
--- /dev/null
+++ b/tests/make_fortify_compile_test.mk
@@ -0,0 +1,20 @@
+include $(CLEAR_VARS)
+
+LOCAL_ADDITIONAL_DEPENDENCIES := \
+    $(LOCAL_PATH)/Android.mk \
+    $(LOCAL_PATH)/touch-obj-on-success
+
+LOCAL_CXX := $(LOCAL_PATH)/touch-obj-on-success \
+    $(LLVM_PREBUILTS_PATH)/clang++ \
+
+LOCAL_CLANG := true
+LOCAL_MODULE := bionic-compile-time-tests$(FORTIFY_LEVEL)-clang++
+LOCAL_CPPFLAGS := -Wall -Wno-error
+LOCAL_CPPFLAGS += -fno-color-diagnostics -ferror-limit=10000 -Xclang -verify
+LOCAL_CPPFLAGS += -DCOMPILATION_TESTS=1 -Wformat-nonliteral
+LOCAL_CPPFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=$(FORTIFY_LEVEL)
+LOCAL_SRC_FILES := clang_fortify_tests.cpp
+
+include $(BUILD_STATIC_LIBRARY)
+
+FORTIFY_LEVEL :=