CFI: Add a new debug URL, chrome://badcast.

CFI: Add a new debug URL, chrome://badcastcrash.

This URL causes the renderer to intentionally perform a bad cast, which
causes a CFI violation. This allows us to manually test how CFI violations
in the renderer are handled.

BUG=464797
R=avi@chromium.org
TEST=build with cfi_vptr=1, manually navigate to chrome://badcastcrash, verify that "Aw, snap" page appears

Committed: https://crrev.com/3184322ba03c4221ca2b0295d7413ab9ac82b4d2
Cr-Commit-Position: refs/heads/master@{#341247}

[Avi (use Gerrit), 2015-07-30 20:52:34]

Are you intending to leave this in long-term, or is this for the short term for
testing?

[pcc1, 2015-07-30 21:03:31]

On 2015/07/30 20:52:34, Avi wrote:
> Are you intending to leave this in long-term, or is this for the short term
for
> testing?

I imagine that we will always need some way to verify that CFI enforcement is
working as expected. This can probably be automated with an end-to-end test,
which we could add once https://codereview.chromium.org/1264053002/ gives us a
#define to conditionalize on.

[Avi (use Gerrit), 2015-07-30 21:09:35]

On 2015/07/30 21:03:31, pcc1 wrote:
> On 2015/07/30 20:52:34, Avi wrote:
> > Are you intending to leave this in long-term, or is this for the short term
> for
> > testing?
> 
> I imagine that we will always need some way to verify that CFI enforcement is
> working as expected. This can probably be automated with an end-to-end test,
> which we could add once https://codereview.chromium.org/1264053002/ gives us a
> #define to conditionalize on.

If you want to put this in temporarily, maybe. That test you link to makes much
more sense to me.

[pcc1, 2015-07-30 21:29:26]

On 2015/07/30 21:09:35, Avi wrote:
> On 2015/07/30 21:03:31, pcc1 wrote:
> > On 2015/07/30 20:52:34, Avi wrote:
> > > Are you intending to leave this in long-term, or is this for the short
term
> > for
> > > testing?
> > 
> > I imagine that we will always need some way to verify that CFI enforcement
is
> > working as expected. This can probably be automated with an end-to-end test,
> > which we could add once https://codereview.chromium.org/1264053002/ gives us
a
> > #define to conditionalize on.
> 
> If you want to put this in temporarily, maybe. That test you link to makes
much
> more sense to me.

My intent was to add a way to verify that the enforcement works in arbitrary
Chrome binaries that we build. The test I linked to is part of a unit test suite
so can't be used to check a Chrome binary. Because the goal of the CFI
enforcement is to protect Chrome binaries, I'd like there to be some way to test
the thing we're trying to protect.

Does that distinction make sense?

[Avi (use Gerrit), 2015-07-30 21:36:49]

I'll OK it with with a bit of a naming change.

https://codereview.chromium.org/1266893002/diff/1/content/public/common/url_c...
File content/public/common/url_constants.cc (right):

https://codereview.chromium.org/1266893002/diff/1/content/public/common/url_c...
content/public/common/url_constants.cc:38: const char kChromeUIBadCastURL[] =
"chrome://badcast";
chrome://badcastcrash

to fit in with chrome://gpucrash and chrome://ppapiflashcrash

https://codereview.chromium.org/1266893002/diff/1/content/renderer/render_fra...
File content/renderer/render_frame_impl.cc (right):

https://codereview.chromium.org/1266893002/diff/1/content/renderer/render_fra...
content/renderer/render_frame_impl.cc:315: NOINLINE void BadCastIntentionally()
{
BadCastCrashIntentionally

Our crash triage folks are looking for "CrashIntentionally", and while we can
introduce new flavors of intentional crashes, we should stick to the established
naming.

[pcc1, 2015-07-30 23:43:01]

https://codereview.chromium.org/1266893002/diff/1/content/public/common/url_c...
File content/public/common/url_constants.cc (right):

https://codereview.chromium.org/1266893002/diff/1/content/public/common/url_c...
content/public/common/url_constants.cc:38: const char kChromeUIBadCastURL[] =
"chrome://badcast";
On 2015/07/30 21:36:49, Avi wrote:
> chrome://badcastcrash
> 
> to fit in with chrome://gpucrash and chrome://ppapiflashcrash

Done.

https://codereview.chromium.org/1266893002/diff/1/content/renderer/render_fra...
File content/renderer/render_frame_impl.cc (right):

https://codereview.chromium.org/1266893002/diff/1/content/renderer/render_fra...
content/renderer/render_frame_impl.cc:315: NOINLINE void BadCastIntentionally()
{
On 2015/07/30 21:36:49, Avi wrote:
> BadCastCrashIntentionally
> 
> Our crash triage folks are looking for "CrashIntentionally", and while we can
> introduce new flavors of intentional crashes, we should stick to the
established
> naming.

Done.

[Avi (use Gerrit), 2015-07-30 23:44:47]

lgtm

[pcc1, 2015-07-30 23:45:40]

The CQ bit was checked by pcc@chromium.org

[commit-bot: I haz the power, 2015-07-30 23:46:38]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1266893002/20001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1266893002/20001

[commit-bot: I haz the power, 2015-07-31 00:46:37]

Committed patchset #2 (id:20001)

[commit-bot: I haz the power, 2015-07-31 00:47:15]

Patchset 2 (id:??) landed as
https://crrev.com/3184322ba03c4221ca2b0295d7413ab9ac82b4d2
Cr-Commit-Position: refs/heads/master@{#341247}