CFI: Add a new debug URL, chrome://badcast.

content/renderer/render_frame_impl.cc

Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index f6a4baca9e17bc55960516e1d1c75490a0f6129f..8e061484c83e404bc77837998a3d7a095da10e4a 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -312,6 +312,19 @@ NOINLINE void CrashIntentionally() {
   *zero = 0;
 }
 
+NOINLINE void BadCastIntentionally() {

[Avi (use Gerrit), 2015/07/30 21:36:49]

BadCastCrashIntentionally

Our crash triage folks are looking for "CrashIntentionally", and while we can
introduce new flavors of intentional crashes, we should stick to the established
naming.

[pcc1, 2015/07/30 23:43:01]

Done.

+  class A {
+    virtual void f() {}
+  };
+
+  class B {
+    virtual void f() {}
+  };
+
+  A a;
+  (void)(B*)&a;
+}
+
 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 NOINLINE void MaybeTriggerAsanError(const GURL& url) {
   // NOTE(rogerm): We intentionally perform an invalid heap access here in
@@ -351,7 +364,9 @@ NOINLINE void MaybeTriggerAsanError(const GURL& url) {
 void MaybeHandleDebugURL(const GURL& url) {
   if (!url.SchemeIs(kChromeUIScheme))
     return;
-  if (url == GURL(kChromeUICrashURL)) {
+  if (url == GURL(kChromeUIBadCastURL)) {
+    BadCastIntentionally();
+  } else if (url == GURL(kChromeUICrashURL)) {
     CrashIntentionally();
   } else if (url == GURL(kChromeUIDumpURL)) {
     // This URL will only correctly create a crash dump file if content is