Index: content/renderer/render_frame_impl.cc |
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc |
index f6a4baca9e17bc55960516e1d1c75490a0f6129f..98130382df2cd4bc3c7b11e3289a276c70131ae1 100644 |
--- a/content/renderer/render_frame_impl.cc |
+++ b/content/renderer/render_frame_impl.cc |
@@ -312,6 +312,19 @@ NOINLINE void CrashIntentionally() { |
*zero = 0; |
} |
+NOINLINE void BadCastCrashIntentionally() { |
+ class A { |
+ virtual void f() {} |
+ }; |
+ |
+ class B { |
+ virtual void f() {} |
+ }; |
+ |
+ A a; |
+ (void)(B*)&a; |
+} |
+ |
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
NOINLINE void MaybeTriggerAsanError(const GURL& url) { |
// NOTE(rogerm): We intentionally perform an invalid heap access here in |
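Review bot: `BadCastCrashIntentionally()` does not crash on its own. `(void)(B*)&a;` is a C-style cast between unrelated types with its result discarded, so without cast instrumentation it has no effect. The new `kChromeUIBadCastCrashURL` branch in `MaybeHandleDebugURL` (second hunk) then does nothing observable, unlike `CrashIntentionally()`. If the intent is to exercise a bad-cast checker (presumably something like Clang CFI's unrelated-cast check; the diff does not say), add a comment above the function, e.g. `// Performs an invalid cast between unrelated polymorphic types. Only traps in builds with bad-cast checking enabled; otherwise a no-op.` Consider also guarding the function and its dispatch branch with the matching build define, as `MaybeTriggerAsanError` just below is guarded by `ADDRESS_SANITIZER`/`SYZYASAN`.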
@@ -351,7 +364,9 @@ NOINLINE void MaybeTriggerAsanError(const GURL& url) { |
void MaybeHandleDebugURL(const GURL& url) { |
if (!url.SchemeIs(kChromeUIScheme)) |
return; |
- if (url == GURL(kChromeUICrashURL)) { |
+ if (url == GURL(kChromeUIBadCastCrashURL)) { |
+ BadCastCrashIntentionally(); |
+ } else if (url == GURL(kChromeUICrashURL)) { |
CrashIntentionally(); |
} else if (url == GURL(kChromeUIDumpURL)) { |
// This URL will only correctly create a crash dump file if content is |