| Index: content/renderer/render_frame_impl.cc
|
| diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
|
| index f6a4baca9e17bc55960516e1d1c75490a0f6129f..98130382df2cd4bc3c7b11e3289a276c70131ae1 100644
|
| --- a/content/renderer/render_frame_impl.cc
|
| +++ b/content/renderer/render_frame_impl.cc
|
| @@ -312,6 +312,19 @@ NOINLINE void CrashIntentionally() {
|
| *zero = 0;
|
| }
|
|
|
| +NOINLINE void BadCastCrashIntentionally() {
|
| + class A {
|
| + virtual void f() {}
|
| + };
|
| +
|
| + class B {
|
| + virtual void f() {}
|
| + };
|
| +
|
| + A a;
|
| + (void)(B*)&a;
|
| +}
|
| +
|
| #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
|
| NOINLINE void MaybeTriggerAsanError(const GURL& url) {
|
| // NOTE(rogerm): We intentionally perform an invalid heap access here in
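Review bot: `BadCastCrashIntentionally()` only crashes if the build instruments casts, which nothing in the function says. The statement `(void)(B*)&a;` discards its result, so in an ordinary build it presumably compiles to nothing and the function returns normally. The new `kChromeUIBadCastCrashURL` branch in `MaybeHandleDebugURL` (second hunk) would then silently do nothing, which can read as "the checker passed" when it was never active. I would add a comment above the function such as `// Performs a cast between unrelated polymorphic types; only traps when a bad-cast checker is compiled in, otherwise a no-op.` It is also worth considering a build guard around the function and its dispatch branch, in the same way `MaybeTriggerAsanError` sits under `#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)`. Since the C-style cast is deliberate here, the comment should say so, so that a later cleanup does not replace or remove it.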
|
| @@ -351,7 +364,9 @@ NOINLINE void MaybeTriggerAsanError(const GURL& url) {
|
| void MaybeHandleDebugURL(const GURL& url) {
|
| if (!url.SchemeIs(kChromeUIScheme))
|
| return;
|
| - if (url == GURL(kChromeUICrashURL)) {
|
| + if (url == GURL(kChromeUIBadCastCrashURL)) {
|
| + BadCastCrashIntentionally();
|
| + } else if (url == GURL(kChromeUICrashURL)) {
|
| CrashIntentionally();
|
| } else if (url == GURL(kChromeUIDumpURL)) {
|
| // This URL will only correctly create a crash dump file if content is
|
|
|