Add support for more ASAN errors generation to chrome://crash/...

content/renderer/render_frame_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 
 #include "base/auto_reset.h"
@@ skipping 184 matching lines @@
   return ds->originalRequest().url();
 }
 
 NOINLINE static void CrashIntentionally() {
   // NOTE(shess): Crash directly rather than using NOTREACHED() so
   // that the signature is easier to triage in crash reports.
   volatile int* zero = NULL;
   *zero = 0;
 }
 
+#if defined(SYZYASAN)
+// This code triggers a C4509 warning as we're using an object with a destructor
+// in a function with SEH. We can safely disable this as no exception will
+// actually be thrown.
+#pragma warning(push)
+#pragma warning(disable: 4509)
+NOINLINE static void CorruptMemoryBlock() {
+  // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to
+  //     trigger an Address Sanitizer (ASAN) error report.
+  static const int kArraySize = 5;
+  scoped_ptr<int[]> array(new int[kArraySize]);
+  // Encapsulate the invalid memory access into a try-catch statement to prevent
+  // this function from being instrumented. This way the underflow won't be
+  // detected but the corruption will (as the allocator will still be hooked).
+  __try {
+    int dummy = array[-1]--;
+    // Make sure the assignments to the dummy value aren't optimized away.
+    base::debug::Alias(&array);
+  } __except (EXCEPTION_EXECUTE_HANDLER) {
+    return;
+  }
+}
+#pragma warning(pop)
+#endif
+
 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
   // NOTE(rogerm): We intentionally perform an invalid heap access here in
   //     order to trigger an Address Sanitizer (ASAN) error report.
   static const char kCrashDomain[] = "crash";
   static const char kHeapOverflow[] = "/heap-overflow";
   static const char kHeapUnderflow[] = "/heap-underflow";
   static const char kUseAfterFree[] = "/use-after-free";
+#if defined(SYZYASAN)
+  static const char kCorruptHeapBlock[] = "/corrupt-heap-block";
+#endif
   static const int kArraySize = 5;
 
   if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1))
     return;
 
   if (!url.has_path())
     return;
 
   scoped_ptr<int[]> array(new int[kArraySize]);
   std::string crash_type(url.path());
   int dummy = 0;
   if (crash_type == kHeapOverflow) {
     dummy = array[kArraySize];
   } else if (crash_type == kHeapUnderflow ) {
     dummy = array[-1];
   } else if (crash_type == kUseAfterFree) {
     int* dangling = array.get();
     array.reset();
     dummy = dangling[kArraySize / 2];
+#if defined(SYZYASAN)
+  } else if (crash_type == kCorruptHeapBlock) {
+    CorruptMemoryBlock();
+#endif
   }
 
   // Make sure the assignments to the dummy value aren't optimized away.
   base::debug::Alias(&dummy);
 }
 #endif  // ADDRESS_SANITIZER || SYZYASAN
 
 static void MaybeHandleDebugURL(const GURL& url) {
   if (!url.SchemeIs(kChromeUIScheme))
     return;
@@ skipping 2927 matching lines @@
     selection_text_offset_ = offset;
     selection_range_ = range;
     // This IPC is dispatched by RenderWidetHost, so use its routing ID.
     Send(new ViewHostMsg_SelectionChanged(
         GetRenderWidget()->routing_id(), text, offset, range));
   }
   GetRenderWidget()->UpdateSelectionBounds();
 }
 
 }  // namespace content