Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(29)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/renderer/render_frame_impl.cc

Issue 247543002: Add support for more ASAN errors generation to chrome://crash/... (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Address Chris nit. Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index a088661633d144135611d95f83b8200077448e13..c28b72da79b414073980710da41d53c7e2c55a58 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -202,6 +202,31 @@ NOINLINE static void CrashIntentionally() {
*zero = 0;
}
+#if defined(SYZYASAN)
+// This code triggers a C4509 warning as we're using an object with a destructor
+// in a function with SEH. We can safely disable this as no exception will
+// actually be thrown.
+#pragma warning(push)
+#pragma warning(disable: 4509)
+NOINLINE static void CorruptMemoryBlock() {
+ // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to
+ // trigger an Address Sanitizer (ASAN) error report.
+ static const int kArraySize = 5;
+ scoped_ptr<int[]> array(new int[kArraySize]);
+ // Encapsulate the invalid memory access into a try-catch statement to prevent
+ // this function from being instrumented. This way the underflow won't be
+ // detected but the corruption will (as the allocator will still be hooked).
+ __try {
+ int dummy = array[-1]--;
+ // Make sure the assignments to the dummy value aren't optimized away.
+ base::debug::Alias(&array);
+ } __except (EXCEPTION_EXECUTE_HANDLER) {
+ return;
+ }
+}
+#pragma warning(pop)
+#endif
+
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
// NOTE(rogerm): We intentionally perform an invalid heap access here in
@@ -210,6 +235,9 @@ NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
static const char kHeapOverflow[] = "/heap-overflow";
static const char kHeapUnderflow[] = "/heap-underflow";
static const char kUseAfterFree[] = "/use-after-free";
+#if defined(SYZYASAN)
+ static const char kCorruptHeapBlock[] = "/corrupt-heap-block";
+#endif
static const int kArraySize = 5;
if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1))
@@ -229,6 +257,10 @@ NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
int* dangling = array.get();
array.reset();
dummy = dangling[kArraySize / 2];
+#if defined(SYZYASAN)
+ } else if (crash_type == kCorruptHeapBlock) {
+ CorruptMemoryBlock();
+#endif
}
// Make sure the assignments to the dummy value aren't optimized away.
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698