Chromium Code Reviews Chromium Code Reviews
Issue 306753003:
Add some function and URLs to induce ASan crashes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #if defined(OS_WIN) | |
| 6 #include <windows.h> | |
| 7 #endif | |
| 8 | |
| 9 #include "base/debug/alias.h" | |
| 10 #include "base/debug/asan_invalid_access.h" | |
| 11 #include "base/logging.h" | |
| 12 #include "base/memory/scoped_ptr.h" | |
| 13 | |
| 14 namespace base { | |
| 15 namespace { | |
| 16 | |
| 17 #if defined(SYZYASAN) && defined(COMPILER_MSVC) | |
| 18 // Corrupt a memory block and make sure that the corruption gets detected either | |
| 19 // when we free it or when another crash happen (if |induce_crash| is set to | |
|
Timur Iskhodzhanov
2014/06/05 15:32:09
happens?
Sébastien Marchand
2014/06/05 19:44:34
Done. Sorry for the grammatical nits and thanks fo
| |
| 20 // true). | |
| 21 NOINLINE void CorruptMemoryBlock(bool induce_crash) { | |
| 22 // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to | |
| 23 // trigger an Address Sanitizer (ASAN) error report. | |
| 24 static const int kArraySize = 5; | |
| 25 int* array = new int[kArraySize]; | |
| 26 // Encapsulate the invalid memory access into a try-catch statement to prevent | |
| 27 // this function from being instrumented. This way the underflow won't be | |
| 28 // detected but the corruption will (as the allocator will still be hooked). | |
| 29 __try { | |
| 30 // Declares the dummy value as volatile to make sure it doesn't get | |
| 31 // optimized away. | |
| 32 int volatile dummy = array[-1]--; | |
| 33 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 34 } __except (EXCEPTION_EXECUTE_HANDLER) { | |
| 35 } | |
| 36 if (induce_crash) | |
| 37 CHECK(false); | |
| 38 delete[] array; | |
| 39 } | |
| 40 #endif | |
| 41 | |
| 42 } // namespace | |
| 43 | |
| 44 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | |
| 45 // NOTE(sebmarchand): We intentionally perform some invalid heap access here in | |
| 46 // order to trigger an Address Sanitizer (ASAN) error report. | |
|
Timur Iskhodzhanov
2014/06/05 15:32:09
ditto
Timur Iskhodzhanov
2014/06/05 15:32:59
that was about
AddressSanitizer (ASan)
Sébastien Marchand
2014/06/05 19:44:33
Done.
Sébastien Marchand
2014/06/05 19:44:34
Done.
| |
| 47 | |
| 48 static const int kArraySize = 5; | |
| 49 | |
| 50 void AsanHeapOverflow() { | |
| 51 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 52 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 53 // away. | |
| 54 int volatile dummy = 0; | |
| 55 dummy = array[kArraySize]; | |
| 56 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 57 } | |
| 58 | |
| 59 void AsanHeapUnderflow() { | |
| 60 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 61 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 62 // away. | |
| 63 int volatile dummy = 0; | |
| 64 dummy = array[-1]; | |
| 65 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 66 } | |
| 67 | |
| 68 void AsanHeapUseAfterFree() { | |
| 69 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 70 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 71 // away. | |
| 72 int volatile dummy = 0; | |
| 73 int* dangling = array.get(); | |
| 74 array.reset(); | |
| 75 dummy = dangling[kArraySize / 2]; | |
| 76 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 77 } | |
| 78 | |
| 79 #endif // ADDRESS_SANITIZER || SYZYASAN | |
| 80 | |
| 81 #if defined(SYZYASAN) && defined(COMPILER_MSVC) | |
| 82 void AsanCorruptHeapBlock() { | |
| 83 CorruptMemoryBlock(false); | |
| 84 } | |
| 85 | |
| 86 void AsanCorruptHeap() { | |
| 87 CorruptMemoryBlock(true); | |
| 88 } | |
| 89 #endif // SYZYASAN | |
| 90 | |
| 91 } // namespace base | |
| OLD | NEW |
