OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/frame_host/debug_urls.h" | 5 #include "content/browser/frame_host/debug_urls.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
| 9 #include "base/debug/asan_invalid_access.h" |
| 10 #include "base/debug/profiler.h" |
9 #include "base/strings/utf_string_conversions.h" | 11 #include "base/strings/utf_string_conversions.h" |
10 #include "content/browser/gpu/gpu_process_host_ui_shim.h" | 12 #include "content/browser/gpu/gpu_process_host_ui_shim.h" |
11 #include "content/browser/ppapi_plugin_process_host.h" | 13 #include "content/browser/ppapi_plugin_process_host.h" |
12 #include "content/public/browser/browser_thread.h" | 14 #include "content/public/browser/browser_thread.h" |
13 #include "content/public/common/content_constants.h" | 15 #include "content/public/common/content_constants.h" |
14 #include "content/public/common/url_constants.h" | 16 #include "content/public/common/url_constants.h" |
15 #include "ppapi/proxy/ppapi_messages.h" | 17 #include "ppapi/proxy/ppapi_messages.h" |
16 #include "url/gurl.h" | 18 #include "url/gurl.h" |
17 | 19 |
18 namespace content { | 20 namespace content { |
19 | 21 |
20 namespace { | 22 namespace { |
21 | 23 |
| 24 // Define the Asan debug URLs. |
| 25 static const char kAsanCrashDomain[] = "crash"; |
| 26 static const char kAsanHeapOverflow[] = "/browser-heap-overflow"; |
| 27 static const char kAsanHeapUnderflow[] = "/browser-heap-underflow"; |
| 28 static const char kAsanUseAfterFree[] = "/browser-use-after-free"; |
| 29 #if defined(SYZYASAN) |
| 30 static const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block"; |
| 31 static const char kAsanCorruptHeap[] = "/browser-corrupt-heap"; |
| 32 #endif |
| 33 |
22 void HandlePpapiFlashDebugURL(const GURL& url) { | 34 void HandlePpapiFlashDebugURL(const GURL& url) { |
23 #if defined(ENABLE_PLUGINS) | 35 #if defined(ENABLE_PLUGINS) |
24 bool crash = url == GURL(kChromeUIPpapiFlashCrashURL); | 36 bool crash = url == GURL(kChromeUIPpapiFlashCrashURL); |
25 | 37 |
26 std::vector<PpapiPluginProcessHost*> hosts; | 38 std::vector<PpapiPluginProcessHost*> hosts; |
27 PpapiPluginProcessHost::FindByName( | 39 PpapiPluginProcessHost::FindByName( |
28 base::UTF8ToUTF16(kFlashPluginName), &hosts); | 40 base::UTF8ToUTF16(kFlashPluginName), &hosts); |
29 for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin(); | 41 for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin(); |
30 iter != hosts.end(); ++iter) { | 42 iter != hosts.end(); ++iter) { |
31 if (crash) | 43 if (crash) |
32 (*iter)->Send(new PpapiMsg_Crash()); | 44 (*iter)->Send(new PpapiMsg_Crash()); |
33 else | 45 else |
34 (*iter)->Send(new PpapiMsg_Hang()); | 46 (*iter)->Send(new PpapiMsg_Hang()); |
35 } | 47 } |
36 #endif | 48 #endif |
37 } | 49 } |
38 | 50 |
| 51 bool IsAsanDebugURL(const GURL& url) { |
| 52 #if defined(SYZYASAN) |
| 53 if (!base::debug::IsBinaryInstrumented()) |
| 54 return false; |
| 55 #endif |
| 56 return url.is_valid() && |
| 57 url.DomainIs(kAsanCrashDomain, sizeof(kAsanCrashDomain) - 1) && |
| 58 url.has_path() && (url.path() == kAsanHeapOverflow || |
| 59 url.path() == kAsanHeapUnderflow || |
| 60 url.path() == kAsanUseAfterFree || |
| 61 #if defined(SYZYASAN) && defined(COMPILER_MSVC) |
| 62 url.path() == kAsanCorruptHeapBlock || |
| 63 url.path() == kAsanCorruptHeap |
| 64 #endif |
| 65 ); |
| 66 } |
| 67 |
| 68 bool HandleAsanDebugURL(const GURL& url) { |
| 69 #if defined(SYZYASAN) |
| 70 if (!base::debug::IsBinaryInstrumented()) |
| 71 return false; |
| 72 |
| 73 if (url.path() == kAsanCorruptHeapBlock) { |
| 74 base::AsanCorruptHeapBlock(); |
| 75 return true; |
| 76 } else if (url.path() == kAsanCorruptHeap) { |
| 77 base::AsanCorruptHeap(); |
| 78 return true; |
| 79 } |
| 80 #endif |
| 81 |
| 82 if (url.path() == kAsanHeapOverflow) { |
| 83 base::AsanHeapOverflow(); |
| 84 } else if (url.path() == kAsanHeapUnderflow) { |
| 85 base::AsanHeapUnderflow(); |
| 86 } else if (url.path() == kAsanUseAfterFree) { |
| 87 base::AsanHeapUseAfterFree(); |
| 88 } else { |
| 89 return false; |
| 90 } |
| 91 |
| 92 return true; |
| 93 } |
| 94 |
| 95 |
39 } // namespace | 96 } // namespace |
40 | 97 |
41 bool HandleDebugURL(const GURL& url, PageTransition transition) { | 98 bool HandleDebugURL(const GURL& url, PageTransition transition) { |
42 // Ensure that the user explicitly navigated to this URL. | 99 // Ensure that the user explicitly navigated to this URL. |
43 if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR)) | 100 if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR)) |
44 return false; | 101 return false; |
45 | 102 |
46 // NOTE: when you add handling of any URLs to this function, also | 103 // NOTE: when you add handling of any URLs to this function, also |
47 // update IsDebugURL, below. | 104 // update IsDebugURL, below. |
48 | 105 |
| 106 if (IsAsanDebugURL(url)) |
| 107 return HandleAsanDebugURL(url); |
| 108 |
49 if (url.host() == kChromeUIBrowserCrashHost) { | 109 if (url.host() == kChromeUIBrowserCrashHost) { |
50 // Induce an intentional crash in the browser process. | 110 // Induce an intentional crash in the browser process. |
51 CHECK(false); | 111 CHECK(false); |
52 return true; | 112 return true; |
53 } | 113 } |
54 | 114 |
55 if (url == GURL(kChromeUIGpuCleanURL)) { | 115 if (url == GURL(kChromeUIGpuCleanURL)) { |
56 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); | 116 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); |
57 if (shim) | 117 if (shim) |
58 shim->SimulateRemoveAllContext(); | 118 shim->SimulateRemoveAllContext(); |
(...skipping 20 matching lines...)
79 base::Bind(&HandlePpapiFlashDebugURL, url)); | 139 base::Bind(&HandlePpapiFlashDebugURL, url)); |
80 return true; | 140 return true; |
81 } | 141 } |
82 | 142 |
83 return false; | 143 return false; |
84 } | 144 } |
85 | 145 |
86 bool IsDebugURL(const GURL& url) { | 146 bool IsDebugURL(const GURL& url) { |
87 // NOTE: when you add any URLs to this list, also update | 147 // NOTE: when you add any URLs to this list, also update |
88 // HandleDebugURL, above. | 148 // HandleDebugURL, above. |
89 return IsRendererDebugURL(url) || | 149 return IsRendererDebugURL(url) || IsAsanDebugURL(url) || |
90 (url.is_valid() && | 150 (url.is_valid() && |
91 (url.host() == kChromeUIBrowserCrashHost || | 151 (url.host() == kChromeUIBrowserCrashHost || |
92 url == GURL(kChromeUIGpuCleanURL) || | 152 url == GURL(kChromeUIGpuCleanURL) || |
93 url == GURL(kChromeUIGpuCrashURL) || | 153 url == GURL(kChromeUIGpuCrashURL) || |
94 url == GURL(kChromeUIGpuHangURL) || | 154 url == GURL(kChromeUIGpuHangURL) || |
95 url == GURL(kChromeUIPpapiFlashCrashURL) || | 155 url == GURL(kChromeUIPpapiFlashCrashURL) || |
96 url == GURL(kChromeUIPpapiFlashHangURL))); | 156 url == GURL(kChromeUIPpapiFlashHangURL))); |
97 } | 157 } |
98 | 158 |
99 bool IsRendererDebugURL(const GURL& url) { | 159 bool IsRendererDebugURL(const GURL& url) { |
100 if (!url.is_valid()) | 160 if (!url.is_valid()) |
101 return false; | 161 return false; |
102 | 162 |
103 if (url.SchemeIs(url::kJavaScriptScheme)) | 163 if (url.SchemeIs(url::kJavaScriptScheme)) |
104 return true; | 164 return true; |
105 | 165 |
106 return url == GURL(kChromeUICrashURL) || | 166 return url == GURL(kChromeUICrashURL) || |
107 url == GURL(kChromeUIKillURL) || | 167 url == GURL(kChromeUIKillURL) || |
108 url == GURL(kChromeUIHangURL) || | 168 url == GURL(kChromeUIHangURL) || |
109 url == GURL(kChromeUIShorthangURL); | 169 url == GURL(kChromeUIShorthangURL); |
110 } | 170 } |
111 | 171 |
112 } // namespace content | 172 } // namespace content |
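Review bot: IsAsanDebugURL() (new lines 51-66) matches on host and path only, so any valid URL whose host is, or ends in, `crash` and whose path is one of the `/browser-*` strings is treated as a browser-process debug URL whatever its scheme. Because the handlers deliberately perform invalid heap accesses in the browser process, the predicate should also require the internal scheme, e.g. `url.SchemeIs(kChromeUIScheme) &&` right after `url.is_valid() &&`. HandleDebugURL() is protected by the address-bar transition check, but IsDebugURL() calls the same predicate without it. Separately, the path list ends in `url.path() == kAsanUseAfterFree ||` just before the `#if defined(SYZYASAN) && defined(COMPILER_MSVC)` block, which leaves a dangling `||` when that block is compiled out. Move the `||` inside the guard, and use the same condition as the constants and HandleAsanDebugURL() (`#if defined(SYZYASAN)`) so the three sites agree. It also looks as if the three non-SyzyASan branches are reachable in builds with no sanitizer at all, which is worth confirming against asan_invalid_access.h.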