| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/renderer/render_frame_impl.h" | 5 #include "content/renderer/render_frame_impl.h" |
| 6 | 6 |
| 7 #include <map> | 7 #include <map> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/auto_reset.h" | 10 #include "base/auto_reset.h" |
| 11 #include "base/command_line.h" | 11 #include "base/command_line.h" |
| 12 #include "base/debug/alias.h" | 12 #include "base/debug/alias.h" |
| 13 #include "base/debug/asan_invalid_access.h" |
| 13 #include "base/debug/dump_without_crashing.h" | 14 #include "base/debug/dump_without_crashing.h" |
| 14 #include "base/i18n/char_iterator.h" | 15 #include "base/i18n/char_iterator.h" |
| 15 #include "base/metrics/histogram.h" | 16 #include "base/metrics/histogram.h" |
| 16 #include "base/process/kill.h" | 17 #include "base/process/kill.h" |
| 17 #include "base/process/process.h" | 18 #include "base/process/process.h" |
| 18 #include "base/strings/string16.h" | 19 #include "base/strings/string16.h" |
| 19 #include "base/strings/utf_string_conversions.h" | 20 #include "base/strings/utf_string_conversions.h" |
| 20 #include "base/time/time.h" | 21 #include "base/time/time.h" |
| 21 #include "content/child/appcache/appcache_dispatcher.h" | 22 #include "content/child/appcache/appcache_dispatcher.h" |
| 22 #include "content/child/plugin_messages.h" | 23 #include "content/child/plugin_messages.h" |
| (...skipping 232 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 255 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 256 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 256 NOINLINE static void MaybeTriggerAsanError(const GURL& url) { | 257 NOINLINE static void MaybeTriggerAsanError(const GURL& url) { |
| 257 // NOTE(rogerm): We intentionally perform an invalid heap access here in | 258 // NOTE(rogerm): We intentionally perform an invalid heap access here in |
| 258 // order to trigger an Address Sanitizer (ASAN) error report. | 259 // order to trigger an Address Sanitizer (ASAN) error report. |
| 259 static const char kCrashDomain[] = "crash"; | 260 static const char kCrashDomain[] = "crash"; |
| 260 static const char kHeapOverflow[] = "/heap-overflow"; | 261 static const char kHeapOverflow[] = "/heap-overflow"; |
| 261 static const char kHeapUnderflow[] = "/heap-underflow"; | 262 static const char kHeapUnderflow[] = "/heap-underflow"; |
| 262 static const char kUseAfterFree[] = "/use-after-free"; | 263 static const char kUseAfterFree[] = "/use-after-free"; |
| 263 #if defined(SYZYASAN) | 264 #if defined(SYZYASAN) |
| 264 static const char kCorruptHeapBlock[] = "/corrupt-heap-block"; | 265 static const char kCorruptHeapBlock[] = "/corrupt-heap-block"; |
| 266 static const char kCorruptHeap[] = "/corrupt-heap"; |
| 265 #endif | 267 #endif |
| 266 static const int kArraySize = 5; | 268 static const int kArraySize = 5; |
| 267 | 269 |
| 268 if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1)) | 270 if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1)) |
| 269 return; | 271 return; |
| 270 | 272 |
| 271 if (!url.has_path()) | 273 if (!url.has_path()) |
| 272 return; | 274 return; |
| 273 | 275 |
| 274 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 275 std::string crash_type(url.path()); | 276 std::string crash_type(url.path()); |
| 276 int dummy = 0; | |
| 277 if (crash_type == kHeapOverflow) { | 277 if (crash_type == kHeapOverflow) { |
| 278 dummy = array[kArraySize]; | 278 base::AsanHeapOverflow(); |
| 279 } else if (crash_type == kHeapUnderflow ) { | 279 } else if (crash_type == kHeapUnderflow ) { |
| 280 dummy = array[-1]; | 280 base::AsanHeapUnderflow(); |
| 281 } else if (crash_type == kUseAfterFree) { | 281 } else if (crash_type == kUseAfterFree) { |
| 282 int* dangling = array.get(); | 282 base::AsanHeapUseAfterFree(); |
| 283 array.reset(); | |
| 284 dummy = dangling[kArraySize / 2]; | |
| 285 #if defined(SYZYASAN) | 283 #if defined(SYZYASAN) |
| 286 } else if (crash_type == kCorruptHeapBlock) { | 284 } else if (crash_type == kCorruptHeapBlock) { |
| 287 CorruptMemoryBlock(); | 285 base::AsanCorruptHeapBlock(); |
| 286 } else if (crash_type == kCorruptHeap) { |
| 287 base::AsanCorruptHeap(); |
| 288 #endif | 288 #endif |
| 289 } | 289 } |
| 290 | |
| 291 // Make sure the assignments to the dummy value aren't optimized away. | |
| 292 base::debug::Alias(&dummy); | |
| 293 } | 290 } |
| 294 #endif // ADDRESS_SANITIZER || SYZYASAN | 291 #endif // ADDRESS_SANITIZER || SYZYASAN |
| 295 | 292 |
| 296 static void MaybeHandleDebugURL(const GURL& url) { | 293 static void MaybeHandleDebugURL(const GURL& url) { |
| 297 if (!url.SchemeIs(kChromeUIScheme)) | 294 if (!url.SchemeIs(kChromeUIScheme)) |
| 298 return; | 295 return; |
| 299 if (url == GURL(kChromeUICrashURL)) { | 296 if (url == GURL(kChromeUICrashURL)) { |
| 300 CrashIntentionally(); | 297 CrashIntentionally(); |
| 301 } else if (url == GURL(kChromeUIKillURL)) { | 298 } else if (url == GURL(kChromeUIKillURL)) { |
| 302 base::KillProcess(base::GetCurrentProcessHandle(), 1, false); | 299 base::KillProcess(base::GetCurrentProcessHandle(), 1, false); |
| (...skipping 3240 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3543 | 3540 |
| 3544 RendererCdmManager* RenderFrameImpl::GetCdmManager() { | 3541 RendererCdmManager* RenderFrameImpl::GetCdmManager() { |
| 3545 if (!cdm_manager_) | 3542 if (!cdm_manager_) |
| 3546 cdm_manager_ = new RendererCdmManager(this); | 3543 cdm_manager_ = new RendererCdmManager(this); |
| 3547 return cdm_manager_; | 3544 return cdm_manager_; |
| 3548 } | 3545 } |
| 3549 | 3546 |
| 3550 #endif // defined(OS_ANDROID) | 3547 #endif // defined(OS_ANDROID) |
| 3551 | 3548 |
| 3552 } // namespace content | 3549 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 306753003:
Add some function and URLs to induce ASan crashes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master