Chromium Code Reviews Chromium Code Reviews
Issue 306753003:
Add some function and URLs to induce ASan crashes. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #if defined(OS_WIN) | |
| 6 #include <windows.h> | |
| 7 #endif | |
| 8 | |
| 9 #include "base/debug/alias.h" | |
| 10 #include "base/debug/asan_invalid_access.h" | |
| 11 #include "base/logging.h" | |
| 12 #include "base/memory/scoped_ptr.h" | |
| 13 | |
| 14 namespace base { | |
| 15 namespace debug { | |
| 16 | |
| 17 namespace { | |
| 18 | |
| 19 #if defined(SYZYASAN) | |
| 20 // Corrupt a memory block and make sure that the corruption gets detected either | |
| 21 // when we free it or when another crash happens (if |induce_crash| is set to | |
| 22 // true). | |
| 23 NOINLINE void CorruptMemoryBlock(bool induce_crash) { | |
| 24 // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to | |
| 25 // trigger an Address Sanitizer (ASAN) error report. | |
| 26 static const int kArraySize = 5; | |
| 27 int* array = new int[kArraySize]; | |
| 28 // Encapsulate the invalid memory access into a try-catch statement to prevent | |
| 29 // this function from being instrumented. This way the underflow won't be | |
| 30 // detected but the corruption will (as the allocator will still be hooked). | |
| 31 try { | |
| 32 // Declares the dummy value as volatile to make sure it doesn't get | |
| 33 // optimized away. | |
| 34 int volatile dummy = array[-1]--; | |
| 35 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 36 } catch (...) { | |
| 37 } | |
| 38 if (induce_crash) | |
| 39 CHECK(false); | |
| 40 delete[] array; | |
| 41 } | |
| 42 #endif | |
| 43 | |
| 44 } // namespace | |
| 45 | |
| 46 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | |
| 47 // NOTE(sebmarchand): We intentionally perform some invalid heap access here in | |
| 48 // order to trigger an Address Sanitizer (ASan) error report. | |
|
Timur Iskhodzhanov
2014/06/06 11:36:56
ditto
Sébastien Marchand
2014/06/09 14:47:39
Done.
| |
| 49 | |
| 50 static const int kArraySize = 5; | |
| 51 | |
| 52 void AsanHeapOverflow() { | |
| 53 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 54 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 55 // away. | |
| 56 int volatile dummy = 0; | |
| 57 dummy = array[kArraySize]; | |
| 58 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 59 } | |
| 60 | |
| 61 void AsanHeapUnderflow() { | |
| 62 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 63 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 64 // away. | |
| 65 int volatile dummy = 0; | |
| 66 dummy = array[-1]; | |
| 67 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 68 } | |
| 69 | |
| 70 void AsanHeapUseAfterFree() { | |
| 71 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 72 // Declares the dummy value as volatile to make sure it doesn't get optimized | |
| 73 // away. | |
| 74 int volatile dummy = 0; | |
| 75 int* dangling = array.get(); | |
| 76 array.reset(); | |
| 77 dummy = dangling[kArraySize / 2]; | |
| 78 base::debug::Alias(const_cast<int*>(&dummy)); | |
| 79 } | |
| 80 | |
| 81 #endif // ADDRESS_SANITIZER || SYZYASAN | |
| 82 | |
| 83 #if defined(SYZYASAN) | |
| 84 void AsanCorruptHeapBlock() { | |
| 85 CorruptMemoryBlock(false); | |
| 86 } | |
| 87 | |
| 88 void AsanCorruptHeap() { | |
| 89 CorruptMemoryBlock(true); | |
| 90 } | |
| 91 #endif // SYZYASAN | |
| 92 | |
| 93 } // namespace debug | |
| 94 } // namespace base | |
| OLD | NEW |
