Add some function and URLs to induce ASan crashes.

base/tools_sanity_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This file contains intentional memory errors, some of which may lead to
 // crashes if the test is ran without special memory testing tools. We use these
 // errors to verify the sanity of the tools.
 
 #include "base/atomicops.h"
+#include "base/debug/asan_invalid_access.h"
+#include "base/debug/profiler.h"
 #include "base/message_loop/message_loop.h"
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "base/threading/thread.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace base {
 
 namespace {
 
 const base::subtle::Atomic32 kMagicValue = 42;
 
 // Helper for memory accesses that can potentially corrupt memory or cause a
 // crash during a native run.
 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 #if defined(OS_IOS)
 // EXPECT_DEATH is not supported on IOS.
 #define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0)
+#elif defined(SYZYASAN)
+// We won't get a meaningful error message because we're not running under the
+// SyzyASan logger, but we can at least make sure that the error has been
+// generated in the SyzyASan runtime.
+#define HARMFUL_ACCESS(action,unused) \
+if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action, \
+                                                  "AsanRuntime::OnError"); }
 #else
 #define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp)
-#endif  // !OS_IOS
+#endif  // !OS_IOS && !SYZYASAN
 #else
 #define HARMFUL_ACCESS(action,error_regexp) \
 do { if (RunningOnValgrind()) { action; } } while (0)
 #endif
 
 void DoReadUninitializedValue(char *ptr) {
   // Comparison with 64 is to prevent clang from optimizing away the
   // jump -- valgrind only catches jumps and conditional moves, but clang uses
   // the borrow flag if the condition is just `*ptr == '\0'`.
   if (*ptr == 64) {
@@ skipping 115 matching lines @@
     return;
 #endif
 
   // Without the |volatile|, clang optimizes away the next two lines.
   int* volatile foo = new int;
   (void) foo;
   delete [] foo;
 }
 
 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
+
 TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) {
   // Intentionally crash to make sure AddressSanitizer is running.
   // This test should not be ran on bots.
   int* volatile zero = NULL;
   *zero = 0;
 }
 
 TEST(ToolsSanityTest, DISABLED_AddressSanitizerLocalOOBCrashTest) {
   // Intentionally crash to make sure AddressSanitizer is instrumenting
   // the local variables.
@@ skipping 11 matching lines @@
 TEST(ToolsSanityTest, DISABLED_AddressSanitizerGlobalOOBCrashTest) {
   // Intentionally crash to make sure AddressSanitizer is instrumenting
   // the global variables.
   // This test should not be ran on bots.
 
   // Work around the OOB warning reported by Clang.
   int* volatile access = g_asan_test_global_array - 1;
   *access = 43;
 }
 
-#endif
+TEST(ToolsSanityTest, AsanHeapOverflow) {
+  HARMFUL_ACCESS(debug::AsanHeapOverflow() ,"to the right");
+}
+
+TEST(ToolsSanityTest, AsanHeapUnderflow) {
+  HARMFUL_ACCESS(debug::AsanHeapUnderflow(), "to the left");
+}
+
+TEST(ToolsSanityTest, AsanHeapUseAfterFree) {
+  HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free");
+}
+
+#if defined(SYZYASAN)
+TEST(ToolsSanityTest, AsanCorruptHeapBlock) {
+  HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), "");
+}
+
+TEST(ToolsSanityTest, AsanCorruptHeap) {
+  // This test will kill the process by raising an exception, there's no
+  // particular string to look for in the stack trace.
+  EXPECT_DEATH(debug::AsanCorruptHeap(), "");
+}
+#endif  // SYZYASAN
+
+#endif  // ADDRESS_SANITIZER || SYZYASAN
 
 namespace {
 
 // We use caps here just to ensure that the method name doesn't interfere with
 // the wildcarded suppressions.
 class TOOLS_SANITY_TEST_CONCURRENT_THREAD : public PlatformThread::Delegate {
  public:
   explicit TOOLS_SANITY_TEST_CONCURRENT_THREAD(bool *value) : value_(value) {}
   virtual ~TOOLS_SANITY_TEST_CONCURRENT_THREAD() {}
   virtual void ThreadMain() OVERRIDE {
@@ skipping 67 matching lines @@
 
 TEST(ToolsSanityTest, AtomicsAreIgnored) {
   base::subtle::Atomic32 shared = 0;
   ReleaseStoreThread thread1(&shared);
   AcquireLoadThread thread2(&shared);
   RunInParallel(&thread1, &thread2);
   EXPECT_EQ(kMagicValue, shared);
 }
 
 }  // namespace base