| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/renderer/render_frame_impl.h" | 5 #include "content/renderer/render_frame_impl.h" |
| 6 | 6 |
| 7 #include <map> | 7 #include <map> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/auto_reset.h" | 10 #include "base/auto_reset.h" |
| 11 #include "base/command_line.h" | 11 #include "base/command_line.h" |
| 12 #include "base/debug/alias.h" | 12 #include "base/debug/alias.h" |
| 13 #include "base/debug/asan_invalid_access.h" | |
| 13 #include "base/debug/dump_without_crashing.h" | 14 #include "base/debug/dump_without_crashing.h" |
| 14 #include "base/i18n/char_iterator.h" | 15 #include "base/i18n/char_iterator.h" |
| 15 #include "base/metrics/histogram.h" | 16 #include "base/metrics/histogram.h" |
| 16 #include "base/process/kill.h" | 17 #include "base/process/kill.h" |
| 17 #include "base/process/process.h" | 18 #include "base/process/process.h" |
| 18 #include "base/strings/string16.h" | 19 #include "base/strings/string16.h" |
| 19 #include "base/strings/utf_string_conversions.h" | 20 #include "base/strings/utf_string_conversions.h" |
| 20 #include "base/time/time.h" | 21 #include "base/time/time.h" |
| 21 #include "content/child/appcache/appcache_dispatcher.h" | 22 #include "content/child/appcache/appcache_dispatcher.h" |
| 22 #include "content/child/plugin_messages.h" | 23 #include "content/child/plugin_messages.h" |
| 227 } | 228 } |
| 228 | 229 |
| 229 NOINLINE static void CrashIntentionally() { | 230 NOINLINE static void CrashIntentionally() { |
| 230 // NOTE(shess): Crash directly rather than using NOTREACHED() so | 231 // NOTE(shess): Crash directly rather than using NOTREACHED() so |
| 231 // that the signature is easier to triage in crash reports. | 232 // that the signature is easier to triage in crash reports. |
| 232 volatile int* zero = NULL; | 233 volatile int* zero = NULL; |
| 233 *zero = 0; | 234 *zero = 0; |
| 234 } | 235 } |
| 235 | 236 |
| 236 #if defined(SYZYASAN) | 237 #if defined(SYZYASAN) |
| 237 NOINLINE static void CorruptMemoryBlock() { | 238 NOINLINE static void CorruptMemoryBlock() { |
|
Nico
2014/06/12 18:36:56
I suppose this isn't used any longer?
Sébastien Marchand
2014/06/12 19:54:13
Good catch, thanks.
| |
| 238 // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to | 239 // NOTE(sebmarchand): We intentionally corrupt a memory block here in order to |
| 239 // trigger an Address Sanitizer (ASAN) error report. | 240 // trigger an Address Sanitizer (ASAN) error report. |
| 240 static const int kArraySize = 5; | 241 static const int kArraySize = 5; |
| 241 int* array = new int[kArraySize]; | 242 int* array = new int[kArraySize]; |
| 242 // Encapsulate the invalid memory access into a try-catch statement to prevent | 243 // Encapsulate the invalid memory access into a try-catch statement to prevent |
| 243 // this function from being instrumented. This way the underflow won't be | 244 // this function from being instrumented. This way the underflow won't be |
| 244 // detected but the corruption will (as the allocator will still be hooked). | 245 // detected but the corruption will (as the allocator will still be hooked). |
| 245 __try { | 246 __try { |
| 246 int dummy = array[-1]--; | 247 int dummy = array[-1]--; |
| 247 // Make sure the assignments to the dummy value aren't optimized away. | 248 // Make sure the assignments to the dummy value aren't optimized away. |
| 248 base::debug::Alias(&array); | 249 base::debug::Alias(&array); |
| 249 } __except (EXCEPTION_EXECUTE_HANDLER) { | 250 } __except (EXCEPTION_EXECUTE_HANDLER) { |
| 250 } | 251 } |
| 251 delete[] array; | 252 delete[] array; |
| 252 } | 253 } |
| 253 #endif | 254 #endif |
| 254 | 255 |
| 255 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) | 256 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 256 NOINLINE static void MaybeTriggerAsanError(const GURL& url) { | 257 NOINLINE static void MaybeTriggerAsanError(const GURL& url) { |
| 257 // NOTE(rogerm): We intentionally perform an invalid heap access here in | 258 // NOTE(rogerm): We intentionally perform an invalid heap access here in |
| 258 // order to trigger an Address Sanitizer (ASAN) error report. | 259 // order to trigger an Address Sanitizer (ASAN) error report. |
| 259 static const char kCrashDomain[] = "crash"; | 260 static const char kCrashDomain[] = "crash"; |
| 260 static const char kHeapOverflow[] = "/heap-overflow"; | 261 static const char kHeapOverflow[] = "/heap-overflow"; |
| 261 static const char kHeapUnderflow[] = "/heap-underflow"; | 262 static const char kHeapUnderflow[] = "/heap-underflow"; |
| 262 static const char kUseAfterFree[] = "/use-after-free"; | 263 static const char kUseAfterFree[] = "/use-after-free"; |
| 263 #if defined(SYZYASAN) | 264 #if defined(SYZYASAN) |
| 264 static const char kCorruptHeapBlock[] = "/corrupt-heap-block"; | 265 static const char kCorruptHeapBlock[] = "/corrupt-heap-block"; |
| 266 static const char kCorruptHeap[] = "/corrupt-heap"; | |
| 265 #endif | 267 #endif |
| 266 static const int kArraySize = 5; | 268 static const int kArraySize = 5; |
| 267 | 269 |
| 268 if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1)) | 270 if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1)) |
| 269 return; | 271 return; |
| 270 | 272 |
| 271 if (!url.has_path()) | 273 if (!url.has_path()) |
| 272 return; | 274 return; |
| 273 | 275 |
| 274 scoped_ptr<int[]> array(new int[kArraySize]); | |
| 275 std::string crash_type(url.path()); | 276 std::string crash_type(url.path()); |
| 276 int dummy = 0; | |
| 277 if (crash_type == kHeapOverflow) { | 277 if (crash_type == kHeapOverflow) { |
| 278 dummy = array[kArraySize]; | 278 base::debug::AsanHeapOverflow(); |
| 279 } else if (crash_type == kHeapUnderflow ) { | 279 } else if (crash_type == kHeapUnderflow ) { |
| 280 dummy = array[-1]; | 280 base::debug::AsanHeapUnderflow(); |
| 281 } else if (crash_type == kUseAfterFree) { | 281 } else if (crash_type == kUseAfterFree) { |
| 282 int* dangling = array.get(); | 282 base::debug::AsanHeapUseAfterFree(); |
| 283 array.reset(); | |
| 284 dummy = dangling[kArraySize / 2]; | |
| 285 #if defined(SYZYASAN) | 283 #if defined(SYZYASAN) |
| 286 } else if (crash_type == kCorruptHeapBlock) { | 284 } else if (crash_type == kCorruptHeapBlock) { |
| 287 CorruptMemoryBlock(); | 285 base::debug::AsanCorruptHeapBlock(); |
| 286 } else if (crash_type == kCorruptHeap) { | |
| 287 base::debug::AsanCorruptHeap(); | |
| 288 #endif | 288 #endif |
| 289 } | 289 } |
| 290 | |
| 291 // Make sure the assignments to the dummy value aren't optimized away. | |
| 292 base::debug::Alias(&dummy); | |
| 293 } | 290 } |
| 294 #endif // ADDRESS_SANITIZER || SYZYASAN | 291 #endif // ADDRESS_SANITIZER || SYZYASAN |
| 295 | 292 |
| 296 static void MaybeHandleDebugURL(const GURL& url) { | 293 static void MaybeHandleDebugURL(const GURL& url) { |
| 297 if (!url.SchemeIs(kChromeUIScheme)) | 294 if (!url.SchemeIs(kChromeUIScheme)) |
| 298 return; | 295 return; |
| 299 if (url == GURL(kChromeUICrashURL)) { | 296 if (url == GURL(kChromeUICrashURL)) { |
| 300 CrashIntentionally(); | 297 CrashIntentionally(); |
| 301 } else if (url == GURL(kChromeUIKillURL)) { | 298 } else if (url == GURL(kChromeUIKillURL)) { |
| 302 base::KillProcess(base::GetCurrentProcessHandle(), 1, false); | 299 base::KillProcess(base::GetCurrentProcessHandle(), 1, false); |
| 3547 | 3544 |
| 3548 RendererCdmManager* RenderFrameImpl::GetCdmManager() { | 3545 RendererCdmManager* RenderFrameImpl::GetCdmManager() { |
| 3549 if (!cdm_manager_) | 3546 if (!cdm_manager_) |
| 3550 cdm_manager_ = new RendererCdmManager(this); | 3547 cdm_manager_ = new RendererCdmManager(this); |
| 3551 return cdm_manager_; | 3548 return cdm_manager_; |
| 3552 } | 3549 } |
| 3553 | 3550 |
| 3554 #endif // defined(OS_ANDROID) | 3551 #endif // defined(OS_ANDROID) |
| 3555 | 3552 |
| 3556 } // namespace content | 3553 } // namespace content |
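Review bot: The NOTE(rogerm) comment at new lines 258–259 of MaybeTriggerAsanError is now stale: after this change the function no longer performs the invalid heap access itself — each branch calls a base::debug::Asan* helper from the newly included asan_invalid_access.h, and the local array, dummy and the base::debug::Alias() call the comment was written for are gone. Suggest rewording it to `// NOTE(rogerm): Each branch below calls a base::debug helper that intentionally performs an invalid heap access in order to trigger an Address Sanitizer (ASAN) error report.` A related nit: the new include at line 13 is unconditional while every call site sits inside `#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)`, which is only harmless if that header is itself safe to include in non-sanitizer builds — this cannot be confirmed from this view, so either guard the include to match the call sites or confirm the header compiles cleanly everywhere.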