| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/frame_host/debug_urls.h" | 5 #include "content/browser/frame_host/debug_urls.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/debug/asan_invalid_access.h" |
| 10 #include "base/debug/profiler.h" |
| 9 #include "base/strings/utf_string_conversions.h" | 11 #include "base/strings/utf_string_conversions.h" |
| 10 #include "content/browser/gpu/gpu_process_host_ui_shim.h" | 12 #include "content/browser/gpu/gpu_process_host_ui_shim.h" |
| 11 #include "content/browser/ppapi_plugin_process_host.h" | 13 #include "content/browser/ppapi_plugin_process_host.h" |
| 12 #include "content/public/browser/browser_thread.h" | 14 #include "content/public/browser/browser_thread.h" |
| 13 #include "content/public/common/content_constants.h" | 15 #include "content/public/common/content_constants.h" |
| 14 #include "content/public/common/url_constants.h" | 16 #include "content/public/common/url_constants.h" |
| 15 #include "ppapi/proxy/ppapi_messages.h" | 17 #include "ppapi/proxy/ppapi_messages.h" |
| 16 #include "url/gurl.h" | 18 #include "url/gurl.h" |
| 17 | 19 |
| 18 namespace content { | 20 namespace content { |
| 19 | 21 |
| 20 namespace { | 22 namespace { |
| 21 | 23 |
| 24 // Define the Asan debug URLs. |
| 25 const char kAsanCrashDomain[] = "crash"; |
| 26 const char kAsanHeapOverflow[] = "/browser-heap-overflow"; |
| 27 const char kAsanHeapUnderflow[] = "/browser-heap-underflow"; |
| 28 const char kAsanUseAfterFree[] = "/browser-use-after-free"; |
| 29 #if defined(SYZYASAN) |
| 30 const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block"; |
| 31 const char kAsanCorruptHeap[] = "/browser-corrupt-heap"; |
| 32 #endif |
| 33 |
| 22 void HandlePpapiFlashDebugURL(const GURL& url) { | 34 void HandlePpapiFlashDebugURL(const GURL& url) { |
| 23 #if defined(ENABLE_PLUGINS) | 35 #if defined(ENABLE_PLUGINS) |
| 24 bool crash = url == GURL(kChromeUIPpapiFlashCrashURL); | 36 bool crash = url == GURL(kChromeUIPpapiFlashCrashURL); |
| 25 | 37 |
| 26 std::vector<PpapiPluginProcessHost*> hosts; | 38 std::vector<PpapiPluginProcessHost*> hosts; |
| 27 PpapiPluginProcessHost::FindByName( | 39 PpapiPluginProcessHost::FindByName( |
| 28 base::UTF8ToUTF16(kFlashPluginName), &hosts); | 40 base::UTF8ToUTF16(kFlashPluginName), &hosts); |
| 29 for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin(); | 41 for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin(); |
| 30 iter != hosts.end(); ++iter) { | 42 iter != hosts.end(); ++iter) { |
| 31 if (crash) | 43 if (crash) |
| 32 (*iter)->Send(new PpapiMsg_Crash()); | 44 (*iter)->Send(new PpapiMsg_Crash()); |
| 33 else | 45 else |
| 34 (*iter)->Send(new PpapiMsg_Hang()); | 46 (*iter)->Send(new PpapiMsg_Hang()); |
| 35 } | 47 } |
| 36 #endif | 48 #endif |
| 37 } | 49 } |
| 38 | 50 |
| 51 bool IsAsanDebugURL(const GURL& url) { |
| 52 #if defined(SYZYASAN) |
| 53 if (!base::debug::IsBinaryInstrumented()) |
| 54 return false; |
| 55 #endif |
| 56 |
| 57 if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme) && |
| 58 url.DomainIs(kAsanCrashDomain, sizeof(kAsanCrashDomain) - 1) && |
| 59 url.has_path())) { |
| 60 return false; |
| 61 } |
| 62 |
| 63 if (url.path() == kAsanHeapOverflow || url.path() == kAsanHeapUnderflow || |
| 64 url.path() == kAsanUseAfterFree) { |
| 65 return true; |
| 66 } |
| 67 |
| 68 #if defined(SYZYASAN) |
| 69 if (url.path() == kAsanCorruptHeapBlock || url.path() == kAsanCorruptHeap) |
| 70 return true; |
| 71 #endif |
| 72 |
| 73 return false; |
| 74 } |
| 75 |
| 76 bool HandleAsanDebugURL(const GURL& url) { |
| 77 #if defined(SYZYASAN) |
| 78 if (!base::debug::IsBinaryInstrumented()) |
| 79 return false; |
| 80 |
| 81 if (url.path() == kAsanCorruptHeapBlock) { |
| 82 base::debug::AsanCorruptHeapBlock(); |
| 83 return true; |
| 84 } else if (url.path() == kAsanCorruptHeap) { |
| 85 base::debug::AsanCorruptHeap(); |
| 86 return true; |
| 87 } |
| 88 #endif |
| 89 |
| 90 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) |
| 91 if (url.path() == kAsanHeapOverflow) { |
| 92 base::debug::AsanHeapOverflow(); |
| 93 } else if (url.path() == kAsanHeapUnderflow) { |
| 94 base::debug::AsanHeapUnderflow(); |
| 95 } else if (url.path() == kAsanUseAfterFree) { |
| 96 base::debug::AsanHeapUseAfterFree(); |
| 97 } else { |
| 98 return false; |
| 99 } |
| 100 #endif |
| 101 |
| 102 return true; |
| 103 } |
| 104 |
| 105 |
| 39 } // namespace | 106 } // namespace |
| 40 | 107 |
| 41 bool HandleDebugURL(const GURL& url, PageTransition transition) { | 108 bool HandleDebugURL(const GURL& url, PageTransition transition) { |
| 42 // Ensure that the user explicitly navigated to this URL. | 109 // Ensure that the user explicitly navigated to this URL. |
| 43 if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR)) | 110 if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR)) |
| 44 return false; | 111 return false; |
| 45 | 112 |
| 46 // NOTE: when you add handling of any URLs to this function, also | 113 // NOTE: when you add handling of any URLs to this function, also |
| 47 // update IsDebugURL, below. | 114 // update IsDebugURL, below. |
| 48 | 115 |
| 116 if (IsAsanDebugURL(url)) |
| 117 return HandleAsanDebugURL(url); |
| 118 |
| 49 if (url.host() == kChromeUIBrowserCrashHost) { | 119 if (url.host() == kChromeUIBrowserCrashHost) { |
| 50 // Induce an intentional crash in the browser process. | 120 // Induce an intentional crash in the browser process. |
| 51 CHECK(false); | 121 CHECK(false); |
| 52 return true; | 122 return true; |
| 53 } | 123 } |
| 54 | 124 |
| 55 if (url == GURL(kChromeUIGpuCleanURL)) { | 125 if (url == GURL(kChromeUIGpuCleanURL)) { |
| 56 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); | 126 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); |
| 57 if (shim) | 127 if (shim) |
| 58 shim->SimulateRemoveAllContext(); | 128 shim->SimulateRemoveAllContext(); |
| 79 base::Bind(&HandlePpapiFlashDebugURL, url)); | 149 base::Bind(&HandlePpapiFlashDebugURL, url)); |
| 80 return true; | 150 return true; |
| 81 } | 151 } |
| 82 | 152 |
| 83 return false; | 153 return false; |
| 84 } | 154 } |
| 85 | 155 |
| 86 bool IsDebugURL(const GURL& url) { | 156 bool IsDebugURL(const GURL& url) { |
| 87 // NOTE: when you add any URLs to this list, also update | 157 // NOTE: when you add any URLs to this list, also update |
| 88 // HandleDebugURL, above. | 158 // HandleDebugURL, above. |
| 89 return IsRendererDebugURL(url) || | 159 return IsRendererDebugURL(url) || IsAsanDebugURL(url) || |
| 90 (url.is_valid() && | 160 (url.is_valid() && |
| 91 (url.host() == kChromeUIBrowserCrashHost || | 161 (url.host() == kChromeUIBrowserCrashHost || |
| 92 url == GURL(kChromeUIGpuCleanURL) || | 162 url == GURL(kChromeUIGpuCleanURL) || |
| 93 url == GURL(kChromeUIGpuCrashURL) || | 163 url == GURL(kChromeUIGpuCrashURL) || |
| 94 url == GURL(kChromeUIGpuHangURL) || | 164 url == GURL(kChromeUIGpuHangURL) || |
| 95 url == GURL(kChromeUIPpapiFlashCrashURL) || | 165 url == GURL(kChromeUIPpapiFlashCrashURL) || |
| 96 url == GURL(kChromeUIPpapiFlashHangURL))); | 166 url == GURL(kChromeUIPpapiFlashHangURL))); |
| 97 } | 167 } |
| 98 | 168 |
| 99 bool IsRendererDebugURL(const GURL& url) { | 169 bool IsRendererDebugURL(const GURL& url) { |
| 100 if (!url.is_valid()) | 170 if (!url.is_valid()) |
| 101 return false; | 171 return false; |
| 102 | 172 |
| 103 if (url.SchemeIs(url::kJavaScriptScheme)) | 173 if (url.SchemeIs(url::kJavaScriptScheme)) |
| 104 return true; | 174 return true; |
| 105 | 175 |
| 106 return url == GURL(kChromeUICrashURL) || | 176 return url == GURL(kChromeUICrashURL) || |
| 107 url == GURL(kChromeUIKillURL) || | 177 url == GURL(kChromeUIKillURL) || |
| 108 url == GURL(kChromeUIHangURL) || | 178 url == GURL(kChromeUIHangURL) || |
| 109 url == GURL(kChromeUIShorthangURL); | 179 url == GURL(kChromeUIShorthangURL); |
| 110 } | 180 } |
| 111 | 181 |
| 112 } // namespace content | 182 } // namespace content |
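Review bot: In a build where neither ADDRESS_SANITIZER nor SYZYASAN is defined, IsAsanDebugURL() still matches the `crash` host with the `/browser-heap-overflow`, `/browser-heap-underflow` and `/browser-use-after-free` paths, and HandleAsanDebugURL() then skips both `#if` blocks and reaches `return true`. HandleDebugURL() therefore reports the navigation as handled, and IsDebugURL() classifies it as a debug URL, although nothing ran. Opening IsAsanDebugURL() with `#if !defined(ADDRESS_SANITIZER) && !defined(SYZYASAN)` / `return false;` / `#endif` would stop uninstrumented builds from claiming these URLs. The host test uses `url.DomainIs(kAsanCrashDomain, ...)`, which as far as I can tell also accepts subdomains of `crash`, whereas the browser-crash check just below compares `url.host()` exactly; `url.host() == kAsanCrashDomain` would match it. Since HandleAsanDebugURL() deliberately corrupts browser-process heap state when instrumented, a short comment on it such as `// Only reachable via HandleDebugURL(), which requires PAGE_TRANSITION_FROM_ADDRESS_BAR.` would record the precondition for anyone adding another caller.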