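--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,22 +1,23 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/render_frame_impl.h"
 
 #include <map>
 #include <string>
 
 #include "base/auto_reset.h"
 #include "base/command_line.h"
 #include "base/debug/alias.h"
+#include "base/debug/asan_invalid_access.h"
 #include "base/debug/dump_without_crashing.h"
 #include "base/i18n/char_iterator.h"
 #include "base/metrics/histogram.h"
 #include "base/process/kill.h"
 #include "base/process/process.h"
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "content/child/appcache/appcache_dispatcher.h"
 #include "content/child/plugin_messages.h"
@@ -234,77 +235,54 @@
 return ds->originalRequest().url();
 }
 
 NOINLINE static void CrashIntentionally() {
 // NOTE(shess): Crash directly rather than using NOTREACHED() so
 // that the signature is easier to triage in crash reports.
 volatile int* zero = NULL;
 *zero = 0;
 }
 
-#if defined(SYZYASAN)
-NOINLINE static void CorruptMemoryBlock() {
-// NOTE(sebmarchand): We intentionally corrupt a memory block here in order to
-// trigger an Address Sanitizer (ASAN) error report.
-static const int kArraySize = 5;
-int* array = new int[kArraySize];
-// Encapsulate the invalid memory access into a try-catch statement to prevent
-// this function from being instrumented. This way the underflow won't be
-// detected but the corruption will (as the allocator will still be hooked).
-__try {
-int dummy = array[-1]--;
-// Make sure the assignments to the dummy value aren't optimized away.
-base::debug::Alias(&array);
-} __except (EXCEPTION_EXECUTE_HANDLER) {
-}
-delete[] array;
-}
-#endif
-
 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
 NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
 // NOTE(rogerm): We intentionally perform an invalid heap access here in
 // order to trigger an Address Sanitizer (ASAN) error report.
-static const char kCrashDomain[] = "crash";
-static const char kHeapOverflow[] = "/heap-overflow";
-static const char kHeapUnderflow[] = "/heap-underflow";
-static const char kUseAfterFree[] = "/use-after-free";
+const char kCrashDomain[] = "crash";
+const char kHeapOverflow[] = "/heap-overflow";
+const char kHeapUnderflow[] = "/heap-underflow";
+const char kUseAfterFree[] = "/use-after-free";
 #if defined(SYZYASAN)
-static const char kCorruptHeapBlock[] = "/corrupt-heap-block";
+const char kCorruptHeapBlock[] = "/corrupt-heap-block";
+const char kCorruptHeap[] = "/corrupt-heap";
 #endif
-static const int kArraySize = 5;
+const int kArraySize = 5;
 
 if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1))
 return;
 
 if (!url.has_path())
 return;
 
-scoped_ptr<int[]> array(new int[kArraySize]);
 std::string crash_type(url.path());
-int dummy = 0;
 if (crash_type == kHeapOverflow) {
-dummy = array[kArraySize];
+base::debug::AsanHeapOverflow();
 } else if (crash_type == kHeapUnderflow ) {
-dummy = array[-1];
+base::debug::AsanHeapUnderflow();
 } else if (crash_type == kUseAfterFree) {
-int* dangling = array.get();
-array.reset();
-dummy = dangling[kArraySize / 2];
+base::debug::AsanHeapUseAfterFree();
 #if defined(SYZYASAN)
 } else if (crash_type == kCorruptHeapBlock) {
-CorruptMemoryBlock();
+base::debug::AsanCorruptHeapBlock();
+} else if (crash_type == kCorruptHeap) {
+base::debug::AsanCorruptHeap();
 #endif
 }
-
-// Make sure the assignments to the dummy value aren't optimized away.
-base::debug::Alias(&dummy);
 }
 #endif // ADDRESS_SANITIZER || SYZYASAN
 
 static void MaybeHandleDebugURL(const GURL& url) {
 if (!url.SchemeIs(kChromeUIScheme))
 return;
 if (url == GURL(kChromeUICrashURL)) {
 CrashIntentionally();
 } else if (url == GURL(kChromeUIKillURL)) {
 base::KillProcess(base::GetCurrentProcessHandle(), 1, false);
@@ -3581,10 +3559,10 @@
 
 #if defined(ENABLE_BROWSER_CDMS)
 RendererCdmManager* RenderFrameImpl::GetCdmManager() {
 if (!cdm_manager_)
 cdm_manager_ = new RendererCdmManager(this);
 return cdm_manager_;
 }
 #endif // defined(ENABLE_BROWSER_CDMS)
 
 } // namespace content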
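Review bot: The new `/corrupt-heap` branch (new lines 275-276 of MaybeTriggerAsanError) is the only crash type with no explanation, and now that `CorruptMemoryBlock` and the inline array accesses are gone the function no longer says how `/corrupt-heap` differs from `/corrupt-heap-block` or where the faulting code went; a one-line comment above the dispatch such as `// Each branch only selects a fault type; the invalid accesses themselves live in base/debug/asan_invalid_access.h.` would restore that, with a clause on the block-vs-heap distinction if it is known. MaybeTriggerAsanError itself gates only on the `crash` host and the path, so whether it can be reached for a non-chrome:// URL depends on its caller, which is not in view — presumably MaybeHandleDebugURL after its kChromeUIScheme check — and that is worth stating as a precondition comment on the function. As a style nit carried through as context, `} else if (crash_type == kHeapUnderflow ) {` keeps a stray space before the closing parenthesis. MaybeHandleDebugURL continues past the end of the hunk.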