Add support for ASAN error generation to chrome://crash/...

Adds the following crash URLS to chrome/chromium builds when ADDRESS_SANITIZER is defined (built with asan=1 in GYP_DEFINES). chrome://crash/heap-overflow chrome://crash/heap-underflow chrome://crash/use-after-free This allows easy validation of the instrumentation/reporting for a given build without having to track down a known/unfixed memory error. R= jamesr@chromium.org, sebmarchand@chromium.org, kcc@chromium.org Review URL: https://chromiumcodereview.appspot.com/16022009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@204095 0039d316-1c4b-4281-b951-d872f2087c98

Add support for ASAN error generation to chrome://crash/...
Adds the following crash URLS to chrome/chromium builds when ADDRESS_SANITIZER is defined (built with asan=1 in GYP_DEFINES). chrome://crash/heap-overflow chrome://crash/heap-underflow chrome://crash/use-after-free This allows easy validation of the instrumentation/reporting for a given build without having to track down a known/unfixed memory error. R= jamesr@chromium.org, sebmarchand@chromium.org, kcc@chromium.org Review URL: https://chromiumcodereview.appspot.com/16022009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@204095 0039d316-1c4b-4281-b951-d872f2087c98
2132d6bb · rogerm@chromium.org · ccdfabae · 2132d6bb
Commit 2132d6bb authored Jun 05, 2013 by rogerm@chromium.org
Show whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

content/renderer/render_view_impl.cc content/renderer/render_view_impl.cc +39 -0

No files found.
--- a/content/renderer/render_view_impl.cc
+++ b/content/renderer/render_view_impl.cc
@@ -12,6 +12,7 @@
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
+#include "base/debug/alias.h"
 #include "base/debug/trace_event.h"
 #include "base/json/json_writer.h"
 #include "base/lazy_instance.h"
@@ -439,6 +440,40 @@ NOINLINE static void CrashIntentionally() {
  *zero = 0;
 }
+#if defined(ADDRESS_SANITIZER)
+NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
+  // NOTE(rogerm): We intentionally perform an invalid heap access here in
+  //     order to trigger an Address Sanitizer (ASAN) error report.
+  static const char kCrashDomain[] = "crash";
+  static const char kHeapOverflow[] = "/heap-overflow";
+  static const char kHeapUnderflow[] = "/heap-underflow";
+  static const char kUseAfterFree[] = "/use-after-free";
+  static const int kArraySize = 5;
+  if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1))
+    return;
+  if (!url.has_path())
+    return;
+  scoped_ptr<int[]> array(new int[kArraySize]);
+  std::string crash_type(url.path());
+  int dummy = 0;
+  if (crash_type == kHeapOverflow) {
+    dummy = array[kArraySize];
+  } else if (crash_type == kHeapUnderflow ) {
+    dummy = array[-1];
+  } else if (crash_type == kUseAfterFree) {
+    int* dangling = array.get();
+    array.reset();
+    dummy = dangling[kArraySize / 2];
+  }
+  // Make sure the assignments to the dummy value aren't optimized away.
+  base::debug::Alias(&dummy);
+}
+#endif  // ADDRESS_SANITIZER
 static void MaybeHandleDebugURL(const GURL& url) {
  if (!url.SchemeIs(chrome::kChromeUIScheme))
    return;
@@ -453,6 +488,10 @@ static void MaybeHandleDebugURL(const GURL& url) {
  } else if (url == GURL(kChromeUIShorthangURL)) {
    base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(20));
  }
+#if defined(ADDRESS_SANITIZER)
+  MaybeTriggerAsanError(url);
+#endif  // ADDRESS_SANITIZER
 }
 // Returns false unless this is a top-level navigation.