1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "content/browser/frame_host/debug_urls.h" 6 7 #include <vector> 8 9 #include "base/debug/asan_invalid_access.h" 10 #include "base/debug/profiler.h" 11 #include "base/strings/utf_string_conversions.h" 12 #include "content/browser/gpu/gpu_process_host_ui_shim.h" 13 #include "content/browser/ppapi_plugin_process_host.h" 14 #include "content/public/browser/browser_thread.h" 15 #include "content/public/common/content_constants.h" 16 #include "content/public/common/url_constants.h" 17 #include "ppapi/proxy/ppapi_messages.h" 18 #include "url/gurl.h" 19 20 namespace content { 21 22 namespace { 23 24 // Define the Asan debug URLs. 25 const char kAsanCrashDomain[] = "crash"; 26 const char kAsanHeapOverflow[] = "/browser-heap-overflow"; 27 const char kAsanHeapUnderflow[] = "/browser-heap-underflow"; 28 const char kAsanUseAfterFree[] = "/browser-use-after-free"; 29 #if defined(SYZYASAN) 30 const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block"; 31 const char kAsanCorruptHeap[] = "/browser-corrupt-heap"; 32 #endif 33 34 void HandlePpapiFlashDebugURL(const GURL& url) { 35 #if defined(ENABLE_PLUGINS) 36 bool crash = url == GURL(kChromeUIPpapiFlashCrashURL); 37 38 std::vector<PpapiPluginProcessHost*> hosts; 39 PpapiPluginProcessHost::FindByName( 40 base::UTF8ToUTF16(kFlashPluginName), &hosts); 41 for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin(); 42 iter != hosts.end(); ++iter) { 43 if (crash) 44 (*iter)->Send(new PpapiMsg_Crash()); 45 else 46 (*iter)->Send(new PpapiMsg_Hang()); 47 } 48 #endif 49 } 50 51 bool IsAsanDebugURL(const GURL& url) { 52 #if defined(SYZYASAN) 53 if (!base::debug::IsBinaryInstrumented()) 54 return false; 55 #endif 56 57 if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme) && 58 url.DomainIs(kAsanCrashDomain, sizeof(kAsanCrashDomain) - 1) && 59 url.has_path())) { 60 return false; 61 } 62 63 if (url.path() == kAsanHeapOverflow || url.path() == kAsanHeapUnderflow || 64 url.path() == kAsanUseAfterFree) { 65 return true; 66 } 67 68 #if defined(SYZYASAN) 69 if (url.path() == kAsanCorruptHeapBlock || url.path() == kAsanCorruptHeap) 70 return true; 71 #endif 72 73 return false; 74 } 75 76 bool HandleAsanDebugURL(const GURL& url) { 77 #if defined(SYZYASAN) 78 if (!base::debug::IsBinaryInstrumented()) 79 return false; 80 81 if (url.path() == kAsanCorruptHeapBlock) { 82 base::debug::AsanCorruptHeapBlock(); 83 return true; 84 } else if (url.path() == kAsanCorruptHeap) { 85 base::debug::AsanCorruptHeap(); 86 return true; 87 } 88 #endif 89 90 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN) 91 if (url.path() == kAsanHeapOverflow) { 92 base::debug::AsanHeapOverflow(); 93 } else if (url.path() == kAsanHeapUnderflow) { 94 base::debug::AsanHeapUnderflow(); 95 } else if (url.path() == kAsanUseAfterFree) { 96 base::debug::AsanHeapUseAfterFree(); 97 } else { 98 return false; 99 } 100 #endif 101 102 return true; 103 } 104 105 106 } // namespace 107 108 bool HandleDebugURL(const GURL& url, PageTransition transition) { 109 // Ensure that the user explicitly navigated to this URL. 110 if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR)) 111 return false; 112 113 // NOTE: when you add handling of any URLs to this function, also 114 // update IsDebugURL, below. 115 116 if (IsAsanDebugURL(url)) 117 return HandleAsanDebugURL(url); 118 119 if (url.host() == kChromeUIBrowserCrashHost) { 120 // Induce an intentional crash in the browser process. 121 CHECK(false); 122 return true; 123 } 124 125 if (url == GURL(kChromeUIGpuCleanURL)) { 126 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); 127 if (shim) 128 shim->SimulateRemoveAllContext(); 129 return true; 130 } 131 132 if (url == GURL(kChromeUIGpuCrashURL)) { 133 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); 134 if (shim) 135 shim->SimulateCrash(); 136 return true; 137 } 138 139 if (url == GURL(kChromeUIGpuHangURL)) { 140 GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance(); 141 if (shim) 142 shim->SimulateHang(); 143 return true; 144 } 145 146 if (url == GURL(kChromeUIPpapiFlashCrashURL) || 147 url == GURL(kChromeUIPpapiFlashHangURL)) { 148 BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, 149 base::Bind(&HandlePpapiFlashDebugURL, url)); 150 return true; 151 } 152 153 return false; 154 } 155 156 bool IsDebugURL(const GURL& url) { 157 // NOTE: when you add any URLs to this list, also update 158 // HandleDebugURL, above. 159 return IsRendererDebugURL(url) || IsAsanDebugURL(url) || 160 (url.is_valid() && 161 (url.host() == kChromeUIBrowserCrashHost || 162 url == GURL(kChromeUIGpuCleanURL) || 163 url == GURL(kChromeUIGpuCrashURL) || 164 url == GURL(kChromeUIGpuHangURL) || 165 url == GURL(kChromeUIPpapiFlashCrashURL) || 166 url == GURL(kChromeUIPpapiFlashHangURL))); 167 } 168 169 bool IsRendererDebugURL(const GURL& url) { 170 if (!url.is_valid()) 171 return false; 172 173 if (url.SchemeIs(url::kJavaScriptScheme)) 174 return true; 175 176 return url == GURL(kChromeUICrashURL) || 177 url == GURL(kChromeUIDumpURL) || 178 url == GURL(kChromeUIKillURL) || 179 url == GURL(kChromeUIHangURL) || 180 url == GURL(kChromeUIShorthangURL); 181 } 182 183 } // namespace content 184
