blob: ff7788a39cc6eef35151cc8bde487992fd453630 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#if defined(OS_WIN)
#include <windows.h>
#endif
#include "base/debug/alias.h"
#include "base/debug/asan_invalid_access.h"
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
namespace base {
namespace debug {
namespace {
#if defined(SYZYASAN)
// Corrupt a memory block and make sure that the corruption gets detected either
// when we free it or when another crash happens (if |induce_crash| is set to
// true).
NOINLINE void CorruptMemoryBlock(bool induce_crash) {
// NOTE(sebmarchand): We intentionally corrupt a memory block here in order to
// trigger an Address Sanitizer (ASAN) error report.
static const int kArraySize = 5;
int* array = new int[kArraySize];
// Encapsulate the invalid memory access into a try-catch statement to prevent
// this function from being instrumented. This way the underflow won't be
// detected but the corruption will (as the allocator will still be hooked).
try {
// Declares the dummy value as volatile to make sure it doesn't get
// optimized away.
int volatile dummy = array[-1]--;
base::debug::Alias(const_cast<int*>(&dummy));
} catch (...) {
}
if (induce_crash)
CHECK(false);
delete[] array;
}
#endif
} // namespace
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
// NOTE(sebmarchand): We intentionally perform some invalid heap access here in
// order to trigger an AddressSanitizer (ASan) error report.
static const int kArraySize = 5;
void AsanHeapOverflow() {
scoped_ptr<int[]> array(new int[kArraySize]);
// Declares the dummy value as volatile to make sure it doesn't get optimized
// away.
int volatile dummy = 0;
dummy = array[kArraySize];
base::debug::Alias(const_cast<int*>(&dummy));
}
void AsanHeapUnderflow() {
scoped_ptr<int[]> array(new int[kArraySize]);
// Declares the dummy value as volatile to make sure it doesn't get optimized
// away.
int volatile dummy = 0;
dummy = array[-1];
base::debug::Alias(const_cast<int*>(&dummy));
}
void AsanHeapUseAfterFree() {
scoped_ptr<int[]> array(new int[kArraySize]);
// Declares the dummy value as volatile to make sure it doesn't get optimized
// away.
int volatile dummy = 0;
int* dangling = array.get();
array.reset();
dummy = dangling[kArraySize / 2];
base::debug::Alias(const_cast<int*>(&dummy));
}
#endif // ADDRESS_SANITIZER || SYZYASAN
#if defined(SYZYASAN)
void AsanCorruptHeapBlock() {
CorruptMemoryBlock(false);
}
void AsanCorruptHeap() {
CorruptMemoryBlock(true);
}
#endif // SYZYASAN
} // namespace debug
} // namespace base
|
