content/browser/frame_host/debug_urls.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "content/browser/frame_host/debug_urls.h"
   6
   7 #include <vector>
   8
   9 #include "base/command_line.h"
  10 #include "base/debug/asan_invalid_access.h"
  11 #include "base/debug/profiler.h"
  12 #include "base/strings/utf_string_conversions.h"
  13 #include "cc/base/switches.h"
  14 #include "content/browser/gpu/gpu_process_host_ui_shim.h"
  15 #include "content/public/browser/browser_thread.h"
  16 #include "content/public/common/content_constants.h"
  17 #include "content/public/common/url_constants.h"
  18 #include "ppapi/proxy/ppapi_messages.h"
  19 #include "url/gurl.h"
  20
  21 #if defined(ENABLE_PLUGINS)
  22 #include "content/browser/ppapi_plugin_process_host.h"
  23 #endif
  24
  25 namespace content {
  26
  27 namespace {
  28
  29 // Define the Asan debug URLs.
  30 const char kAsanCrashDomain[] = "crash";
  31 const char kAsanHeapOverflow[] = "/browser-heap-overflow";
  32 const char kAsanHeapUnderflow[] = "/browser-heap-underflow";
  33 const char kAsanUseAfterFree[] = "/browser-use-after-free";
  34 #if defined(SYZYASAN)
  35 const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block";
  36 const char kAsanCorruptHeap[] = "/browser-corrupt-heap";
  37 #endif
  38
  39 void HandlePpapiFlashDebugURL(const GURL& url) {
  40 #if defined(ENABLE_PLUGINS)
  41   bool crash = url == GURL(kChromeUIPpapiFlashCrashURL);
  42
  43   std::vector<PpapiPluginProcessHost*> hosts;
  44   PpapiPluginProcessHost::FindByName(
  45       base::UTF8ToUTF16(kFlashPluginName), &hosts);
  46   for (std::vector<PpapiPluginProcessHost*>::iterator iter = hosts.begin();
  47        iter != hosts.end(); ++iter) {
  48     if (crash)
  49       (*iter)->Send(new PpapiMsg_Crash());
  50     else
  51       (*iter)->Send(new PpapiMsg_Hang());
  52   }
  53 #endif
  54 }
  55
  56 bool IsAsanDebugURL(const GURL& url) {
  57 #if defined(SYZYASAN)
  58   if (!base::debug::IsBinaryInstrumented())
  59     return false;
  60 #endif
  61
  62   if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme) &&
  63         url.DomainIs(kAsanCrashDomain, sizeof(kAsanCrashDomain) - 1) &&
  64         url.has_path())) {
  65     return false;
  66   }
  67
  68   if (url.path() == kAsanHeapOverflow || url.path() == kAsanHeapUnderflow ||
  69       url.path() == kAsanUseAfterFree) {
  70     return true;
  71   }
  72
  73 #if defined(SYZYASAN)
  74   if (url.path() == kAsanCorruptHeapBlock || url.path() == kAsanCorruptHeap)
  75     return true;
  76 #endif
  77
  78   return false;
  79 }
  80
  81 bool HandleAsanDebugURL(const GURL& url) {
  82 #if defined(SYZYASAN)
  83   if (!base::debug::IsBinaryInstrumented())
  84     return false;
  85
  86   if (url.path() == kAsanCorruptHeapBlock) {
  87     base::debug::AsanCorruptHeapBlock();
  88     return true;
  89   } else if (url.path() == kAsanCorruptHeap) {
  90     base::debug::AsanCorruptHeap();
  91     return true;
  92   }
  93 #endif
  94
  95 #if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
  96   if (url.path() == kAsanHeapOverflow) {
  97     base::debug::AsanHeapOverflow();
  98   } else if (url.path() == kAsanHeapUnderflow) {
  99     base::debug::AsanHeapUnderflow();
 100   } else if (url.path() == kAsanUseAfterFree) {
 101     base::debug::AsanHeapUseAfterFree();
 102   } else {
 103     return false;
 104   }
 105 #endif
 106
 107   return true;
 108 }
 109
 110
 111 }  // namespace
 112
 113 bool HandleDebugURL(const GURL& url, PageTransition transition) {
 114   // Ensure that the user explicitly navigated to this URL, unless
 115   // kEnableGpuBenchmarking is enabled by Telemetry.
 116   bool is_telemetry_navigation =
 117       base::CommandLine::ForCurrentProcess()->HasSwitch(
 118           cc::switches::kEnableGpuBenchmarking) &&
 119       (transition & PAGE_TRANSITION_TYPED);
 120
 121   if (!(transition & PAGE_TRANSITION_FROM_ADDRESS_BAR) &&
 122       !is_telemetry_navigation)
 123     return false;
 124
 125   if (IsAsanDebugURL(url))
 126     return HandleAsanDebugURL(url);
 127
 128   if (url.host() == kChromeUIBrowserCrashHost) {
 129     // Induce an intentional crash in the browser process.
 130     CHECK(false);
 131     return true;
 132   }
 133
 134   if (url == GURL(kChromeUIGpuCleanURL)) {
 135     GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance();
 136     if (shim)
 137       shim->SimulateRemoveAllContext();
 138     return true;
 139   }
 140
 141   if (url == GURL(kChromeUIGpuCrashURL)) {
 142     GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance();
 143     if (shim)
 144       shim->SimulateCrash();
 145     return true;
 146   }
 147
 148   if (url == GURL(kChromeUIGpuHangURL)) {
 149     GpuProcessHostUIShim* shim = GpuProcessHostUIShim::GetOneInstance();
 150     if (shim)
 151       shim->SimulateHang();
 152     return true;
 153   }
 154
 155   if (url == GURL(kChromeUIPpapiFlashCrashURL) ||
 156       url == GURL(kChromeUIPpapiFlashHangURL)) {
 157     BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
 158                             base::Bind(&HandlePpapiFlashDebugURL, url));
 159     return true;
 160   }
 161
 162   return false;
 163 }
 164
 165 bool IsRendererDebugURL(const GURL& url) {
 166   if (!url.is_valid())
 167     return false;
 168
 169   if (url.SchemeIs(url::kJavaScriptScheme))
 170     return true;
 171
 172   return url == GURL(kChromeUICrashURL) ||
 173          url == GURL(kChromeUIDumpURL) ||
 174          url == GURL(kChromeUIKillURL) ||
 175          url == GURL(kChromeUIHangURL) ||
 176          url == GURL(kChromeUIShorthangURL);
 177 }
 178
 179 }  // namespace content