content/browser/renderer_host/debug_urls.cc

// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/renderer_host/debug_urls.h"

#include <vector>

#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/debug/alias.h"
#include "base/debug/asan_invalid_access.h"
#include "base/debug/profiler.h"
#include "base/functional/bind.h"
#include "base/immediate_crash.h"
#include "base/memory/memory_pressure_listener.h"
#include "base/sanitizer_buildflags.h"
#include "base/strings/utf_string_conversions.h"
#include "base/synchronization/waitable_event.h"
#include "base/threading/thread_restrictions.h"
#include "build/build_config.h"
#include "cc/base/switches.h"
#include "content/browser/gpu/gpu_process_host.h"
#include "content/public/browser/browser_task_traits.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/common/content_constants.h"
#include "content/public/common/url_constants.h"
#include "third_party/blink/public/common/chrome_debug_urls.h"
#include "url/gurl.h"

#if BUILDFLAG(IS_WIN)
#include "base/debug/invalid_access_win.h"
#endif

namespace content {

class ScopedAllowWaitForDebugURL {
 private:
  base::ScopedAllowBaseSyncPrimitivesOutsideBlockingScope wait;
};

namespace {

// Define the Asan debug URLs.
const char kAsanCrashDomain[] = "crash";
const char kAsanHeapOverflow[] = "/browser-heap-overflow";
const char kAsanHeapUnderflow[] = "/browser-heap-underflow";
const char kAsanUseAfterFree[] = "/browser-use-after-free";

#if BUILDFLAG(IS_WIN)
const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block";
const char kAsanCorruptHeap[] = "/browser-corrupt-heap";
#endif

// The conditions here must stay in sync with |HandleAsanDebugURL|.
bool IsAsanDebugURL(const GURL& url) {
  if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme) &&
        url.DomainIs(kAsanCrashDomain) && url.has_path())) {
    return false;
  }

  if (url.path_piece() == kAsanHeapOverflow ||
      url.path_piece() == kAsanHeapUnderflow ||
      url.path_piece() == kAsanUseAfterFree) {
    return true;
  }

#if BUILDFLAG(IS_WIN)
  if (url.path_piece() == kAsanCorruptHeapBlock ||
      url.path_piece() == kAsanCorruptHeap) {
    return true;
  }
#endif

  return false;
}

// The URLs handled here must exactly match those that return true from
// |IsAsanDebugURL|.
void HandleAsanDebugURL(const GURL& url) {
  CHECK(IsAsanDebugURL(url));
#if defined(ADDRESS_SANITIZER) || BUILDFLAG(IS_HWASAN)
#if BUILDFLAG(IS_WIN)
  if (url.path_piece() == kAsanCorruptHeapBlock) {
    base::debug::AsanCorruptHeapBlock();
    return;
  }
  if (url.path_piece() == kAsanCorruptHeap) {
    base::debug::AsanCorruptHeap();
    return;
  }
#endif  // BUILDFLAG(IS_WIN)

  if (url.path_piece() == kAsanHeapOverflow) {
    base::debug::AsanHeapOverflow();
    return;
  }
  if (url.path_piece() == kAsanHeapUnderflow) {
    base::debug::AsanHeapUnderflow();
    return;
  }
  if (url.path_piece() == kAsanUseAfterFree) {
    base::debug::AsanHeapUseAfterFree();
    return;
  }
#endif
}

NOINLINE void HangCurrentThread() {
  ScopedAllowWaitForDebugURL allow_wait;
  base::WaitableEvent(base::WaitableEvent::ResetPolicy::AUTOMATIC,
                      base::WaitableEvent::InitialState::NOT_SIGNALED)
      .Wait();
}

NOINLINE void CrashBrowserProcessIntentionally() {
  // Don't fold so that crash reports will clearly show this method. This helps
  // with crash triage.
  NO_CODE_FOLDING();
  // Induce an intentional crash in the browser process.
  base::ImmediateCrash();
}

}  // namespace

// The conditions here must stay in sync with |HandleDebugURL|.
bool IsDebugURL(const GURL& url) {
  if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme))) {
    return false;
  }

  if (IsAsanDebugURL(url)) {
    return true;
  }

  if (url == blink::kChromeUIBrowserCrashURL ||
      url == blink::kChromeUIBrowserDcheckURL ||
#if BUILDFLAG(IS_WIN)
      url == blink::kChromeUIBrowserHeapCorruptionURL ||
#endif
      url == blink::kChromeUIBrowserUIHang ||
      url == blink::kChromeUIDelayedBrowserUIHang ||
      url == blink::kChromeUIGpuCleanURL ||
      url == blink::kChromeUIGpuCrashURL ||
#if BUILDFLAG(IS_ANDROID)
      url == blink::kChromeUIGpuJavaCrashURL ||
#endif
      url == blink::kChromeUIGpuHangURL ||
      url == blink::kChromeUIMemoryPressureCriticalURL ||
      url == blink::kChromeUIMemoryPressureModerateURL) {
    return true;
  }

  return false;
}

// The URLs handled here must exactly match those that return true from
// |IsDebugURL|.
void HandleDebugURL(const GURL& url,
                    ui::PageTransition transition,
                    bool is_explicit_navigation) {
  CHECK(IsDebugURL(url));
  // We want to handle the debug URL if the user explicitly navigated to this
  // URL, unless kEnableGpuBenchmarking is enabled by Telemetry.
  bool is_telemetry_navigation =
      base::CommandLine::ForCurrentProcess()->HasSwitch(
          switches::kEnableGpuBenchmarking) &&
      (PageTransitionCoreTypeIs(transition, ui::PAGE_TRANSITION_TYPED));
  if (!is_explicit_navigation && !is_telemetry_navigation) {
    return;
  }

  if (IsAsanDebugURL(url)) {
    HandleAsanDebugURL(url);
    return;
  }
  if (url == blink::kChromeUIBrowserCrashURL) {
    CrashBrowserProcessIntentionally();
    return;
  }
  if (url == blink::kChromeUIBrowserDcheckURL) {
    // Induce an intentional DCHECK in the browser process. This is used to
    // see if a DCHECK will bring down the current process (is FATAL).
    DCHECK(false);
    return;
  }
#if BUILDFLAG(IS_WIN)
  if (url == blink::kChromeUIBrowserHeapCorruptionURL) {
    // Induce an intentional heap corruption in the browser process.
    base::debug::win::TerminateWithHeapCorruption();
  }
#endif
  if (url == blink::kChromeUIBrowserUIHang) {
    HangCurrentThread();
    return;
  }
  if (url == blink::kChromeUIDelayedBrowserUIHang) {
    // Webdriver-safe url to hang the ui thread. Webdriver waits for the onload
    // event in javascript which needs a little more time to fire.
    GetUIThreadTaskRunner({})->PostDelayedTask(
        FROM_HERE, base::BindOnce(&HangCurrentThread), base::Seconds(2));
    return;
  }
  if (url == blink::kChromeUIGpuCleanURL) {
    auto* host = GpuProcessHost::Get();
    if (host) {
      host->gpu_service()->DestroyAllChannels();
    }
    return;
  }
  if (url == blink::kChromeUIGpuCrashURL) {
    auto* host = GpuProcessHost::Get();
    if (host) {
      host->gpu_service()->Crash();
    }
    return;
  }
#if BUILDFLAG(IS_ANDROID)
  if (url == blink::kChromeUIGpuJavaCrashURL) {
    auto* host = GpuProcessHost::Get();
    if (host) {
      host->gpu_service()->ThrowJavaException();
    }
    return;
  }
#endif
  if (url == blink::kChromeUIGpuHangURL) {
    auto* host = GpuProcessHost::Get();
    if (host) {
      host->gpu_service()->Hang();
    }
    return;
  }
  if (url == blink::kChromeUIMemoryPressureCriticalURL) {
    base::MemoryPressureListener::NotifyMemoryPressure(
        base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_CRITICAL);
    return;
  }
  if (url == blink::kChromeUIMemoryPressureModerateURL) {
    base::MemoryPressureListener::NotifyMemoryPressure(
        base::MemoryPressureListener::MEMORY_PRESSURE_LEVEL_MODERATE);
    return;
  }
}

}  // namespace content