// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/test/fuzzer/mojolpm_fuzzer_support.h"

#include "base/allocator/partition_alloc_features.h"
#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/debug/asan_service.h"
#include "base/i18n/icu_util.h"
#include "base/test/test_suite_helper.h"
#include "base/test/test_timeouts.h"
#include "base/threading/platform_thread.h"
#include "content/browser/network_service_instance_impl.h"  // [nogncheck]
#include "content/browser/storage_partition_impl.h"         // [nogncheck]
#include "content/browser/storage_partition_impl_map.h"     // [nogncheck]
#include "partition_alloc/buildflags.h"

#if PA_BUILDFLAG(USE_PARTITION_ALLOC)
#include "base/allocator/partition_alloc_support.h"
#endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC)

namespace content::mojolpm {

#if defined(ADDRESS_SANITIZER)
// ASan error callback used to triage MojoLPM crashes. A report raised on the
// "fuzzer_thread" is attributed to the fuzzer itself (that thread models the
// unprivileged renderer side of the Mojo connection), so it is logged as a
// false positive and the process is asked to exit cleanly instead of aborting.
// Reports from any other thread are left untouched. `reason` is not inspected.
static void FalsePositiveErrorReportCallback(const char* reason,
                                             bool* should_exit_cleanly) {
  const char* current_thread = base::PlatformThread::GetName();
  const bool on_fuzzer_thread =
      UNSAFE_TODO(strcmp(current_thread, "fuzzer_thread")) == 0;
  if (!on_fuzzer_thread) {
    return;
  }
  base::debug::AsanService::GetInstance()->Log(
      "MojoLPM: FALSE POSITIVE\n"
      "This crash occurred on the fuzzer thread, so it is a false positive "
      "and "
      "\ndoes not represent a security issue. In MojoLPM, the fuzzer thread "
      "\nrepresents the unprivileged renderer process.\n");
  *should_exit_cleanly = true;
}

// Installs FalsePositiveErrorReportCallback on the ASan service exactly once
// per process; subsequent calls are no-ops.
static void AddFalsePositiveErrorReportCallback() {
  [[maybe_unused]] static const bool registered = [] {
    base::debug::AsanService::GetInstance()->AddErrorCallback(
        FalsePositiveErrorReportCallback);
    return true;
  }();
}
#endif  // defined(ADDRESS_SANITIZER)

// Process-wide one-time setup for a MojoLPM fuzzer: command line, feature
// list, timeouts, Mojo core, ICU, in-process network/storage services and the
// dedicated fuzzer thread. Under ASan it also installs the false-positive
// triage callback. The order of these calls is load-bearing (e.g. the feature
// list must exist before PartitionAlloc is reconfigured below).
FuzzerEnvironment::FuzzerEnvironment(int argc, const char* const* argv)
    // NOTE(review): the stored bool is whatever CommandLine::Init returns;
    // presumably it is false when the command line was already initialized.
    : command_line_initialized_(base::CommandLine::Init(argc, argv)),
      fuzzer_thread_("fuzzer_thread") {
  base::test::InitScopedFeatureListForTesting(feature_list_);

  // The BRP instantiation check is disabled for the lifetime of this object.
  disable_asan_brp_instantiation_check_.InitAndDisableFeature(
      base::features::kAsanBrpInstantiationCheck);

  TestTimeouts::Initialize();

  // Silence everything below FATAL so fuzzer output stays readable.
  logging::SetMinLogLevel(logging::LOGGING_FATAL);
  mojo::core::Init();
  base::i18n::InitializeICU();

  // Run the network and storage services in-process rather than spawning
  // utility processes.
  ForceCreateNetworkServiceDirectlyForTesting();
  StoragePartitionImpl::ForceInProcessStorageServiceForTesting();

  // The thread name must match the one FalsePositiveErrorReportCallback
  // compares against ("fuzzer_thread").
  fuzzer_thread_.StartAndWaitForTesting();

#if defined(ADDRESS_SANITIZER)
  base::debug::AsanService::GetInstance()->Initialize();
  AddFalsePositiveErrorReportCallback();
#endif  // defined(ADDRESS_SANITIZER)

#if PA_BUILDFLAG(USE_PARTITION_ALLOC)
  // Dangling pointer detection is requested here (`true` is passed to
  // ReconfigureAfterFeatureListInit below), so dangling raw_ptr errors are
  // reported during MojoLPM runs. NOTE(review): an earlier comment on this
  // line said the detector was "not enforced" in MojoLPM; that no longer
  // matches the value below — confirm which is intended before relying on
  // either.
  const bool check_dangling_pointers = true;

  // Among other things, this will install the hooks to determine the
  // `MiraclePtr Status`, and some additional memory safety checks.
  base::allocator::PartitionAllocSupport::Get()
      ->ReconfigureAfterFeatureListInit("", check_dangling_pointers);
#endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC)
}

// Out-of-line so member destructors run in this translation unit.
FuzzerEnvironment::~FuzzerEnvironment() = default;

// FuzzerEnvironment plus a BrowserTaskEnvironment using a multi-threaded,
// asynchronous thread pool and a real (not mocked) IO thread.
FuzzerEnvironmentWithTaskEnvironment::FuzzerEnvironmentWithTaskEnvironment(
    int argc,
    const char* const* argv)
    : FuzzerEnvironment(argc, argv),
      task_environment_(
          base::test::TaskEnvironment::MainThreadType::DEFAULT,
          base::test::TaskEnvironment::ThreadPoolExecutionMode::ASYNC,
          base::test::TaskEnvironment::ThreadingMode::MULTIPLE_THREADS,
          BrowserTaskEnvironment::REAL_IO_THREAD) {}

// Tears down the task environment before the base FuzzerEnvironment.
FuzzerEnvironmentWithTaskEnvironment::~FuzzerEnvironmentWithTaskEnvironment() =
    default;

// Configures the underlying RenderViewHostTestHarness with mock time, a
// multi-threaded asynchronous thread pool and a real IO thread.
RenderViewHostTestHarnessAdapter::RenderViewHostTestHarnessAdapter()
    : RenderViewHostTestHarness(
          base::test::TaskEnvironment::TimeSource::MOCK_TIME,
          base::test::TaskEnvironment::MainThreadType::DEFAULT,
          base::test::TaskEnvironment::ThreadPoolExecutionMode::ASYNC,
          base::test::TaskEnvironment::ThreadingMode::MULTIPLE_THREADS,
          BrowserTaskEnvironment::REAL_IO_THREAD) {}

// No adapter-specific cleanup; the harness destructor does the work.
RenderViewHostTestHarnessAdapter::~RenderViewHostTestHarnessAdapter() = default;

// Exposes the protected harness SetUp to fuzzer code; forwards unchanged.
void RenderViewHostTestHarnessAdapter::SetUp() {
  using Harness = RenderViewHostTestHarness;
  Harness::SetUp();
}

// Exposes the protected harness TearDown to fuzzer code; forwards unchanged.
void RenderViewHostTestHarnessAdapter::TearDown() {
  using Harness = RenderViewHostTestHarness;
  Harness::TearDown();
}

// Returns the harness-owned task environment (non-owning pointer).
BrowserTaskEnvironment* RenderViewHostTestHarnessAdapter::task_environment() {
  BrowserTaskEnvironment* const env =
      RenderViewHostTestHarness::task_environment();
  return env;
}

// Returns the harness-owned browser context (non-owning pointer).
BrowserContext* RenderViewHostTestHarnessAdapter::browser_context() {
  BrowserContext* const context = RenderViewHostTestHarness::browser_context();
  return context;
}

}  // namespace content::mojolpm