chromium/src
0
Fork 0
Code Activity

MojoLPM: Disable AsanBrp Instantiating checks.

Browse Source 
To display the `MiraclePtr` status in MojoLPM fuzzers, I recently
enabled ASAN BRP:
https://chromium-review.googlesource.com/c/chromium/src/+/6182270

Fortunately/Unfortunately, it failed due to: Asan BRP
InstantiationChecks.

I can't reproduce, as it is scoped to Windows. Moreover, I won't have
time to investigate this issue before going on a leave. So, I'm
disabling the AsanBrpInstantiationChecks for now in order to keep
AsanBrp enabled.

Note that this is only a potential memory safety issue. So we aren't
ignoring any real issues by not enabling this check for now.

Cq-Include-Trybots: luci.chromium.try:linux-libfuzzer-asan-rel
Cq-Include-Trybots: luci.chromium.try:win-libfuzzer-asan-rel
Cq-Include-Trybots: luci.chromium.try:mac-libfuzzer-asan-rel
Bug: 391728753
Change-Id: I1e2fcf007f3ca1e840fd2bacb5fedb1112c08f42
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6268649
Reviewed-by: Sergei Glazunov <glazunov@google.com>
Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Benoit Lize <lizeb@chromium.org>
Commit-Queue: Benoit Lize <lizeb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1421050}
This commit is contained in:
Arthur Sonzogni
2025-02-17 05:59:07 -08:00
committed by Chromium LUCI CQ
parent 04137b45bc
commit 44bc44b7a0
5 changed files with 32 additions and 30 deletions

19
base/allocator/partition_alloc_features.cc

@ -273,16 +273,15 @@ BASE_FEATURE(kPartitionAllocPermissiveMte,
#endif
);
// Note: Do not use the prepared macro to implement following FeatureParams
// as of no need for a local cache.
constinit const FeatureParam<bool> kBackupRefPtrAsanEnableDereferenceCheckParam{
&kPartitionAllocBackupRefPtr, "asan-enable-dereference-check", true};
constinit const FeatureParam<bool> kBackupRefPtrAsanEnableExtractionCheckParam{
&kPartitionAllocBackupRefPtr, "asan-enable-extraction-check",
false}; // Not much noise at the moment to enable by default.
constinit const FeatureParam<bool>
kBackupRefPtrAsanEnableInstantiationCheckParam{
&kPartitionAllocBackupRefPtr, "asan-enable-instantiation-check", true};
BASE_FEATURE(kAsanBrpDereferenceCheck,
"AsanBrpDereferenceCheck",
FEATURE_ENABLED_BY_DEFAULT);
BASE_FEATURE(kAsanBrpExtractionCheck,
"AsanBrpExtractionCheck", // Not much noise at the moment to
FEATURE_DISABLED_BY_DEFAULT); // enable by default.
BASE_FEATURE(kAsanBrpInstantiationCheck,
"AsanBrpInstantiationCheck",
FEATURE_ENABLED_BY_DEFAULT);
// If enabled, switches the bucket distribution to a denser one.
//

12
base/allocator/partition_alloc_features.h

@ -162,15 +162,9 @@ BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(MemoryTaggingEnabledProcesses,
// enabled.
BASE_EXPORT BASE_DECLARE_FEATURE(kKillPartitionAllocMemoryTagging);
BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocPermissiveMte);
BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
bool,
kBackupRefPtrAsanEnableDereferenceCheckParam);
BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
bool,
kBackupRefPtrAsanEnableExtractionCheckParam);
BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
bool,
kBackupRefPtrAsanEnableInstantiationCheckParam);
BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpDereferenceCheck);
BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpExtractionCheck);
BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpInstantiationCheck);
BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BucketDistributionMode,
kPartitionAllocBucketDistributionParam);

21
base/allocator/partition_alloc_support.cc

@ -1003,18 +1003,17 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
if (ShouldEnableFeatureOnProcess(
base::features::kBackupRefPtrEnabledProcessesParam.Get(),
process_type)) {
base::RawPtrAsanService::GetInstance().Configure(
base::EnableDereferenceCheck(
base::features::kBackupRefPtrAsanEnableDereferenceCheckParam.Get()),
base::EnableExtractionCheck(
base::features::kBackupRefPtrAsanEnableExtractionCheckParam.Get()),
base::EnableInstantiationCheck(
base::features::kBackupRefPtrAsanEnableInstantiationCheckParam
.Get()));
RawPtrAsanService::GetInstance().Configure(
EnableDereferenceCheck(
FeatureList::IsEnabled(features::kAsanBrpDereferenceCheck)),
EnableExtractionCheck(
FeatureList::IsEnabled(features::kAsanBrpExtractionCheck)),
EnableInstantiationCheck(
FeatureList::IsEnabled(features::kAsanBrpInstantiationCheck)));
} else {
base::RawPtrAsanService::GetInstance().Configure(
base::EnableDereferenceCheck(false), base::EnableExtractionCheck(false),
base::EnableInstantiationCheck(false));
RawPtrAsanService::GetInstance().Configure(EnableDereferenceCheck(false),
EnableExtractionCheck(false),
EnableInstantiationCheck(false));
}
#endif // PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)

4
content/test/fuzzer/mojolpm_fuzzer_support.cc

@ -4,6 +4,7 @@
#include "content/test/fuzzer/mojolpm_fuzzer_support.h"
#include "base/allocator/partition_alloc_features.h"
#include "base/command_line.h"
#include "base/debug/asan_service.h"
#include "base/i18n/icu_util.h"
@ -50,6 +51,9 @@ FuzzerEnvironment::FuzzerEnvironment(int argc, const char* const* argv)
fuzzer_thread_("fuzzer_thread") {
base::test::InitScopedFeatureListForTesting(feature_list_);
disable_asan_brp_instantiation_check_.InitAndDisableFeature(
base::features::kAsanBrpInstantiationCheck);
TestTimeouts::Initialize();
logging::SetMinLogLevel(logging::LOGGING_FATAL);

6
content/test/fuzzer/mojolpm_fuzzer_support.h

@ -51,6 +51,12 @@ class FuzzerEnvironment {
TestContentClientInitializer content_client_initializer_;
base::test::ScopedFeatureList feature_list_;
// TODO(391728753) Enable AsanBrpInstantiationCheck. This is currently
// disabled because this new check is failing. We should fix the failures and
// enable this check. Note that this check is not necessarily a security
// issue, as long as the assigned dangling pointer isn't used.
base::test::ScopedFeatureList disable_asan_brp_instantiation_check_;
};
// If we can also safely re-use a single BrowserTaskEnvironment and the