chromium/src
0
Fork 0
Code Activity

Remove Syzygy/SyzyASAN build configuration and related code.

Browse Source 
This removes the is_syzyasan build flag and related build configuration.
Everything under the SYZYASAN define is either removed, or moved under
ADDRESS_SANITIZER, as e.g. the previously SyzyASAN-only heap corruption
debug URLs.

The DCHECK debug URL is now enabled and the activity tracker grabs a
stack trace when DCHECK_IS_ON(), instead of only under SYZYASAN.

The metrics system sets the is_asan_build bit in the system profile now
under ADDRESS_SANITIZER, against the day when we ship Clang ASAN builds.

The SyzyProf profiling support is removed.

To support the upcoming official build with configurable DCHECKs, the
channel string visible in chrome://settings/help is adorned with "DCheck".

The DEPS to fetch the Syzygy binary archive is left in place, as the
zap_timestamps.exe utility is still in use. Once LLD replaces the MSVC
linker, that can be removed without penalty, at which time the DEPS will
be scrubbed.

Bug: 821764
Change-Id: I08202da8f032f2350a589cfcda9e9b2edd147b7d
Reviewed-on: https://chromium-review.googlesource.com/980912
Reviewed-by: Will Harris <wfh@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Chris Hamilton <chrisha@chromium.org>
Reviewed-by: Sébastien Marchand <sebmarchand@chromium.org>
Commit-Queue: Sigurður Ásgeirsson <siggi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546966}
This commit is contained in:
Sigurdur Asgeirsson
2018-03-29 21:50:51 +00:00
committed by Commit Bot
parent 297d5f530f
commit 69d0bcdd97
67 changed files with 156 additions and 1069 deletions
.gitignoreBUILD.gnDEPS
ash/wm
lock_state_controller.cc
base
allocator
README.md
debug
activity_tracker.ccasan_invalid_access.ccasan_invalid_access.hprofiler.ccprofiler.h
logging.cc
process
process_util_unittest.cc
test
test_timeouts.cc
threading
platform_thread_win.cc
tools_sanity_unittest.cc
trace_event
malloc_dump_provider.cc
build
config
BUILD.gnallocator.gni
sanitizers
sanitizers.gni
win
BUILD.gn
win
syzygy
BUILD.gnOWNERSinstrument.pyreorder.pysyzyasan-allocation-filter.txtsyzyasan-instrumentation-filter.txtsyzygy.gni
chrome
app
chrome_main_delegate.cc
browser
chrome_browser_main.cc
extensions
active_tab_apitest.cc
api
bookmark_manager_private
bookmark_manager_private_apitest.cc
context_menus
context_menu_apitest.cc
cookies
cookies_apitest.cc
metrics
chrome_metrics_service_accessor.h
profiling_host
chrome_browser_main_extra_parts_profiling.ccmemlog_browsertest.cc
ui
webui
memory_internals_ui.cc
child
BUILD.gnchild_profiling.ccchild_profiling.h
common
channel_info_win.ccchrome_features.ccchrome_features.h
installer
mini_installer
BUILD.gnchrome.release
test
base
javascript_browser_test.cc
ppapi
ppapi_interactive_browsertest.cc
tools
build
win
FILES.cfgcreate_installer_archive.py
syzygy
BUILD.gnOWNERS
chrome_elf
elf_imports_unittest.cc
components
browser_watcher
stability_debugging.cc
metrics
metrics_log.ccmetrics_log_unittest.cc
content
browser
frame_host
debug_urls.cc
gpu
browser_gpu_channel_host_factory.cc
webrtc
webrtc_stress_pause_browsertest.ccwebrtc_stress_resolution_switch_browsertest.ccwebrtc_stress_source_switch_browsertest.cc
public
common
url_constants.ccurl_constants.hurl_utils.cc
renderer
render_frame_impl.cc
shell
BUILD.gn
services/service_manager/sandbox/win
sandbox_win.cc
skia
BUILD.gn

1
.gitignore vendored

@ -118,7 +118,6 @@ vs-chromium-project.txt
/chrome/installer/mini_installer.xml
/chrome/installer/mini_installer/mini_installer.aps
/chrome/installer/mini_installer/support
/chrome/installer/mini_installer_syzygy.xml
/chrome/installer/mini_installer_tests_run.xml
/chrome/installer_util_strings.xml
/chrome/interactive_ui_tests_run.xml

25
BUILD.gn

@ -569,7 +569,6 @@ group("gn_all") {
"//chrome/install_static:install_static_unittests",
"//chrome/installer/gcapi",
"//chrome/installer/setup:setup_unittests",
"//chrome/tools/build/win/syzygy:chrome_dll_syzygy",
"//chrome_elf:chrome_elf_import_unittests",
"//chrome_elf:chrome_elf_unittests",
"//chrome_elf:dll_hash_main",
@ -805,24 +804,6 @@ if (is_win) {
"//url:url_unittests",
]
}
group("All_syzygy") {
if (is_syzyasan) {
deps = [
"//chrome/installer/mini_installer:mini_installer",
"//chrome/installer/mini_installer:mini_installer_syzygy",
]
}
}
if (is_syzyasan) {
group("chrome_official_syzyasan_builder") {
deps = [
":All_syzygy",
":chrome_official_builder_no_unittests",
]
}
}
}
if (is_chromeos) {
@ -1109,12 +1090,6 @@ if (!is_ios && !is_android && !is_chromecast && !is_fuchsia) {
"//v8:v8_shell($v8_snapshot_toolchain)",
]
}
if (is_win && symbol_level == 2 && target_cpu == "x86" && is_syzyasan) {
deps += [
"//chrome/tools/build/win/syzygy:chrome_dll_syzygy",
"//content/shell:content_shell_syzyasan",
]
}
}
}

2
DEPS

@ -1293,6 +1293,8 @@ hooks = [
],
},
# Pull the Syzygy binaries, used for optimization and instrumentation.
# Remove this as soon as the zap_timestamp.exe utility is no longer used.
# See https://crbug.com/821764#c3.
{
'name': 'syzygy-binaries',
'pattern': '.',

3
ash/wm/lock_state_controller.cc

@ -52,8 +52,7 @@ namespace {
// For MSan the slowdown depends heavily on the value of msan_track_origins GYP
// flag. The multiplier below corresponds to msan_track_origins=1.
constexpr int kTimeoutMultiplier = 6;
#elif defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN)
#elif defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER)
constexpr int kTimeoutMultiplier = 2;
#else
constexpr int kTimeoutMultiplier = 1;

30
base/allocator/README.md

@ -19,30 +19,30 @@ build-time flags involved are `use_allocator` and `use_allocator_shim`.
The default choices are as follows:
**Windows**
**Windows**
`use_allocator: winheap`, the default Windows heap.
Additionally, `static_library` (i.e. non-component) builds have a shim
layer wrapping malloc/new, which is controlled by `use_allocator_shim`.
layer wrapping malloc/new, which is controlled by `use_allocator_shim`.
The shim layer provides extra security features, such as preventing large
allocations that can hit signed vs. unsigned bugs in third_party code.
**Linux Desktop / CrOS**
**Linux Desktop / CrOS**
`use_allocator: tcmalloc`, a forked copy of tcmalloc which resides in
`third_party/tcmalloc/chromium`. Setting `use_allocator: none` causes the build
to fall back to the system (Glibc) symbols.
**Android**
**Android**
`use_allocator: none`, always use the allocator symbols coming from Android's
libc (Bionic). As it is developed as part of the OS, it is considered to be
optimized for small devices and more memory-efficient than other choices.
optimized for small devices and more memory-efficient than other choices.
The actual implementation backing malloc symbols in Bionic is up to the board
config and can vary (typically *dlmalloc* or *jemalloc* on most Nexus devices).
**Mac/iOS**
**Mac/iOS**
`use_allocator: none`, we always use the system's allocator implementation.
In addition, when building for `asan` / `msan` / `syzyasan`, both the allocator
and the shim layer are disabled.
In addition, when building for `asan` / `msan` both the allocator and the shim
layer are disabled.
Layering and build deps
-----------------------
@ -59,7 +59,7 @@ If such a functional dependency is required that should be achieved using
abstractions in `base` (see `/base/allocator/allocator_extension.h` and
`/base/memory/`)
**Why `base` depends on `allocator`?**
**Why `base` depends on `allocator`?**
Because it needs to provide services that depend on the actual allocator
implementation. In the past `base` used to pretend to be allocator-agnostic
and get the dependencies injected by other layers. This ended up being an
@ -90,7 +90,7 @@ Unified allocator shim
On most platforms, Chrome overrides the malloc / operator new symbols (and
corresponding free / delete and other variants). This is to enforce security
checks and lately to enable the
[memory-infra heap profiler][url-memory-infra-heap-profiler].
[memory-infra heap profiler][url-memory-infra-heap-profiler].
Historically each platform had its special logic for defining the allocator
symbols in different places of the codebase. The unified allocator shim is
a project aimed to unify the symbol definition and allocator routing logic in
@ -102,7 +102,7 @@ a central place.
- Tracking bug: [https://crbug.com/550886][crbug.com/550886].
- Build-time flag: `use_allocator_shim`.
**Overview of the unified allocator shim**
**Overview of the unified allocator shim**
The allocator shim consists of three stages:
```
+-------------------------+ +-----------------------+ +----------------+
@ -118,7 +118,7 @@ The allocator shim consists of three stages:
+-------------------------+
```
**1. malloc symbols definition**
**1. malloc symbols definition**
This stage takes care of overriding the symbols `malloc`, `free`,
`operator new`, `operator delete` and friends and routing those calls inside the
allocator shim (next point).
@ -158,7 +158,7 @@ undefined symbol references to malloc symbols.
These symbols will be resolved against libc.so as usual.
More details in [crrev.com/1719433002](https://crrev.com/1719433002).
**2. Shim layer implementation**
**2. Shim layer implementation**
This stage contains the actual shim implementation. This consists of:
- A singly linked list of dispatchers (structs with function pointers to `malloc`-like functions). Dispatchers can be dynamically inserted at runtime
(using the `InsertAllocatorDispatch` API). They can intercept and override
@ -166,7 +166,7 @@ allocator calls.
- The security checks (suicide on malloc-failure via `std::new_handler`, etc).
This happens inside `allocator_shim.cc`
**3. Final allocator routing**
**3. Final allocator routing**
The final element of the aforementioned dispatcher chain is statically defined
at build time and ultimately routes the allocator calls to the actual allocator
(as described in the *Background* section above). This is taken care of by the
@ -175,7 +175,7 @@ headers in `allocator_shim_default_dispatch_to_*` files.
Appendixes
----------
**How does the Windows shim layer replace the malloc symbols?**
**How does the Windows shim layer replace the malloc symbols?**
The mechanism for hooking LIBCMT in Windows is rather tricky. The core
problem is that by default, the Windows library does not declare malloc and
free as weak symbols. Because of this, they cannot be overridden. To work

6
base/debug/activity_tracker.cc

@ -25,6 +25,7 @@
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "base/threading/platform_thread.h"
#include "build/build_config.h"
namespace base {
namespace debug {
@ -260,8 +261,9 @@ void Activity::FillFrom(Activity* activity,
activity->activity_type = type;
activity->data = data;
#if defined(SYZYASAN)
// Create a stacktrace from the current location and get the addresses.
#if (!defined(OS_NACL) && DCHECK_IS_ON()) || defined(ADDRESS_SANITIZER)
// Create a stacktrace from the current location and get the addresses for
// improved debuggability.
StackTrace stack_trace;
size_t stack_depth;
const void* const* stack_addrs = stack_trace.Addresses(&stack_depth);

44
base/debug/asan_invalid_access.cc

@ -21,13 +21,7 @@ namespace debug {
namespace {
#if defined(SYZYASAN) && defined(COMPILER_MSVC)
// Disable warning C4530: "C++ exception handler used, but unwind semantics are
// not enabled". We don't want to change the compilation flags just for this
// test, and no exception should be triggered here, so this warning has no value
// here.
#pragma warning(push)
#pragma warning(disable: 4530)
#if defined(OS_WIN) && defined(ADDRESS_SANITIZER)
// Corrupt a memory block and make sure that the corruption gets detected either
// when we free it or when another crash happens (if |induce_crash| is set to
// true).
@ -35,27 +29,28 @@ NOINLINE void CorruptMemoryBlock(bool induce_crash) {
// NOTE(sebmarchand): We intentionally corrupt a memory block here in order to
// trigger an Address Sanitizer (ASAN) error report.
static const int kArraySize = 5;
int* array = new int[kArraySize];
// Encapsulate the invalid memory access into a try-catch statement to prevent
// this function from being instrumented. This way the underflow won't be
// detected but the corruption will (as the allocator will still be hooked).
try {
// Declares the dummy value as volatile to make sure it doesn't get
// optimized away.
int volatile dummy = array[-1]--;
base::debug::Alias(const_cast<int*>(&dummy));
} catch (...) {
}
LONG* array = new LONG[kArraySize];
// Explicitly call out to a kernel32 function to perform the memory access.
// This way the underflow won't be detected but the corruption will (as the
// allocator will still be hooked).
auto InterlockedIncrementFn =
reinterpret_cast<LONG (*)(LONG volatile * addend)>(
GetProcAddress(GetModuleHandle(L"kernel32"), "InterlockedIncrement"));
CHECK(InterlockedIncrementFn);
LONG volatile dummy = InterlockedIncrementFn(array - 1);
base::debug::Alias(const_cast<LONG*>(&dummy));
if (induce_crash)
CHECK(false);
delete[] array;
}
#pragma warning(pop)
#endif // SYZYASAN && COMPILER_MSVC
#endif // OS_WIN && ADDRESS_SANITIZER
} // namespace
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
// NOTE(sebmarchand): We intentionally perform some invalid heap access here in
// order to trigger an AddressSanitizer (ASan) error report.
@ -91,9 +86,7 @@ void AsanHeapUseAfterFree() {
base::debug::Alias(&dummy);
}
#endif // ADDRESS_SANITIZER || SYZYASAN
#if defined(SYZYASAN) && defined(COMPILER_MSVC)
#if defined(OS_WIN)
void AsanCorruptHeapBlock() {
CorruptMemoryBlock(false);
}
@ -101,7 +94,8 @@ void AsanCorruptHeapBlock() {
void AsanCorruptHeap() {
CorruptMemoryBlock(true);
}
#endif // SYZYASAN && COMPILER_MSVC
#endif // OS_WIN
#endif // ADDRESS_SANITIZER
} // namespace debug
} // namespace base

13
base/debug/asan_invalid_access.h

@ -10,11 +10,12 @@
#include "base/base_export.h"
#include "base/compiler_specific.h"
#include "build/build_config.h"
namespace base {
namespace debug {
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
// Generates an heap buffer overflow.
BASE_EXPORT NOINLINE void AsanHeapOverflow();
@ -25,12 +26,9 @@ BASE_EXPORT NOINLINE void AsanHeapUnderflow();
// Generates an use after free.
BASE_EXPORT NOINLINE void AsanHeapUseAfterFree();
#endif // ADDRESS_SANITIZER || SYZYASAN
// The "corrupt-block" and "corrupt-heap" classes of bugs is specific to
// SyzyASan.
#if defined(SYZYASAN) && defined(COMPILER_MSVC)
// Windows.
#if defined(OS_WIN)
// Corrupts a memory block and makes sure that the corruption gets detected when
// we try to free this block.
BASE_EXPORT NOINLINE void AsanCorruptHeapBlock();
@ -39,7 +37,8 @@ BASE_EXPORT NOINLINE void AsanCorruptHeapBlock();
// crash occur.
BASE_EXPORT NOINLINE void AsanCorruptHeap();
#endif // SYZYASAN && COMPILER_MSVC
#endif // OS_WIN
#endif // ADDRESS_SANITIZER
} // namespace debug
} // namespace base

37
base/debug/profiler.cc

@ -87,10 +87,6 @@ bool IsProfilingSupported() {
#if !defined(OS_WIN)
bool IsBinaryInstrumented() {
return false;
}
ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
return nullptr;
}
@ -109,36 +105,6 @@ MoveDynamicSymbol GetProfilerMoveDynamicSymbolFunc() {
#else // defined(OS_WIN)
bool IsBinaryInstrumented() {
enum InstrumentationCheckState {
UNINITIALIZED,
INSTRUMENTED_IMAGE,
NON_INSTRUMENTED_IMAGE,
};
static InstrumentationCheckState state = UNINITIALIZED;
if (state == UNINITIALIZED) {
base::win::PEImage image(CURRENT_MODULE());
// Check to be sure our image is structured as we'd expect.
DCHECK(image.VerifyMagic());
// Syzygy-instrumented binaries contain a PE image section named ".thunks",
// and all Syzygy-modified binaries contain the ".syzygy" image section.
// This is a very fast check, as it only looks at the image header.
if ((image.GetImageSectionHeaderByName(".thunks") != NULL) &&
(image.GetImageSectionHeaderByName(".syzygy") != NULL)) {
state = INSTRUMENTED_IMAGE;
} else {
state = NON_INSTRUMENTED_IMAGE;
}
}
DCHECK(state != UNINITIALIZED);
return state == INSTRUMENTED_IMAGE;
}
namespace {
struct FunctionSearchContext {
@ -186,9 +152,6 @@ bool FindResolutionFunctionInImports(
template <typename FunctionType>
FunctionType FindFunctionInImports(const char* function_name) {
if (!IsBinaryInstrumented())
return NULL;
base::win::PEImage image(CURRENT_MODULE());
FunctionSearchContext ctx = { function_name, NULL };

3
base/debug/profiler.h

@ -35,9 +35,6 @@ BASE_EXPORT bool BeingProfiled();
// Reset profiling after a fork, which disables timers.
BASE_EXPORT void RestartProfilingAfterFork();
// Returns true iff this executable is instrumented with the Syzygy profiler.
BASE_EXPORT bool IsBinaryInstrumented();
// Returns true iff this executable supports profiling.
BASE_EXPORT bool IsProfilingSupported();

2
base/logging.cc

@ -386,7 +386,7 @@ void CloseLogFileUnlocked() {
} // namespace
#if DCHECK_IS_CONFIGURABLE
// In DCHECK-enabled SyzyASAN builds, allow the meaning of LOG_DCHECK to be
// In DCHECK-enabled Chrome builds, allow the meaning of LOG_DCHECK to be
// determined at run-time. We default it to INFO, to avoid it triggering
// crashes before the run-time has explicitly chosen the behaviour.
BASE_EXPORT logging::LogSeverity LOG_DCHECK = LOG_INFO;

2
base/process/process_util_unittest.cc

@ -369,7 +369,7 @@ MULTIPROCESS_TEST_MAIN(CrashingChildProcess) {
// This test intentionally crashes, so we don't need to run it under
// AddressSanitizer.
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
#define MAYBE_GetTerminationStatusCrash DISABLED_GetTerminationStatusCrash
#else
#define MAYBE_GetTerminationStatusCrash GetTerminationStatusCrash

3
base/test/test_timeouts.cc

@ -43,8 +43,7 @@ void InitializeTimeout(const char* switch_name, int min_value, int* value) {
// ASan/Win has not been optimized yet, give it a higher
// timeout multiplier. See http://crbug.com/412471
constexpr int kTimeoutMultiplier = 3;
#elif defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN)
#elif defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER)
constexpr int kTimeoutMultiplier = 2;
#else
constexpr int kTimeoutMultiplier = 1;

4
base/threading/platform_thread_win.cc

@ -188,9 +188,7 @@ void PlatformThread::SetName(const std::string& name) {
// The debugger needs to be around to catch the name in the exception. If
// there isn't a debugger, we are just needlessly throwing an exception.
// If this image file is instrumented, we raise the exception anyway
// to provide the profiler with human-readable thread names.
if (!::IsDebuggerPresent() && !base::debug::IsBinaryInstrumented())
if (!::IsDebuggerPresent())
return;
SetNameInternal(CurrentId(), name.c_str());

32
base/tools_sanity_unittest.cc

@ -26,20 +26,13 @@ const base::subtle::Atomic32 kMagicValue = 42;
// Helper for memory accesses that can potentially corrupt memory or cause a
// crash during a native run.
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
#if defined(OS_IOS)
// EXPECT_DEATH is not supported on IOS.
#define HARMFUL_ACCESS(action,error_regexp) do { action; } while (0)
#elif defined(SYZYASAN)
// We won't get a meaningful error message because we're not running under the
// SyzyASan logger, but we can at least make sure that the error has been
// generated in the SyzyASan runtime.
#define HARMFUL_ACCESS(action,unused) \
if (debug::IsBinaryInstrumented()) { EXPECT_DEATH(action, \
"AsanRuntime::OnError"); }
#else
#define HARMFUL_ACCESS(action,error_regexp) EXPECT_DEATH(action,error_regexp)
#endif // !OS_IOS && !SYZYASAN
#endif // !OS_IOS
#else
#define HARMFUL_ACCESS(action, error_regexp)
#define HARMFUL_ACCESS_IS_NOOP
@ -108,16 +101,15 @@ TEST(ToolsSanityTest, MemoryLeak) {
leak[4] = 1; // Make sure the allocated memory is used.
}
#if (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) || defined(SYZYASAN)
#if (defined(ADDRESS_SANITIZER) && defined(OS_IOS))
// Because iOS doesn't support death tests, each of the following tests will
// crash the whole program under Asan. On Windows Asan is based on SyzyAsan; the
// error report mechanism is different than with Asan so these tests will fail.
// crash the whole program under Asan.
#define MAYBE_AccessesToNewMemory DISABLED_AccessesToNewMemory
#define MAYBE_AccessesToMallocMemory DISABLED_AccessesToMallocMemory
#else
#define MAYBE_AccessesToNewMemory AccessesToNewMemory
#define MAYBE_AccessesToMallocMemory AccessesToMallocMemory
#endif // (defined(ADDRESS_SANITIZER) && defined(OS_IOS)) || defined(SYZYASAN)
#endif // (defined(ADDRESS_SANITIZER) && defined(OS_IOS))
// The following tests pass with Clang r170392, but not r172454, which
// makes AddressSanitizer detect errors in them. We disable these tests under
@ -125,14 +117,14 @@ TEST(ToolsSanityTest, MemoryLeak) {
// tests should be put back under the (defined(OS_IOS) || defined(OS_WIN))
// clause above.
// See also http://crbug.com/172614.
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
#define MAYBE_SingleElementDeletedWithBraces \
DISABLED_SingleElementDeletedWithBraces
#define MAYBE_ArrayDeletedWithoutBraces DISABLED_ArrayDeletedWithoutBraces
#else
#define MAYBE_ArrayDeletedWithoutBraces ArrayDeletedWithoutBraces
#define MAYBE_SingleElementDeletedWithBraces SingleElementDeletedWithBraces
#endif // defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#endif // defined(ADDRESS_SANITIZER)
TEST(ToolsSanityTest, MAYBE_AccessesToNewMemory) {
char *foo = new char[10];
@ -150,7 +142,7 @@ TEST(ToolsSanityTest, MAYBE_AccessesToMallocMemory) {
HARMFUL_ACCESS(foo[5] = 0, "heap-use-after-free");
}
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
static int* allocateArray() {
// Clang warns about the mismatched new[]/delete if they occur in the same
@ -182,7 +174,7 @@ TEST(ToolsSanityTest, MAYBE_SingleElementDeletedWithBraces) {
}
#endif
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
TEST(ToolsSanityTest, DISABLED_AddressSanitizerNullDerefCrashTest) {
// Intentionally crash to make sure AddressSanitizer is running.
@ -228,7 +220,7 @@ TEST(ToolsSanityTest, AsanHeapUseAfterFree) {
HARMFUL_ACCESS(debug::AsanHeapUseAfterFree(), "heap-use-after-free");
}
#if defined(SYZYASAN) && defined(COMPILER_MSVC)
#if defined(OS_WIN)
TEST(ToolsSanityTest, AsanCorruptHeapBlock) {
HARMFUL_ACCESS(debug::AsanCorruptHeapBlock(), "");
}
@ -238,10 +230,10 @@ TEST(ToolsSanityTest, AsanCorruptHeap) {
// particular string to look for in the stack trace.
EXPECT_DEATH(debug::AsanCorruptHeap(), "");
}
#endif // SYZYASAN && COMPILER_MSVC
#endif // OS_WIN
#endif // !HARMFUL_ACCESS_IS_NOOP
#endif // ADDRESS_SANITIZER || SYZYASAN
#endif // ADDRESS_SANITIZER
namespace {

5
base/trace_event/malloc_dump_provider.cc

@ -154,11 +154,6 @@ struct WinHeapInfo {
// Unfortunately, there is no safe way to collect information from secondary
// heaps due to limitations and racy nature of this piece of WinAPI.
void WinHeapMemoryDumpImpl(WinHeapInfo* crt_heap_info) {
#if defined(SYZYASAN)
if (base::debug::IsBinaryInstrumented())
return;
#endif
// Iterate through whichever heap our CRT is using.
HANDLE crt_heap = reinterpret_cast<HANDLE>(_get_heap_handle());
::HeapLock(crt_heap);

6
build/config/BUILD.gn

@ -127,12 +127,6 @@ config("feature_flags") {
} else {
defines += [ "CHROMIUM_BUILD" ]
}
if (is_syzyasan) {
defines += [
"SYZYASAN",
"MEMORY_SANITIZER_INITIAL_SIZE",
]
}
if (!fieldtrial_testing_like_official_build && !is_chrome_branded) {
defines += [ "FIELDTRIAL_TESTING_ENABLED" ]
}

3
build/config/allocator.gni

@ -6,8 +6,7 @@ import("//build/config/sanitizers/sanitizers.gni")
# Temporarily disable tcmalloc on arm64 linux to get rid of compilation errors.
if (is_android || is_mac || is_ios || is_asan || is_lsan || is_tsan ||
is_msan || is_win || is_syzyasan || is_fuchsia ||
(is_linux && target_cpu == "arm64")) {
is_msan || is_win || is_fuchsia || (is_linux && target_cpu == "arm64")) {
_default_allocator = "none"
} else {
_default_allocator = "tcmalloc"

6
build/config/sanitizers/sanitizers.gni

@ -46,11 +46,6 @@ declare_args() {
# standard system libraries. Set this flag to build the libraries from source.
use_locally_built_instrumented_libraries = false
# Enable building with SyzyAsan which can find certain types of memory
# errors. Only works on Windows. See
# https://github.com/google/syzygy/wiki/SyzyASanHowTo
is_syzyasan = false
# Compile with Control Flow Integrity to protect virtual calls and casts.
# See http://clang.llvm.org/docs/ControlFlowIntegrity.html
#
@ -119,7 +114,6 @@ if (current_toolchain != default_toolchain) {
is_cfi = false
is_lsan = false
is_msan = false
is_syzyasan = false
is_tsan = false
is_ubsan = false
is_ubsan_null = false

48
build/config/win/BUILD.gn

@ -115,31 +115,25 @@ config("compiler") {
cflags += [ "/Brepro" ]
}
# TODO(siggi): Is this of any use anymore?
# /PROFILE ensures that the PDB file contains FIXUP information (growing the
# PDB file by about 5%) but does not otherwise alter the output binary. This
# information is used by the Syzygy optimization tool when decomposing the
# release image. It is enabled for syzyasan builds and opportunistically for
# other builds where it is not prohibited (not supported when incrementally
# linking, or using /debug:fastlink).
if (is_syzyasan) {
assert(!is_win_fastlink)
ldflags = [ "/PROFILE" ]
} else {
if (!is_debug && !is_component_build) {
if (is_win_fastlink && !use_lld) {
# /PROFILE implies the following linker flags. Therefore if we are
# skipping /PROFILE because it is incompatible with /DEBUG:FASTLINK
# we should explicitly add these flags in order to avoid unintended
# consequences such as larger binaries.
ldflags = [
"/OPT:REF",
"/OPT:ICF",
"/INCREMENTAL:NO",
"/FIXED:NO",
]
} else {
ldflags = [ "/PROFILE" ]
}
# PDB file by about 5%) but does not otherwise alter the output binary. It is
# enabled opportunistically for builds where it is not prohibited (not
# supported when incrementally linking, or using /debug:fastlink).
if (!is_debug && !is_component_build) {
if (is_win_fastlink && !use_lld) {
# /PROFILE implies the following linker flags. Therefore if we are
# skipping /PROFILE because it is incompatible with /DEBUG:FASTLINK
# we should explicitly add these flags in order to avoid unintended
# consequences such as larger binaries.
ldflags = [
"/OPT:REF",
"/OPT:ICF",
"/INCREMENTAL:NO",
"/FIXED:NO",
]
} else {
ldflags = [ "/PROFILE" ]
}
}
@ -485,9 +479,9 @@ if (use_lld) {
incremental_linking_on_switch += [ "/OPT:NOREF" ]
}
# Disable incremental linking for syzyasan, enable for debug builds and all
# component builds - any builds where performance is not job one.
if ((is_debug || is_component_build) && !is_syzyasan) {
# Enable incremental linking for debug builds and all component builds - any
# builds where performance is not job one.
if (is_debug || is_component_build) {
default_incremental_linking_switch = incremental_linking_on_switch
} else {
default_incremental_linking_switch = incremental_linking_off_switch

23
build/win/syzygy/BUILD.gn

@ -1,23 +0,0 @@
# Copyright 2016 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
copy("copy_syzyasan_binaries") {
visibility = [
"//chrome/*",
"//content/*",
]
source_dir = "//third_party/syzygy/binaries/exe"
sources = [
"$source_dir/agent_logger.exe",
"$source_dir/minidump_symbolizer.py",
"$source_dir/syzyasan_rtl.dll",
"$source_dir/syzyasan_rtl.dll.pdb",
]
outputs = [
"$root_out_dir/syzygy/{{source_file_part}}",
]
}

3
build/win/syzygy/OWNERS

@ -1,3 +0,0 @@
chrisha@chromium.org
sebmarchand@chromium.org
siggi@chromium.org

157
build/win/syzygy/instrument.py

@ -1,157 +0,0 @@
#!/usr/bin/env python
# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""A utility script to help building Syzygy-instrumented Chrome binaries."""
import glob
import logging
import optparse
import os
import shutil
import subprocess
import sys
# The default directory containing the Syzygy toolchain.
_DEFAULT_SYZYGY_DIR = os.path.abspath(os.path.join(
os.path.dirname(__file__), '../../..',
'third_party/syzygy/binaries/exe/'))
# Basenames of various tools.
_INSTRUMENT_EXE = 'instrument.exe'
_GENFILTER_EXE = 'genfilter.exe'
_LOGGER = logging.getLogger()
def _Shell(*cmd, **kw):
"""Shells out to "cmd". Returns a tuple of cmd's stdout, stderr."""
_LOGGER.info('Running command "%s".', cmd)
prog = subprocess.Popen(cmd, **kw)
stdout, stderr = prog.communicate()
if prog.returncode != 0:
raise RuntimeError('Command "%s" returned %d.' % (cmd, prog.returncode))
return stdout, stderr
def _CompileFilter(syzygy_dir, executable, symbol, filter_file,
output_filter_file):
"""Compiles the provided filter writing the compiled filter file to
output_filter_file.
"""
cmd = [os.path.abspath(os.path.join(syzygy_dir, _GENFILTER_EXE)),
'--action=compile',
'--input-image=%s' % executable,
'--input-pdb=%s' % symbol,
'--output-file=%s' % output_filter_file,
'--overwrite',
os.path.abspath(filter_file)]
_Shell(*cmd)
if not os.path.exists(output_filter_file):
raise RuntimeError('Compiled filter file missing: %s' % output_filter_file)
return
def _InstrumentBinary(syzygy_dir, mode, executable, symbol, dst_dir,
filter_file, allocation_filter_file):
"""Instruments the executable found in input_dir, and writes the resultant
instrumented executable and symbol files to dst_dir.
"""
cmd = [os.path.abspath(os.path.join(syzygy_dir, _INSTRUMENT_EXE)),
'--overwrite',
'--mode=%s' % mode,
'--debug-friendly',
'--input-image=%s' % executable,
'--input-pdb=%s' % symbol,
'--output-image=%s' % os.path.abspath(
os.path.join(dst_dir, os.path.basename(executable))),
'--output-pdb=%s' % os.path.abspath(
os.path.join(dst_dir, os.path.basename(symbol)))]
if mode == "asan":
cmd.append('--no-augment-pdb')
# Disable some of the new SysyASAN features. We're seeing an increase in
# crash rates and are wondering if they are to blame.
cmd.append(
'--asan-rtl-options="--enable_feature_randomization '
'--prevent_duplicate_corruption_crashes"')
# If any filters were specified then pass them on to the instrumenter.
if filter_file:
cmd.append('--filter=%s' % os.path.abspath(filter_file))
if allocation_filter_file:
cmd.append('--allocation-filter-config-file=%s' %
os.path.abspath(allocation_filter_file))
return _Shell(*cmd)
def main(options):
# Make sure the destination directory exists.
if not os.path.isdir(options.destination_dir):
_LOGGER.info('Creating destination directory "%s".',
options.destination_dir)
os.makedirs(options.destination_dir)
# Compile the filter if one was provided.
if options.filter:
_CompileFilter(options.syzygy_dir,
options.input_executable,
options.input_symbol,
options.filter,
options.output_filter_file)
# Instruments the binaries into the destination directory.
_InstrumentBinary(options.syzygy_dir,
options.mode,
options.input_executable,
options.input_symbol,
options.destination_dir,
options.output_filter_file,
options.allocation_filter_file)
def _ParseOptions():
option_parser = optparse.OptionParser()
option_parser.add_option('--input_executable',
help='The path to the input executable.')
option_parser.add_option('--input_symbol',
help='The path to the input symbol file.')
option_parser.add_option('--mode',
help='Specifies which instrumentation mode is to be used.')
option_parser.add_option('--syzygy-dir', default=_DEFAULT_SYZYGY_DIR,
help='Instrumenter executable to use, defaults to "%default".')
option_parser.add_option('-d', '--destination_dir',
help='Destination directory for instrumented files.')
option_parser.add_option('--filter',
help='An optional filter. This will be compiled and passed to the '
'instrumentation executable.')
option_parser.add_option('--output-filter-file',
help='The path where the compiled filter will be written. This is '
'required if --filter is specified.')
option_parser.add_option('--allocation-filter-file',
help='The path to the SyzyASAN allocation filter to use.')
options, args = option_parser.parse_args()
if not options.mode:
option_parser.error('You must provide an instrumentation mode.')
if not options.input_executable:
option_parser.error('You must provide an input executable.')
if not options.input_symbol:
option_parser.error('You must provide an input symbol file.')
if not options.destination_dir:
option_parser.error('You must provide a destination directory.')
if options.filter and not options.output_filter_file:
option_parser.error('You must provide a filter output file.')
return options
if '__main__' == __name__:
logging.basicConfig(level=logging.INFO)
sys.exit(main(_ParseOptions()))

111
build/win/syzygy/reorder.py

@ -1,111 +0,0 @@
#!/usr/bin/env python
# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""A utility script to help building Syzygy-reordered Chrome binaries."""
import logging
import optparse
import os
import subprocess
import sys
# The default relink executable to use to reorder binaries.
_DEFAULT_RELINKER = os.path.join(
os.path.join(os.path.dirname(__file__), '../../..'),
'third_party/syzygy/binaries/exe/relink.exe')
_LOGGER = logging.getLogger()
# We use the same seed for all random reorderings to get a deterministic build.
_RANDOM_SEED = 1347344
def _Shell(*cmd, **kw):
"""Shells out to "cmd". Returns a tuple of cmd's stdout, stderr."""
_LOGGER.info('Running command "%s".', cmd)
prog = subprocess.Popen(cmd, **kw)
stdout, stderr = prog.communicate()
if prog.returncode != 0:
raise RuntimeError('Command "%s" returned %d.' % (cmd, prog.returncode))
return stdout, stderr
def _ReorderBinary(relink_exe, executable, symbol, destination_dir):
"""Reorders the executable found in input_dir, and writes the resultant
reordered executable and symbol files to destination_dir.
If a file named <executable>-order.json exists, imposes that order on the
output binaries, otherwise orders them randomly.
"""
cmd = [relink_exe,
'--overwrite',
'--input-image=%s' % executable,
'--input-pdb=%s' % symbol,
'--output-image=%s' % os.path.abspath(
os.path.join(destination_dir, os.path.basename(executable))),
'--output-pdb=%s' % os.path.abspath(
os.path.join(destination_dir, os.path.basename(symbol))),]
# Check whether there's an order file available for the executable.
order_file = '%s-order.json' % executable
if os.path.exists(order_file):
# The ordering file exists, let's use that.
_LOGGER.info('Reordering "%s" according to "%s".',
os.path.basename(executable),
os.path.basename(order_file))
cmd.append('--order-file=%s' % order_file)
else:
# No ordering file, we randomize the output.
_LOGGER.info('Randomly reordering "%s"', executable)
cmd.append('--seed=%d' % _RANDOM_SEED)
return _Shell(*cmd)
def main(options):
logging.basicConfig(level=logging.INFO)
# Make sure the destination directory exists.
if not os.path.isdir(options.destination_dir):
_LOGGER.info('Creating destination directory "%s".',
options.destination_dir)
os.makedirs(options.destination_dir)
# Reorder the binaries into the destination directory.
_ReorderBinary(options.relinker,
options.input_executable,
options.input_symbol,
options.destination_dir)
def _ParseOptions():
option_parser = optparse.OptionParser()
option_parser.add_option('--input_executable',
help='The path to the input executable.')
option_parser.add_option('--input_symbol',
help='The path to the input symbol file.')
option_parser.add_option('--relinker', default=_DEFAULT_RELINKER,
help='Relinker exectuable to use, defaults to "%s"' % _DEFAULT_RELINKER)
option_parser.add_option('-d', '--destination_dir',
help='Destination directory for reordered files, defaults to '
'the subdirectory "reordered" in the output_dir.')
options, args = option_parser.parse_args()
if not options.input_executable:
option_parser.error('You must provide an input executable.')
if not options.input_symbol:
option_parser.error('You must provide an input symbol file.')
if not options.destination_dir:
options.destination_dir = os.path.join(options.output_dir, 'reordered')
return options
if '__main__' == __name__:
sys.exit(main(_ParseOptions()))

14
build/win/syzygy/syzyasan-allocation-filter.txt

@ -1,14 +0,0 @@
// Copyright (c) 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This file describes suspicious allocation sites that are to be treated
// specially and served from the page heap. It is used at instrumentation time
// to ensure allocations are runtime redirected from specified stack traces.
//
// See chrome_syzygy.gypi and instrument.py for more details.
{
"hooks": {
"func": []
}
}

10
build/win/syzygy/syzyasan-instrumentation-filter.txt

@ -1,10 +0,0 @@
# Copyright (c) 2013 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# This file describes filtering rules that will be applied when applying
# Syzygy ASAN instrumentation to chrome.dll. It is intended to be used for
# disabling instrumentation of functions with known and deferred bugs, allowing
# functional instrumented builds of Chrome to be produced in the meantime.
#
# See chrome_syzygy.gypi and instrument.py for more details.

86
build/win/syzygy/syzygy.gni

@ -1,86 +0,0 @@
# Copyright 2016 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
assert(is_win)
# Where the output binaries will be placed.
syzygy_dest_dir = "$root_out_dir/syzygy"
# Instruments a binary with SyzyAsan.
#
# binary_name (required)
# Name of the binary to be instrumented, with no extension or path. This
# binary_name is assumed to be in the output directory and must be
# generated by a dependency of this target.
#
# dest_dir (required)
# The destination directory where the instrumented image should be
# written.
#
# deps (required)
# Normal meaning.
#
# public_deps
# Normal meaning.
#
# data_deps
# Normal meaning.
template("syzygy_asan") {
action(target_name) {
if (defined(invoker.visibility)) {
visibility = invoker.visibility
}
script = "//build/win/syzygy/instrument.py"
filter = "//build/win/syzygy/syzyasan-instrumentation-filter.txt"
binary_name = invoker.binary_name
dest_dir = invoker.dest_dir
input_image = "$root_out_dir/$binary_name"
input_pdb = "$root_out_dir/$binary_name.pdb"
inputs = [
filter,
input_image,
#input_pdb,
]
output_filter = "$dest_dir/win-syzyasan-filter-$binary_name.txt.json"
outputs = [
"$dest_dir/$binary_name",
"$dest_dir/$binary_name.pdb",
output_filter,
]
args = [
"--mode",
"asan",
"--input_executable",
rebase_path(input_image, root_build_dir),
"--input_symbol",
rebase_path(input_pdb, root_build_dir),
"--filter",
rebase_path(filter, root_build_dir),
"--output-filter-file",
rebase_path(output_filter, root_build_dir),
"--destination_dir",
rebase_path(dest_dir, root_build_dir),
]
deps = [
"//build/win/syzygy:copy_syzyasan_binaries",
]
if (defined(invoker.deps)) {
deps += invoker.deps
}
forward_variables_from(invoker,
[
"data_deps",
"public_deps",
"testonly",
])
}
}

5
chrome/app/chrome_main_delegate.cc

@ -26,7 +26,6 @@
#include "build/build_config.h"
#include "chrome/browser/chrome_content_browser_client.h"
#include "chrome/browser/defaults.h"
#include "chrome/child/child_profiling.h"
#include "chrome/common/buildflags.h"
#include "chrome/common/channel_info.h"
#include "chrome/common/chrome_constants.h"
@ -536,9 +535,6 @@ bool ChromeMainDelegate::BasicStartupComplete(int* exit_code) {
chrome::common::mac::EnableCFBundleBlocker();
#endif
#if !defined(CHROME_MULTIPLE_DLL_BROWSER)
ChildProfiling::ProcessStarted();
#endif
Profiling::ProcessStarted();
base::trace_event::TraceLog::GetInstance()->SetArgumentFilterPredicate(
@ -1038,7 +1034,6 @@ void ChromeMainDelegate::ZygoteStarting(
}
void ChromeMainDelegate::ZygoteForked() {
ChildProfiling::ProcessStarted();
Profiling::ProcessStarted();
if (Profiling::BeingProfiled()) {
base::debug::RestartProfilingAfterFork();

77
chrome/browser/chrome_browser_main.cc

@ -1491,62 +1491,6 @@ void ChromeBrowserMainParts::PostProfileInit() {
chrome_extra_parts_[i]->PostProfileInit();
}
#if defined(SYZYASAN)
// This function must be in the global namespace as it needs to be friended
// by ChromeMetricsServiceAccessor.
void SyzyASANRegisterExperiment(const char* name, const char* group) {
ChromeMetricsServiceAccessor::RegisterSyntheticFieldTrial(name, group);
}
namespace {
void WINAPI SyzyASANExperimentCallback(const char* name, const char* group) {
// Indirect through the function above, so that the friend declaration doesn't
// need the ugly calling convention.
SyzyASANRegisterExperiment(name, group);
}
void SetupSyzyASAN() {
typedef VOID(WINAPI* SyzyASANExperimentCallbackFn)(const char* name,
const char* group);
typedef VOID(WINAPI* SyzyASANEnumExperimentsFn)(SyzyASANExperimentCallbackFn);
HMODULE syzyasan_handle = ::GetModuleHandle(L"syzyasan_rtl.dll");
if (!syzyasan_handle)
return;
// Export the SyzyASAN experiments as synthetic field trials.
SyzyASANEnumExperimentsFn syzyasan_enum_experiments =
reinterpret_cast<SyzyASANEnumExperimentsFn>(
::GetProcAddress(syzyasan_handle, "asan_EnumExperiments"));
if (syzyasan_enum_experiments) {
syzyasan_enum_experiments(&SyzyASANExperimentCallback);
}
// Enable the deferred free mechanism in the syzyasan module, which helps the
// performance by deferring some work on the critical path to a background
// thread. Note that this is now enabled by default, the feature is kept as a
// kill switch.
if (base::FeatureList::IsEnabled(features::kSyzyasanDeferredFree)) {
typedef VOID(WINAPI * SyzyasanEnableDeferredFreeThreadFunc)(VOID);
bool success = false;
SyzyasanEnableDeferredFreeThreadFunc syzyasan_enable_deferred_free =
reinterpret_cast<SyzyasanEnableDeferredFreeThreadFunc>(
::GetProcAddress(syzyasan_handle,
"asan_EnableDeferredFreeThread"));
if (syzyasan_enable_deferred_free) {
syzyasan_enable_deferred_free();
success = true;
}
UMA_HISTOGRAM_BOOLEAN("Syzyasan.DeferredFreeWasEnabled", success);
}
}
} // namespace
#endif // SYZYASAN
void ChromeBrowserMainParts::PreBrowserStart() {
TRACE_EVENT0("startup", "ChromeBrowserMainParts::PreBrowserStart");
for (size_t i = 0; i < chrome_extra_parts_.size(); ++i)
@ -1554,10 +1498,6 @@ void ChromeBrowserMainParts::PreBrowserStart() {
three_d_observer_.reset(new ThreeDAPIObserver());
#if defined(SYZYASAN)
SetupSyzyASAN();
#endif
// Start the tab manager here so that we give the most amount of time for the
// other services to start up before we start adjusting the oom priority.
#if defined(OS_WIN) || defined(OS_MACOSX) || defined(OS_LINUX)
@ -2210,23 +2150,6 @@ void ChromeBrowserMainParts::PostMainMessageLoopRun() {
restart_last_session_ = browser_shutdown::ShutdownPreThreadsStop();
browser_process_->StartTearDown();
#if defined(SYZYASAN)
// Disable the deferred free mechanism in the syzyasan module. This is needed
// to avoid a potential crash when the syzyasan module is unloaded.
if (base::FeatureList::IsEnabled(features::kSyzyasanDeferredFree)) {
typedef VOID(WINAPI * SyzyasanDisableDeferredFreeThreadFunc)(VOID);
HMODULE syzyasan_handle = ::GetModuleHandle(L"syzyasan_rtl.dll");
if (syzyasan_handle) {
SyzyasanDisableDeferredFreeThreadFunc syzyasan_disable_deferred_free =
reinterpret_cast<SyzyasanDisableDeferredFreeThreadFunc>(
::GetProcAddress(syzyasan_handle,
"asan_DisableDeferredFreeThread"));
if (syzyasan_disable_deferred_free)
syzyasan_disable_deferred_free();
}
}
#endif // defined(SYZYASAN)
#endif // defined(OS_ANDROID)
}

8
chrome/browser/extensions/active_tab_apitest.cc

@ -24,13 +24,7 @@
namespace extensions {
namespace {
// Times out on win syzyasan, http://crbug.com/166026
#if defined(SYZYASAN)
#define MAYBE_ActiveTab DISABLED_ActiveTab
#else
#define MAYBE_ActiveTab ActiveTab
#endif
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, MAYBE_ActiveTab) {
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, ActiveTab) {
ASSERT_TRUE(StartEmbeddedTestServer());
const Extension* extension =

8
chrome/browser/extensions/api/bookmark_manager_private/bookmark_manager_private_apitest.cc

@ -26,13 +26,7 @@
using bookmarks::BookmarkModel;
using bookmarks::BookmarkNode;
// Times out on win syzyasan, http://crbug.com/166026
#if defined(SYZYASAN)
#define MAYBE_BookmarkManager DISABLED_BookmarkManager
#else
#define MAYBE_BookmarkManager BookmarkManager
#endif
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, MAYBE_BookmarkManager) {
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, BookmarkManager) {
// Add managed bookmarks.
Profile* profile = browser()->profile();
BookmarkModel* model = BookmarkModelFactory::GetForBrowserContext(profile);

8
chrome/browser/extensions/api/context_menus/context_menu_apitest.cc

@ -125,13 +125,7 @@ class ExtensionContextMenuApiTest : public ExtensionApiTest {
DISALLOW_COPY_AND_ASSIGN(ExtensionContextMenuApiTest);
};
// Times out on win syzyasan, http://crbug.com/166026
#if defined(SYZYASAN)
#define MAYBE_ContextMenus DISABLED_ContextMenus
#else
#define MAYBE_ContextMenus ContextMenus
#endif
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, MAYBE_ContextMenus) {
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, ContextMenus) {
ASSERT_TRUE(RunExtensionTest("context_menus/basics")) << message_;
ASSERT_TRUE(RunExtensionTest("context_menus/no_perms")) << message_;
ASSERT_TRUE(RunExtensionTest("context_menus/item_ids")) << message_;

8
chrome/browser/extensions/api/cookies/cookies_apitest.cc

@ -8,13 +8,7 @@
namespace extensions {
// Times out on win syzyasan, http://crbug.com/166026
#if defined(SYZYASAN)
#define MAYBE_Cookies DISABLED_Cookies
#else
#define MAYBE_Cookies Cookies
#endif
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, MAYBE_Cookies) {
IN_PROC_BROWSER_TEST_F(ExtensionApiTest, Cookies) {
ASSERT_TRUE(RunExtensionTest("cookies/api")) << message_;
}

1
chrome/browser/metrics/chrome_metrics_service_accessor.h

@ -129,7 +129,6 @@ class ChromeMetricsServiceAccessor : public metrics::MetricsServiceAccessor {
friend class safe_browsing::SRTGlobalError;
friend class safe_browsing::SafeBrowsingService;
friend class safe_browsing::SafeBrowsingUIManager;
friend void SyzyASANRegisterExperiment(const char*, const char*);
friend class ChromeMetricsServiceClient;
friend class ChromePasswordManagerClient;
friend class NavigationMetricsRecorder;

2
chrome/browser/profiling_host/chrome_browser_main_extra_parts_profiling.cc

@ -15,7 +15,7 @@ ChromeBrowserMainExtraPartsProfiling::~ChromeBrowserMainExtraPartsProfiling() =
void ChromeBrowserMainExtraPartsProfiling::ServiceManagerConnectionStarted(
content::ServiceManagerConnection* connection) {
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
// Memory sanitizers are using large memory shadow to keep track of memory
// state. Using memlog and memory sanitizers at the same time is slowing down
// user experience, causing the browser to be barely responsive. In theory,

4
chrome/browser/profiling_host/memlog_browsertest.cc

@ -25,7 +25,7 @@
#include "third_party/zlib/zlib.h"
// Some builds don't support memlog in which case the tests won't function.
#if BUILDFLAG(USE_ALLOCATOR_SHIM) && !defined(SYZYASAN)
#if BUILDFLAG(USE_ALLOCATOR_SHIM)
namespace profiling {
@ -155,4 +155,4 @@ INSTANTIATE_TEST_CASE_P(Memlog,
} // namespace profiling
#endif // BUILDFLAG(USE_ALLOCATOR_SHIM) && !defined(SYZYASAN)
#endif // BUILDFLAG(USE_ALLOCATOR_SHIM)

2
chrome/browser/ui/webui/memory_internals_ui.cc

@ -77,7 +77,7 @@ std::string GetMessageString() {
"Memory logging must be manually enabled for each process via "
"chrome://memory-internals.");
}
#elif defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#elif defined(ADDRESS_SANITIZER)
return "Memory logging is not available in this build because a memory "
"sanitizer is running.";
#else

2
chrome/child/BUILD.gn

@ -4,8 +4,6 @@
static_library("child") {
sources = [
"child_profiling.cc",
"child_profiling.h",
"pdf_child_init.cc",
"pdf_child_init.h",
"v8_breakpad_support_win.cc",

68
chrome/child/child_profiling.cc

@ -1,68 +0,0 @@
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/child/child_profiling.h"
#include "base/debug/profiler.h"
#include "base/logging.h"
#include "chrome/common/chrome_features.h"
#include "gin/public/debug.h"
#include "v8/include/v8.h"
namespace {
base::debug::AddDynamicSymbol add_dynamic_symbol_func = NULL;
base::debug::MoveDynamicSymbol move_dynamic_symbol_func = NULL;
void JitCodeEventHandler(const v8::JitCodeEvent* event) {
DCHECK_NE(static_cast<base::debug::AddDynamicSymbol>(NULL),
add_dynamic_symbol_func);
DCHECK_NE(static_cast<base::debug::MoveDynamicSymbol>(NULL),
move_dynamic_symbol_func);
switch (event->type) {
case v8::JitCodeEvent::CODE_ADDED:
add_dynamic_symbol_func(event->code_start, event->code_len,
event->name.str, event->name.len);
break;
case v8::JitCodeEvent::CODE_MOVED:
move_dynamic_symbol_func(event->code_start, event->new_code_start);
break;
default:
break;
}
}
} // namespace
// static
void ChildProfiling::ProcessStarted() {
// Establish the V8 profiling hooks if we're an instrumented binary.
if (base::debug::IsBinaryInstrumented()) {
base::debug::ReturnAddressLocationResolver resolve_func =
base::debug::GetProfilerReturnAddrResolutionFunc();
if (resolve_func != NULL) {
v8::V8::SetReturnAddressLocationResolver(resolve_func);
}
// Set up the JIT code entry handler and the symbol callbacks if the
// profiler supplies them.
// TODO(siggi): Maybe add a switch or an environment variable to turn off
// V8 profiling?
base::debug::DynamicFunctionEntryHook entry_hook_func =
base::debug::GetProfilerDynamicFunctionEntryHookFunc();
add_dynamic_symbol_func = base::debug::GetProfilerAddDynamicSymbolFunc();
move_dynamic_symbol_func = base::debug::GetProfilerMoveDynamicSymbolFunc();
if (entry_hook_func != NULL &&
add_dynamic_symbol_func != NULL &&
move_dynamic_symbol_func != NULL) {
gin::Debug::SetFunctionEntryHook(entry_hook_func);
gin::Debug::SetJitCodeEventHandler(&JitCodeEventHandler);
}
}
}

22
chrome/child/child_profiling.h

@ -1,22 +0,0 @@
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROME_CHILD_CHILD_PROFILING_H_
#define CHROME_CHILD_CHILD_PROFILING_H_
#include "base/macros.h"
// This class is the child-process-only (i.e. non-browser) portion of
// chrome/common/profiling.h.
class ChildProfiling {
public:
// Called early in a process' life to allow profiling of startup time.
static void ProcessStarted();
private:
ChildProfiling();
DISALLOW_COPY_AND_ASSIGN(ChildProfiling);
};
#endif // CHROME_CHILD_CHILD_PROFILING_H_

7
chrome/common/channel_info_win.cc

@ -14,9 +14,10 @@ namespace chrome {
std::string GetChannelName() {
#if defined(GOOGLE_CHROME_BUILD)
base::string16 channel(install_static::GetChromeChannelName());
#if defined(SYZYASAN)
if (base::debug::IsBinaryInstrumented())
channel += L" SyzyASan";
#if defined(DCHECK_IS_CONFIGURABLE)
// Adorn the channel when DCHECKs are baked into the build, as there will be
// a performance hit. See https://crbug.com/812058 for details.
channel += " DCheck";
#endif
return base::UTF16ToASCII(channel);
#else

8
chrome/common/chrome_features.cc

@ -562,14 +562,6 @@ const base::Feature kSysInternals{"SysInternals",
base::FEATURE_DISABLED_BY_DEFAULT};
#endif
#if defined(SYZYASAN)
// Enable the deferred free mechanism in the syzyasan module, which helps the
// performance by deferring some work on the critical path to a background
// thread.
const base::Feature kSyzyasanDeferredFree{"SyzyasanDeferredFree",
base::FEATURE_ENABLED_BY_DEFAULT};
#endif
// Enable TopSites to source and sort its site data using site engagement.
const base::Feature kTopSitesFromSiteEngagement{
"TopSitesFromSiteEngagement", base::FEATURE_DISABLED_BY_DEFAULT};

4
chrome/common/chrome_features.h

@ -304,10 +304,6 @@ extern const base::Feature kSupervisedUserCommittedInterstitials;
extern const base::Feature kSysInternals;
#endif
#if defined(SYZYASAN)
extern const base::Feature kSyzyasanDeferredFree;
#endif
#if !defined(OS_ANDROID)
extern const base::Feature kTabMetricsLogging;
#endif

8
chrome/installer/mini_installer/BUILD.gn

@ -293,14 +293,6 @@ generate_mini_installer("mini_installer") {
chrome_dll_target = "//chrome:main_dll"
}
if (is_syzyasan) {
generate_mini_installer("mini_installer_syzygy") {
out_dir = "$root_out_dir/syzygy/"
chrome_dll_file = "$root_out_dir/syzygy/chrome.dll"
chrome_dll_target = "//chrome/tools/build/win/syzygy:chrome_dll_syzygy"
}
}
# next_version_mini_installer.exe can't be generated in an x86 Debug component
# build because it requires too much memory.
# TODO(thakis): Enable this in cross builds, https://crbug.com/799827

1
chrome/installer/mini_installer/chrome.release

@ -35,7 +35,6 @@ nacl_irt_x86_64.nexe: %(VersionDir)s\
natives_blob.bin: %(VersionDir)s\
notification_helper.exe: %(VersionDir)s\
resources.pak: %(VersionDir)s\
syzyasan_rtl.dll: %(VersionDir)s\
v8_context_snapshot.bin: %(VersionDir)s\
#
# Sub directories living in the version dir

2
chrome/test/base/javascript_browser_test.cc

@ -58,7 +58,7 @@ void JavaScriptBrowserTest::SetUpOnMainThread() {
// enabled. Also, it seems some ChromeOS-specific tests use the
// js2gtest GN template.
#if (!defined(MEMORY_SANITIZER) && !defined(ADDRESS_SANITIZER) && \
!defined(LEAK_SANITIZER) && !defined(SYZYASAN)) || \
!defined(LEAK_SANITIZER)) || \
BUILDFLAG(ENABLE_NACL) || defined(OS_CHROMEOS)
base::FilePath gen_test_data_directory;
ASSERT_TRUE(

2
chrome/test/ppapi/ppapi_interactive_browsertest.cc

@ -17,7 +17,7 @@
// Disable tests under ASAN. http://crbug.com/104832.
// This is a bit heavy handed, but the majority of these tests fail under ASAN.
// See bug for history.
#if !defined(ADDRESS_SANITIZER) && !defined(SYZYASAN)
#if !defined(ADDRESS_SANITIZER)
// Disabled due to timeouts: http://crbug.com/136548
IN_PROC_BROWSER_TEST_F(

79
chrome/tools/build/win/FILES.cfg

@ -548,54 +548,6 @@ FILES = [
'buildtype': ['official'],
'archive': 'cloud_print.zip',
},
# Syzygy modified binaries and related files. Only add to this section if you
# know what you're doing! The build configuration has to be modified to run
# Syzygy on the target in question before adding a staging dependency here!
{
'filename': 'syzygy/chrome.dll',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'syzygy/chrome.dll',
'filegroup': ['symsrc'],
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/chrome_child.dll',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'syzygy/chrome_child.dll',
'filegroup': ['symsrc'],
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/instrumented/chrome_child.dll',
'arch': ['32bit'],
'buildtype': ['official'],
'archive': 'syzygy/instrumented/chrome_child.dll',
'filegroup': ['symsrc'],
'optional': ['official'],
},
{
'filename': 'syzygy/mini_installer.exe',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'syzygy/mini_installer.exe',
'filegroup': ['symsrc'],
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/chrome.packed.7z',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'syzygy/chrome.packed.7z',
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/syzyasan_rtl.dll',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'optional': ['dev', 'official'],
},
# Test binaries for external QA:
{
'filename': 'interactive_ui_tests.exe',
@ -742,37 +694,6 @@ FILES = [
'buildtype': ['dev', 'official'],
'archive': 'chrome-win32-syms.zip',
},
# PDB files for Syzygy modified binaries. Only add to this section if you
# know what you're doing! The build configuration has to be modified to run
# Syzygy on the target in question before adding a staging dependency here!
{
'filename': 'syzygy/chrome.dll.pdb',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'chrome-win32-syms.zip',
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/chrome_child.dll.pdb',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'chrome-win32-syms.zip',
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/mini_installer.exe.pdb',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'chrome-win32-syms.zip',
'optional': ['dev', 'official'],
},
{
'filename': 'syzygy/syzyasan_rtl.dll.pdb',
'arch': ['32bit'],
'buildtype': ['dev', 'official'],
'archive': 'chrome-win32-syms.zip',
'optional': ['dev', 'official'],
},
{
'filename': 'nacl_irt_x86_32.nexe.debug',
'arch': ['32bit'],

10
chrome/tools/build/win/create_installer_archive.py

@ -540,15 +540,7 @@ def main(options):
options.last_chrome_installer,
options.output_name)
# Preferentially copy the files we can find from the output_dir, as
# this is where we'll find the Syzygy-optimized executables when
# building the optimized mini_installer.
if options.build_dir != options.output_dir:
CopyAllFilesToStagingDir(config, options.distribution,
staging_dir, options.output_dir,
options.enable_hidpi)
# Now copy the remainder of the files from the build dir.
# Copy the files from the build dir.
CopyAllFilesToStagingDir(config, options.distribution,
staging_dir, options.build_dir,
options.enable_hidpi)

75
chrome/tools/build/win/syzygy/BUILD.gn

@ -1,75 +0,0 @@
# Copyright 2015 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import("//build/config/chrome_build.gni")
import("//build/config/compiler/compiler.gni")
import("//build/config/sanitizers/sanitizers.gni")
import("//build/win/syzygy/syzygy.gni")
# Where the output binaries will be placed.
syzygy_dest_dir = "$root_out_dir/syzygy"
if (is_syzyasan) {
syzygy_asan("chrome_dll_syzygy") {
binary_name = "chrome.dll"
dest_dir = syzygy_dest_dir
deps = [
"//chrome:main_dll",
]
if (is_multi_dll_chrome) {
data_deps = [
":chrome_child_dll_syzygy",
]
}
}
if (is_multi_dll_chrome) {
# Also instrument chrome_child.dll.
#
# For official builds, the instrumented version will be put into an
# "instrumented" subdirectory and the regular output will be
# uninstrumented. Otherwise, chrome_child is also instrumented to the
# normal place.
syzygy_asan("chrome_child_dll_syzygy") {
binary_name = "chrome_child.dll"
deps = [
"//chrome:chrome_child",
]
if (is_official_build) {
dest_dir = "$syzygy_dest_dir/instrumented"
deps += [ ":chrome_child_dll_syzygy_copy" ]
} else {
dest_dir = syzygy_dest_dir
}
}
if (is_official_build) {
# Copies the uninstrumented chrome_child.dll.
copy("chrome_child_dll_syzygy_copy") {
sources = [
"$root_out_dir/chrome_child.dll",
]
outputs = [
"$syzygy_dest_dir/{{source_file_part}}",
]
deps = [
"//chrome:chrome_child",
]
}
}
}
} else {
# No syzygy. Generate dummy targets so other targets can unconditionally
# depend on these without having to duplicate our conditions.
group("chrome_dll_syzygy") {
}
if (is_multi_dll_chrome) {
group("chrome_child_dll_syzygy") {
}
}
}
# Prevent unused variable warning for code paths where this is unused.
assert(syzygy_dest_dir != "")

2
chrome/tools/build/win/syzygy/OWNERS

@ -1,2 +0,0 @@
chrisha@chromium.org
siggi@chromium.org

3
chrome_elf/elf_imports_unittest.cc

@ -87,9 +87,6 @@ TEST_F(ELFImportsTest, ChromeElfSanityCheck) {
static const char* const kValidFilePatterns[] = {
"KERNEL32.dll",
"RPCRT4.dll",
#if defined(SYZYASAN)
"syzyasan_rtl.dll",
#endif
#if defined(ADDRESS_SANITIZER) && defined(COMPONENT_BUILD)
"clang_rt.asan_dynamic-i386.dll",
#endif

2
components/browser_watcher/stability_debugging.cc

@ -65,7 +65,7 @@ void SetStabilityDataInt(base::StringPiece name, int64_t value) {
}
void RegisterStabilityVEH() {
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
// ASAN on windows x64 is dynamically allocating the shadow memory on a
// memory access violation by setting up an vector exception handler.
// When instrumented with ASAN, this code may trigger an exception by

2
components/metrics/metrics_log.cc

@ -149,7 +149,7 @@ void MetricsLog::RecordCoreSystemProfile(MetricsServiceClient* client,
system_profile->set_channel(client->GetChannel());
system_profile->set_application_locale(client->GetApplicationLocale());
#if defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
system_profile->set_is_asan_build(true);
#endif

2
components/metrics/metrics_log_unittest.cc

@ -136,7 +136,7 @@ TEST_F(MetricsLogTest, BasicRecord) {
system_profile->set_channel(client.GetChannel());
system_profile->set_application_locale(client.GetApplicationLocale());
#if defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
system_profile->set_is_asan_build(true);
#endif
metrics::SystemProfileProto::Hardware* hardware =

24
content/browser/frame_host/debug_urls.cc

@ -4,10 +4,6 @@
#include "content/browser/frame_host/debug_urls.h"
#if defined(SYZYASAN)
#include <windows.h>
#endif
#include <vector>
#include "base/command_line.h"
@ -16,6 +12,7 @@
#include "base/strings/utf_string_conversions.h"
#include "base/synchronization/waitable_event.h"
#include "base/threading/thread_restrictions.h"
#include "build/build_config.h"
#include "cc/base/switches.h"
#include "content/browser/gpu/gpu_process_host.h"
#include "content/public/browser/browser_thread.h"
@ -43,7 +40,8 @@ const char kAsanCrashDomain[] = "crash";
const char kAsanHeapOverflow[] = "/browser-heap-overflow";
const char kAsanHeapUnderflow[] = "/browser-heap-underflow";
const char kAsanUseAfterFree[] = "/browser-use-after-free";
#if defined(SYZYASAN)
#if defined(OS_WIN)
const char kAsanCorruptHeapBlock[] = "/browser-corrupt-heap-block";
const char kAsanCorruptHeap[] = "/browser-corrupt-heap";
#endif
@ -66,11 +64,6 @@ void HandlePpapiFlashDebugURL(const GURL& url) {
}
bool IsAsanDebugURL(const GURL& url) {
#if defined(SYZYASAN)
if (!base::debug::IsBinaryInstrumented())
return false;
#endif
if (!(url.is_valid() && url.SchemeIs(kChromeUIScheme) &&
url.DomainIs(kAsanCrashDomain) &&
url.has_path())) {
@ -83,7 +76,7 @@ bool IsAsanDebugURL(const GURL& url) {
return true;
}
#if defined(SYZYASAN)
#if defined(OS_WIN)
if (url.path_piece() == kAsanCorruptHeapBlock ||
url.path_piece() == kAsanCorruptHeap) {
return true;
@ -94,10 +87,8 @@ bool IsAsanDebugURL(const GURL& url) {
}
bool HandleAsanDebugURL(const GURL& url) {
#if defined(SYZYASAN)
if (!base::debug::IsBinaryInstrumented())
return false;
#if defined(ADDRESS_SANITIZER)
#if defined(OS_WIN)
if (url.path_piece() == kAsanCorruptHeapBlock) {
base::debug::AsanCorruptHeapBlock();
return true;
@ -105,9 +96,8 @@ bool HandleAsanDebugURL(const GURL& url) {
base::debug::AsanCorruptHeap();
return true;
}
#endif
#endif // OS_WIN
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
if (url.path_piece() == kAsanHeapOverflow) {
base::debug::AsanHeapOverflow();
} else if (url.path_piece() == kAsanHeapUnderflow) {

2
content/browser/gpu/browser_gpu_channel_host_factory.cc

@ -352,7 +352,7 @@ void BrowserGpuChannelHostFactory::RestartTimeout() {
return;
#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN) || defined(CYGPROFILE_INSTRUMENTATION)
defined(CYGPROFILE_INSTRUMENTATION)
constexpr int64_t kGpuChannelTimeoutInSeconds = 40;
#else
// The GPU watchdog timeout is 15 seconds (1.5x the kGpuTimeout value due to

2
content/browser/webrtc/webrtc_stress_pause_browsertest.cc

@ -17,7 +17,7 @@ namespace content {
namespace {
#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN) || defined(MEMORY_SANITIZER)
defined(MEMORY_SANITIZER)
static const int kTestDurationSecs = 2;
static const int kNumPeerConnections = 3;
#else

2
content/browser/webrtc/webrtc_stress_resolution_switch_browsertest.cc

@ -17,7 +17,7 @@ namespace content {
namespace {
#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN) || defined(MEMORY_SANITIZER)
defined(MEMORY_SANITIZER)
static const int kTestDurationSecs = 2;
static const int kNumPeerConnections = 3;
#else

2
content/browser/webrtc/webrtc_stress_source_switch_browsertest.cc

@ -17,7 +17,7 @@ namespace content {
namespace {
#if defined(ADDRESS_SANITIZER) || defined(THREAD_SANITIZER) || \
defined(SYZYASAN) || defined(MEMORY_SANITIZER)
defined(MEMORY_SANITIZER)
static const int kTestDurationSecs = 2;
static const int kNumPeerConnections = 3;
#else

10
content/public/common/url_constants.cc

@ -57,15 +57,19 @@ const char kChromeUIPpapiFlashHangURL[] = "chrome://ppapiflashhang/";
#if defined(OS_ANDROID)
const char kChromeUIGpuJavaCrashURL[] = "chrome://gpu-java-crash/";
#endif
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
const char kChromeUICrashHeapOverflowURL[] = "chrome://crash/heap-overflow";
const char kChromeUICrashHeapUnderflowURL[] = "chrome://crash/heap-underflow";
const char kChromeUICrashUseAfterFreeURL[] = "chrome://crash/use-after-free";
#endif
#if defined(SYZYASAN)
#if defined(OS_WIN)
const char kChromeUICrashCorruptHeapBlockURL[] =
"chrome://crash/corrupt-heap-block";
const char kChromeUICrashCorruptHeapURL[] = "chrome://crash/corrupt-heap";
#endif // OS_WIN
#endif // ADDRESS_SANITIZER
#if DCHECK_IS_ON()
const char kChromeUICrashDcheckURL[] = "chrome://crash/dcheck";
#endif

10
content/public/common/url_constants.h

@ -5,6 +5,7 @@
#ifndef CONTENT_PUBLIC_COMMON_URL_CONSTANTS_H_
#define CONTENT_PUBLIC_COMMON_URL_CONSTANTS_H_
#include "base/logging.h"
#include "build/build_config.h"
#include "content/common/content_export.h"
#include "url/url_constants.h"
@ -66,14 +67,17 @@ CONTENT_EXPORT extern const char kChromeUIPpapiFlashHangURL[];
#if defined(OS_ANDROID)
CONTENT_EXPORT extern const char kChromeUIGpuJavaCrashURL[];
#endif
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
CONTENT_EXPORT extern const char kChromeUICrashHeapOverflowURL[];
CONTENT_EXPORT extern const char kChromeUICrashHeapUnderflowURL[];
CONTENT_EXPORT extern const char kChromeUICrashUseAfterFreeURL[];
#endif
#if defined(SYZYASAN)
#if defined(OS_WIN)
CONTENT_EXPORT extern const char kChromeUICrashCorruptHeapBlockURL[];
CONTENT_EXPORT extern const char kChromeUICrashCorruptHeapURL[];
#endif // OS_WIN
#endif // ADDRESS_SANITIZER
#if DCHECK_IS_ON()
CONTENT_EXPORT extern const char kChromeUICrashDcheckURL[];
#endif

12
content/public/common/url_utils.cc

@ -4,6 +4,7 @@
#include "content/public/common/url_utils.h"
#include "base/logging.h"
#include "build/build_config.h"
#include "content/common/url_schemes.h"
#include "content/public/common/browser_side_navigation_policy.h"
@ -81,7 +82,7 @@ bool IsRendererDebugURL(const GURL& url) {
return true;
}
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
if (url == kChromeUICrashHeapOverflowURL ||
url == kChromeUICrashHeapUnderflowURL ||
url == kChromeUICrashUseAfterFreeURL) {
@ -89,9 +90,14 @@ bool IsRendererDebugURL(const GURL& url) {
}
#endif
#if defined(SYZYASAN)
#if DCHECK_IS_ON()
if (url == kChromeUICrashDcheckURL)
return true;
#endif
#if defined(OS_WIN) && defined(ADDRESS_SANITIZER)
if (url == kChromeUICrashCorruptHeapBlockURL ||
url == kChromeUICrashCorruptHeapURL || url == kChromeUICrashDcheckURL) {
url == kChromeUICrashCorruptHeapURL) {
return true;
}
#endif

26
content/renderer/render_frame_impl.cc

@ -851,7 +851,7 @@ NOINLINE void ExhaustMemory() {
} while (ptr);
}
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if defined(ADDRESS_SANITIZER)
NOINLINE void MaybeTriggerAsanError(const GURL& url) {
// NOTE(rogerm): We intentionally perform an invalid heap access here in
// order to trigger an Address Sanitizer (ASAN) error report.
@ -867,7 +867,7 @@ NOINLINE void MaybeTriggerAsanError(const GURL& url) {
LOG(ERROR) << "Intentionally causing ASAN heap use-after-free"
<< " because user navigated to " << url.spec();
base::debug::AsanHeapUseAfterFree();
#if defined(SYZYASAN)
#if defined(OS_WIN)
} else if (url == kChromeUICrashCorruptHeapBlockURL) {
LOG(ERROR) << "Intentionally causing ASAN corrupt heap block"
<< " because user navigated to " << url.spec();
@ -876,15 +876,10 @@ NOINLINE void MaybeTriggerAsanError(const GURL& url) {
LOG(ERROR) << "Intentionally causing ASAN corrupt heap"
<< " because user navigated to " << url.spec();
base::debug::AsanCorruptHeap();
} else if (url == kChromeUICrashDcheckURL) {
LOG(ERROR) << "Intentionally DCHECKING because user navigated to "
<< url.spec();
DCHECK(false) << "Intentional DCHECK.";
#endif
#endif // OS_WIN
}
}
#endif // ADDRESS_SANITIZER || SYZYASAN
#endif // ADDRESS_SANITIZER
// Returns true if the URL is a debug URL, false otherwise. These URLs do not
// commit, though they are intentionally left in the address bar above the
@ -931,9 +926,18 @@ void HandleChromeDebugURL(const GURL& url) {
CHECK(false);
}
#if defined(ADDRESS_SANITIZER) || defined(SYZYASAN)
#if DCHECK_IS_ON()
if (url == kChromeUICrashDcheckURL) {
LOG(ERROR) << "Intentionally causing DCHECK because user navigated to "
<< url.spec();
DCHECK(false) << "Intentional DCHECK.";
}
#endif
#if defined(ADDRESS_SANITIZER)
MaybeTriggerAsanError(url);
#endif // ADDRESS_SANITIZER || SYZYASAN
#endif // ADDRESS_SANITIZER
}
struct RenderFrameImpl::PendingFileChooser {

15
content/shell/BUILD.gn

@ -21,8 +21,6 @@ if (is_android) {
import("//build/mac/tweak_info_plist.gni")
import("//third_party/icu/config.gni")
import("//v8/gni/v8.gni")
} else if (is_win) {
import("//build/win/syzygy/syzygy.gni")
}
declare_args() {
@ -616,19 +614,6 @@ if (is_android) {
}
}
if (is_win) {
if (is_syzyasan) {
syzygy_asan("content_shell_syzyasan") {
binary_name = "content_shell.exe"
dest_dir = "$root_out_dir/syzygy"
deps = [
"//content/shell:content_shell",
]
testonly = true
}
}
}
if (is_mac) {
bundle_data("content_shell_framework_helpers") {
testonly = true

8
services/service_manager/sandbox/win/sandbox_win.cc

@ -12,7 +12,7 @@
#include "base/command_line.h"
#include "base/debug/activity_tracker.h"
#include "base/debug/profiler.h"
#include "base/feature_list.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/hash.h"
@ -774,11 +774,7 @@ bool SandboxWin::InitBrokerServices(sandbox::BrokerServices* broker_services) {
#if !defined(OFFICIAL_BUILD) && !defined(COMPONENT_BUILD)
BOOL is_in_job = FALSE;
CHECK(::IsProcessInJob(::GetCurrentProcess(), NULL, &is_in_job));
// In a Syzygy-profiled binary, instrumented for import profiling, this
// patch will end in infinite recursion on the attempted delegation to the
// original function.
if (!base::debug::IsBinaryInstrumented() && !is_in_job &&
!g_iat_patch_duplicate_handle.is_patched()) {
if (!is_in_job && !g_iat_patch_duplicate_handle.is_patched()) {
HMODULE module = NULL;
wchar_t module_name[MAX_PATH];
CHECK(::GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS,

11
skia/BUILD.gn

@ -640,14 +640,7 @@ if (current_cpu == "x86" || current_cpu == "x64") {
visibility = [ ":skia_opts" ]
}
skia_source_set("skia_opts_hsw") {
# SyzyAsan doesn't support the AVX2 and F16C instructions.
if (!is_syzyasan) {
sources = skia_opts.hsw_sources
} else {
sources = [
"ext/SkOpts_hsw_stub.cc",
]
}
sources = skia_opts.hsw_sources
if (!is_win) {
cflags = [
"-mavx2",
@ -657,7 +650,7 @@ if (current_cpu == "x86" || current_cpu == "x64") {
"-mfma",
]
}
if (is_win && !is_syzyasan) {
if (is_win) {
cflags = [ "/arch:AVX2" ]
}
visibility = [ ":skia_opts" ]