Add a new test to crasher to upset dlmalloc.
We should also add a test for heap corruption, but I failed to come up
with a kind of corruption that dlmalloc actually detects (rather than
just crashing accidentally).
Change-Id: I7457e732729635b171ffc44517c3de71f55608e6
diff --git a/debuggerd/crasher.c b/debuggerd/crasher.c
index d88ef88..8c225cb 100644
--- a/debuggerd/crasher.c
+++ b/debuggerd/crasher.c
@@ -21,8 +21,7 @@
void crash1(void);
void crashnostack(void);
-void maybeabort(void);
-int do_action(const char* arg);
+static int do_action(const char* arg);
static void debuggerd_connect()
{
@@ -30,14 +29,20 @@
int s;
sprintf(tmp, "%d", gettid());
s = socket_local_client("android:debuggerd",
- ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
+ ANDROID_SOCKET_NAMESPACE_ABSTRACT, SOCK_STREAM);
if(s >= 0) {
read(s, tmp, 1);
close(s);
}
}
-int smash_stack(int i) {
+static void maybeabort() {
+ if(time(0) != 42) {
+ abort();
+ }
+}
+
+static int smash_stack(int i) {
printf("crasher: deliberately corrupting stack...\n");
// Unless there's a "big enough" buffer on the stack, gcc
// doesn't bother inserting checks.
@@ -49,19 +54,19 @@
return *(int*)(&buf[0]);
}
-__attribute__((noinline)) void overflow_stack(void* p) {
+__attribute__((noinline)) static void overflow_stack(void* p) {
fprintf(stderr, "p = %p\n", p);
void* buf[1];
buf[0] = p;
overflow_stack(&buf);
}
-void test_call1()
+static void test_call1()
{
*((int*) 32) = 1;
}
-void *noisy(void *x)
+static void *noisy(void *x)
{
char c = (unsigned) x;
for(;;) {
@@ -72,7 +77,7 @@
return 0;
}
-int ctest()
+static int ctest()
{
pthread_t thr;
pthread_attr_t attr;
@@ -90,7 +95,7 @@
return (void*) do_action((const char*) raw_arg);
}
-int do_action_on_thread(const char* arg)
+static int do_action_on_thread(const char* arg)
{
pthread_t t;
pthread_create(&t, NULL, thread_callback, (void*) arg);
@@ -99,22 +104,27 @@
return (int) result;
}
-__attribute__((noinline)) int crash3(int a) {
- *((int*) 0xdead) = a;
- return a*4;
+__attribute__((noinline)) static int crash3(int a) {
+ *((int*) 0xdead) = a;
+ return a*4;
}
-__attribute__((noinline)) int crash2(int a) {
- a = crash3(a) + 2;
- return a*3;
+__attribute__((noinline)) static int crash2(int a) {
+ a = crash3(a) + 2;
+ return a*3;
}
-__attribute__((noinline)) int crash(int a) {
- a = crash2(a) + 1;
- return a*2;
+__attribute__((noinline)) static int crash(int a) {
+ a = crash2(a) + 1;
+ return a*2;
}
-int do_action(const char* arg)
+static void abuse_heap() {
+ char buf[16];
+ free((void*) buf); // GCC is smart enough to warn about this, but we're doing it deliberately.
+}
+
+static int do_action(const char* arg)
{
fprintf(stderr,"crasher: init pid=%d tid=%d\n", getpid(), gettid());
@@ -134,12 +144,16 @@
return crash(42);
} else if (!strcmp(arg,"abort")) {
maybeabort();
+ } else if (!strcmp(arg, "heap-usage")) {
+ abuse_heap();
}
fprintf(stderr, "%s OP\n", __progname);
fprintf(stderr, "where OP is:\n");
fprintf(stderr, " smash-stack overwrite a stack-guard canary\n");
fprintf(stderr, " stack-overflow recurse until the stack overflows\n");
+ fprintf(stderr, " heap-corruption cause a libc abort by corrupting the heap\n");
+ fprintf(stderr, " heap-usage cause a libc abort by abusing a heap function\n");
fprintf(stderr, " nostack crash with a NULL stack pointer\n");
fprintf(stderr, " ctest (obsoleted by thread-crash?)\n");
fprintf(stderr, " exit call exit(1)\n");
@@ -159,11 +173,6 @@
} else {
crash1();
}
-
- return 0;
-}
-void maybeabort()
-{
- if(time(0) != 42) abort();
+ return 0;
}