Add sandbox support for AsanCoverage.

content/zygote/zygote_main_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/zygote/zygote_main.h"
 
 #include <dlfcn.h>
+#include <fcntl.h>
 #include <pthread.h>
 #include <string.h>
+#include <sys/socket.h>
 #include <sys/types.h>
 #include <unistd.h>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_vector.h"
 #include "base/native_library.h"
 #include "base/pickle.h"
+#include "base/posix/eintr_wrapper.h"
 #include "base/posix/unix_domain_socket_linux.h"
 #include "base/rand_util.h"
 #include "base/sys_info.h"
 #include "build/build_config.h"
 #include "content/common/child_process_sandbox_support_impl_linux.h"
 #include "content/common/font_config_ipc_linux.h"
 #include "content/common/pepper_plugin_list.h"
 #include "content/common/sandbox_linux/sandbox_linux.h"
 #include "content/common/zygote_commands_linux.h"
 #include "content/public/common/content_switches.h"
@@ skipping 10 matching lines @@
 #include "third_party/skia/include/ports/SkFontConfigInterface.h"
 
 #if defined(OS_LINUX)
 #include <sys/prctl.h>
 #endif
 
 #if defined(ENABLE_WEBRTC)
 #include "third_party/libjingle/overrides/init_webrtc.h"
 #endif
 
+#if defined(ADDRESS_SANITIZER)
+#include <sanitizer/asan_interface.h>
+#endif
+
 namespace content {
 
 // See http://code.google.com/p/chromium/wiki/LinuxZygote
 
 static void ProxyLocaltimeCallToBrowser(time_t input, struct tm* output,
                                         char* timezone_out,
                                         size_t timezone_out_len) {
   Pickle request;
   request.WriteInt(LinuxSandbox::METHOD_LOCALTIME);
   request.WriteString(
@@ skipping 331 matching lines @@
     if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) {
       LOG(ERROR) << "Failed to set non-dumpable flag";
       return false;
     }
   }
 #endif
 
   return true;
 }
 
+#if defined(ADDRESS_SANITIZER)
+const size_t kSanitizerMaxMessageLength = 1 * 1024 * 1024;
+
+static void SanitizerCoverageHelper(int socket_fd, int file_fd) {
+  scoped_ptr<char[]> buffer(new char[kSanitizerMaxMessageLength]);
+  while (true) {
+    ssize_t received_size = HANDLE_EINTR(
+        recv(socket_fd, buffer.get(), kSanitizerMaxMessageLength, 0));

[jln (very slow on Chromium), 2014/05/21 01:07:37]

Once the all renderers have exited and the Zygote follows, recv() should return
0 since |socket_fd| will EOF.

Currently this process will spin forever. We should simply _exit(0) on
received_size == 0 I think.

+    PCHECK(received_size >= 0);
+    if (received_size > 0) {
+      PCHECK(file_fd >= 0);
+      ssize_t written_size = 0;
+      while (written_size < received_size) {
+        ssize_t write_res =
+            HANDLE_EINTR(write(file_fd, buffer.get() + written_size,
+                               received_size - written_size));
+        PCHECK(write_res >= 0);
+        written_size += write_res;
+      }
+      PCHECK(0 == HANDLE_EINTR(fsync(file_fd)));
+    }
+  }
+}
+
+// fds[0] is the read end, fds[1] is the write end.
+static void CreateSanitizerCoverageSocketPair(int fds[2]) {

[jln (very slow on Chromium), 2014/05/21 01:07:37]

How are you handling this socketpair on the *SAN side?

Are you performing a non-blocking send()? You could also fcntl O_NONBLOCK the
writing end here for extra safety.

I fear some kind of deadlock if, for instance write() on L22 fails and the
helper process dies: the socketpair will become full and processes writing to it
will block forever.

+  PCHECK(0 == socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds));
+  PCHECK(0 == shutdown(fds[0], SHUT_WR));
+  PCHECK(0 == shutdown(fds[1], SHUT_RD));
+}
+
+static void ForkSanitizerCoverageHelper(int child_fd, int parent_fd,
+                                        base::ScopedFD file_fd) {
+  pid_t pid = fork();
+  PCHECK(pid >= 0);
+  if (pid == 0) {
+    // In the child.
+    PCHECK(0 == IGNORE_EINTR(close(parent_fd)));
+    SanitizerCoverageHelper(child_fd, file_fd.get());
+    _exit(0);
+  } else {
+    // In the parent.

[jln (very slow on Chromium), 2014/05/21 01:07:37]

Could you add a note along the lines of:

- We will never wait for this child. If the child exits, it will be reparented
to init(1) once the Zygote exits and reaped.

(At some point we may want to account for this child in the Zygote, but for now,
keeping all of this hidden is nice).

+    PCHECK(0 == IGNORE_EINTR(close(child_fd)));
+  }
+}
+#endif

[jln (very slow on Chromium), 2014/05/21 01:07:37]

// defined(...)

+
 // If |is_suid_sandbox_child|, then make sure that the setuid sandbox is
 // engaged.
 static void EnterLayerOneSandbox(LinuxSandbox* linux_sandbox,
                                  bool is_suid_sandbox_child) {
   DCHECK(linux_sandbox);
 
   ZygotePreSandboxInit();
 
   // Check that the pre-sandbox initialization didn't spawn threads.
 #if !defined(THREAD_SANITIZER)
   DCHECK(linux_sandbox->IsSingleThreaded());
 #endif
 
   sandbox::SetuidSandboxClient* setuid_sandbox =
       linux_sandbox->setuid_sandbox_client();
 
   if (is_suid_sandbox_child) {
     CHECK(EnterSuidSandbox(setuid_sandbox)) << "Failed to enter setuid sandbox";
   }
 }
 
 bool ZygoteMain(const MainFunctionParams& params,
                 ScopedVector<ZygoteForkDelegate> fork_delegates) {
   g_am_zygote_or_renderer = true;
   sandbox::InitLibcUrandomOverrides();
 
   LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance();
+
+#if defined(ADDRESS_SANITIZER)
+  base::ScopedFD sancov_file_fd(__sanitizer_maybe_open_cov_file("zygote"));
+  int sancov_socket_fds[2] = {-1, -1};
+  CreateSanitizerCoverageSocketPair(sancov_socket_fds);
+  linux_sandbox->sanitizer_args()->coverage_sandboxed = 1;
+  linux_sandbox->sanitizer_args()->coverage_fd = sancov_socket_fds[1];
+  linux_sandbox->sanitizer_args()->coverage_max_block_size =
+      kSanitizerMaxMessageLength;
+#endif

[jln (very slow on Chromium), 2014/05/21 01:07:37]

// defined(ADDRESS_SANITIZER)

+
   // This will pre-initialize the various sandboxes that need it.
   linux_sandbox->PreinitializeSandbox();
 
   const bool must_enable_setuid_sandbox =
       linux_sandbox->setuid_sandbox_client()->IsSuidSandboxChild();
   if (must_enable_setuid_sandbox) {
     linux_sandbox->setuid_sandbox_client()->CloseDummyFile();
 
     // Let the ZygoteHost know we're booting up.
     CHECK(UnixDomainSocket::SendMsg(kZygoteSocketPairFd,
                                     kZygoteBootMessage,
                                     sizeof(kZygoteBootMessage),
                                     std::vector<int>()));
   }
 
   VLOG(1) << "ZygoteMain: initializing " << fork_delegates.size()
           << " fork delegates";
   for (ScopedVector<ZygoteForkDelegate>::iterator i = fork_delegates.begin();
        i != fork_delegates.end();
        ++i) {
     (*i)->Init(GetSandboxFD(), must_enable_setuid_sandbox);
   }
 
   // Turn on the first layer of the sandbox if the configuration warrants it.
   EnterLayerOneSandbox(linux_sandbox, must_enable_setuid_sandbox);
 
+#if defined(ADDRESS_SANITIZER)
+  ForkSanitizerCoverageHelper(sancov_socket_fds[0], sancov_socket_fds[1],
+                              sancov_file_fd.Pass());
+#endif
+
   int sandbox_flags = linux_sandbox->GetStatus();
   bool setuid_sandbox_engaged = sandbox_flags & kSandboxLinuxSUID;
   CHECK_EQ(must_enable_setuid_sandbox, setuid_sandbox_engaged);
 
   Zygote zygote(sandbox_flags, fork_delegates.Pass());
   // This function call can return multiple times, once per fork().
   return zygote.ProcessRequests();
 }
 
 }  // namespace content