Bug 1725008 - Implement FuzzingFunctions.crash() r=glandium,mccr8

Differential Revision: https://phabricator.services.mozilla.com/D125000
2021-09-15 18:24:04 +00:00 · 2021-09-15 18:24:04 +00:00 · d8f7c11471
--- a/dom/base/FuzzingFunctions.cpp
+++ b/dom/base/FuzzingFunctions.cpp
@ -10,6 +10,7 @@
 #include "js/GCAPI.h"
 #include "mozilla/dom/KeyboardEvent.h"
 #include "mozilla/ErrorResult.h"
+#include "mozilla/Sprintf.h"
 #include "mozilla/TextEvents.h"
 #include "mozilla/TextInputProcessor.h"
 #include "nsFocusManager.h"
@ -34,6 +35,19 @@ void FuzzingFunctions::GarbageCollectCompacting(const GlobalObject&) {
                                 nsJSContext::ShrinkingGC);
 }

+/* static */
+void FuzzingFunctions::Crash(const GlobalObject& aGlobalObject,
+                             const nsAString& aKeyValue) {
+  char msgbuf[250];
+
+  SprintfLiteral(msgbuf, "%s", NS_ConvertUTF16toUTF8(aKeyValue).get());
+  if (aKeyValue.Length() >= sizeof(msgbuf)) {
+    // Update the end of a truncated message to '...'.
+    strcpy(&msgbuf[sizeof(msgbuf) - 4], "...");
+  }
+  MOZ_CRASH_UNSAFE_PRINTF("%s", msgbuf);
+}
+
 /* static */
 void FuzzingFunctions::CycleCollect(const GlobalObject&) {
  nsJSContext::CycleCollectNow();
--- a/dom/base/FuzzingFunctions.h
+++ b/dom/base/FuzzingFunctions.h
@ -27,6 +27,9 @@ class FuzzingFunctions final {

  static void GarbageCollectCompacting(const GlobalObject&);

+  static void Crash(const GlobalObject& aGlobalObject,
+                    const nsAString& aKeyValue);
+
  static void CycleCollect(const GlobalObject&);

  static void MemoryPressure(const GlobalObject&);
--- a/dom/webidl/FuzzingFunctions.webidl
+++ b/dom/webidl/FuzzingFunctions.webidl
@ -23,6 +23,11 @@ interface FuzzingFunctions {
   */
  static void garbageCollectCompacting();

+  /**
+   * Trigger a forced crash.
+   */
+  static void crash(optional DOMString reason = "");
+
  /**
   * Synchronously perform a cycle collection.
   */
--- a/mfbt/Assertions.h
+++ b/mfbt/Assertions.h
@ -220,7 +220,7 @@ MOZ_NoReturn(int aLine) {
 * builds, and it's hard to print to stderr safely when memory might have been
 * corrupted.
 */
-#ifndef DEBUG
+#if !(defined(DEBUG) || defined(FUZZING))
 #  define MOZ_CRASH(...)                                \
    do {                                                \
      MOZ_CRASH_ANNOTATE("MOZ_CRASH(" __VA_ARGS__ ")"); \
@ -249,7 +249,7 @@ MOZ_NoReturn(int aLine) {
 */
 static MOZ_ALWAYS_INLINE_EVEN_DEBUG MOZ_COLD MOZ_NORETURN void MOZ_Crash(
    const char* aFilename, int aLine, const char* aReason) {
-#ifdef DEBUG
+#if defined(DEBUG) || defined(FUZZING)
  MOZ_ReportCrash(aReason, aFilename, aLine);
 #endif
  MOZ_CRASH_ANNOTATE(aReason);