Enabling Gwp Asan in Android

[uazo]

Preliminary checklist

• I have read the README
• I have read the FAQs.
• I have searched existing issues for my feature request. This is a new issue (NOT a duplicate) and is not related to another issue.
• I have searched wont fix issues and this request is not among them
• This is a feature request for the Cromite browser; not the website nor F-Droid nor anything else.

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

No.

Describe the solution you would like

To understand whether it is possible to enable GWP Asan in android. Currently in Windows it is active but in Android is not.
More than privacy you can think about security in general and for me to understand if potentially my code introduces security bugs.
in A13+ you can opt-in to the one built into the os

refs:

• https://bugs.chromium.org/p/chromium/issues/detail?id=1233008
• https://developer.android.com/ndk/guides/gwp-asan

Describe alternatives you have considered

n/a

[uazo]

• With v118.0.5993.71-002dc9166f20c34dc2ea87004712725e9e4bc3b0 (118.0.5993.71: new chromium version #388 (comment)) reverify the presence of the crash in windows and the absence in android.

• crash on windows 3c84787d-e8dc-41b7-bee1-9c6747a6264d.zip with 118

• dumped in android
  165e0341-a9f1-4bea-9d73-552055684d80.zip but file is in \data\data\org.cromite.cromite\cache\Crashpad\pending not in UI in UI after restart

windows stack trace

chrome_elf.dll!00007ff9ef830be7()
chrome.dll!base::debug::DumpWithoutCrashing(class base::Location const &,class base::TimeDelta)
chrome.dll!base::debug::win::TerminateWithControlFlowViolation(void)
chrome.dll!base::internal::Invoker<struct base::internal::BindState<void ,class base::internal::UnretainedWrapper<class media::AudioLog,struct base::unretained_traits::MayNotDangle,0> >,void >::Run(class base::internal::BindStateBase *,class std::__Cr::basic_string<char,struct std::__Cr::char_traits<char>,class std::__Cr::allocator<char> > const &)
chrome.dll!?InsertUserCSSAndApplyElemHidingEmuJS@?A0xAABCB7CD@adblock@@YAXUGlobalRenderFrameHostId@content@@V?$OnceCallback@$$A6AXAEBUElemhideInjectionData@ElementHider@adblock@@@Z@base@@UElemhideInjectionData@ElementHider@1@@Z.llvm.3547908535045569475()
chrome.dll!base::internal::Invoker<struct base::internal::BindState<void ,struct content::GlobalRenderFrameHostId,class base::OnceCallback<void > >,void >::RunOnce(class base::internal::BindStateBase *,struct adblock::ElementHider::ElemhideInjectionData &&)
chrome.dll!base::internal::BindState<void ,struct content::GlobalRenderFrameHostId,class base::OnceCallback<void > >::Destroy(class base::internal::BindStateBase const *)
chrome.dll!??@8ba85330290543fed8db40393cbc3e18@()
chrome.dll!base::internal::Invoker<struct base::internal::BindState<void ,class base::internal::PostTaskAndReplyRelay>,void >::RunOnce(class base::internal::BindStateBase *)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork(void)
chrome.dll!base::MessagePumpForUI::DoRunLoop(void)
chrome.dll!base::MessagePumpWin::Run(class base::MessagePump::Delegate *)
chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool,class base::TimeDelta)
chrome.dll!base::RunLoop::Run(class base::Location const &)
chrome.dll!content::BrowserMainLoop::RunMainMessageLoop(void)
chrome.dll!content::BrowserMain(struct content::MainFunctionParams)
chrome.dll!content::ContentMainRunnerImpl::RunBrowser(struct content::MainFunctionParams,bool)
chrome.dll!content::ContentMainRunnerImpl::Run(void)
chrome.dll!content::ContentMain(struct content::ContentMainParams)
chrome.dll!ChromeMain()

android stack trace

Operating system: Android
                  5.10.136 Must use __system_property_read_callback() to read -android12-9-00005-gf9a66cbe7091-ab9177899 #1 SMP PREEMPT Fri Oct 14 05:14:18 UTC 2022 x86_64
CPU: amd64
     family 6 model 165 stepping 2
     4 CPUs

GPU: UNKNOWN

Crash reason:  DUMP_REQUESTED
Crash address: 0x0
Process uptime: 72 seconds

Thread 0 (crashed)
 0  libchrome.so!crash_reporter::DumpWithoutCrashing() [crashpad_android.cc : 654 + 0x0]
    Found by: given as instruction pointer in context
 1  libchrome.so!base::debug::DumpWithoutCrashing(base::Location const&, base::TimeDelta) [dump_without_crashing.cc : 94 + 0x6]
    Found by: call frame info
 2  libchrome.so!base::allocator::UnretainedDanglingRawPtrDetectedDumpWithoutCrashing(unsigned long) [partition_alloc_support.cc : 675 + 0x8]
    Found by: call frame info
 3  libchrome.so!base::internal::Invoker<base::internal::BindState<void (*)(media::learning::LearningSessionImpl*, media::learning::LearningTask const&), base::internal::UnretainedWrapper<media::learning::LearningSessionImpl, base::unret
ained_traits::MayNotDangle, (base::RawPtrTraits)0>>, void (media::learning::LearningTask const&)>::Run(base::internal::BindStateBase*, media::learning::LearningTask const&) [raw_ptr_backup_ref_impl.h : 451 + 0x5]
    Found by: call frame info
 4  libchrome.so!adblock::(anonymous namespace)::InsertUserCSSAndApplyElemHidingEmuJS(content::GlobalRenderFrameHostId, base::OnceCallback<void (adblock::ElementHider::ElemhideInjectionData const&)>, adblock::ElementHider::ElemhideInject
ionData) [callback.h : 152 + 0x9]
    Found by: call frame info
 5  libchrome.so!base::internal::Invoker<base::internal::BindState<void (*)(content::GlobalRenderFrameHostId, base::OnceCallback<void (adblock::ElementHider::ElemhideInjectionData const&)>, adblock::ElementHider::ElemhideInjectionData),
content::GlobalRenderFrameHostId, base::OnceCallback<void (adblock::ElementHider::ElemhideInjectionData const&)>>, void (adblock::ElementHider::ElemhideInjectionData)>::RunOnce(base::internal::BindStateBase*, adblock::ElementHider::Elemh
ideInjectionData&&) [bind_internal.h : 631 + 0x9]
    Found by: call frame info
 6  libchrome.so!void base::internal::ReplyAdapter<adblock::ElementHider::ElemhideInjectionData, adblock::ElementHider::ElemhideInjectionData>(base::OnceCallback<void (adblock::ElementHider::ElemhideInjectionData)>, std::__Cr::unique_ptr
<adblock::ElementHider::ElemhideInjectionData, std::__Cr::default_delete<adblock::ElementHider::ElemhideInjectionData>>*) [callback.h : 152 + 0x3]
    Found by: call frame info
 7  libchrome.so!audio::DeviceListenerOutputStream::OnDeviceChange() [callback.h : 152 + 0x6]
    Found by: call frame info
 8  libchrome.so!base::internal::Invoker<base::internal::BindState<void (*)(base::internal::PostTaskAndReplyRelay), base::internal::PostTaskAndReplyRelay>, void ()>::RunOnce(base::internal::BindStateBase*) [bind_internal.h : 631 + 0x6]
    Found by: call frame info
 9  libchrome.so!base::TaskAnnotator::RunTaskImpl(base::PendingTask&) [callback.h : 152 + 0x3]
    Found by: call frame info
10  libchrome.so!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [task_annotator.h : 89 + 0x8]
    Found by: call frame info
11  libchrome.so!non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [thread_controller_with_message_pump_impl.cc : 0 + 0x10]
    Found by: call frame info
12  libchrome.so!base::MessagePumpForUI::DoNonDelayedLooperWork(bool) [message_pump_android.cc : 186 + 0x6]
    Found by: call frame info
13  libchrome.so!base::(anonymous namespace)::NonDelayedLooperCallback(int, int, void*) [message_pump_android.cc : 172 + 0x9]
    Found by: call frame info
14  libutils.so + 0x18476
    Found by: call frame info

[uazo]

launched 118 build https://github.com/uazo/cromite/actions/runs/6768790411 commit 002dc91, I need symbols

[uazo]

branch #508 to test 118 002dc91 with gwp asan enabled

[uazo]

a few updates. tried the version with the patch in release mode, no visible change in the log but at least I know that the patch does not crash the browser at startup.
next step, integrate the example code and check what happens

[uazo]

next step, integrate the example code and check what happen

also tried this, nothing goes. it needs to be investigated further.

[uazo]

ah, that's incredible. gwp asan will be active by default in v121.
https://chromium-review.googlesource.com/c/chromium/src/+/5038919

[uazo]

I have checked, my code is identical to theirs, but I cannot generate a crash with that code.
what a strange thing... could it be that android:gwpAsanMode is only active if the target is level 30?

[uazo]

is only active if the target is level 30?

is already so, I don't understand..

[uazo]

got it!

[0112/112950.680905:ERROR:crash_handler.cc(101)]
Detected GWP-ASan crash for allocation at 0x3c7600332fe0 (malloc) of type heap-use-after-free

that example code is not complete

[uazo]

I don't know who reads but I need advice:

gwpasan seems to have an impact on performance, and is made active on the processes according to the formula:

active if (base::RandDouble() < process_sampling_probability)

process_sampling_probability by default it is 0.015, so it takes 1,5% of the active processes.
I imagine that for chrome it is sufficient, given the amount of installations present, but in cromite I would like to increase that value to 50%.
The problem is that currently the value can only be changed with field trials and I do not have the infrastructure to manage them.

what should be done? ideas are welcome.

[PF4Public]

The problem is that currently the value can only be changed with field trials

You can always hardcode it, but…

process_sampling_probability by default it is 0.015, so it takes 1,5% of the active processes.
I imagine that for chrome it is sufficient, given the amount of installations

Are you sure it considers installation? Maybe it triggers for 1,5% of processes started by Chromium and not installations?

[Universalizer]

https://chromium.googlesource.com/chromium/src/+/master/docs/asan.md
Some relevant information in master docs asan.

[uazo]

Are you sure it considers installation?

no, I mean active processes.
but if you multiply 0.15% by the number of active processes on all installations, the value is large.

You can always hardcode it, but…

I guess that's the only way.

[uazo]

so in the end I did this:

• activation by default in android of gwpasan (windows and linux are already active)
• change activation parameters to 50% (+ boost) of active processes
• test accessible via the developer options
  

it might happen that the test fails (browser not crash) because not all threads are checked (precisely 'only' 50%).
it is not possible for me to insert flags or changes to parameters via ui since memory management is active before anything.
the hope is that performance will not drop too much.

[uazo]

https://github.com/uazo/cromite/releases/tag/v120.0.6099.217-c56a11a15b82c958469293ad3fe5721ef96d6431

available for those who would like to tell me if it has an impact on performance

[uazo]

Personally, I am not detecting any impact on performance, neither in android, nor in windows (although for the latter my machine is noticeably fast).
I think I'm going to release.