Enabling Gwp Asan in Android

[uazo]

Preliminary checklist

• [X] I have read the README
• [X] I have read the FAQs.
• [X] I have searched existing issues for my feature request. This is a new issue (NOT a duplicate) and is not related to another issue.
• [X] I have searched wont fix issues and this request is not among them
• [X] This is a feature request for the Cromite browser; not the website nor F-Droid nor anything else.

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

No.

Describe the solution you would like

To understand whether it is possible to enable GWP Asan in android. Currently in Windows it is active but in Android is not. More than privacy you can think about security in general and for me to understand if potentially my code introduces security bugs. in A13+ you can opt-in to the one built into the os

refs:

• https://bugs.chromium.org/p/chromium/issues/detail?id=1233008
• https://developer.android.com/ndk/guides/gwp-asan

Describe alternatives you have considered

n/a

[uazo]

• [ ] With v118.0.5993.71-002dc9166f20c34dc2ea87004712725e9e4bc3b0 (https://github.com/uazo/cromite/issues/388#issuecomment-1759462578) reverify the presence of the crash in windows and the absence in android.

• crash on windows 3c84787d-e8dc-41b7-bee1-9c6747a6264d.zip with 118

• dumped in android 165e0341-a9f1-4bea-9d73-552055684d80.zip ~but file is in \data\data\org.cromite.cromite\cache\Crashpad\pending not in UI~ in UI after restart

windows stack trace

``` chrome_elf.dll!00007ff9ef830be7() chrome.dll!base::debug::DumpWithoutCrashing(class base::Location const &,class base::TimeDelta) chrome.dll!base::debug::win::TerminateWithControlFlowViolation(void) chrome.dll!base::internal::Invoker >,void >::Run(class base::internal::BindStateBase *,class std::__Cr::basic_string,class std::__Cr::allocator > const &) chrome.dll!?InsertUserCSSAndApplyElemHidingEmuJS@?A0xAABCB7CD@adblock@@YAXUGlobalRenderFrameHostId@content@@V?$OnceCallback@$$A6AXAEBUElemhideInjectionData@ElementHider@adblock@@@Z@base@@UElemhideInjectionData@ElementHider@1@@Z.llvm.3547908535045569475() chrome.dll!base::internal::Invoker >,void >::RunOnce(class base::internal::BindStateBase *,struct adblock::ElementHider::ElemhideInjectionData &&) chrome.dll!base::internal::BindState >::Destroy(class base::internal::BindStateBase const *) chrome.dll!??@8ba85330290543fed8db40393cbc3e18@() chrome.dll!base::internal::Invoker,void >::RunOnce(class base::internal::BindStateBase *) chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork(void) chrome.dll!base::MessagePumpForUI::DoRunLoop(void) chrome.dll!base::MessagePumpWin::Run(class base::MessagePump::Delegate *) chrome.dll!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool,class base::TimeDelta) chrome.dll!base::RunLoop::Run(class base::Location const &) chrome.dll!content::BrowserMainLoop::RunMainMessageLoop(void) chrome.dll!content::BrowserMain(struct content::MainFunctionParams) chrome.dll!content::ContentMainRunnerImpl::RunBrowser(struct content::MainFunctionParams,bool) chrome.dll!content::ContentMainRunnerImpl::Run(void) chrome.dll!content::ContentMain(struct content::ContentMainParams) chrome.dll!ChromeMain() ```

android stack trace

``` Operating system: Android 5.10.136 Must use __system_property_read_callback() to read -android12-9-00005-gf9a66cbe7091-ab9177899 #1 SMP PREEMPT Fri Oct 14 05:14:18 UTC 2022 x86_64 CPU: amd64 family 6 model 165 stepping 2 4 CPUs GPU: UNKNOWN Crash reason: DUMP_REQUESTED Crash address: 0x0 Process uptime: 72 seconds Thread 0 (crashed) 0 libchrome.so!crash_reporter::DumpWithoutCrashing() [crashpad_android.cc : 654 + 0x0] Found by: given as instruction pointer in context 1 libchrome.so!base::debug::DumpWithoutCrashing(base::Location const&, base::TimeDelta) [dump_without_crashing.cc : 94 + 0x6] Found by: call frame info 2 libchrome.so!base::allocator::UnretainedDanglingRawPtrDetectedDumpWithoutCrashing(unsigned long) [partition_alloc_support.cc : 675 + 0x8] Found by: call frame info 3 libchrome.so!base::internal::Invoker>, void (media::learning::LearningTask const&)>::Run(base::internal::BindStateBase*, media::learning::LearningTask const&) [raw_ptr_backup_ref_impl.h : 451 + 0x5] Found by: call frame info 4 libchrome.so!adblock::(anonymous namespace)::InsertUserCSSAndApplyElemHidingEmuJS(content::GlobalRenderFrameHostId, base::OnceCallback, adblock::ElementHider::ElemhideInject ionData) [callback.h : 152 + 0x9] Found by: call frame info 5 libchrome.so!base::internal::Invoker, adblock::ElementHider::ElemhideInjectionData), content::GlobalRenderFrameHostId, base::OnceCallback>, void (adblock::ElementHider::ElemhideInjectionData)>::RunOnce(base::internal::BindStateBase*, adblock::ElementHider::Elemh ideInjectionData&&) [bind_internal.h : 631 + 0x9] Found by: call frame info 6 libchrome.so!void base::internal::ReplyAdapter(base::OnceCallback, std::__Cr::unique_ptr >*) [callback.h : 152 + 0x3] Found by: call frame info 7 libchrome.so!audio::DeviceListenerOutputStream::OnDeviceChange() [callback.h : 152 + 0x6] Found by: call frame info 8 libchrome.so!base::internal::Invoker, void ()>::RunOnce(base::internal::BindStateBase*) [bind_internal.h : 631 + 0x6] Found by: call frame info 9 libchrome.so!base::TaskAnnotator::RunTaskImpl(base::PendingTask&) [callback.h : 152 + 0x3] Found by: call frame info 10 libchrome.so!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [task_annotator.h : 89 + 0x8] Found by: call frame info 11 libchrome.so!non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() [thread_controller_with_message_pump_impl.cc : 0 + 0x10] Found by: call frame info 12 libchrome.so!base::MessagePumpForUI::DoNonDelayedLooperWork(bool) [message_pump_android.cc : 186 + 0x6] Found by: call frame info 13 libchrome.so!base::(anonymous namespace)::NonDelayedLooperCallback(int, int, void*) [message_pump_android.cc : 172 + 0x9] Found by: call frame info 14 libutils.so + 0x18476 Found by: call frame info ```

[uazo]

launched 118 build https://github.com/uazo/cromite/actions/runs/6768790411 commit https://github.com/uazo/cromite/commit/002dc9166f20c34dc2ea87004712725e9e4bc3b0, I need symbols

[uazo]

branch https://github.com/uazo/cromite/pull/508 to test 118 https://github.com/uazo/cromite/commit/002dc9166f20c34dc2ea87004712725e9e4bc3b0 with gwp asan enabled

[uazo]

a few updates. tried the version with the patch in release mode, no visible change in the log but at least I know that the patch does not crash the browser at startup. next step, integrate the example code and check what happens

[uazo]

next step, integrate the example code and check what happen

also tried this, nothing goes. it needs to be investigated further.

[uazo]

ah, that's incredible. gwp asan will be active by default in v121. https://chromium-review.googlesource.com/c/chromium/src/+/5038919

[uazo]

I have checked, my code is identical to theirs, but I cannot generate a crash with that code. what a strange thing... could it be that android:gwpAsanMode is only active if the target is level 30?

[uazo]

is only active if the target is level 30?

is already so, I don't understand..

[uazo]

got it!

[0112/112950.680905:ERROR:crash_handler.cc(101)]
Detected GWP-ASan crash for allocation at 0x3c7600332fe0 (malloc) of type heap-use-after-free

that example code is not complete

[uazo]

I don't know who reads but I need advice:

gwpasan seems to have an impact on performance, and is made active on the processes according to the formula:

active if (base::RandDouble() < process_sampling_probability)

process_sampling_probability by default it is 0.015, so it takes 1,5% of the active processes. I imagine that for chrome it is sufficient, given the amount of installations present, but in cromite I would like to increase that value to 50%. The problem is that currently the value can only be changed with field trials and I do not have the infrastructure to manage them.

what should be done? ideas are welcome.

[PF4Public]

The problem is that currently the value can only be changed with field trials

You can always hardcode it, but…

process_sampling_probability by default it is 0.015, so it takes 1,5% of the active processes. I imagine that for chrome it is sufficient, given the amount of installations

Are you sure it considers installation? Maybe it triggers for 1,5% of processes started by Chromium and not installations?

[Universalizer]

https://chromium.googlesource.com/chromium/src/+/master/docs/asan.md Some relevant information in master docs asan.

[uazo]

Are you sure it considers installation?

no, I mean active processes. but if you multiply 0.15% by the number of active processes on all installations, the value is large.

You can always hardcode it, but…

I guess that's the only way.

[uazo]

so in the end I did this:

• activation by default in android of gwpasan (windows and linux are already active)
• change activation parameters to 50% (+ boost) of active processes
• test accessible via the developer options

it might happen that the test fails (browser not crash) because not all threads are checked (precisely 'only' 50%). it is not possible for me to insert flags or changes to parameters via ui since memory management is active before anything. the hope is that performance will not drop too much.

[uazo]

https://github.com/uazo/cromite/releases/tag/v120.0.6099.217-c56a11a15b82c958469293ad3fe5721ef96d6431

available for those who would like to tell me if it has an impact on performance

[uazo]

Personally, I am not detecting any impact on performance, neither in android, nor in windows (although for the latter my machine is noticeably fast). I think I'm going to release.