diff options
Diffstat (limited to 'build/sanitizers/ubsan_unsigned_overflow_blacklist.txt')
-rw-r--r-- | build/sanitizers/ubsan_unsigned_overflow_blacklist.txt | 264 |
1 files changed, 264 insertions, 0 deletions
diff --git a/build/sanitizers/ubsan_unsigned_overflow_blacklist.txt b/build/sanitizers/ubsan_unsigned_overflow_blacklist.txt new file mode 100644 index 0000000000..46bb4f6f12 --- /dev/null +++ b/build/sanitizers/ubsan_unsigned_overflow_blacklist.txt @@ -0,0 +1,264 @@ +# This file contains an extensive compile-time blacklist for silencing highly +# frequent *un*signed integer overflows in our codebase, found by the use of +# -fsanitize=unsigned-integer-overflow. Such overflows are not necessarily +# bugs -- unsigned integer overflow has well-defined semantics in C/C++. But +# overflow may still be *unexpected* and incorrectly handled, so we try to +# annotate those places where unsigned overflow is correct and desired. +# +# The rules in this file are applied at compile time; changes to this list +# usually require a full rebuild to apply. If you can modify the source in +# question to exempt specific functions using MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW, +# do that instead. +# +# The extensive number of entries below is for two reasons. +# +# First, compiler instrumentation for unsigned integer overflows has a cost, at +# compile time and at runtime. In places where code expects and depends upon +# overflow behavior -- and especially in performance-critical code -- it makes +# sense to turn off overflow detection to avoid both costs. (Indeed, +# -fsanitize=signed-integer-overflow is unusably slow without this.) +# +# Second, many entries here are overly aggressive to get the build into a state +# that allows any testing to happen at all. Some of the entries here are for +# issues that are highly frequent in our test suites -- over 500 times per run. +# Aggressive entries now let us start using this mode, without having to first +# fix wide swaths of existing code. +# +# Entries should be removed 1) as issues are fixed; and 2) as blacklist entries +# can be moved out of this centralized file, into source-level blacklist +# attributes on individual functions. + +# All entries in this file are to suppress unsigned-integer-overflow problems. +# Blacklists for other reasons should go in separate blacklist files. +[unsigned-integer-overflow] + +# Overflows in the C++ std headers aren't necessarily bugs, because code inside +# a language implementation can depend on compiler-specific behavior where C/C++ +# leave the behavior undefined. +src:*bits/basic_string.h + +# Assume everything running through CheckedInt.h is ok. The CheckedInt class +# casts signed integers to unsigned first and then does a post-overflow +# check causing lots of unsigned integer overflow messages. +src:*/CheckedInt.h + +# Exclude bignum +src:*/mfbt/double-conversion/source/bignum.cc + +# Exclude anything within gtests +src:*/gtest/* + +# The JS engine has a lot of code doing all sorts of overflows. This code +# is pretty well tested though and excluding it here will allow us to go +# for other, less tested code. Ideally, we would include the JS engine here +# at some point. +src:*/js/src/* +src:*/js/public/* +src:*/js/*.h +src:*/jsfriendapi.h + +# Atomics can overflow, but without a full stack we can't trace these back +# to what is actually causing the overflow. Ignoring these for now, as it will +# be too much effort to determine every single source here. +src:*/mfbt/Atomics.h + +# No reason to instrument certain parts of NSS that explicitely deal with +# arithmetics and crypto. +src:*/security/nss/lib/freebl/mpi/* +src:*/security/nss/lib/freebl/ecl/* + +# nsTArray_base<Alloc, Copy>::ShiftData performs overflows +fun:*nsTArray_base*ShiftData* + +### Frequent 0 - 1 overflows +# +# We have several code patterns in our codebase that cause these overflows, +# but they are typically all harmless and could be filtered easily at runtime. +# However, some of them are so frequent that suppressing them at compile-time +# makes sense to increase runtime performance. +# +src:*/netwerk/base/nsSocketTransportService2.cpp +src:*/nsCharTraits.h +# Code in xpcom/base/CycleCollectedJSContext.cpp +fun:*CycleCollectedJSContext*ProcessMetastableStateQueue* +# Code in layout/painting/nsDisplayList.cpp +fun:*nsDisplayOpacity*ShouldFlattenAway* +# Code in modules/libpref/Preferences.cpp +fun:*pref_InitInitialObjects* +# Code in netwerk/base/nsIOService.cpp +fun:*nsIOService*GetCachedProtocolHandler* +# Code in layout/xul/nsXULPopupManager.cpp +fun:*nsXULPopupManager*AdjustPopupsOnWindowChange* +# Code in dom/base/nsDocument.cpp +fun:*1nsDocument@@* +# Code in gfx/layers/ipc/CompositorBridgeChild.cpp +fun:*CompositorBridgeChild*Destroy* +# Code in gfx/layers/ipc/ImageBridgeChild.cpp +fun:*ImageBridgeChild*ShutdownStep1* +# Code in dom/base/nsGlobalWindow.cpp +fun:*nsGlobalWindow*ClearControllers* +# Code in layout/style/AnimationCollection.cpp +fun:*AnimationCollection*PropertyDtor* +# Code in layout/style/nsStyleSet.cpp +fun:*nsStyleSet*AddImportantRules* +fun:*nsStyleSet*CounterStyleRuleForName* + + +### Misc overflows + +# Hot function in protobuf producing overflows +fun:*CodedInputStream*ReadTagWithCutoff* + + +# SQLite3 is full of overflows :/ +src:*/third_party/sqlite3/src/sqlite3.c + +# zlib has some overflows, we can't deal with them right now +src:*/modules/zlib/src/* + +# Our LZ4 implementation uses overflows. By listing it here we might +# miss some unintended overflows in that implementation, but we can't +# check for it right now. +src:*/mfbt/lz4/* + +# Apparently this overflows a lot, because it contains some allocators +# that keep overflowing, not sure why. Disabling by function didn't seem +# to work here for operator new. +src:*/xpcom/ds/nsArrayEnumerator.cpp + +# Memory usage reporting code in gfx/thebes/gfxASurface.cpp +# We probably don't care about the frequent overflows there. +fun:*SurfaceMemoryReporter*AdjustUsedMemory* + +# Frequent overflower in gfx/thebes/gfxFontEntry.cpp +fun:*WeightDistance* + +# Another frequent overflower +fun:*nsTObserverArray_base*AdjustIterators* + +# Overflows in Skia +fun:*SkPathRef*makeSpace* +fun:*SkPathRef*resetToSize* + +# Expat Parser has some overflows +fun:*nsExpatDriver*ConsumeToken* + +# Frequent overflowers in harfbuzz +fun:*hb_in_range* +fun:*OT*collect_glyphs* + +# These look like harmless layouting-related overflows +src:*/gfx/cairo/libpixman/src/pixman-region.c + +# Code in ipc/chromium/src/base/file_path.cc where a function returns -1 +# being cast to unsigned and then overflowed. +fun:*FilePath*Append* +fun:*FilePath*StripTrailingSeparatorsInternal* + +# Code in dom/base/nsJSEnvironment.cpp +fun:*FireForgetSkippable* + +# Code in gfx/thebes/gfxSkipChars.h +fun:*gfxSkipCharsIterator*AdvanceSkipped* + +# Code in gfx/thebes/gfxScriptItemizer.cpp +fun:*gfxScriptItemizer*fixup* +fun:*gfxScriptItemizer*push* + +# Code in dom/base/nsDocument.cpp +fun:*nsDocument*BlockOnload* + +# Code in layout/base/nsCSSFrameConstructor.cpp +fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem* + +# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs +fun:*PL_ArenaRelease* + +# This file contains a bunch of arithmetic operations on timestamps that +# apparently are allowed to overflow. +src:*/src/widget/SystemTimeConverter.h + +# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics +fun:*Frame*FindNext* + +# Code in netwerk/base/nsStandardURL.cpp, +# these methods return signed but the subtraction is first performed unsigned +fun:*nsStandardURL*ReplaceSegment* + +# Code in netwerk/protocol/http/nsHttpChannel.cpp +# same as previous with the previous entry. +fun:*nsHttpChannel*ReportNetVSCacheTelemetry* + +# Code in layout/tables/nsCellMap.cpp +# again subtraction then cast to signed. +fun:*nsTableCellMap*GetColInfoAt* + +# Code in layout/generic/nsTextFrame.cpp +# again subtraction then cast to signed. +fun:*nsTextFrame*CharacterDataChanged* + +# Not sure what is going on in this file, but it doesn't look +# related to what we are looking for. +src:*/xpcom/base/CountingAllocatorBase.h + +# Code in dom/base/nsDOMNavigationTiming.cpp +# Timestamp related, probably expecting the overflow +fun:*nsDOMNavigationTiming*TimeStampToDOM* + +# Several unsigned arithmetic operations with -1 +src:*/hal/HalWakeLock.cpp + +# Code in layout/generic/nsGfxScrollFrame.cpp that produces +# somewhat frequent signed integer overflows. Probably harmless +# because it's layout code. +fun:*ClampAndAlignWithPixels* + +# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp +fun:*ClockResolutionNs* + +# This header has all sorts of operators that do post-operation +# overflow and underflow checking, triggering frequent reports +src:*/mozglue/misc/TimeStamp.h + +# +# Various hashing functions, both regular and cryptographic ones +# +src:*/dom/canvas/MurmurHash3.cpp +src:*/gfx/skia/skia/include/private/SkChecksum.h +src:*/intl/icu/source/common/unifiedcache.h +src:*/mfbt/SHA1.cpp +src:*/modules/zlib/src/adler32.c +src:*/netwerk/cache2/CacheHashUtils.cpp +src:*/netwerk/sctp/src/netinet/sctp_sha1.c +src:*/netwerk/srtp/src/crypto/hash/sha1.c +src:*/netwerk/sctp/src/netinet/sctp_sha1.c +src:*/nsprpub/lib/ds/plhash.c +src:*/security/manager/ssl/md4.c +src:*/security/nss/lib/dbm/src/h_func.c +src:*/security/nss/lib/freebl/sha512.c +src:*/security/nss/lib/freebl/md5.c +src:*/xpcom/ds/PLDHashTable.cpp + +# Hash/Cache function in Skia +fun:*GradientShaderCache*Build32bitCache* + +# Hashing functions in Cairo +fun:*_hash_matrix_fnv* +fun:*_hash_mix_bits* +fun:*_cairo_hash_string* +fun:*_cairo_hash_bytes* + +# intl code hashing functions +fun:*ustr_hash*CharsN* +fun:*hashEntry* + +# harfbuzz hash/digest functions +fun:*hb_set_digest_lowest_bits_t* + +# Hash function in gfx +fun:*gfxFontStyle*Hash* + +# expat uses a CHAR_HASH macro in several places that causes +# a high amount of overflows. We should try finding a better +# way to disable this rather than blacklisting the whole thing. +src:*/parser/expat/* |