mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-11 16:32:59 +00:00
04b3dd73c0
Depends on D219450 Differential Revision: https://phabricator.services.mozilla.com/D219451
261 lines
9.0 KiB
Plaintext
261 lines
9.0 KiB
Plaintext
# This file contains an extensive compile-time blacklist for silencing highly
|
|
# frequent *un*signed integer overflows in our codebase, found by the use of
|
|
# -fsanitize=unsigned-integer-overflow. Such overflows are not necessarily
|
|
# bugs -- unsigned integer overflow has well-defined semantics in C/C++. But
|
|
# overflow may still be *unexpected* and incorrectly handled, so we try to
|
|
# annotate those places where unsigned overflow is correct and desired.
|
|
#
|
|
# The rules in this file are applied at compile time; changes to this list
|
|
# usually require a full rebuild to apply. If you can modify the source in
|
|
# question to exempt specific functions using MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW,
|
|
# do that instead.
|
|
#
|
|
# The extensive number of entries below is for two reasons.
|
|
#
|
|
# First, compiler instrumentation for unsigned integer overflows has a cost, at
|
|
# compile time and at runtime. In places where code expects and depends upon
|
|
# overflow behavior -- and especially in performance-critical code -- it makes
|
|
# sense to turn off overflow detection to avoid both costs. (Indeed,
|
|
# -fsanitize=signed-integer-overflow is unusably slow without this.)
|
|
#
|
|
# Second, many entries here are overly aggressive to get the build into a state
|
|
# that allows any testing to happen at all. Some of the entries here are for
|
|
# issues that are highly frequent in our test suites -- over 500 times per run.
|
|
# Aggressive entries now let us start using this mode, without having to first
|
|
# fix wide swaths of existing code.
|
|
#
|
|
# Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
|
|
# can be moved out of this centralized file, into source-level blacklist
|
|
# attributes on individual functions.
|
|
|
|
# All entries in this file are to suppress unsigned-integer-overflow problems.
|
|
# Blacklists for other reasons should go in separate blacklist files.
|
|
[unsigned-integer-overflow]
|
|
|
|
# Overflows in the C++ std headers aren't necessarily bugs, because code inside
|
|
# a language implementation can depend on compiler-specific behavior where C/C++
|
|
# leave the behavior undefined.
|
|
src:*bits/basic_string.h
|
|
|
|
# Assume everything running through CheckedInt.h is ok. The CheckedInt class
|
|
# casts signed integers to unsigned first and then does a post-overflow
|
|
# check causing lots of unsigned integer overflow messages.
|
|
src:*/CheckedInt.h
|
|
|
|
# Exclude bignum
|
|
src:*/mfbt/double-conversion/source/bignum.cc
|
|
|
|
# Exclude anything within gtests
|
|
src:*/gtest/*
|
|
|
|
# The JS engine has a lot of code doing all sorts of overflows. This code
|
|
# is pretty well tested though and excluding it here will allow us to go
|
|
# for other, less tested code. Ideally, we would include the JS engine here
|
|
# at some point.
|
|
src:*/js/src/*
|
|
src:*/js/public/*
|
|
src:*/js/*.h
|
|
src:*/jsfriendapi.h
|
|
|
|
# Atomics can overflow, but without a full stack we can't trace these back
|
|
# to what is actually causing the overflow. Ignoring these for now, as it will
|
|
# be too much effort to determine every single source here.
|
|
src:*/mfbt/Atomics.h
|
|
|
|
# No reason to instrument certain parts of NSS that explicitely deal with
|
|
# arithmetics and crypto.
|
|
src:*/security/nss/lib/freebl/mpi/*
|
|
src:*/security/nss/lib/freebl/ecl/*
|
|
|
|
# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
|
|
fun:*nsTArray_base*ShiftData*
|
|
|
|
### Frequent 0 - 1 overflows
|
|
#
|
|
# We have several code patterns in our codebase that cause these overflows,
|
|
# but they are typically all harmless and could be filtered easily at runtime.
|
|
# However, some of them are so frequent that suppressing them at compile-time
|
|
# makes sense to increase runtime performance.
|
|
#
|
|
src:*/netwerk/base/nsSocketTransportService2.cpp
|
|
src:*/nsCharTraits.h
|
|
# Code in xpcom/base/CycleCollectedJSContext.cpp
|
|
fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
|
|
# Code in layout/painting/nsDisplayList.cpp
|
|
fun:*nsDisplayOpacity*ShouldFlattenAway*
|
|
# Code in modules/libpref/Preferences.cpp
|
|
fun:*pref_InitInitialObjects*
|
|
# Code in netwerk/base/nsIOService.cpp
|
|
fun:*nsIOService*GetCachedProtocolHandler*
|
|
# Code in layout/xul/nsXULPopupManager.cpp
|
|
fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
|
|
# Code in dom/base/nsDocument.cpp
|
|
fun:*1nsDocument@@*
|
|
# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
|
|
fun:*CompositorBridgeChild*Destroy*
|
|
# Code in gfx/layers/ipc/ImageBridgeChild.cpp
|
|
fun:*ImageBridgeChild*ShutdownStep1*
|
|
# Code in dom/base/nsGlobalWindow.cpp
|
|
fun:*nsGlobalWindow*ClearControllers*
|
|
# Code in layout/style/AnimationCollection.cpp
|
|
fun:*AnimationCollection*PropertyDtor*
|
|
# Code in layout/style/nsStyleSet.cpp
|
|
fun:*nsStyleSet*AddImportantRules*
|
|
fun:*nsStyleSet*CounterStyleRuleForName*
|
|
|
|
|
|
### Misc overflows
|
|
|
|
# Hot function in protobuf producing overflows
|
|
fun:*CodedInputStream*ReadTagWithCutoff*
|
|
|
|
|
|
# SQLite3 is full of overflows :/
|
|
src:*/third_party/sqlite3/src/sqlite3.c
|
|
|
|
# zlib has some overflows, we can't deal with them right now
|
|
src:*/modules/zlib/src/*
|
|
|
|
# Our LZ4 implementation uses overflows. By listing it here we might
|
|
# miss some unintended overflows in that implementation, but we can't
|
|
# check for it right now.
|
|
src:*/mfbt/lz4/*
|
|
|
|
# Apparently this overflows a lot, because it contains some allocators
|
|
# that keep overflowing, not sure why. Disabling by function didn't seem
|
|
# to work here for operator new.
|
|
src:*/xpcom/ds/nsArrayEnumerator.cpp
|
|
|
|
# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
|
|
# We probably don't care about the frequent overflows there.
|
|
fun:*SurfaceMemoryReporter*AdjustUsedMemory*
|
|
|
|
# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
|
|
fun:*WeightDistance*
|
|
|
|
# Another frequent overflower
|
|
fun:*nsTObserverArray_base*AdjustIterators*
|
|
|
|
# Overflows in Skia
|
|
fun:*SkPathRef*makeSpace*
|
|
fun:*SkPathRef*resetToSize*
|
|
|
|
# Expat Parser has some overflows
|
|
fun:*nsExpatDriver*ConsumeToken*
|
|
|
|
# Frequent overflowers in harfbuzz
|
|
fun:*hb_in_range*
|
|
fun:*OT*collect_glyphs*
|
|
|
|
# These look like harmless layouting-related overflows
|
|
src:*/gfx/cairo/libpixman/src/pixman-region.c
|
|
|
|
# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
|
|
# being cast to unsigned and then overflowed.
|
|
fun:*FilePath*Append*
|
|
fun:*FilePath*StripTrailingSeparatorsInternal*
|
|
|
|
# Code in dom/base/nsJSEnvironment.cpp
|
|
fun:*FireForgetSkippable*
|
|
|
|
# Code in gfx/thebes/gfxSkipChars.h
|
|
fun:*gfxSkipCharsIterator*AdvanceSkipped*
|
|
|
|
# Code in gfx/thebes/gfxScriptItemizer.cpp
|
|
fun:*gfxScriptItemizer*fixup*
|
|
fun:*gfxScriptItemizer*push*
|
|
|
|
# Code in dom/base/nsDocument.cpp
|
|
fun:*nsDocument*BlockOnload*
|
|
|
|
# Code in layout/base/nsCSSFrameConstructor.cpp
|
|
fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*
|
|
|
|
# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
|
|
fun:*PL_ArenaRelease*
|
|
|
|
# This file contains a bunch of arithmetic operations on timestamps that
|
|
# apparently are allowed to overflow.
|
|
src:*/src/widget/SystemTimeConverter.h
|
|
|
|
# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
|
|
fun:*Frame*FindNext*
|
|
|
|
# Code in netwerk/base/nsStandardURL.cpp,
|
|
# these methods return signed but the subtraction is first performed unsigned
|
|
fun:*nsStandardURL*ReplaceSegment*
|
|
|
|
# Code in layout/tables/nsCellMap.cpp
|
|
# again subtraction then cast to signed.
|
|
fun:*nsTableCellMap*GetColInfoAt*
|
|
|
|
# Code in layout/generic/nsTextFrame.cpp
|
|
# again subtraction then cast to signed.
|
|
fun:*nsTextFrame*CharacterDataChanged*
|
|
|
|
# Not sure what is going on in this file, but it doesn't look
|
|
# related to what we are looking for.
|
|
src:*/xpcom/base/CountingAllocatorBase.h
|
|
|
|
# Code in dom/base/nsDOMNavigationTiming.cpp
|
|
# Timestamp related, probably expecting the overflow
|
|
fun:*nsDOMNavigationTiming*TimeStampToDOM*
|
|
|
|
# Several unsigned arithmetic operations with -1
|
|
src:*/hal/HalWakeLock.cpp
|
|
|
|
# Code in layout/generic/ScrollContainerFrame.cpp that produces
|
|
# somewhat frequent signed integer overflows. Probably harmless
|
|
# because it's layout code.
|
|
fun:*ClampAndAlignWithPixels*
|
|
|
|
# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
|
|
fun:*ClockResolutionNs*
|
|
|
|
# This header has all sorts of operators that do post-operation
|
|
# overflow and underflow checking, triggering frequent reports
|
|
src:*/mozglue/misc/TimeStamp.h
|
|
|
|
#
|
|
# Various hashing functions, both regular and cryptographic ones
|
|
#
|
|
src:*/dom/canvas/MurmurHash3.cpp
|
|
src:*/gfx/skia/skia/include/private/SkChecksum.h
|
|
src:*/intl/icu/source/common/unifiedcache.h
|
|
src:*/mfbt/SHA1.cpp
|
|
src:*/modules/zlib/src/adler32.c
|
|
src:*/netwerk/cache2/CacheHashUtils.cpp
|
|
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
|
|
src:*/netwerk/srtp/src/crypto/hash/sha1.c
|
|
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
|
|
src:*/nsprpub/lib/ds/plhash.c
|
|
src:*/security/manager/ssl/md4.c
|
|
src:*/security/nss/lib/dbm/src/h_func.c
|
|
src:*/security/nss/lib/freebl/sha512.c
|
|
src:*/security/nss/lib/freebl/md5.c
|
|
src:*/xpcom/ds/PLDHashTable.cpp
|
|
|
|
# Hash/Cache function in Skia
|
|
fun:*GradientShaderCache*Build32bitCache*
|
|
|
|
# Hashing functions in Cairo
|
|
fun:*_hash_matrix_fnv*
|
|
fun:*_hash_mix_bits*
|
|
fun:*_cairo_hash_string*
|
|
fun:*_cairo_hash_bytes*
|
|
|
|
# intl code hashing functions
|
|
fun:*ustr_hash*CharsN*
|
|
fun:*hashEntry*
|
|
|
|
# harfbuzz hash/digest functions
|
|
fun:*hb_set_digest_lowest_bits_t*
|
|
|
|
# Hash function in gfx
|
|
fun:*gfxFontStyle*Hash*
|
|
|
|
# expat uses a CHAR_HASH macro in several places that causes
|
|
# a high amount of overflows. We should try finding a better
|
|
# way to disable this rather than blacklisting the whole thing.
|
|
src:*/parser/expat/*
|