ubsan_signed_overflow_blacklist.txt (9005B)
# This file contains an extensive compile-time blacklist for silencing highly
# frequent signed integer overflows in our codebase, found by the use of
# -fsanitize=signed-integer-overflow. C/C++ say signed integer overflow is
# undefined behavior, so instances of this need to be fixed. But not all code
# has been properly written to not overflow, and overflow-checking can have
# significant compile time and runtime costs, so we will sometimes disable
# signed overflow checking.
#
# The rules in this file are applied at compile time; changes to this list
# usually require a full rebuild to apply. If you can modify the source in
# question to exempt specific functions using MOZ_NO_SANITIZE_SIGNED_OVERFLOW,
# do that instead.
#
# The extensive number of entries below is for two reasons.
#
# First, compiler instrumentation for signed integer overflows has a cost, at
# compile time and at runtime. In performance-critical code proven to have no
# signed overflow, it makes sense to turn off overflow detection to avoid both
# costs. (Indeed, -fsanitize=signed-integer-overflow is unusably slow without
# this.)
#
# Second, many entries here are overly aggressive to get the build into a state
# that allows any testing to happen at all. Some of the entries here are for
# issues that are highly frequent in our test suites -- over 500 times per run.
# Aggressive entries now let us start using this mode, without having to first
# fix wide swaths of existing code.
#
# Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
# can be moved out of this centralized file, into source-level blacklist
# attributes on individual functions.

# All entries in this file are to suppress signed-integer-overflow problems.
# Blacklists for other reasons should go in separate blacklist files.
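# Added worked example, not code from the Mozilla tree: the three ways to deal
# with a report from -fsanitize=signed-integer-overflow, in the order the
# comments above prefer them. Rewrite the arithmetic so it is defined, make it
# checked the way CheckedInt.h does, or, as a last resort, exempt the function
# with MOZ_NO_SANITIZE_SIGNED_OVERFLOW instead of adding an entry here. The
# macro NO_SANITIZE_SIGNED_OVERFLOW below is an assumed stand-in for
# MOZ_NO_SANITIZE_SIGNED_OVERFLOW (whose real definition is in
# mfbt/Attributes.h and is not reproduced here), and the hash functions are
# toy multiplicative hashes modelled on the kind this file exempts, not any
# real Mozilla function.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed expansion of MOZ_NO_SANITIZE_SIGNED_OVERFLOW: clang and GCC >= 8
// accept the string form of no_sanitize; other compilers get no attribute.
#if defined(__clang__) || defined(__GNUC__)
#define NO_SANITIZE_SIGNED_OVERFLOW __attribute__((no_sanitize("signed-integer-overflow")))
#else
#define NO_SANITIZE_SIGNED_OVERFLOW
#endif

// Option 3, what an entry in this blacklist does for a whole file and what the
// attribute does for one function: leave the code alone and only silence the
// report. h * 31 + c overflows int after about six characters. The attribute
// stops the sanitizer from reporting that, but the overflow is still undefined
// behaviour, so the optimizer may still assume it never happens. Only ever
// call this with short input.
NO_SANITIZE_SIGNED_OVERFLOW
int32_t legacy_hash(const char* s) {
  int32_t h = 0;
  for (; *s; ++s) {
    h = h * 31 + static_cast<unsigned char>(*s);
  }
  return h;
}

// Option 2, the CheckedInt.h approach: detect the overflow instead of
// committing it. The __builtin_*_overflow intrinsics never execute undefined
// behaviour: they store the wrapped result and return true when it did not fit.
bool checked_hash(const char* s, int32_t* out) {
  int32_t h = 0;
  for (; *s; ++s) {
    int32_t scaled;
    if (__builtin_mul_overflow(h, 31, &scaled)) return false;
    if (__builtin_add_overflow(scaled, static_cast<unsigned char>(*s), &h)) return false;
  }
  *out = h;
  return true;
}

// Wrapper so the overflow case has a single return value: the hash on
// success, `fallback` if any step overflowed.
int64_t checked_hash_or(const char* s, int64_t fallback) {
  int32_t h;
  return checked_hash(s, &h) ? h : fallback;
}

// Option 1, the right fix for hash functions like the ones listed in this
// file: say that wraparound is wanted by doing the arithmetic in unsigned,
// which is defined to wrap modulo 2^32. Nothing for the sanitizer to report,
// and the compiler can no longer mis-optimize on the assumption that the
// overflow cannot happen.
uint32_t wrapping_hash(const char* s) {
  uint32_t h = 0;
  for (; *s; ++s) {
    h = h * 31u + static_cast<unsigned char>(*s);
  }
  return h;
}

int main() {
  // Constructed inputs: "abc" fits in an int on every path; "hello world"
  // overflows on the sixth character, so only the checked and wrapping
  // versions are called with it.
  std::printf("legacy   abc         = %d\n", legacy_hash("abc"));
  std::printf("checked  abc         = %lld\n",
              static_cast<long long>(checked_hash_or("abc", -1)));
  std::printf("checked  hello world = %lld (-1 means overflow detected)\n",
              static_cast<long long>(checked_hash_or("hello world", -1)));
  std::printf("wrapping hello world = %lu\n",
              static_cast<unsigned long>(wrapping_hash("hello world")));
  return 0;
}
```

# Build it with clang++ -fsanitize=signed-integer-overflow to see which path
# the sanitizer still reports on long input (only legacy_hash, and only once
# the attribute is removed); a src:/fun: entry in this file passed through
# -fsanitize-blacklist= has the same effect as the attribute, with the
# drawbacks the comments above describe.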
[signed-integer-overflow]

# Overflows in the C++ std headers aren't necessarily bugs, because code inside
# a language implementation can depend on compiler-specific behavior where C/C++
# leave the behavior undefined.
src:*bits/basic_string.h

# Assume everything running through CheckedInt.h is ok. Signed overflows here
# should generally have been guarded by safe overflow checks, so it's likely
# safe to exempt it from overflow checking. (This should eventually be verified
# and functions individually tagged safe so this entry can be removed.)
src:*/CheckedInt.h

# Exclude bignum
src:*/mfbt/double-conversion/source/bignum.cc

# Exclude anything within gtests
src:*/gtest/*

# Atomics can overflow, but without a full stack we can't trace these back
# to what is actually causing the overflow. Ignoring these for now, as it will
# be too much effort to determine every single source here.
src:*/mfbt/Atomics.h

# No reason to instrument certain parts of NSS that explicitly deal with
# arithmetic and crypto.
src:*/security/nss/lib/freebl/mpi/*
src:*/security/nss/lib/freebl/ecl/*

# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
fun:*nsTArray_base*ShiftData*

### Frequent 0 - 1 overflows
#
# We have several code patterns in our codebase that cause these overflows,
# but they are typically all harmless and could be filtered easily at runtime.
# However, some of them are so frequent that suppressing them at compile-time
# makes sense to increase runtime performance.
#
src:*/netwerk/base/nsSocketTransportService2.cpp
src:*/nsCharTraits.h
# Code in xpcom/base/CycleCollectedJSContext.cpp
fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
# Code in layout/painting/nsDisplayList.cpp
fun:*nsDisplayOpacity*ShouldFlattenAway*
# Code in modules/libpref/Preferences.cpp
fun:*pref_InitInitialObjects*
# Code in netwerk/base/nsIOService.cpp
fun:*nsIOService*GetCachedProtocolHandler*
# Code in layout/xul/nsXULPopupManager.cpp
fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
# Code in dom/base/nsDocument.cpp
fun:*1nsDocument@@*
# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
fun:*CompositorBridgeChild*Destroy*
# Code in gfx/layers/ipc/ImageBridgeChild.cpp
fun:*ImageBridgeChild*ShutdownStep1*
# Code in dom/base/nsGlobalWindow.cpp
fun:*nsGlobalWindow*ClearControllers*
# Code in layout/style/AnimationCollection.cpp
fun:*AnimationCollection*PropertyDtor*
# Code in layout/style/nsStyleSet.cpp
fun:*nsStyleSet*AddImportantRules*
fun:*nsStyleSet*CounterStyleRuleForName*


### Misc overflows

# Hot function in protobuf producing overflows
fun:*CodedInputStream*ReadTagWithCutoff*


# SQLite3 is full of overflows :/
src:*/third_party/sqlite3/src/sqlite3.c

# zlib has some overflows, we can't deal with them right now
src:*/modules/zlib/src/*

# Our LZ4 implementation uses overflows. By listing it here we might
# miss some unintended overflows in that implementation, but we can't
# check for it right now.
src:*/mozglue/static/lz4/lz4.c

# Apparently this overflows a lot, because it contains some allocators
# that keep overflowing, not sure why. Disabling by function didn't seem
# to work here for operator new.
src:*/xpcom/ds/nsArrayEnumerator.cpp

# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
# We probably don't care about the frequent overflows there.
fun:*SurfaceMemoryReporter*AdjustUsedMemory*

# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
fun:*WeightDistance*

# Another frequent overflower
fun:*nsTObserverArray_base*AdjustIterators*

# Overflows in Skia
fun:*SkPathRef*makeSpace*
fun:*SkPathRef*resetToSize*

# Expat Parser has some overflows
fun:*nsExpatDriver*ConsumeToken*

# Frequent overflowers in harfbuzz
fun:*hb_in_range*
fun:*OT*collect_glyphs*

# These look like harmless layout-related overflows
src:*/gfx/cairo/libpixman/src/pixman-region.c

# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
# being cast to unsigned and then overflowed.
fun:*FilePath*Append*
fun:*FilePath*StripTrailingSeparatorsInternal*

# Code in dom/base/nsJSEnvironment.cpp
fun:*FireForgetSkippable*

# Code in gfx/thebes/gfxSkipChars.h
fun:*gfxSkipCharsIterator*AdvanceSkipped*

# Code in gfx/thebes/gfxScriptItemizer.cpp
fun:*gfxScriptItemizer*fixup*
fun:*gfxScriptItemizer*push*

# Code in dom/base/nsDocument.cpp
fun:*nsDocument*BlockOnload*

# Code in layout/base/nsCSSFrameConstructor.cpp
fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*

# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
fun:*PL_ArenaRelease*

# This file contains a bunch of arithmetic operations on timestamps that
# apparently are allowed to overflow.
src:*/src/widget/SystemTimeConverter.h

# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetic
fun:*Frame*FindNext*

# Code in netwerk/base/nsStandardURL.cpp,
# these methods return signed but the subtraction is first performed unsigned
fun:*nsStandardURL*ReplaceSegment*

# Code in layout/tables/nsCellMap.cpp
# again subtraction then cast to signed.
fun:*nsTableCellMap*GetColInfoAt*

# Code in layout/generic/nsTextFrame.cpp
# again subtraction then cast to signed.
fun:*nsTextFrame*CharacterDataChanged*

# Not sure what is going on in this file, but it doesn't look
# related to what we are looking for.
src:*/xpcom/base/CountingAllocatorBase.h

# Code in dom/base/nsDOMNavigationTiming.cpp
# Timestamp related, probably expecting the overflow
fun:*nsDOMNavigationTiming*TimeStampToDOM*

# Several unsigned arithmetic operations with -1
src:*/hal/HalWakeLock.cpp

# Code in layout/generic/ScrollContainerFrame.cpp that produces
# somewhat frequent signed integer overflows. Probably harmless
# because it's layout code.
fun:*ClampAndAlignWithPixels*

# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
fun:*ClockResolutionNs*

# This header has all sorts of operators that do post-operation
# overflow and underflow checking, triggering frequent reports
src:*/mozglue/misc/TimeStamp.h

#
# Various hashing functions, both regular and cryptographic ones
#
src:*/dom/canvas/MurmurHash3.cpp
src:*/gfx/skia/skia/include/private/SkChecksum.h
src:*/intl/icu/source/common/unifiedcache.h
src:*/mfbt/SHA1.cpp
src:*/modules/zlib/src/adler32.c
src:*/netwerk/cache2/CacheHashUtils.cpp
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
src:*/netwerk/srtp/src/crypto/hash/sha1.c
src:*/nsprpub/lib/ds/plhash.c
src:*/security/manager/ssl/md4.c
src:*/security/nss/lib/dbm/src/h_func.c
src:*/security/nss/lib/freebl/sha512.c
src:*/security/nss/lib/freebl/md5.c
src:*/xpcom/ds/PLDHashTable.cpp

# Hash/Cache function in Skia
fun:*GradientShaderCache*Build32bitCache*

# Hashing functions in Cairo
fun:*_hash_matrix_fnv*
fun:*_hash_mix_bits*
fun:*_cairo_hash_string*
fun:*_cairo_hash_bytes*

# intl code hashing functions
fun:*ustr_hash*CharsN*
fun:*hashEntry*

# harfbuzz hash/digest functions
fun:*hb_set_digest_lowest_bits_t*

# Hash function in gfx
fun:*gfxFontStyle*Hash*

# expat uses a CHAR_HASH macro in several places that causes
# a high amount of overflows. We should try finding a better
# way to disable this rather than blacklisting the whole thing.
src:*/parser/expat/*