ubsan_unsigned_overflow_blacklist.txt (9236B)
# This file contains an extensive compile-time blacklist for silencing highly
# frequent *un*signed integer overflows in our codebase, found by the use of
# -fsanitize=unsigned-integer-overflow. Such overflows are not necessarily
# bugs -- unsigned integer overflow has well-defined semantics in C/C++. But
# overflow may still be *unexpected* and incorrectly handled, so we try to
# annotate those places where unsigned overflow is correct and desired.
#
# The rules in this file are applied at compile time; changes to this list
# usually require a full rebuild to apply. If you can modify the source in
# question to exempt specific functions using MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW,
# do that instead.
#
# The extensive number of entries below is for two reasons.
#
# First, compiler instrumentation for unsigned integer overflows has a cost, at
# compile time and at runtime. In places where code expects and depends upon
# overflow behavior -- and especially in performance-critical code -- it makes
# sense to turn off overflow detection to avoid both costs. (Indeed,
# -fsanitize=signed-integer-overflow is unusably slow without this.)
#
# Second, many entries here are overly aggressive to get the build into a state
# that allows any testing to happen at all. Some of the entries here are for
# issues that are highly frequent in our test suites -- over 500 times per run.
# Aggressive entries now let us start using this mode, without having to first
# fix wide swaths of existing code.
#
# Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
# can be moved out of this centralized file, into source-level blacklist
# attributes on individual functions.

# All entries in this file are to suppress unsigned-integer-overflow problems.
# Blacklists for other reasons should go in separate blacklist files.
[unsigned-integer-overflow]

# Overflows in the C++ std headers aren't necessarily bugs, because code inside
# a language implementation can depend on compiler-specific behavior where C/C++
# leave the behavior undefined.
src:*bits/basic_string.h

# Assume everything running through CheckedInt.h is ok. The CheckedInt class
# casts signed integers to unsigned first and then does a post-overflow
# check, causing lots of unsigned integer overflow messages.
src:*/CheckedInt.h

# Exclude bignum
src:*/mfbt/double-conversion/source/bignum.cc

# Exclude anything within gtests
src:*/gtest/*

# The JS engine has a lot of code doing all sorts of overflows. This code
# is pretty well tested though, and excluding it here will allow us to go
# for other, less tested code. Ideally, we would include the JS engine here
# at some point.
src:*/js/src/*
src:*/js/public/*
src:*/js/*.h
src:*/jsfriendapi.h

# Atomics can overflow, but without a full stack we can't trace these back
# to what is actually causing the overflow. Ignoring these for now, as it will
# be too much effort to determine every single source here.
src:*/mfbt/Atomics.h

# No reason to instrument certain parts of NSS that explicitly deal with
# arithmetic and crypto.
src:*/security/nss/lib/freebl/mpi/*
src:*/security/nss/lib/freebl/ecl/*

# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
fun:*nsTArray_base*ShiftData*

### Frequent 0 - 1 overflows
#
# We have several code patterns in our codebase that cause these overflows,
# but they are typically all harmless and could be filtered easily at runtime.
# However, some of them are so frequent that suppressing them at compile-time
# makes sense to increase runtime performance.
#
src:*/netwerk/base/nsSocketTransportService2.cpp
src:*/nsCharTraits.h
# Code in xpcom/base/CycleCollectedJSContext.cpp
fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
# Code in layout/painting/nsDisplayList.cpp
fun:*nsDisplayOpacity*ShouldFlattenAway*
# Code in modules/libpref/Preferences.cpp
fun:*pref_InitInitialObjects*
# Code in netwerk/base/nsIOService.cpp
fun:*nsIOService*GetCachedProtocolHandler*
# Code in layout/xul/nsXULPopupManager.cpp
fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
# Code in dom/base/nsDocument.cpp
fun:*1nsDocument@@*
# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
fun:*CompositorBridgeChild*Destroy*
# Code in gfx/layers/ipc/ImageBridgeChild.cpp
fun:*ImageBridgeChild*ShutdownStep1*
# Code in dom/base/nsGlobalWindow.cpp
fun:*nsGlobalWindow*ClearControllers*
# Code in layout/style/AnimationCollection.cpp
fun:*AnimationCollection*PropertyDtor*
# Code in layout/style/nsStyleSet.cpp
fun:*nsStyleSet*AddImportantRules*
fun:*nsStyleSet*CounterStyleRuleForName*


### Misc overflows

# Hot function in protobuf producing overflows
fun:*CodedInputStream*ReadTagWithCutoff*


# SQLite3 is full of overflows :/
src:*/third_party/sqlite3/src/sqlite3.c

# zlib has some overflows, we can't deal with them right now
src:*/modules/zlib/src/*

# Our LZ4 implementation uses overflows. By listing it here we might
# miss some unintended overflows in that implementation, but we can't
# check for it right now.
src:*/mozglue/static/lz4/*

# Apparently this overflows a lot, because it contains some allocators
# that keep overflowing, not sure why. Disabling by function didn't seem
# to work here for operator new.
src:*/xpcom/ds/nsArrayEnumerator.cpp

# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
# We probably don't care about the frequent overflows there.
fun:*SurfaceMemoryReporter*AdjustUsedMemory*

# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
fun:*WeightDistance*

# Another frequent overflower
fun:*nsTObserverArray_base*AdjustIterators*

# Overflows in Skia
fun:*SkPathRef*makeSpace*
fun:*SkPathRef*resetToSize*

# Expat Parser has some overflows
fun:*nsExpatDriver*ConsumeToken*

# Frequent overflowers in harfbuzz
fun:*hb_in_range*
fun:*OT*collect_glyphs*

# These look like harmless layout-related overflows
src:*/gfx/cairo/libpixman/src/pixman-region.c

# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
# which is cast to unsigned and then overflowed.
fun:*FilePath*Append*
fun:*FilePath*StripTrailingSeparatorsInternal*

# Code in dom/base/nsJSEnvironment.cpp
fun:*FireForgetSkippable*

# Code in gfx/thebes/gfxSkipChars.h
fun:*gfxSkipCharsIterator*AdvanceSkipped*

# Code in gfx/thebes/gfxScriptItemizer.cpp
fun:*gfxScriptItemizer*fixup*
fun:*gfxScriptItemizer*push*

# Code in dom/base/nsDocument.cpp
fun:*nsDocument*BlockOnload*

# Code in layout/base/nsCSSFrameConstructor.cpp
fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*

# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
fun:*PL_ArenaRelease*

# This file contains a bunch of arithmetic operations on timestamps that
# apparently are allowed to overflow.
src:*/src/widget/SystemTimeConverter.h

# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetic
fun:*Frame*FindNext*

# Code in netwerk/base/nsStandardURL.cpp,
# these methods return signed but the subtraction is first performed unsigned
fun:*nsStandardURL*ReplaceSegment*

# Code in layout/tables/nsCellMap.cpp
# again subtraction then cast to signed.
fun:*nsTableCellMap*GetColInfoAt*

# Code in layout/generic/nsTextFrame.cpp
# again subtraction then cast to signed.
fun:*nsTextFrame*CharacterDataChanged*

# Not sure what is going on in this file, but it doesn't look
# related to what we are looking for.
src:*/xpcom/base/CountingAllocatorBase.h

# Code in dom/base/nsDOMNavigationTiming.cpp
# Timestamp related, probably expecting the overflow
fun:*nsDOMNavigationTiming*TimeStampToDOM*

# Several unsigned arithmetic operations with -1
src:*/hal/HalWakeLock.cpp

# Code in layout/generic/ScrollContainerFrame.cpp that produces
# somewhat frequent signed integer overflows. Probably harmless
# because it's layout code.
fun:*ClampAndAlignWithPixels*

# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
fun:*ClockResolutionNs*

# This header has all sorts of operators that do post-operation
# overflow and underflow checking, triggering frequent reports
src:*/mozglue/misc/TimeStamp.h

#
# Various hashing functions, both regular and cryptographic ones
#
src:*/dom/canvas/MurmurHash3.cpp
src:*/gfx/skia/skia/include/private/SkChecksum.h
src:*/intl/icu/source/common/unifiedcache.h
src:*/mfbt/SHA1.cpp
src:*/modules/zlib/src/adler32.c
src:*/netwerk/cache2/CacheHashUtils.cpp
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
src:*/netwerk/srtp/src/crypto/hash/sha1.c
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
src:*/nsprpub/lib/ds/plhash.c
src:*/security/manager/ssl/md4.c
src:*/security/nss/lib/dbm/src/h_func.c
src:*/security/nss/lib/freebl/sha512.c
src:*/security/nss/lib/freebl/md5.c
src:*/xpcom/ds/PLDHashTable.cpp

# Hash/Cache function in Skia
fun:*GradientShaderCache*Build32bitCache*

# Hashing functions in Cairo
fun:*_hash_matrix_fnv*
fun:*_hash_mix_bits*
fun:*_cairo_hash_string*
fun:*_cairo_hash_bytes*

# intl code hashing functions
fun:*ustr_hash*CharsN*
fun:*hashEntry*

# harfbuzz hash/digest functions
fun:*hb_set_digest_lowest_bits_t*

# Hash function in gfx
fun:*gfxFontStyle*Hash*

# expat uses a CHAR_HASH macro in several places that causes
# a high amount of overflows. We should try finding a better
# way to disable this rather than blacklisting the whole thing.
src:*/parser/expat/*
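The three overflow patterns the comments in this file describe (the frequent "0 - 1" wrap, the "-1 cast to unsigned then overflowed" case from file_path.cc, and the post-overflow check from CheckedInt.h), together with the per-function exemption the header recommends over a central src:/fun: entry. This is an added illustration, not code from the Mozilla tree; NO_SANITIZE_UNSIGNED_OVERFLOW is a stand-in for MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW and assumes clang's attribute spelling.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Mozilla's MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW expands under clang to this
 * attribute (assumption: other compilers don't know the sanitizer name). */
#if defined(__clang__)
#define NO_SANITIZE_UNSIGNED_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
#else
#define NO_SANITIZE_UNSIGNED_OVERFLOW
#endif

/* The "0 - 1" pattern: on the last loop test i is 0 and the post-decrement
 * wraps it to SIZE_MAX. Harmless, since i is not used afterwards, but ubsan
 * reports it on every call; the attribute exempts just this function. */
NO_SANITIZE_UNSIGNED_OVERFLOW
static size_t last_separator(const char *path, size_t len)
{
    size_t i = len;
    while (i-- > 0)
        if (path[i] == '/') return i;
    return SIZE_MAX; /* not found */
}

/* The file_path.cc pattern: a signed -1 ("not found") is cast to unsigned
 * and then added to. (size_t)-1 + 1 wraps to 0, which is the intended
 * "component starts at the beginning" result. */
NO_SANITIZE_UNSIGNED_OVERFLOW
static size_t component_start(const char *path)
{
    const char *p = strrchr(path, '/');
    int sep = p ? (int)(p - path) : -1;
    return (size_t)sep + 1;
}

/* The CheckedInt.h pattern: a post-overflow check performs the wrapping add
 * and inspects it afterwards, so every overflow is reported although handled.
 * A pre-check never executes the wrapping add and needs no exemption. */
static int add_checked_post(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b; /* wraps on overflow; ubsan reports this */
    if (sum < a) return 0;
    if (out) *out = sum;
    return 1;
}

static int add_checked_pre(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a) return 0; /* no wrapping arithmetic executed */
    if (out) *out = a + b;
    return 1;
}
```

Built with clang and -fsanitize=unsigned-integer-overflow, only add_checked_post still produces a report; the other two sites are silenced by the attribute rather than by a blacklist entry.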