| blob | 694eaa4737ecae1efce1b37e198e71c105c08770 |
1 # This file contains an extensive compile-time blacklist for silencing highly
2 # frequent signed integer overflows in our codebase, found by the use of
3 # -fsanitize=signed-integer-overflow. C/C++ say signed integer overflow is
4 # undefined behavior, so instances of this need to be fixed. But not all code
5 # has been properly written to not overflow, and overflow-checking can have
6 # significant compile time and runtime costs, so we will sometimes disable
7 # signed overflow checking.
8 #
9 # The rules in this file are applied at compile time; changes to this list
10 # usually require a full rebuild to apply. If you can modify the source in
11 # question to exempt specific functions using MOZ_NO_SANITIZE_SIGNED_OVERFLOW,
12 # do that instead.
13 #
14 # The extensive number of entries below is for two reasons.
15 #
16 # First, compiler instrumentation for signed integer overflows has a cost, at
17 # compile time and at runtime. In performance-critical code proven to have no
18 # signed overflow, it makes sense to turn off overflow detection to avoid both
19 # costs. (Indeed, -fsanitize=signed-integer-overflow is unusably slow without
20 # this.)
21 #
22 # Second, many entries here are overly aggressive to get the build into a state
23 # that allows any testing to happen at all. Some of the entries here are for
24 # issues that are highly frequent in our test suites -- over 500 times per run.
25 # Aggressive entries now let us start using this mode, without having to first
26 # fix wide swaths of existing code.
27 #
28 # Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
29 # can be moved out of this centralized file, into source-level blacklist
30 # attributes on individual functions.
32 # All entries in this file are to suppress signed-integer-overflow problems.
33 # Blacklists for other reasons should go in separate blacklist files.
34 [signed-integer-overflow]
36 # Overflows in the C++ std headers aren't necessarily bugs, because code inside
37 # a language implementation can depend on compiler-specific behavior where C/C++
38 # leave the behavior undefined.
39 src:*bits/basic_string.h
41 # Assume everything running through CheckedInt.h is ok. Signed overflows here
42 # should generally have been guarded by safe overflow checks, so it's likely
43 # safe to exempt it from overflow checking. (This should eventually be verified
44 # and functions individually tagged safe so this entry can be removed.)
45 src:*/CheckedInt.h
47 # Exclude bignum
48 src:*/mfbt/double-conversion/source/bignum.cc
50 # Exclude anything within gtests
51 src:*/gtest/*
53 # Atomics can overflow, but without a full stack we can't trace these back
54 # to what is actually causing the overflow. Ignoring these for now, as it will
55 # be too much effort to determine every single source here.
56 src:*/mfbt/Atomics.h
58 # No reason to instrument certain parts of NSS that explicitely deal with
59 # arithmetics and crypto.
60 src:*/security/nss/lib/freebl/mpi/*
61 src:*/security/nss/lib/freebl/ecl/*
63 # nsTArray_base<Alloc, Copy>::ShiftData performs overflows
64 fun:*nsTArray_base*ShiftData*
66 ### Frequent 0 - 1 overflows
67 #
68 # We have several code patterns in our codebase that cause these overflows,
69 # but they are typically all harmless and could be filtered easily at runtime.
70 # However, some of them are so frequent that suppressing them at compile-time
71 # makes sense to increase runtime performance.
72 #
73 src:*/netwerk/base/nsSocketTransportService2.cpp
74 src:*/nsCharTraits.h
75 # Code in xpcom/base/CycleCollectedJSContext.cpp
76 fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
77 # Code in layout/painting/nsDisplayList.cpp
78 fun:*nsDisplayOpacity*ShouldFlattenAway*
79 # Code in modules/libpref/Preferences.cpp
80 fun:*pref_InitInitialObjects*
81 # Code in netwerk/base/nsIOService.cpp
82 fun:*nsIOService*GetCachedProtocolHandler*
83 # Code in layout/xul/nsXULPopupManager.cpp
84 fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
85 # Code in dom/base/nsDocument.cpp
86 fun:*1nsDocument@@*
87 # Code in gfx/layers/ipc/CompositorBridgeChild.cpp
88 fun:*CompositorBridgeChild*Destroy*
89 # Code in gfx/layers/ipc/ImageBridgeChild.cpp
90 fun:*ImageBridgeChild*ShutdownStep1*
91 # Code in dom/base/nsGlobalWindow.cpp
92 fun:*nsGlobalWindow*ClearControllers*
93 # Code in layout/style/AnimationCollection.cpp
94 fun:*AnimationCollection*PropertyDtor*
95 # Code in layout/style/nsStyleSet.cpp
96 fun:*nsStyleSet*AddImportantRules*
97 fun:*nsStyleSet*CounterStyleRuleForName*
100 ### Misc overflows
102 # Hot function in protobuf producing overflows
103 fun:*CodedInputStream*ReadTagWithCutoff*
106 # SQLite3 is full of overflows :/
107 src:*/third_party/sqlite3/src/sqlite3.c
109 # zlib has some overflows, we can't deal with them right now
110 src:*/modules/zlib/src/*
112 # Our LZ4 implementation uses overflows. By listing it here we might
113 # miss some unintended overflows in that implementation, but we can't
114 # check for it right now.
115 src:*/mfbt/lz4.c
117 # Apparently this overflows a lot, because it contains some allocators
118 # that keep overflowing, not sure why. Disabling by function didn't seem
119 # to work here for operator new.
120 src:*/xpcom/ds/nsArrayEnumerator.cpp
122 # Memory usage reporting code in gfx/thebes/gfxASurface.cpp
123 # We probably don't care about the frequent overflows there.
124 fun:*SurfaceMemoryReporter*AdjustUsedMemory*
126 # Frequent overflower in gfx/thebes/gfxFontEntry.cpp
127 fun:*WeightDistance*
129 # Another frequent overflower
130 fun:*nsTObserverArray_base*AdjustIterators*
132 # Overflows in Skia
133 fun:*SkPathRef*makeSpace*
134 fun:*SkPathRef*resetToSize*
136 # Expat Parser has some overflows
137 fun:*nsExpatDriver*ConsumeToken*
139 # Frequent overflowers in harfbuzz
140 fun:*hb_in_range*
141 fun:*OT*collect_glyphs*
143 # These look like harmless layouting-related overflows
144 src:*/gfx/cairo/libpixman/src/pixman-region.c
146 # Code in ipc/chromium/src/base/file_path.cc where a function returns -1
147 # being cast to unsigned and then overflowed.
148 fun:*FilePath*Append*
149 fun:*FilePath*StripTrailingSeparatorsInternal*
151 # Code in dom/base/nsJSEnvironment.cpp
152 fun:*FireForgetSkippable*
154 # Code in gfx/thebes/gfxSkipChars.h
155 fun:*gfxSkipCharsIterator*AdvanceSkipped*
157 # Code in gfx/thebes/gfxScriptItemizer.cpp
158 fun:*gfxScriptItemizer*fixup*
159 fun:*gfxScriptItemizer*push*
161 # Code in dom/base/nsDocument.cpp
162 fun:*nsDocument*BlockOnload*
164 # Code in layout/base/nsCSSFrameConstructor.cpp
165 fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*
167 # Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
168 fun:*PL_ArenaRelease*
170 # This file contains a bunch of arithmetic operations on timestamps that
171 # apparently are allowed to overflow.
172 src:*/src/widget/SystemTimeConverter.h
174 # Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
175 fun:*Frame*FindNext*
177 # Code in netwerk/base/nsStandardURL.cpp,
178 # these methods return signed but the subtraction is first performed unsigned
179 fun:*nsStandardURL*ReplaceSegment*
181 # Code in netwerk/protocol/http/nsHttpChannel.cpp
182 # same as previous with the previous entry.
183 fun:*nsHttpChannel*ReportNetVSCacheTelemetry*
185 # Code in layout/tables/nsCellMap.cpp
186 # again subtraction then cast to signed.
187 fun:*nsTableCellMap*GetColInfoAt*
189 # Code in layout/generic/nsTextFrame.cpp
190 # again subtraction then cast to signed.
191 fun:*nsTextFrame*CharacterDataChanged*
193 # Not sure what is going on in this file, but it doesn't look
194 # related to what we are looking for.
195 src:*/xpcom/base/CountingAllocatorBase.h
197 # Code in dom/base/nsDOMNavigationTiming.cpp
198 # Timestamp related, probably expecting the overflow
199 fun:*nsDOMNavigationTiming*TimeStampToDOM*
201 # Several unsigned arithmetic operations with -1
202 src:*/hal/HalWakeLock.cpp
204 # Code in layout/generic/nsGfxScrollFrame.cpp that produces
205 # somewhat frequent signed integer overflows. Probably harmless
206 # because it's layout code.
207 fun:*ClampAndAlignWithPixels*
209 # Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
210 fun:*ClockResolutionNs*
212 # This header has all sorts of operators that do post-operation
213 # overflow and underflow checking, triggering frequent reports
214 src:*/mozglue/misc/TimeStamp.h
216 #
217 # Various hashing functions, both regular and cryptographic ones
218 #
219 src:*/dom/canvas/MurmurHash3.cpp
220 src:*/gfx/skia/skia/include/private/SkChecksum.h
221 src:*/intl/icu/source/common/unifiedcache.h
222 src:*/mfbt/SHA1.cpp
223 src:*/modules/zlib/src/adler32.c
224 src:*/netwerk/cache2/CacheHashUtils.cpp
225 src:*/netwerk/sctp/src/netinet/sctp_sha1.c
226 src:*/netwerk/srtp/src/crypto/hash/sha1.c
227 src:*/netwerk/sctp/src/netinet/sctp_sha1.c
228 src:*/nsprpub/lib/ds/plhash.c
229 src:*/security/manager/ssl/md4.c
230 src:*/security/nss/lib/dbm/src/h_func.c
231 src:*/security/nss/lib/freebl/sha512.c
232 src:*/security/nss/lib/freebl/md5.c
233 src:*/xpcom/ds/PLDHashTable.cpp
235 # Hash/Cache function in Skia
236 fun:*GradientShaderCache*Build32bitCache*
238 # Hashing functions in Cairo
239 fun:*_hash_matrix_fnv*
240 fun:*_hash_mix_bits*
241 fun:*_cairo_hash_string*
242 fun:*_cairo_hash_bytes*
244 # intl code hashing functions
245 fun:*ustr_hash*CharsN*
246 fun:*hashEntry*
248 # harfbuzz hash/digest functions
249 fun:*hb_set_digest_lowest_bits_t*
251 # Hash function in gfx
252 fun:*gfxFontStyle*Hash*
254 # expat uses a CHAR_HASH macro in several places that causes
255 # a high amount of overflows. We should try finding a better
256 # way to disable this rather than blacklisting the whole thing.
257 src:*/parser/expat/*