| blob | 46bb4f6f121c263f31a206a760947ed3f92910a0 |
1 # This file contains an extensive compile-time blacklist for silencing highly
2 # frequent *un*signed integer overflows in our codebase, found by the use of
3 # -fsanitize=unsigned-integer-overflow. Such overflows are not necessarily
4 # bugs -- unsigned integer overflow has well-defined semantics in C/C++. But
5 # overflow may still be *unexpected* and incorrectly handled, so we try to
6 # annotate those places where unsigned overflow is correct and desired.
7 #
8 # The rules in this file are applied at compile time; changes to this list
9 # usually require a full rebuild to apply. If you can modify the source in
10 # question to exempt specific functions using MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW,
11 # do that instead.
12 #
13 # The extensive number of entries below is for two reasons.
14 #
15 # First, compiler instrumentation for unsigned integer overflows has a cost, at
16 # compile time and at runtime. In places where code expects and depends upon
17 # overflow behavior -- and especially in performance-critical code -- it makes
18 # sense to turn off overflow detection to avoid both costs. (Indeed,
19 # -fsanitize=signed-integer-overflow is unusably slow without this.)
20 #
21 # Second, many entries here are overly aggressive to get the build into a state
22 # that allows any testing to happen at all. Some of the entries here are for
23 # issues that are highly frequent in our test suites -- over 500 times per run.
24 # Aggressive entries now let us start using this mode, without having to first
25 # fix wide swaths of existing code.
26 #
27 # Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
28 # can be moved out of this centralized file, into source-level blacklist
29 # attributes on individual functions.
31 # All entries in this file are to suppress unsigned-integer-overflow problems.
32 # Blacklists for other reasons should go in separate blacklist files.
33 [unsigned-integer-overflow]
35 # Overflows in the C++ std headers aren't necessarily bugs, because code inside
36 # a language implementation can depend on compiler-specific behavior where C/C++
37 # leave the behavior undefined.
38 src:*bits/basic_string.h
40 # Assume everything running through CheckedInt.h is ok. The CheckedInt class
41 # casts signed integers to unsigned first and then does a post-overflow
42 # check causing lots of unsigned integer overflow messages.
43 src:*/CheckedInt.h
45 # Exclude bignum
46 src:*/mfbt/double-conversion/source/bignum.cc
48 # Exclude anything within gtests
49 src:*/gtest/*
51 # The JS engine has a lot of code doing all sorts of overflows. This code
52 # is pretty well tested though and excluding it here will allow us to go
53 # for other, less tested code. Ideally, we would include the JS engine here
54 # at some point.
55 src:*/js/src/*
56 src:*/js/public/*
57 src:*/js/*.h
58 src:*/jsfriendapi.h
60 # Atomics can overflow, but without a full stack we can't trace these back
61 # to what is actually causing the overflow. Ignoring these for now, as it will
62 # be too much effort to determine every single source here.
63 src:*/mfbt/Atomics.h
65 # No reason to instrument certain parts of NSS that explicitely deal with
66 # arithmetics and crypto.
67 src:*/security/nss/lib/freebl/mpi/*
68 src:*/security/nss/lib/freebl/ecl/*
70 # nsTArray_base<Alloc, Copy>::ShiftData performs overflows
71 fun:*nsTArray_base*ShiftData*
73 ### Frequent 0 - 1 overflows
74 #
75 # We have several code patterns in our codebase that cause these overflows,
76 # but they are typically all harmless and could be filtered easily at runtime.
77 # However, some of them are so frequent that suppressing them at compile-time
78 # makes sense to increase runtime performance.
79 #
80 src:*/netwerk/base/nsSocketTransportService2.cpp
81 src:*/nsCharTraits.h
82 # Code in xpcom/base/CycleCollectedJSContext.cpp
83 fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
84 # Code in layout/painting/nsDisplayList.cpp
85 fun:*nsDisplayOpacity*ShouldFlattenAway*
86 # Code in modules/libpref/Preferences.cpp
87 fun:*pref_InitInitialObjects*
88 # Code in netwerk/base/nsIOService.cpp
89 fun:*nsIOService*GetCachedProtocolHandler*
90 # Code in layout/xul/nsXULPopupManager.cpp
91 fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
92 # Code in dom/base/nsDocument.cpp
93 fun:*1nsDocument@@*
94 # Code in gfx/layers/ipc/CompositorBridgeChild.cpp
95 fun:*CompositorBridgeChild*Destroy*
96 # Code in gfx/layers/ipc/ImageBridgeChild.cpp
97 fun:*ImageBridgeChild*ShutdownStep1*
98 # Code in dom/base/nsGlobalWindow.cpp
99 fun:*nsGlobalWindow*ClearControllers*
100 # Code in layout/style/AnimationCollection.cpp
101 fun:*AnimationCollection*PropertyDtor*
102 # Code in layout/style/nsStyleSet.cpp
103 fun:*nsStyleSet*AddImportantRules*
104 fun:*nsStyleSet*CounterStyleRuleForName*
107 ### Misc overflows
109 # Hot function in protobuf producing overflows
110 fun:*CodedInputStream*ReadTagWithCutoff*
113 # SQLite3 is full of overflows :/
114 src:*/third_party/sqlite3/src/sqlite3.c
116 # zlib has some overflows, we can't deal with them right now
117 src:*/modules/zlib/src/*
119 # Our LZ4 implementation uses overflows. By listing it here we might
120 # miss some unintended overflows in that implementation, but we can't
121 # check for it right now.
122 src:*/mfbt/lz4/*
124 # Apparently this overflows a lot, because it contains some allocators
125 # that keep overflowing, not sure why. Disabling by function didn't seem
126 # to work here for operator new.
127 src:*/xpcom/ds/nsArrayEnumerator.cpp
129 # Memory usage reporting code in gfx/thebes/gfxASurface.cpp
130 # We probably don't care about the frequent overflows there.
131 fun:*SurfaceMemoryReporter*AdjustUsedMemory*
133 # Frequent overflower in gfx/thebes/gfxFontEntry.cpp
134 fun:*WeightDistance*
136 # Another frequent overflower
137 fun:*nsTObserverArray_base*AdjustIterators*
139 # Overflows in Skia
140 fun:*SkPathRef*makeSpace*
141 fun:*SkPathRef*resetToSize*
143 # Expat Parser has some overflows
144 fun:*nsExpatDriver*ConsumeToken*
146 # Frequent overflowers in harfbuzz
147 fun:*hb_in_range*
148 fun:*OT*collect_glyphs*
150 # These look like harmless layouting-related overflows
151 src:*/gfx/cairo/libpixman/src/pixman-region.c
153 # Code in ipc/chromium/src/base/file_path.cc where a function returns -1
154 # being cast to unsigned and then overflowed.
155 fun:*FilePath*Append*
156 fun:*FilePath*StripTrailingSeparatorsInternal*
158 # Code in dom/base/nsJSEnvironment.cpp
159 fun:*FireForgetSkippable*
161 # Code in gfx/thebes/gfxSkipChars.h
162 fun:*gfxSkipCharsIterator*AdvanceSkipped*
164 # Code in gfx/thebes/gfxScriptItemizer.cpp
165 fun:*gfxScriptItemizer*fixup*
166 fun:*gfxScriptItemizer*push*
168 # Code in dom/base/nsDocument.cpp
169 fun:*nsDocument*BlockOnload*
171 # Code in layout/base/nsCSSFrameConstructor.cpp
172 fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*
174 # Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
175 fun:*PL_ArenaRelease*
177 # This file contains a bunch of arithmetic operations on timestamps that
178 # apparently are allowed to overflow.
179 src:*/src/widget/SystemTimeConverter.h
181 # Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
182 fun:*Frame*FindNext*
184 # Code in netwerk/base/nsStandardURL.cpp,
185 # these methods return signed but the subtraction is first performed unsigned
186 fun:*nsStandardURL*ReplaceSegment*
188 # Code in netwerk/protocol/http/nsHttpChannel.cpp
189 # same as previous with the previous entry.
190 fun:*nsHttpChannel*ReportNetVSCacheTelemetry*
192 # Code in layout/tables/nsCellMap.cpp
193 # again subtraction then cast to signed.
194 fun:*nsTableCellMap*GetColInfoAt*
196 # Code in layout/generic/nsTextFrame.cpp
197 # again subtraction then cast to signed.
198 fun:*nsTextFrame*CharacterDataChanged*
200 # Not sure what is going on in this file, but it doesn't look
201 # related to what we are looking for.
202 src:*/xpcom/base/CountingAllocatorBase.h
204 # Code in dom/base/nsDOMNavigationTiming.cpp
205 # Timestamp related, probably expecting the overflow
206 fun:*nsDOMNavigationTiming*TimeStampToDOM*
208 # Several unsigned arithmetic operations with -1
209 src:*/hal/HalWakeLock.cpp
211 # Code in layout/generic/nsGfxScrollFrame.cpp that produces
212 # somewhat frequent signed integer overflows. Probably harmless
213 # because it's layout code.
214 fun:*ClampAndAlignWithPixels*
216 # Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
217 fun:*ClockResolutionNs*
219 # This header has all sorts of operators that do post-operation
220 # overflow and underflow checking, triggering frequent reports
221 src:*/mozglue/misc/TimeStamp.h
223 #
224 # Various hashing functions, both regular and cryptographic ones
225 #
226 src:*/dom/canvas/MurmurHash3.cpp
227 src:*/gfx/skia/skia/include/private/SkChecksum.h
228 src:*/intl/icu/source/common/unifiedcache.h
229 src:*/mfbt/SHA1.cpp
230 src:*/modules/zlib/src/adler32.c
231 src:*/netwerk/cache2/CacheHashUtils.cpp
232 src:*/netwerk/sctp/src/netinet/sctp_sha1.c
233 src:*/netwerk/srtp/src/crypto/hash/sha1.c
234 src:*/netwerk/sctp/src/netinet/sctp_sha1.c
235 src:*/nsprpub/lib/ds/plhash.c
236 src:*/security/manager/ssl/md4.c
237 src:*/security/nss/lib/dbm/src/h_func.c
238 src:*/security/nss/lib/freebl/sha512.c
239 src:*/security/nss/lib/freebl/md5.c
240 src:*/xpcom/ds/PLDHashTable.cpp
242 # Hash/Cache function in Skia
243 fun:*GradientShaderCache*Build32bitCache*
245 # Hashing functions in Cairo
246 fun:*_hash_matrix_fnv*
247 fun:*_hash_mix_bits*
248 fun:*_cairo_hash_string*
249 fun:*_cairo_hash_bytes*
251 # intl code hashing functions
252 fun:*ustr_hash*CharsN*
253 fun:*hashEntry*
255 # harfbuzz hash/digest functions
256 fun:*hb_set_digest_lowest_bits_t*
258 # Hash function in gfx
259 fun:*gfxFontStyle*Hash*
261 # expat uses a CHAR_HASH macro in several places that causes
262 # a high amount of overflows. We should try finding a better
263 # way to disable this rather than blacklisting the whole thing.
264 src:*/parser/expat/*