build/sanitizers/ubsan_signed_overflow_blacklist.txt
author Franziskus Kiefer <franziskuskiefer@gmail.com>
Tue, 02 Oct 2018 14:59:34 +0200
changeset 439251 432a98e50d2bfab224328254266069aef1a474cc
parent 432932 e2cedc15272d164e81a4f48cb7115ff012430745
child 476055 670a1fa153f316b7b4866e9226abd6f1fa7e849b
permissions -rw-r--r--
Bug 1479787 - use NSS mozpkix in Firefox, r=mt,keeler,glandium Differential Revision: https://phabricator.services.mozilla.com/D2725 Differential Revision: https://phabricator.services.mozilla.com/D2860

# This file contains an extensive compile-time blacklist for silencing highly
# frequent signed integer overflows in our codebase, found by the use of
# -fsanitize=signed-integer-overflow.  C/C++ say signed integer overflow is
# undefined behavior, so instances of this need to be fixed.  But not all code
# has been properly written to not overflow, and overflow-checking can have
# significant compile time and runtime costs, so we will sometimes  disable
# signed overflow checking.
#
# The rules in this file are applied at compile time; changes to this list
# usually require a full rebuild to apply. If you can modify the source in
# question to exempt specific functions using MOZ_NO_SANITIZE_SIGNED_OVERFLOW,
# do that instead.
#
# The extensive number of entries below is for two reasons.
#
# First, compiler instrumentation for signed integer overflows has a cost, at
# compile time and at runtime.  In performance-critical code proven to have no
# signed overflow, it makes sense to turn off overflow detection to avoid both
# costs.  (Indeed, -fsanitize=signed-integer-overflow is unusably slow without
# this.)
#
# Second, many entries here are overly aggressive to get the build into a state
# that allows any testing to happen at all.  Some of the entries here are for
# issues that are highly frequent in our test suites -- over 500 times per run.
# Aggressive entries now let us start using this mode, without having to first
# fix wide swaths of existing code.
#
# Entries should be removed 1) as issues are fixed; and 2) as blacklist entries
# can be moved out of this centralized file, into source-level blacklist
# attributes on individual functions.

# All entries in this file are to suppress signed-integer-overflow problems.
# Blacklists for other reasons should go in separate blacklist files.
[signed-integer-overflow]

# Overflows in the C++ std headers aren't necessarily bugs, because code inside
# a language implementation can depend on compiler-specific behavior where C/C++
# leave the behavior undefined.
src:*bits/basic_string.h

# Assume everything running through CheckedInt.h is ok.  Signed overflows here
# should generally have been guarded by safe overflow checks, so it's likely
# safe to exempt it from overflow checking.  (This should eventually be verified
# and functions individually tagged safe so this entry can be removed.)
src:*/CheckedInt.h

# Exclude bignum
src:*/mfbt/double-conversion/source/bignum.cc

# Exclude anything within gtests
src:*/gtest/*

# Atomics can overflow, but without a full stack we can't trace these back
# to what is actually causing the overflow. Ignoring these for now, as it will
# be too much effort to determine every single source here.
src:*/mfbt/Atomics.h

# No reason to instrument certain parts of NSS that explicitely deal with
# arithmetics and crypto.
src:*/security/nss/lib/freebl/mpi/*
src:*/security/nss/lib/freebl/ecl/*

# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
fun:*nsTArray_base*ShiftData*

### Frequent 0 - 1 overflows
#
# We have several code patterns in our codebase that cause these overflows,
# but they are typically all harmless and could be filtered easily at runtime.
# However, some of them are so frequent that suppressing them at compile-time
# makes sense to increase runtime performance.
#
src:*/netwerk/base/nsSocketTransportService2.cpp
src:*/dom/xul/XULDocument.cpp
src:*/nsCharTraits.h
# Code in xpcom/base/CycleCollectedJSContext.cpp
fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
# Code in layout/painting/nsDisplayList.cpp
fun:*nsDisplayOpacity*ShouldFlattenAway*
# Code in modules/libpref/Preferences.cpp
fun:*pref_InitInitialObjects*
# Code in netwerk/base/nsIOService.cpp
fun:*nsIOService*GetCachedProtocolHandler*
# Code in layout/xul/nsXULPopupManager.cpp
fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
# Code in dom/base/nsDocument.cpp
fun:*1nsDocument@@*
# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
fun:*CompositorBridgeChild*Destroy*
# Code in gfx/layers/ipc/ImageBridgeChild.cpp
fun:*ImageBridgeChild*ShutdownStep1*
# Code in dom/base/nsGlobalWindow.cpp
fun:*nsGlobalWindow*ClearControllers*
# Code in layout/style/AnimationCollection.cpp
fun:*AnimationCollection*PropertyDtor*
# Code in layout/style/nsStyleSet.cpp
fun:*nsStyleSet*AddImportantRules*
fun:*nsStyleSet*CounterStyleRuleForName*


### Misc overflows

# Hot function in protobuf producing overflows
fun:*CodedInputStream*ReadTagWithCutoff*


# SQLite3 is full of overflows :/
src:*/db/sqlite3/src/sqlite3.c

# zlib has some overflows, we can't deal with them right now
src:*/modules/zlib/src/*

# Our LZ4 implementation uses overflows. By listing it here we might
# miss some unintended overflows in that implementation, but we can't
# check for it right now.
src:*/mfbt/lz4.c

# Apparently this overflows a lot, because it contains some allocators
# that keep overflowing, not sure why. Disabling by function didn't seem
# to work here for operator new.
src:*/xpcom/ds/nsArrayEnumerator.cpp

# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
# We probably don't care about the frequent overflows there.
fun:*SurfaceMemoryReporter*AdjustUsedMemory*

# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
fun:*WeightDistance*

# Another frequent overflower
fun:*nsTObserverArray_base*AdjustIterators*

# Overflows in Skia
fun:*SkPathRef*makeSpace*
fun:*SkPathRef*resetToSize*

# Expat Parser has some overflows
fun:*nsExpatDriver*ConsumeToken*

# Frequent overflowers in harfbuzz
fun:*hb_in_range*
fun:*OT*collect_glyphs*

# These look like harmless layouting-related overflows
src:*/gfx/cairo/libpixman/src/pixman-region.c

# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
# being cast to unsigned and then overflowed.
fun:*FilePath*Append*
fun:*FilePath*StripTrailingSeparatorsInternal*

# Code in dom/base/nsJSEnvironment.cpp
fun:*FireForgetSkippable*

# Code in gfx/thebes/gfxSkipChars.h
fun:*gfxSkipCharsIterator*AdvanceSkipped*

# Code in gfx/thebes/gfxScriptItemizer.cpp
fun:*gfxScriptItemizer*fixup*
fun:*gfxScriptItemizer*push*

# Code in dom/base/nsDocument.cpp
fun:*nsDocument*BlockOnload*

# Code in layout/base/nsCSSFrameConstructor.cpp
fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*

# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
fun:*PL_ArenaRelease*

# This file contains a bunch of arithmetic operations on timestamps that
# apparently are allowed to overflow.
src:*/src/widget/SystemTimeConverter.h

# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
fun:*Frame*FindNext*

# Code in netwerk/base/nsStandardURL.cpp,
# these methods return signed but the subtraction is first performed unsigned
fun:*nsStandardURL*ReplaceSegment*

# Code in netwerk/protocol/http/nsHttpChannel.cpp
# same as previous with the previous entry.
fun:*nsHttpChannel*ReportNetVSCacheTelemetry*

# Code in layout/tables/nsCellMap.cpp
# again subtraction then cast to signed.
fun:*nsTableCellMap*GetColInfoAt*

# Code in layout/generic/nsTextFrame.cpp
# again subtraction then cast to signed.
fun:*nsTextFrame*CharacterDataChanged*

# Not sure what is going on in this file, but it doesn't look
# related to what we are looking for.
src:*/xpcom/base/CountingAllocatorBase.h

# Code in dom/base/nsDOMNavigationTiming.cpp
# Timestamp related, probably expecting the overflow
fun:*nsDOMNavigationTiming*TimeStampToDOM*

# Several unsigned arithmetic operations with -1
src:*/hal/HalWakeLock.cpp

# Code in layout/generic/nsGfxScrollFrame.cpp that produces
# somewhat frequent signed integer overflows. Probably harmless
# because it's layout code.
fun:*ClampAndAlignWithPixels*

# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
fun:*ClockResolutionNs*

# This header has all sorts of operators that do post-operation
# overflow and underflow checking, triggering frequent reports
src:*/mozglue/misc/TimeStamp.h

#
# Various hashing functions, both regular and cryptographic ones
#
src:*/dom/canvas/MurmurHash3.cpp
src:*/gfx/skia/skia/include/private/SkChecksum.h
src:*/intl/icu/source/common/unifiedcache.h
src:*/mfbt/SHA1.cpp
src:*/modules/zlib/src/adler32.c
src:*/netwerk/cache/nsDiskCacheDevice.cpp
src:*/netwerk/cache2/CacheHashUtils.cpp
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
src:*/netwerk/srtp/src/crypto/hash/sha1.c
src:*/netwerk/sctp/src/netinet/sctp_sha1.c
src:*/nsprpub/lib/ds/plhash.c
src:*/security/manager/ssl/md4.c
src:*/security/nss/lib/dbm/src/h_func.c
src:*/security/nss/lib/freebl/sha512.c
src:*/security/nss/lib/freebl/md5.c
src:*/xpcom/ds/PLDHashTable.cpp

# Hash/Cache function in Skia
fun:*GradientShaderCache*Build32bitCache*

# Hashing functions in Cairo
fun:*_hash_matrix_fnv*
fun:*_hash_mix_bits*
fun:*_cairo_hash_string*
fun:*_cairo_hash_bytes*

# intl code hashing functions
fun:*ustr_hash*CharsN*
fun:*hashEntry*

# harfbuzz hash/digest functions
fun:*hb_set_digest_lowest_bits_t*

# Hash function in gfx
fun:*gfxFontStyle*Hash*

# expat uses a CHAR_HASH macro in several places that causes
# a high amount of overflows. We should try finding a better
# way to disable this rather than blacklisting the whole thing.
src:*/parser/expat/*