Bug 1379254 - Add a @note to the documentation of MOZ_CRASH_UNSAFE_* to make clear data collection risk and requirements, r=erahm
author Benjamin Smedberg <benjamin@smedbergs.us>
Fri, 07 Jul 2017 14:44:26 -0400
changeset 369173 07976bd4a36ca50b15a2b40004f917e6e0bdddce
parent 369172 86ee390b7596064015f8bbc53250ec08097eb1d9
child 369174 7eceab6da87599e367c0d4dfd3d3167841f0f6a9
push id 32192
push user kwierso@gmail.com
push date Tue, 18 Jul 2017 00:01:01 +0000
treeherder mozilla-central@efc0b1525edb
reviewers erahm
bugs 1379254
milestone 56.0a1
Bug 1379254 - Add a @note to the documentation of MOZ_CRASH_UNSAFE_* to make clear data collection risk and requirements, r=erahm MozReview-Commit-ID: KssgssWHTUX
mfbt/Assertions.h
--- a/mfbt/Assertions.h
+++ b/mfbt/Assertions.h
@@ -273,16 +273,20 @@ static MOZ_COLD MOZ_NORETURN MOZ_NEVER_I
 
 /*
  * MOZ_CRASH_UNSAFE_OOL(explanation-string) can be used if the explanation
  * string cannot be a string literal (but no other processing needs to be done
  * on it). A regular MOZ_CRASH() is preferred wherever possible, as passing
  * arbitrary strings from a potentially compromised process is not without risk.
  * If the string being passed is the result of a printf-style function,
  * consider using MOZ_CRASH_UNSAFE_PRINTF instead.
+ *
+ * @note This macro causes data collection because crash strings are annotated
+ * to crash-stats and are publicly visible. Firefox data stewards must do data
+ * review on usages of this macro.
  */
 #ifndef DEBUG
 MFBT_API MOZ_COLD MOZ_NORETURN MOZ_NEVER_INLINE void
 MOZ_CrashOOL(int aLine, const char* aReason);
 #  define MOZ_CRASH_UNSAFE_OOL(reason) MOZ_CrashOOL(__LINE__, reason)
 #else
 MFBT_API MOZ_COLD MOZ_NORETURN MOZ_NEVER_INLINE void
 MOZ_CrashOOL(const char* aFilename, int aLine, const char* aReason);
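Review bot: The @note added to the MOZ_CRASH_UNSAFE_OOL comment gives "crash strings are annotated to crash-stats and are publicly visible" as the reason for data review, but it does not say what sets this macro apart: the explanation string is not a literal, so it can carry runtime data into a public report. Consider stating that directly, for example "Because the string is built at runtime it may contain user data", and telling the caller what to do, such as requesting data review before landing a new use. A smaller style point: the block opens with /* rather than a documentation comment, so it is worth checking that the @note tag is actually picked up by whatever consumes these comments.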
@@ -306,16 +310,20 @@ MOZ_CrashPrintf(const char* aFilename, i
 
 /*
  * MOZ_CRASH_UNSAFE_PRINTF(format, arg1 [, args]) can be used when more
  * information is desired than a string literal can supply. The caller provides
  * a printf-style format string, which must be a string literal and between
  * 1 and 4 additional arguments. A regular MOZ_CRASH() is preferred wherever
  * possible, as passing arbitrary strings to printf from a potentially
  * compromised process is not without risk.
+ *
+ * @note This macro causes data collection because crash strings are annotated
+ * to crash-stats and are publicly visible. Firefox data stewards must do data
+ * review on usages of this macro.
  */
 #define MOZ_CRASH_UNSAFE_PRINTF(format, ...) \
    do { \
      static_assert( \
        MOZ_ARG_COUNT(__VA_ARGS__) > 0, \
        "Did you forget arguments to MOZ_CRASH_UNSAFE_PRINTF? " \
        "Or maybe you want MOZ_CRASH instead?"); \
      static_assert( \
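Review bot: The @note in the MOZ_CRASH_UNSAFE_PRINTF comment is a verbatim copy of the one on MOZ_CRASH_UNSAFE_OOL, and it does not point at where the collected data enters here. The same comment says the format string must be a literal, so the 1 to 4 additional arguments are what end up in the public crash string; the note should name them as the thing data stewards review. To keep the two notes from drifting apart, consider writing the requirement once and having each macro's comment refer to it.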