Bug 1373256 - Changes to support -fsanitize=integer in the codebase. r=froydnj
authorChristian Holler <choller@mozilla.com>
Sun, 09 Apr 2017 12:59:26 +0200
changeset 415530 e0882faffdd74c73d746c302a28ff6d296f73ba5
parent 415529 31f204fd055003ec1487597a79be89147452ab74
child 415531 3c9580f796845cc704ba5bc3a5e5f9dc80e1bf0e
push id7566
push usermtabara@mozilla.com
push dateWed, 02 Aug 2017 08:25:16 +0000
treeherdermozilla-beta@86913f512c3c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersfroydnj
bugs1373256
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1373256 - Changes to support -fsanitize=integer in the codebase. r=froydnj The -fsanitize=integer analysis from UBSan can be helpful to detect signed and unsigned integer overflows in the codebase. Unfortunately, those occur very frequently, making it impossible to test anything with it without the use of a huge blacklist. This patch includes a blacklist that is broad enough to silence everything that would drain performance too much. But even with this blacklist, neither tests nor fuzzing is "clean". We can however in the future combine this with static analysis to limit ourselves to interesting places to look at, or improve the dynamic analysis to omit typical benign overflows. It also adds another attribute that can be used on functions. It is not used right now because it was initially easier to add things to the compile-time blacklist to get started. Finally, it includes a runtime suppression list and patches various parts in the test harnesses to support that. It is currently empty and it should not be used on frequent overflows because it is expensive. However, it has the advantage that it can be used to differentiate between signed and unsigned overflows while the compile-time blacklist cannot do that. So it can be used to e.g. silence unsigned integer overflows on a file or function while still reporting signed issues. We can also use this suppression list for any other UBSan related suppressions, should we ever want to use other features from that sanitizer. MozReview-Commit-ID: C5ofhfJdpCS
build/autoconf/sanitize.m4
build/automation.py.in
build/gyp.mozbuild
build/mobile/remoteautomation.py
build/moz.configure/old.configure
build/sanitizers/ubsan_blacklist_int.txt
build/sanitizers/ubsan_suppressions.txt
mfbt/Attributes.h
python/mozbuild/mozbuild/mozinfo.py
testing/mochitest/moz.build
testing/mochitest/runtests.py
testing/mozbase/mozrunner/mozrunner/utils.py
--- a/build/autoconf/sanitize.m4
+++ b/build/autoconf/sanitize.m4
@@ -75,16 +75,38 @@ if test -n "$MOZ_TSAN"; then
     if test -z "$CLANG_CL"; then
         LDFLAGS="-fsanitize=thread $LDFLAGS"
     fi
     AC_DEFINE(MOZ_TSAN)
     MOZ_PATH_PROG(LLVM_SYMBOLIZER, llvm-symbolizer)
 fi
 AC_SUBST(MOZ_TSAN)
 
+dnl ========================================================
+dnl = Use UndefinedBehavior Sanitizer to find integer overflows
+dnl ========================================================
+MOZ_ARG_ENABLE_BOOL(ubsan-int-overflow,
+[  --enable-ubsan-int-overflow       Enable UndefinedBehavior Sanitizer (Integer Overflow Parts, default=no)],
+   MOZ_UBSAN_INT_OVERFLOW=1,
+   MOZ_UBSAN_INT_OVERFLOW= )
+if test -n "$MOZ_UBSAN_INT_OVERFLOW"; then
+    MOZ_LLVM_HACKS=1
+    MOZ_UBSAN=1
+    CFLAGS="-fsanitize=integer -fsanitize-blacklist=$_topsrcdir/build/sanitizers/ubsan_blacklist_int.txt $CFLAGS"
+    CXXFLAGS="-fsanitize=integer -fsanitize-blacklist=$_topsrcdir/build/sanitizers/ubsan_blacklist_int.txt $CXXFLAGS"
+    if test -z "$CLANG_CL"; then
+        LDFLAGS="-fsanitize=integer $LDFLAGS"
+    fi
+    AC_DEFINE(MOZ_UBSAN_INT_OVERFLOW)
+    AC_DEFINE(MOZ_UBSAN)
+    MOZ_PATH_PROG(LLVM_SYMBOLIZER, llvm-symbolizer)
+fi
+AC_SUBST(MOZ_UBSAN_INT_OVERFLOW)
+AC_SUBST(MOZ_UBSAN)
+
 # The LLVM symbolizer is used by all sanitizers
 AC_SUBST(LLVM_SYMBOLIZER)
 
 dnl ========================================================
 dnl = Enable hacks required for LLVM instrumentations
 dnl ========================================================
 MOZ_ARG_ENABLE_BOOL(llvm-hacks,
 [  --enable-llvm-hacks       Enable workarounds required for several LLVM instrumentations (default=no)],
--- a/build/automation.py.in
+++ b/build/automation.py.in
@@ -178,17 +178,17 @@ class Automation(object):
     def kill(self):
       if Automation().IS_WIN32:
         import platform
         pid = "%i" % self.pid
         subprocess.Popen(["taskkill", "/F", "/PID", pid]).wait()
       else:
         os.kill(self.pid, signal.SIGKILL)
 
-  def environment(self, env=None, xrePath=None, crashreporter=True, debugger=False, dmdPath=None, lsanPath=None):
+  def environment(self, env=None, xrePath=None, crashreporter=True, debugger=False, dmdPath=None, lsanPath=None, ubsanPath=None):
     if xrePath == None:
       xrePath = self.DIST_BIN
     if env == None:
       env = dict(os.environ)
 
     ldLibraryPath = os.path.abspath(os.path.join(SCRIPT_DIR, xrePath))
     dmdLibrary = None
     preloadEnvVar = None
--- a/build/gyp.mozbuild
+++ b/build/gyp.mozbuild
@@ -4,16 +4,17 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 include('gyp_base.mozbuild')
 
 gyp_vars.update({
     'lsan': 0,
     'asan': 0,
+    'ubsan' : 0,
     'build_with_mozilla': 1,
     'build_with_chromium': 0,
     # 10.9 once we move to TC cross-compiles - bug 1270217
     'mac_sdk_min': '10.7',
     'mac_deployment_target': '10.7',
     'use_official_google_api_keys': 0,
     'have_clock_monotonic': 1 if CONFIG['HAVE_CLOCK_MONOTONIC'] else 0,
     'have_ethtool_cmd_speed_hi': 1 if CONFIG['MOZ_WEBRTC_HAVE_ETHTOOL_SPEED_HI'] else 0,
--- a/build/mobile/remoteautomation.py
+++ b/build/mobile/remoteautomation.py
@@ -55,17 +55,17 @@ class RemoteAutomation(Automation):
 
     def setProduct(self, product):
         self._product = product
 
     def setRemoteLog(self, logfile):
         self._remoteLog = logfile
 
     # Set up what we need for the remote environment
-    def environment(self, env=None, xrePath=None, crashreporter=True, debugger=False, dmdPath=None, lsanPath=None):
+    def environment(self, env=None, xrePath=None, crashreporter=True, debugger=False, dmdPath=None, lsanPath=None, ubsanPath=None):
         # Because we are running remote, we don't want to mimic the local env
         # so no copying of os.environ
         if env is None:
             env = {}
 
         if dmdPath:
             env['MOZ_REPLACE_MALLOC_LIB'] = os.path.join(dmdPath, 'libdmd.so')
 
--- a/build/moz.configure/old.configure
+++ b/build/moz.configure/old.configure
@@ -225,16 +225,17 @@ def old_configure_options(*options):
     '--enable-synth-pico',
     '--enable-system-cairo',
     '--enable-system-extension-dirs',
     '--enable-system-pixman',
     '--enable-system-sqlite',
     '--enable-tasktracer',
     '--enable-thread-sanitizer',
     '--enable-trace-logging',
+    '--enable-ubsan-int-overflow',
     '--enable-ui-locale',
     '--enable-universalchardet',
     '--enable-updater',
     '--enable-url-classifier',
     '--enable-valgrind',
     '--enable-verify-mar',
     '--enable-webrtc',
     '--enable-xul',
new file mode 100644
--- /dev/null
+++ b/build/sanitizers/ubsan_blacklist_int.txt
@@ -0,0 +1,264 @@
+# This file contains an extensive compile-time blacklist for silencing highly
+# frequent signed and unsigned integer overflows in our codebase, found by the
+# use of -fsanitize=integer. All of the overflows that caused an entry in this
+# list are highly frequent in our test suites (> 500 times per run) and therefore
+# unlikely to be bugs. Nevertheless, the slow down this test mode significantly
+# if left active. Without this list, the -fsanitize=integer test mode is unusable
+# both because of performance and the large number of results to check.
+#
+# Some of the entries on this list are more aggressive to get the build into a
+# state that allows any testing to happen at all. This is not an optimal solution
+# and it would be good if we could refine the tool and shorten this list over
+# the time. Source code annotations can also help with this.
+#
+# The rules in this file are only applied at compile time. If you can modify the
+# source in question, consider function attributes to disable instrumentation.
+
+# Ignore common overflows in the C++ std headers
+src:*bits/basic_string.h
+
+# Assume everything running through CheckedInt.h is ok. The CheckedInt class
+# casts signed integers to unsigned first and then does a post-overflow
+# check causing lots of unsigned integer overflow messages.
+src:*/CheckedInt.h
+
+# Exclude bignum
+src:*/mfbt/double-conversion/source/bignum.cc
+
+# Exclude anything within gtests
+src:*/gtest/*
+
+# The JS engine has a lot of code doing all sorts of overflows. This code
+# is pretty well tested though and excluding it here will allow us to go
+# for other, less tested code. Ideally, we would include the JS engine here
+# at some point.
+src:*/js/src/*
+src:*/js/public/*
+src:*/js/*.h
+src:*/jsfriendapi.h
+
+# Atomics can overflow, but without a full stack we can't trace these back
+# to what is actually causing the overflow. Ignoring these for now, as it will
+# be too much effort to determine every single source here.
+src:*/mfbt/Atomics.h
+
+# No reason to instrument certain parts of NSS that explicitely deal with
+# arithmetics and crypto.
+src:*/security/nss/lib/freebl/mpi/*
+src:*/security/nss/lib/freebl/ecl/*
+
+# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
+fun:*nsTArray_base*ShiftData*
+
+### Frequent 0 - 1 overflows
+#
+# We have several code patterns in our codebase that cause these overflows,
+# but they are typically all harmless and could be filtered easily at runtime.
+# However, some of them are so frequent that suppressing them at compile-time
+# makes sense to increase runtime performance.
+#
+src:*/media/libstagefright/system/core/include/utils/TypeHelpers.h
+src:*/netwerk/base/nsSocketTransportService2.cpp
+src:*/dom/xul/XULDocument.cpp
+src:*/nsCharTraits.h
+# Code in xpcom/base/CycleCollectedJSContext.cpp
+fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
+# Code in layout/painting/nsDisplayList.cpp
+fun:*nsDisplayOpacity*ShouldFlattenAway*
+# Code in modules/libpref/Preferences.cpp
+fun:*pref_InitInitialObjects*
+# Code in netwerk/base/nsIOService.cpp
+fun:*nsIOService*GetCachedProtocolHandler*
+# Code in layout/style/nsCSSRuleProcessor.cpp
+fun:*0nsCSSRuleProcessor@@*
+fun:*nsCSSRuleProcessor*ClearSheets*
+fun:*TreeMatchContext*InitAncestors*
+fun:*TreeMatchContext*InitStyleScopes*
+# Code in layout/xul/nsXULPopupManager.cpp
+fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
+# Code in dom/base/nsDocument.cpp
+fun:*1nsDocument@@*
+# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
+fun:*CompositorBridgeChild*Destroy*
+# Code in gfx/layers/ipc/ImageBridgeChild.cpp
+fun:*ImageBridgeChild*ShutdownStep1*
+# Code in dom/base/nsGlobalWindow.cpp
+fun:*nsGlobalWindow*ClearControllers*
+# Code in layout/style/AnimationCollection.cpp
+fun:*AnimationCollection*PropertyDtor*
+# Code in layout/style/nsStyleSet.cpp
+fun:*nsStyleSet*AddImportantRules*
+fun:*nsStyleSet*CounterStyleRuleForName*
+
+
+### Misc overflows
+
+# Hot function in protobuf producing overflows
+fun:*CodedInputStream*ReadTagWithCutoff*
+
+
+# SQLite3 is full of overflows :/
+src:*/db/sqlite3/src/sqlite3.c
+
+# zlib has some overflows, we can't deal with them right now
+src:*/modules/zlib/src/*
+
+# Our LZ4 implementation uses overflows. By listing it here we might
+# miss some unintended overflows in that implementation, but we can't
+# check for it right now.
+src:*/mfbt/lz4.c
+
+# Apparently this overflows a lot, because it contains some allocators
+# that keep overflowing, not sure why. Disabling by function didn't seem
+# to work here for operator new.
+src:*/xpcom/ds/nsArrayEnumerator.cpp
+
+# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
+# We probably don't care about the frequent overflows there.
+fun:*SurfaceMemoryReporter*AdjustUsedMemory*
+
+# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
+fun:*WeightDistance*
+
+# Another frequent overflower
+fun:*nsTObserverArray_base*AdjustIterators*
+
+# Overflows in Skia
+fun:*SkPathRef*makeSpace*
+fun:*SkPathRef*resetToSize*
+
+# Expat Parser has some overflows
+fun:*nsExpatDriver*ConsumeToken*
+
+# Frequent overflowers in harfbuzz
+fun:*hb_in_range*
+fun:*OT*collect_glyphs*
+
+# These look like harmless layouting-related overflows
+src:*/gfx/cairo/libpixman/src/pixman-region.c
+
+# Sorting code in layout/style/nsCSSProps.cpp that probably doesn't
+# care about overflows.
+fun:*SortPropertyAndCount*
+
+# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
+# being cast to unsigned and then overflowed.
+fun:*FilePath*Append*
+fun:*FilePath*StripTrailingSeparatorsInternal*
+
+# Code in dom/base/nsJSEnvironment.cpp
+fun:*FireForgetSkippable*
+
+# Code in gfx/thebes/gfxSkipChars.h
+fun:*gfxSkipCharsIterator*AdvanceSkipped*
+
+# Code in gfx/thebes/gfxScriptItemizer.cpp
+fun:*gfxScriptItemizer*fixup*
+fun:*gfxScriptItemizer*push*
+
+# Code in dom/base/nsDocument.cpp
+fun:*nsDocument*BlockOnload*
+
+# Code in layout/base/nsCSSFrameConstructor.cpp
+fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*
+
+# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
+fun:*PL_ArenaRelease*
+
+# This file contains a bunch of arithmetic operations on timestamps that
+# apparently are allowed to overflow.
+src:*/src/widget/SystemTimeConverter.h
+
+# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
+fun:*Frame*FindNext*
+
+# Code in netwerk/base/nsStandardURL.cpp,
+# these methods return signed but the subtraction is first performed unsigned
+fun:*nsStandardURL*ReplaceSegment*
+
+# Code in netwerk/protocol/http/nsHttpChannel.cpp
+# same as previous with the previous entry.
+fun:*nsHttpChannel*ReportNetVSCacheTelemetry*
+
+# Code in layout/tables/nsCellMap.cpp
+# again subtraction then cast to signed.
+fun:*nsTableCellMap*GetColInfoAt*
+
+# Code in layout/generic/nsTextFrame.cpp
+# again subtraction then cast to signed.
+fun:*nsTextFrame*CharacterDataChanged*
+
+# Not sure what is going on in this file, but it doesn't look
+# related to what we are looking for.
+src:*/xpcom/base/CountingAllocatorBase.h
+
+# Code in dom/base/nsDOMNavigationTiming.cpp
+# Timestamp related, probably expecting the overflow
+fun:*nsDOMNavigationTiming*TimeStampToDOM*
+
+# Several unsigned arithmetic operations with -1
+src:*/hal/HalWakeLock.cpp
+
+# Code in layout/generic/nsGfxScrollFrame.cpp that produces
+# somewhat frequent signed integer overflows. Probably harmless
+# because it's layout code.
+fun:*ClampAndAlignWithPixels*
+
+# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
+fun:*ClockResolutionNs*
+
+# This header has all sorts of operators that do post-operation
+# overflow and underflow checking, triggering frequent reports
+src:*/mozglue/misc/TimeStamp.h
+
+#
+# Various hashing functions, both regular and cryptographic ones
+#
+src:*/dom/canvas/MurmurHash3.cpp
+src:*/gfx/skia/skia/include/private/SkChecksum.h
+src:*/HashFunctions.h
+src:*/intl/icu/source/common/unifiedcache.h
+src:*/mfbt/SHA1.cpp
+src:*/modules/zlib/src/adler32.c
+src:*/netwerk/cache/nsDiskCacheDevice.cpp
+src:*/netwerk/cache2/CacheHashUtils.cpp
+src:*/netwerk/sctp/src/netinet/sctp_sha1.c
+src:*/netwerk/srtp/src/crypto/hash/sha1.c
+src:*/netwerk/sctp/src/netinet/sctp_sha1.c
+src:*/nsprpub/lib/ds/plhash.c
+src:*/security/manager/ssl/md4.c
+src:*/security/nss/lib/dbm/src/h_func.c
+src:*/security/nss/lib/freebl/sha512.c
+src:*/security/nss/lib/freebl/md5.c
+src:*/XorShift128PlusRNG.h
+src:*/xpcom/ds/PLDHashTable.cpp
+
+# Hash/Cache function in Skia
+fun:*GradientShaderCache*Build32bitCache*
+
+# Hash function in js/public/Utility.h
+fun:ScrambleHashCode*
+
+# Hashing functions in Cairo
+fun:*_hash_matrix_fnv*
+fun:*_hash_mix_bits*
+fun:*_cairo_hash_string*
+fun:*_cairo_hash_bytes*
+
+# Hash function in modules/libjar/nsZipArchive.cpp
+fun:*HashName*
+
+# intl code hashing functions
+fun:*ustr_hash*CharsN*
+fun:*hashEntry*
+
+# harfbuzz hash/digest functions
+fun:*hb_set_digest_lowest_bits_t*
+
+# Hash function in gfx
+fun:*gfxFontStyle*Hash*
+
+# expat uses a CHAR_HASH macro in several places that causes
+# a high amount of overflows. We should try finding a better
+# way to disable this rather than blacklisting the whole thing.
+src:*/parser/expat/*
new file mode 100644
--- /dev/null
+++ b/build/sanitizers/ubsan_suppressions.txt
@@ -0,0 +1,15 @@
+# This list contains runtime suppression entries for any issues reported
+# by UndefinedBehaviorSanitizer (UBSan). Unlike the compile-time blacklists,
+# this list allows us to blacklist source code files and functions only for
+# specific checks performed by UBSan.
+#
+# Example:
+#
+# signed-integer-overflow:file-with-known-overflow.cpp
+# alignment:function_doing_unaligned_access
+# vptr:shared_object_with_vptr_failures.so
+#
+# Since runtime suppressions are much more expensive than compile-time
+# blacklisting, this list should not be used for frequent issues but rather
+# only for sporadic warnings that have already been checked and confirmed
+# to not be bugs.
--- a/mfbt/Attributes.h
+++ b/mfbt/Attributes.h
@@ -218,16 +218,40 @@
 #    define MOZ_TSAN_BLACKLIST MOZ_NEVER_INLINE __attribute__((no_sanitize_thread))
 #  else
 #    define MOZ_TSAN_BLACKLIST /* nothing */
 #  endif
 #else
 #  define MOZ_TSAN_BLACKLIST /* nothing */
 #endif
 
+/*
+ * The MOZ_NO_SANITIZE_* family of macros is an annotation based on a more recently
+ * introduced Clang feature that allows disabling various sanitizer features for
+ * the particular function, including those from UndefinedBehaviorSanitizer.
+ */
+
+#if defined(__has_attribute)
+#  if __has_attribute(no_sanitize)
+#    define MOZ_HAVE_NO_SANITIZE_ATTR
+#  endif
+#endif
+
+#if defined(MOZ_HAVE_NO_SANITIZE_ATTR)
+#  define MOZ_NO_SANITIZE_UINT_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
+#  define MOZ_NO_SANITIZE_INT_OVERFLOW __attribute__((no_sanitize("signed-integer-overflow")))
+#else
+#  define MOZ_NO_SANITIZE_UINT_OVERFLOW /* nothing */
+#  define MOZ_NO_SANITIZE_INT_OVERFLOW /* nothing */
+#endif
+
+
+#undef MOZ_HAVE_NO_SANITIZE_ATTR
+
+
 /**
  * MOZ_ALLOCATOR tells the compiler that the function it marks returns either a
  * "fresh", "pointer-free" block of memory, or nullptr. "Fresh" means that the
  * block is not pointed to by any other reachable pointer in the program.
  * "Pointer-free" means that the block contains no pointers to any valid object
  * in the program. It may be initialized with other (non-pointer) values.
  *
  * Placing this attribute on appropriate functions helps GCC analyze pointer
--- a/python/mozbuild/mozbuild/mozinfo.py
+++ b/python/mozbuild/mozbuild/mozinfo.py
@@ -80,16 +80,17 @@ def build_dict(config, env=os.environ):
     d['pgo'] = substs.get('MOZ_PGO') == '1'
     d['crashreporter'] = bool(substs.get('MOZ_CRASHREPORTER'))
     d['datareporting'] = bool(substs.get('MOZ_DATA_REPORTING'))
     d['healthreport'] = substs.get('MOZ_SERVICES_HEALTHREPORT') == '1'
     d['sync'] = substs.get('MOZ_SERVICES_SYNC') == '1'
     d['stylo'] = substs.get('MOZ_STYLO_ENABLE') == '1'
     d['asan'] = substs.get('MOZ_ASAN') == '1'
     d['tsan'] = substs.get('MOZ_TSAN') == '1'
+    d['ubsan'] = substs.get('MOZ_UBSAN') == '1'
     d['telemetry'] = substs.get('MOZ_TELEMETRY_REPORTING') == '1'
     d['tests_enabled'] = substs.get('ENABLE_TESTS') == "1"
     d['bin_suffix'] = substs.get('BIN_SUFFIX', '')
     d['addon_signing'] = substs.get('MOZ_ADDON_SIGNING') == '1'
     d['require_signing'] = substs.get('MOZ_REQUIRE_SIGNING') == '1'
     d['no_legacy_extensions'] = substs.get('MOZ_ALLOW_LEGACY_EXTENSIONS') == '0'
     d['official'] = bool(substs.get('MOZILLA_OFFICIAL'))
     d['updater'] = substs.get('MOZ_UPDATER') == '1'
--- a/testing/mochitest/moz.build
+++ b/testing/mochitest/moz.build
@@ -32,16 +32,17 @@ GENERATED_FILES += [
     'automation.py',
 ]
 
 TEST_HARNESS_FILES.testing.mochitest += [
     '!automation.py',
     '/build/mobile/remoteautomation.py',
     '/build/pgo/server-locations.txt',
     '/build/sanitizers/lsan_suppressions.txt',
+    '/build/sanitizers/ubsan_suppressions.txt',
     '/build/valgrind/cross-architecture.sup',
     '/build/valgrind/i386-redhat-linux-gnu.sup',
     '/build/valgrind/x86_64-redhat-linux-gnu.sup',
     '/netwerk/test/httpserver/httpd.js',
     'bisection.py',
     'browser-harness.xul',
     'browser-test-overlay.xul',
     'browser-test.js',
--- a/testing/mochitest/runtests.py
+++ b/testing/mochitest/runtests.py
@@ -1570,22 +1570,28 @@ toolbar#nav-bar {
 
     def buildBrowserEnv(self, options, debugger=False, env=None):
         """build the environment variables for the specific test and operating system"""
         if mozinfo.info["asan"] and mozinfo.isLinux and mozinfo.bits == 64:
             lsanPath = SCRIPT_DIR
         else:
             lsanPath = None
 
+        if mozinfo.info["ubsan"]:
+            ubsanPath = SCRIPT_DIR
+        else:
+            ubsanPath = None
+
         browserEnv = self.environment(
             xrePath=options.xrePath,
             env=env,
             debugger=debugger,
             dmdPath=options.dmdPath,
-            lsanPath=lsanPath)
+            lsanPath=lsanPath,
+            ubsanPath=ubsanPath)
 
         if hasattr(options, "topsrcdir"):
             browserEnv["MOZ_DEVELOPER_REPO_DIR"] = options.topsrcdir
 
         # These variables are necessary for correct application startup; change
         # via the commandline at your own risk.
         browserEnv["XPCOM_DEBUG_BREAK"] = "stack"
 
--- a/testing/mozbase/mozrunner/mozrunner/utils.py
+++ b/testing/mozbase/mozrunner/mozrunner/utils.py
@@ -77,17 +77,17 @@ def _find_marionette_in_args(*args, **kw
 
 
 def _raw_log():
     import logging
     return logging.getLogger(__name__)
 
 
 def test_environment(xrePath, env=None, crashreporter=True, debugger=False,
-                     dmdPath=None, lsanPath=None, log=None):
+                     dmdPath=None, lsanPath=None, ubsanPath=None, log=None):
     """
     populate OS environment variables for mochitest and reftests.
 
     Originally comes from automationutils.py. Don't use that for new code.
     """
 
     env = os.environ.copy() if env is None else env
     log = log or _raw_log()
@@ -222,16 +222,31 @@ def test_environment(xrePath, env=None, 
         if os.path.isfile(llvmsym):
             env["TSAN_OPTIONS"] = "external_symbolizer_path=%s" % llvmsym
             log.info("INFO | runtests.py | TSan using symbolizer at %s"
                      % llvmsym)
         else:
             log.info("TEST-UNEXPECTED-FAIL | runtests.py | Failed to find TSan"
                      " symbolizer at %s" % llvmsym)
 
+    ubsan = bool(mozinfo.info.get("ubsan"))
+    if ubsan and (mozinfo.isLinux or mozinfo.isMac):
+        if ubsanPath:
+            log.info("UBSan enabled.")
+            ubsanOptions = []
+            suppressionsFile = os.path.join(
+                ubsanPath, 'ubsan_suppressions.txt')
+            if os.path.exists(suppressionsFile):
+                log.info("UBSan using suppression file " + suppressionsFile)
+                ubsanOptions.append("suppressions=" + suppressionsFile)
+            else:
+                log.info("WARNING | runtests.py | UBSan suppressions file"
+                         " does not exist! " + suppressionsFile)
+            env["UBSAN_OPTIONS"] = ':'.join(ubsanOptions)
+
     return env
 
 
 def get_stack_fixer_function(utilityPath, symbolsPath):
     """
     Return a stack fixing function, if possible, to use on output lines.
 
     A stack fixing function checks if a line conforms to the output from