Bug 1373256 - Changes to support -fsanitize=integer in the codebase. r=froydnj

The -fsanitize=integer analysis from UBSan can be helpful to detect signed and unsigned integer overflows in the codebase. Unfortunately, those occur very frequently, making it impossible to test anything with it without the use of a huge blacklist. This patch includes a blacklist that is broad enough to silence everything that would drain performance too much. But even with this blacklist, neither tests nor fuzzing is "clean". We can however in the future combine this with static analysis to limit ourselves to interesting places to look at, or improve the dynamic analysis to omit typical benign overflows.

It also adds another attribute that can be used on functions. It is not used right now because it was initially easier to add things to the compile-time blacklist to get started.

Finally, it includes a runtime suppression list and patches various parts in the test harnesses to support that. It is currently empty and it should not be used on frequent overflows because it is expensive. However, it has the advantage that it can be used to differentiate between signed and unsigned overflows while the compile-time blacklist cannot do that. So it can be used to e.g. silence unsigned integer overflows on a file or function while still reporting signed issues. We can also use this suppression list for any other UBSan related suppressions, should we ever want to use other features from that sanitizer.

MozReview-Commit-ID: C5ofhfJdpCS

--HG--
extra : rebase_source : 64aa804965d24bb90b103c00c692a2ac6859e408

build/autoconf/sanitize.m4

@@ -80,6 +80,28 @@ if test -n "$MOZ_TSAN"; then
 fi
 AC_SUBST(MOZ_TSAN)
 
+dnl ========================================================
+dnl = Use UndefinedBehavior Sanitizer to find integer overflows
+dnl ========================================================
+MOZ_ARG_ENABLE_BOOL(ubsan-int-overflow,
+[  --enable-ubsan-int-overflow       Enable UndefinedBehavior Sanitizer (Integer Overflow Parts, default=no)],
+   MOZ_UBSAN_INT_OVERFLOW=1,
+   MOZ_UBSAN_INT_OVERFLOW= )
+if test -n "$MOZ_UBSAN_INT_OVERFLOW"; then
+    MOZ_LLVM_HACKS=1
+    MOZ_UBSAN=1
+    CFLAGS="-fsanitize=integer -fsanitize-blacklist=$_topsrcdir/build/sanitizers/ubsan_blacklist_int.txt $CFLAGS"
+    CXXFLAGS="-fsanitize=integer -fsanitize-blacklist=$_topsrcdir/build/sanitizers/ubsan_blacklist_int.txt $CXXFLAGS"
+    if test -z "$CLANG_CL"; then
+        LDFLAGS="-fsanitize=integer $LDFLAGS"
+    fi
+    AC_DEFINE(MOZ_UBSAN_INT_OVERFLOW)
+    AC_DEFINE(MOZ_UBSAN)
+    MOZ_PATH_PROG(LLVM_SYMBOLIZER, llvm-symbolizer)
+fi
+AC_SUBST(MOZ_UBSAN_INT_OVERFLOW)
+AC_SUBST(MOZ_UBSAN)
+
 # The LLVM symbolizer is used by all sanitizers
 AC_SUBST(LLVM_SYMBOLIZER)
 

build/gyp.mozbuild

@@ -9,6 +9,7 @@ include('gyp_base.mozbuild')
 gyp_vars.update({
     'lsan': 0,
     'asan': 0,
+    'ubsan' : 0,
     'build_with_mozilla': 1,
     'build_with_chromium': 0,
     # 10.9 once we move to TC cross-compiles - bug 1270217

build/moz.configure/old.configure

@@ -230,6 +230,7 @@ def old_configure_options(*options):
     '--enable-tasktracer',
     '--enable-thread-sanitizer',
     '--enable-trace-logging',
+    '--enable-ubsan-int-overflow',
     '--enable-ui-locale',
     '--enable-universalchardet',
     '--enable-updater',

build/sanitizers/ubsan_blacklist_int.txt

@@ -0,0 +1,264 @@
+# This file contains an extensive compile-time blacklist for silencing highly
+# frequent signed and unsigned integer overflows in our codebase, found by the
+# use of -fsanitize=integer. All of the overflows that caused an entry in this
+# list are highly frequent in our test suites (> 500 times per run) and therefore
+# unlikely to be bugs. Nevertheless, the slow down this test mode significantly
+# if left active. Without this list, the -fsanitize=integer test mode is unusable
+# both because of performance and the large number of results to check.
+#
+# Some of the entries on this list are more aggressive to get the build into a
+# state that allows any testing to happen at all. This is not an optimal solution
+# and it would be good if we could refine the tool and shorten this list over
+# the time. Source code annotations can also help with this.
+#
+# The rules in this file are only applied at compile time. If you can modify the
+# source in question, consider function attributes to disable instrumentation.
+
+# Ignore common overflows in the C++ std headers
+src:*bits/basic_string.h
+
+# Assume everything running through CheckedInt.h is ok. The CheckedInt class
+# casts signed integers to unsigned first and then does a post-overflow
+# check causing lots of unsigned integer overflow messages.
+src:*/CheckedInt.h
+
+# Exclude bignum
+src:*/mfbt/double-conversion/source/bignum.cc
+
+# Exclude anything within gtests
+src:*/gtest/*
+
+# The JS engine has a lot of code doing all sorts of overflows. This code
+# is pretty well tested though and excluding it here will allow us to go
+# for other, less tested code. Ideally, we would include the JS engine here
+# at some point.
+src:*/js/src/*
+src:*/js/public/*
+src:*/js/*.h
+src:*/jsfriendapi.h
+
+# Atomics can overflow, but without a full stack we can't trace these back
+# to what is actually causing the overflow. Ignoring these for now, as it will
+# be too much effort to determine every single source here.
+src:*/mfbt/Atomics.h
+
+# No reason to instrument certain parts of NSS that explicitely deal with
+# arithmetics and crypto.
+src:*/security/nss/lib/freebl/mpi/*
+src:*/security/nss/lib/freebl/ecl/*
+
+# nsTArray_base<Alloc, Copy>::ShiftData performs overflows
+fun:*nsTArray_base*ShiftData*
+
+### Frequent 0 - 1 overflows
+#
+# We have several code patterns in our codebase that cause these overflows,
+# but they are typically all harmless and could be filtered easily at runtime.
+# However, some of them are so frequent that suppressing them at compile-time
+# makes sense to increase runtime performance.
+#
+src:*/media/libstagefright/system/core/include/utils/TypeHelpers.h
+src:*/netwerk/base/nsSocketTransportService2.cpp
+src:*/dom/xul/XULDocument.cpp
+src:*/nsCharTraits.h
+# Code in xpcom/base/CycleCollectedJSContext.cpp
+fun:*CycleCollectedJSContext*ProcessMetastableStateQueue*
+# Code in layout/painting/nsDisplayList.cpp
+fun:*nsDisplayOpacity*ShouldFlattenAway*
+# Code in modules/libpref/Preferences.cpp
+fun:*pref_InitInitialObjects*
+# Code in netwerk/base/nsIOService.cpp
+fun:*nsIOService*GetCachedProtocolHandler*
+# Code in layout/style/nsCSSRuleProcessor.cpp
+fun:*0nsCSSRuleProcessor@@*
+fun:*nsCSSRuleProcessor*ClearSheets*
+fun:*TreeMatchContext*InitAncestors*
+fun:*TreeMatchContext*InitStyleScopes*
+# Code in layout/xul/nsXULPopupManager.cpp
+fun:*nsXULPopupManager*AdjustPopupsOnWindowChange*
+# Code in dom/base/nsDocument.cpp
+fun:*1nsDocument@@*
+# Code in gfx/layers/ipc/CompositorBridgeChild.cpp
+fun:*CompositorBridgeChild*Destroy*
+# Code in gfx/layers/ipc/ImageBridgeChild.cpp
+fun:*ImageBridgeChild*ShutdownStep1*
+# Code in dom/base/nsGlobalWindow.cpp
+fun:*nsGlobalWindow*ClearControllers*
+# Code in layout/style/AnimationCollection.cpp
+fun:*AnimationCollection*PropertyDtor*
+# Code in layout/style/nsStyleSet.cpp
+fun:*nsStyleSet*AddImportantRules*
+fun:*nsStyleSet*CounterStyleRuleForName*
+
+
+### Misc overflows
+
+# Hot function in protobuf producing overflows
+fun:*CodedInputStream*ReadTagWithCutoff*
+
+
+# SQLite3 is full of overflows :/
+src:*/db/sqlite3/src/sqlite3.c
+
+# zlib has some overflows, we can't deal with them right now
+src:*/modules/zlib/src/*
+
+# Our LZ4 implementation uses overflows. By listing it here we might
+# miss some unintended overflows in that implementation, but we can't
+# check for it right now.
+src:*/mfbt/lz4.c
+
+# Apparently this overflows a lot, because it contains some allocators
+# that keep overflowing, not sure why. Disabling by function didn't seem
+# to work here for operator new.
+src:*/xpcom/ds/nsArrayEnumerator.cpp
+
+# Memory usage reporting code in gfx/thebes/gfxASurface.cpp
+# We probably don't care about the frequent overflows there.
+fun:*SurfaceMemoryReporter*AdjustUsedMemory*
+
+# Frequent overflower in gfx/thebes/gfxFontEntry.cpp
+fun:*WeightDistance*
+
+# Another frequent overflower
+fun:*nsTObserverArray_base*AdjustIterators*
+
+# Overflows in Skia
+fun:*SkPathRef*makeSpace*
+fun:*SkPathRef*resetToSize*
+
+# Expat Parser has some overflows
+fun:*nsExpatDriver*ConsumeToken*
+
+# Frequent overflowers in harfbuzz
+fun:*hb_in_range*
+fun:*OT*collect_glyphs*
+
+# These look like harmless layouting-related overflows
+src:*/gfx/cairo/libpixman/src/pixman-region.c
+
+# Sorting code in layout/style/nsCSSProps.cpp that probably doesn't
+# care about overflows.
+fun:*SortPropertyAndCount*
+
+# Code in ipc/chromium/src/base/file_path.cc where a function returns -1
+# being cast to unsigned and then overflowed.
+fun:*FilePath*Append*
+fun:*FilePath*StripTrailingSeparatorsInternal*
+
+# Code in dom/base/nsJSEnvironment.cpp
+fun:*FireForgetSkippable*
+
+# Code in gfx/thebes/gfxSkipChars.h
+fun:*gfxSkipCharsIterator*AdvanceSkipped*
+
+# Code in gfx/thebes/gfxScriptItemizer.cpp
+fun:*gfxScriptItemizer*fixup*
+fun:*gfxScriptItemizer*push*
+
+# Code in dom/base/nsDocument.cpp
+fun:*nsDocument*BlockOnload*
+
+# Code in layout/base/nsCSSFrameConstructor.cpp
+fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem*
+
+# Code in nsprpub/lib/ds/plarena.c doing ptrdiffs
+fun:*PL_ArenaRelease*
+
+# This file contains a bunch of arithmetic operations on timestamps that
+# apparently are allowed to overflow.
+src:*/src/widget/SystemTimeConverter.h
+
+# Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics
+fun:*Frame*FindNext*
+
+# Code in netwerk/base/nsStandardURL.cpp,
+# these methods return signed but the subtraction is first performed unsigned
+fun:*nsStandardURL*ReplaceSegment*
+
+# Code in netwerk/protocol/http/nsHttpChannel.cpp
+# same as previous with the previous entry.
+fun:*nsHttpChannel*ReportNetVSCacheTelemetry*
+
+# Code in layout/tables/nsCellMap.cpp
+# again subtraction then cast to signed.
+fun:*nsTableCellMap*GetColInfoAt*
+
+# Code in layout/generic/nsTextFrame.cpp
+# again subtraction then cast to signed.
+fun:*nsTextFrame*CharacterDataChanged*
+
+# Not sure what is going on in this file, but it doesn't look
+# related to what we are looking for.
+src:*/xpcom/base/CountingAllocatorBase.h
+
+# Code in dom/base/nsDOMNavigationTiming.cpp
+# Timestamp related, probably expecting the overflow
+fun:*nsDOMNavigationTiming*TimeStampToDOM*
+
+# Several unsigned arithmetic operations with -1
+src:*/hal/HalWakeLock.cpp
+
+# Code in layout/generic/nsGfxScrollFrame.cpp that produces
+# somewhat frequent signed integer overflows. Probably harmless
+# because it's layout code.
+fun:*ClampAndAlignWithPixels*
+
+# Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp
+fun:*ClockResolutionNs*
+
+# This header has all sorts of operators that do post-operation
+# overflow and underflow checking, triggering frequent reports
+src:*/mozglue/misc/TimeStamp.h
+
+#
+# Various hashing functions, both regular and cryptographic ones
+#
+src:*/dom/canvas/MurmurHash3.cpp
+src:*/gfx/skia/skia/include/private/SkChecksum.h
+src:*/HashFunctions.h
+src:*/intl/icu/source/common/unifiedcache.h
+src:*/mfbt/SHA1.cpp
+src:*/modules/zlib/src/adler32.c
+src:*/netwerk/cache/nsDiskCacheDevice.cpp
+src:*/netwerk/cache2/CacheHashUtils.cpp
+src:*/netwerk/sctp/src/netinet/sctp_sha1.c
+src:*/netwerk/srtp/src/crypto/hash/sha1.c
+src:*/netwerk/sctp/src/netinet/sctp_sha1.c
+src:*/nsprpub/lib/ds/plhash.c
+src:*/security/manager/ssl/md4.c
+src:*/security/nss/lib/dbm/src/h_func.c
+src:*/security/nss/lib/freebl/sha512.c
+src:*/security/nss/lib/freebl/md5.c
+src:*/XorShift128PlusRNG.h
+src:*/xpcom/ds/PLDHashTable.cpp
+
+# Hash/Cache function in Skia
+fun:*GradientShaderCache*Build32bitCache*
+
+# Hash function in js/public/Utility.h
+fun:ScrambleHashCode*
+
+# Hashing functions in Cairo
+fun:*_hash_matrix_fnv*
+fun:*_hash_mix_bits*
+fun:*_cairo_hash_string*
+fun:*_cairo_hash_bytes*
+
+# Hash function in modules/libjar/nsZipArchive.cpp
+fun:*HashName*
+
+# intl code hashing functions
+fun:*ustr_hash*CharsN*
+fun:*hashEntry*
+
+# harfbuzz hash/digest functions
+fun:*hb_set_digest_lowest_bits_t*
+
+# Hash function in gfx
+fun:*gfxFontStyle*Hash*
+
+# expat uses a CHAR_HASH macro in several places that causes
+# a high amount of overflows. We should try finding a better
+# way to disable this rather than blacklisting the whole thing.
+src:*/parser/expat/*

build/sanitizers/ubsan_suppressions.txt

@@ -0,0 +1,15 @@
+# This list contains runtime suppression entries for any issues reported
+# by UndefinedBehaviorSanitizer (UBSan). Unlike the compile-time blacklists,
+# this list allows us to blacklist source code files and functions only for
+# specific checks performed by UBSan.
+#
+# Example:
+#
+# signed-integer-overflow:file-with-known-overflow.cpp
+# alignment:function_doing_unaligned_access
+# vptr:shared_object_with_vptr_failures.so
+#
+# Since runtime suppressions are much more expensive than compile-time
+# blacklisting, this list should not be used for frequent issues but rather
+# only for sporadic warnings that have already been checked and confirmed
+# to not be bugs.

mfbt/Attributes.h

@@ -223,6 +223,30 @@
 #  define MOZ_TSAN_BLACKLIST /* nothing */
 #endif
 
+/*
+ * The MOZ_NO_SANITIZE_* family of macros is an annotation based on a more recently
+ * introduced Clang feature that allows disabling various sanitizer features for
+ * the particular function, including those from UndefinedBehaviorSanitizer.
+ */
+
+#if defined(__has_attribute)
+#  if __has_attribute(no_sanitize)
+#    define MOZ_HAVE_NO_SANITIZE_ATTR
+#  endif
+#endif
+
+#if defined(MOZ_HAVE_NO_SANITIZE_ATTR)
+#  define MOZ_NO_SANITIZE_UINT_OVERFLOW __attribute__((no_sanitize("unsigned-integer-overflow")))
+#  define MOZ_NO_SANITIZE_INT_OVERFLOW __attribute__((no_sanitize("signed-integer-overflow")))
+#else
+#  define MOZ_NO_SANITIZE_UINT_OVERFLOW /* nothing */
+#  define MOZ_NO_SANITIZE_INT_OVERFLOW /* nothing */
+#endif
+
+
+#undef MOZ_HAVE_NO_SANITIZE_ATTR
+
+
 /**
  * MOZ_ALLOCATOR tells the compiler that the function it marks returns either a
  * "fresh", "pointer-free" block of memory, or nullptr. "Fresh" means that the

python/mozbuild/mozbuild/mozinfo.py

@@ -85,6 +85,7 @@ def build_dict(config, env=os.environ):
     d['stylo'] = substs.get('MOZ_STYLO_ENABLE') == '1'
     d['asan'] = substs.get('MOZ_ASAN') == '1'
     d['tsan'] = substs.get('MOZ_TSAN') == '1'
+    d['ubsan'] = substs.get('MOZ_UBSAN') == '1'
     d['telemetry'] = substs.get('MOZ_TELEMETRY_REPORTING') == '1'
     d['tests_enabled'] = substs.get('ENABLE_TESTS') == "1"
     d['bin_suffix'] = substs.get('BIN_SUFFIX', '')

testing/mochitest/moz.build

@@ -37,6 +37,7 @@ TEST_HARNESS_FILES.testing.mochitest += [
     '/build/mobile/remoteautomation.py',
     '/build/pgo/server-locations.txt',
     '/build/sanitizers/lsan_suppressions.txt',
+    '/build/sanitizers/ubsan_suppressions.txt',
     '/build/valgrind/cross-architecture.sup',
     '/build/valgrind/i386-redhat-linux-gnu.sup',
     '/build/valgrind/x86_64-redhat-linux-gnu.sup',

testing/mochitest/runtests.py

@@ -1575,12 +1575,18 @@ toolbar#nav-bar {
         else:
             lsanPath = None
 
+        if mozinfo.info["ubsan"]:
+            ubsanPath = SCRIPT_DIR
+        else:
+            ubsanPath = None
+
         browserEnv = self.environment(
             xrePath=options.xrePath,
             env=env,
             debugger=debugger,
             dmdPath=options.dmdPath,
-            lsanPath=lsanPath)
+            lsanPath=lsanPath,
+            ubsanPath=ubsanPath)
 
         if hasattr(options, "topsrcdir"):
             browserEnv["MOZ_DEVELOPER_REPO_DIR"] = options.topsrcdir

testing/mozbase/mozrunner/mozrunner/utils.py

@@ -82,7 +82,7 @@ def _raw_log():
 
 
 def test_environment(xrePath, env=None, crashreporter=True, debugger=False,
-                     dmdPath=None, lsanPath=None, log=None):
+                     dmdPath=None, lsanPath=None, ubsanPath=None, log=None):
     """
     populate OS environment variables for mochitest and reftests.
 
@@ -227,6 +227,21 @@ def test_environment(xrePath, env=None, crashreporter=True, debugger=False,
             log.info("TEST-UNEXPECTED-FAIL | runtests.py | Failed to find TSan"
                      " symbolizer at %s" % llvmsym)
 
+    ubsan = bool(mozinfo.info.get("ubsan"))
+    if ubsan and (mozinfo.isLinux or mozinfo.isMac):
+        if ubsanPath:
+            log.info("UBSan enabled.")
+            ubsanOptions = []
+            suppressionsFile = os.path.join(
+                ubsanPath, 'ubsan_suppressions.txt')
+            if os.path.exists(suppressionsFile):
+                log.info("UBSan using suppression file " + suppressionsFile)
+                ubsanOptions.append("suppressions=" + suppressionsFile)
+            else:
+                log.info("WARNING | runtests.py | UBSan suppressions file"
+                         " does not exist! " + suppressionsFile)
+            env["UBSAN_OPTIONS"] = ':'.join(ubsanOptions)
+
     return env