Introduced in:
8aeca4fa64
Shipping in glib 2.63.5 (available in Debian experimental)
Thanks to @padenot for the suggestion!
Differential Revision: https://phabricator.services.mozilla.com/D63451
--HG--
extra : moz-landing-system : lando
This removes `nsAutoPtr` usage from ipc/. security/ failed to build due to missing includes so I fixed that as well. IDB was using `ThreadLocal` from ipc which had a member changed to a `UniquePtr` so needed to be updated as well. localstorage was missing some includes.
Differential Revision: https://phabricator.services.mozilla.com/D63745
--HG--
extra : moz-landing-system : lando
Upstream patch:
6bd491daaf%5E%21/#F0
_sifields is a glibc-internal field, and is not available on musl
libc. Instead, use the public-facing fields si_call_addr, si_syscall,
and si_arch, if they are available.
Differential Revision: https://phabricator.services.mozilla.com/D61051
--HG--
extra : moz-landing-system : lando
This was done by:
This was done by applying:
```
diff --git a/python/mozbuild/mozbuild/code-analysis/mach_commands.py b/python/mozbuild/mozbuild/code-analysis/mach_commands.py
index 789affde7bbf..fe33c4c7d4d1 100644
--- a/python/mozbuild/mozbuild/code-analysis/mach_commands.py
+++ b/python/mozbuild/mozbuild/code-analysis/mach_commands.py
@@ -2007,7 +2007,7 @@ class StaticAnalysis(MachCommandBase):
from subprocess import Popen, PIPE, check_output, CalledProcessError
diff_process = Popen(self._get_clang_format_diff_command(commit), stdout=PIPE)
- args = [sys.executable, clang_format_diff, "-p1", "-binary=%s" % clang_format]
+ args = [sys.executable, clang_format_diff, "-p1", "-binary=%s" % clang_format, '-sort-includes']
if not output_file:
args.append("-i")
```
Then running `./mach clang-format -c <commit-hash>`
Then undoing that patch.
Then running check_spidermonkey_style.py --fixup
Then running `./mach clang-format`
I had to fix four things:
* I needed to move <utility> back down in GuardObjects.h because I was hitting
obscure problems with our system include wrappers like this:
0:03.94 /usr/include/stdlib.h:550:14: error: exception specification in declaration does not match previous declaration
0:03.94 extern void *realloc (void *__ptr, size_t __size)
0:03.94 ^
0:03.94 /home/emilio/src/moz/gecko-2/obj-debug/dist/include/malloc_decls.h:53:1: note: previous declaration is here
0:03.94 MALLOC_DECL(realloc, void*, void*, size_t)
0:03.94 ^
0:03.94 /home/emilio/src/moz/gecko-2/obj-debug/dist/include/mozilla/mozalloc.h:22:32: note: expanded from macro 'MALLOC_DECL'
0:03.94 MOZ_MEMORY_API return_type name##_impl(__VA_ARGS__);
0:03.94 ^
0:03.94 <scratch space>:178:1: note: expanded from here
0:03.94 realloc_impl
0:03.94 ^
0:03.94 /home/emilio/src/moz/gecko-2/obj-debug/dist/include/mozmemory_wrap.h:142:41: note: expanded from macro 'realloc_impl'
0:03.94 #define realloc_impl mozmem_malloc_impl(realloc)
Which I really didn't feel like digging into.
* I had to restore the order of TrustOverrideUtils.h and related files in nss
because the .inc files depend on TrustOverrideUtils.h being included earlier.
* I had to add a missing include to RollingNumber.h
* Also had to partially restore include order in JsepSessionImpl.cpp to avoid
some -WError issues due to some static inline functions being defined in a
header but not used in the rest of the compilation unit.
Differential Revision: https://phabricator.services.mozilla.com/D60327
--HG--
extra : moz-landing-system : lando
rg -l 'mozilla/Move.h' | xargs sed -i 's/#include "mozilla\/Move.h"/#include <utility>/g'
Further manual fixups and cleanups to the include order incoming.
Differential Revision: https://phabricator.services.mozilla.com/D60323
--HG--
extra : moz-landing-system : lando
Bug 1603999 changed the environment so that whether you can enter the chroot is
passed as the first character in the environment variable. This caused all
content processes that don't enter the chroot to crash. This can happen
trivially with any sandbox level < 4.
Differential Revision: https://phabricator.services.mozilla.com/D57927
--HG--
extra : moz-landing-system : lando
This changeset is a simple find and replace of `MOZ_FALLTHROUGH` and `[[fallthrough]]`.
Unfortunately, the MOZ_FALLTHROUGH_ASSERT macro (to assert on case fallthrough in debug builds) is still necessary after switching from [[clang::fallthrough]] to [[fallthrough]] because:
* MOZ_ASSERT(false) followed by [[fallthrough]] triggers a -Wunreachable-code warning in DEBUG builds
* but MOZ_ASSERT(false) without [[fallthrough]] triggers a -Wimplicit-fallthrough warning in NDEBUG builds.
Differential Revision: https://phabricator.services.mozilla.com/D56440
--HG--
extra : moz-landing-system : lando
- make the fork server use the same sandbox level as content processes to make preloading work correctly.
- pass |canChroot| through env instead of hard coding.
Differential Revision: https://phabricator.services.mozilla.com/D57221
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
Fix:
/var/lib/jenkins/workspace/firefox-clang-lld-last/security/sandbox/chromium/base/time/time.h:796:18: error: implicit conversion from 'long' to 'double' changes value from 922337203
return value > std::numeric_limits<int64_t>::max()
~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upstream code is very different now (uses some saturated_cast):
https://chromium.googlesource.com/chromium/src/base/+/master/time/time.h#846
Differential Revision: https://phabricator.services.mozilla.com/D43786
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
When launching a sandboxed child process that uses `firefox.exe`, we now
perform early initialization of the DLL blocklist.
Differential Revision: https://phabricator.services.mozilla.com/D53679
--HG--
extra : moz-landing-system : lando
This is generally pretty straightforward, and rewrites nearly all calls. It
skips the ones that it can detect using frame script globals like
`sendAsyncMessage`, though.
Differential Revision: https://phabricator.services.mozilla.com/D53740
--HG--
extra : moz-landing-system : lando
The inclusions were removed with the following very crude script and the
resulting breakage was fixed up by hand. The manual fixups did either
revert the changes done by the script, replace a generic header with a more
specific one or replace a header with a forward declaration.
find . -name "*.idl" | grep -v web-platform | grep -v third_party | while read path; do
interfaces=$(grep "^\(class\|interface\).*:.*" "$path" | cut -d' ' -f2)
if [ -n "$interfaces" ]; then
if [[ "$interfaces" == *$'\n'* ]]; then
regexp="\("
for i in $interfaces; do regexp="$regexp$i\|"; done
regexp="${regexp%%\\\|}\)"
else
regexp="$interfaces"
fi
interface=$(basename "$path")
rg -l "#include.*${interface%%.idl}.h" . | while read path2; do
hits=$(grep -v "#include.*${interface%%.idl}.h" "$path2" | grep -c "$regexp" )
if [ $hits -eq 0 ]; then
echo "Removing ${interface} from ${path2}"
grep -v "#include.*${interface%%.idl}.h" "$path2" > "$path2".tmp
mv -f "$path2".tmp "$path2"
fi
done
fi
done
Differential Revision: https://phabricator.services.mozilla.com/D55444
--HG--
extra : moz-landing-system : lando
When launching a sandboxed child process that uses `firefox.exe`, we now
perform early initialization of the DLL blocklist.
Differential Revision: https://phabricator.services.mozilla.com/D53679
--HG--
extra : moz-landing-system : lando
With a fork server, the parameters to fork a new content process are
passed through a socket. This patch does following tasks to adapt
sandbox to work with a fork server,
- passing a FD of a chroot server,
- passing flags of SandboxFork, and
- setting LaunchOptions and its fork_delegate field at a fork server.
Depends on D46878
Differential Revision: https://phabricator.services.mozilla.com/D46879
--HG--
extra : moz-landing-system : lando
With a fork server, the parameters to fork a new content process are
passed through a socket. This patch does following tasks to adapt
sandbox to work with a fork server,
- passing a FD of a chroot server,
- passing flags of SandboxFork, and
- setting LaunchOptions and its fork_delegate field at a fork server.
Depends on D46878
Differential Revision: https://phabricator.services.mozilla.com/D46879
--HG--
extra : moz-landing-system : lando
This function works on all GeckoProcessTypes, not just those for child
processes.
Differential Revision: https://phabricator.services.mozilla.com/D54375
--HG--
extra : moz-landing-system : lando
This function works on all GeckoProcessTypes, not just those for child
processes.
Differential Revision: https://phabricator.services.mozilla.com/D54375
--HG--
extra : moz-landing-system : lando
The clockid_t type on Linux has a space of values with encode a pid and
refer to various measures of another process's CPU usage; clock_getres
would, thereby, allow probing whether other processes exist. This is
a relatively small information leak into the sandboxes, but there's no
reason to allow it.
Differential Revision: https://phabricator.services.mozilla.com/D54081
--HG--
extra : moz-landing-system : lando
The `clockid_t` type on Linux has a space of values which encode a pid
and allow measuring the CPU usage of other processes; we don't want to
allow sandboxed processes to do that.
Differential Revision: https://phabricator.services.mozilla.com/D54080
--HG--
extra : moz-landing-system : lando
It seems newer glibc versions implement nanosleep() in terms of
clock_nanosleep(), which broke the profiler due to the sandbox rules
whitelisting the former but not the later.
Unfortunate that the profiler will fail in old Firefox versions though... :/
Differential Revision: https://phabricator.services.mozilla.com/D53879
--HG--
extra : moz-landing-system : lando
Sylvestre Ledru
Eric Rahm
Michael Froman
Emilio Cobos Álvarez
David Major
Gian-Carlo Pascutto
Nika Layzell
Michael Forney
Bob Owen
Chris Peterson
Thinker Li
Kris Maglione
Mark Banner
shindli
Noemi Erli
Daniel Varga
Aaron Klotz
Gabriele Svelto
Bogdan Tara
Haik Aftandilian
Andrew McCreight
Coroiu Cristina
Jed Davis