Commit graph

1670 commits

Author SHA1 Message Date
Chris Martin 190ac22f48 Bug 1770098 - Disable Win32k Lockdown with incompatible mitigations r=handyman,Gankra
Differential Revision: https://phabricator.services.mozilla.com/D148962
2022-06-16 14:05:00 +00:00
Jed Davis c807158580 Bug 1770905 - Allow GeckoMediaPlugin processes on Linux to be profiled if memfd_create is available. r=gcp,mstange,media-playback-reviewers,padenot
There are two parts to this patch; both affect only Linux:

1. The GMP sandbox policy is adjusted to allow certain syscalls used in
   shared memory creation (ftruncate and fallocate).  However, the file
   broker is not used; the process still has no access to files in /dev/shm.

2. The profiler is not initialized for GMP processes unless memfd_create
   is available (so the process can create shared memory to send
   profiling data back, without filesystem access), or the GMP sandbox
   is disabled (either at runtime or build time).

As of this patch, profiling GMP processes on Linux should succeed on
distros with kernel >=3.17 (Oct. 2014), but native stack frames won't
have symbols (and may be incorrectly unwound, not that it matters much
without symbols); see the bug for more info.  Pseudo-stack frames and
markers should work, however.

Differential Revision: https://phabricator.services.mozilla.com/D148470
2022-06-15 20:55:24 +00:00
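
An added example, not part of the commit above or of Mozilla's code: how a process can obtain shared memory using only `memfd_create` and `ftruncate`, with no file under `/dev/shm`, and how a caller can tell "unavailable" apart from a real error. The names `anon_shm_create`, `shm_round_trip` and the `SHM_*` codes are hypothetical; the second mapping stands in for a receiver that was handed the descriptor over IPC.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif

/* Hypothetical result codes for this example. */
enum { SHM_ERROR = -1, SHM_UNAVAILABLE = 0, SHM_OK = 1 };

/* Create and size an anonymous shared-memory descriptor. Only memfd_create
 * and ftruncate are used; no path in the filesystem is ever opened. */
static int anon_shm_create(size_t size) {
#ifdef SYS_memfd_create
  int fd = (int)syscall(SYS_memfd_create, "example-shm", MFD_CLOEXEC);
  if (fd < 0) return -1; /* errno is ENOSYS on kernels without the syscall */
  if (ftruncate(fd, (off_t)size) != 0) {
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
  }
  return fd;
#else
  (void)size;
  errno = ENOSYS;
  return -1;
#endif
}

/* Write msg through one mapping and read it back through a second,
 * read-only mapping of the same descriptor. Returns an SHM_* code. */
int shm_round_trip(const char *msg, char *out, size_t outlen) {
  size_t len = strlen(msg) + 1;
  if (len > outlen) return SHM_ERROR;

  int fd = anon_shm_create(len);
  if (fd < 0) return errno == ENOSYS ? SHM_UNAVAILABLE : SHM_ERROR;

  int rc = SHM_ERROR;
  char *w = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
  char *r = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
  if (w != MAP_FAILED && r != MAP_FAILED) {
    memcpy(w, msg, len); /* producer side */
    memcpy(out, r, len); /* consumer side sees the same pages */
    rc = SHM_OK;
  }
  if (w != MAP_FAILED) munmap(w, len);
  if (r != MAP_FAILED) munmap(r, len);
  close(fd);
  return rc;
}

int main(void) {
  char buf[64];
  /* Constructed sample payload. */
  int rc = shm_round_trip("constructed profiling sample", buf, sizeof buf);
  if (rc == SHM_OK)
    printf("shared memory round trip: %s\n", buf);
  else if (rc == SHM_UNAVAILABLE)
    puts("memfd_create unavailable: do not start the profiler");
  else
    perror("shm_round_trip");
  return rc == SHM_ERROR;
}
```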
Jed Davis c4d1df3cf7 Bug 1770905 - Quietly reject `readlink` in the Linux GeckoMediaPlugin sandbox. r=gcp
The profiler may try to readlink `/proc/self/exe` to determine the
executable name; currently, its attempt to get information about loaded
objects is broken for other reasons, so this isn't helpful.  Thus, this
patch has it fail with `EINVAL` (meaning "not a symbolic link") instead of
being treated as unexpected.

(In the future, if we need to, we could simulate that syscall by
recording the target of `/proc/self/exe` before sandboxing, and
recognizing that specific case in a trap function.)

Differential Revision: https://phabricator.services.mozilla.com/D148469
2022-06-15 20:55:23 +00:00
Jed Davis 09be260cd3 Bug 1772142 - Fix the RDD sandbox to deal with Snap moving some config files. r=gcp
In the Snap environment, some system config files aren't in their usual
places, but rather in a subtree rooted at `$SNAP/gnome-platform`,
which seems to also be `$SNAP_DESKTOP_RUNTIME`.  This includes some
subdirectories of `/usr/share` that we need for EGL to work.

This could probably also have been fixed in the Snap packaging, given
that [Mozilla's][] and [Ubuntu's][] specs both put `/usr/share/libdrm`
back into its normal location, but for now it's easiest to adjust
the sandbox, given that (I think?) anything under `$SNAP` is public
information so we lose nothing by allowing read access.  (See also bug
1732580.)

[Mozilla's]: https://searchfox.org/mozilla-central/rev/973000acec0cbf7211e0fad89ca00c352aeb8384/taskcluster/docker/firefox-snap/firefox.snapcraft.yaml.in#50-52
[Ubuntu's]: https://git.launchpad.net/~mozilla-snaps/firefox-snap/+git/firefox-snap/tree/snapcraft.yaml?id=a24fb4a3f92d190299e4126ecc4132087c2aed3d#n85

Differential Revision: https://phabricator.services.mozilla.com/D148925
2022-06-10 19:03:55 +00:00
Alexandre Lissy b1026facbf Bug 1772053 - Enable dynamic code disable mitigations only on Windows 10 1703+ r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D148502
2022-06-07 16:26:44 +00:00
Sylvestre Ledru 42f6811d95 Bug 1519636 - Reformat recent changes to the Google coding style r=andi,media-playback-reviewers,necko-reviewers,padenot,dragana
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D148375
2022-06-07 12:32:55 +00:00
Jed Davis b1826e7b68 Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp
The patch for bug 1769499 lets the RDD process create a headless EGL
context using GBM, which needs access only to the GPU device files, not
the display server.  This means that the X11 access recently added in
bug 1769182 can be turned back off.

Differential Revision: https://phabricator.services.mozilla.com/D147792
2022-06-01 16:42:53 +00:00
Alexandre Lissy 0d2e553991 Bug 1770703 - Duplicated ioctl() case when building with MOZ_ASAN r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D147057
2022-05-23 09:51:28 +00:00
Bob Owen 45b8231a42 Bug 1769845 p2: Back out changeset 6afde8456771. r=handyman
This transferred sandbox mitigations directly into child process memory, which
may have caused issues with some security software.

Depends on D146930

Differential Revision: https://phabricator.services.mozilla.com/D146931
2022-05-23 07:53:41 +00:00
Bob Owen b48aea26d9 Bug 1769845 p1: Use command line to pass whether win32k is locked down in policy. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D146930
2022-05-23 07:53:41 +00:00
Alexandre Lissy 74b64ad41e Bug 1769616 - Error(ENOSYS) for set_mempolicy() on Content and Utility AudioDecoder r=jld
Differential Revision: https://phabricator.services.mozilla.com/D146833
2022-05-21 00:01:28 +00:00
Alexandre Lissy cd689b44aa Bug 1769033 - Add OpenBSD sandboxing support r=gaston
Differential Revision: https://phabricator.services.mozilla.com/D146568
2022-05-20 08:25:04 +00:00
Jed Davis 73a294a2b8 Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.).  It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., `getpwuid`).

Differential Revision: https://phabricator.services.mozilla.com/D146275
2022-05-19 17:02:33 +00:00
Jed Davis 6798385a35 Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The `AddDriPaths` function already has some of the dependencies in a
conveniently separated form, but there are others.)

Differential Revision: https://phabricator.services.mozilla.com/D146274
2022-05-19 17:02:32 +00:00
Jed Davis c4f9ff3229 Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC.  So, this patch allows them in
all process types instead of only content.

Differential Revision: https://phabricator.services.mozilla.com/D146273
2022-05-19 17:02:32 +00:00
Jed Davis cf0f678eb8 Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy.  This moves it into the common
policy, and subclasses can opt in.

Differential Revision: https://phabricator.services.mozilla.com/D146272
2022-05-19 17:02:31 +00:00
Jed Davis 034ed27337 Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.

Differential Revision: https://phabricator.services.mozilla.com/D146271
2022-05-19 17:02:31 +00:00
Alexandre Lissy 4684b3ea07 Bug 1769992 - Enable Win32K Lockdown for Windows10 Fall Creators+ r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D146716
2022-05-18 15:57:10 +00:00
Alexandre Lissy f74882d83e Bug 1769748 - Disable dynamic code mitigation on MinGW64 builds r=bobowen
Depends on D146639

Differential Revision: https://phabricator.services.mozilla.com/D146640
2022-05-18 14:16:57 +00:00
Iulian Moraru cf3fad08ff Backed out 5 changesets (bug 1769182) for causing mochitest failures on browser_sandbox_test.js. CLOSED TREE
Backed out changeset f5b71a28f28b (bug 1769182)
Backed out changeset 7a64faec004f (bug 1769182)
Backed out changeset c7833370362a (bug 1769182)
Backed out changeset b91adae9bb59 (bug 1769182)
Backed out changeset cf7bb9b7414d (bug 1769182)
2022-05-14 05:20:37 +03:00
Jed Davis accee09e1b Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.).  It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., `getpwuid`).

Differential Revision: https://phabricator.services.mozilla.com/D146275
2022-05-14 00:42:56 +00:00
Jed Davis 79e1be12f4 Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The `AddDriPaths` function already has some of the dependencies in a
conveniently separated form, but there are others.)

Differential Revision: https://phabricator.services.mozilla.com/D146274
2022-05-14 00:42:56 +00:00
Jed Davis c92c41aa71 Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC.  So, this patch allows them in
all process types instead of only content.

Differential Revision: https://phabricator.services.mozilla.com/D146273
2022-05-14 00:42:56 +00:00
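
An added example, not part of the commit above or of Mozilla's code: the subset relationship the message relies on, shown by writing `send`/`sendto` and `recv`/`recvfrom` as the `sendmsg`/`recvmsg` calls they are special cases of (one iovec, optional address, no ancillary data) and checking that each form interoperates with the plain call. The wrapper names and `subset_demo` are hypothetical, and the payloads are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* sendto() as sendmsg(): one iovec, optional destination, no control data.
 * send() is the same call with to == NULL. */
static ssize_t sendto_via_sendmsg(int fd, const void *buf, size_t len, int flags,
                                  const struct sockaddr *to, socklen_t tolen) {
  struct iovec iov = { (void *)buf, len };
  struct msghdr msg;
  memset(&msg, 0, sizeof msg);
  msg.msg_name = (void *)to;
  msg.msg_namelen = to ? tolen : 0;
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  return sendmsg(fd, &msg, flags);
}

/* recvfrom() as recvmsg(); recv() is the same call with from == NULL. */
static ssize_t recvfrom_via_recvmsg(int fd, void *buf, size_t len, int flags,
                                    struct sockaddr *from, socklen_t *fromlen) {
  struct iovec iov = { buf, len };
  struct msghdr msg;
  memset(&msg, 0, sizeof msg);
  msg.msg_name = from;
  msg.msg_namelen = (from && fromlen) ? *fromlen : 0;
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  ssize_t n = recvmsg(fd, &msg, flags);
  if (n >= 0 && fromlen) *fromlen = msg.msg_namelen;
  return n;
}

/* Returns 1 if the plain calls and their *msg forms interoperate in both
 * directions, 0 if any step differs, -1 if the socket pair cannot be made. */
int subset_demo(void) {
  int sv[2];
  if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;

  const char a[] = "constructed-message-A";
  const char b[] = "constructed-message-B";
  char got[64];

  /* && short-circuits, so a failed send never leads to a blocking receive. */
  int ok =
      /* plain send() is received by the recvmsg form */
      send(sv[0], a, sizeof a, 0) == (ssize_t)sizeof a &&
      recvfrom_via_recvmsg(sv[1], got, sizeof got, 0, NULL, NULL) ==
          (ssize_t)sizeof a &&
      memcmp(got, a, sizeof a) == 0 &&
      /* the sendmsg form is received by plain recv() */
      sendto_via_sendmsg(sv[0], b, sizeof b, 0, NULL, 0) == (ssize_t)sizeof b &&
      recv(sv[1], got, sizeof got, 0) == (ssize_t)sizeof b &&
      memcmp(got, b, sizeof b) == 0;

  close(sv[0]);
  close(sv[1]);
  return ok;
}

int main(void) {
  printf("send/recv expressible as sendmsg/recvmsg: %s\n",
         subset_demo() == 1 ? "yes" : "no");
  return 0;
}
```

The reverse does not hold: `sendmsg`/`recvmsg` can also carry ancillary data and multiple buffers, so a policy that already permits them gains no new capability by also permitting the four narrower calls.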
Jed Davis 9e9f783fb4 Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy.  This moves it into the common
policy, and subclasses can opt in.

Differential Revision: https://phabricator.services.mozilla.com/D146272
2022-05-14 00:42:55 +00:00
Jed Davis 5b1c92943d Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.

Differential Revision: https://phabricator.services.mozilla.com/D146271
2022-05-14 00:42:55 +00:00
Alexandre Lissy 86b699e35f Bug 1768665 - Extend linux sandbox Utility for PGO on try with PR_GET_PDEATHSIG r=jld
Differential Revision: https://phabricator.services.mozilla.com/D146200
2022-05-13 08:10:38 +00:00
Nika Layzell b8bbcfbc33 Bug 1769124 - Require Recv methods to return IPCResult, r=ipc-reviewers,mccr8
Differential Revision: https://phabricator.services.mozilla.com/D146243
2022-05-13 02:20:23 +00:00
Bob Owen f2a9df286a Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin
Depends on D145872

Differential Revision: https://phabricator.services.mozilla.com/D145873
2022-05-10 06:07:17 +00:00
Bob Owen f606488912 Bug 1768014 p1: Transfer mitigations to sandboxed child process. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D145872
2022-05-10 06:07:16 +00:00
Chris Peterson 8c5719edb5 Bug 1767947 - Fix macOS build error on aarch64. r=mac-reviewers,tnikkel
To fix this build error:

ERROR -  /builds/worker/fetches/clang/lib/clang/14.0.1/include/xmmintrin.h:14:2: error: "This header is only meant to be used on x86 and x64 architecture"

Wrap #include "emmintrin.h" with (the relevant subset of) the same #ifdefs nsRect.h uses here:

https://searchfox.org/mozilla-central/rev/bf243bc817f97b0bb74af710bd9d874370468e8b/gfx/src/nsRect.h#19-26

Differential Revision: https://phabricator.services.mozilla.com/D145685
2022-05-06 03:29:52 +00:00
Chris Peterson 51164d0dcf Bug 1767881 - Fix non-unified build error in security/sandbox/common. r=haik
#including ApplicationServices.h within `namespace ApplicationServices` indirectly causes emmintrin.h to also be #included in namespace ApplicationServices in non-unified builds.

In file included from security/sandbox/common/test/SandboxTestingChild.cpp:12:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/mozilla/ipc/UtilityProcessChild.h:10:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/mozilla/ipc/UtilityAudioDecoderParent.h:9:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/ipc/ipdl/_ipdlheaders/mozilla/PRemoteDecoderManagerParent.h:23:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/PlatformDecoderModule.h:23:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/mozilla/layers/KnowsCompositor.h:10:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/mozilla/layers/LayersTypes.h:14:
In file included from objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/Units.h:19:
objdir-x86_64-apple-darwin21.4.0-clang-mozbuild/dist/include/nsRect.h:294:26: error: unknown type name '__m128i'; did you mean 'ApplicationServices::__m128i'?
static MOZ_ALWAYS_INLINE __m128i floor_ps2epi32(__m128 x) {
                         ^~~~~~~
                         ApplicationServices::__m128i
/Users/chris/.mozbuild/clang/lib/clang/14.0.1/include/emmintrin.h:20:19: note: 'ApplicationServices::__m128i' declared here
typedef long long __m128i __attribute__((__vector_size__(16), __aligned__(16)));

Differential Revision: https://phabricator.services.mozilla.com/D145516
2022-05-05 04:00:58 +00:00
Mike Hommey 2d6c8fdbc6 Bug 1766561 - Adjust UTF-16 string formatting. r=nika
With MOZ_FORMAT_PRINTF annotations, the compiler expects a wchar_t*, and
it won't automatically consider char16ptr_t to be compatible with that.

While handling strings, there's one case of formatting that doesn't need
to use %S at all.

Differential Revision: https://phabricator.services.mozilla.com/D144919
2022-05-03 20:49:09 +00:00
Mike Hommey 12df1ed1b6 Bug 1766561 - Use %lu for Windows Error types (DWORD). r=rkraesig,xpcom-reviewers,application-update-reviewers,mhowell,bobowen,necko-reviewers,keeler,media-playback-reviewers,bytesized,barret,alwu,kershaw
Differential Revision: https://phabricator.services.mozilla.com/D144914
2022-05-03 20:49:07 +00:00
Mike Hommey 028ad1b883 Bug 1766377 - Fix remaining sign-compare warnings in Windows builds. r=rkraesig,gsvelto,media-playback-reviewers,gfx-reviewers,bryce,sotaro
browser/components/shell/WindowsUserChoice.cpp(233,23): error: comparison of integers of different signs: 'int' and 'const size_t' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
    for (int j = 0; j < DWORDS_PER_BLOCK; ++j) {
                    ~ ^ ~~~~~~~~~~~~~~~~
browser/components/shell/WindowsUserChoice.cpp(388,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(exts); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~
browser/components/shell/nsWindowsShellService.cpp(1225,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(shortcutCSIDLs); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
browser/components/shell/nsWindowsShellService.cpp(1492,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(folders); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~
dom/media/platforms/wmf/MFTDecoder.cpp(85,23): error: comparison of integers of different signs: 'int' and 'UINT32' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 1; i < actsNum; i++) {
                    ~ ^ ~~~~~~~
gfx/2d/Factory.cpp(1276,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int y = 0; y < height; y++) {
                  ~ ^ ~~~~~~
gfx/layers/d3d11/CompositorD3D11.cpp(1096,36): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
        swapDesc.BufferDesc.Height == mSize.height) ||
        ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~
gfx/layers/d3d11/CompositorD3D11.cpp(1095,35): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
  if (((swapDesc.BufferDesc.Width == mSize.width &&
        ~~~~~~~~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~
gfx/layers/d3d11/TextureD3D11.cpp(1278,30): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
          currentDesc.Height != mSize.height ||
          ~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~
gfx/layers/d3d11/TextureD3D11.cpp(1277,29): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
      if (currentDesc.Width != mSize.width ||
          ~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~
gfx/layers/ipc/ContentCompositorBridgeParent.cpp(248,19): error: comparison of integers of different signs: 'const uint32_t' (aka 'const unsigned int') and 'int32_t' (aka 'int') [-Werror,-Wsign-compare]
  if (sequenceNum == status.sequenceNumber() && !dm->HasDeviceReset()) {
      ~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(129,21): error: comparison of integers of different signs: 'int' and 'unsigned int' [-Werror,-Wsign-compare]
    if (resultColor != 0xffffff00) {
        ~~~~~~~~~~~ ^  ~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(154,23): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
    for (int i = 0; i < PR_ARRAY_SIZE(checkModules); i += 1) {
                    ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(409,14): error: comparison of integers of different signs: 'int32_t' (aka 'int') and 'UINT' (aka 'unsigned int') [-Werror,-Wsign-compare]
  if (vendor != desc.VendorId) {
      ~~~~~~ ^  ~~~~~~~~~~~~~
gfx/thebes/gfxDWriteFontList.cpp(1248,39): error: comparison of integers of different signs: 'unsigned int' and 'int' [-Werror,-Wsign-compare]
        addFamily(names[index], index != sysLocIndex);
                                ~~~~~ ^  ~~~~~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(121,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int i = 0; i < aLength; ++i) {
                  ~ ^ ~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(132,23): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 0; i < aLength; ++i) {
                    ~ ^ ~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(138,23): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 0; i < aLength; ++i) {
                    ~ ^ ~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(319,26): error: comparison of integers of different signs: 'std::basic_string<char>::size_type' (aka 'unsigned long long') and 'int' [-Werror,-Wsign-compare]
    while (line.length() > whitespace &&
           ~~~~~~~~~~~~~ ^ ~~~~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(1003,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 1; i < noPlaceholderSpans.length(); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(1708,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < dataLen / (2 * sizeof(double)); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/sandbox/chromium-shim/sandbox/win/permissionsService.cpp(40,16): error: comparison of integers of different signs: 'int' and 'const std::basic_string<wchar_t>::size_type' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
  if (slashIdx != std::wstring::npos) {
      ~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~
toolkit/components/aboutthirdparty/tests/gtest/TestAboutThirdParty.cpp(107,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kDirectoriesUnsorted); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/breakpad-client/windows/crash_generation/crash_generation_server.cc(957,23): error: comparison of integers of different signs: 'int' and 'const size_t' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
    for (int i = 0; i < kExceptionAppMemoryRegions; i++) {
                    ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(373,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(kDefaultAttachedBottom) / sizeof(UINT); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(671,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(controls) / sizeof(controls[0]); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(1048,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(kDefaultAttachedBottom) / sizeof(UINT); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/mozapps/defaultagent/SetDefaultBrowser.cpp(248,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < mozilla::ArrayLength(associations); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/system/windowsproxy/ProxyUtils.cpp(27,36): error: comparison of integers of different signs: 'const int' and 'nsTArray_base::size_type' (aka 'unsigned long long') [-Werror,-Wsign-compare]
                             if (i < addr.Length()) {
                                 ~ ^ ~~~~~~~~~~~~~
toolkit/xre/dllservices/mozglue/interceptor/Arm64.h(178,28): error: comparison of integers of different signs: 'int32_t' (aka 'int') and 'unsigned int' [-Werror,-Wsign-compare]
  if (signbits && signbits != 0xFE000000) {
                  ~~~~~~~~ ^  ~~~~~~~~~~
obj-build/dist/include/gtest/gtest.h(1842,54): note: expanded from macro 'EXPECT_EQ'
  EXPECT_PRED_FORMAT2(::testing::internal::EqHelper::Compare, val1, val2)
                                                     ^
obj-build/dist/include/gtest/gtest.h(1354,11): error: comparison of integers of different signs: 'const unsigned int' and 'const int' [-Werror,-Wsign-compare]
  if (lhs == rhs) {
      ~~~ ^  ~~~
obj-build/dist/include/gtest/gtest.h(1373,12): note: in instantiation of function template specialization 'testing::internal::CmpHelperEQ<unsigned int, int>' requested here
    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
           ^
toolkit/xre/dllservices/tests/gtest/TestUntrustedModules.cpp(35,5): note: in instantiation of function template specialization 'testing::internal::EqHelper::Compare<unsigned int, int, nullptr>' requested here
    EXPECT_EQ(mCounters.Count(), N);
    ^
obj-build/dist/include/gtest/gtest.h(1842,54): note: expanded from macro 'EXPECT_EQ'
  EXPECT_PRED_FORMAT2(::testing::internal::EqHelper::Compare, val1, val2)
                                                     ^
toolkit/xre/dllservices/tests/gtest/TestUntrustedModules.cpp(210,28): note: in instantiation of function template specialization 'ModuleLoadCounter::Remains<1>' requested here
    EXPECT_TRUE(waitForOne.Remains({kTestModules[0]}, {0}));
                           ^
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(139,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(151,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(164,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
obj-build/dist/include/gtest/gtest.h(1354,11): error: comparison of integers of different signs: 'const int' and 'const unsigned long long' [-Werror,-Wsign-compare]
  if (lhs == rhs) {
      ~~~ ^  ~~~
obj-build/dist/include/gtest/gtest.h(1373,12): note: in instantiation of function template specialization 'testing::internal::CmpHelperEQ<int, unsigned long long>' requested here
    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
           ^
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(138,3): note: in instantiation of function template specialization 'testing::internal::EqHelper::Compare<int, unsigned long long, nullptr>' requested here
  EXPECT_EQ(len, ArrayLength(kExpectedArgsW));
  ^
widget/windows/TSFTextStore.cpp(3455,28): error: comparison of integers of different signs: 'uint32_t' (aka 'unsigned int') and 'long' [-Werror,-Wsign-compare]
          range.mEndOffset == end - mComposition->StartOffset() &&
          ~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
widget/windows/TSFTextStore.cpp(3454,30): error: comparison of integers of different signs: 'uint32_t' (aka 'unsigned int') and 'long' [-Werror,-Wsign-compare]
      if (range.mStartOffset == start - mComposition->StartOffset() &&
          ~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
xpfe/appshell/AppWindow.cpp(1900,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int i = 0; i < toolbarSprings->Length(); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~

Differential Revision: https://phabricator.services.mozilla.com/D144695
2022-04-29 09:14:12 +00:00
Norisz Fay 6e06e2da92 Backed out 4 changesets (bug 1766377) for causing mochitest failures on HyperTextAccessible.cpp CLOSED TREE
Backed out changeset 6335511477a4 (bug 1766377)
Backed out changeset e8108d6fab9f (bug 1766377)
Backed out changeset 80d16d55c490 (bug 1766377)
Backed out changeset 1a6583d6e52e (bug 1766377)
2022-04-29 07:35:11 +03:00
Mike Hommey 9cd056be1e Bug 1766377 - Fix remaining sign-compare warnings in Windows builds. r=rkraesig,gsvelto,media-playback-reviewers,gfx-reviewers,bryce,sotaro
browser/components/shell/WindowsUserChoice.cpp(233,23): error: comparison of integers of different signs: 'int' and 'const size_t' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
    for (int j = 0; j < DWORDS_PER_BLOCK; ++j) {
                    ~ ^ ~~~~~~~~~~~~~~~~
browser/components/shell/WindowsUserChoice.cpp(388,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(exts); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~
browser/components/shell/nsWindowsShellService.cpp(1225,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(shortcutCSIDLs); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
browser/components/shell/nsWindowsShellService.cpp(1492,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(folders); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~
dom/media/platforms/wmf/MFTDecoder.cpp(85,23): error: comparison of integers of different signs: 'int' and 'UINT32' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 1; i < actsNum; i++) {
                    ~ ^ ~~~~~~~
gfx/2d/Factory.cpp(1276,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int y = 0; y < height; y++) {
                  ~ ^ ~~~~~~
gfx/layers/d3d11/CompositorD3D11.cpp(1096,36): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
        swapDesc.BufferDesc.Height == mSize.height) ||
        ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~
gfx/layers/d3d11/CompositorD3D11.cpp(1095,35): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
  if (((swapDesc.BufferDesc.Width == mSize.width &&
        ~~~~~~~~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~
gfx/layers/d3d11/TextureD3D11.cpp(1278,30): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
          currentDesc.Height != mSize.height ||
          ~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~
gfx/layers/d3d11/TextureD3D11.cpp(1277,29): error: comparison of integers of different signs: 'UINT' (aka 'unsigned int') and 'int' [-Werror,-Wsign-compare]
      if (currentDesc.Width != mSize.width ||
          ~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~
gfx/layers/ipc/ContentCompositorBridgeParent.cpp(248,19): error: comparison of integers of different signs: 'const uint32_t' (aka 'const unsigned int') and 'int32_t' (aka 'int') [-Werror,-Wsign-compare]
  if (sequenceNum == status.sequenceNumber() && !dm->HasDeviceReset()) {
      ~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(129,21): error: comparison of integers of different signs: 'int' and 'unsigned int' [-Werror,-Wsign-compare]
    if (resultColor != 0xffffff00) {
        ~~~~~~~~~~~ ^  ~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(154,23): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
    for (int i = 0; i < PR_ARRAY_SIZE(checkModules); i += 1) {
                    ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
gfx/thebes/D3D11Checks.cpp(409,14): error: comparison of integers of different signs: 'int32_t' (aka 'int') and 'UINT' (aka 'unsigned int') [-Werror,-Wsign-compare]
  if (vendor != desc.VendorId) {
      ~~~~~~ ^  ~~~~~~~~~~~~~
gfx/thebes/gfxDWriteFontList.cpp(1248,39): error: comparison of integers of different signs: 'unsigned int' and 'int' [-Werror,-Wsign-compare]
        addFamily(names[index], index != sysLocIndex);
                                ~~~~~ ^  ~~~~~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(121,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int i = 0; i < aLength; ++i) {
                  ~ ^ ~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(132,23): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 0; i < aLength; ++i) {
                    ~ ^ ~~~~~~~
intl/lwbrk/nsUniscribeBreaker.cpp(138,23): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
    for (int i = 0; i < aLength; ++i) {
                    ~ ^ ~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(319,26): error: comparison of integers of different signs: 'std::basic_string<char>::size_type' (aka 'unsigned long long') and 'int' [-Werror,-Wsign-compare]
    while (line.length() > whitespace &&
           ~~~~~~~~~~~~~ ^ ~~~~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(1003,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 1; i < noPlaceholderSpans.length(); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
mozglue/misc/PreXULSkeletonUI.cpp(1708,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < dataLen / (2 * sizeof(double)); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/sandbox/chromium-shim/sandbox/win/permissionsService.cpp(40,16): error: comparison of integers of different signs: 'int' and 'const std::basic_string<wchar_t>::size_type' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
  if (slashIdx != std::wstring::npos) {
      ~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~
toolkit/components/aboutthirdparty/tests/gtest/TestAboutThirdParty.cpp(107,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kDirectoriesUnsorted); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/breakpad-client/windows/crash_generation/crash_generation_server.cc(957,23): error: comparison of integers of different signs: 'int' and 'const size_t' (aka 'const unsigned long long') [-Werror,-Wsign-compare]
    for (int i = 0; i < kExceptionAppMemoryRegions; i++) {
                    ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(373,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(kDefaultAttachedBottom) / sizeof(UINT); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(671,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(controls) / sizeof(controls[0]); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/crashreporter/client/crashreporter_win.cpp(1048,21): error: comparison of integers of different signs: 'int' and 'unsigned long long' [-Werror,-Wsign-compare]
  for (int i = 0; i < sizeof(kDefaultAttachedBottom) / sizeof(UINT); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/mozapps/defaultagent/SetDefaultBrowser.cpp(248,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < mozilla::ArrayLength(associations); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/system/windowsproxy/ProxyUtils.cpp(27,36): error: comparison of integers of different signs: 'const int' and 'nsTArray_base::size_type' (aka 'unsigned long long') [-Werror,-Wsign-compare]
                             if (i < addr.Length()) {
                                 ~ ^ ~~~~~~~~~~~~~
toolkit/xre/dllservices/mozglue/interceptor/Arm64.h(178,28): error: comparison of integers of different signs: 'int32_t' (aka 'int') and 'unsigned int' [-Werror,-Wsign-compare]
  if (signbits && signbits != 0xFE000000) {
                  ~~~~~~~~ ^  ~~~~~~~~~~
obj-build/dist/include/gtest/gtest.h(1842,54): note: expanded from macro 'EXPECT_EQ'
  EXPECT_PRED_FORMAT2(::testing::internal::EqHelper::Compare, val1, val2)
                                                     ^
obj-build/dist/include/gtest/gtest.h(1354,11): error: comparison of integers of different signs: 'const unsigned int' and 'const int' [-Werror,-Wsign-compare]
  if (lhs == rhs) {
      ~~~ ^  ~~~
obj-build/dist/include/gtest/gtest.h(1373,12): note: in instantiation of function template specialization 'testing::internal::CmpHelperEQ<unsigned int, int>' requested here
    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
           ^
toolkit/xre/dllservices/tests/gtest/TestUntrustedModules.cpp(35,5): note: in instantiation of function template specialization 'testing::internal::EqHelper::Compare<unsigned int, int, nullptr>' requested here
    EXPECT_EQ(mCounters.Count(), N);
    ^
obj-build/dist/include/gtest/gtest.h(1842,54): note: expanded from macro 'EXPECT_EQ'
  EXPECT_PRED_FORMAT2(::testing::internal::EqHelper::Compare, val1, val2)
                                                     ^
toolkit/xre/dllservices/tests/gtest/TestUntrustedModules.cpp(210,28): note: in instantiation of function template specialization 'ModuleLoadCounter::Remains<1>' requested here
    EXPECT_TRUE(waitForOne.Remains({kTestModules[0]}, {0}));
                           ^
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(139,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(151,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(164,21): error: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long long') [-Werror,-Wsign-compare]
  for (int i = 0; i < ArrayLength(kExpectedArgsW); ++i) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
obj-build/dist/include/gtest/gtest.h(1354,11): error: comparison of integers of different signs: 'const int' and 'const unsigned long long' [-Werror,-Wsign-compare]
  if (lhs == rhs) {
      ~~~ ^  ~~~
obj-build/dist/include/gtest/gtest.h(1373,12): note: in instantiation of function template specialization 'testing::internal::CmpHelperEQ<int, unsigned long long>' requested here
    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
           ^
toolkit/xre/test/gtest/TestAssembleCommandLineWin.cpp(138,3): note: in instantiation of function template specialization 'testing::internal::EqHelper::Compare<int, unsigned long long, nullptr>' requested here
  EXPECT_EQ(len, ArrayLength(kExpectedArgsW));
  ^
widget/windows/TSFTextStore.cpp(3455,28): error: comparison of integers of different signs: 'uint32_t' (aka 'unsigned int') and 'long' [-Werror,-Wsign-compare]
          range.mEndOffset == end - mComposition->StartOffset() &&
          ~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
widget/windows/TSFTextStore.cpp(3454,30): error: comparison of integers of different signs: 'uint32_t' (aka 'unsigned int') and 'long' [-Werror,-Wsign-compare]
      if (range.mStartOffset == start - mComposition->StartOffset() &&
          ~~~~~~~~~~~~~~~~~~ ^  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
xpfe/appshell/AppWindow.cpp(1900,21): error: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Werror,-Wsign-compare]
  for (int i = 0; i < toolbarSprings->Length(); i++) {
                  ~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~

Differential Revision: https://phabricator.services.mozilla.com/D144695
2022-04-29 00:43:32 +00:00
Bob Owen 09a4cd7a93 Bug 1760340: Re-allow forward slashes in windows sandbox file system policy rules. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D144849
2022-04-27 19:27:28 +00:00
Alexandre Lissy c49495fe2e Bug 1765372 - Enable Arbitrary Code Guard for Utility processes r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D144607
2022-04-27 14:05:42 +00:00
Jed Davis 272d93bb18 Bug 1759196 - Fix the Linux sandbox's handling of 32-bit arguments on 64-bit platforms. r=gcp,bobowen
Background: When 32-bit types are passed in registers on x86-64 (and
probably other platforms?), the function call ABI does not specify the
contents of the upper half, and the Linux kernel syscall ABI appears to
have the same behavior.

In practice, the upper half is usually zero (or maybe sign-extended from
the lower half), because 64-bit operations aren't cheaper than 32-bit,
and 32-bit operations zero-extend their outputs; therefore, this case
usually doesn't happen in the first place, and any kind of spill or
register move will zero the upper half.  However, arbitrary values are
possible, and a case like this has occurred with the Firefox profiler
using `clock_gettime`.  (This paragraph is applicable to x86-64 and
ARM64; other 64-bit architectures may behave differently.)

But the Chromium seccomp-bpf compiler, when testing the value of a 32-bit
argument on a 64-bit platform, requires that the value be zero-extended
or sign-extended, and (incorrectly, as far as I can tell) considers
anything else an ABI violation.

With this patch, when that case is detected, we use the `SIGSYS` handler
to zero-extend the problematic argument and re-issue the syscall.

(It would also be possible to just ignore the upper half, and that would
be faster, but that could lead to subtle security holes if the type
used in `bpf_dsl` is incorrect and the kernel really does treat it as
64-bit.)

Differential Revision: https://phabricator.services.mozilla.com/D143964
2022-04-22 02:00:51 +00:00
Norisz Fay 2accd3d077 Backed out changeset f177a4875b01 (bug 1759196) for causing build bustages on Unified_cpp_sandbox_common0.o CLOSED TREE 2022-04-22 00:29:44 +03:00
Jed Davis f8d698d203 Bug 1759196 - Fix the Linux sandbox's handling of 32-bit arguments on 64-bit platforms. r=gcp,bobowen
Background: When 32-bit types are passed in registers on x86-64 (and
probably other platforms?), the function call ABI does not specify the
contents of the upper half, and the Linux kernel syscall ABI appears to
have the same behavior.

In practice, the upper half is usually zero (or maybe sign-extended from
the lower half), because 64-bit operations aren't cheaper than 32-bit,
and 32-bit operations zero-extend their outputs; therefore, this case
usually doesn't happen in the first place, and any kind of spill or
register move will zero the upper half.  However, arbitrary values are
possible, and a case like this has occurred with the Firefox profiler
using `clock_gettime`.  (This paragraph is applicable to x86-64 and
ARM64; other 64-bit architectures may behave differently.)

But the Chromium seccomp-bpf compiler, when testing the value of a 32-bit
argument on a 64-bit platform, requires that the value be zero-extended
or sign-extended, and (incorrectly, as far as I can tell) considers
anything else an ABI violation.

With this patch, when that case is detected, we use the `SIGSYS` handler
to zero-extend the problematic argument and re-issue the syscall.

(It would also be possible to just ignore the upper half, and that would
be faster, but that could lead to subtle security holes if the type
used in `bpf_dsl` is incorrect and the kernel really does treat it as
64-bit.)

Differential Revision: https://phabricator.services.mozilla.com/D143964
2022-04-21 21:09:52 +00:00
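The argument check and the `SIGSYS` fixup described in the Bug 1759196 message above, as a small C model; this is an added example, not code from the Firefox or Chromium sandbox. All function and enum names are hypothetical, the one-value allow policy and the sample register value are constructed, and `issued` stands for the value the kernel would be handed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; every name below is hypothetical, not sandbox code. */
enum arg_class { ARG_ZERO_EXT, ARG_SIGN_EXT, ARG_DIRTY_UPPER };
enum verdict { V_ALLOW, V_DENY, V_ABI_TRAP };

/* Inspect the two 32-bit halves separately, as a BPF filter must. */
static enum arg_class classify_arg32(uint64_t raw) {
  uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
  if (hi == 0) return ARG_ZERO_EXT;
  if (hi == UINT32_MAX && (lo & 0x80000000u)) return ARG_SIGN_EXT;
  return ARG_DIRTY_UPPER; /* upper half is neither 0 nor sign bits */
}

/* Strict check: a dirty upper half is reported, not silently accepted. */
static enum verdict strict_filter(uint64_t raw, uint32_t allowed) {
  if (classify_arg32(raw) == ARG_DIRTY_UPPER) return V_ABI_TRAP;
  return (uint32_t)raw == allowed ? V_ALLOW : V_DENY;
}

/* Model of the fix: on a trap, zero-extend the argument and evaluate the
 * re-issued call. *issued receives the value the kernel would be given. */
static enum verdict filter_with_fixup(uint64_t raw, uint32_t allowed,
                                      uint64_t *issued) {
  *issued = raw;
  enum verdict v = strict_filter(raw, allowed);
  if (v == V_ABI_TRAP) {
    *issued = raw & 0xFFFFFFFFull;
    v = strict_filter(*issued, allowed);
  }
  return v;
}

/* The faster alternative: compare only the lower half, pass raw through. */
static enum verdict lax_filter(uint64_t raw, uint32_t allowed,
                               uint64_t *issued) {
  *issued = raw;
  return (uint32_t)raw == allowed ? V_ALLOW : V_DENY;
}

int main(void) {
  uint64_t dirty = 0xDEADBEEF00000001ull; /* constructed sample value */
  uint64_t a, b;
  int v1 = filter_with_fixup(dirty, 1, &a), v2 = lax_filter(dirty, 1, &b);
  printf("fixup: verdict=%d issued=%#llx\n", v1, (unsigned long long)a);
  printf("lax:   verdict=%d issued=%#llx\n", v2, (unsigned long long)b);
  return 0;
}
```

With the constructed value both variants allow the call, but only the fixup path hands the kernel the same value the filter compared; the lax path passes the unchecked upper half through, which matters if the kernel reads the argument as 64-bit.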
Alexandre Lissy 6c9eea0512 Bug 1765371 - Enable CET for all Utility processes r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D144031
2022-04-20 08:21:26 +00:00
Jed Davis 4c7e799c68 Bug 1762540 - Crash normally, instead of killing the calling thread, for certain sandbox errors. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D143722
2022-04-16 02:36:00 +00:00
Alexandre Lissy e21d4968c8 Bug 1755316 - Add Utility AudioDecoder Sandbox test r=jld,haik
Differential Revision: https://phabricator.services.mozilla.com/D141471
2022-04-07 10:04:52 +00:00
Alexandre Lissy 57f891080f Bug 1755316 - Perform audio decoding on PUtilityAudioDecoder r=alwu,nika,jld,bobowen,haik
Differential Revision: https://phabricator.services.mozilla.com/D139593
2022-04-07 10:04:51 +00:00
Kagami Sascha Rosylight 14f4e64763 Bug 1635428 - Part 2: Allow access to MOZ_DEVELOPER_REPO_DIR on dev builds r=bobowen
Differential Revision: https://phabricator.services.mozilla.com/D112286
2022-04-06 15:59:33 +00:00
Akihiko Odaki 96f94f32bf Bug 1761203 - Add all files in DRI device directories r=jld
Intel Media Driver 2021Q4 Release - 22.1.1 depends on the
following files in the PCI device directory: driver, irq,
and resource according to:
https://github.com/intel/media-driver/blob/intel-media-22.1.1/cmrtlib/linux/hardware/drm_device.h#L548-L654

Listing such files needed by libraries is too fragile against
variations so add all files in the PCI device directory.

Differential Revision: https://phabricator.services.mozilla.com/D142054
2022-04-06 01:31:50 +00:00
Kagami Sascha Rosylight 1e83450022 Bug 1635428 - Part 1: Move mozilla::IsDevelopmentBuild to Omnijar.h r=mccr8
Differential Revision: https://phabricator.services.mozilla.com/D142569
2022-03-31 23:36:25 +00:00
criss ea772f6e4b Backed out changeset 3cef8943e0c6 (bug 1635428) for causing build bustages on nsMacUtilsImpl.cpp. CLOSED TREE 2022-04-01 01:39:33 +03:00
Kagami Sascha Rosylight 7913ea573c Bug 1635428 - Part 1: Move mozilla::IsDevelopmentBuild to Omnijar.h r=mccr8
Differential Revision: https://phabricator.services.mozilla.com/D142569
2022-03-31 22:05:55 +00:00