# This file contains an extensive compile-time blacklist for silencing highly # frequent *un*signed integer overflows in our codebase, found by the use of # -fsanitize=unsigned-integer-overflow. Such overflows are not necessarily # bugs -- unsigned integer overflow has well-defined semantics in C/C++. But # overflow may still be *unexpected* and incorrectly handled, so we try to # annotate those places where unsigned overflow is correct and desired. # # The rules in this file are applied at compile time; changes to this list # usually require a full rebuild to apply. If you can modify the source in # question to exempt specific functions using MOZ_NO_SANITIZE_UNSIGNED_OVERFLOW, # do that instead. # # The extensive number of entries below is for two reasons. # # First, compiler instrumentation for unsigned integer overflows has a cost, at # compile time and at runtime. In places where code expects and depends upon # overflow behavior -- and especially in performance-critical code -- it makes # sense to turn off overflow detection to avoid both costs. (Indeed, # -fsanitize=signed-integer-overflow is unusably slow without this.) # # Second, many entries here are overly aggressive to get the build into a state # that allows any testing to happen at all. Some of the entries here are for # issues that are highly frequent in our test suites -- over 500 times per run. # Aggressive entries now let us start using this mode, without having to first # fix wide swaths of existing code. # # Entries should be removed 1) as issues are fixed; and 2) as blacklist entries # can be moved out of this centralized file, into source-level blacklist # attributes on individual functions. # All entries in this file are to suppress unsigned-integer-overflow problems. # Blacklists for other reasons should go in separate blacklist files. [unsigned-integer-overflow] # Overflows in the C++ std headers aren't necessarily bugs, because code inside # a language implementation can depend on compiler-specific behavior where C/C++ # leave the behavior undefined. src:*bits/basic_string.h # Assume everything running through CheckedInt.h is ok. The CheckedInt class # casts signed integers to unsigned first and then does a post-overflow # check causing lots of unsigned integer overflow messages. src:*/CheckedInt.h # Exclude bignum src:*/mfbt/double-conversion/source/bignum.cc # Exclude anything within gtests src:*/gtest/* # The JS engine has a lot of code doing all sorts of overflows. This code # is pretty well tested though and excluding it here will allow us to go # for other, less tested code. Ideally, we would include the JS engine here # at some point. src:*/js/src/* src:*/js/public/* src:*/js/*.h src:*/jsfriendapi.h # Atomics can overflow, but without a full stack we can't trace these back # to what is actually causing the overflow. Ignoring these for now, as it will # be too much effort to determine every single source here. src:*/mfbt/Atomics.h # No reason to instrument certain parts of NSS that explicitely deal with # arithmetics and crypto. src:*/security/nss/lib/freebl/mpi/* src:*/security/nss/lib/freebl/ecl/* # nsTArray_base::ShiftData performs overflows fun:*nsTArray_base*ShiftData* ### Frequent 0 - 1 overflows # # We have several code patterns in our codebase that cause these overflows, # but they are typically all harmless and could be filtered easily at runtime. # However, some of them are so frequent that suppressing them at compile-time # makes sense to increase runtime performance. # src:*/netwerk/base/nsSocketTransportService2.cpp src:*/nsCharTraits.h # Code in xpcom/base/CycleCollectedJSContext.cpp fun:*CycleCollectedJSContext*ProcessMetastableStateQueue* # Code in layout/painting/nsDisplayList.cpp fun:*nsDisplayOpacity*ShouldFlattenAway* # Code in modules/libpref/Preferences.cpp fun:*pref_InitInitialObjects* # Code in netwerk/base/nsIOService.cpp fun:*nsIOService*GetCachedProtocolHandler* # Code in layout/xul/nsXULPopupManager.cpp fun:*nsXULPopupManager*AdjustPopupsOnWindowChange* # Code in dom/base/nsDocument.cpp fun:*1nsDocument@@* # Code in gfx/layers/ipc/CompositorBridgeChild.cpp fun:*CompositorBridgeChild*Destroy* # Code in gfx/layers/ipc/ImageBridgeChild.cpp fun:*ImageBridgeChild*ShutdownStep1* # Code in dom/base/nsGlobalWindow.cpp fun:*nsGlobalWindow*ClearControllers* # Code in layout/style/AnimationCollection.cpp fun:*AnimationCollection*PropertyDtor* # Code in layout/style/nsStyleSet.cpp fun:*nsStyleSet*AddImportantRules* fun:*nsStyleSet*CounterStyleRuleForName* ### Misc overflows # Hot function in protobuf producing overflows fun:*CodedInputStream*ReadTagWithCutoff* # SQLite3 is full of overflows :/ src:*/third_party/sqlite3/src/sqlite3.c # zlib has some overflows, we can't deal with them right now src:*/modules/zlib/src/* # Our LZ4 implementation uses overflows. By listing it here we might # miss some unintended overflows in that implementation, but we can't # check for it right now. src:*/mfbt/lz4/* # Apparently this overflows a lot, because it contains some allocators # that keep overflowing, not sure why. Disabling by function didn't seem # to work here for operator new. src:*/xpcom/ds/nsArrayEnumerator.cpp # Memory usage reporting code in gfx/thebes/gfxASurface.cpp # We probably don't care about the frequent overflows there. fun:*SurfaceMemoryReporter*AdjustUsedMemory* # Frequent overflower in gfx/thebes/gfxFontEntry.cpp fun:*WeightDistance* # Another frequent overflower fun:*nsTObserverArray_base*AdjustIterators* # Overflows in Skia fun:*SkPathRef*makeSpace* fun:*SkPathRef*resetToSize* # Expat Parser has some overflows fun:*nsExpatDriver*ConsumeToken* # Frequent overflowers in harfbuzz fun:*hb_in_range* fun:*OT*collect_glyphs* # These look like harmless layouting-related overflows src:*/gfx/cairo/libpixman/src/pixman-region.c # Code in ipc/chromium/src/base/file_path.cc where a function returns -1 # being cast to unsigned and then overflowed. fun:*FilePath*Append* fun:*FilePath*StripTrailingSeparatorsInternal* # Code in dom/base/nsJSEnvironment.cpp fun:*FireForgetSkippable* # Code in gfx/thebes/gfxSkipChars.h fun:*gfxSkipCharsIterator*AdvanceSkipped* # Code in gfx/thebes/gfxScriptItemizer.cpp fun:*gfxScriptItemizer*fixup* fun:*gfxScriptItemizer*push* # Code in dom/base/nsDocument.cpp fun:*nsDocument*BlockOnload* # Code in layout/base/nsCSSFrameConstructor.cpp fun:*nsCSSFrameConstructor*FrameConstructionItemList*AdjustCountsForItem* # Code in nsprpub/lib/ds/plarena.c doing ptrdiffs fun:*PL_ArenaRelease* # This file contains a bunch of arithmetic operations on timestamps that # apparently are allowed to overflow. src:*/src/widget/SystemTimeConverter.h # Code in dom/media/flac/FlacDemuxer.cpp purposely uses overflowing arithmetics fun:*Frame*FindNext* # Code in netwerk/base/nsStandardURL.cpp, # these methods return signed but the subtraction is first performed unsigned fun:*nsStandardURL*ReplaceSegment* # Code in netwerk/protocol/http/nsHttpChannel.cpp # same as previous with the previous entry. fun:*nsHttpChannel*ReportNetVSCacheTelemetry* # Code in layout/tables/nsCellMap.cpp # again subtraction then cast to signed. fun:*nsTableCellMap*GetColInfoAt* # Code in layout/generic/nsTextFrame.cpp # again subtraction then cast to signed. fun:*nsTextFrame*CharacterDataChanged* # Not sure what is going on in this file, but it doesn't look # related to what we are looking for. src:*/xpcom/base/CountingAllocatorBase.h # Code in dom/base/nsDOMNavigationTiming.cpp # Timestamp related, probably expecting the overflow fun:*nsDOMNavigationTiming*TimeStampToDOM* # Several unsigned arithmetic operations with -1 src:*/hal/HalWakeLock.cpp # Code in layout/generic/nsGfxScrollFrame.cpp that produces # somewhat frequent signed integer overflows. Probably harmless # because it's layout code. fun:*ClampAndAlignWithPixels* # Likely benign overflow in mozglue/misc/TimeStamp_posix.cpp fun:*ClockResolutionNs* # This header has all sorts of operators that do post-operation # overflow and underflow checking, triggering frequent reports src:*/mozglue/misc/TimeStamp.h # # Various hashing functions, both regular and cryptographic ones # src:*/dom/canvas/MurmurHash3.cpp src:*/gfx/skia/skia/include/private/SkChecksum.h src:*/intl/icu/source/common/unifiedcache.h src:*/mfbt/SHA1.cpp src:*/modules/zlib/src/adler32.c src:*/netwerk/cache/nsDiskCacheDevice.cpp src:*/netwerk/cache2/CacheHashUtils.cpp src:*/netwerk/sctp/src/netinet/sctp_sha1.c src:*/netwerk/srtp/src/crypto/hash/sha1.c src:*/netwerk/sctp/src/netinet/sctp_sha1.c src:*/nsprpub/lib/ds/plhash.c src:*/security/manager/ssl/md4.c src:*/security/nss/lib/dbm/src/h_func.c src:*/security/nss/lib/freebl/sha512.c src:*/security/nss/lib/freebl/md5.c src:*/xpcom/ds/PLDHashTable.cpp # Hash/Cache function in Skia fun:*GradientShaderCache*Build32bitCache* # Hashing functions in Cairo fun:*_hash_matrix_fnv* fun:*_hash_mix_bits* fun:*_cairo_hash_string* fun:*_cairo_hash_bytes* # intl code hashing functions fun:*ustr_hash*CharsN* fun:*hashEntry* # harfbuzz hash/digest functions fun:*hb_set_digest_lowest_bits_t* # Hash function in gfx fun:*gfxFontStyle*Hash* # expat uses a CHAR_HASH macro in several places that causes # a high amount of overflows. We should try finding a better # way to disable this rather than blacklisting the whole thing. src:*/parser/expat/*