In is_ubsan_security builds, add fsanitize=vptr at gn level, not flag level
Before this change, is_ubsan_security=true explicitly added
-fsanitize=vptr to cflags.
After this change, is_ubsan_security=true instead makes is_ubsan_vptr
default to true, which adds the -fsanitize=vptr flag via the
ubsan_vptr_flags config.
This has the following advantages:
1. ubsan_vptr_flags adds -fsanitize-blacklist=$ubsan_vptr_blacklist_path
too, so tools/ubsan/security_blacklist.txt no longer needs to contain
a copy of that file. Instead, is_ubsan_security=true builds now
use both tools/ubsan/security_blacklist.txt and
tools/ubsan/vptr_blacklist.txt.
2. Targets that use default_sanitizer_flags_but_ubsan_vptr don't get
a -fsanitize=vptr flag in is_ubsan_security, which fixes the linked
bug (see patch set 2 on the review for a different approach that has
only this effect).
3. If you wanted, you could now set
`is_ubsan_security=true is_ubsan_vptr=false` to get a build with
the ubsan security flags without vptr.
Bug: 1185181
Change-Id: Ic907752b495ce4497970e33bdf0bf1fde1128274
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2785568
Auto-Submit: Nico Weber <thakis@chromium.org>
Commit-Queue: Jonathan Metzman <metzman@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#866747}
diff --git a/build/config/sanitizers/BUILD.gn b/build/config/sanitizers/BUILD.gn
index f90b331..bc2717c8 100644
--- a/build/config/sanitizers/BUILD.gn
+++ b/build/config/sanitizers/BUILD.gn
@@ -495,7 +495,6 @@
"-fsanitize=shift",
"-fsanitize=signed-integer-overflow",
"-fsanitize=vla-bound",
- "-fsanitize=vptr",
"-fsanitize-blacklist=$ubsan_security_blacklist_path",
]
}
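Review bot: With `-fsanitize=vptr` dropped from this list, `ubsan_security_flags` enables the vptr check only when the `ubsan_vptr_flags` config is also applied, which per the commit message now happens through `is_ubsan_vptr` defaulting to `is_ubsan_security`. A one-line comment in this config, along the lines of `# vptr checking comes from ubsan_vptr_flags via is_ubsan_vptr, not from here.`, would keep the next reader from re-adding the flag and reintroducing the duplicated-blacklist problem this change removes.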
diff --git a/build/config/sanitizers/sanitizers.gni b/build/config/sanitizers/sanitizers.gni
index 39d197c..cf9c5081 100644
--- a/build/config/sanitizers/sanitizers.gni
+++ b/build/config/sanitizers/sanitizers.gni
@@ -37,9 +37,6 @@
# Compile for Undefined Behaviour Sanitizer's null pointer checks.
is_ubsan_null = false
- # Compile for Undefined Behaviour Sanitizer's vptr checks.
- is_ubsan_vptr = false
-
# Track where uninitialized memory originates from. From fastest to slowest:
# 0 - no tracking, 1 - track only the initial allocation site, 2 - track the
# chain of stores leading from allocation site to use site.
@@ -124,6 +121,9 @@
# TODO(krasin): remove this, when we're ready to add these checks by default.
# https://crbug.com/626794
use_cfi_cast = is_cfi && (is_chromeos_ash || is_chromeos_lacros)
+
+ # Compile for Undefined Behaviour Sanitizer's vptr checks.
+ is_ubsan_vptr = is_ubsan_security
}
# Disable sanitizers for non-target toolchains.
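Review bot: Moving `is_ubsan_vptr` out of the first `declare_args()` block into this later one is what makes `is_ubsan_vptr = is_ubsan_security` legal, since a GN build argument may only take its default from arguments declared in an earlier `declare_args()` block; the comment on the new declaration should say so, e.g. `# Defaults to is_ubsan_security, so it must be declared after that arg.`, because the comment as written is identical to the removed one and gives no hint why the declaration now sits among the CFI settings.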
diff --git a/tools/ubsan/security_blacklist.txt b/tools/ubsan/security_blacklist.txt
index 79b44a4..b5b8fff 100644
--- a/tools/ubsan/security_blacklist.txt
+++ b/tools/ubsan/security_blacklist.txt
@@ -1,4 +1,6 @@
-# This black list is a merge of blacklist.txt and vptr_blacklist.txt.
+# This black list is the subset of blacklist.txt that's needed in
+# is_ubsan_security builds. is_ubsan_security builds also use
+# vptr_blacklist.txt. This file does not duplicate the contents of that file.
#############################################################################
# UBSan security blacklist.
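Review bot: The new header says is_ubsan_security builds also use vptr_blacklist.txt, but that holds only while `is_ubsan_vptr` keeps its new default; the commit message explicitly allows `is_ubsan_security=true is_ubsan_vptr=false`, and in that configuration neither vptr checking nor vptr_blacklist.txt is in play. Suggest qualifying the sentence, e.g. `# is_ubsan_security builds also use vptr_blacklist.txt (via is_ubsan_vptr, on by default).` Also, `black list` and `blacklist` are both used in the same comment; pick one.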
@@ -72,118 +74,5 @@
fun:*RendererFrameManager*CullUnlockedFrames*
#############################################################################
-# UBSan vptr blacklist.
-# Function and type based blacklisting use a mangled name, and it is especially
-# tricky to represent C++ types. For now, any possible changes by name manglings
-# are simply represented as wildcard expressions of regexp, and thus it might be
-# over-blacklisted.
-
+# -fsanitize=vptr suppressions should go in vptr_blacklist.txt, not here.
#############################################################################
-# Identical layouts.
-# If base and derived classes have identifical memory layouts (i.e., the same
-# object size) and both have no virtual functions, we blacklist them as there
-# would be not much security implications.
-
-fun:*LifecycleNotifier*addObserver*
-fun:*LifecycleNotifier*removeObserver*
-fun:*toWebInputElement*
-type:*base*MessageLoopForIO*
-type:*BlockRefType*
-type:*SkAutoTUnref*
-type:*WDResult*
-type:*ExecutionContext*
-type:*WebInputElement*
-type:*WebFormControlElement*
-
-# Avoid identical layout cases for 86 different classes in InspectorTypeBuilder,
-# all of which are guarded using COMPILER_ASSERT on the object size. Two more
-# types are also blacklisted due to the template class (JSONArray <-> Array<T>).
-
-src:*InspectorTypeBuilder.h*
-type:*TypeBuilder*
-type:*JSONArray*
-
-#############################################################################
-# Base class's constructor accesses a derived class's member.
-
-fun:*DoublyLinkedListNode*
-type:*content*WebUIExtensionData*
-
-# RenderFrameObserverTracker<T>::RenderFrameObserverTracker()
-fun:*content*RenderFrameObserverTracker*RenderFrame*
-
-# RenderViewObserverTracker<T>::RenderViewObserverTracker()
-fun:*content*RenderViewObserverTracker*RenderView*
-
-#############################################################################
-# Base class's destructor accesses a derived class.
-
-fun:*DatabaseContext*contextDestroyed*
-
-# FIXME: Cannot handle template function LifecycleObserver<>::SetContext,
-# so exclude source file for now.
-src:*lifecycle_observer.h*
-
-#############################################################################
-# static_cast into itself in the constructor.
-
-fun:*RefCountedGarbageCollected*makeKeepAlive*
-fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive*
-
-#############################################################################
-# Accessing data in destructors where the class has virtual inheritances.
-
-type:*content*RenderWidgetHost*
-
-# Match mangled name for X::~X().
-fun:*content*RenderThreadImplD*
-fun:*content*RenderViewHostImplD*
-fun:*content*UtilityThreadImplD*
-
-#############################################################################
-# Using raw pointer values.
-#
-# A raw pointer value (16) is used to infer the field offset by
-# GOOGLE_PROTOBUF_GENERATED_MESSAGE_FIELD_OFFSET.
-
-src:*/third_party/protobuf/src/google/protobuf/compiler/plugin.pb.cc
-src:*/third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc
-src:*/third_party/protobuf/src/google/protobuf/descriptor.pb.cc
-
-#############################################################################
-# Avoid link errors.
-# Ubsan vptr needs typeinfo on the target class, but it looks like typeinfo is
-# not avaiable if the class is not exported. For now, simply blacklisted to
-# avoid link errors; e.g., undefined reference to 'typeinfo for [CLASS_NAME]'.
-
-# obj/ppapi/libppapi_proxy.a(obj/ppapi/proxy/ppapi_proxy.proxy_channel.o):../../ppapi/proxy/proxy_channel.cc:__unnamed_53: error: undefined reference to 'typeinfo for IPC::TestSink'
-src:*/ppapi/proxy/proxy_channel.cc
-
-# obj/chrome/libbrowser.a(obj/chrome/browser/net/browser.predictor.o):../../chrome/browser/net/predictor.cc:__unnamed_577: error: undefined reference to 'typeinfo for ProxyAdvisor'
-src:*/chrome/browser/net/predictor.cc
-
-# obj/third_party/libwebm/libwebm.a(obj/third_party/libwebm/source/libwebm.mkvmuxer.o)(.data.rel..L__unnamed_2+0x18): error: undefined reference to 'typeinfo for mkvparser::IMkvReader'
-src:*/third_party/libwebm/source/mkvmuxer.cpp
-
-#############################################################################
-# UBSan seems to be emit false positives when virtual base classes are
-# involved, see e.g. crbug.com/448102.
-
-type:*v8*internal*OFStream*
-
-#############################################################################
-# UBsan is unable to handle static_cast<A*>(nullptr) and crashes on SIGSEGV.
-#
-
-# static_cast<StartPageService*> in StartPageServiceFactory::GetForProfile.
-type:*StartPageService*
-
-# Remove once function attribute level blacklisting is implemented.
-# See crbug.com/476063.
-fun:*forbidGCDuringConstruction*
-
-#############################################################################
-# UBsan goes into an infinite recursion when __dynamic_cast instrumented with
-# "vptr". See crbug.com/609786.
-
-src:*/third_party/libc\+\+abi/trunk/src/private_typeinfo.cpp
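Review bot: This deletion is only safe if every removed `fun:`, `type:` and `src:` entry is still present in tools/ubsan/vptr_blacklist.txt; the commit message describes the section as a copy of that file, but the hunk does not show it, and any entry that existed only here (the `forbidGCDuringConstruction` line carries its own crbug.com/476063 note, for instance) would silently become an active vptr check in is_ubsan_security builds. A quick check before landing: collect the non-comment lines removed here with `git diff -U0 -- tools/ubsan/security_blacklist.txt | grep '^-[a-z]*:' | sed 's/^-//' | sort > /tmp/removed` and confirm `comm -23 /tmp/removed <(sort tools/ubsan/vptr_blacklist.txt)` prints nothing.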