| # This black list is a merge of blacklist.txt and vptr_blacklist.txt. |
| |
| ############################################################################# |
| # UBSan security blacklist. |
| |
| ############################################################################# |
| # YASM does some funny things that UBsan doesn't like. |
| # https://crbug.com/489901 |
| src:*/third_party/yasm/* |
| |
| ############################################################################# |
| # V8 gives too many false positives. Ignore them for now. |
| src:*/v8/* |
| |
| ############################################################################# |
| # Ignore system libraries. |
| src:*/usr/* |
| |
| ############################################################################# |
| # V8 UBsan supressions, commented out for now since we are ignorning v8 |
| # completely. |
| # fun:*v8*internal*FastD2I* |
| # fun:*v8*internal*ComputeIntegerHash* |
| # fun:*v8*internal*ComputeLongHash* |
| # fun:*v8*internal*ComputePointerHash* |
| # src:*/v8/src/base/bits.cc |
| # src:*/v8/src/base/functional.cc |
| # Undefined behaviour (integer overflow) is expected but ignored in this |
| # function. |
| # fun:*JsonParser*ParseJsonNumber* |
| |
| # Runtime numeric functions. |
| # src:*/v8/src/runtime/runtime-numbers.cc |
| |
| # Shifts of negative numbers |
| # fun:*v8*internal*HPositionInfo*TagPosition* |
| # fun:*v8*internal*Range*Shl* |
| # fun:*v8*internal*RelocInfoWriter*WriteTaggedData* |
| |
| ############################################################################# |
| # Undefined arithmetic that can be safely ignored. |
| src:*/ppapi/shared_impl/id_assignment.h |
| |
| ############################################################################# |
| # ICU supressions. Mostly hash functions where integer overflow is OK. |
| fun:*hashEntry* |
| fun:*LocaleCacheKey*hashCode* |
| fun:*google*protobuf*hash* |
| fun:*(hash|Hash)* |
| |
| ############################################################################# |
| # Bounds blacklist. |
| # Array at the end of struct pattern: |
| # Maybe UBSan itself can be improved here? |
| # e.g. |
| # struct blah { |
| # int a; |
| # char foo[2]; // not actually 2 |
| # } |
| src:*/net/disk_cache/blockfile/backend_impl.cc |
| src:*/net/disk_cache/blockfile/entry_impl.cc |
| src:*/third_party/icu/source/common/rbbi.cpp |
| src:*/third_party/icu/source/common/rbbitblb.cpp |
| src:*/third_party/icu/source/common/ucmndata.c |
| |
| ############################################################################# |
| # Delete in destructor on a this where this == nullptr |
| fun:*re2*RegexpD* |
| |
| ############################################################################# |
| # Harmless float division by zero. |
| fun:*RendererFrameManager*CullUnlockedFrames* |
| |
| ############################################################################# |
| # UBSan vptr blacklist. |
| # Function and type based blacklisting use a mangled name, and it is especially |
| # tricky to represent C++ types. For now, any possible changes by name manglings |
| # are simply represented as wildcard expressions of regexp, and thus it might be |
| # over-blacklisted. |
| |
| ############################################################################# |
| # Identical layouts. |
| # If base and derived classes have identifical memory layouts (i.e., the same |
| # object size) and both have no virtual functions, we blacklist them as there |
| # would be not much security implications. |
| |
| fun:*LifecycleNotifier*addObserver* |
| fun:*LifecycleNotifier*removeObserver* |
| fun:*toWebInputElement* |
| type:*base*MessageLoopForIO* |
| type:*BlockRefType* |
| type:*SkAutoTUnref* |
| type:*WDResult* |
| type:*ExecutionContext* |
| type:*WebInputElement* |
| type:*WebFormControlElement* |
| |
| # Avoid identical layout cases for 86 different classes in InspectorTypeBuilder, |
| # all of which are guarded using COMPILER_ASSERT on the object size. Two more |
| # types are also blacklisted due to the template class (JSONArray <-> Array<T>). |
| |
| src:*InspectorTypeBuilder.h* |
| type:*TypeBuilder* |
| type:*JSONArray* |
| |
| ############################################################################# |
| # Base class's constructor accesses a derived class's member. |
| |
| fun:*DoublyLinkedListNode* |
| type:*content*WebUIExtensionData* |
| |
| # RenderFrameObserverTracker<T>::RenderFrameObserverTracker() |
| fun:*content*RenderFrameObserverTracker*RenderFrame* |
| |
| # RenderViewObserverTracker<T>::RenderViewObserverTracker() |
| fun:*content*RenderViewObserverTracker*RenderView* |
| |
| ############################################################################# |
| # Base class's destructor accesses a derived class. |
| |
| fun:*DatabaseContext*contextDestroyed* |
| |
| # FIXME: Cannot handle template function LifecycleObserver<>::SetContext, |
| # so exclude source file for now. |
| src:*lifecycle_observer.h* |
| |
| ############################################################################# |
| # static_cast into itself in the constructor. |
| |
| fun:*RefCountedGarbageCollected*makeKeepAlive* |
| fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive* |
| |
| ############################################################################# |
| # Accessing data in destructors where the class has virtual inheritances. |
| |
| type:*content*RenderWidgetHost* |
| |
| # Match mangled name for X::~X(). |
| fun:*content*RenderThreadImplD* |
| fun:*content*RenderViewHostImplD* |
| fun:*content*UtilityThreadImplD* |
| |
| ############################################################################# |
| # Using raw pointer values. |
| # |
| # A raw pointer value (16) is used to infer the field offset by |
| # GOOGLE_PROTOBUF_GENERATED_MESSAGE_FIELD_OFFSET. |
| |
| src:*/third_party/protobuf/src/google/protobuf/compiler/plugin.pb.cc |
| src:*/third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc |
| src:*/third_party/protobuf/src/google/protobuf/descriptor.pb.cc |
| |
| ############################################################################# |
| # Avoid link errors. |
| # Ubsan vptr needs typeinfo on the target class, but it looks like typeinfo is |
| # not avaiable if the class is not exported. For now, simply blacklisted to |
| # avoid link errors; e.g., undefined reference to 'typeinfo for [CLASS_NAME]'. |
| |
| # obj/ppapi/libppapi_proxy.a(obj/ppapi/proxy/ppapi_proxy.proxy_channel.o):../../ppapi/proxy/proxy_channel.cc:__unnamed_53: error: undefined reference to 'typeinfo for IPC::TestSink' |
| src:*/ppapi/proxy/proxy_channel.cc |
| |
| # obj/chrome/libbrowser.a(obj/chrome/browser/net/browser.predictor.o):../../chrome/browser/net/predictor.cc:__unnamed_577: error: undefined reference to 'typeinfo for ProxyAdvisor' |
| src:*/chrome/browser/net/predictor.cc |
| |
| # obj/third_party/libwebm/libwebm.a(obj/third_party/libwebm/source/libwebm.mkvmuxer.o)(.data.rel..L__unnamed_2+0x18): error: undefined reference to 'typeinfo for mkvparser::IMkvReader' |
| src:*/third_party/libwebm/source/mkvmuxer.cpp |
| |
| ############################################################################# |
| # UBSan seems to be emit false positives when virtual base classes are |
| # involved, see e.g. crbug.com/448102. |
| |
| type:*v8*internal*OFStream* |
| |
| ############################################################################# |
| # UBsan is unable to handle static_cast<A*>(nullptr) and crashes on SIGSEGV. |
| # |
| |
| # static_cast<StartPageService*> in StartPageServiceFactory::GetForProfile. |
| type:*StartPageService* |
| |
| # Remove once function attribute level blacklisting is implemented. |
| # See crbug.com/476063. |
| fun:*forbidGCDuringConstruction* |
| |
| ############################################################################# |
| # UBsan goes into an infinite recursion when __dynamic_cast instrumented with |
| # "vptr". See crbug.com/609786. |
| |
| src:*/third_party/libc\+\+abi/trunk/src/private_typeinfo.cpp |