
[libfuzzer] Add 'vptr' flag to builds with UndefinedBehaviourSanitizer.
security_blacklist.txt is a merge of blacklist.txt and vptr_blacklist.txt.

BUG=609786

Review-Url: https://codereview.chromium.org/2018973002
Cr-Commit-Position: refs/heads/master@{#397090}
Dor1s authored and Commit bot committed Jun 1, 2016
1 parent 5c0f047 commit 16e7bcd
Showing 5 changed files with 239 additions and 10 deletions.
40 changes: 35 additions & 5 deletions build/common.gypi
@@ -498,10 +498,13 @@
# See http://clang.llvm.org/docs/UsersManual.html
'ubsan%': 0,
'ubsan_blacklist%': '<(PRODUCT_DIR)/../../tools/ubsan/blacklist.txt',
'ubsan_security_blacklist%': '<(PRODUCT_DIR)/../../tools/ubsan/security_blacklist.txt',
'ubsan_vptr_blacklist%': '<(PRODUCT_DIR)/../../tools/ubsan/vptr_blacklist.txt',

# Enable building with UBsan's vptr (Clang's -fsanitize=vptr option).
# -fsanitize=vptr only works with clang, but ubsan_vptr=1 implies clang=1
# ubsan_security also enables UBSan's vptr.
'ubsan_security%': 0,
'ubsan_vptr%': 0,

# Use dynamic libraries instrumented by one of the sanitizers
@@ -1206,8 +1209,10 @@
'tsan_blacklist%': '<(tsan_blacklist)',
'ubsan%': '<(ubsan)',
'ubsan_blacklist%': '<(ubsan_blacklist)',
'ubsan_vptr_blacklist%': '<(ubsan_vptr_blacklist)',
'ubsan_security%': '<(ubsan_security)',
'ubsan_security_blacklist%': '<(ubsan_security_blacklist)',
'ubsan_vptr%': '<(ubsan_vptr)',
'ubsan_vptr_blacklist%': '<(ubsan_vptr_blacklist)',
'use_instrumented_libraries%': '<(use_instrumented_libraries)',
'use_prebuilt_instrumented_libraries%': '<(use_prebuilt_instrumented_libraries)',
'use_custom_libcxx%': '<(use_custom_libcxx)',
@@ -1598,7 +1603,7 @@
# compiler_version works with clang.
# TODO(glider): set clang to 1 earlier for ASan and TSan builds so
# that it takes effect here.
['clang==0 and asan==0 and lsan==0 and tsan==0 and msan==0 and ubsan==0 and ubsan_vptr==0', {
['clang==0 and asan==0 and lsan==0 and tsan==0 and msan==0 and ubsan==0 and ubsan_security==0 and ubsan_vptr==0', {
'binutils_version%': '<!pymod_do_main(compiler_version target assembler)',
}],
# On Android we know the binutils version in the toolchain.
@@ -2246,6 +2251,9 @@
['ubsan==1', {
'clang%': 1,
}],
['ubsan_security==1', {
'clang%': 1,
}],
['ubsan_vptr==1', {
'clang%': 1,
}],
@@ -3573,7 +3581,7 @@
},
}],
# -Wl,-z,-defs doesn't work with the sanitiziers, http://crbug.com/452065
['(OS=="linux" or OS=="android") and asan==0 and msan==0 and tsan==0 and ubsan==0 and ubsan_vptr==0 and cfi_diag==0', {
['(OS=="linux" or OS=="android") and asan==0 and msan==0 and tsan==0 and ubsan==0 and ubsan_security==0 and ubsan_vptr==0 and cfi_diag==0', {
'target_defaults': {
'ldflags': [
'-Wl,-z,defs',
@@ -4300,7 +4308,7 @@
}],
# Common options for AddressSanitizer, LeakSanitizer,
# ThreadSanitizer, MemorySanitizer and non-official CFI builds.
['asan==1 or lsan==1 or tsan==1 or msan==1 or ubsan==1 or ubsan_vptr==1 or '
['asan==1 or lsan==1 or tsan==1 or msan==1 or ubsan==1 or ubsan_security==1 or ubsan_vptr==1 or '
'(cfi_vptr==1 and buildtype!="Official")', {
'target_conditions': [
['_toolset=="target"', {
@@ -4398,6 +4406,28 @@
}],
],
}],
['ubsan_security==1', {
'target_conditions': [
['_toolset=="target"', {
'cflags': [
'-fsanitize=signed-integer-overflow,shift,vptr',
'-fsanitize-blacklist=<(ubsan_security_blacklist)',
],
'cflags_cc!': [
'-fno-rtti',
],
'cflags!': [
'-fno-rtti',
],
'ldflags': [
'-fsanitize=signed-integer-overflow,shift,vptr',
],
'defines': [
'UNDEFINED_SANITIZER',
],
}],
],
}],
['ubsan_vptr==1', {
'target_conditions': [
['_toolset=="target"', {
@@ -4580,7 +4610,7 @@
],
'conditions': [
# TODO(thestig): Enable this for disabled cases.
[ 'buildtype!="Official" and chromeos==0 and release_valgrind_build==0 and asan==0 and lsan==0 and tsan==0 and msan==0 and ubsan==0 and ubsan_vptr==0', {
[ 'buildtype!="Official" and chromeos==0 and release_valgrind_build==0 and asan==0 and lsan==0 and tsan==0 and msan==0 and ubsan==0 and ubsan_security==0 and ubsan_vptr==0', {
'ldflags': [
'-Wl,--detect-odr-violations',
],
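Review bot: The new `ubsan_security==1` block passes `-fsanitize=signed-integer-overflow,shift,vptr` in both cflags and ldflags, but no `-fno-sanitize-recover` appears anywhere in it; unless the `ubsan==1` block above this hunk (outside it) or a shared condition already supplies one for `ubsan_security`, UBSan will print each overflow or vptr report and keep running, so a libfuzzer target built this way never aborts on a finding and the fuzzer does not record it as a crash. The GN side keeps a separate `ubsan_no_recover` config, so the gyp block should carry the equivalent, e.g. `'-fno-sanitize-recover=signed-integer-overflow,shift,vptr',` added to the `cflags` list next to the blacklist flag, unless it is already applied by the common sanitizer condition. The comment on the `ubsan_vptr%` default now runs three statements together without punctuation; suggest `# -fsanitize=vptr only works with clang; ubsan_vptr=1 implies clang=1.` followed by `# ubsan_security=1 also enables UBSan's vptr checker and implies clang=1.` The surrounding `conditions` lists continue outside the hunks.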
2 changes: 1 addition & 1 deletion build/config/compiler/BUILD.gn
@@ -1098,7 +1098,7 @@ config("rtti") {
}
config("no_rtti") {
# CFI diagnostics and UBsan vptr require RTTI.
if (!use_cfi_diag && !is_ubsan_vptr) {
if (!use_cfi_diag && !is_ubsan_vptr && !is_ubsan_security) {
if (is_win) {
cflags_cc = [ "/GR-" ]
} else {
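Review bot: The comment `# CFI diagnostics and UBsan vptr require RTTI.` above the condition is now incomplete, since the condition also keeps RTTI for `is_ubsan_security`; suggest `# CFI diagnostics and UBSan vptr (also enabled by is_ubsan_security) require RTTI.` so the next reader does not remove the new term as redundant. The `config("no_rtti")` body continues past the end of the hunk.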
8 changes: 4 additions & 4 deletions build/config/sanitizers/BUILD.gn
@@ -352,11 +352,11 @@ config("ubsan_no_recover") {

config("ubsan_security_flags") {
if (is_ubsan_security) {
ubsan_blacklist_path =
rebase_path("//tools/ubsan/blacklist.txt", root_build_dir)
ubsan_security_blacklist_path =
rebase_path("//tools/ubsan/security_blacklist.txt", root_build_dir)
cflags = [
"-fsanitize=signed-integer-overflow,shift",
"-fsanitize-blacklist=$ubsan_blacklist_path",
"-fsanitize=signed-integer-overflow,shift,vptr",
"-fsanitize-blacklist=$ubsan_security_blacklist_path",
]
}
}
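Review bot: `ubsan_security_flags` adds the `vptr` checker to `cflags` only, while the gyp counterpart in build/common.gypi in this same commit also passes `-fsanitize=signed-integer-overflow,shift,vptr` through `ldflags`; if the `is_ubsan_security` link flags live in another config outside this hunk, they need the same `vptr` addition so the link line matches the compile line and the UBSan runtime support for vptr reports is pulled in. The rename to `ubsan_security_blacklist_path` and the new `security_blacklist.txt` path are consistent with the gyp default `ubsan_security_blacklist%` added in build/common.gypi. A short comment on the config, such as `# Subset of UBSan checks used for security fuzzing; vptr needs RTTI, see config("no_rtti").`, would record why this list differs from the full `is_ubsan` one.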
193 changes: 193 additions & 0 deletions tools/ubsan/security_blacklist.txt
@@ -0,0 +1,193 @@
# This black list is a merge of blacklist.txt and vptr_blacklist.txt.

#############################################################################
# UBSan security blacklist.

#############################################################################
# YASM does some funny things that UBsan doesn't like.
# https://crbug.com/489901
src:*/third_party/yasm/*

#############################################################################
# V8 gives too many false positives. Ignore them for now.
src:*/v8/*

#############################################################################
# Ignore system libraries.
src:*/usr/*

#############################################################################
# V8 UBsan supressions, commented out for now since we are ignorning v8
# completely.
# fun:*v8*internal*FastD2I*
# fun:*v8*internal*ComputeIntegerHash*
# fun:*v8*internal*ComputeLongHash*
# fun:*v8*internal*ComputePointerHash*
# src:*/v8/src/base/bits.cc
# src:*/v8/src/base/functional.cc
# Undefined behaviour (integer overflow) is expected but ignored in this
# function.
# fun:*JsonParser*ParseJsonNumber*

# Runtime numeric functions.
# src:*/v8/src/runtime/runtime-numbers.cc

# Shifts of negative numbers
# fun:*v8*internal*HPositionInfo*TagPosition*
# fun:*v8*internal*Range*Shl*
# fun:*v8*internal*RelocInfoWriter*WriteTaggedData*

#############################################################################
# Undefined arithmetic that can be safely ignored.
src:*/third_party/WebKit/Source/wtf/SaturatedArithmetic.h
src:*/ppapi/shared_impl/id_assignment.h

#############################################################################
# ICU supressions. Mostly hash functions where integer overflow is OK.
fun:*hashEntry*
fun:*LocaleCacheKey*hashCode*
fun:*google*protobuf*hash*
fun:*(hash|Hash)*

#############################################################################
# Bounds blacklist.
# Array at the end of struct pattern:
# Maybe UBSan itself can be improved here?
# e.g.
# struct blah {
# int a;
# char foo[2]; // not actually 2
# }
src:*/net/disk_cache/blockfile/backend_impl.cc
src:*/net/disk_cache/blockfile/entry_impl.cc
src:*/third_party/icu/source/common/rbbi.cpp
src:*/third_party/icu/source/common/rbbitblb.cpp
src:*/third_party/icu/source/common/ucmndata.c

#############################################################################
# Delete in destructor on a this where this == nullptr
fun:*re2*RegexpD*

#############################################################################
# Harmless float division by zero.
fun:*RendererFrameManager*CullUnlockedFrames*

#############################################################################
# UBSan vptr blacklist.
# Function and type based blacklisting use a mangled name, and it is especially
# tricky to represent C++ types. For now, any possible changes by name manglings
# are simply represented as wildcard expressions of regexp, and thus it might be
# over-blacklisted.

#############################################################################
# Identical layouts.
# If base and derived classes have identifical memory layouts (i.e., the same
# object size) and both have no virtual functions, we blacklist them as there
# would be not much security implications.

fun:*LifecycleNotifier*addObserver*
fun:*LifecycleNotifier*removeObserver*
fun:*toWebInputElement*
type:*base*MessageLoopForIO*
type:*BlockRefType*
type:*SkAutoTUnref*
type:*WDResult*
type:*ExecutionContext*
type:*WebInputElement*
type:*WebFormControlElement*

# Avoid identical layout cases for 86 different classes in InspectorTypeBuilder,
# all of which are guarded using COMPILER_ASSERT on the object size. Two more
# types are also blacklisted due to the template class (JSONArray <-> Array<T>).

src:*InspectorTypeBuilder.h*
type:*TypeBuilder*
type:*JSONArray*

#############################################################################
# Base class's constructor accesses a derived class's member.

fun:*DoublyLinkedListNode*
type:*content*WebUIExtensionData*

# RenderFrameObserverTracker<T>::RenderFrameObserverTracker()
fun:*content*RenderFrameObserverTracker*RenderFrame*

# RenderViewObserverTracker<T>::RenderViewObserverTracker()
fun:*content*RenderViewObserverTracker*RenderView*

#############################################################################
# Base class's destructor accesses a derived class.

fun:*DatabaseContext*contextDestroyed*

# FIXME: Cannot handle template function LifecycleObserver<>::setContext,
# so exclude source file for now.
src:*LifecycleObserver.h*

#############################################################################
# static_cast into itself in the constructor.

fun:*RefCountedGarbageCollected*makeKeepAlive*
fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive*

#############################################################################
# Accessing data in destructors where the class has virtual inheritances.

type:*content*RenderWidgetHost*

# Match mangled name for X::~X().
fun:*content*RenderThreadImplD*
fun:*content*RenderViewHostImplD*
fun:*content*UtilityThreadImplD*

#############################################################################
# Using raw pointer values.
#
# A raw pointer value (16) is used to infer the field offset by
# GOOGLE_PROTOBUF_GENERATED_MESSAGE_FIELD_OFFSET.

src:*/third_party/protobuf/src/google/protobuf/compiler/plugin.pb.cc
src:*/third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc
src:*/third_party/protobuf/src/google/protobuf/descriptor.pb.cc

#############################################################################
# Avoid link errors.
# Ubsan vptr needs typeinfo on the target class, but it looks like typeinfo is
# not avaiable if the class is not exported. For now, simply blacklisted to
# avoid link errors; e.g., undefined reference to 'typeinfo for [CLASS_NAME]'.

# obj/ppapi/libppapi_proxy.a(obj/ppapi/proxy/ppapi_proxy.proxy_channel.o):../../ppapi/proxy/proxy_channel.cc:__unnamed_53: error: undefined reference to 'typeinfo for IPC::TestSink'
src:*/ppapi/proxy/proxy_channel.cc

# obj/chrome/libbrowser.a(obj/chrome/browser/net/browser.predictor.o):../../chrome/browser/net/predictor.cc:__unnamed_577: error: undefined reference to 'typeinfo for ProxyAdvisor'
src:*/chrome/browser/net/predictor.cc

# obj/third_party/pdfium/libfpdfapi.a(obj/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdfapi.fpdf_render_text.o):../../third_party/pdfium/core/src/fpdfapi/fpdf_render/:__unnamed_360: error: undefined reference to 'typeinfo for CPDF_InlineImages'
src:*/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp

# obj/third_party/libwebm/libwebm.a(obj/third_party/libwebm/source/libwebm.mkvmuxer.o)(.data.rel..L__unnamed_2+0x18): error: undefined reference to 'typeinfo for mkvparser::IMkvReader'
src:*/third_party/libwebm/source/mkvmuxer.cpp

#############################################################################
# UBSan seems to be emit false positives when virtual base classes are
# involved, see e.g. crbug.com/448102.

type:*v8*internal*OFStream*

#############################################################################
# UBsan is unable to handle static_cast<A*>(nullptr) and crashes on SIGSEGV.
#

# static_cast<StartPageService*> in StartPageServiceFactory::GetForProfile.
type:*StartPageService*

# Remove once function attribute level blacklisting is implemented.
# See crbug.com/476063.
fun:*forbidGCDuringConstruction*

#############################################################################
# UBsan goes into an infinite recursion when __dynamic_cast instrumented with
# "vptr". See crbug.com/609786.

src:*/third_party/libc\+\+abi/trunk/src/private_typeinfo.cpp
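Review bot: This file is a hand-maintained copy of blacklist.txt and vptr_blacklist.txt, as its first comment states, and the commit already has to add the libc++abi `private_typeinfo.cpp` suppression twice, here and in tools/ubsan/vptr_blacklist.txt; later suppressions will drift between the three files unless the merged list is generated from the two sources or each source file carries a pointer such as `# NOTE: tools/ubsan/security_blacklist.txt duplicates this file; keep both in sync.` Some carried-over entries are very broad for a build whose purpose is finding security bugs, notably `src:*/v8/*`, which disables every check in V8, and `fun:*(hash|Hash)*`, which silences overflow and shift reports in any function whose mangled name contains "hash" rather than only the ICU and protobuf hashes the comment describes; a comment recording that these are inherited deliberately, or a narrower pattern, would keep the scope of the exclusions visible to whoever triages fuzzer results. The copied comments also carry typos (supressions, ignorning, identifical, avaiable) that could be fixed in the source files before the next merge.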
6 changes: 6 additions & 0 deletions tools/ubsan/vptr_blacklist.txt
@@ -111,3 +111,9 @@ type:*StartPageService*
# Remove once function attribute level blacklisting is implemented.
# See crbug.com/476063.
fun:*forbidGCDuringConstruction*

#############################################################################
# UBsan goes into an infinite recursion when __dynamic_cast instrumented with
# "vptr". See crbug.com/609786.

src:*/third_party/libc\+\+abi/trunk/src/private_typeinfo.cpp
