1#############################################################################
2# UBSan vptr blacklist.
3# Function- and type-based blacklisting use mangled names, and it is especially
4# tricky to represent C++ types that way. For now, any possible variation from
5# name mangling is simply represented as a regexp wildcard expression, so the
6# entries below may match more code than intended (over-blacklisting).
7
8#############################################################################
9# Identical layouts.
10# If base and derived classes have identical memory layouts (i.e., the same
11# object size) and both have no virtual functions, we blacklist them as there
12# would be few security implications.
13
14fun:*LifecycleNotifier*addObserver*
15fun:*LifecycleNotifier*removeObserver*
16fun:*toWebInputElement*
17type:*base*MessageLoopForIO*
18type:*BlockRefType*
19type:*SkAutoTUnref*
20type:*WDResult*
21type:*ExecutionContext*
22type:*WebInputElement*
23type:*WebFormControlElement*
24
25# Avoid identical layout cases for 86 different classes in InspectorTypeBuilder,
26# all of which are guarded using COMPILER_ASSERT on the object size. Two more
27# types are also blacklisted due to the template class (JSONArray <-> Array<T>).
28
29src:*InspectorTypeBuilder.h*
30type:*TypeBuilder*
31type:*JSONArray*
32
33#############################################################################
34# Base class's constructor accesses a derived class's member.
35
36fun:*DoublyLinkedListNode*
37type:*content*WebUIExtensionData*
38
39# RenderFrameObserverTracker<T>::RenderFrameObserverTracker()
40fun:*content*RenderFrameObserverTracker*RenderFrame*
41
42# RenderViewObserverTracker<T>::RenderViewObserverTracker()
43fun:*content*RenderViewObserverTracker*RenderView*
44
45#############################################################################
46# Base class's destructor accesses a derived class.
47
48fun:*DatabaseContext*contextDestroyed*
49
50# FIXME: Cannot handle template function LifecycleObserver<>::setContext,
51# so exclude source file for now.
52src:*LifecycleObserver.h*
53
54#############################################################################
55# static_cast into itself in the constructor.
56
57fun:*RefCountedGarbageCollected*makeKeepAlive*
58fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive*
59
60#############################################################################
61# Accessing data in destructors where the class has virtual inheritances.
62
63type:*content*RenderWidgetHost*
64
65# Match mangled name for X::~X().
66fun:*content*RenderThreadImplD*
67fun:*content*RenderViewHostImplD*
68fun:*content*UtilityThreadImplD*
69
70#############################################################################
71# Using raw pointer values.
72#
73# A raw pointer value (16) is used to infer the field offset by
74# GOOGLE_PROTOBUF_GENERATED_MESSAGE_FIELD_OFFSET.
75
76src:*/third_party/protobuf/src/google/protobuf/compiler/plugin.pb.cc
77src:*/third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc
78src:*/third_party/protobuf/src/google/protobuf/descriptor.pb.cc
79
80#############################################################################
81# Avoid link errors.
82# UBSan vptr needs typeinfo on the target class, but it looks like typeinfo is
83# not available if the class is not exported.  For now, simply blacklisted to
84# avoid link errors; e.g., undefined reference to 'typeinfo for [CLASS_NAME]'.
85
86# obj/ppapi/libppapi_proxy.a(obj/ppapi/proxy/ppapi_proxy.proxy_channel.o):../../ppapi/proxy/proxy_channel.cc:__unnamed_53: error: undefined reference to 'typeinfo for IPC::TestSink'
87src:*/ppapi/proxy/proxy_channel.cc
88
89# obj/chrome/libbrowser.a(obj/chrome/browser/net/browser.predictor.o):../../chrome/browser/net/predictor.cc:__unnamed_577: error: undefined reference to 'typeinfo for ProxyAdvisor'
90src:*/chrome/browser/net/predictor.cc
91
92# obj/third_party/pdfium/libfpdfapi.a(obj/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdfapi.fpdf_render_text.o):../../third_party/pdfium/core/src/fpdfapi/fpdf_render/:__unnamed_360: error: undefined reference to 'typeinfo for CPDF_InlineImages'
93src:*/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
94
95# obj/third_party/libwebm/libwebm.a(obj/third_party/libwebm/source/libwebm.mkvmuxer.o)(.data.rel..L__unnamed_2+0x18): error: undefined reference to 'typeinfo for mkvparser::IMkvReader'
96src:*/third_party/libwebm/source/mkvmuxer.cpp
97
98#############################################################################
99# LLVM is not UBSan vptr clean.
100src:*third_party/swiftshader/third_party/LLVM*
101
102#############################################################################
103# UBSan seems to emit false positives when virtual base classes are
104# involved, see e.g. crbug.com/448102.
105
106type:*v8*internal*OFStream*
107
108#############################################################################
109# UBSan is unable to handle static_cast<A*>(nullptr) and crashes with SIGSEGV.
110#
111
112# static_cast<StartPageService*> in StartPageServiceFactory::GetForProfile.
113type:*StartPageService*
114
115# Remove once function attribute level blacklisting is implemented.
116# See crbug.com/476063.
117fun:*forbidGCDuringConstruction*
118
119#############################################################################
120# UBSan goes into an infinite recursion when __dynamic_cast is instrumented with
121# "vptr". See crbug.com/609786.
122
123src:*/third_party/libc\+\+abi/trunk/src/private_typeinfo.cpp
124
125#############################################################################
126# Invalid downcasts for IPC messages.
127# https://crbug.com/520760
128src:*nacl_message_scanner.cc
129