5f1c94371a64b3196d4be9466099bb892df9b88e Torne (Richard Coles)
#############################################################################
# UBSan vptr blacklist.
# Function- and type-based blacklisting use a mangled name, and it is especially
# tricky to represent C++ types. For now, any possible variation introduced by
# name mangling is simply represented with regexp wildcard expressions, and thus
# it might be over-blacklisted.

#############################################################################
# Identical layouts.
# If base and derived classes have identical memory layouts (i.e., the same
# object size) and both have no virtual functions, we blacklist them as there
# would be few security implications.

fun:*LifecycleNotifier*addObserver*
fun:*LifecycleNotifier*removeObserver*
fun:*toWebInputElement*
type:*base*MessageLoopForIO*
type:*BlockRefType*
type:*SkAutoTUnref*
type:*WDResult*
type:*ExecutionContext*
type:*WebInputElement*
type:*WebFormControlElement*

# Avoid identical layout cases for 86 different classes in InspectorTypeBuilder,
# all of which are guarded using COMPILER_ASSERT on the object size. Two more
# types are also blacklisted due to the template class (JSONArray <-> Array<T>).

src:*InspectorTypeBuilder.h*
type:*TypeBuilder*
type:*JSONArray*

#############################################################################
# Base class's constructor accesses a derived class's member.

fun:*DoublyLinkedListNode*
type:*content*WebUIExtensionData*
type:*v8*internal*CompilationInfo*

# RenderFrameObserverTracker<T>::RenderFrameObserverTracker()
fun:*content*RenderFrameObserverTracker*RenderFrame*

# RenderViewObserverTracker<T>::RenderViewObserverTracker()
fun:*content*RenderViewObserverTracker*RenderView*

#############################################################################
# Base class's destructor accesses a derived class.

fun:*DatabaseContext*contextDestroyed*

#############################################################################
# static_cast into itself in the constructor.

fun:*RefCountedGarbageCollected*makeKeepAlive*
fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive*

#############################################################################
# Accessing data in destructors where the class has virtual inheritance.

type:*content*RenderWidgetHost*

# Mangled name for content::RenderViewHostImpl::~RenderViewHostImpl()
fun:*content*RenderViewHostImpl*

#############################################################################
# Using raw pointer values.
#
# A raw pointer value (16) is used to infer the field offset by
# GOOGLE_PROTOBUF_GENERATED_MESSAGE_FIELD_OFFSET.

src:*/third_party/protobuf/src/google/protobuf/compiler/plugin.pb.cc
src:*/third_party/protobuf/src/google/protobuf/compiler/cpp/cpp_message.cc
src:*/third_party/protobuf/src/google/protobuf/descriptor.pb.cc

#############################################################################
# Avoid link errors.
# UBSan vptr needs typeinfo on the target class, but it looks like typeinfo is
# not available if the class is not exported. For now, simply blacklisted to
# avoid link errors; e.g., undefined reference to 'typeinfo for [CLASS_NAME]'.

# obj/ppapi/libppapi_proxy.a(obj/ppapi/proxy/ppapi_proxy.proxy_channel.o):../../ppapi/proxy/proxy_channel.cc:__unnamed_53: error: undefined reference to 'typeinfo for IPC::TestSink'
src:*/ppapi/proxy/proxy_channel.cc

# obj/chrome/libbrowser.a(obj/chrome/browser/net/browser.predictor.o):../../chrome/browser/net/predictor.cc:__unnamed_577: error: undefined reference to 'typeinfo for ProxyAdvisor'
src:*/chrome/browser/net/predictor.cc

# obj/third_party/pdfium/libfpdfapi.a(obj/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdfapi.fpdf_render_text.o):../../third_party/pdfium/core/src/fpdfapi/fpdf_render/:__unnamed_360: error: undefined reference to 'typeinfo for CPDF_InlineImages'
src:*/third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp

# obj/third_party/libwebm/libwebm.a(obj/third_party/libwebm/source/libwebm.mkvmuxer.o)(.data.rel..L__unnamed_2+0x18): error: undefined reference to 'typeinfo for mkvparser::IMkvReader'
src:*/third_party/libwebm/source/mkvmuxer.cpp
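The CRTP tracker idiom behind the fun:*content*RenderFrameObserverTracker* and fun:*content*RenderViewObserverTracker* entries in the "Base class's constructor accesses a derived class's member" section, as an added example that is not Chromium's own code: Frame, FrameObserverTracker and PageObserver are hypothetical stand-ins, and the base constructor's static_cast<T*>(this) is the exact operation -fsanitize=vptr reports and the blacklist suppresses.

```cpp
#include <map>

struct Frame {};  // stand-in for the RenderFrame being observed (hypothetical)

// CRTP base: the derived class T registers itself with the frame it observes.
template <typename T>
class FrameObserverTracker {
 public:
  explicit FrameObserverTracker(Frame* frame) : frame_(frame) {
    // T's constructor has not run yet, so this object's vptr still points at
    // FrameObserverTracker<T>'s vtable. -fsanitize=vptr therefore reports the
    // downcast below; the blacklist entry suppresses it because the pointer is
    // only stored here and not dereferenced before construction completes.
    Registry()[frame] = static_cast<T*>(this);
  }
  virtual ~FrameObserverTracker() { Registry().erase(frame_); }

  static T* Get(Frame* frame) {
    auto it = Registry().find(frame);
    return it == Registry().end() ? nullptr : it->second;
  }

 private:
  static std::map<Frame*, T*>& Registry() {
    static std::map<Frame*, T*> registry;
    return registry;
  }
  Frame* frame_;
};

// A concrete observer using the idiom (hypothetical class name).
class PageObserver : public FrameObserverTracker<PageObserver> {
 public:
  explicit PageObserver(Frame* frame) : FrameObserverTracker<PageObserver>(frame) {}
  int Tag() const { return 42; }
};

// Constructing an observer registers it, lookup returns the fully constructed
// derived object, and destruction unregisters it.
bool TrackerRoundTrip() {
  Frame frame;
  {
    PageObserver observer(&frame);
    if (PageObserver::Get(&frame) != &observer) return false;
    if (PageObserver::Get(&frame)->Tag() != 42) return false;
  }
  return PageObserver::Get(&frame) == nullptr;
}
```

Built with -fsanitize=vptr and no blacklist, the constructor's cast is reported even though the stored pointer is never used before PageObserver finishes constructing, which is why the file suppresses it by function name rather than changing the idiom.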