New issue
Advanced search Search tips

Issue 598071 link

Starred by 1 user
Status: Available
Owner: ----
Cc:
scroggo@chromium.org
thakis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

Added instrumentation on SharedBuffer causes unnecessarily verbose callsites

Project Member Reported by pkasting@chromium.org, Mar 25 2016 
In https://codereview.chromium.org/1571233003 SharedBuffer was changed to use some new macros that try to restrict callers to only call with size_t.

This is excessively strict for e.g. callers calling with literal values.  For example, instead of:

getSomeData(buffer, 0)

Callers are now doing:

getSomeData(buffer, static_cast<size_t>(0));

At the very least, all the STRICT_ARG_TYPEs should probably be changed to ALLOW_NUMERIC_ARG_TYPES_PROMOTABLE_TO.

In general, though, the underlying pattern here is problematic.  Unsafe type conversions are a potential source of bugs everywhere in the codebase.  It doesn't really make sense to annotate one class in a way that tries to prevent one set of unsafe conversions.  Annotating all the potential trouble points in the codebase would basically mean annotating everything everywhere to eliminate automatic type conversions.  This is clearly infeasible.

I think SharedBuffer is not a special snowflake in this regard, and we should remove these annotations for it.  Instead, I suggest enabling the compiler warnings we have for unsafe type conversions in e.g. third_party/WebKit (it's not yet feasible to enable them across the whole codebase).  This will let the compiler catch these for us across a much broader spectrum of cases, without the need for or downsides of the explicit annotations here.

 Bug 81439  is the MSVC side of enabling some of these warnings globally; in particular, you'd probably want to enable C4244 and C4267.  I know gcc/clang have some warnings for this as well (that I don't think are part of -Wall), but I don't remember the details.

Comment 1 by junov@chromium.org, Mar 29 2016

Cc: thakis@chromium.org
I admit this was a bandaid solution. After catching two bad uses of SharedBuffer, I wanted systematically detect and eradicate the problem at this site.  Only checking in a few places is like only clearing the snow off the third stair because that's where I slipped last time. We had an e-mail thread about this a while back, but it kind of died off with no follow-up.  Thanks for bringing this back to the table.

FWIW, the STRICT_ARG_TYPE macro was used here to catch a pattern where a value that was originally a size_t got transiently stored in a 'long' local variable before being passed to SharedBuffer.  It was the first conversion (to long) that was dangerous, but I had no way to systematically instrument SharedBuffer to catch that pattern.

Unsafe casts are everywhere, so it would be hard to block them globally.  A more reasonable approach would be to turn on unsafe cast errors specifically for conversions to and from size_t and ptrdiff_t to focus on the conversions most susceptible of causing memory errors (and therefore security vulnerabilities).


thakis@: You said it would be possible to do this with a custom error in clang.
Is that going to happen?

Comment 2 by pkasting@chromium.org, Mar 29 2016 

Incidentally, MSVC warning C4267 is specifically for conversion from size_t to a smaller type, as you suggest.

It's unlikely to be feasible to turn this on globally yet, but we could probably turn it on in all or part of Blink.

Comment 3 by junov@chromium.org, Mar 29 2016 

That is very interesting. MSVC would give us coverage for a 64-bit build and a 32-bit build, which is pretty much all we need.

Comment 4 by junov@chromium.org, Mar 29 2016

Cc: junov@chromium.org
Owner: xidac...@chromium.org

Comment 5 by pkasting@chromium.org, Mar 29 2016 

I would suggest picking a project or projects you think gives sufficient coverage to catch at least the SharedBuffer issues you saw, and try enabling this warning just for those, plus disable warnings-as-errors for the same projects.  Run the change through the trybots (or build locally if you have a Windows machine) and see how many errors you get (hence the disabling warnings-as-errors, so the build doesn't terminate).  If the number is reasonably small, fix those and turn the warning on for those projects, and eliminate the changes previously made here.  If the number is large, send the list to me for help and we can figure something out.

Comment 6 by xidac...@chromium.org, Nov 29 2016

Cc: -junov@chromium.org
Owner: junov@chromium.org

Comment 7 by dtapu...@chromium.org, Nov 1 2017

Components: Blink>Canvas

Comment 8 by junov@chromium.org, Jul 25

Owner: ----
Status: Available (was: Assigned)

Sign in to add a comment