Comment some functions that should be UNSAFE_BUFFER_USAGE.
Whenever "passing the buck" to the caller to provide safe arguments used in an UNSAFE_BUFFERS() region of the code, enforcement must also be passed to the caller via UNSAFE_BUFFER_USAGE. Note places where this is not happening, but do not enforce as it would cause breakage. No code changes. -- Upcase one SAFETY comment found along the way. Change-Id: I5f5d0b877faf1ee289772efcc7a35cb7d04f4b4a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5789370 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Owners-Override: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/main@{#1342288}
This commit is contained in:
Tom Sepez
committed by
Chromium LUCI CQ
Chromium LUCI CQ
parent
7f9782c1cc
commit
590a856c7c
base/android
gin
net/socket
ppapi/shared_impl/private
third_party/blink/renderer
ui/gfx/x
@ -46,7 +46,8 @@ ScopedJavaLocalRef<jbyteArray> ToJavaByteArray(JNIEnv* env,
|
||||
ScopedJavaLocalRef<jbooleanArray> ToJavaBooleanArray(JNIEnv* env,
|
||||
const bool* bools,
|
||||
size_t len) {
|
||||
// SAFETY: The caller must provide a valid pointer and length.
|
||||
// SAFETY: The caller must provide a valid pointer and length, as enforced
|
||||
// by UNSAFE_BUFFER_USAGE in the header.
|
||||
return ToJavaBooleanArray(env, UNSAFE_BUFFERS(base::span(bools, len)));
|
||||
}
|
||||
|
||||
@ -76,6 +77,7 @@ ScopedJavaLocalRef<jbooleanArray> ToJavaBooleanArray(JNIEnv* env,
|
||||
return ScopedJavaLocalRef<jbooleanArray>(env, boolean_array);
|
||||
}
|
||||
|
||||
// TODO(tsepez): this should be declared UNSAFE_BUFFER_USAGE in the header.
|
||||
ScopedJavaLocalRef<jintArray> ToJavaIntArray(JNIEnv* env,
|
||||
const int32_t* ints,
|
||||
size_t len) {
|
||||
@ -101,7 +103,8 @@ ScopedJavaLocalRef<jintArray> ToJavaIntArray(JNIEnv* env,
|
||||
ScopedJavaLocalRef<jlongArray> ToJavaLongArray(JNIEnv* env,
|
||||
const int64_t* longs,
|
||||
size_t len) {
|
||||
// SAFETY: The caller must provide a valid pointer and length.
|
||||
// SAFETY: The caller must provide a valid pointer and length, as enforced
|
||||
// by UNSAFE_BUFFER_USAGE in the header.
|
||||
return ToJavaLongArray(env, UNSAFE_BUFFERS(base::span(longs, len)));
|
||||
}
|
||||
|
||||
@ -126,7 +129,8 @@ BASE_EXPORT ScopedJavaLocalRef<jlongArray> ToJavaLongArray(
|
||||
// Returns a new Java float array converted from the given C++ float array.
|
||||
BASE_EXPORT ScopedJavaLocalRef<jfloatArray>
|
||||
ToJavaFloatArray(JNIEnv* env, const float* floats, size_t len) {
|
||||
// SAFETY: The caller must provide a valid pointer and length.
|
||||
// SAFETY: The caller must provide a valid pointer and length, as enforced
|
||||
// by UNSAFE_BUFFER_USAGE in the header.
|
||||
return ToJavaFloatArray(env, UNSAFE_BUFFERS(base::span(floats, len)));
|
||||
}
|
||||
|
||||
@ -150,7 +154,8 @@ BASE_EXPORT ScopedJavaLocalRef<jfloatArray> ToJavaFloatArray(
|
||||
|
||||
BASE_EXPORT ScopedJavaLocalRef<jdoubleArray>
|
||||
ToJavaDoubleArray(JNIEnv* env, const double* doubles, size_t len) {
|
||||
// SAFETY: The caller must provide a valid pointer and length.
|
||||
// SAFETY: The caller must provide a valid pointer and length, as enforced
|
||||
// by UNSAFE_BUFFER_USAGE in the header.
|
||||
return ToJavaDoubleArray(env, UNSAFE_BUFFERS(base::span(doubles, len)));
|
||||
}
|
||||
|
||||
|
||||
@ -66,7 +66,7 @@ std::optional<gin::V8SnapshotFileType> g_snapshot_file_type;
|
||||
|
||||
bool GenerateEntropy(unsigned char* buffer, size_t amount) {
|
||||
base::RandBytes(
|
||||
// SAFETY: This depends on callers providing a valid pointer/size pair.
|
||||
// SAFETY: This depends on v8 providing a valid pointer/size pair.
|
||||
//
|
||||
// TODO(crbug.com/338574383): The signature is fixed as it's a callback
|
||||
// from v8, but maybe v8 can use a span.
|
||||
|
||||
@ -391,6 +391,7 @@ SocketBIOAdapter* SocketBIOAdapter::GetAdapter(BIO* bio) {
|
||||
return adapter;
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE in header.
|
||||
int SocketBIOAdapter::BIOWriteWrapper(BIO* bio, const char* in, int len) {
|
||||
BIO_clear_retry_flags(bio);
|
||||
|
||||
@ -406,6 +407,7 @@ int SocketBIOAdapter::BIOWriteWrapper(BIO* bio, const char* in, int len) {
|
||||
UNSAFE_TODO(base::span(in, base::checked_cast<size_t>(len)))));
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE in header.
|
||||
int SocketBIOAdapter::BIOReadWrapper(BIO* bio, char* out, int len) {
|
||||
BIO_clear_retry_flags(bio);
|
||||
|
||||
|
||||
@ -143,6 +143,7 @@ uint16_t GetPort(const PP_NetAddress_Private* addr) {
|
||||
return net_addr->port;
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE.
|
||||
PP_Bool GetAddress(const PP_NetAddress_Private* addr,
|
||||
void* address,
|
||||
uint16_t address_size) {
|
||||
|
||||
@ -630,6 +630,7 @@ void ImageResource::OnePartInMultipartReceived(
|
||||
}
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE in the header.
|
||||
void ImageResource::MultipartDataReceived(const char* bytes, size_t size) {
|
||||
DCHECK(multipart_parser_);
|
||||
Resource::AppendData(
|
||||
|
||||
@ -126,6 +126,7 @@ class WTF_EXPORT SegmentedBuffer {
|
||||
|
||||
bool empty() const { return !size(); }
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE.
|
||||
// TODO(crbug.com/40284755): Remove the pointer-based methods in favor of span
|
||||
// ones.
|
||||
HAS_STRICTLY_TYPED_ARG
|
||||
@ -136,6 +137,7 @@ class WTF_EXPORT SegmentedBuffer {
|
||||
// TODO(crbug.com/40284755): Remove this in favor of the span versions.
|
||||
UNSAFE_TODO(base::span(data, size)));
|
||||
}
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE.
|
||||
HAS_STRICTLY_TYPED_ARG
|
||||
void Append(const unsigned char* data, STRICTLY_TYPED_ARG(size)) {
|
||||
ALLOW_NUMERIC_ARG_TYPES_PROMOTABLE_TO(size_t);
|
||||
@ -281,6 +283,7 @@ class WTF_EXPORT SharedBuffer : public SegmentedBuffer,
|
||||
return base::AdoptRef(new SharedBuffer(std::move(data)));
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE.
|
||||
HAS_STRICTLY_TYPED_ARG
|
||||
static scoped_refptr<SharedBuffer> Create(const char* data,
|
||||
STRICTLY_TYPED_ARG(size)) {
|
||||
@ -291,6 +294,7 @@ class WTF_EXPORT SharedBuffer : public SegmentedBuffer,
|
||||
UNSAFE_TODO(base::span(data, size)));
|
||||
}
|
||||
|
||||
// TODO(tsepez): should be declared UNSAFE_BUFFER_USAGE.
|
||||
HAS_STRICTLY_TYPED_ARG
|
||||
static scoped_refptr<SharedBuffer> Create(const unsigned char* data,
|
||||
STRICTLY_TYPED_ARG(size)) {
|
||||
|
||||
@ -85,7 +85,7 @@ class COMPONENT_EXPORT(X11) ThrowAwaySizeRefCountedMemory final
|
||||
class COMPONENT_EXPORT(X11) SizedRefCountedMemory final
|
||||
: public base::RefCountedMemory {
|
||||
public:
|
||||
// Safety: The caller must ensure that the `mem` buffer points to at least
|
||||
// SAFETY: The caller must ensure that the `mem` buffer points to at least
|
||||
// `size` many bytes or Undefined Behaviour can result.
|
||||
UNSAFE_BUFFER_USAGE static scoped_refptr<SizedRefCountedMemory> From(
|
||||
scoped_refptr<UnsizedRefCountedMemory> mem,
|
||||
|
||||
Reference in New Issue
Block a user