
Update documentation about unsafe libc calls.

This information can now be added since a recent compiler roll
has brought this behavior into scope.

Change-Id: I5a4dcf4ed5b906c4708c4b033b79e49594868960
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6199587
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1411873}
Author: Tom Sepez, 2025-01-27 13:44:43 -08:00
Committed by: Chromium LUCI CQ
Parent: 0e5baedf0b
Commit: b142846c89

@@ -15,14 +15,23 @@ warnings here: https://clang.llvm.org/docs/SafeBuffers.html
[TOC] [TOC]
## Suppressions ## Preventing OOB by removing unsafe libc calls.
OOB bugs also commonly happen through C-style library calls such as
memcpy() and memset(). In order to encourage safer alternatives, the
Clang compiler can warn about unsafe calls which should be converted
to safer C++ alternatives.
These warnings are not yet enabled by default for chromium builds.
## Unsafe buffer suppressions
Our [compiler](../tools/clang/plugins/UnsafeBuffersPlugin.cpp) enables Our [compiler](../tools/clang/plugins/UnsafeBuffersPlugin.cpp) enables
the `-Wunsafe-buffer-usage` warning on all files by default. Because the the `-Wunsafe-buffer-usage` warning on all files by default. Because the
Chromium codebase is not yet compliant with these warnings, there are Chromium codebase is not yet compliant with these warnings, there are
mechanisms to opt out code on a directory, file, or per-occurence basis. mechanisms to opt out code on a directory, file, or per-occurence basis.
Entire directories are opted out of unsafe pointer usage warnings through Entire directories are opted out of unsafe buffer usage warnings through
the [`//build/config/unsafe_buffers_paths.txt`](../build/config/unsafe_buffers_paths.txt) the [`//build/config/unsafe_buffers_paths.txt`](../build/config/unsafe_buffers_paths.txt)
file. As work progresses, directories will be removed from this list, and file. As work progresses, directories will be removed from this list, and
non-compliant files marked on a per-file basis as below. Early results non-compliant files marked on a per-file basis as below. Early results
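Review bot: the new heading `## Preventing OOB by removing unsafe libc calls.` ends with a period while the sibling headings (`## Unsafe buffer suppressions`, `## Container-based ecosystem`) do not; drop the period. The new paragraph also says Clang "can warn about unsafe calls" that "should be converted to safer C++ alternatives" but names neither the warning nor the alternatives, so a reader cannot turn the check on locally or know what `memcpy()`/`memset()` should become; name the flag and point at the section of this document that covers the replacement constructs. Minor: "chromium builds" should read "Chromium builds" to match the capitalization in the following paragraph.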
@@ -56,6 +65,26 @@ the `UNSAFE_BUFFERS()` macro, but allows easier searching for code in need
of revision. Add TODO() comment, along the lines of of revision. Add TODO() comment, along the lines of
`// TODO(crbug.com/xxxxxx): resolve safety issues`. `// TODO(crbug.com/xxxxxx): resolve safety issues`.
## Unsafe libc call suppressions.
The above mechanisms also suppress unsafe libc call warnings in addition
to the unsafe buffer warnings.
To prevent back-sliding on files which have been made safe with respect
to unsafe buffers, there is now a per-file pragma which suppresses the
libc warnings while still enforcing the unsafe buffer warnings.
```
#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/ABC): Remove this and convert code to safer constructs.
#pragma allow_unsafe_libc_calls
#endif
```
An initial set of files containing these suppressions will be uploaded
presently; please keep these in place until the pending libc enforcement
is enabled for Chromium.
## Container-based ecosystem ## Container-based ecosystem
Containers may be owning types or view types. The common owning containers that Containers may be owning types or view types. The common owning containers that
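Review bot: the placeholder in the new pragma snippet, `// TODO(crbug.com/ABC): Remove this and convert code to safer constructs.`, does not match the `// TODO(crbug.com/xxxxxx): resolve safety issues` form used a few lines above for `UNSAFE_BUFFERS()`; pick one placeholder convention. The closing sentence ("An initial set of files containing these suppressions will be uploaded presently; please keep these in place until the pending libc enforcement is enabled for Chromium.") is a status update that will go stale in checked-in documentation; reword it as a standing rule (do not remove `#pragma allow_unsafe_libc_calls` until libc enforcement is enabled) and link a tracking bug if one exists. The section also says this is a "per-file pragma" but not where in the file it must appear or whether it can coexist with the existing per-file unsafe-buffers opt-out that the preceding section refers to; stating both would prevent misplaced pragmas. Finally, `## Unsafe libc call suppressions.` carries a trailing period unlike the other headings.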