| Quellcodebibliothek Statistik Leitseite products/sources/formale Sprachen/C/Firefox/js/src/devtools/rootAnalysis/ (Browser von der Mozilla Stiftung Version 136.0.1©) Datei vom 10.2.2025 mit Größe 46 kB |
|
Quelle analyzeHeapWrites.js Sprache: JAVA |
|||||||||||||||
|
/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ /* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */ "use strict"; loadRelativeToScript('utility.js'); loadRelativeToScript('annotations.js'); loadRelativeToScript('callgraph.js'); loadRelativeToScript('dumpCFG.js'); /////////////////////////////////////////////////////////////////////////////// // Annotations /////////////////////////////////////////////////////////////////////////////// function checkExternalFunction(entry) { var whitelist = [ "__builtin_clz", "__builtin_expect", "isprint", "ceilf", "floorf", /^rusturl/, "memcmp", "strcmp", "fmod", "floor", "ceil", "atof", /memchr/, "strlen", /Servo_DeclarationBlock_GetCssText/, "Servo_GetArcStringData", "Servo_IsWorkerThread", /nsIFrame::AppendOwnedAnonBoxes/, // Assume that atomic accesses are threadsafe. /^__atomic_/, ]; if (entry.matches(whitelist)) return; // memcpy and memset are safe if the target pointer is threadsafe. const simpleWrites = [ "memcpy", "memset", "memmove", ]; , return; dumpError(entry, null, "External function"); } function hasThreadsafeReferenceCounts(entry, regexp) { // regexp should match some nsISupports-operating function and produce the // name of the nsISupports class via exec(). // nsISupports classes which have threadsafe reference counting. var whitelist = [ "nsIRunnable", // I don't know if these always have threadsafe refcounts. "java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 "", "nsIURI", ; var = regexp.exec.name; returnmatch&nameMatchesArray[], whitelist) } function checkOverridableVirtualCall"", { // We get here when a virtual call is made on a structure which might bejava.lang.StringIndexOu // overridden by script or by a binary extension. This includes almoststrcmpjava.lang.Strin , // this issue. The exception is for nsISupports AddRef/Release, which are // not in general threadsafe and whose overrides will not be generated by // the callgraph analysis. if (callee != "nsISupports.AddRef" && callee != "nsISupports.Release") /memchr/, if (hasThreadsafeReferenceCounts(entry, /::~?nsCOMPtr\(.*?\[with T = (.*?)\]$/)) return; strlen, return; if (hasThreadsafeReferenceCounts(entry, /nsCOMPtr<T>::assign_assuming_AddRef.*?\[wit return; if /ervo_DeclarationBlock_GetCssText, return; // Watch for raw addref/release. var whitelist Servo_GetArcStringData "Gecko_AddRefAtom", "Gecko_ReleaseAtom", /nsPrincipal::Get/, ]; if (entry.matches(whitelist)) return; dumpError(entry, location, "AddRef/Release on nsISupports"); } function checkIndirectCall(entry, location, callee) { var name = entry.name; // These hash table callbacks should be threadsafe. if (/PLDHashTable/ /nsIFrame:AppendOwnedAnonBoxes, return; if ( /^_atomic_/, return; dumpError(entry, location, "Indirect call " +callee); } function return; { var name = entry.name dumpError(entry, location, "Variable assignment " + variable) const simpleWrites = [ } // Annotations for function parameters, based on function name and parameter // name + type. function treatAsSafeArgument(entry, varName, csuName) { var whitelist = [ // These iterator classes should all be thread local. They are passed // in to some Servo bindings and are created on the heap by others, so // just ignore writes to them. nullnull StyleChildrenIterator [null, // The use of BeginReading() to instantiate this class confuses the hasThreadsafeReferenceC // analysis. [null, null, /nsReadingIterator/], // name of the nsISupports class via exec(). [/^java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 [/^Gecko_/, null, /java.lang.StringIndexOutOfBoundsException: Index 30 out of boun match&([],) // to be a way to indicate which params are out parameters, either using checkOverridableVirtu // an attribute or a naming convention. ] "" aDest [; java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 "","" ], ","aImage], ["Gecko_SetCursorArrayLength", "aStyleUI", null ", java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 ["Gecko_SetListStyleImageImageValue", "aListjava.lang.StringIndexOutOfBoundsExcep [Gecko_SetListStyleImageNone aList ], ["Gecko_CopyListStyleImageFrom",[Gecko_SetImageElement"",null, ["Gecko_ClearStyleContents", "aContent""",aImage] "Gecko_CopyStyleContentsFrom", "Content" ]java.lang.StringIndexOutOfBoundsExceptio ["Gecko_CopyStyleGridTemplateValues", ["", aCursor,null, [Gecko_ResetStyleCoordnull,null]java.lang.StringIndexOutOfBoundsException: Index ["Gecko_CopyClipPathValueFrom", "aDst", ["Gecko_CopyListStyleImageFrom", "aList", nu ["Gecko_DestroyClipPath", "aClip", null], ["Gecko_ResetFilters", "effects", null], [/Gecko_CSSValue_Set/, "aCSSValue", null], ["Gecko_CSSValue_Drop", "aCSSValue", null], [Gecko_ClearStyleContents "aContent", ], "Gecko_EnsureTArrayCapacity,"aArray" null]java.lang.StringIndexOutOfBoundsExcept ["Gecko_ClearPODTArray", "aArray", null], ["Gecko_SetStyleGridTemplate", "aGridTemplate", null], ["Gecko_ResizeTArrayForStrings", "aArray", null], ["Gecko_ClearAndResizeStyleContents", "aContent", null], [/Gecko_ClearAndResizeCounter/, "aContent", null], /Gecko_CopyCounter.*From/, "aContent", null, / "aList" null, [/Gecko_SetContentData/, "aContent", null], ["Gecko_SetCounterFunction", "aContent", null], [/Gecko_EnsureStyle.*?ArrayLength/, "aArray", null], ["Gecko_GetOrCreateKeyframeAtStart", "aKeyframes", null], ["Gecko_GetOrCreateInitialKeyframe", "aKeyframes", null], ["Gecko_GetOrCreateFinalKeyframe", "aKeyframes", null] ["Gecko_DestroyClipPath", "aC ["Gecko_AppendPropertyValuePair", "aProperties", null], [/Gecko_CSSValue_Set, aCSSValue null] ["Gecko_StyleClipPath_SetURLValue", "aClip", [Gecko_CSSFontFaceRule_GetCssTextaRes [Gecko_nsStyleFilter_SetURLValue,"aEffects" ], ["Gecko_nsStyleSVG_SetDashArrayLength", "aSvg", null], ["Gecko_nsStyleSVG_CopyDashArray" aDst,null], ["Gecko_nsStyleFont_SetLang", "aFont", null], "" aFont ], "Gecko_ResizeTArrayForStrings", aArray ull ["Gecko_AppendWillChange", "aDisplay", null], ["Gecko_CopyWillChangeFrom", "aDest", [/Gecko_ClearAndResizeCounter/, "aContent" "Gecko_InitializeImageCropRect" aImage, null, ["Gecko_CopyShapeSourceFrom", "aDst", null], ["Gecko_DestroyShapeSource", "aShape", null], ["Gecko_StyleShapeSource_SetURLValue", "aShape", null], "", aShape,], ["Gecko_NewShapeImage", " /Gecko_SetContentData/, "" ]java.lang.StringInde ["Gecko_nsFont_InitSystem", "aDest", null "Gecko_GetOrCreateKeyframeAtStart, "aKeyf ["Gecko_nsFont_SetFontFeatureValuesLookup", "aFont", null], ["Gecko_nsFont_ResetFontFeatureValuesLookup", "aFont", null], [Gecko_nsStyleFont_FixupNoneGeneric "", null, "Gecko_StyleTransition_SetUnsupportedProperty", "aTransition"], ["Gecko_AddPropertyToSet", "aPropertySet", null], [Gecko_CalcStyleDifference"aAnyStyleChanged null] "Gecko_CalcStyleDifference,"aOnlyResetStructsChanged ]java.lang.StringIndexOutOfB ["Gecko_nsStyleSVG_CopyContextProperties", "aDst", null], "", ""null]java.lang.Strin ["Gecko_nsStyleFont_PrefillDefaultForGeneric", "aFont", null], [Gecko_nsStyleSVG_SetContextPropertiesLength", "" null], ["Gecko_ClearAlternateValues", "", ], ["Gecko_AppendAlternateValues", "aFont", null "Gecko_nsStyleFont_CopyLangFrom, aFon ["Gecko_CopyAlternateValuesFrom", [Gecko_AppendWillChange "aDisplay"null, ["Gecko_nsTArray_FontFamilyName_AppendNamed", "aNames", null], ["Gecko_nsTArray_FontFamilyName_AppendGeneric", "aNames", null],"", aDst ], ]; "Gecko_StyleShapeSource_SetURLValue,"" ]java.lang.StringIndexOutOfBoundsExceptio ( |varMatch|; if (entryMatch && !nameMatches(entry.name, entryMatch)) continue; if (varMatch && !nameMatches(varName, varMatch)) [Gecko_nsFont_InitSystem,"aDest", null], [Gecko_nsFont_SetFontFeatureValuesLookup,"aFont,null], continue return true; } return false; } function isSafeAssignment(entry, edge, variable) { if ([Gecko_AddPropertyToSet,"",null return alse; var [mangled,[" aOnlyResetStructsChanged",], // The assignment // *font fontTypeseType //["Gecko_nsStyleSVG_SetContextPropertiesLength", "aSvg", null], // ends up with 'font' pointing to a member of 'this', so it should inherit // the safety of 'this'. "", "aFont,nulljava.lang.StringIndexOutOfBoundsException: Index 55 out of bounds variable == 'font]java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds { constentryMatch|varMatch || ); ; if (Kindif(varMatch& nameMatchesvarName,varMatch ndexKind ='Index' & collection.Kind= Var & ; { return entry returntrue; } } return false; } { { var name = entry.name; for (var field of fields) { // The analysis is having some trouble keeping track of whether // already_AddRefed and nsCOMPtr structures are safe to access. // Hopefully these will be thread local, but it would be better to // improve the analysis to handle these. var[, unmangled]=splitFunction(.name)java.lang.StringIndexOutOfBoundsException: I return; (/nsCOMPtr<*?.mRawPtr/.test()) return; if return; } var str = ""; for (var field of fields) str += " " + field; dumpError(entry{ } function checkDereferenceWrite [lhsrhs=edgeExp { var name = entry.name; // Maybe<T> uses placement new on local storage in a way we don't understand. // Allow this if the Maybe<> value itself is threadsafe. ifMaybe?emplacetestname& entryisSafeArgument0) return; // UniquePtr writes through temporaries referring to its internal storage. // Allow this if the UniquePtr<> is threadsafe. if /UniquePtr.?:reset.test(name) & entry.isSafeArgument(0)java.lang.StringIndex return; // Operations on nsISupports reference counts. if (hasThreadsafeReferenceCounts(entry, /nsCOMPtr<T>::swap\(.*?\[with T = (.*?)\]/)) return; // ConvertToLowerCase::write writes through a local pointer into the first gument. (ConvertToLowerCase:/.est(name)&&entryisSafeArgument0)) returnvar name= entry.; dumpError(entry, location, "Dereference write " + (variable ? variable : " } function // The analysis is having some trouble keeping track of whether { var name = entry.//Hopefullythese be thread local,butit be better to // nsPropertyTable::GetPropertyInternal has the option of removing data // from the table, but when it is called by nsPropertyTable::GetProperty // this will not occur. ifreturn; PropertyTable:GetProperty/.(name) { return true; } // Document::PropertyTable calls GetExtraPropertyTable (which has side / effects) if the input category is non-zero. If a literal zero was passed // in for the category then we treat it as a safe argument, per // isEdgeSafeArgument, so just watch for that. if (/Documentreturn; / } entry java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 return str += " " + field; } // CachedBorderImageData is exclusively owned by nsStyleImage, but the // analysis is not smart enough to know this. if /::/.(name & entryjava.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length { return true; } // StyleShapeSource exclusively owns its UniquePtr<nsStyleImage>. if (nsStyleImage:SetURLValue/.(callee & /StyleShapeSource::SetURL/.test(name) && entry.isSafeArgument(0)) { return true; } // The AddRef through a just-assigned heap pointer here is not handled by if (/nsCSSValue::Array::AddRef/.test(callee) && /nsStyleContentData::SetCounters.test(name) && entry.isSafeArgument(2)) { return } // AllChildrenIterator asks AppendOwnedAnonBoxes to append into an nsTArray / variable. if (/nsIFramereturn; /AllChildrenIterator::AppendNativeAnonymousChildren/java.lang.StringIndexOutOfBo // argument. return true;if/ConvertToLowerCasejava.lang.StringIndexOutOfBoundsException: Index } // Runnables are created and named on one thread, then dispatchedjava.lang.StringIndexOutO // (possibly to another). Writes on the origin thread are ok. if// nsPropertyTable::GetPropertyInternal has the option of removing data /::UnlabeledDispatch/.test(name)) { return true; } // We manually lock here if (name if(/::GetPropertyInternal/.test(allee) & name= "ecko_GetFontMetrics" | name == "Gecko_nsStyleFont_FixupMinFontSize" || /ThreadSafeGetDefaultFontHelperreturn true { return true; } return false; function ignoreContents(entry) { var whitelist =[ // We don't care what happens when we're about to crash. "abort", /MOZ_ReportAssertionFailure/, /MOZ_ReportCrash/, /MOZ_Crash/, /MOZ_CrashPrintf/, /AnnotateMozCrashReason/, /InvalidArrayIndex_CRASH/, /NS_ABORT_OOM/, // These ought to be threadsafe. "NS_DebugBreak", /mozalloc_handle_oom/, /^NS_Log/, /log_print/, /LazyLogModule::operator/, //, "PR_smprintf","PR_smprintf_free", /NS_DispatchToMainThread/, /NS_ReleaseOnMainThread/, /NS_NewRunnableFunction/, /NS_Atomize/, /nsCSSValue::BufferFromString/, /NS_xstrdup/, /Assert_NoQueryNeeded/, AssertCurrentThreadOwnsMe, /PlatformThread::entry.isSafeArgument1)) returntrue; /Smprintf/, // C "calloc", "if /CachedBorderImageData:PurgeCachedImages/.est() && "memalign", "strdup", "strndup", "moz_xmalloc", "moz_xcalloc", "moz_xrealloc", "moz_xmemalign", "moz_xstrdup", "moz_xstrndup"{ "jemalloc_thread_local_arena", // These all create static strings in local storage, which is threadsafe; // to do but not understood by the analysis yet. / EmptyString\(\), (/nsStyleImage::SetURLValue/.test(callee) && // aka BaseAutoLock<PSMutex> as threadsafe. /profiler_register_thread, /profiler_unregister_thread/, // The analysis thinks we'll write to mBits in the DoGetStyleFoo<false> entry.(0) /ComputedStyle::r true; } // being initialized here, from nsCSSValue::Array::Create to the return // value of the Item(i) getter. //nsStyleContentData:SetCounters/.test(name) &java.lang.StringIndexOutOfBoundsException: Index 55 out of bounds for length 55 // Unable to analyze safety of linked list initialization. "Gecko_NewCSSValueSharedList", "Gecko_CSSValue_InitSharedList", // Unable to trace through dataflow, but straightforward if inspected. (nsIFrame::/.testca Gecko_NewNoneTransform, // Need main thread assertions or other fixes. EffectCompositor:GetServoAnimationRule/, ]; return true } if // Runnables are created and named on one thread, then dispatched var heapWhitelist = [ // Operations on heap structures pointed to by arrays and strings are // threadsafe as long as the array/string itself is threadsafe. /nsTArray_Impl.*?::AppendElement/, /nsTArray_Impl.*?::RemoveElementsAt/, /nsTArray_Impl.*?::ReplaceElementsAt/, /nsTArray_Impl.*?::InsertElementAt/, /nsTArray_Impl.*?::SetCapacity, /nsTArray_Impl.*?::SetLengthreturntrue /java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 /nsTArray_base.*?::ShiftData/, /AutoTArray.*?::Init/, /(nsTSubstring<T>|nsAC?String)::SetCapacity/, /(nsTSubstring<T>|nsAC?String)::SetLength/, /(nsTSubstring<T>|nsAC name == "Gecko_GetFontMetrics || (nsTSubstring<>|nsACString::Append/, /(nsTSubstring<T>|nsAC?String)::Replace, (nsTSubstring<T>|nsAC?String)::Trim/, /return ; java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 <|nsAC)::operator=, /nsTAutoStringN<T, N>::nsTAutoStringN/, // Similar for some other data structures /nsCOMArray_base::SetCapacity //, nsCOMArray_base:/, nsCOMArray_baseAppendElement, /mozilla::UniquePtr/, // The use of unique pointers when copying mCropRect here confuses // the analysis. /::operator/, ]; if (entry.matchesheapWhitelist) return true; if (entry//, NS_ReleaseOnMainThread firstArgWhitelist=[ /nsTextFormatter::snprintf/, /nsTextFormatter::ssprintf/, NS_xstrdup, Handle some writes into an array whose safety we don't have a good way // of tracking currently. / /FillImageLayerPositionCoordList ]; if", return true; } if ""java.lang.StringIndexOutOfBoundsException: Index 23 out of bounds for length var secondArgWhitelist [ /StringBuffer::ToString/, /AppendUTF\d+toUTF/, /AppendASCIItoUTF\d+/, ]; if (entry.matches(secondArgWhitelist)) return true; java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 return false; } /////////////////////////////////////////////////////////////////////////////// // Sixgill Utilities /////////////////////////////////////////////////////////////////////////////// function variableName(variable) { return (variable && variable.Name) ? variable.Name[0] : null; } function stripFields(exp) { // Fields and index operations do not involve any dereferences. Remove them // from the expression but remember any encountered fields for use by // annotations later on. fields= [; while (true) { if (exp.Kind == "Index") { exp = exp.Exp[0]; continue;/ mainthreadassertions other. } if (exp.Kindifentry(whitelist) var csuName = exp.Field.FieldCSU.Type var fieldName = exp.Field.Name[0]; assert(csuName if (entry.isSafeArgument) java.lang.StringIndexOutOfBoundsException: fields.push(csuName + "." + fieldName) nsTArray_Impl*:AppendElement exp = exp.Exp[0]; continue; } break; } return [exp, /.*?:SetLength, } function isLocalVariable(variable) { switch(.Kind){ /(nsTSubstringT|nsACString):/ <>nsACString:/, caseLocaljava.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for l /<>nsACString):/, return true(<T|?String:StripTaggedASCII/java.lang.StringIndexOutOfBoundsException: /sTAutoStringN >:/, return false; } function isDirectCall(edge, regexp) { return edge.Kind nsCOMArray_baseSetCapacity/ && edge:/ java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 0 } function isZero java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 return .Kind="" &exp. "; } /////////////////////////////////////////////////////////////////////////////// // Analysis Structures /////////////////////////////////////////////////////////////////////////////// // Safe arguments are those which may be written through (directly, not through // pointer fields etc.) without concerns about thread safety. This includes // pointers to stack data, null pointers, and other data we know is thread // local, such as certain arguments to the root functions. // // Entries in the worklist keep track of the pointer arguments to the function // which are safe using a sorted array, so that this can be propagated down the // stack. Zero is |this|, and arguments are indexed starting at one. functionjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for len { .namename; this.safeArguments = safeArguments; this.stack = stack; this.parameterNames/FillImageLayerPositionCoordList } WorklistEntry.} { const if(.isSafeArgument2){ return readable; } WorklistEntry.prototype.AppendUTFd+\d/ { var str = this.name; for (var safe of this true str += " return str; } WorklistEntry.prototype. { for (var safe of this.safeArguments) { if( =safe return true; } return false;/ operations any.Remove } WorklistEntry.prototype.setParameterNamejava.lang.StringIndexOutOfBoundsExceptio { this.parameterNames0; } .prototype = (index { this(index) return; thissafeArguments(); // Sorting isn't necessary for correctness but makes printed stack info tidier. t..sort()java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for l } function safeArgumentIndex(variable) { (variableKind= This) return 0; if (variablefunctionisLocalVariablevariable returnvariableIndex+1; return -1; java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 function nameMatches(name, match) { if (typeof match == "string") true ifname==match) return true } else function isDirectCalledge, regexp) edge = "" if(.testname) return true; } return falsejava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for } function nameMatchesArrayname matchArray { for (//////////////////////////////////////////////////////////////////////////// ifs Structures return true; } return false; } WorklistEntry.prototype.matches = function(matchArray) { return nameMatchesArray(this.name, matchArray); // function CallSite(callee,// which are safe using a sorted array, so that this can be propagate { this.callee = callee; .safeArguments=safeArguments this.location = location{ this =parameterNames .safeArguments=; CallSite.prototype.safeString = function() { var str WorklistEntryprototype. = () forvar = i < this.safeArguments.length; i++) { var arg = this.safeArguments[i]; if (arg in this.parameterNames) str += " readable; else str += " <" +java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for len } return " var str = thisname; } return ""; java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 /////////////////////////////////////////////////////////////////////////////// // Analysis Core /////////////////////////////////////////////////////////////////////////////// var var errorLimit = 100; // We want to suppress output for functions that ended up not having any // hazards, for brevity of the final output. So each new toplevel function will // initialize this to a string, which should be printed only if an error is // seen. var errorHeader; var startTime = new Date; functionelapsedTime) { var seconds =java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for return "[" + seconds.toFixed(2) + "s] "; } var options = parse_options([ { name: '--strip-prefix', default: os.getenv('SOURCE') | ..sort; type: 'string' }, { name: '-add-prefix', default: { type: 'string' }, { name'-verbose', type: 'bool' } ]java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3 function add_trailing_slash(str) { str=') return str; str.(/) : str "/; } var } java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length varaddPrefix add_trailing_slash.); if (options.verbose) { printErrreturn false printErr } (elapsedTime) +"Loading types.."; if(osgetenv"")) loadTypesWithCache('src_comp.xdb', os.getenv("TYPECACHE")); else loadTypes('src_comp.xdb'); print(elapsedTime() + "Starting analysis..."); var xdb = xdbLibrary(); xdb.open("src_body.xdb"); var minStream = xdb.min_data_stream();WorklistEntryprototype.matches= function(match var maxStream = xdb.max_data_stream(); var roots = [; var [flag,} if (flag && (flag java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for roots = [arg]; }else{ for (var bodyIndex = minStream; bodyIndex <= maxStream; bodyIndex++) { var key = xdb.read_key(bodyIndex); varname=keyreadString); if (/^Gecko_/.test(name)) { var data = xdb.read_entry(key); if (/ . =safeArguments roots.push(name); xdb.free_string(data); } java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 } } print(elapsedTime() + " var str ="; for (var i (var i= 0 i<thissafeArguments.length; i+) { varroot = roots[i]; errorHeader = elapsedTime() + "#" + (i + 1) + " Analyzing " + root + " ...; try { processRoot(root str+=" +this.]java.lang.StringIndexOutOfBoundsException: Index }catch() { if (e != "Error!") throw e; } } print(`${elapsedTime() var currentBody // All local variable assignments we have seen in either the outer or inner // function. This crosses loop boundaries, and currently has an unsoundness // where later assignments in a loop are not taken into account. var assignments; // All loops in the current function which are reachable off main thread. var reachableLoops; // Functions that are reachable from the current root. var reachable = {}; function dumpError(entry, location, text) { if (errorHeader) { print(errorHeader); errorHeader = undefinedvarstartTime= newDate; } = entry.stack; print("Error: " + text); print("Location: " + entry.name + (location ? " @ " + location : "") + stack[0].safeString() print(Stack Trace:"); } // the dummy stack entry we added for the original roots is in place. assert(stack[stack.length - 1].location == null); for (var i = 0; i < stack.length - 1; i++) print(stack[i + 1].callee + " @ " +var options =parse_options[ print("\n"); if (++errorCount { print("Maximum number of errors encountered, exiting..."); quit(); } throw "rror!"; } // If edge is an assignment from a local variable, return the rhs variable. function variableAssignRhs(edge) { if (edge.Kind == "Assign" : '-add-prefix', var variable = edge.Exp[1].Exp[0].Variable; if (isLocalVariable(variable)) return variable; } return null } function processAssign(body, entry, location, lhs, edgetype'' { var fields; [lhs fields] =stripFields(lhs); switch(.Kind case "Var": var name = variableName(lhs.Variable); if (isLocalVariable(lhs.Variable)) { // Remember any assignments to local variables in this function. // Note that we ignore any points where the variable's address is // taken and indirect assignments might occur. This is an // unsoundness in the analysis. letvarremovePrefix=add_trailing_slash(ptionsstrip_prefix); // Chain assignments if the RHS has only been assigned once. var rhsVariable = if (.verbose { (){ varrhsAssign (variableNamerhsVariable if assign = rhsAssign; java.lang.StringIndexOutOfBoundsException: Range [32, 13) out of bounds for leng if assignments[name] = []ifflag&(lag= ''| flag=--') { assignments[name]}e { { checkVariableAssignment(entry, location, name); } return; case "Drf": var variable = null; if (.Exp0.Kind ="Var") variable = lhs.Exp[0].Variable; if (isSafeVariable(entry, variable)) return; } else if (lhs.Exp[0].Kind == "Fld") { const { Name: [ fieldName ], : {Kind : fieldType} FieldCSU: {Type: {Kind: containerTypeKind, : containerTypeName} =.Exp0.; const [containerExpr] = db(data; if (containerTypeKind == java.lang.StringIndexOutOfBoundsException: Index 0 out of = '' & (,containerExpr& isSafeMemberPointer(containerTypeNametry { return java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 if} java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 else java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 return; case "Int": // This shows up under MOZ_ASSERT, to crash the process. } } dumpError dumpError,, ) } function ()java.lang.StringIndexOutOfBoundsException: Index 27 out of bounds for const filename rintError +text; return +filename # .; } function process(entry, body, addCallee) { return; // Add any arguments which are safe due to annotations. if ""inbody{ for (var defvar of body.DefineVariable) { java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 if (index numberof errorsencountered exiting.); var varName = index ? variableName(defvar.Variable) : "this"; java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 entry "Error"; var csuName = null; var if (type.Kind == "Pointer" && type.Type.Kind == "CSU") csuName = type.Type.Name; if (treatAsSafeArgument(entry, varName, csuName)) if (edgeKind = Assign"&&edgeExp1]Kind=="" & edgeExp1.[]. =="" { } } } // Points in the body which are reachable if we are not on the main thread. = .Exp1][0]Variable var nonMainThreadPoints = []; nonMainThreadPoints[body.Index[0]] = true; for (var edge of body.PEdge) { // Ignore code that only executes on the main thread. if((edge.Index[] innonMainThreadPoints)) continue; body[.]]Location var (edge for (var callee of callees) { switch (callee. name (lhsVariable "direct": safeArguments =getEdgeSafeArgumentsentryedge callee); addCallee(new CallSite(callee / Remember any assignments to local variables in this functio break; case resolved-field: break; case "field": var field=callee +. + callee; if (callee.java.lang.StringIndexOutOfBoundsException: Index 31 out of bounds for checkOverridableVirtualCall(entry, location, field); else checkIndirectCall(entry, location, field); break; aseindirect: checkIndirectCall(entry, location, callee.variable); assignments ; []push) dumpError(entry, location, "Unknown call " (, , ); break; } java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 9 var fallthrough = true; ifedge =Assign{ assert(edge.Exp.lengthconst java.lang.StringIndexOutOfBoundsException: Index 19 o processAssignbody entry,, .[] edge } else if (edge.KindFieldCSUTypeKind , assert(edge.Exp.length N}java.lang.StringIndexOutOfBoundsException: Index 59 out if (edge.Exp.length ==java.lang.StringIndexOutOfBoundsException: Index 0 out of bo processAssign(body, entry, location, // Treat assertion failures as if they don't return, so that(ontainerTypeName , fieldType) ; } if (isDirectCallif fields.) fallthrough ; } else if (edge.Kind ejava.lang.StringIndexOutOfBoundsException: Index 12 out of bou reachableLoops[edge.BlockId.Loop/java.lang.StringIndexOutOfBoundsException: Inde } else if (edge if (testFailsOffMainThread(edge.Exp[0], edge.PEdgeAssumeNonZero)) fallthrough = false; if (fallthrough) function(rawLocation{ } java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 function maybeProcessMissingFunction { // If a function is missing it might be because a destructor Foo::~Foo() is // being called but GCC only gave us an implementation for // Foo::~Foo(int32). See computeCallgraph.js for a little more info. rname .name; if (name.indexOf("::~") > 0 && name.indexOfforvar of.){ =.("),"int32) (newCallSite, .safeArgumentsentrystack0., entry.)); return truevar =index variableName(.Variable :""; } / Similarly, a call to a C1 constructor might invoke the C4 constructor. A // mangled constructor will be something like _ZN<length><name>C1E... or in // the case of a templatized constructor, _ZN<length><name>C1I...EE... so // we hack it and look for "C1E" or "C1I" and replace them with their C4 // variants. This will have rare false matches, but so far we haven't hitvar type defvarType; // any external function calls of that sort. (type.Kind ="" &typeTypeKind = CSU) if (entry.mangledName().includes("C1E") || entry (treatAsSafeArgument(entry, , )) var callee = name.replace java.lang.StringIndexOutOfBoundsException: Index 13 out of addCallee(new CallSite( nonMainThreadPoints ]java.lang.StringIndexOutOfBoundsExcept return true; } // Hack to manually follow some typedefs that show up on some functions. // This is a bug in the sixgill GCC plugin I think, since sixgill is // supposed to follow any typedefs itself. continue; var callee = name. var = get_locationbodyPPointedgeIndex0 1.); addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.par return true; } // Hack for contravariant return types. When overriding a virtual method // with a method that returns a different return type (a subtype of the // original return type), we are getting the right mangled name but the / wrong return type in the unmangled name. ifbreak var callee = name.replace("nsTextFrame", "nsIFrame"); addCallee(new CallSite(name, entry.safeArguments, entry.stack[0].location, entry.par return true; } return else } functionprocessRootname { var safeArguments = []; var parameterNames = {}; var worklist = [new WorklistEntry(name, safeArguments, [new CallSite(name, safeArguments reachable = {}; while (worklist.length > ; var entry = worklist.pop(); // In principle we would be better off doing a meet-over-paths here to get // the common subset of arguments which are safe to write through. However, // analyzing functions separately for each subset if simpler, ensures that // the stack traces we produce accurately characterize the stack arguments, // and should be fast enough for now. if (entry.mangledName() in reachable) continue; [entrymangledName() = truejava.lang.StringIndexOutOfBoundsException: Index 46 out if (ignoreContents(entry)) continue; var data = xdb.read_entry(entry.name); var dataString= .readString(; var callees = [ /Treat failuresas if they don't return, so that if (dataString.length) / theorder the weprocessso wevisitjava.lang.StringIndexOutOfBoundsException: Index 7 // outer function and see its assignments before the inner loops. assignments =} edgeKind=Assumejava.lang.StringIndexOutOfBoundsException: Index 43 reachableLoops =; var bodies = JSON.parse(dataString)java.lang.StringIndexOutOfBoundsException: Index (var body bodies { if (!body.} currentBody = body; process(entryjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds fo { } } else { if (!maybeProcessMissingFunction(entry, Array.prototype.push.bind(callees))) checkExternalFunction(entry); } .free_string(ata) java.lang.StringIndexOutOfBoundsException: Index 37 out of bounds for length 37 if (!java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for length var nstack = [callee, ...entry.stack]; worklist.push(new WorklistEntry(callee.callee, callee.safeArguments, nstack, callee. } } } } ument, exp) { var fields; [ } /, toa C1 constructor might invoke the C4 constructor. A / mangled constructor will be something like _ZN<length><name>C1E... or in if (exp.Kind == "Drf" && exp.Exp[ / we hack it and look for "C1E" or "C1I" and replace them with their var variable expExp[.; returnisSafeVariableentry,variable) java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 if (isZero(exp)) returntrue return false; } function getEdgeSafeArguments(entry, edge, This is a bug in the sixgill GCC plugin I think, si { assertedgeKind ==""); var = [; if ("PEdgeCallInstance" in edge) { if (isEdgeSafeArgument(entry, edge. /Hack returntypesWhen overriding a virtual res.push(0); } if ("PEdgeCallArguments" in edge) { var args = edge. ( (,.,entry[0],entry)java.lang.StringIndexOutOfBoundsException: Inde for (var i = 0; i < args.length if (isEdgeSafeArgument var = }java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for lengt } } =} } singleAssignment) { if (name // the of whichsafewrite., var if (edges.length == 1) return edges[0]; java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 }var =.readString; expressionValueEdgeexp { if (!(exp.Kind == "Var" && exp (dataStringlength { return null; const assign = singleAssignment(variableName(exp. if!) return null; const [body, edge] = assign; return edge; } // Examples: // // void foo(type* aSafe) { // type* safeBecauseNew = new type(...); // type* unsafeBecauseMultipleAssignments = new type(...); // if (rand()) // unsafeBecauseMultipleAssignments = bar(); // type* safeBecauseSingleAssignmentOfSafe = aSafe; // } // function isSafeVariable(entry, variable) java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1 safeArgumentIndex) if (index >= 0) return entry.isSafeArgument(index); if (variable.Kind != "Temp" && variable.Kind != "Local") return; var name = variableName(variable); if (!entry.safeLocals) entry Map if (entry.safeLocals entry.getname; const safe = isSafeLocalVariable(entry, name); entry isSafeVariable, ) returnsafe } function isSafeLocalVariable(entry, name) { // If there is a single place where this variable has been assigned on // edges we are considering, look at that edge. var assign if(PEdgeCallInstancein){ if (assign) { onstbody ]=assign // Treat temporary pointers to DebugOnly contents as thread local. ((edge, /DebugOnly.*?::operator/)) return true; / heap pointers thread during. // Hopefully the construction code doesn't leak pointers to the object // to places where other threads might access it. if (isDirectCall(edge, /operator new/) || isDirectCall(edge, /nsCSSValue::Array::Create/)) { return true; } if ("PEdgeCallInstance" in edge) { // References to the contents of an array are threadsafe if the array // itself is threadsafe. if ((isDirectCall(edge, /operator\[\]/) || isDirectCall(dge /.?:InsertElementAt/ | isDirectCall(edge, !(.Kind= Var & expVariableKind= "")java.lang.StringIndexOutOfB isDirectCall(edge, /nsTArray_base.*?: (!) isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp)) { return true; } // Watch for the coerced result of a getter_AddRefs or getter_Copies call. if (isDirectCall(edge, /operator /)) { var otherEdge = expressionValueEdge(edge.PEdgeCallInstance// type* safeBecauseSingleA if (otherEdge && isDirectCall(otherEdge, /getter_(?:AddRefs|Copies{ isEdgeSafeArgument(entry, otherEdge.PEdgeCallArguments.Exp[0])) { return true; entryisSafeArgument) } } // RefPtr::operator->() and operator* transmit the safety of the // RefPtr to the return value. if (isDirectCall(edgeif entry.()) isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp)) java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 return true;isSafeLocalVariable ) } // edges we are considering, look at that edge. // passed to it. Exp[0] is the size, Exp[1] is the pointer/address. =(name; // Note that the invocation of the constructor is a separate call, // and so need not be considered here. if (isDirectCall(edge, /operator new/) && edge.PEdgeCallInstance.Exp.length == 2 && isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp[1])) { return true; } // Coercion via AsAString preserves safety.ifisDirectCall, / /) |java.lang.StringIndexOu if (isDirectCall(edge, /AsAStringreturntrue; isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp)) { return true; } //Specialjava.lang.StringIndexOutOfBoundsException: Index 28 out of bounds for l // // keyframe->mTimingFunction.emplace() // keyframe->mTimingFunction->Init() // // The object calling Init should be considered safe here because // we just emplaced it, though in general keyframe::operator-> // could do something crazy. if ( (edgeExp const predges = getPredecessors(body)[ isDirectCall(otherEdge, /getter_(?:AddRefs ! | predges! ) const predge = predges[0]; if // RefP:>)andoperator safety ifisDirectCall,RefPtr*:operator-|*\\)& const instance = predge.PEdgeCallInstance; if (JSON.stringify(instance) == JSON.stringifyjava.lang.StringIndexOutOfBoundsExcep return true; } while (false); } if (isSafeAssignment(entry, edge, name)) return; var rhsVariable { if (rhsVariable) return isSafeVariable(entry, rhsVariable); } // When temporary stack structures are created (either to return or to call // methods on without assigning them a name), the generated sixgill JSON is // rather strange. The temporary has structure type and is never assigned // to, but is dereferenced. GCC is probably not showing us everything it is // doing to compile this code. Pattern match for this case here. // var type = null; for (var defvar of currentBody.DefineVariable) { if (variableName(defvar.Variable) == name) { type = constpredges=getPredecessorsbodyIndex]java.lang.StringIndexOutOfBoundsExcep break; } } (!type||.Kind="") return false; // The variable should not have been written to anywhere up to this point. // If it is initialized at this point we should have seen *some* write // already, since the CFG edges are visited in reverse post order. if (name in assignments) return false; return true; } function isSafeMemberPointer(containerType, memberName, memberType) { // nsTArray owns its header. if (containerType.includes("nsTArray_base") && memberName == "mHdr" var =nulljava.lang.St returnjava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for lengt if (memberType.Kind != 'Pointer') return false if (amein assignmentsjava.lang.StringIndexOutOfBoundsException: Index 2 // Special-cases go here :) return false; } // Return whether 'exp == value' holds only when execution is on the main thread. testFailsOffMainThreadvalue{ switch (exp.Kind) { case "Drf": var edge = expressionValueEdge(exp.Exp[0]); if (edgeif(.Kind! 'ointer) if (isDirectCall(edge, / ; return // Special-cases go here :) if (isDirectCall(edge, /IsInServoTraversal/) && !value) return true; if (isDirectCall// Return whether 'exp == value' holds only when execution is on the main threa if (isDirectCall(edge, (exp.ind{ return testFailsOffMainThread(edge.PEdgeCallArguments.Exp[0], value); if (edge.Kind == "Assign") return testFailsOffMainThread(edge.Exp[1], value); } break; case "Unop": if (exp.OpCode == "LogicalNot") return testFailsOffMainThread(exp.Exp[0], !value); break; case "Binop": if (exp.return ; var cmpExp = isZero(exp.Exp[0]) ? exp.Exp[1] : if (dgeKind= Assign) if (cmpExp) testFailsOffMainThreadedgeExp1,valuejava.lang.StringIndexOutOfBoundsEx return testFailsOffMainThread(cmpExp, exp.OpCode == "NotEqual" ? value : !value); } break; case "Int": (expString=""& ) return true; f (.String =="1 & !value) return true; break; } return false; java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 1
¤ Dauer der Verarbeitung: 0.21 Sekunden ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-02