chromium/tools/cfi/ignores.txt

#!special-case-list-v1
# TODO(crbug.com/41488956): update to glob patterns

# This file defines which warnings should be ignored while running clang's
# control flow integrity sanitizer, as run by the cfi_flags build target.

# ***If you think you need to add an entry here, read this comment first.***
#
# Generally prefer to add an attribute to whichever function needs it, instead
# of adding entries to this file. This can be done in the Chromium codebase
# using the NO_SANITIZE macro, e.g.
#
# NO_SANITIZE("cfi-unrelated-cast")
#
# or outside of Chromium using the no_sanitize attribute directly (potentially
# with guards against non-Clang compilers; see the definition of NO_SANITIZE in
# Chromium), e.g.
#
# __attribute__((no_sanitize("cfi-unrelated-cast")))

[cfi-unrelated-cast|cfi-derived-cast]
# Everything in this section is exempt from BOTH the unrelated-cast and the
# derived-cast checks (the '|' header applies the entries to each listed
# check). Prefixes: fun: matches a function name, type: a class name and
# src: a source path; '*' is the only wildcard under the v1 syntax declared at
# the top of the file. Each entry removes a cast check for whatever it
# matches, so keep patterns as narrow as possible and cite a bug.

# e.g. RolloverProtectedTickClock
fun:*MutableInstance*

# WTF allocators. See https://crbug.com/713293.
fun:*Allocate*Backing*

# WTF::ThreadSpecific
fun:*ThreadSpecific*

# LLVM's allocator
src:*llvm/Support/Allocator.h

# Deliberate bad cast to derived class to hide functions.
type:*BlockIUnknownMethods*
type:*BlockRefType*
type:*SkAutoTUnref*
type:*SkBlockComRef*
type:*RemoveIUnknown*
src:*atlcomcli.h

# src/base/win/event_trace_provider_unittest.cc
type:*EtwTraceProvider*

# b/64003142
fun:*internal_default_instance*

# CAtlArray<T> casts to uninitialized T*.
src:*atlcoll.h

# https://github.com/grpc/grpc/issues/19375
src:*third_party/grpc/src/src/core/lib/gprpp/inlined_vector.h

# https://crbug.com/994752
src:*third_party/spirv-cross/spirv-cross/spirv_cross_containers.hpp

# Vulkan memory allocator
src:*third_party/vulkan_memory_allocator/include/vk_mem_alloc.h

#############################################################################
# Base class's constructor accesses a derived class.
# (The object is not yet a complete derived instance at that point, which is
# what the derived-cast check reports.)

fun:*DoublyLinkedListNode*

# RenderFrameObserverTracker<T>::RenderFrameObserverTracker()
fun:*content*RenderFrameObserverTracker*RenderFrame*

# RenderViewObserverTracker<T>::RenderViewObserverTracker()
fun:*content*RenderViewObserverTracker*RenderView*

fun:*RefCountedGarbageCollected*makeKeepAlive*
fun:*ThreadSafeRefCountedGarbageCollected*makeKeepAlive*

#############################################################################
# Base class's destructor accesses a derived class.

fun:*DatabaseContext*contextDestroyed*

# FIXME: Cannot handle template function LifecycleObserver<>::setContext,
# so exclude source file for now.
# NOTE(review): this src: glob exempts the whole header, not just setContext;
# a fun: entry would be the narrower fix once the template name can be matched.
src:*lifecycle_observer.h*
#############################################################################
# Methods disabled due to perf considerations.

[cfi-vcall]
# Each fun: entry below lets the matched function perform virtual calls
# without the vtable check, i.e. a corrupted vptr would not be caught there.
# Entries that carry no crbug link (the "Unclear" group and the uncategorized
# WebKit group) have no recorded justification in this file; re-measure and
# drop them when the surrounding code is touched rather than extending them.

# Skia

# https://crbug.com/638056#c1
fun:*SkCanvas*onDrawRect*

# https://crbug.com/638064
fun:*SkCanvas*drawPicture*

# https://crbug.com/638060
fun:*SkCanvas*onDrawPicture*

# https://crbug.com/638064#c2
fun:*SkBaseDevice*accessPixels*

# https://crbug.com/638056
fun:*call_hline_blitter*
fun:*do_scanline*
fun:*antifilldot8*

# Unclear what could be done here
fun:*SkCanvas*drawRect*
fun:*SkPictureGpuAnalyzer*analyzePicture*
fun:*SkScalerContext*MakeRec*

# CC

# https://crbug.com/638056
fun:*LayerTreeHost*NotifySwapPromiseMonitorsOfSetNeedsCommit*

# WebKit
# The entries below have not been categorized

# cc::DisplayItemList::Inputs::~Inputs
fun:*cc*DisplayItemList*Inputs*

# NOTE(review): the short, unqualified patterns below (e.g. *hasAspectRatio*,
# *traceImpl*) match any function anywhere whose name contains that substring,
# not only the Blink methods they were presumably added for.
fun:*PaintInvalidationState*computePaintInvalidationRectInBacking*
fun:*AdjustAndMarkTrait*mark*
fun:*TraceTrait*trace*
fun:*ChromeClientImpl*scheduleAnimation*
fun:*hasAspectRatio*
fun:*nextBreakablePosition*
fun:*supportsCachedOffsets*
fun:*traceImpl*
#############################################################################
# Cross-DSO vcalls

[cfi-vcall|cfi-unrelated-cast|cfi-derived-cast]
# The three sandbox interface types below are exempt from all three checks at
# once. They are matched by type:, so every virtual call and cast involving
# these types is unchecked wherever it occurs, not just at the DSO boundary.

# These classes are used to communicate between chrome.exe and
# chrome_child.dll (see src/sandbox/win/src/sandbox.h,
# src/chrome/app/chrome_main.cc).
type:sandbox::BrokerServices
type:sandbox::TargetPolicy
type:sandbox::TargetServices
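#############################################################################
# Disabled indirect calls

[cfi-icall]
# Functions and files listed here may call through function pointers without
# the cfi-icall type check. Directory-wide src: globs (e.g. *ppapi/*,
# *media/cdm/*, *third_party/swiftshader/*, *native_client/*) exempt every
# indirect call in that tree; prefer a fun: entry or a single file where the
# offending call site is known. Each entry is matched independently, so list
# a path only once per section.

######### Cross-DSO icalls using dynamically resolved symbols crbug.com/771365

# ANGLE
# vulkan_icd.cpp also covers ANGLE's Vulkan function-pointer calls; it is
# listed once here rather than repeated under the Vulkan group below.
src:*third_party/angle/src/common/vulkan/vulkan_icd.cpp
src:*third_party/angle/src/libANGLE/*
src:*third_party/angle/src/libEGL/*
src:*third_party/angle/src/third_party/libXNVCtrl/NVCtrl.c
# third_party/angle/src/gpu_info_util/SystemInfo_libpci.cpp
fun:*GetPCIDevicesWithLibPCI*
# third_party/angle/src/common/event_tracer.cpp
fun:*GetTraceCategoryEnabledFlag*
fun:*AddTraceEvent*

# dav1d, calls to dav1d shared library from crabbyavif (Rust library). cfi-icall
# does not work when the callback is a Rust function and the parameters are
# fixed width integer types (or pointers to fixed width integer types).
# TODO(crbug.com/40266913): Remove this entry once Rust CFI is built with
# -fsanitize-cfi-icall-experimental-normalize-integers and
# -Zsanitizer-cfi-normalize-integers.
src:*third_party/dav1d/libdav1d/src/ref.c

# Dawn, calls to OpenGL and Vulkan function pointers from shared library.
src:*third_party/dawn/src/dawn/native/*

# Dawn uses std::function for callbacks from the main binary to
# liboptimization_guide_internal.so.
# TODO(crbug.com/41483637): See if we can avoid disabling CFI for std::function.
# NOTE(review): these two globs match the C++ standard library headers, so
# presumably every std::function invocation in the build is unchecked, not
# only Dawn's; this is likely the broadest exemption in the file.
src:*third_party/libc*/invoke.h
src:*third_party/libc*/function.h

# PPAPI
src:*ppapi/*
src:*content/renderer/pepper*
fun:*PpapiThread*
fun:*BrokerProcessDispatcher*
# Ignore base::{Once, Repeating}Callback due to https://crbug.com/845855
fun:*FunctorTraits*

# Calls to auto-generated stubs by generate_stubs.py
src:*audio/pulse/pulse_stubs.cc
src:*media/gpu/vaapi/va_stubs.cc

# Calls to auto-generated stubs by generate_library_loader.py
src:*content/browser/speech/tts_linux.cc

# Calls to auto-generated stubs by ui/gl/generate_bindings.py
src:*ui/gl/gl_bindings_autogen_*

# Calls to vulkan function pointers from shared library.
src:*third_party/vulkan_memory_allocator/include/vk_mem_alloc.h
src:*third_party/angle/third_party/vulkan-loader/src/loader*
src:*third_party/vulkan-loader/src/loader*
src:*third_party/vulkan-validation-layers/src/layers/*

src:*components/os_crypt/sync/*

src:*ui/accessibility/platform/browser_accessibility_auralinux.cc
src:*ui/accessibility/platform/ax_platform_node_auralinux.cc
src:*ui/accessibility/platform/ax_platform_atk_hyperlink.cc
src:*ui/accessibility/platform/ax_platform_node_auralinux_unittest.cc

src:*chrome/browser/ui/zoom/chrome_zoom_level_prefs.cc
# Both the old (linux/) and the current (linux/x11/) location are kept so the
# entry keeps matching across the directory move.
src:*third_party/webrtc/modules/desktop_capture/linux/x_server_pixel_buffer.cc
src:*third_party/webrtc/modules/desktop_capture/linux/x11/x_server_pixel_buffer.cc
src:*media/cdm/*
src:*third_party/swiftshader/*
src:*base/native_library_unittest.cc
src:*ui/gtk/app_indicator_icon.cc
src:*ui/gtk/unity_service.cc
src:*components/cronet/native/*
src:*third_party/breakpad/breakpad/src/client/linux/handler/exception_handler_unittest.cc

# chrome/browser/ui/views/frame/dbus_appmenu.cc
fun:*dbus_appmenu*

# third_party/skia/include/gpu/gl/GrGLFunctions.h
fun:*GrGLFunction*

# Call to libcurl.so from the symupload utility
src:*third_party/breakpad/breakpad/src/common/linux/http_upload.cc

# Indirect call to Xlib.
fun:*XImageDeleter*

src:*mojo/public/c/system/thunks.cc

# Call to vulkan function pointers from shared library.
src:*/third_party/skia/src/gpu/vk/*
src:*/third_party/skia/src/gpu/ganesh/vk/*
src:*/third_party/skia/third_party/vulkanmemoryallocator/*

# The following entries are speculatively disabled. They're included in the
# chromium build and include calls to dynamically resolved symbols; however,
# they do not trigger cfi-icall failures in unit tests or normal chrome usage.
# They're disabled to avoid failing in uncommon code paths. Be careful removing.
src:*net/http/http_auth_gssapi_posix.cc
src:*third_party/breakpad/breakpad/src/common/linux/libcurl_wrapper.cc
src:*third_party/crashpad/crashpad/snapshot/crashpad_info_client_options_test.cc
src:*third_party/skia/src/ports/SkFontHost_FreeType.cpp

# WebRTC / PipeWire
fun:*pw_registry_bind*
fun:*pw_core_get_registry*

######### Function pointers cast to incorrect type signatures

# libicu is currently compiled such that in libicu the 'UChar' type is
# defined as a char16_t internally, but for the rest of chromium it's an
# unsigned short, causing mismatched type signatures for icalls to/from icu
# https://crbug.com/732026
src:*third_party/icu/source/common/*
src:*third_party/blink/renderer/platform/wtf/*
# v8/src/intl.cc
fun:*LocaleConvertCase*

# PropertyCallbackArguments::Call methods cast function pointers
src:*v8/src/api-arguments-inl.h
src:*v8/src/api/api-arguments-inl.h

# v8 callback that casts argument template parameters
fun:*PendingPhantomCallback*Invoke*

# weak_callback_ is cast from original type.
fun:*GlobalHandles*PostGarbageCollectionProcessing*

fun:*InvokeAccessorGetterCallback*

# XNNPACK casts incorrect function signature to pthreadpool task type.
src:*third_party/pthreadpool/src/src/fastpath.c
src:*third_party/pthreadpool/src/src/portable-api.c

######### Uncategorized
# No recorded justification; the whole tree is exempt from the icall check.

src:*native_client/*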