We have a lot of pointer casts in our tree [1][2][3] and some security holes involve these casts going wrong [4][5].
Should we make debug builds check casts to (vtableful?) pointer types? This could be done by adding and calling an "assert_cast" function, or by adding a new "sanitizer" mode [6] to clang.

Questions:

* Is this worth doing?
  ** When fuzzing, is it likely that we'd find security bugs that don't crash (or don't crash reliably even with ASan) but do trigger these new assertions?
  ** When debugging or dealing with intermittent oranges, would these checks save time?
* Is it possible to 'query' vtableful objects by looking at vtable pointers, like gdb does [7]? Or does this quickly become so complicated that we might as well enable RTTI and use the same mechanism as dynamic_cast?
* Should we use specialized 'query' methods for nsIFrame, nsISupports, and/or nsIClassInfo?
* Should some of these checks be enabled in release builds?
* Would Gecko trigger many false positives?

[1] http://mxr.mozilla.org/mozilla-central/search?string=static_cast
[2] http://mxr.mozilla.org/mozilla-central/search?string=reinterpret_cast
[3] ack "\(ns[a-zA-Z]*\*\)"
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=704706#c2
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=466607#c3
[6] http://clang.llvm.org/docs/UsersManual.html#controlling-code-generation
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=762071#c9

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
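As an added illustration of the two mechanisms the post weighs against each other (this is example code written for this editorial pass, not Gecko code and not something the poster proposed verbatim), the block below sketches an `assert_cast` that is a plain `static_cast` in release builds and, in debug builds, verifies the downcast. Variant 1 uses RTTI and checks that `dynamic_cast` agrees with the `static_cast` the code actually performs. Variant 2 avoids RTTI by comparing the object's vtable pointer with that of a sentinel object of the target type, which is the "look at vtable pointers like gdb does" idea. The class hierarchy (`Base`, `Derived`, `MoreDerived`, `Other`), the `CHECK_CASTS` flag and all function names are invented for the example; the vtable-pointer variant additionally assumes the Itanium C++ ABI layout used by GCC and Clang (vptr at offset 0), single inheritance, and one vtable per class in the process.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <typeinfo>
#include <type_traits>

// Constructed hierarchy for the illustration (not Gecko classes).
struct Base {
  virtual ~Base() = default;
  virtual const char* name() const { return "Base"; }
};
struct Derived : Base {
  const char* name() const override { return "Derived"; }
  int payload = 42;
};
struct MoreDerived : Derived {
  const char* name() const override { return "MoreDerived"; }
};
struct Other : Base {
  const char* name() const override { return "Other"; }
};

// Variant 1: RTTI. The cast is valid when dynamic_cast agrees with the
// static_cast the code actually performs. Correct for subclasses of To and
// for multiple inheritance, but needs RTTI enabled in the build.
template <class To, class From>
bool cast_is_valid_rtti(From* p) {
  static_assert(std::is_base_of<From, To>::value, "only downcasts are checked");
  if (!p) return true;  // a null pointer casts fine; dereferencing it is a different bug
  return dynamic_cast<To*>(p) == static_cast<To*>(p);
}

// Variant 2: no RTTI. Compare the object's vtable pointer with the vtable
// pointer of a sentinel object of the exact target type. Assumptions (not
// guaranteed by the language): Itanium C++ ABI vptr at offset 0, single
// inheritance, and a single vtable per class in the process.
inline const void* vptr_of(const void* obj) {
  const void* vt = nullptr;
  std::memcpy(&vt, obj, sizeof vt);  // read the object's first pointer-sized word
  return vt;
}

template <class To, class From>
bool cast_is_valid_vptr(From* p) {
  static_assert(std::is_base_of<From, To>::value, "only downcasts are checked");
  static_assert(std::is_polymorphic<To>::value, "target must be vtableful");
  if (!p) return true;
  static To sentinel{};  // one instance of To gives us To's vtable address
  return vptr_of(p) == vptr_of(&sentinel);
}

// assert_cast: checked in debug builds, a plain static_cast otherwise.
// CHECK_CASTS stands in for a real build flag (assumption for the example).
#ifndef CHECK_CASTS
#define CHECK_CASTS 1
#endif

template <class To, class From>
To* assert_cast(From* p) {
#if CHECK_CASTS
  if (!cast_is_valid_rtti<To>(p)) {
    std::fprintf(stderr, "assert_cast: object of type %s is not a %s\n",
                 typeid(*p).name(), typeid(To).name());
    std::abort();
  }
#endif
  return static_cast<To*>(p);
}

int main() {
  Derived d; MoreDerived md; Other o;
  Base* objs[] = {&d, &md, &o};
  for (Base* b : objs) {
    std::printf("%-12s rtti:%d vptr:%d\n", b->name(),
                cast_is_valid_rtti<Derived>(b), cast_is_valid_vptr<Derived>(b));
  }
  // Derived passes both checks; MoreDerived passes RTTI but fails the exact-type
  // vptr check; Other fails both.
  return assert_cast<Derived>(static_cast<Base*>(&d))->payload == 42 ? 0 : 1;
}
```

The `MoreDerived` row is the point of interest for the "false positives" question: a vtable-pointer comparison against one sentinel is an exact-type check, so a legitimate cast of a subclass object to `Derived*` is flagged. Making it accept subclasses means walking every class's vtable or adding a virtual query method per hierarchy (the `nsIFrame`-style approach the post mentions), at which point RTTI and `dynamic_cast` are doing the same work with compiler support.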