From 2f63d594a511598038fee9589195b49a64847e20 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Mon, 17 Mar 2025 18:12:42 -0700
Subject: [PATCH] Mark libc calls UNSAFE_TODO in non-base/
Change-Id: I8647303a28cd27a6ca44bd8e5d25c9cab094ab98
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6354281
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1433917}
---
cc/paint/paint_op_buffer.cc | 2 +-
cc/paint/paint_op_reader.cc | 7 ++++---
cc/paint/paint_op_writer.cc | 4 ++--
chromecast/base/hash_util.cc | 6 ++++--
.../shared_dictionary_with_byte_buffer.cc | 4 +++-
.../embedder_support/user_agent_utils.cc | 3 ++-
.../local_device_info_util_fuchsia.cc | 5 +++++
.../vector_icons/vector_icons_unittest.cc | 6 ++++--
.../service_worker_installed_script_reader.cc | 3 ++-
...peg_h264_to_annex_b_bitstream_converter.cc | 3 ++-
...to_annex_b_bitstream_converter_unittest.cc | 5 +++++
ppapi/cpp/dev/file_chooser_dev.cc | 5 +++++
ppapi/cpp/directory_entry.cc | 5 +++++
ppapi/cpp/file_io.cc | 5 +++++
ppapi/cpp/private/pass_file_handle.h | 5 +++++
remoting/host/linux/gvariant_ref.h | 4 ++--
rlz/lib/lib_values.cc | 7 ++++++-
sandbox/mac/sandbox_logging.cc | 5 +++++
sandbox/policy/win/hook_util/hook_util.cc | 5 +++++
...ia_perfetto_producer_connector_unittest.cc | 5 +++++
skia/ext/skia_utils_ios.mm | 5 +++--
.../blink/renderer/core/css/css_selector.cc | 7 ++++---
.../blink/renderer/core/css/css_selector.h | 12 +++++++-----
.../renderer/core/css/css_selector_list.h | 3 ++-
.../core/css/parser/css_parser_fast_paths.cc | 12 ++++++------
.../find_length_of_declaration_list-inl.h | 2 +-
.../renderer/core/css/properties/css_bitset.h | 4 +++-
...e_system_access_incognito_file_delegate.cc | 3 ++-
.../modules/indexeddb/idb_value_wrapping.cc | 3 ++-
.../modules/mediarecorder/vpx_encoder.cc | 5 +++--
.../modules/storage/cached_storage_area.cc | 6 +++---
.../webaudio/audio_buffer_source_handler.cc | 4 ++--
.../audio_scheduled_source_handler.cc | 4 ++--
.../webaudio/audio_worklet_processor.cc | 19 +++++++++++--------
.../webaudio/script_processor_handler.cc | 3 ++-
.../renderer/modules/webcodecs/audio_data.cc | 3 ++-
.../websockets/websocket_channel_impl.cc | 4 ++--
.../websocket_message_chunk_accumulator.cc | 2 +-
.../platform/fonts/font_description.cc | 5 +++--
.../platform/fonts/font_platform_data.cc | 2 +-
ui/gtk/gtk_key_bindings_handler.cc | 5 +++--
41 files changed, 142 insertions(+), 65 deletions(-)
diff --git a/cc/paint/paint_op_buffer.cc b/cc/paint/paint_op_buffer.cc
index dd5e5e3e922ab..d3854b34d3b20 100644
--- a/cc/paint/paint_op_buffer.cc
+++ b/cc/paint/paint_op_buffer.cc
@@ -490,7 +490,7 @@ PaintOpBuffer::BufferDataPtr PaintOpBuffer::ReallocBuffer(size_t new_size) {
std::unique_ptr<char, base::AlignedFreeDeleter> new_data(
static_cast<char*>(base::AlignedAlloc(new_size, kPaintOpAlign)));
if (data_)
- memcpy(new_data.get(), data_.get(), used_);
+ UNSAFE_TODO(memcpy(new_data.get(), data_.get(), used_));
BufferDataPtr old_data = std::move(data_);
data_ = std::move(new_data);
reserved_ = new_size;
diff --git a/cc/paint/paint_op_reader.cc b/cc/paint/paint_op_reader.cc
index 95d3dd9c49d38..c524df7096a81 100644
--- a/cc/paint/paint_op_reader.cc
+++ b/cc/paint/paint_op_reader.cc
@@ -187,8 +187,8 @@ uint8_t* PaintOpReader::CopyScratchSpace(size_t bytes) {
if (options_.scratch_buffer.size() < bytes) {
options_.scratch_buffer.resize(bytes);
}
- memcpy(options_.scratch_buffer.data(), const_cast<const uint8_t*>(memory_),
- bytes);
+ UNSAFE_TODO(memcpy(options_.scratch_buffer.data(),
+ const_cast<const uint8_t*>(memory_), bytes));
return options_.scratch_buffer.data();
}
@@ -203,7 +203,8 @@ void PaintOpReader::ReadData(base::span<uint8_t> data) {
return;
}
- memcpy(data.data(), const_cast<const uint8_t*>(memory_), data.size());
+ UNSAFE_TODO(
+ memcpy(data.data(), const_cast<const uint8_t*>(memory_), data.size()));
DidRead(data.size());
}
diff --git a/cc/paint/paint_op_writer.cc b/cc/paint/paint_op_writer.cc
index b0f7b03e308f7..5e826f54ce37e 100644
--- a/cc/paint/paint_op_writer.cc
+++ b/cc/paint/paint_op_writer.cc
@@ -485,7 +485,7 @@ void PaintOpWriter::WriteImage(const gpu::Mailbox& mailbox,
return;
}
- memcpy(memory_, mailbox.name, sizeof(mailbox.name));
+ UNSAFE_TODO(memcpy(memory_, mailbox.name, sizeof(mailbox.name)));
DidWrite(sizeof(mailbox.name));
Write(reinterpret_as_srgb);
}
@@ -821,7 +821,7 @@ void PaintOpWriter::WriteData(base::span<const uint8_t> data) {
return;
}
- memcpy(memory_, data.data(), data.size());
+ UNSAFE_TODO(memcpy(memory_, data.data(), data.size()));
DidWrite(data.size());
}
diff --git a/chromecast/base/hash_util.cc b/chromecast/base/hash_util.cc
index 5640a0bc7eda8..1e44c8baefd43 100644
--- a/chromecast/base/hash_util.cc
+++ b/chromecast/base/hash_util.cc
@@ -5,9 +5,11 @@
#include "chromecast/base/hash_util.h"
#include <limits.h>
+
#include <vector>
#include "base/check_op.h"
+#include "base/compiler_specific.h"
#include "base/hash/sha1.h"
#include "base/logging.h"
#include "base/notreached.h"
@@ -30,7 +32,7 @@ uint64_t HashToUInt64(const std::string& value) {
uint64_t output;
const std::string sha1hash = base::SHA1HashString(value);
DCHECK_GE(sha1hash.size(), sizeof(output));
- memcpy(&output, sha1hash.data(), sizeof(output));
+ UNSAFE_TODO(memcpy(&output, sha1hash.data(), sizeof(output)));
return output;
}
@@ -38,7 +40,7 @@ uint32_t HashToUInt32(const std::string& value) {
uint32_t output;
const std::string sha1hash = base::SHA1HashString(value);
DCHECK_GE(sha1hash.size(), sizeof(output));
- memcpy(&output, sha1hash.data(), sizeof(output));
+ UNSAFE_TODO(memcpy(&output, sha1hash.data(), sizeof(output)));
return output;
}
diff --git a/components/cronet/android/shared_dictionary_with_byte_buffer.cc b/components/cronet/android/shared_dictionary_with_byte_buffer.cc
index da9b43e1ae067..4d17c4aea22e4 100644
--- a/components/cronet/android/shared_dictionary_with_byte_buffer.cc
+++ b/components/cronet/android/shared_dictionary_with_byte_buffer.cc
@@ -6,6 +6,7 @@
#include "base/android/jni_array.h"
#include "base/android/jni_string.h"
+#include "base/compiler_specific.h"
#include "net/base/net_errors.h"
namespace cronet {
@@ -21,7 +22,8 @@ net::SHA256HashValue ByteArrayToSHA256(
void* const bytes = env->GetPrimitiveArrayCritical(
jdictionary_sha256_hash.obj(), /*isCopy=*/nullptr);
CHECK(bytes);
- memcpy(&dictionary_sha256_hash.data, bytes, dictionary_sha256_hash_size);
+ UNSAFE_TODO(
+ memcpy(&dictionary_sha256_hash.data, bytes, dictionary_sha256_hash_size));
env->ReleasePrimitiveArrayCritical(jdictionary_sha256_hash.obj(), bytes,
JNI_ABORT);
return dictionary_sha256_hash;
diff --git a/components/embedder_support/user_agent_utils.cc b/components/embedder_support/user_agent_utils.cc
index 5b3f84d65c162..941788ea3ea81 100644
--- a/components/embedder_support/user_agent_utils.cc
+++ b/components/embedder_support/user_agent_utils.cc
@@ -13,6 +13,7 @@
#include <vector>
#include "base/command_line.h"
+#include "base/compiler_specific.h"
#include "base/containers/contains.h"
#include "base/debug/stack_trace.h"
#include "base/feature_list.h"
@@ -385,7 +386,7 @@ std::string BuildCpuInfo() {
uname(&unixinfo);
// special case for biarch systems
- if (strcmp(unixinfo.machine, "x86_64") == 0 &&
+ if (UNSAFE_TODO(strcmp(unixinfo.machine, "x86_64")) == 0 &&
sizeof(void*) == sizeof(int32_t)) {
cpuinfo.assign("i686 (x86_64)");
} else {
diff --git a/components/sync_device_info/local_device_info_util_fuchsia.cc b/components/sync_device_info/local_device_info_util_fuchsia.cc
index 299904e6c199c..95caec1b2720b 100644
--- a/components/sync_device_info/local_device_info_util_fuchsia.cc
+++ b/components/sync_device_info/local_device_info_util_fuchsia.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include <limits.h>
#include <string.h>
#include <unistd.h>
diff --git a/components/vector_icons/vector_icons_unittest.cc b/components/vector_icons/vector_icons_unittest.cc
index 2b53462f754b8..4b7e3a6f9729e 100644
--- a/components/vector_icons/vector_icons_unittest.cc
+++ b/components/vector_icons/vector_icons_unittest.cc
@@ -4,6 +4,7 @@
#include "components/vector_icons/vector_icons_unittest.h"
+#include "base/compiler_specific.h"
#include "components/vector_icons/vector_icons.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "ui/gfx/vector_icon_utils.h"
@@ -20,8 +21,9 @@ class VectorIconsTest : public ::testing::Test {
for (size_t i = 0; i < path_elements.size(); ++i) {
EXPECT_EQ(icon.reps[i].path.size(), path_elements[i].size());
for (size_t j = 0; j < path_elements[i].size(); ++j) {
- EXPECT_EQ(0, memcmp(&path_elements[i][j], &icon.reps[i].path[j],
- sizeof(gfx::PathElement)));
+ EXPECT_EQ(
+ 0, UNSAFE_TODO(memcmp(&path_elements[i][j], &icon.reps[i].path[j],
+ sizeof(gfx::PathElement))));
}
}
}
diff --git a/content/browser/service_worker/service_worker_installed_script_reader.cc b/content/browser/service_worker/service_worker_installed_script_reader.cc
index ed7e17dcbb30a..01977c47f6a31 100644
--- a/content/browser/service_worker/service_worker_installed_script_reader.cc
+++ b/content/browser/service_worker/service_worker_installed_script_reader.cc
@@ -6,6 +6,7 @@
#include <utility>
+#include "base/compiler_specific.h"
#include "base/containers/span.h"
#include "base/functional/bind.h"
#include "base/memory/ref_counted.h"
@@ -174,7 +175,7 @@ void ServiceWorkerInstalledScriptReader::OnReadDataPrepared(
// TODO(crbug.com/40120038): Avoid copying |metadata| if |client_| doesn't
// need it.
auto buffer = base::MakeRefCounted<net::IOBufferWithSize>(metadata->size());
- memmove(buffer->data(), metadata->data(), metadata->size());
+ UNSAFE_TODO(memmove(buffer->data(), metadata->data(), metadata->size()));
meta_data_sender_ = std::make_unique<MetaDataSender>(
std::move(buffer), std::move(meta_producer_handle));
meta_data_sender_->Start(base::BindOnce(
diff --git a/media/filters/ffmpeg_h264_to_annex_b_bitstream_converter.cc b/media/filters/ffmpeg_h264_to_annex_b_bitstream_converter.cc
index d984d2490e71b..d527071cdcfee 100644
--- a/media/filters/ffmpeg_h264_to_annex_b_bitstream_converter.cc
+++ b/media/filters/ffmpeg_h264_to_annex_b_bitstream_converter.cc
@@ -6,6 +6,7 @@
#include <stdint.h>
+#include "base/compiler_specific.h"
#include "base/logging.h"
#include "media/ffmpeg/ffmpeg_common.h"
#include "media/formats/mp4/box_definitions.h"
@@ -90,7 +91,7 @@ bool FFmpegH264ToAnnexBBitstreamConverter::ConvertPacket(AVPacket* packet) {
av_packet_unref(packet);
// Finally, replace the values in the input packet.
- memcpy(packet, &dest_packet, sizeof(*packet));
+ UNSAFE_TODO(memcpy(packet, &dest_packet, sizeof(*packet)));
return true;
}
diff --git a/media/filters/h264_to_annex_b_bitstream_converter_unittest.cc b/media/filters/h264_to_annex_b_bitstream_converter_unittest.cc
index 1f56fd053fc8d..4f46036140acf 100644
--- a/media/filters/h264_to_annex_b_bitstream_converter_unittest.cc
+++ b/media/filters/h264_to_annex_b_bitstream_converter_unittest.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "media/filters/h264_to_annex_b_bitstream_converter.h"
#include <stdint.h>
diff --git a/ppapi/cpp/dev/file_chooser_dev.cc b/ppapi/cpp/dev/file_chooser_dev.cc
index 1229990d0af73..5e0f81203e75a 100644
--- a/ppapi/cpp/dev/file_chooser_dev.cc
+++ b/ppapi/cpp/dev/file_chooser_dev.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "ppapi/cpp/dev/file_chooser_dev.h"
#include <stddef.h>
diff --git a/ppapi/cpp/directory_entry.cc b/ppapi/cpp/directory_entry.cc
index 7cdf76588bf5c..6cd7e1bfbae28 100644
--- a/ppapi/cpp/directory_entry.cc
+++ b/ppapi/cpp/directory_entry.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "ppapi/cpp/directory_entry.h"
#include <string.h>
diff --git a/ppapi/cpp/file_io.cc b/ppapi/cpp/file_io.cc
index cd117b21bf6c8..4110f55dcf671 100644
--- a/ppapi/cpp/file_io.cc
+++ b/ppapi/cpp/file_io.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "ppapi/cpp/file_io.h"
#include <string.h> // memcpy
diff --git a/ppapi/cpp/private/pass_file_handle.h b/ppapi/cpp/private/pass_file_handle.h
index e30733b8baf92..b5353dcf112b9 100644
--- a/ppapi/cpp/private/pass_file_handle.h
+++ b/ppapi/cpp/private/pass_file_handle.h
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#ifndef PPAPI_CPP_PRIVATE_PASS_FILE_HANDLE_H_
#define PPAPI_CPP_PRIVATE_PASS_FILE_HANDLE_H_
diff --git a/remoting/host/linux/gvariant_ref.h b/remoting/host/linux/gvariant_ref.h
index 5d70d4730da53..7d01b0030353c 100644
--- a/remoting/host/linux/gvariant_ref.h
+++ b/remoting/host/linux/gvariant_ref.h
@@ -1081,7 +1081,7 @@ constexpr bool operator==(const ObjectPathCStr& lhs,
if (std::is_constant_evaluated()) {
return std::string_view(lhs.c_str()) == std::string_view(rhs.c_str());
} else {
- return std::strcmp(lhs.c_str(), rhs.c_str()) == 0;
+ return UNSAFE_TODO(std::strcmp(lhs.c_str(), rhs.c_str())) == 0;
}
}
@@ -1118,7 +1118,7 @@ constexpr bool operator==(const TypeSignatureCStr& lhs,
if (std::is_constant_evaluated()) {
return std::string_view(lhs.c_str()) == std::string_view(rhs.c_str());
} else {
- return std::strcmp(lhs.c_str(), rhs.c_str()) == 0;
+ return UNSAFE_TODO(std::strcmp(lhs.c_str(), rhs.c_str())) == 0;
}
}
diff --git a/rlz/lib/lib_values.cc b/rlz/lib/lib_values.cc
index a32d9e4224532..a277c7dba5b16 100644
--- a/rlz/lib/lib_values.cc
+++ b/rlz/lib/lib_values.cc
@@ -1,7 +1,12 @@
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
-//
+
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
// Key and value names of the location of the RLZ shared state.
#include "rlz/lib/lib_values.h"
diff --git a/sandbox/mac/sandbox_logging.cc b/sandbox/mac/sandbox_logging.cc
index 095c639b9893e..950cf7cfee4e1 100644
--- a/sandbox/mac/sandbox_logging.cc
+++ b/sandbox/mac/sandbox_logging.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "sandbox/mac/sandbox_logging.h"
#include <errno.h>
diff --git a/sandbox/policy/win/hook_util/hook_util.cc b/sandbox/policy/win/hook_util/hook_util.cc
index 48c1f299df073..bcf6847a8678e 100644
--- a/sandbox/policy/win/hook_util/hook_util.cc
+++ b/sandbox/policy/win/hook_util/hook_util.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "sandbox/policy/win/hook_util/hook_util.h"
#include <assert.h>
diff --git a/services/tracing/public/cpp/perfetto/fuchsia_perfetto_producer_connector_unittest.cc b/services/tracing/public/cpp/perfetto/fuchsia_perfetto_producer_connector_unittest.cc
index c8c5a7cefa19b..228493d320fc8 100644
--- a/services/tracing/public/cpp/perfetto/fuchsia_perfetto_producer_connector_unittest.cc
+++ b/services/tracing/public/cpp/perfetto/fuchsia_perfetto_producer_connector_unittest.cc
@@ -2,6 +2,11 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#ifdef UNSAFE_BUFFERS_BUILD
+// TODO(crbug.com/390223051): Remove C-library calls to fix the errors.
+#pragma allow_unsafe_libc_calls
+#endif
+
#include "services/tracing/public/cpp/perfetto/fuchsia_perfetto_producer_connector.h"
#include <fcntl.h>
diff --git a/skia/ext/skia_utils_ios.mm b/skia/ext/skia_utils_ios.mm
index 75eedf1d8721c..8022caf3d0ef9 100644
--- a/skia/ext/skia_utils_ios.mm
+++ b/skia/ext/skia_utils_ios.mm
@@ -10,6 +10,7 @@
#include <stdint.h>
#include "base/apple/scoped_cftyperef.h"
+#include "base/compiler_specific.h"
#include "base/ios/ios_util.h"
#include "base/logging.h"
#include "third_party/skia/include/utils/mac/SkCGUtils.h"
@@ -22,8 +23,8 @@ const uint8_t kICOHeaderMagic[4] = {0x00, 0x00, 0x01, 0x00};
bool EncodesIcoImage(NSData* image_data) {
if (image_data.length < std::size(kICOHeaderMagic))
return false;
- return memcmp(kICOHeaderMagic, image_data.bytes,
- std::size(kICOHeaderMagic)) == 0;
+ return UNSAFE_TODO(memcmp(kICOHeaderMagic, image_data.bytes,
+ std::size(kICOHeaderMagic))) == 0;
}
} // namespace
diff --git a/third_party/blink/renderer/core/css/css_selector.cc b/third_party/blink/renderer/core/css/css_selector.cc
index 4e78362b71677..259bed62e33cd 100644
--- a/third_party/blink/renderer/core/css/css_selector.cc
+++ b/third_party/blink/renderer/core/css/css_selector.cc
@@ -724,9 +724,10 @@ CSSSelector::PseudoType CSSSelector::NameToPseudoType(
DCHECK(entry.string);
// If strncmp returns 0, then either the keys are equal, or |name| sorts
// before |entry|.
- return strncmp(entry.string,
- reinterpret_cast<const char*>(name.Characters8()),
- name.length()) < 0;
+ return UNSAFE_TODO(
+ strncmp(entry.string,
+ reinterpret_cast<const char*>(name.Characters8()),
+ name.length())) < 0;
});
if (match == pseudo_type_map_end || match->string != name.GetString()) {
return CSSSelector::kPseudoUnknown;
diff --git a/third_party/blink/renderer/core/css/css_selector.h b/third_party/blink/renderer/core/css/css_selector.h
index bd7a2e295feb0..a56f842e418bc 100644
--- a/third_party/blink/renderer/core/css/css_selector.h
+++ b/third_party/blink/renderer/core/css/css_selector.h
@@ -938,8 +938,8 @@ inline CSSSelector::CSSSelector(CSSSelector&& o)
// constructor (i.e., using similar code as in the copy constructor above)
// after moving to Oilpan, copying the bits one by one. We already allow
// memcpy + memset by traits, so we can do it by ourselves, too.
- memcpy(this, &o, sizeof(*this));
- memset(&o, 0, sizeof(o));
+ UNSAFE_TODO(memcpy(this, &o, sizeof(*this)));
+ UNSAFE_TODO(memset(&o, 0, sizeof(o)));
}
inline CSSSelector::~CSSSelector() {
@@ -1004,9 +1004,11 @@ inline bool CSSSelector::IsIdClassOrAttributeSelector() const {
inline void swap(CSSSelector& a, CSSSelector& b) {
char tmp[sizeof(CSSSelector)];
- memcpy(tmp, &a, sizeof(CSSSelector));
- memcpy(&a, &b, sizeof(CSSSelector));
- memcpy(&b, tmp, sizeof(CSSSelector));
+ UNSAFE_TODO({
+ memcpy(tmp, &a, sizeof(CSSSelector));
+ memcpy(&a, &b, sizeof(CSSSelector));
+ memcpy(&b, tmp, sizeof(CSSSelector));
+ });
}
// Converts descendant to relative descendant, child to relative child
diff --git a/third_party/blink/renderer/core/css/css_selector_list.h b/third_party/blink/renderer/core/css/css_selector_list.h
index ff40b98e1570e..bfcf7d2ea2e5d 100644
--- a/third_party/blink/renderer/core/css/css_selector_list.h
+++ b/third_party/blink/renderer/core/css/css_selector_list.h
@@ -77,7 +77,8 @@ class CORE_EXPORT CSSSelectorList : public GarbageCollected<CSSSelectorList> {
explicit CSSSelectorList(base::PassKey<CSSSelectorList>) {}
CSSSelectorList(CSSSelectorList&& o) {
- memcpy(this, o.first_selector_, ComputeLength() * sizeof(CSSSelector));
+ UNSAFE_TODO(
+ memcpy(this, o.first_selector_, ComputeLength() * sizeof(CSSSelector)));
}
~CSSSelectorList() = default;
diff --git a/third_party/blink/renderer/core/css/parser/css_parser_fast_paths.cc b/third_party/blink/renderer/core/css/parser/css_parser_fast_paths.cc
index 876af08d4894b..a38df2b8acaec 100644
--- a/third_party/blink/renderer/core/css/parser/css_parser_fast_paths.cc
+++ b/third_party/blink/renderer/core/css/parser/css_parser_fast_paths.cc
@@ -307,7 +307,7 @@ static unsigned FindLengthOfValidDouble(const LChar* string, const LChar* end) {
#if defined(__SSE2__) || defined(__ARM_NEON__)
if (length >= 16) {
uint8_t b __attribute__((vector_size(16)));
- memcpy(&b, string, sizeof(b));
+ UNSAFE_TODO(memcpy(&b, string, sizeof(b)));
auto is_decimal_mask = (b >= '0' && b <= '9');
auto is_mark_mask = (b == '.');
#ifdef __SSE2__
@@ -853,7 +853,7 @@ ALWAYS_INLINE static bool ParseAlphaValue(const LChar*& string,
// Fast for LChar, reasonable for UChar.
template <int N>
static inline bool MatchesLiteral(const LChar* a, const char (&b)[N]) {
- return memcmp(a, b, N - 1) == 0;
+ return UNSAFE_TODO(memcmp(a, b, N - 1)) == 0;
}
template <int N>
@@ -911,8 +911,8 @@ static inline bool ConsumeFallbackValuesAndEndOfEnv(const LChar** a,
static inline bool MatchesCaseInsensitiveLiteral4(const LChar* a,
const char (&b)[5]) {
uint32_t av, bv;
- memcpy(&av, a, sizeof(av));
- memcpy(&bv, b, sizeof(bv));
+ UNSAFE_TODO(memcpy(&av, a, sizeof(av)));
+ UNSAFE_TODO(memcpy(&bv, b, sizeof(bv)));
uint32_t mask = 0;
if ((bv & 0xff) >= 'a' && (bv & 0xff) <= 'z') {
@@ -934,8 +934,8 @@ static inline bool MatchesCaseInsensitiveLiteral4(const LChar* a,
static inline bool MatchesCaseInsensitiveLiteral2(const LChar* a,
const char (&b)[3]) {
uint16_t av, bv;
- memcpy(&av, a, sizeof(av));
- memcpy(&bv, b, sizeof(bv));
+ UNSAFE_TODO(memcpy(&av, a, sizeof(av)));
+ UNSAFE_TODO(memcpy(&bv, b, sizeof(bv)));
uint16_t mask = 0;
if ((bv & 0xff) >= 'a' && (bv & 0xff) <= 'z') {
diff --git a/third_party/blink/renderer/core/css/parser/find_length_of_declaration_list-inl.h b/third_party/blink/renderer/core/css/parser/find_length_of_declaration_list-inl.h
index 3c0de8471b210..b866f83c5605a 100644
--- a/third_party/blink/renderer/core/css/parser/find_length_of_declaration_list-inl.h
+++ b/third_party/blink/renderer/core/css/parser/find_length_of_declaration_list-inl.h
@@ -468,7 +468,7 @@ static inline uint8x16_t LoadAndCollapseHighBytes(const UChar* ptr) {
}
static inline uint8x16_t LoadAndCollapseHighBytes(const LChar* ptr) {
uint8x16_t ret;
- memcpy(&ret, ptr, sizeof(ret));
+ UNSAFE_TODO(memcpy(&ret, ptr, sizeof(ret)));
return ret;
}
diff --git a/third_party/blink/renderer/core/css/properties/css_bitset.h b/third_party/blink/renderer/core/css/properties/css_bitset.h
index 94a7dab7bcfa2..1762e3d133226 100644
--- a/third_party/blink/renderer/core/css/properties/css_bitset.h
+++ b/third_party/blink/renderer/core/css/properties/css_bitset.h
@@ -83,7 +83,9 @@ class CORE_EXPORT CSSBitsetBase {
return false;
}
- inline void Reset() { std::memset(chunks_.data(), 0, sizeof(chunks_)); }
+ inline void Reset() {
+ UNSAFE_TODO(std::memset(chunks_.data(), 0, sizeof(chunks_)));
+ }
// Yields the CSSPropertyIDs which are set.
class Iterator {
diff --git a/third_party/blink/renderer/modules/file_system_access/file_system_access_incognito_file_delegate.cc b/third_party/blink/renderer/modules/file_system_access/file_system_access_incognito_file_delegate.cc
index 3daf0606ea523..2fb3752b6fe34 100644
--- a/third_party/blink/renderer/modules/file_system_access/file_system_access_incognito_file_delegate.cc
+++ b/third_party/blink/renderer/modules/file_system_access/file_system_access_incognito_file_delegate.cc
@@ -6,6 +6,7 @@
#include <optional>
+#include "base/compiler_specific.h"
#include "base/files/file.h"
#include "base/files/file_error_or.h"
#include "base/memory/scoped_refptr.h"
@@ -118,7 +119,7 @@ base::FileErrorOr<int> FileSystemAccessIncognitoFileDelegate::Read(
CHECK_LE(bytes_read, bytes_to_read);
CHECK_LE(buffer->size(), static_cast<uint64_t>(bytes_to_read));
- memcpy(data.data(), buffer->data(), bytes_to_read);
+ UNSAFE_TODO(memcpy(data.data(), buffer->data(), bytes_to_read));
} else {
CHECK_EQ(bytes_read, 0);
}
diff --git a/third_party/blink/renderer/modules/indexeddb/idb_value_wrapping.cc b/third_party/blink/renderer/modules/indexeddb/idb_value_wrapping.cc
index 2fcf40ace13b8..1761649830bc3 100644
--- a/third_party/blink/renderer/modules/indexeddb/idb_value_wrapping.cc
+++ b/third_party/blink/renderer/modules/indexeddb/idb_value_wrapping.cc
@@ -207,7 +207,8 @@ void IDBValueWrapper::MaybeCompress() {
// Compression wasn't very successful, but we still allocated a large chunk
// of memory, so we can repurpose it. This copy saves us from making another
// allocation later on in `MaybeStoreInBlob()` or `TakeWireBytes()`.
- memcpy(wire_data_buffer_.data(), wire_data_.data(), wire_data_size);
+ UNSAFE_TODO(
+ memcpy(wire_data_buffer_.data(), wire_data_.data(), wire_data_size));
wire_data_buffer_.resize(static_cast<wtf_size_t>(wire_data_size));
}
diff --git a/third_party/blink/renderer/modules/mediarecorder/vpx_encoder.cc b/third_party/blink/renderer/modules/mediarecorder/vpx_encoder.cc
index 536a881f88332..05aa68eed07cf 100644
--- a/third_party/blink/renderer/modules/mediarecorder/vpx_encoder.cc
+++ b/third_party/blink/renderer/modules/mediarecorder/vpx_encoder.cc
@@ -51,8 +51,9 @@ VpxEncoder::VpxEncoder(
use_vp9_(use_vp9),
is_screencast_(is_screencast),
on_error_cb_(on_error_cb) {
- std::memset(&codec_config_, 0, sizeof(codec_config_));
- std::memset(&alpha_codec_config_, 0, sizeof(alpha_codec_config_));
+ UNSAFE_TODO(std::memset(&codec_config_, 0, sizeof(codec_config_)));
+ UNSAFE_TODO(
+ std::memset(&alpha_codec_config_, 0, sizeof(alpha_codec_config_)));
codec_config_.g_timebase.den = 0; // Not initialized.
alpha_codec_config_.g_timebase.den = 0; // Not initialized.
}
diff --git a/third_party/blink/renderer/modules/storage/cached_storage_area.cc b/third_party/blink/renderer/modules/storage/cached_storage_area.cc
index 903eb70472494..1032fa34f69a2 100644
--- a/third_party/blink/renderer/modules/storage/cached_storage_area.cc
+++ b/third_party/blink/renderer/modules/storage/cached_storage_area.cc
@@ -731,7 +731,7 @@ String CachedStorageArea::Uint8VectorToString(const Vector<uint8_t>& input,
break;
}
StringBuffer<UChar> buffer(input_size / sizeof(UChar));
- std::memcpy(buffer.Characters(), input.data(), input_size);
+ UNSAFE_TODO(std::memcpy(buffer.Characters(), input.data(), input_size));
result = String::Adopt(buffer);
break;
}
@@ -797,7 +797,7 @@ Vector<uint8_t> CachedStorageArea::StringToUint8Vector(
unsigned length = input.length();
if (input.Is8Bit() && input.ContainsOnlyASCIIOrEmpty()) {
Vector<uint8_t> result(length);
- std::memcpy(result.data(), input.Characters8(), length);
+ UNSAFE_TODO(std::memcpy(result.data(), input.Characters8(), length));
return result;
}
// Handle 8 bit case where it's not only ascii.
@@ -824,7 +824,7 @@ Vector<uint8_t> CachedStorageArea::StringToUint8Vector(
StringUTF8Adaptor utf8(input,
WTF::Utf8ConversionMode::kStrictReplacingErrors);
Vector<uint8_t> result(utf8.size());
- std::memcpy(result.data(), utf8.data(), utf8.size());
+ UNSAFE_TODO(std::memcpy(result.data(), utf8.data(), utf8.size()));
return result;
}
case FormatOption::kLocalStorageDetectFormat: {
diff --git a/third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc b/third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc
index 705b5c997d91b..0c8595e3f7659 100644
--- a/third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc
+++ b/third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc
@@ -181,8 +181,8 @@ bool AudioBufferSourceHandler::RenderFromBuffer(
// Potentially zero out initial frames leading up to the offset.
if (destination_frame_offset) {
for (unsigned i = 0; i < number_of_channels; ++i) {
- memset(destination_channels_[i], 0,
- sizeof(float) * destination_frame_offset);
+ UNSAFE_TODO(memset(destination_channels_[i], 0,
+ sizeof(float) * destination_frame_offset));
}
}
diff --git a/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_handler.cc b/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_handler.cc
index 564e480f4b481..8a4039031f7e6 100644
--- a/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_handler.cc
+++ b/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_handler.cc
@@ -119,8 +119,8 @@ AudioScheduledSourceHandler::UpdateSchedulingInfo(size_t quantum_frame_size,
// start time in the middle of the quantum.
if (quantum_frame_offset) {
for (unsigned i = 0; i < output_bus->NumberOfChannels(); ++i) {
- memset(output_bus->Channel(i)->MutableData(), 0,
- sizeof(float) * quantum_frame_offset);
+ UNSAFE_TODO(memset(output_bus->Channel(i)->MutableData(), 0,
+ sizeof(float) * quantum_frame_offset));
}
}
diff --git a/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
index 2686a3074eeb0..e35e4d16a32e7 100644
--- a/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
+++ b/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
@@ -370,8 +370,9 @@ void AudioWorkletProcessor::CopyPortToArrayBuffers(
auto backing_store = array_buffers[bus_index][channel_index]
.Get(isolate)
->GetBackingStore();
- memcpy(backing_store->Data(), audio_bus->Channel(channel_index)->Data(),
- bus_length * sizeof(float));
+ UNSAFE_TODO(memcpy(backing_store->Data(),
+ audio_bus->Channel(channel_index)->Data(),
+ bus_length * sizeof(float)));
}
}
}
@@ -394,10 +395,11 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort(
// An ArrayBuffer might be transferred. So we need to check the byte
// length and silence the output buffer if needed.
if (backing_store->ByteLength() == bus_length) {
- memcpy(audio_bus->Channel(channel_index)->MutableData(),
- backing_store->Data(), bus_length);
+ UNSAFE_TODO(memcpy(audio_bus->Channel(channel_index)->MutableData(),
+ backing_store->Data(), bus_length));
} else {
- memset(audio_bus->Channel(channel_index)->MutableData(), 0, bus_length);
+ UNSAFE_TODO(memset(audio_bus->Channel(channel_index)->MutableData(), 0,
+ bus_length));
}
}
}
@@ -412,7 +414,8 @@ void AudioWorkletProcessor::ZeroArrayBuffers(
auto backing_store = array_buffers[bus_index][channel_index]
.Get(isolate)
->GetBackingStore();
- memset(backing_store->Data(), 0, backing_store->ByteLength());
+ UNSAFE_TODO(
+ memset(backing_store->Data(), 0, backing_store->ByteLength()));
}
}
}
@@ -551,8 +554,8 @@ bool AudioWorkletProcessor::CopyParamValueMapToObject(
return false;
}
- memcpy(float32_array->Buffer()->GetBackingStore()->Data(),
- param_array->Data(), array_length * sizeof(float));
+ UNSAFE_TODO(memcpy(float32_array->Buffer()->GetBackingStore()->Data(),
+ param_array->Data(), array_length * sizeof(float)));
}
return true;
diff --git a/third_party/blink/renderer/modules/webaudio/script_processor_handler.cc b/third_party/blink/renderer/modules/webaudio/script_processor_handler.cc
index 0b0ba0152eaf3..1f22a92b8303c 100644
--- a/third_party/blink/renderer/modules/webaudio/script_processor_handler.cc
+++ b/third_party/blink/renderer/modules/webaudio/script_processor_handler.cc
@@ -192,7 +192,8 @@ void ScriptProcessorHandler::Process(uint32_t frames_to_process) {
const float* source = UNSAFE_TODO(
static_cast<float*>(shared_output_buffer->channels()[i].Data()) +
buffer_read_write_index_);
- memcpy(destination, source, sizeof(float) * frames_to_process);
+ UNSAFE_TODO(
+ memcpy(destination, source, sizeof(float) * frames_to_process));
}
}
diff --git a/third_party/blink/renderer/modules/webcodecs/audio_data.cc b/third_party/blink/renderer/modules/webcodecs/audio_data.cc
index 70e9562a7533d..7462b37a3094e 100644
--- a/third_party/blink/renderer/modules/webcodecs/audio_data.cc
+++ b/third_party/blink/renderer/modules/webcodecs/audio_data.cc
@@ -672,7 +672,8 @@ void AudioData::CopyConvert(base::span<uint8_t> dest,
int32_t* dest_data = reinterpret_cast<int32_t*>(dest.data());
CHECK_LE(UNSAFE_TODO(offset_src_data + frame_count),
UNSAFE_TODO(src_data + data_as_f32_bus_->frames()));
- memcpy(dest_data, offset_src_data, sizeof(float) * frame_count);
+ UNSAFE_TODO(
+ memcpy(dest_data, offset_src_data, sizeof(float) * frame_count));
return;
}
default:
diff --git a/third_party/blink/renderer/modules/websockets/websocket_channel_impl.cc b/third_party/blink/renderer/modules/websockets/websocket_channel_impl.cc
index 97325e0638510..d7f5c10b6f82d 100644
--- a/third_party/blink/renderer/modules/websockets/websocket_channel_impl.cc
+++ b/third_party/blink/renderer/modules/websockets/websocket_channel_impl.cc
@@ -716,7 +716,7 @@ WebSocketChannelImpl::Message::Message(v8::Isolate* isolate,
type_(kMessageTypeText),
did_call_send_message_(did_call_send_message),
completion_callback_(std::move(completion_callback)) {
- memcpy(message_data_.get(), text.data(), text.length());
+ UNSAFE_TODO(memcpy(message_data_.get(), text.data(), text.length()));
pending_payload_ =
UNSAFE_TODO(base::span(message_data_.get(), text.length()));
}
@@ -738,7 +738,7 @@ WebSocketChannelImpl::Message::Message(v8::Isolate* isolate,
type_(kMessageTypeArrayBuffer),
did_call_send_message_(did_call_send_message),
completion_callback_(std::move(completion_callback)) {
- memcpy(message_data_.get(), message.data(), message.size());
+ UNSAFE_TODO(memcpy(message_data_.get(), message.data(), message.size()));
pending_payload_ =
UNSAFE_TODO(base::span(message_data_.get(), message.size()));
}
diff --git a/third_party/blink/renderer/modules/websockets/websocket_message_chunk_accumulator.cc b/third_party/blink/renderer/modules/websockets/websocket_message_chunk_accumulator.cc
index db0bd0b500196..b8efd9db237fd 100644
--- a/third_party/blink/renderer/modules/websockets/websocket_message_chunk_accumulator.cc
+++ b/third_party/blink/renderer/modules/websockets/websocket_message_chunk_accumulator.cc
@@ -47,7 +47,7 @@ void WebSocketMessageChunkAccumulator::Append(base::span<const char> data) {
pool_.pop_back();
}
const size_t to_be_written = std::min(data.size(), kSegmentSize);
- memcpy(segment_ptr.get(), data.data(), to_be_written);
+ UNSAFE_TODO(memcpy(segment_ptr.get(), data.data(), to_be_written));
data = data.subspan(to_be_written);
size_ += to_be_written;
segments_.push_back(std::move(segment_ptr));
diff --git a/third_party/blink/renderer/platform/fonts/font_description.cc b/third_party/blink/renderer/platform/fonts/font_description.cc
index 8bc1515591afd..4af1ad6ac6669 100644
--- a/third_party/blink/renderer/platform/fonts/font_description.cc
+++ b/third_party/blink/renderer/platform/fonts/font_description.cc
@@ -29,6 +29,7 @@
#include "third_party/blink/renderer/platform/fonts/font_description.h"
+#include "base/compiler_specific.h"
#include "base/memory/values_equivalent.h"
#include "base/strings/to_string.h"
#include "build/build_config.h"
@@ -67,13 +68,13 @@ bool FontDescription::use_subpixel_text_positioning_ = false;
// static
FontDescription FontDescription::CreateHashTableEmptyValue() {
FontDescription result;
- memset(&result, 0, sizeof(FontDescription));
+ UNSAFE_TODO(memset(&result, 0, sizeof(FontDescription)));
DCHECK(result.IsHashTableEmptyValue());
return result;
}
FontDescription::FontDescription(WTF::HashTableDeletedValueType) {
- memset(this, 0, sizeof(FontDescription));
+ UNSAFE_TODO(memset(this, 0, sizeof(FontDescription)));
fields_.hash_category_ = kHashDeletedValue;
}
diff --git a/third_party/blink/renderer/platform/fonts/font_platform_data.cc b/third_party/blink/renderer/platform/fonts/font_platform_data.cc
index 2f603329975ad..807b9fb53a847 100644
--- a/third_party/blink/renderer/platform/fonts/font_platform_data.cc
+++ b/third_party/blink/renderer/platform/fonts/font_platform_data.cc
@@ -215,7 +215,7 @@ unsigned FontPlatformData::GetHash() const {
// rules. Memcpy is generally optimized enough so that performance doesn't
// matter here.
uint32_t text_size_bytes;
- memcpy(&text_size_bytes, &text_size_, sizeof(uint32_t));
+ UNSAFE_TODO(memcpy(&text_size_bytes, &text_size_, sizeof(uint32_t)));
h ^= text_size_bytes;
return h;
diff --git a/ui/gtk/gtk_key_bindings_handler.cc b/ui/gtk/gtk_key_bindings_handler.cc
index 818ff1f48eab4..5f13e404e4c78 100644
--- a/ui/gtk/gtk_key_bindings_handler.cc
+++ b/ui/gtk/gtk_key_bindings_handler.cc
@@ -6,6 +6,7 @@
#include <array>
+#include "base/compiler_specific.h"
#include "base/logging.h"
#include "ui/base/ime/text_edit_commands.h"
#include "ui/events/event_constants.h"
@@ -118,7 +119,7 @@ ui::TextEditCommand GtkKeyBindingsHandler::MatchEvent(const ui::Event& event) {
void GtkKeyBindingsHandler::OnSettingsChanged(GSettings* settings,
const char* key) {
DCHECK(settings);
- if (strcmp(key, kGtkKeyTheme) != 0) {
+ if (UNSAFE_TODO(strcmp(key, kGtkKeyTheme)) != 0) {
return;
}
auto g_free_deleter = [](gchar* s) { g_free(s); };
@@ -127,7 +128,7 @@ void GtkKeyBindingsHandler::OnSettingsChanged(GSettings* settings,
if (!key_theme) {
return;
}
- emacs_theme_ = strcmp(key_theme.get(), kEmacsKeyTheme) == 0;
+ emacs_theme_ = UNSAFE_TODO(strcmp(key_theme.get(), kEmacsKeyTheme)) == 0;
}
} // namespace gtk