spanification: automatically spanify .../tracing/perfetto/privacy_filtering_check.cc etc. [chromium/src : main]

0 views
Skip to first unread message

Daniel Angulo (Gerrit)

unread,
Feb 13, 2026, 5:02:44 PMFeb 13
to Stephen Nusko, Arthur Sonzogni, Chromium LUCI CQ, AyeAye, spang...@chromium.org, tracing...@chromium.org, wfh+...@chromium.org
Attention needed from Arthur Sonzogni and Stephen Nusko

Daniel Angulo voted Commit-Queue+1

Commit-Queue+1
Open in Gerrit

Related details

Attention is currently required from:
  • Arthur Sonzogni
  • Stephen Nusko
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: Id28596d051629e66bec29f70a4fe700a121137e9
Gerrit-Change-Number: 7571428
Gerrit-PatchSet: 6
Gerrit-Owner: Daniel Angulo <angd...@google.com>
Gerrit-Reviewer: Arthur Sonzogni <arthurs...@chromium.org>
Gerrit-Reviewer: Daniel Angulo <angd...@google.com>
Gerrit-Reviewer: Stephen Nusko <nus...@chromium.org>
Gerrit-Attention: Stephen Nusko <nus...@chromium.org>
Gerrit-Attention: Arthur Sonzogni <arthurs...@chromium.org>
Gerrit-Comment-Date: Fri, 13 Feb 2026 22:02:38 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
satisfied_requirement
unsatisfied_requirement
open
diffy

Stephen Nusko (Gerrit)

unread,
Feb 15, 2026, 10:51:05 PM (12 days ago) Feb 15
to Daniel Angulo, Arthur Sonzogni, Chromium LUCI CQ, AyeAye, spang...@chromium.org, tracing...@chromium.org, wfh+...@chromium.org
Attention needed from Arthur Sonzogni and Daniel Angulo

Stephen Nusko added 10 comments

File services/tracing/perfetto/privacy_filtering_check.cc
Line 56, Patchset 6 (Latest):size_t acceptedFieldIdSize(const int* accepted_field_ids) {
size_t size = 0;
while (UNSAFE_TODO(accepted_field_ids[size]) != -1) {
size++;
}
return size;
}
Stephen Nusko . unresolved

This is highly performance sensitive code, I think we shouldn't be computing the size. As I said I think we should keep this as unsafe until we update the generator to use bounds checked objects.

Line 80, Patchset 6 (Latest): // SAFETY: proto is a pointer to the serialized trace proto which is a
// kProtoZeroMessageSet, which is a repeated field of
// TracePacket. TracePacket has a maximum size of 256 MiB - far below the
// threshold where we would need to use unsafe buffers.
Stephen Nusko . unresolved

What does this mean about "far below the threshold"? This comment doesn't explain why this is safe? I think the fact is ProtoDecoder is a span like type, and it doesn't do bounds checking, at the moment it has 1 unsafe constructor and 2 safe-ish constructors, we can't claim UNSAFE_BUFFERS here and wash our hands of it. Lets leave it as UNSAFE_TODO.

Line 84, Patchset 6 (Latest): auto proto_span = UNSAFE_BUFFERS(base::span(
Stephen Nusko . unresolved

Also this type is non-obvious type so auto hides the information.

```
base::span<uint8_t> proto_span = UNSAFE_TODO(base:span(proto->begin(), proto->bytes_left()));
```

Line 85, Patchset 6 (Latest): proto->begin(), static_cast<size_t>(proto->end() - proto->begin())));
Stephen Nusko . unresolved

use bytes_left()

Line 93, Patchset 6 (Latest): // SAFETY: MessageInfo states that the accepted_field_id is terminated by
Stephen Nusko . unresolved

Can you link to this?

Line 97, Patchset 6 (Latest): root->accepted_field_ids,
Stephen Nusko . unresolved

It feels like we should spanify this, but this is coming from generated code see (go/how-do-i-chrometto), so for now this needs to remain UNSAFE_TODO.

Line 119, Patchset 6 (Latest): output.append(proto_span.subspan(current_field_start).data(),
proto_span.subspan(next_field_start).data());
Stephen Nusko . unresolved

This doesn't look great (also two subspans being created)

```
const std::string_view msg_data =
base::as_string_view(proto_span.subspan(current_field_start, next_field_start - current_field_start));
output.append(msg_data.begin(), msg_data.end());
```

Perhaps?

Actually thinking about this a bit more we are just looping over `proto` and reading one by one, we can instead of creating a bunch of subspans just use SpanReader?

I.E.

```
base::SpanReader reader (proto_span);
size_t current_field_start = 0;
size_t next_field_start = 0;
for (auto f = proto->ReadField(); f.valid();
f = proto->ReadField(), current_field_start = next_field_start) {
next_field_start = proto->read_offset();
CHECK_EQ(reader.num_read(), current_field_start);
...
maybe_data = reader.Read(next_field_start - current_field_start);
output.append(maybe_data->begin(), maybe_data->end());
```
Line 157, Patchset 6 (Latest): .copy_from(base::as_byte_span(output).subspan(out_msg_start_offset,
Stephen Nusko . resolved

note: this has to remain copy_from (since it is potentially overlapping).

Line 163, Patchset 6 (Latest): .copy_from(base::span(field_id_buf).first(field_id_length));
Stephen Nusko . unresolved

copy_from_nonoverlapping

Line 167, Patchset 6 (Latest): .copy_from(base::span(payload_size_buf).first(payload_size_length));
Stephen Nusko . unresolved

copy_from_nonoverlapping

Open in Gerrit

Related details

Attention is currently required from:
  • Arthur Sonzogni
  • Daniel Angulo
Submit Requirements:
    • requirement satisfiedCode-Coverage
    • requirement is not satisfiedCode-Owners
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: chromium/src
    Gerrit-Branch: main
    Gerrit-Change-Id: Id28596d051629e66bec29f70a4fe700a121137e9
    Gerrit-Change-Number: 7571428
    Gerrit-PatchSet: 6
    Gerrit-Owner: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Arthur Sonzogni <arthurs...@chromium.org>
    Gerrit-Reviewer: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Stephen Nusko <nus...@chromium.org>
    Gerrit-Attention: Daniel Angulo <angd...@google.com>
    Gerrit-Attention: Arthur Sonzogni <arthurs...@chromium.org>
    Gerrit-Comment-Date: Mon, 16 Feb 2026 03:50:33 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    satisfied_requirement
    unsatisfied_requirement
    open
    diffy

    Arthur Sonzogni (Gerrit)

    unread,
    Feb 18, 2026, 8:34:11 AM (10 days ago) Feb 18
    to Daniel Angulo, Stephen Nusko, Chromium LUCI CQ, AyeAye, spang...@chromium.org, tracing...@chromium.org, wfh+...@chromium.org
    Attention needed from Daniel Angulo

    Arthur Sonzogni added 1 comment

    File services/tracing/perfetto/privacy_filtering_check.cc
    Line 163, Patchset 6: .copy_from(base::span(field_id_buf).first(field_id_length));
    Stephen Nusko . unresolved

    copy_from_nonoverlapping

    Arthur Sonzogni

    Hi @nus...@chromium.org, I have a different opinion about `copy_from`/`copy_from_nonoverlapping`. I don't really believe there are meaningful performance difference and we should use the short/safe version by default.

    I added some arguments below:
    https://chromium-review.googlesource.com/c/chromium/src/+/7541348/comment/7892b7db_f5eb5c23/

    WDYT?

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Angulo
    Submit Requirements:
    • requirement satisfiedCode-Coverage
    • requirement is not satisfiedCode-Owners
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: chromium/src
    Gerrit-Branch: main
    Gerrit-Change-Id: Id28596d051629e66bec29f70a4fe700a121137e9
    Gerrit-Change-Number: 7571428
    Gerrit-PatchSet: 8
    Gerrit-Owner: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Arthur Sonzogni <arthurs...@chromium.org>
    Gerrit-Reviewer: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Stephen Nusko <nus...@chromium.org>
    Gerrit-Attention: Daniel Angulo <angd...@google.com>
    Gerrit-Comment-Date: Wed, 18 Feb 2026 13:33:54 +0000
    Gerrit-HasComments: Yes
    Gerrit-Has-Labels: No
    Comment-In-Reply-To: Stephen Nusko <nus...@chromium.org>
    satisfied_requirement
    unsatisfied_requirement
    open
    diffy

    Daniel Angulo (Gerrit)

    unread,
    Feb 24, 2026, 5:12:07 PM (3 days ago) Feb 24
    to Stephen Nusko, Arthur Sonzogni, Chromium LUCI CQ, AyeAye, spang...@chromium.org, tracing...@chromium.org, wfh+...@chromium.org
    Attention needed from Stephen Nusko

    Daniel Angulo added 8 comments

    File services/tracing/perfetto/privacy_filtering_check.cc
    Line 56, Patchset 6:size_t acceptedFieldIdSize(const int* accepted_field_ids) {

    size_t size = 0;
    while (UNSAFE_TODO(accepted_field_ids[size]) != -1) {
    size++;
    }
    return size;
    }
    Stephen Nusko . resolved

    This is highly performance sensitive code, I think we shouldn't be computing the size. As I said I think we should keep this as unsafe until we update the generator to use bounds checked objects.

    Daniel Angulo

    Done

    Line 80, Patchset 6: // SAFETY: proto is a pointer to the serialized trace proto which is a

    // kProtoZeroMessageSet, which is a repeated field of
    // TracePacket. TracePacket has a maximum size of 256 MiB - far below the
    // threshold where we would need to use unsafe buffers.
    Stephen Nusko . resolved

    What does this mean about "far below the threshold"? This comment doesn't explain why this is safe? I think the fact is ProtoDecoder is a span like type, and it doesn't do bounds checking, at the moment it has 1 unsafe constructor and 2 safe-ish constructors, we can't claim UNSAFE_BUFFERS here and wash our hands of it. Lets leave it as UNSAFE_TODO.

    Daniel Angulo

    I leave it as UNSAFE_TODO for now.

    Line 84, Patchset 6: auto proto_span = UNSAFE_BUFFERS(base::span(
    Stephen Nusko . resolved

    Also this type is non-obvious type so auto hides the information.

    ```
    base::span<uint8_t> proto_span = UNSAFE_TODO(base:span(proto->begin(), proto->bytes_left()));
    ```

    Daniel Angulo

    Done

    Line 85, Patchset 6: proto->begin(), static_cast<size_t>(proto->end() - proto->begin())));
    Stephen Nusko . resolved

    use bytes_left()

    Daniel Angulo

    Done

    Line 93, Patchset 6: // SAFETY: MessageInfo states that the accepted_field_id is terminated by
    Stephen Nusko . resolved

    Can you link to this?

    Daniel Angulo

    Done

    Line 97, Patchset 6: root->accepted_field_ids,
    Stephen Nusko . resolved

    It feels like we should spanify this, but this is coming from generated code see (go/how-do-i-chrometto), so for now this needs to remain UNSAFE_TODO.

    Daniel Angulo

    Done

    Line 119, Patchset 6: output.append(proto_span.subspan(current_field_start).data(),
    proto_span.subspan(next_field_start).data());
    Stephen Nusko . resolved

    This doesn't look great (also two subspans being created)

    ```
    const std::string_view msg_data =
    base::as_string_view(proto_span.subspan(current_field_start, next_field_start - current_field_start));
    output.append(msg_data.begin(), msg_data.end());
    ```

    Perhaps?

    Actually thinking about this a bit more we are just looping over `proto` and reading one by one, we can instead of creating a bunch of subspans just use SpanReader?

    I.E.

    ```
    base::SpanReader reader (proto_span);
    size_t current_field_start = 0;
    size_t next_field_start = 0;
    for (auto f = proto->ReadField(); f.valid();
    f = proto->ReadField(), current_field_start = next_field_start) {
    next_field_start = proto->read_offset();
    CHECK_EQ(reader.num_read(), current_field_start);
    ...
    maybe_data = reader.Read(next_field_start - current_field_start);
    output.append(maybe_data->begin(), maybe_data->end());
    ```
    Daniel Angulo

    Done

    Line 167, Patchset 6: .copy_from(base::span(payload_size_buf).first(payload_size_length));
    Stephen Nusko . resolved

    copy_from_nonoverlapping

    Daniel Angulo

    Done

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Stephen Nusko
    Submit Requirements:
    • requirement satisfiedCode-Coverage
    • requirement is not satisfiedCode-Owners
    • requirement is not satisfiedCode-Review
    • requirement is not satisfiedNo-Unresolved-Comments
    • requirement is not satisfiedReview-Enforcement
    Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
    Gerrit-MessageType: comment
    Gerrit-Project: chromium/src
    Gerrit-Branch: main
    Gerrit-Change-Id: Id28596d051629e66bec29f70a4fe700a121137e9
    Gerrit-Change-Number: 7571428
    Gerrit-PatchSet: 8
    Gerrit-Owner: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Arthur Sonzogni <arthurs...@chromium.org>
    Gerrit-Reviewer: Daniel Angulo <angd...@google.com>
    Gerrit-Reviewer: Stephen Nusko <nus...@chromium.org>
    Gerrit-Attention: Stephen Nusko <nus...@chromium.org>
    Gerrit-Comment-Date: Tue, 24 Feb 2026 22:12:01 +0000
    satisfied_requirement
    unsatisfied_requirement
    open
    diffy

    Stephen Nusko (Gerrit)

    unread,
    Feb 24, 2026, 8:32:59 PM (3 days ago) Feb 24
    to Daniel Angulo, Arthur Sonzogni, Chromium LUCI CQ, AyeAye, spang...@chromium.org, tracing...@chromium.org, wfh+...@chromium.org
    Attention needed from Daniel Angulo

    Stephen Nusko added 2 comments

    Patchset-level comments
    File-level comment, Patchset 8 (Latest):
    Stephen Nusko . resolved

    Let me know when the tests are passing.

    File services/tracing/perfetto/privacy_filtering_check.cc
    Line 163, Patchset 6: .copy_from(base::span(field_id_buf).first(field_id_length));
    Stephen Nusko . resolved

    copy_from_nonoverlapping

    Arthur Sonzogni

    Hi @nus...@chromium.org, I have a different opinion about `copy_from`/`copy_from_nonoverlapping`. I don't really believe there are meaningful performance difference and we should use the short/safe version by default.

    I added some arguments below:
    https://chromium-review.googlesource.com/c/chromium/src/+/7541348/comment/7892b7db_f5eb5c23/

    WDYT?

    Stephen Nusko

    Interesting let me reply there, I'm happy to go with copy_from as a default, I had been operating as a clearly different buffers should be done with non_overlapping to ensure maximum performance to avoid impact due to our rewrites.

    In this code we're finishing a trace which isn't super performance critical happy to go with the safe versions here.

    Open in Gerrit

    Related details

    Attention is currently required from:
    • Daniel Angulo
    Submit Requirements:
      • requirement satisfiedCode-Coverage
      • requirement is not satisfiedCode-Owners
      • requirement is not satisfiedCode-Review
      • requirement is not satisfiedReview-Enforcement
      Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
      Gerrit-MessageType: comment
      Gerrit-Project: chromium/src
      Gerrit-Branch: main
      Gerrit-Change-Id: Id28596d051629e66bec29f70a4fe700a121137e9
      Gerrit-Change-Number: 7571428
      Gerrit-PatchSet: 8
      Gerrit-Owner: Daniel Angulo <angd...@google.com>
      Gerrit-Reviewer: Arthur Sonzogni <arthurs...@chromium.org>
      Gerrit-Reviewer: Daniel Angulo <angd...@google.com>
      Gerrit-Reviewer: Stephen Nusko <nus...@chromium.org>
      Gerrit-Attention: Daniel Angulo <angd...@google.com>
      Gerrit-Comment-Date: Wed, 25 Feb 2026 01:32:29 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Stephen Nusko <nus...@chromium.org>
      Comment-In-Reply-To: Arthur Sonzogni <arthurs...@chromium.org>
      satisfied_requirement
      unsatisfied_requirement
      open
      diffy
      Reply all
      Reply to author
      Forward
      0 new messages