Port CFI build configuration to GN.

BUG=464797 R=brettw@chromium.org Review URL: https://codereview.chromium.org/1326053003 Cr-Original-Commit-Position: refs/heads/master@{#348323} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 34ab19d59ff4a5bc098d90eb7c4fc76afec568ef
2015-09-10 20:08:14 -07:00 · 2015-09-10 20:08:14 -07:00 · 1d304d9444
--- a/config/compiler/BUILD.gn
+++ b/config/compiler/BUILD.gn
@ -199,9 +199,9 @@ config("compiler") {
      ldflags += [ "-Wl,--fatal-warnings" ]
    }

-    # Common options for AddressSanitizer, LeakSanitizer, ThreadSanitizer and
-    # MemorySanitizer
-    if (using_sanitizer) {
+    # Common options for AddressSanitizer, LeakSanitizer, ThreadSanitizer,
+    # MemorySanitizer and non-official CFI builds.
+    if (using_sanitizer || (is_cfi && !is_official_build)) {
      cflags += [
        "-fno-omit-frame-pointer",
        "-gline-tables-only",
@ -239,6 +239,57 @@ config("compiler") {
        "-fsanitize-blacklist=$msan_blacklist_path",
      ]
    }
+    if (is_cfi && !is_nacl) {
+      cfi_blacklist_path =
+          rebase_path("//tools/cfi/blacklist.txt", root_build_dir)
+      cflags += [
+        "-flto",
+        "-fsanitize=cfi-vcall",
+        "-fsanitize=cfi-derived-cast",
+        "-fsanitize=cfi-unrelated-cast",
+        "-fsanitize-blacklist=$cfi_blacklist_path",
+      ]
+      ldflags += [
+        "-flto",
+        "-fsanitize=cfi-vcall",
+        "-fsanitize=cfi-derived-cast",
+        "-fsanitize=cfi-unrelated-cast",
+      ]
+
+      # Apply a lower LTO optimization level in non-official builds.
+      if (!is_official_build) {
+        if (is_linux) {
+          ldflags += [ "-Wl,-plugin-opt,O1" ]
+        } else if (is_mac) {
+          ldflags += [ "-Wl,-mllvm,-O1" ]
+        }
+      }
+
+      # Work-around for http://openradar.appspot.com/20356002
+      if (is_mac) {
+        ldflags += [ "-Wl,-all_load" ]
+      }
+
+      # Without this flag, LTO produces a .text section that is larger
+      # than the maximum call displacement, preventing the linker from
+      # relocating calls (http://llvm.org/PR22999).
+      if (current_cpu == "arm") {
+        ldflags += [ "-Wl,-plugin-opt,-function-sections" ]
+      }
+
+      if (use_cfi_diag) {
+        cflags += [
+          "-fno-sanitize-trap=cfi",
+          "-fsanitize-recover=cfi",
+        ]
+        ldflags += [
+          "-fno-sanitize-trap=cfi",
+          "-fsanitize-recover=cfi",
+        ]
+      } else {
+        defines += [ "CFI_ENFORCEMENT" ]
+      }
+    }

    if (use_custom_libcxx) {
      cflags_cc += [ "-nostdinc++" ]
@ -466,7 +517,7 @@ config("compiler") {
      "-Wl,-z,now",
      "-Wl,-z,relro",
    ]
-    if (!using_sanitizer) {
+    if (!using_sanitizer && !use_cfi_diag) {
      ldflags += [ "-Wl,-z,defs" ]
    }
  }
@ -1103,11 +1154,14 @@ config("rtti") {
  }
 }
 config("no_rtti") {
-  if (is_win) {
-    cflags_cc = [ "/GR-" ]
-  } else {
-    cflags_cc = [ "-fno-rtti" ]
-    cflags_objcc = cflags_cc
+  # CFI diagnostics require RTTI.
+  if (!use_cfi_diag) {
+    if (is_win) {
+      cflags_cc = [ "/GR-" ]
+    } else {
+      cflags_cc = [ "-fno-rtti" ]
+      cflags_objcc = cflags_cc
+    }
  }
 }

--- a/config/sanitizers/sanitizers.gni
+++ b/config/sanitizers/sanitizers.gni
@ -22,6 +22,14 @@ declare_args() {
  # errors. Only works on Windows. See
  # https://code.google.com/p/sawbuck/wiki/SyzyASanHowTo
  is_syzyasan = false
+
+  # Compile with Control Flow Integrity to protect virtual calls and casts.
+  # See http://clang.llvm.org/docs/ControlFlowIntegrity.html
+  is_cfi = false
+
+  # By default, Control Flow Integrity will crash the program if it detects a
+  # violation. Set this to true to print detailed diagnostics instead.
+  use_cfi_diag = false
 }

 # MSan only links Chrome properly in release builds (brettw -- 9/1/2015). The
--- a/toolchain/gcc_toolchain.gni
+++ b/toolchain/gcc_toolchain.gni
@ -2,6 +2,7 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

+import("//build/config/sanitizers/sanitizers.gni")
 import("//build/toolchain/toolchain.gni")

 # This value will be inherited in the toolchain below.
@ -173,7 +174,14 @@ template("gcc_toolchain") {

    tool("alink") {
      rspfile = "{{output}}.rsp"
-      command = "rm -f {{output}} && $ar rcs {{output}} @$rspfile"
+      arflags = ""
+      if (is_cfi && invoker.toolchain_os != "nacl") {
+        gold_plugin_path = rebase_path(
+                "//third_party/llvm-build/Release+Asserts/lib/LLVMgold.so",
+                root_build_dir)
+        arflags = "--plugin $gold_plugin_path"
+      }
+      command = "rm -f {{output}} && $ar rcs $arflags {{output}} @$rspfile"
      description = "AR {{output}}"
      rspfile_content = "{{inputs}}"
      outputs = [