Bug 1618782 - Enable hardening on win64-aarch64 build when the compiler supports it. r=rstewart

We only enabled hardening with an explicit --enable-hardening because we
needed a patch. That patch was applied to upstream clang 8.0.1, so we
can now enable automatically whenever using the right version.

The explicit --enable-hardening was also not applied to win64-aarch64
debug builds, and this indirectly enables it there too, matching other
debug builds. This also avoids breaking debug builds when enabling
winchecksec on cross builds.

Differential Revision: https://phabricator.services.mozilla.com/D68161

--HG--
extra : moz-landing-system : lando

browser/config/mozconfigs/win64-aarch64/common-opt

@@ -26,9 +26,3 @@ export MOZ_PACKAGE_JSSHELL=1
 if test -n "$MOZ_ARTIFACT_TASK_WIN32_OPT"; then
   ac_add_options --enable-eme=widevine
 fi
-
-# Temporary signal to toolchain.configure that our compiler is patched to
-# support CFG, until such support can be assumed.
-if test -z "$USE_ARTIFACT"; then
-  ac_add_options --enable-hardening
-fi

build/moz.configure/toolchain.configure

@@ -1635,10 +1635,8 @@ def security_hardening_cflags(hardening_flag, asan, debug, optimize, c_compiler,
             js_ldflags.append("-Wl,--dynamicbase")
 
         # Control Flow Guard (CFG) ----------------------------
-        # On aarch64, this is enabled only with explicit --enable-hardening
-        # (roughly: automation) due to a dependency on a patched clang-cl.
         if c_compiler.type == 'clang-cl' and c_compiler.version >= '8' and \
-           (target.cpu != 'aarch64' or hardening_flag):
+           (target.cpu != 'aarch64' or c_compiler.version >= '8.0.1'):
             flags.append("-guard:cf")
             js_flags.append("-guard:cf")
             # nolongjmp is needed because clang doesn't emit the CFG tables of