diff options
| author | krasin <krasin@google.com> | 2015-12-14 14:59:58 -0800 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-12-14 23:00:37 +0000 |
| commit | efe55ae0c0f26165d71d540ac319ccc9bc569cb3 (patch) | |
| tree | 5d9176cbaff1f68b4433a79a63f86fcf75419a19 /build/common.gypi | |
| parent | 506fb607874c407b10c0047871dc2365cecdb69a (diff) | |
| download | chromium_src-efe55ae0c0f26165d71d540ac319ccc9bc569cb3.zip chromium_src-efe55ae0c0f26165d71d540ac319ccc9bc569cb3.tar.gz chromium_src-efe55ae0c0f26165d71d540ac319ccc9bc569cb3.tar.bz2 | |
Enable Control Flow Integrity for the official Linux Chrome.
This CL turns on CFI, a security check:
https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity
http://clang.llvm.org/docs/ControlFlowIntegrity.html
This feature enables LTO (Link-Time Optimization) builds, which slow down the linker by 3x-4x.
CFI also comes with a code size overhead of about 7%-9%. The runtime CPU cost is less than 1%,
and should not be an issue.
BUG=chromium:464797
Intent to Implement thread:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/pbJqt6ccMII/7iJC2oklCAAJ
This is a fifth attempt to land the CL. Previous attempts:
https://codereview.chromium.org/1502373003/
https://codereview.chromium.org/1501593003/
https://codereview.chromium.org/1393283005/
https://codereview.chromium.org/1502233004/
The last time it failed, it was primarily due to the new Clang roll,
that had a bug in the linker. This is now fixed upstream and
the new Clang roll happened: https://crbug.com/568248
Perf bots were purple and got a RAM upgrade: https://crbug.com/567787
precice64 official buildbot got OOM due to too many Gold instances
running in parallel: https://crbug.com/568011, a more conservative
limit was submitted: https://codereview.chromium.org/1509733004/
TBR=thestig@chromium.org
Review URL: https://codereview.chromium.org/1513623004
Cr-Commit-Position: refs/heads/master@{#365117}
Diffstat (limited to 'build/common.gypi')
| -rw-r--r-- | build/common.gypi | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/build/common.gypi b/build/common.gypi index b81acbe..4fe6f67 100644 --- a/build/common.gypi +++ b/build/common.gypi @@ -847,6 +847,13 @@ 'enable_prod_wallet_service%': 1, }], + # Enable Control Flow Integrity for the official Linux Chrome. + # This triggers an LTO build that requires LLVM Gold plugin to be + # downloaded. See src/tools/clang/scripts/update.py + ['OS=="linux" and target_arch=="x64" and buildtype=="Official" and branding=="Chrome" and chromeos==0', { + 'cfi_vptr%': 1, + }], + # Enable hotwording on Chrome-branded ChromeOS builds. ['branding=="Chrome" and chromeos==1', { 'enable_hotwording%': 1, |