diff options
author | krasin <krasin@google.com> | 2015-12-15 22:12:59 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-12-16 06:13:52 +0000 |
commit | 14cb7878cb522ad05480547690ec3990f4bbb156 (patch) | |
tree | d20346fc53ea9eecd22292d0e7bef79a7bc5094c /build/common.gypi | |
parent | 4e0992ba1a9d3c8d15bae3ffbb60f52a02f52680 (diff) | |
download | chromium_src-14cb7878cb522ad05480547690ec3990f4bbb156.zip chromium_src-14cb7878cb522ad05480547690ec3990f4bbb156.tar.gz chromium_src-14cb7878cb522ad05480547690ec3990f4bbb156.tar.bz2 |
Enable Control Flow Integrity for the official Linux Chrome. Try 6.
This CL turns on CFI, a security check:
https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity
http://clang.llvm.org/docs/ControlFlowIntegrity.html
This feature enables LTO (Link-Time Optimization) builds, which slow down the linker by 3x-4x.
CFI also comes with a code size overhead of about 7%-9%. The runtime CPU cost is less than 1%,
and should not be an issue.
BUG=chromium:464797
Intent to Implement thread:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/pbJqt6ccMII/7iJC2oklCAAJ
This is a sixth attempt to land the CL. Previous attempts:
https://codereview.chromium.org/1502373003/
https://codereview.chromium.org/1501593003/
https://codereview.chromium.org/1393283005/
https://codereview.chromium.org/1502233004/
https://codereview.chromium.org/1513623004/
The last time it failed, it was primarily due to the perf build slaves
being much slower then the local build or other GCE slaves,
see https://crbug.com/569732. This is still under investigation,
and the timeout has been increased in the mean time:
https://codereview.chromium.org/1528533003/
Review URL: https://codereview.chromium.org/1529993002
Cr-Commit-Position: refs/heads/master@{#365486}
Diffstat (limited to 'build/common.gypi')
-rw-r--r-- | build/common.gypi | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/build/common.gypi b/build/common.gypi index 800cefe..b2e8e6e 100644 --- a/build/common.gypi +++ b/build/common.gypi @@ -855,6 +855,13 @@ 'enable_prod_wallet_service%': 1, }], + # Enable Control Flow Integrity for the official Linux Chrome. + # This triggers an LTO build that requires LLVM Gold plugin to be + # downloaded. See src/tools/clang/scripts/update.py + ['OS=="linux" and target_arch=="x64" and buildtype=="Official" and branding=="Chrome" and chromeos==0', { + 'cfi_vptr%': 1, + }], + # Enable hotwording on Chrome-branded ChromeOS builds. ['branding=="Chrome" and chromeos==1', { 'enable_hotwording%': 1, |