author | krasin <krasin@google.com> | 2015-12-08 17:54:07 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-12-09 01:55:05 +0000 |
commit | 64719eadd90a3131a744baa89a1183bdcb1e2375 (patch) | |
tree | 22eb720997672e4d6d8b621e00bff1703c29e479 /build | |
parent | 21f29b1808232f12997f82fe7768d4dd12046ea9 (diff) | |
Enable Control Flow Integrity for the official Linux Chrome.
This CL turns on CFI, a security check:
https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity
http://clang.llvm.org/docs/ControlFlowIntegrity.html
This feature enables LTO (Link-Time Optimization) builds, which slow down the linker by 3x-4x.
CFI also comes with a code size overhead of about 7%-9%. The runtime CPU cost is less than 1%,
and should not be an issue.
BUG=chromium:464797
Intent to Implement thread:
https://groups.google.com/a/chromium.org/d/msg/chromium-dev/pbJqt6ccMII/7iJC2oklCAAJ
This is a fourth attempt to land the CL. Previous attempts:
https://codereview.chromium.org/1502373003/
https://codereview.chromium.org/1501593003/
https://codereview.chromium.org/1393283005/
The last time it failed, it was https://crbug.com/567637
(mismatched deps expectations for the installer).
Fixing the expectations.
Review URL: https://codereview.chromium.org/1502233004
Cr-Commit-Position: refs/heads/master@{#363895}
Diffstat (limited to 'build')
-rw-r--r-- | build/common.gypi | 7 |
-rw-r--r-- | build/config/sanitizers/sanitizers.gni | 11 |
2 files changed, 14 insertions, 4 deletions
diff --git a/build/common.gypi b/build/common.gypi index 91dd68a..850c370 100644 --- a/build/common.gypi +++ b/build/common.gypi @@ -847,6 +847,13 @@ 'enable_prod_wallet_service%': 1, }], + # Enable Control Flow Integrity for the official Linux Chrome. + # This triggers an LTO build that requires LLVM Gold plugin to be + # downloaded. See src/tools/clang/scripts/update.sh + ['OS=="linux" and target_arch=="x64" and buildtype=="Official" and branding=="Chrome" and chromeos==0', { + 'cfi_vptr%': 1, + }], + # Enable hotwording on Chrome-branded ChromeOS builds. ['branding=="Chrome" and chromeos==1', { 'enable_hotwording%': 1, diff --git a/build/config/sanitizers/sanitizers.gni b/build/config/sanitizers/sanitizers.gni index ddf28f1..a845da5 100644 --- a/build/config/sanitizers/sanitizers.gni +++ b/build/config/sanitizers/sanitizers.gni @@ -2,6 +2,8 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +import("//build/config/chrome_build.gni") + declare_args() { # Compile for Address Sanitizer to find memory bugs. is_asan = false @@ -37,10 +39,6 @@ declare_args() { # https://code.google.com/p/sawbuck/wiki/SyzyASanHowTo is_syzyasan = false - # Compile with Control Flow Integrity to protect virtual calls and casts. - # See http://clang.llvm.org/docs/ControlFlowIntegrity.html - is_cfi = false - # By default, Control Flow Integrity will crash the program if it detects a # violation. Set this to true to print detailed diagnostics instead. use_cfi_diag = false 
@@ -54,6 +52,11 @@ declare_args() { # declare_args block. User overrides are only applied at the end of a # declare_args block. declare_args() { + # Compile with Control Flow Integrity to protect virtual calls and casts. + # See http://clang.llvm.org/docs/ControlFlowIntegrity.html + is_cfi = is_linux && !is_chromeos && target_cpu == "x64" && + is_chrome_branded && is_official_build + # Use libc++ (buildtools/third_party/libc++ and # buildtools/third_party/libc++abi) instead of stdlibc++ as standard library. # This is intended to be used for instrumented builds. |
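Review bot: In the build/common.gypi hunk, the new condition `OS=="linux" and target_arch=="x64" and buildtype=="Official" and branding=="Chrome" and chromeos==0` repeats the predicate that build/config/sanitizers/sanitizers.gni expresses as the `is_cfi` default, and nothing ties the two together. Add a comment in each file pointing at the other, so that a later change to one build system does not leave GYP and GN official builds with different CFI coverage.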
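Review bot: In the last build/config/sanitizers/sanitizers.gni hunk, the comment above the new `is_cfi` default is the same text it carried when the value was `false`. It does not say that CFI is now on by default for official Chrome-branded Linux x64 builds, nor that this brings in an LTO build that needs the LLVM Gold plugin, which the common.gypi comment does mention. Carry that note over and say that setting `is_cfi = false` in the build args turns it off. The default expression also does not look at `is_asan` from the first declare_args block; if that combination is not meant to be supported, add `&& !is_asan` or an assert.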