From c367ee543983852e39c06b8009f9ef9678556a4b Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 21 Nov 2017 08:16:42 -0500
Subject: [PATCH] Add a CFI build flag.

This uses Clang's CFI feature.

Bug: 201
Change-Id: I7a42ec73dc8bfb3893ec69f2d2f4d7e3a2fd2cc4
Reviewed-on: https://boringssl-review.googlesource.com/23225
Commit-Queue: David Benjamin
CQ-Verified: CQ bot account: commit-bot@chromium.org
Reviewed-by: Steven Valdez
---
 CMakeLists.txt | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 338f212a..eb8717ac 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -238,6 +238,24 @@ if (ASAN)
 set(OPENSSL_NO_ASM "1")
 endif()
 
+if(CFI)
+ if(NOT CLANG)
+ message(FATAL_ERROR "Cannot enable CFI unless using Clang")
+ endif()
+
+ # TODO(crbug.com/785442): Remove -fsanitize-cfi-icall-generalize-pointers.
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -fsanitize-cfi-icall-generalize-pointers -flto")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -fsanitize-cfi-icall-generalize-pointers -flto")
+ # We use Chromium's copy of clang, which requires -fuse-ld=lld if building
+ # with -flto. That, in turn, can't handle -ggdb.
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld")
+ string(REPLACE "-ggdb" "-g" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+ string(REPLACE "-ggdb" "-g" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+ # -flto causes object files to contain LLVM bitcode. Mixing those with
+ # assembly output in the same static library breaks the linker.
+ set(OPENSSL_NO_ASM "1")
+endif()
+
 if (GCOV)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
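Review bot: `-fuse-ld=lld` is appended only to `CMAKE_EXE_LINKER_FLAGS` in the new `if(CFI)` block, so a configuration that also produces shared libraries would link the LTO bitcode objects with the default linker. Clang's CFI scheme also does not cover calls that cross a shared-library boundary unless `-fsanitize-cfi-cross-dso` is given. The hunk does not show whether `BUILD_SHARED_LIBS` is handled elsewhere; if CFI is meant for static builds only, failing at configure time makes that explicit: `if(BUILD_SHARED_LIBS)` / `message(FATAL_ERROR "CFI is only supported for static builds")` / `endif()`. The comments could also state that `-fno-sanitize-trap=cfi` selects the diagnostic runtime instead of a trap, and that `-fsanitize-cfi-icall-generalize-pointers` loosens the indirect-call type check. Together with `OPENSSL_NO_ASM`, which leaves the assembly implementations out of this configuration, that tells readers this is not the strictest CFI setting.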