# Copyright 2014 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. import("//build/config/clang/clang.gni") import("//build/config/ohos/config.gni") import("//build/config/sanitizers/sanitizers.gni") import("//build/misc/overrides/build.gni") import("//build/ohos_var.gni") import("//build/toolchain/toolchain.gni") # Contains the dependencies needed for sanitizers to link into executables and # shared_libraries. group("deps") { if (using_sanitizer && !is_mingw) { public_configs = [ ":sanitizer_options_link_helper", # Even when a target removes default_sanitizer_flags, it may be depending # on a library that did not remove default_sanitizer_flags. Thus, we need # to add the ldflags here as well as in default_sanitizer_flags. ":default_sanitizer_ldflags", ] if (use_musl) { public_configs -= [ ":sanitizer_options_link_helper" ] public_configs -= [ ":default_sanitizer_ldflags" ] } deps = [ ":options_sources" ] if (is_win) { exe = ".exe" } else { exe = "" } data = [ "//tools/valgrind/asan/", "$clang_base_path/bin/llvm-symbolizer${exe}", ] if (use_prebuilt_instrumented_libraries || use_locally_built_instrumented_libraries) { deps += [ "//third_party/instrumented_libraries:deps" ] } # ASAN is supported on iOS but the runtime library depends on the compiler # used (Chromium version of clang versus Xcode version of clang). Only copy # the ASAN runtime on iOS if building with Chromium clang. if (is_win || is_mac || !use_xcode_clang) { data_deps = [ ":copy_asan_runtime" ] } if (is_mac || !use_xcode_clang) { public_deps = [ ":asan_runtime_bundle_data" ] } } } if ((is_mac || is_win || !use_xcode_clang || is_ohos) && using_sanitizer) { if (is_mac) { _clang_rt_dso_path = "darwin/libclang_rt.asan_osx_dynamic.dylib" } else if (is_win && target_cpu == "x86") { _clang_rt_dso_path = "windows/clang_rt.asan_dynamic-i386.dll" } else if (is_win && target_cpu == "x64") { _clang_rt_dso_path = "windows/clang_rt.asan_dynamic-x86_64.dll" } else if (is_ohos) { if (target_cpu == "arm64") { if (use_hwasan) { _clang_rt_dso_path = "aarch64-linux-ohos/libclang_rt.hwasan.so" } else { _clang_rt_dso_path = "aarch64-linux-ohos/libclang_rt.asan.so" } } else if (target_cpu == "arm") { _clang_rt_dso_path = "arm-linux-ohos/libclang_rt.asan.so" } else if (target_cpu == "x86_64") { _clang_rt_dso_path = "x86_64-linux-ohos/libclang_rt.asan.so" } else if (target_cpu == "riscv64") { _clang_rt_dso_path = "riscv64-linux-ohos/libclang_rt.asan.so" } } _clang_rt_dso_full_path = "$clang_base_path/lib/clang/$clang_version/lib/$_clang_rt_dso_path" copy("copy_asan_runtime") { sources = [ _clang_rt_dso_full_path ] outputs = [ "$root_out_dir/{{source_file_part}}" ] } if (is_mac || !use_xcode_clang) { bundle_data("asan_runtime_bundle_data") { sources = get_target_outputs(":copy_asan_runtime") outputs = [ "{{bundle_executable_dir}}/{{source_file_part}}" ] public_deps = [ ":copy_asan_runtime" ] } } } config("sanitizer_options_link_helper") { if (is_mac) { ldflags = [ "-Wl,-U,_sanitizer_options_link_helper" ] } else if (!is_win && !is_mingw) { ldflags = [ "-Wl,-u_sanitizer_options_link_helper" ] } } static_library("options_sources") { # This is a static_library instead of a source_set, as it shouldn't be # unconditionally linked into targets. visibility = [ ":deps", "//:gn_visibility", ] sources = [ "//build/misc/sanitizers/sanitizer_options.cc" ] # Don't compile this target with any sanitizer code. It can be called from # the sanitizer runtimes, so instrumenting these functions could cause # recursive calls into the runtime if there is an error. configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ] if (is_asan) { if (!defined(asan_suppressions_file)) { asan_suppressions_file = "//build/misc/sanitizers/asan_suppressions.cc" } sources += [ asan_suppressions_file ] } if (is_lsan) { if (!defined(lsan_suppressions_file)) { lsan_suppressions_file = "//build/misc/sanitizers/lsan_suppressions.cc" } sources += [ lsan_suppressions_file ] } if (is_tsan) { if (!defined(tsan_suppressions_file)) { tsan_suppressions_file = "//build/misc/sanitizers/tsan_suppressions.cc" } sources += [ tsan_suppressions_file ] } } # Applies linker flags necessary when either :deps or :default_sanitizer_flags # are used. config("default_sanitizer_ldflags") { visibility = [ ":default_sanitizer_flags", ":deps", ] if (is_posix && !is_mingw) { ldflags = [] if (is_asan) { if (!use_musl) { ldflags += [ "-fsanitize=address" ] } if (is_mac) { # https://crbug.com/708707 ldflags += [ "-fno-sanitize-address-use-after-scope" ] } else { ldflags += [ "-fsanitize-address-use-after-scope" ] } ldflags += [ "-fsanitize-recover=address" ] } if (is_lsan) { ldflags += [ "-fsanitize=leak" ] } if (is_tsan) { ldflags += [ "-fsanitize=thread" ] } if (is_msan) { ldflags += [ "-fsanitize=memory" ] } if (is_ubsan || is_ubsan_security) { ldflags += [ "-fsanitize=undefined" ] } if (is_ubsan_null) { ldflags += [ "-fsanitize=null" ] } if (is_ubsan_vptr) { ldflags += [ "-fsanitize=vptr" ] } if (is_safestack) { ldflags += [ "-fsanitize=safe-stack" ] } if (use_sanitizer_coverage) { if (use_libfuzzer && !is_mac) { ldflags += [ "-fsanitize=fuzzer-no-link" ] fuzzer_lib_path = rebase_path( "$clang_base_path/lib/clang/$clang_version/lib/$abi_target/libclang_rt.fuzzer_no_main.a", root_build_dir) ldflags += [ "-Wl,--whole-archive", "$fuzzer_lib_path", "-Wl,--no-whole-archive", ] } else { ldflags += [ "-fsanitize-coverage=$sanitizer_coverage_flags" ] } } if (is_cfi && current_toolchain == default_toolchain) { ldflags += [ "-fsanitize=cfi-vcall" ] if (use_cfi_cast) { ldflags += [ "-fsanitize=cfi-derived-cast", "-fsanitize=cfi-unrelated-cast", ] } if (use_cfi_icall) { ldflags += [ "-fsanitize=cfi-icall" ] } if (use_cfi_diag) { ldflags += [ "-fno-sanitize-trap=cfi" ] if (use_cfi_recover) { ldflags += [ "-fsanitize-recover=cfi" ] } } } } else if (is_win) { # Windows directly calls link.exe instead of the compiler driver when # linking. Hence, pass the runtime libraries instead of -fsanitize=address # or -fsanitize=fuzzer. if (is_asan && is_component_build) { # In the static-library build, ASan libraries are different for # executables and dlls, see link_executable and link_shared_library below. # This here handles only the component build. if (target_cpu == "x64") { # Windows 64-bit. libs = [ "clang_rt.asan_dynamic-x86_64.lib", "clang_rt.asan_dynamic_runtime_thunk-x86_64.lib", ] } else { assert(target_cpu == "x86", "WinASan unsupported architecture") libs = [ "clang_rt.asan_dynamic-i386.lib", "clang_rt.asan_dynamic_runtime_thunk-i386.lib", ] } } if (use_libfuzzer) { assert(target_cpu == "x64", "LibFuzzer unsupported architecture") assert(!is_component_build, "LibFuzzer only supports non-component builds on Windows") # Incremental linking causes padding that messes up SanitizerCoverage. # Don't do it. ldflags = [ "/INCREMENTAL:NO" ] libs = [ "clang_rt.fuzzer_no_main-x86_64.lib" ] } } } config("common_sanitizer_flags") { cflags = [] if (using_sanitizer && !is_mingw) { assert(is_clang, "sanitizers only supported with clang") assert(!is_official_build, "sanitizers not supported in official builds") cflags += [ # Column info in debug data confuses Visual Studio's debugger, so don't # use this by default. However, clusterfuzz needs it for good # attribution of reports to CLs, so turn it on there. "-gcolumn-info", ] # Frame pointers are controlled in //build/config/compiler:default_stack_frames } } config("asan_flags") { cflags = [] if (is_asan && !is_mingw && !use_hwasan) { cflags += [ "-fsanitize=address" ] if (!is_mac) { cflags += [ "-fsanitize-address-use-after-scope" ] } else { # https://crbug.com/708707 cflags += [ "-fno-sanitize-address-use-after-scope" ] } if (!asan_globals) { cflags += [ "-mllvm", "-asan-globals=0", ] } cflags += [ "-fsanitize-recover=address" ] } } config("hwasan_flags") { cflags = [] if (is_asan && use_hwasan && !is_mingw && current_cpu == "arm64") { cflags += [ "-fsanitize=hwaddress", "-fno-emulated-tls", "-mllvm", "-hwasan-globals=0", ] } } config("link_executable") { if (is_asan && is_win && !is_component_build) { if (target_cpu == "x64") { ldflags = [ "-wholearchive:clang_rt.asan-x86_64.lib" ] } else { assert(target_cpu == "x86", "WinASan unsupported architecture") ldflags = [ "-wholearchive:clang_rt.asan-i386.lib" ] } } else if (is_asan && is_ohos) { libs = [ "$_clang_rt_dso_full_path" ] if (target_cpu == "arm") { ldflags = [ "-Wl,--dynamic-linker=/lib/ld-musl-arm-asan.so.1" ] } else if (target_cpu == "arm64") { ldflags = [ "-Wl,--dynamic-linker=/lib/ld-musl-aarch64-asan.so.1" ] } else if (target_cpu == "riscv64") { ldflags = [ "-Wl,--dynamic-linker=/lib/ld-musl-riscv64-asan.so.1" ] } } } config("link_shared_library") { if (is_asan && is_win && !is_component_build) { if (target_cpu == "x64") { libs = [ "clang_rt.asan_dll_thunk-x86_64.lib" ] } else { assert(target_cpu == "x86", "WinASan unsupported architecture") libs = [ "clang_rt.asan_dll_thunk-i386.lib" ] } } else if (is_asan && is_ohos) { libs = [ "$_clang_rt_dso_full_path" ] } } config("cfi_flags") { cflags = [] if (is_cfi && current_toolchain == default_toolchain) { if (!defined(cfi_blocklist_path)) { cfi_blocklist_path = rebase_path("//tools/cfi/blocklist.txt", root_build_dir) } cflags += [ "-fsanitize=cfi-vcall", "-fsanitize-blacklist=$cfi_blocklist_path", ] if (use_cfi_cast) { cflags += [ "-fsanitize=cfi-derived-cast", "-fsanitize=cfi-unrelated-cast", ] } if (use_cfi_icall) { cflags += [ "-fsanitize=cfi-icall" ] } if (use_cfi_diag) { cflags += [ "-fno-sanitize-trap=cfi" ] if (is_win) { cflags += [ "/Oy-", "/Ob0", ] } else { cflags += [ "-fno-inline-functions", "-fno-inline", "-fno-omit-frame-pointer", "-O1", ] } if (use_cfi_recover) { cflags += [ "-fsanitize-recover=cfi" ] } } } } config("coverage_flags") { cflags = [] if (use_sanitizer_coverage) { # Used by sandboxing code to allow coverage dump to be written on the disk. defines = [ "SANITIZER_COVERAGE" ] if (use_libfuzzer && !is_mac) { # Adding -fsanitize=fuzzer-no-link will add -fsanitize-coverage=inline-8bit-counters, # indirect-calls, trace-cmp, pc-table cflags += [ "-fsanitize=fuzzer-no-link" ] } else { cflags += [ "-fsanitize-coverage=$sanitizer_coverage_flags", "-mllvm", "-sanitizer-coverage-prune-blocks=1", ] if (current_cpu == "arm") { # http://crbug.com/517105 cflags += [ "-mllvm", "-sanitizer-coverage-block-threshold=0", ] } } } } config("lsan_flags") { if (is_lsan) { cflags = [ "-fsanitize=leak" ] } } config("msan_flags") { if (is_msan) { assert(is_linux, "msan only supported on linux x86_64") if (!defined(msan_blocklist_path)) { msan_blocklist_path = rebase_path("//tools/msan/blocklist.txt", root_build_dir) } cflags = [ "-fsanitize=memory", "-fsanitize-memory-track-origins=$msan_track_origins", "-fsanitize-blacklist=$msan_blocklist_path", ] } } config("safestack_flags") { if (is_safestack) { cflags = [ "-fsanitize=safe-stack" ] } } config("tsan_flags") { if (is_tsan) { assert(is_linux, "tsan only supported on linux x86_64") if (!defined(tsan_blocklist_path)) { tsan_blocklist_path = rebase_path("//tools/memory/tsan_v2/ignores.txt", root_build_dir) } cflags = [ "-fsanitize=thread", "-fsanitize-blacklist=$tsan_blocklist_path", ] } } config("ubsan_flags") { cflags = [] if (is_ubsan) { if (!defined(ubsan_blocklist_path)) { ubsan_blocklist_path = rebase_path("//tools/ubsan/blocklist.txt", root_build_dir) } cflags += [ # Yasm dies with an "Illegal instruction" error when bounds checking is # enabled. See http://crbug.com/489901 # "-fsanitize=bounds", "-fsanitize=float-divide-by-zero", "-fsanitize=integer-divide-by-zero", "-fsanitize=null", "-fsanitize=object-size", "-fsanitize=pointer-overflow", "-fsanitize=return", "-fsanitize=returns-nonnull-attribute", "-fsanitize=shift-exponent", "-fsanitize=signed-integer-overflow", "-fsanitize=unreachable", "-fsanitize=vla-bound", "-fsanitize-blacklist=$ubsan_blocklist_path", ] # Chromecast ubsan builds fail to compile with these # experimental flags, so only add them to non-chromecast ubsan builds. if (!is_chromecast) { cflags += [ # Employ the experimental PBQP register allocator to avoid slow # compilation on files with too many basic blocks. # See http://crbug.com/426271. "-mllvm", "-regalloc=pbqp", # Speculatively use coalescing to slightly improve the code generated # by PBQP regallocator. May increase compile time. "-mllvm", "-pbqp-coalescing", ] } } } config("ubsan_no_recover") { if (is_ubsan_no_recover) { cflags = [ "-fno-sanitize-recover=undefined" ] } } config("ubsan_security_flags") { if (is_ubsan_security) { if (!defined(ubsan_security_blocklist_path)) { ubsan_security_blocklist_path = rebase_path("//tools/ubsan/security_blocklist.txt", root_build_dir) } cflags = [ "-fsanitize=function", "-fsanitize=pointer-overflow", "-fsanitize=shift", "-fsanitize=signed-integer-overflow", "-fsanitize=vla-bound", "-fsanitize=vptr", "-fsanitize-blacklist=$ubsan_security_blocklist_path", ] } } config("ubsan_null_flags") { if (is_ubsan_null) { cflags = [ "-fsanitize=null" ] } } config("ubsan_vptr_flags") { if (is_ubsan_vptr) { if (!defined(ubsan_vptr_blocklist_path)) { ubsan_vptr_blocklist_path = rebase_path("//tools/ubsan/vptr_blocklist.txt", root_build_dir) } cflags = [ "-fsanitize=vptr", "-fsanitize-blacklist=$ubsan_vptr_blocklist_path", ] } } config("fuzzing_build_mode") { if (use_fuzzing_engine && optimize_for_fuzzing) { defines = [ "FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" ] } } all_sanitizer_configs = [ ":common_sanitizer_flags", ":coverage_flags", ":default_sanitizer_ldflags", ":asan_flags", ":hwasan_flags", ":cfi_flags", ":lsan_flags", ":msan_flags", ":safestack_flags", ":tsan_flags", ":ubsan_flags", ":ubsan_no_recover", ":ubsan_null_flags", ":ubsan_security_flags", ":ubsan_vptr_flags", ":fuzzing_build_mode", ] # This config is applied by default to all targets. It sets the compiler flags # for sanitizer usage, or, if no sanitizer is set, does nothing. # # This needs to be in a separate config so that targets can opt out of # sanitizers (by removing the config) if they desire. Even if a target # removes this config, executables & shared libraries should still depend on # :deps if any of their dependencies have not opted out of sanitizers. # Keep this list in sync with default_sanitizer_flags_but_ubsan_vptr. config("default_sanitizer_flags") { configs = all_sanitizer_configs } # This config is equivalent to default_sanitizer_flags, but excludes ubsan_vptr. # This allows to selectively disable ubsan_vptr, when needed. In particular, # if some third_party code is required to be compiled without rtti, which # is a requirement for ubsan_vptr. config("default_sanitizer_flags_but_ubsan_vptr") { configs = all_sanitizer_configs - [ ":ubsan_vptr_flags" ] } config("default_sanitizer_flags_but_coverage") { configs = all_sanitizer_configs - [ ":coverage_flags" ] } config("sanitizer_trap_all_flags") { cflags = [ "-fsanitize-trap=all", "-ftrap-function=abort", ] ldflags = cflags } # By default, cfi is in release mode config("cfi_config_release") { if (is_ohos) { _cfi_blocklist_path = "//build/config/sanitizers/cfi_blocklist.txt" configs = [ "//build/config/gcc:symbol_visibility_default" ] cflags = [ "-flto", "-fsanitize=cfi", "-fsanitize-blacklist=" + rebase_path(_cfi_blocklist_path, root_build_dir), ] # Remove some platforms because version-script is only meaningful for elf platform that support shared libraries. # Add a cfi version script to ensure cfi related symbols can be exported. if (!is_win) { _cfi_version_script = rebase_path("//build/config/sanitizers/cfi.versionscript") ldflags = [ "-Wl,--version-script=${_cfi_version_script}" ] } } } # Debug mode, add no-trap and recover options over release mode config("cfi_config_debug") { if (is_ohos) { configs = [ ":cfi_config_release" ] cflags = [ "-fno-sanitize-trap=cfi", "-fsanitize-recover=cfi,undefined", ] } } config("cfi_cross_dso_release") { configs = [ ":cfi_config_release" ] cflags = [ "-fsanitize-cfi-cross-dso" ] ldflags = [ "-flto", "-fsanitize=cfi", "-fsanitize-cfi-cross-dso", ] } config("cfi_cross_dso_debug") { configs = [ ":cfi_cross_dso_release" ] cflags = [ "-fno-sanitize-trap=cfi", "-fsanitize-recover=cfi,undefined", ] ldflags = cflags } config("shadow_call_stack_config") { if (target_cpu == "arm64") { cflags = [ # See https://clang.llvm.org/docs/ShadowCallStack.html "-fsanitize=shadow-call-stack", ] ldflags = cflags configs = [ ":sanitizer_trap_all_flags" ] } } template("config_plus_compiler_rt") { forward_variables_from(invoker, [ "compiler_rt_shared_lib_names" ]) not_needed([ "compiler_rt_shared_lib_names" ]) _clang_rt_dso_paths = [] if ((host_os == "linux" || host_os == "mac") && target_os == "ohos" && !is_mingw && is_ohos) { _dso_names = [] foreach(dso_name, compiler_rt_shared_lib_names) { # Add runtime shared library support _dso_names += [ "${abi_target}/libclang_rt.${dso_name}.so" ] } foreach(rt_lib, _dso_names) { _clang_rt_dso_paths += [ "$clang_lib_base_path/${rt_lib}" ] } } config(target_name) { forward_variables_from(invoker, [ "cflags", "cflags_cc", "asmflags", "ldflags", "libs", "configs", ]) # Link library by its fullpath if (defined(libs)) { libs += _clang_rt_dso_paths } else { libs = _clang_rt_dso_paths } } } config_plus_compiler_rt("scudo_config") { cflags = [ "-fsanitize=scudo" ] configs = [ ":sanitizer_trap_all_flags" ] compiler_rt_shared_lib_names = [ "scudo_minimal" ] } config("all_undefined_behavior_sanitize_config_release") { cflags = [ "-fsanitize=undefined", "-fno-sanitize-trap=integer,undefined", "-fno-sanitize-recover=integer,undefined", ] } config("all_undefined_behavior_sanitize_config_debug") { cflags = [ "-fsanitize=undefined", "-fno-sanitize-trap=integer,undefined", "-fsanitize-recover=integer,undefined", ] } config("undefined_behavior_sanitize_config_release") { cflags = [ "-fsanitize=bool,integer-divide-by-zero,return,returns-nonnull-attribute,shift-exponent,unreachable,vla-bound", "-fno-sanitize-trap=integer,undefined", "-fno-sanitize-recover=integer,undefined", "-fno-sanitize=implicit-integer-sign-change", ] } config("undefined_behavior_sanitize_config_debug") { cflags = [ "-fsanitize=bool,integer-divide-by-zero,return,returns-nonnull-attribute,shift-exponent,unreachable,vla-bound", "-fno-sanitize-trap=integer,undefined", "-fsanitize-recover=integer,undefined", "-fno-sanitize=implicit-integer-sign-change", ] } config("boundary_sanitize_config_release") { cflags = [ "-fsanitize=bounds", "-fno-sanitize-trap=integer,undefined", "-fno-sanitize-recover=integer,undefined", "-fno-sanitize=implicit-integer-sign-change", ] } config("boundary_sanitize_config_debug") { cflags = [ "-fsanitize=bounds", "-fno-sanitize-trap=integer,undefined", "-fsanitize-recover=integer,undefined", "-fno-sanitize=implicit-integer-sign-change", ] } config("common_integer_overflow_config_release") { _integer_overflow_blocklist = "./integer_overflow_blocklist.txt" cflags = [ "-fsanitize-blacklist=" + rebase_path(_integer_overflow_blocklist, root_build_dir), "-fno-sanitize-trap=integer,undefined", "-fno-sanitize-recover=integer,undefined", ] } config("common_integer_overflow_config_debug") { _integer_overflow_blocklist = "./integer_overflow_blocklist.txt" cflags = [ "-fsanitize-blacklist=" + rebase_path(_integer_overflow_blocklist, root_build_dir), "-fno-sanitize-trap=integer,undefined", "-fsanitize-recover=integer,undefined", ] } config("signed_integer_overflow_config") { cflags = [ "-fsanitize=signed-integer-overflow" ] } config("unsigned_integer_overflow_config") { cflags = [ "-fsanitize=unsigned-integer-overflow" ] } config_plus_compiler_rt("compiler_rt_debug") { compiler_rt_shared_lib_names = [ "ubsan_standalone" ] } config_plus_compiler_rt("compiler_rt_release") { cflags = [ "-fsanitize-minimal-runtime" ] compiler_rt_shared_lib_names = [ "ubsan_minimal" ] }