build / config / sanitizers / BUILD.gn [blame]

# Copyright 2014 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import("//build/config/cast.gni")
import("//build/config/chrome_build.gni")
import("//build/config/clang/clang.gni")
import("//build/config/rust.gni")
import("//build/config/sanitizers/sanitizers.gni")
import("//build/toolchain/toolchain.gni")
import("//build_overrides/build.gni")

if (is_ios) {
  import("//build/config/apple/mobile_config.gni")
}

# libfuzzer can't cope with shared objects being unloaded, which sometimes
# occurs for large fuzzers that involve our graphics stack. Shim out dlclose
# so that this doesn't occur.
#
# dlclose() is defined by POSIX, making `is_posix` a tempting condition to use.
# However the linker does not necessarily support `-wrap` on all POSIX
# platforms, hence the restriction to Linux and ChromeOS. We might eventually
# want to disable shared library unloading on all platforms, but we have not
# noticed a need for it as the known-affected large fuzzers only run on Linux.
use_dlcloseshim = use_libfuzzer && (is_linux || is_chromeos)

# Contains the dependencies needed for sanitizers to link into executables and
# shared_libraries.
group("deps") {
  deps = []
  data = []
  if (using_sanitizer) {
    public_configs = [
      # Even when a target removes default_sanitizer_flags, it may be depending
      # on a library that did not remove default_sanitizer_flags. Thus, we need
      # to add the ldflags here as well as in default_sanitizer_flags.
      ":default_sanitizer_ldflags",
    ]
    if (!is_fuchsia) {
      if (is_win) {
        exe = ".exe"
      } else {
        exe = ""
      }
      data += [
        "//tools/valgrind/asan/",
        "$clang_base_path/bin/llvm-symbolizer${exe}",
      ]
    }
    if (is_asan || is_lsan || is_msan || is_tsan || is_ubsan_any) {
      public_configs += [ ":sanitizer_options_link_helper" ]
      deps += [ ":options_sources" ]
    }
    if (use_prebuilt_instrumented_libraries ||
        use_locally_built_instrumented_libraries) {
      deps += [ "//third_party/instrumented_libs:deps" ]
    }
  }
  if (fail_on_san_warnings) {
    data += [ "//tools/memory/sanitizer/escalate_sanitizer_warnings.py" ]
  }
  if (is_asan || is_ubsan_any) {
    if (is_win || is_apple) {
      data_deps = [ ":copy_sanitizer_runtime" ]
    }
    if (is_apple) {
      public_deps = [ ":sanitizer_runtime_bundle_data" ]
    }
  }
  if (use_centipede || enable_fuzztest_fuzz) {
    # For executables which aren't actual fuzzers, we need stubs for
    # the sanitizer coverage symbols, because we'll still be generating
    # .o files which depend on them.
    deps += [ "//third_party/fuzztest:centipede_weak_sancov_stubs" ]
  }
}

assert(!(is_win && is_asan && current_cpu == "x86"),
       "ASan is only supported in 64-bit builds on Windows.")

if ((is_apple || is_win) && (is_asan || is_ubsan_any)) {
  if (is_mac || (is_ios && target_environment == "catalyst")) {
    if (is_asan) {
      _clang_rt_dso_path = "darwin/libclang_rt.asan_osx_dynamic.dylib"
    } else {
      assert(is_ubsan_any)
      _clang_rt_dso_path = "darwin/libclang_rt.ubsan_osx_dynamic.dylib"
    }
  } else if (is_ios) {
    if (is_asan) {
      if (target_environment == "simulator") {
        _clang_rt_dso_path = "darwin/libclang_rt.asan_iossim_dynamic.dylib"
      } else {
        _clang_rt_dso_path = "darwin/libclang_rt.asan_ios_dynamic.dylib"
      }
    } else {
      assert(is_ubsan_any)
      _clang_rt_dso_path = "darwin/libclang_rt.ubsan_iossim_dynamic.dylib"
    }
  } else if (is_win && current_cpu == "x64") {
    if (is_asan) {
      _clang_rt_dso_path = "windows/clang_rt.asan_dynamic-x86_64.dll"
    } else {
      assert(is_ubsan_any)
      _clang_rt_dso_path = "windows/clang_rt.ubsan_dynamic-x86_64.dll"
    }
  }

  _clang_rt_dso_full_path =
      "$clang_base_path/lib/clang/$clang_version/lib/$_clang_rt_dso_path"

  if (!is_ios) {
    copy("copy_sanitizer_runtime") {
      sources = [ _clang_rt_dso_full_path ]
      outputs = [ "$root_out_dir/{{source_file_part}}" ]
    }
  } else {
    # On iOS, the runtime library need to be code signed (adhoc signature)
    # starting with Xcode 8, so use an action instead of a copy on iOS.
    action("copy_sanitizer_runtime") {
      script = "//build/config/apple/codesign.py"
      sources = [ _clang_rt_dso_full_path ]
      outputs = [ "$root_out_dir/" + get_path_info(sources[0], "file") ]
      args = [
        "code-sign-file",
        "--identity=" + ios_code_signing_identity,
        "--output=" + rebase_path(outputs[0], root_build_dir),
        rebase_path(sources[0], root_build_dir),
      ]
    }
  }

  if (is_apple) {
    bundle_data("sanitizer_runtime_bundle_data") {
      sources = get_target_outputs(":copy_sanitizer_runtime")
      outputs = [ "{{bundle_executable_dir}}/{{source_file_part}}" ]
      public_deps = [ ":copy_sanitizer_runtime" ]
    }
  }
}

config("sanitizer_options_link_helper") {
  if (is_apple) {
    ldflags = [ "-Wl,-u,__sanitizer_options_link_helper" ]
  } else if (!is_win) {
    ldflags = [ "-Wl,-u_sanitizer_options_link_helper" ]
  }
}

static_library("options_sources") {
  # This is a static_library instead of a source_set, as it shouldn't be
  # unconditionally linked into targets.
  visibility = [
    ":deps",
    "//:gn_all",
  ]
  sources = [ "//build/sanitizers/sanitizer_options.cc" ]

  # Don't compile this target with any sanitizer code. It can be called from
  # the sanitizer runtimes, so instrumenting these functions could cause
  # recursive calls into the runtime if there is an error.
  configs -= [ "//build/config/sanitizers:default_sanitizer_flags" ]

  if (is_asan) {
    if (!defined(asan_suppressions_file)) {
      asan_suppressions_file = "//build/sanitizers/asan_suppressions.cc"
    }
    sources += [ asan_suppressions_file ]
  }

  if (is_lsan) {
    if (!defined(lsan_suppressions_file)) {
      lsan_suppressions_file = "//build/sanitizers/lsan_suppressions.cc"
    }
    sources += [ lsan_suppressions_file ]
  }

  if (is_tsan) {
    if (!defined(tsan_suppressions_file)) {
      tsan_suppressions_file = "//build/sanitizers/tsan_suppressions.cc"
    }
    sources += [ tsan_suppressions_file ]
  }
}

if (use_dlcloseshim) {
  source_set("dlclose_shim") {
    sources = [ "//build/sanitizers/dlcloseshim.c" ]
  }
} else {
  group("dlclose_shim") {
    deps = []
  }
}

# Applies linker flags necessary when either :deps or :default_sanitizer_flags
# are used.
config("default_sanitizer_ldflags") {
  visibility = [
    ":default_sanitizer_flags",
    ":deps",

    # https://crbug.com/360158.
    "//tools/ipc_fuzzer/fuzzer:ipc_fuzzer",
  ]

  if (is_posix || is_fuchsia) {
    sanitizers = []  # sanitizers applicable to both clang and rustc
    ldflags = []
    rustflags = []
    if (is_asan) {
      sanitizers += [ "address" ]
    }
    if (is_hwasan) {
      sanitizers += [ "hwaddress" ]
    }
    if (is_lsan) {
      # In Chromium, is_lsan always implies is_asan. ASAN includes LSAN.
      # It seems harmless to pass both options to clang, but it doesn't
      # work on rustc, so apply this option to clang only.
      ldflags += [ "-fsanitize=leak" ]
    }
    if (is_tsan) {
      sanitizers += [ "thread" ]
    }
    if (is_msan) {
      sanitizers += [ "memory" ]
    }
    if (is_ubsan || is_ubsan_security) {
      ldflags += [ "-fsanitize=undefined" ]
    }
    if (is_ubsan_vptr) {
      ldflags += [ "-fsanitize=vptr" ]
    }
    foreach(sanitizer, sanitizers) {
      ldflags += [ "-fsanitize=$sanitizer" ]
      rustflags += [ "-Zsanitizer=$sanitizer" ]
    }

    if (use_sanitizer_coverage) {
      if (use_libfuzzer) {
        ldflags += [ "-fsanitize=fuzzer-no-link" ]
        if (is_mac) {
          # TODO(crbug.com/40611636): on macOS, dead code stripping does not work
          # well with `pc-table` instrumentation enabled by `fuzzer-no-link`.
          ldflags += [ "-fno-sanitize-coverage=pc-table" ]
        }
      } else {
        ldflags += [ "-fsanitize-coverage=$sanitizer_coverage_flags" ]
      }
      if (is_mac && use_centipede) {
        # OS X linking doesn't allow undefined symbols at link time
        # and in a component build, component shared objects will
        # need to use this symbol to report control flow coverage
        # to the main binary
        ldflags += [ "-Wl,-undefined,dynamic_lookup" ]
      }
    }

    if (is_cfi && current_toolchain == default_toolchain) {
      ldflags += [ "-fsanitize=cfi-vcall" ]
      if (use_cfi_cast) {
        ldflags += [
          "-fsanitize=cfi-derived-cast",
          "-fsanitize=cfi-unrelated-cast",
        ]
      }
      if (use_cfi_icall) {
        ldflags += [ "-fsanitize=cfi-icall" ]
      }
      if (use_cfi_diag) {
        ldflags += [ "-fno-sanitize-trap=cfi" ]
        if (use_cfi_recover) {
          ldflags += [ "-fsanitize-recover=cfi" ]
        }
      }
    }
  } else if (is_win) {
    # Windows directly calls link.exe instead of the compiler driver when
    # linking.  Hence, pass the runtime libraries instead of -fsanitize=address
    # or -fsanitize=fuzzer.
    ldflags = []
    if (is_asan) {
      assert(current_cpu == "x64", "WinASan unsupported architecture")
      libs = [ "clang_rt.asan_dynamic-x86_64.lib" ]
      if (is_component_build) {
        ldflags +=
            [ "-wholearchive:clang_rt.asan_dynamic_runtime_thunk-x86_64.lib" ]
      } else {
        ldflags +=
            [ "-wholearchive:clang_rt.asan_static_runtime_thunk-x86_64.lib" ]
      }
    }
    if (use_libfuzzer) {
      assert(current_cpu == "x64", "LibFuzzer unsupported architecture")
      assert(!is_component_build,
             "LibFuzzer only supports non-component builds on Windows")

      # Incremental linking causes padding that messes up SanitizerCoverage.
      # Don't do it.
      ldflags += [ "/INCREMENTAL:NO" ]
    }
  }
  if (use_dlcloseshim) {
    ldflags += [ "-Wl,-wrap,dlclose" ]
  }
}

config("common_sanitizer_flags") {
  cflags = []

  if (using_sanitizer) {
    assert(is_clang, "sanitizers only supported with clang")

    # Allow non-default toolchains to enable sanitizers in toolchain_args even
    # in official builds.
    assert(current_toolchain != default_toolchain || !is_official_build,
           "sanitizers not supported in official builds")

    cflags += [
      # Column info in debug data confuses Visual Studio's debugger, so don't
      # use this by default.  However, clusterfuzz needs it for good
      # attribution of reports to CLs, so turn it on there.
      "-gcolumn-info",
    ]

    # Frame pointers are controlled in //build/config/compiler:default_stack_frames
  }
}

config("asan_flags") {
  cflags = []
  rustflags = []
  if (is_asan) {
    cflags += [ "-fsanitize=address" ]
    rustflags += [ "-Zsanitizer=address" ]
    if (!is_win && !is_apple && !is_fuchsia) {
      # TODO(crbug.com/1459233, crbug.com/1462248): This causes asan
      # odr-violation errors in rust code, and link failures for cros/asan.
      # Clang recently turned it on by default for all ELF targets (it was
      # already on for Fuchsia). Pass the flag to turn it back off.
      cflags += [ "-fno-sanitize-address-globals-dead-stripping" ]
    }
    if (is_win) {
      if (!defined(asan_win_blocklist_path)) {
        asan_win_blocklist_path =
            rebase_path("//tools/memory/asan/blocklist_win.txt", root_build_dir)
      }
      cflags += [ "-fsanitize-ignorelist=$asan_win_blocklist_path" ]
    }
  }
}

config("cfi_flags") {
  cflags = []
  rustflags = []
  if (is_cfi && current_toolchain == default_toolchain) {
    if (!defined(cfi_ignorelist_path)) {
      cfi_ignorelist_path =
          rebase_path("//tools/cfi/ignores.txt", root_build_dir)
    }
    cflags += [
      "-fsanitize=cfi-vcall",
      "-fsanitize-ignorelist=$cfi_ignorelist_path",
    ]

    if (toolchain_supports_rust_thin_lto) {
      # sanitize=cfi implies -fsplit-lto-unit, and Rust needs to match
      # behaviour.  Rust needs to know the linker will be doing LTO in this case
      # or it rejects the Zsplit-lto-unit flag.
      # TODO(crbug.com/40266913): Add -Zsanitize=cfi instead.
      rustflags += [
        "-Zsplit-lto-unit",
        "-Clinker-plugin-lto=yes",
      ]
    } else {
      # Don't include bitcode if it won't be used.
      rustflags += [ "-Cembed-bitcode=no" ]
    }

    if (use_cfi_cast) {
      cflags += [
        "-fsanitize=cfi-derived-cast",
        "-fsanitize=cfi-unrelated-cast",
      ]
    }

    if (use_cfi_icall) {
      cflags += [ "-fsanitize=cfi-icall" ]
      # TODO(crbug.com/40266913): Add cflags += [
      # "-fsanitize-cfi-icall-experimental-normalize-integers" ]
      # TODO(crbug.com/40266913): Add rustflags += [
      # "-Zsanitizer-cfi-normalize-integers" ].
    }

    if (use_cfi_diag) {
      cflags += [ "-fno-sanitize-trap=cfi" ]
      if (is_win) {
        cflags += [
          "/Oy-",
          "/Ob0",
        ]
      } else {
        cflags += [
          "-fno-inline-functions",
          "-fno-inline",
          "-fno-omit-frame-pointer",
          "-O1",
        ]
      }
      if (use_cfi_recover) {
        cflags += [ "-fsanitize-recover=cfi" ]
      }
    }
  }
}

# crbug.com/785442: Fix cfi-icall failures for code that casts pointer argument
# types in function pointer type signatures.
config("cfi_icall_generalize_pointers") {
  if (is_clang && is_cfi && use_cfi_icall) {
    cflags = [ "-fsanitize-cfi-icall-generalize-pointers" ]
  }
}

config("cfi_icall_disable") {
  if (is_clang && is_cfi && use_cfi_icall) {
    cflags = [ "-fno-sanitize=cfi-icall" ]
  }
}

config("coverage_flags") {
  cflags = []
  if (use_sanitizer_coverage) {
    # Used by sandboxing code to allow coverage dump to be written on the disk.
    defines = [ "SANITIZER_COVERAGE" ]

    if (use_libfuzzer) {
      cflags += [ "-fsanitize=fuzzer-no-link" ]
      if (is_mac) {
        # TODO(crbug.com/40611636): on macOS, dead code stripping does not work
        # well with `pc-table` instrumentation enabled by `fuzzer-no-link`.
        cflags += [ "-fno-sanitize-coverage=pc-table" ]
      }
    } else {
      cflags += [
        "-fsanitize-coverage=$sanitizer_coverage_flags",
        "-mllvm",
        "-sanitizer-coverage-prune-blocks=1",
      ]
      if (current_cpu == "arm") {
        # http://crbug.com/517105
        cflags += [
          "-mllvm",
          "-sanitizer-coverage-block-threshold=0",
        ]
      }
    }
    if (sanitizer_coverage_allowlist != "") {
      cflags += [ "-fsanitize-coverage-allowlist=" +
                  rebase_path(sanitizer_coverage_allowlist, root_build_dir) ]
    }
  }
  if (use_centipede) {
    # Centipede intercepts calls such as memcmp and memcpy in order to improve
    # its testcase generation.
    cflags += [ "-fno-builtin" ]
  }
}

config("hwasan_flags") {
  if (is_hwasan) {
    asmflags = [ "-fsanitize=hwaddress" ]
    cflags = [ "-fsanitize=hwaddress" ]
  }
}

config("lsan_flags") {
  if (is_lsan) {
    cflags = [ "-fsanitize=leak" ]
  }
}

config("msan_flags") {
  if (is_msan) {
    assert(is_linux || is_chromeos,
           "msan only supported on linux x86_64/ChromeOS")
    if (!defined(msan_ignorelist_path)) {
      msan_ignorelist_path =
          rebase_path("//tools/msan/ignorelist.txt", root_build_dir)
    }
    cflags = [
      "-fsanitize=memory",
      "-fsanitize-memory-track-origins=$msan_track_origins",
      "-fsanitize-ignorelist=$msan_ignorelist_path",
    ]

    if (!msan_check_use_after_dtor) {
      # TODO(crbug.com/40222690): evaluate and possibly enable
      cflags += [ "-fno-sanitize-memory-use-after-dtor" ]
    }

    if (!msan_eager_checks) {
      cflags += [ "-fno-sanitize-memory-param-retval" ]
    }
  }
}

config("tsan_flags") {
  if (is_tsan) {
    assert(is_linux || is_chromeos, "tsan only supported on linux x86_64")
    if (!defined(tsan_ignorelist_path)) {
      tsan_ignorelist_path =
          rebase_path("//tools/memory/tsan_v2/ignores.txt", root_build_dir)
    }
    cflags = [
      "-fsanitize=thread",
      "-fsanitize-ignorelist=$tsan_ignorelist_path",
    ]
  }
}

config("ubsan_flags") {
  cflags = []
  if (is_ubsan) {
    if (!defined(ubsan_ignorelist_path)) {
      ubsan_ignorelist_path =
          rebase_path("//tools/ubsan/ignorelist.txt", root_build_dir)
    }

    # TODO(crbug.com/40942951): Enable all of -fsanitize=undefined. Note that
    # both this list and Clang's defaults omit -fsanitize=float-divide-by-zero.
    # C and C++ leave it undefined to accommodate non-IEEE floating point, but
    # we assume the compiler implements IEEE floating point, which does define
    # division by zero.
    cflags += [
      "-fsanitize=alignment",
      "-fsanitize=bool",
      "-fsanitize=bounds",
      "-fsanitize=builtin",
      "-fsanitize=integer-divide-by-zero",
      "-fsanitize=null",
      "-fsanitize=nonnull-attribute",
      "-fsanitize=object-size",
      "-fsanitize=pointer-overflow",
      "-fsanitize=return",
      "-fsanitize=returns-nonnull-attribute",
      "-fsanitize=shift",
      "-fsanitize=signed-integer-overflow",
      "-fsanitize=unreachable",
      "-fsanitize=vla-bound",
      "-fsanitize-ignorelist=$ubsan_ignorelist_path",
    ]
  }
}

config("ubsan_no_recover") {
  if (is_ubsan_no_recover) {
    cflags = [ "-fno-sanitize-recover=undefined" ]
  }
}

config("ubsan_security_flags") {
  if (is_ubsan_security) {
    if (!defined(ubsan_security_ignorelist_path)) {
      ubsan_security_ignorelist_path =
          rebase_path("//tools/ubsan/security_ignorelist.txt", root_build_dir)
    }
    cflags = [
      "-fsanitize=function",
      "-fsanitize=shift",
      "-fsanitize=signed-integer-overflow",
      "-fsanitize=vla-bound",
      "-fsanitize-ignorelist=$ubsan_security_ignorelist_path",
    ]
  }
}

config("ubsan_vptr_flags") {
  if (is_ubsan_vptr) {
    if (!defined(ubsan_vptr_ignorelist_path)) {
      ubsan_vptr_ignorelist_path =
          rebase_path("//tools/ubsan/vptr_ignorelist.txt", root_build_dir)
    }
    cflags = [
      "-fsanitize=vptr",
      "-fsanitize-ignorelist=$ubsan_vptr_ignorelist_path",
    ]
  }
}

config("fuzzing_build_mode") {
  if (use_fuzzing_engine) {
    defines = [ "FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" ]
  }
}

all_sanitizer_configs = [
  ":common_sanitizer_flags",
  ":coverage_flags",
  ":default_sanitizer_ldflags",
  ":asan_flags",
  ":cfi_flags",
  ":hwasan_flags",
  ":lsan_flags",
  ":msan_flags",
  ":tsan_flags",
  ":ubsan_flags",
  ":ubsan_no_recover",
  ":ubsan_security_flags",
  ":ubsan_vptr_flags",
  ":fuzzing_build_mode",
]

# This config is applied by default to all targets. It sets the compiler flags
# for sanitizer usage, or, if no sanitizer is set, does nothing.
#
# This needs to be in a separate config so that targets can opt out of
# sanitizers (by removing the config) if they desire. Even if a target
# removes this config, executables & shared libraries should still depend on
# :deps if any of their dependencies have not opted out of sanitizers.
# Keep this list in sync with default_sanitizer_flags_but_ubsan_vptr.
config("default_sanitizer_flags") {
  configs = all_sanitizer_configs

  if (use_sanitizer_configs_without_instrumentation) {
    configs = []
  }
}

# This config is equivalent to default_sanitizer_flags, but excludes ubsan_vptr.
# This allows to selectively disable ubsan_vptr, when needed. In particular,
# if some third_party code is required to be compiled without rtti, which
# is a requirement for ubsan_vptr.
config("default_sanitizer_flags_but_ubsan_vptr") {
  configs = all_sanitizer_configs - [ ":ubsan_vptr_flags" ]

  if (use_sanitizer_configs_without_instrumentation) {
    configs = []
  }
}

config("default_sanitizer_flags_but_coverage") {
  configs = all_sanitizer_configs - [ ":coverage_flags" ]

  if (use_sanitizer_configs_without_instrumentation) {
    configs = []
  }
}

# This config is used by parts of code that aren't targeted in fuzzers and
# therefore don't need coverage instrumentation and possibly wont need
# sanitizer instrumentation either. The config also tells the compiler to
# perform additional optimizations on the configured code and ensures that
# linking it to the rest of the binary which is instrumented with sanitizers
# works. The config only does anything if the build is a fuzzing build.
config("not_fuzzed") {
  if (use_fuzzing_engine) {
    # Since we aren't instrumenting with coverage, code size is less of a
    # concern, so use a more aggressive optimization level than
    # optimize_for_fuzzing (-O1). When given multiple optimization flags, clang
    # obeys the last one, so as long as this flag comes after -O1, it should work.
    # Since this config will always be depended on after
    # "//build/config/compiler:default_optimization" (which adds -O1 when
    # optimize_for_fuzzing is true), -O2 should always be the second flag. Even
    # though this sounds fragile, it isn't a big deal if it breaks, since proto
    # fuzzers will still work, they will just be slightly slower.
    cflags = [ "-O2" ]

    # We need to include this config when we remove default_sanitizer_flags or
    # else there will be linking errors. We would remove default_sanitizer_flags
    # here as well, but gn doesn't permit this.
    if (!is_msan) {
      # We don't actually remove sanitization when MSan is being used so there
      # is no need to add default_sanitizer_ldflags in that case
      configs = [ ":default_sanitizer_ldflags" ]
    }
  }
}