Issue 1501593003: Enable Control Flow Integrity for the official Linux Chrome.

Issue 1501593003: Enable Control Flow Integrity for the official Linux Chrome. (Closed)

Created:
5 years ago by krasin

Modified:
5 years ago

Reviewers:
Nico

CC:
chromium-reviews, kcc, pcc

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

Enable Control Flow Integrity for the official Linux Chrome. This CL turns on CFI, a security check: https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity http://clang.llvm.org/docs/ControlFlowIntegrity.html This feature enables LTO (Link-Time Optimization) builds, which slow down the linker by 3x-4x. CFI also comes with a code size overhead of about 7%-9%. The runtime CPU cost is less than 1%, and should not be an issue. BUG=chromium:464797 Intent to Implement thread: https://groups.google.com/a/chromium.org/d/msg/chromium-dev/pbJqt6ccMII/7iJC2oklCAAJ This is a second attempt to land the CL. The first one: https://codereview.chromium.org/1393283005/ Committed: https://crrev.com/abbfcc7930834381e05c31068ac2256cb9ea4f49 Cr-Commit-Position: refs/heads/master@{#363267}

Patch Set 1 #

Created: 5 years ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+14 lines, -4 lines)			Patch
	M	build/common.gypi	View		1 chunk	+7 lines, -0 lines	0 comments	Download
	M	build/config/sanitizers/sanitizers.gni	View		3 chunks	+7 lines, -4 lines	0 comments	Download

Messages

Total messages: 19 (7 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

krasin

Hi Nico, please, approve this CL. I will submit it once master.chromium.perf is restarted (https://crbug.com/565486). ...

5 years ago (2015-12-04 06:32:06 UTC) #3

krasin

The restart happened. We don't have any blockers anymore and it should be ok to ...

5 years ago (2015-12-04 17:08:47 UTC) #4

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1501593003/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1501593003/1

5 years ago (2015-12-04 17:27:06 UTC) #7

krasin

On 2015/12/04 17:23:18, Nico wrote: > lgtm, good luck on this try :-) Thank you! ...

5 years ago (2015-12-04 17:27:20 UTC) #8

krasin

Err. Not the timeout issue (that is still not solved generically), but the link concurrency ...

5 years ago (2015-12-04 17:28:20 UTC) #9

commit-bot: I haz the power

Try jobs failed on following builders: linux_chromium_asan_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_asan_rel_ng/builds/87710)

5 years ago (2015-12-04 18:16:08 UTC) #12

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1501593003/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1501593003/1

5 years ago (2015-12-04 18:18:31 UTC) #14

commit-bot: I haz the power

Patchset 1 (id:??) landed as https://crrev.com/abbfcc7930834381e05c31068ac2256cb9ea4f49 Cr-Commit-Position: refs/heads/master@{#363267}

5 years ago (2015-12-04 19:29:32 UTC) #18

krasin

5 years ago (2015-12-05 00:01:20 UTC) #19

Message was sent while issue was closed.

A revert of this CL (patchset #1 id:1) has been created in
https://codereview.chromium.org/1501873002/ by krasin@google.com.

The reason for reverting is: Buildbot timed out:
https://build.chromium.org/p/chromium.chrome/builders/Google%20Chrome%20Linux...

"command timed out: 3600 seconds without output, attempting to kill"

It's hard to say why does the buildbot so much slower than a local build.
Possibly, not enough RAM..

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages