Enable CFI for virtual calls on Linux x86-64 official builds.

build/config/sanitizers/sanitizers.gni

 # Copyright 2015 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+import("//build/config/chrome_build.gni")
+
 declare_args() {
   # Compile for Address Sanitizer to find memory bugs.
   is_asan = false
 
   # Compile for Leak Sanitizer to find leaks.
   is_lsan = false
 
   # Compile for Memory Sanitizer to find uninitialized reads.
   is_msan = false
 
@@ skipping 28 matching lines @@
   use_locally_built_instrumented_libraries = false
 
   # Enable building with SyzyAsan which can find certain types of memory
   # errors. Only works on Windows. See
   # https://github.com/google/syzygy/wiki/SyzyASanHowTo
   is_syzyasan = false
 
   # Compile with Control Flow Integrity to protect virtual calls and casts.
   # See http://clang.llvm.org/docs/ControlFlowIntegrity.html
   #
-  # TODO(pcc): Remove this flag if/when CFI is enabled in official builds.
-  is_cfi = false
+  # TODO(pcc): Remove this flag if/when CFI is enabled in all official builds.
+  is_cfi = target_os == "linux" && !is_chromeos && target_cpu == "x64" &&
+           is_chrome_branded && is_official_build

[Dirk Pranke, 2016/08/19 20:22:09]

Should we move this to //build/config/compiler/compiler.gni or toolchain.gni,
since this'll be being used in non-sanitizer builds?

[krasin, 2016/08/19 20:30:45]

Yes, theoretically it's worth discussing. But given that this CL has high
chances to be reverted, I would prefer to delay the discussion until later to
avoid complication aforementioned revert.

Let me know if you feel strongly, I am personally fine to move the setting
around.

 
   # Enable checks for bad casts: derived cast and unrelated cast.
   # TODO(krasin): remove this, when we're ready to add these checks by default.
   # https://crbug.com/626794
   use_cfi_cast = false
 
   # By default, Control Flow Integrity will crash the program if it detects a
   # violation. Set this to true to print detailed diagnostics instead.
   use_cfi_diag = false
 
@@ skipping 102 matching lines @@
 # this condition. We may also be able to find another way to enable your case
 # without having people accidentally get broken builds by compiling an
 # unsupported or unadvisable configurations.
 #
 # For one-off testing, just comment this assertion out.
 assert(!is_debug || !(is_msan || is_ubsan || is_ubsan_null || is_ubsan_vptr),
        "Sanitizers should generally be used in release (set is_debug=false).")
 
 assert(!is_msan || (is_linux && current_cpu == "x64"),
        "MSan currently only works on 64-bit Linux and ChromeOS builds.")