xref: /aosp_15_r20/external/cronet/build/config/sanitizers/sanitizers.gni (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b) 
1# Copyright 2015 The Chromium Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import("//build/config/cast.gni")
6import("//build/config/chrome_build.gni")
7import("//build/config/chromeos/args.gni")
8import("//build/config/chromeos/ui_mode.gni")
9import("//build/config/profiling/profiling.gni")
10import("//build/toolchain/toolchain.gni")
11
12declare_args() {
13  # Compile for Address Sanitizer to find memory bugs.
14  is_asan = false
15
16  # Compile for Hardware-Assisted Address Sanitizer to find memory bugs
17  # (android/arm64 only).
18  # See http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html
19  is_hwasan = false
20
21  # Compile for Leak Sanitizer to find leaks.
22  is_lsan = false
23
24  # Compile for Memory Sanitizer to find uninitialized reads.
25  is_msan = false
26
27  # Compile for Thread Sanitizer to find threading bugs.
28  is_tsan = false
29
30  # Compile for Undefined Behaviour Sanitizer to find various types of
31  # undefined behaviour (excludes vptr checks).
32  is_ubsan = false
33
34  # Halt the program if a problem is detected.
35  is_ubsan_no_recover = false
36
37  # Track where uninitialized memory originates from. From fastest to slowest:
38  # 0 - no tracking, 1 - track only the initial allocation site, 2 - track the
39  # chain of stores leading from allocation site to use site.
40  msan_track_origins = 2
41
42  # Enables "param-retval" mode, which finds more uses of uninitialized data and
43  # reduces code size. Behind a flag as there are a number of previously
44  # undetected violations that still need to be fixed.
45  # TODO(crbug.com/1369167): Default this to true and remove.
46  msan_eager_checks = false
47
48  # Use dynamic libraries instrumented by one of the sanitizers instead of the
49  # standard system libraries. Set this flag to build the libraries from source.
50  use_locally_built_instrumented_libraries = false
51
52  # Compile with Control Flow Integrity to protect virtual calls and casts.
53  # See http://clang.llvm.org/docs/ControlFlowIntegrity.html
54  #
55  # TODO(pcc): Remove this flag if/when CFI is enabled in all official builds.
56  is_cfi = is_official_build && is_clang &&
57           ((target_os == "linux" && target_cpu == "x64") ||
58            (is_chromeos && is_chromeos_device))
59
60  # Enable checks for indirect function calls via a function pointer.
61  # TODO(pcc): remove this when we're ready to add these checks by default.
62  # https://crbug.com/701919
63  use_cfi_icall =
64      target_os == "linux" && target_cpu == "x64" && is_official_build
65
66  # Print detailed diagnostics when Control Flow Integrity detects a violation.
67  use_cfi_diag = false
68
69  # Let Control Flow Integrity continue execution instead of crashing when
70  # printing diagnostics (use_cfi_diag = true).
71  use_cfi_recover = false
72
73  # Compile for fuzzing with LLVM LibFuzzer.
74  # See http://www.chromium.org/developers/testing/libfuzzer
75  use_libfuzzer = false
76
77  # Compile for fuzzing with centipede.
78  # See https://github.com/google/centipede
79  use_centipede = false
80
81  # Compile for fuzzing with AFL.
82  use_afl = false
83
84  # Compile for fuzzing with an external engine (e.g., Grammarinator).
85  use_external_fuzzing_engine = false
86
87  # Enables core ubsan security features. Will later be removed once it matches
88  # is_ubsan.
89  is_ubsan_security = false
90
91  # Helper variable for testing builds with disabled libfuzzer.
92  # Not for client use.
93  disable_libfuzzer = false
94
95  # Value for -fsanitize-coverage flag. Setting this causes
96  # use_sanitizer_coverage to be enabled.
97  # This flag is not used for libFuzzer (use_libfuzzer=true). Instead, we use:
98  #     -fsanitize=fuzzer-no-link
99  # Default value when unset and use_fuzzing_engine=true:
100  #     trace-pc-guard
101  # Default value when unset and use_sanitizer_coverage=true:
102  #     trace-pc-guard,indirect-calls
103  sanitizer_coverage_flags = ""
104
105  # A sanitizer coverage allowlist, specifying exactly which
106  # files or symbol names should be instrumented, rather than all of them.
107  sanitizer_coverage_allowlist = ""
108
109  # When enabled, only relevant sanitizer defines are set, but compilation
110  # happens with no extra flags. This is useful when in component build
111  # enabling sanitizers only in some of the components.
112  use_sanitizer_configs_without_instrumentation = false
113
114  # When true, seed corpora archives are built.
115  archive_seed_corpus = true
116
117  # When true, sanitizer warnings will cause test case failures.
118  fail_on_san_warnings = false
119
120  # When true, only builds fuzzer targets that require high end machines to run.
121  # Otherwise, builds all the targets.
122  # TODO(paulsemel): once we have everything implemented on the recipe side, we
123  # can change the behaviour for the false case, and only build the non high-end
124  # jobs, so that they do not appear in the zip. As for now, this behaviour
125  # ensures nothing breaks.
126  high_end_fuzzer_targets = false
127}
128
129declare_args() {
130  # Enable checks for bad casts: derived cast and unrelated cast.
131  # TODO(krasin): remove this, when we're ready to add these checks by default.
132  # https://crbug.com/626794
133  use_cfi_cast = is_cfi && is_chromeos
134
135  # Compile for Undefined Behaviour Sanitizer's vptr checks.
136  is_ubsan_vptr = is_ubsan_security
137}
138
139declare_args() {
140  # Builds fuzztest test executables such that they support the
141  # --fuzz= argument, which requires some sanitizer coverage.
142  # We want to enable this only when we're *NOT* using a fuzzing
143  # engine such as libfuzzer or centipede. It's generally a
144  # useful option, but it requires sanitizer coverage, and that
145  # could conceivably disrupt normal unit testing workflows, so we'll
146  # enable it by default only in sanitizer builds.
147  # Also be sure not to enable this on non-Chromium builds where
148  # the required //third_party/fuzztest dependency may be absent.
149  # TODO(crbug.com/1495713): enable on component builds
150  enable_fuzztest_fuzz =
151      !(use_libfuzzer || use_afl || use_centipede ||
152        use_external_fuzzing_engine) &&
153      (is_asan || is_hwasan || is_lsan || is_tsan || is_msan || is_ubsan ||
154       is_ubsan_vptr || is_ubsan_security) && !is_component_build && is_linux &&
155      build_with_chromium
156}
157
158assert(!is_hwasan || (target_os == "android" && target_cpu == "arm64"),
159       "HWASan only supported on Android ARM64 builds.")
160
161assert(
162    !(enable_fuzztest_fuzz && use_libfuzzer),
163    "Can't specify enable_fuzztest_fuzz and use_libfuzzer. When libfuzzer is enabled, fuzztest executables automatically support --fuzz but provide output that's libfuzzer compatible.")
164
165assert(
166    !(enable_fuzztest_fuzz && use_centipede),
167    "Can't specify enable_fuzztest_fuzz and use_centipede. The same binaries are built in a different mode to add centipede support.")
168
169assert(
170    !(enable_fuzztest_fuzz && is_component_build),
171    "Can't specify enable_fuzztest_fuzz in component builds; fuzztest doesn't yet support it. Consider using use_libfuzzer=true instead which provides superficially similar functionality.")
172
173# Disable sanitizers for non-target toolchains, and for the toolchain using
174# the prebuilt Rust stdlib which has no sanitizer support with it.
175if (!is_a_target_toolchain || toolchain_for_rust_host_build_tools) {
176  is_asan = false
177  is_cfi = false
178  is_hwasan = false
179  is_lsan = false
180  is_msan = false
181  is_tsan = false
182  is_ubsan = false
183  is_ubsan_no_recover = false
184  is_ubsan_security = false
185  is_ubsan_vptr = false
186  fail_on_san_warnings = false
187  msan_track_origins = 0
188  sanitizer_coverage_flags = ""
189  use_afl = false
190  use_centipede = false
191  use_cfi_diag = false
192  use_cfi_recover = false
193  use_libfuzzer = false
194  use_locally_built_instrumented_libraries = false
195  use_sanitizer_coverage = false
196  enable_fuzztest_fuzz = false
197} else if (current_cpu != "arm64") {
198  is_hwasan = false
199}
200
201# Use dynamic libraries instrumented by one of the sanitizers instead of the
202# standard system libraries. We have instrumented system libraries for msan,
203# which requires them to prevent false positives.
204# TODO(thakis): Maybe remove this variable.
205use_prebuilt_instrumented_libraries = is_msan
206
207# Whether we are doing a fuzzer build. Normally this should be checked instead
208# of checking "use_libfuzzer || use_afl" because often developers forget to
209# check for "use_afl", and "use_centipede" is new.
210use_fuzzing_engine =
211    use_libfuzzer || use_afl || use_centipede || use_external_fuzzing_engine
212
213# Whether the current fuzzing engine supports libprotobuf_mutator.
214use_fuzzing_engine_with_lpm = use_libfuzzer || use_centipede
215
216# Whether the fuzzing engine supports fuzzers which supply their own
217# "main" function.
218fuzzing_engine_supports_custom_main = use_libfuzzer || use_centipede
219
220# Args that are in turn dependent on other args must be in a separate
221# declare_args block. User overrides are only applied at the end of a
222# declare_args block.
223declare_args() {
224  # Generates an owners file for each fuzzer test.
225  # TODO(crbug.com/1194183): Remove this arg when finding OWNERS is faster.
226  generate_fuzzer_owners = use_fuzzing_engine
227
228  use_sanitizer_coverage =
229      !use_clang_coverage && (use_fuzzing_engine || enable_fuzztest_fuzz ||
230                              sanitizer_coverage_flags != "")
231
232  # https://crbug.com/1002058: Code coverage works inside the sandbox via the
233  # help of several helper IPCs. Unfortunately, the sandbox-only path does not
234  # work well for fuzzing builds. Since fuzzing builds already disable the
235  # sandbox when dumping coverage, limit the sandbox-only path to non-fuzzing
236  # builds.
237  # Everything is IPC on Fuchsia, so this workaround for code coverage inside
238  # the sandbox does not apply.
239  use_clang_profiling_inside_sandbox =
240      use_clang_profiling && !use_fuzzing_engine && !is_fuchsia
241}
242
243if (sanitizer_coverage_flags == "") {
244  if (enable_fuzztest_fuzz) {
245    # ./fuzztest_executable --fuzz=
246    # requires only this single type of coverage
247    sanitizer_coverage_flags = "inline-8bit-counters"
248  } else if (use_fuzzing_engine) {
249    sanitizer_coverage_flags = "trace-pc-guard"
250    if (use_centipede) {
251      # Centipede's minimal flags are listed in //third_party/fuzztest/src/centipede/clang-flags.txt.
252      # But, for users like Chromium using an up-to-date clang, we can also
253      # enable extra optional types of coverage which may make Centipede more
254      # effective. This list is not currently documented and has been derived
255      # from discussion with centipede creators (though one is warned about at
256      # https://github.com/google/centipede/blob/main/centipede_callbacks.cc#L68)
257      sanitizer_coverage_flags = sanitizer_coverage_flags +
258                                 ",pc-table,trace-cmp,control-flow,trace-loads"
259    }
260  } else if (use_sanitizer_coverage) {
261    sanitizer_coverage_flags = "trace-pc-guard,indirect-calls"
262  }
263}
264
265# Whether we are linking against a sanitizer runtime library. Among other
266# things, this changes the default symbol level and other settings in order to
267# prepare to create stack traces "live" using the sanitizer runtime.
268using_sanitizer =
269    is_asan || is_hwasan || is_lsan || is_tsan || is_msan || is_ubsan ||
270    is_ubsan_vptr || is_ubsan_security || use_sanitizer_coverage || use_cfi_diag
271
272assert(!using_sanitizer || is_clang,
273       "Sanitizers (is_*san) require setting is_clang = true in 'gn args'")
274
275assert(!is_cfi || is_clang,
276       "is_cfi requires setting is_clang = true in 'gn args'")
277
278prebuilt_instrumented_libraries_available =
279    is_msan && (msan_track_origins == 0 || msan_track_origins == 2)
280
281if (use_libfuzzer && (is_linux || is_chromeos)) {
282  if (is_asan) {
283    # We do leak checking with libFuzzer on Linux. Set is_lsan for code that
284    # relies on LEAK_SANITIZER define to avoid false positives.
285    is_lsan = true
286  }
287}
288
289# MSan only links Chrome properly in release builds (brettw -- 9/1/2015). The
290# same is possibly true for the other non-ASan sanitizers. But regardless of
291# whether it links, one would normally never run a sanitizer in debug mode.
292# Running in debug mode probably indicates you forgot to set the "is_debug =
293# false" flag in the build args. ASan seems to run fine in debug mode.
294#
295# If you find a use-case where you want to compile a sanitizer in debug mode
296# and have verified it works, ask brettw and we can consider removing it from
297# this condition. We may also be able to find another way to enable your case
298# without having people accidentally get broken builds by compiling an
299# unsupported or unadvisable configurations.
300#
301# For one-off testing, just comment this assertion out.
302assert(!is_debug || !(is_msan || is_ubsan || is_ubsan_vptr),
303       "Sanitizers should generally be used in release (set is_debug=false).")
304
305assert(!is_msan || ((is_linux || is_chromeos) && current_cpu == "x64"),
306       "MSan currently only works on 64-bit Linux and ChromeOS builds.")
307
308assert(!is_lsan || is_asan, "is_lsan = true requires is_asan = true also.")
309
310# ASAN build on Windows is not working in debug mode. Intercepting memory
311# allocation functions is hard on Windows and not yet implemented in LLVM.
312assert(!is_win || !is_debug || !is_asan,
313       "ASan on Windows doesn't work in debug (set is_debug=false).")
314
315# libFuzzer targets can fail to build or behave incorrectly when built without
316# ASAN on Windows.
317assert(!is_win || !use_libfuzzer || is_asan,
318       "use_libfuzzer on Windows requires setting is_asan = true")
319
320# Make sure that if we recover on detection (i.e. not crash), diagnostics are
321# printed.
322assert(!use_cfi_recover || use_cfi_diag,
323       "Only use CFI recovery together with diagnostics.")
324
325# TODO(crbug.com/753445): the use_sanitizer_coverage arg is currently
326# not supported by the Chromium mac_clang_x64 toolchain on iOS distribution.
327# The coverage works with iOS toolchain but it is broken when the mac
328# toolchain is used as a secondary one on iOS distribution. E.g., it should be
329# possible to build the "net" target for iOS with the sanitizer coverage
330# enabled.
331assert(
332    !(use_sanitizer_coverage && is_mac && target_os == "ios"),
333    "crbug.com/753445: use_sanitizer_coverage=true is not supported by the " +
334        "Chromium mac_clang_x64 toolchain on iOS distribution. Please set " +
335        "the argument value to false.")
336
337assert(
338    sanitizer_coverage_allowlist == "" || use_sanitizer_coverage,
339    "Can't specify a sanitizer coverage allowlist without using sanitizer coverage.")
340
341# Use these lists of configs to disable instrumenting code that is part of a
342# fuzzer, but which isn't being targeted (such as libprotobuf-mutator, *.pb.cc
343# and libprotobuf when they are built as part of a proto fuzzer). Adding or
344# removing these lists does not have any effect if use_libfuzzer or use_afl are
345# not passed as arguments to gn.
346not_fuzzed_remove_configs = []
347not_fuzzed_remove_nonasan_configs = []
348
349if (use_fuzzing_engine) {
350  # Removing coverage should always just work.
351  not_fuzzed_remove_configs += [ "//build/config/coverage:default_coverage" ]
352  not_fuzzed_remove_nonasan_configs +=
353      [ "//build/config/coverage:default_coverage" ]
354
355  if (!is_msan) {
356    # Allow sanitizer instrumentation to be removed if we are not using MSan
357    # since binaries cannot be partially instrumented with MSan.
358    not_fuzzed_remove_configs +=
359        [ "//build/config/sanitizers:default_sanitizer_flags" ]
360
361    # Certain parts of binaries must be instrumented with ASan if the rest of
362    # the binary is. For these, only remove non-ASan sanitizer instrumentation.
363    if (!is_asan) {
364      not_fuzzed_remove_nonasan_configs +=
365          [ "//build/config/sanitizers:default_sanitizer_flags" ]
366
367      assert(not_fuzzed_remove_nonasan_configs == not_fuzzed_remove_configs)
368    }
369  }
370}
371
372# Options common to different fuzzer engines.
373# Engine should be compiled without coverage (infinite loop in trace_cmp).
374fuzzing_engine_remove_configs = [
375  "//build/config/coverage:default_coverage",
376  "//build/config/sanitizers:default_sanitizer_flags",
377]
378
379# Add any sanitizer flags back. In MSAN builds, instrumenting libfuzzer with
380# MSAN is necessary since all parts of the binary need to be instrumented for it
381# to work. ASAN builds are more subtle: libfuzzer depends on features from the
382# C++ STL. If it were not instrumented, templates would be insantiated without
383# ASAN from libfuzzer and with ASAN in other TUs. The linker might merge
384# instrumented template instantiations with non-instrumented ones (which could
385# have a different ABI) in the final binary, which is problematic for TUs
386# expecting one particular ABI (https://crbug.com/915422). The other sanitizers
387# are added back for the same reason.
388fuzzing_engine_add_configs =
389    [ "//build/config/sanitizers:default_sanitizer_flags_but_coverage" ]
390