New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 659765 link

Starred by 6 users
Status: Archived
Owner: ----
Closed: Jan 10
Cc:
kcc@chromium.org
p...@chromium.org
penny...@chromium.org
scottmg@chromium.org
r...@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug

Blocked on:
issue 584575
Blocking:
issue 82385



Sign in to add a comment

Investigate CFG vs CFI story on Windows

Project Member Reported by thakis@chromium.org, Oct 26 2016 
cl.exe has /CFG, which allegedly also enables CFG checks in Microsoft-built libraries linked to.

clang-cl has CFI (not quite there on Windows, but it'll get there), but only for code we build.

We should figure out if there's a way to get CFI for clang-cl-built files but still opt in for CFG for Microsoft libraries. I don't know if we have to do adjusted calls for things in these libraries, and have adjusted landing sites for calls from libraries into our code.

Comment 1 by p...@chromium.org, Oct 26 2016

Cc: kcc@chromium.org
This should in principle be possible. Clang has a concept of "hidden LTO visibility" [0] which essentially controls whether we may emit CFI checks for a particular class. What we would need to do in the case where CFI and CFG are both enabled is emit CFG checks for classes without hidden LTO visibility.

[0] http://clang.llvm.org/docs/LTOVisibility.html

Comment 2 by thakis@chromium.org, Dec 14 2016 

(Since kcc apparently was confused by this: We do use /guard:cf today, it was enabled in https://codereview.chromium.org/2412983006)

Comment 3 by kcc@chromium.org, Dec 14 2016 

This confuses me even more :) 
Do we use CFG on the entire chrome, or we just enabled it at link time but
did not actually instrument the code? 

If we do instrument all the code, do we have any performance and code size
numbers?

Comment 4 by thakis@chromium.org, Dec 14 2016

Cc: penny...@chromium.org scottmg@chromium.org
From my reading of https://codereview.chromium.org/2412983006/ we instrument only the handful of cc files that are directly part of chrome_initial and chrome_elf, so we don't use it for most of the code. Ah yes, https://codereview.chromium.org/2412983006/#msg11 says the same (also talks about binary size and whatnot). It looks like we didn't turn it on more than that since (https://cs.chromium.org/search/?q=win_msvc_cfg&sq=package:chromium&type=cs).

So we use it a bit, but not much, as far as I can tell. cc'ing folks who know better.

Comment 5 by penny...@chromium.org, Dec 19 2016 

#4 is currently accurate.  I have CLs underway to add support for dynamically adding addresses to the valid function call table at run time.  This is required to instrument most of chrome - due to our hooking.

Also, note that Return Flow Guard will soon be enabled and released by MS.  That will be accessible through the same "/guard:x" compile and link arguments.

Comment 6 by wfh@google.com, Dec 20 2016

Blockedon: 584575

Comment 7 by brucedaw...@chromium.org, Sep 22 2017 

Some other relevant research: as part of the investigation of fixes for  crbug.com/766236  (longjmp crashes) I measured the binary-size cost of compiling all of Chromium with /guard:cf. Comment #10 has the details (and links to a CL) but the summary is that I saw 3.0% and 3.9% increases in binary size for chrome_child.dll and chrome.dll, 64-bit release builds.

Comment 8 by benhenry@google.com, Jan 10

Status: Archived (was: Untriaged)
Archiving P3s older than 1 year with no owner or component.

Sign in to add a comment