Enable -flto and -fsanitize=cfi in clang

oneapi-src · Nov 7, 2024 · b6bc080 · b6bc080
1 parent f01741a
commit b6bc080
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 7 deletions.
diff --git a/cmake/helpers.cmake b/cmake/helpers.cmake
@@ -63,6 +63,11 @@ if(CMAKE_SYSTEM_NAME STREQUAL Linux)
     check_cxx_compiler_flag("-fstack-clash-protection" CXX_HAS_FSTACK_CLASH_PROTECTION)
 endif()
 
+set(SAVED_CMAKE_REQUIRED_FLAGS ${CMAKE_REQUIRED_FLAGS})
+set(CMAKE_REQUIRED_FLAGS "-flto -fvisibility=hidden")
+check_cxx_compiler_flag("-fsanitize=cfi" CXX_HAS_CFI_SANITIZE)
+set(CMAKE_REQUIRED_FLAGS ${SAVED_CMAKE_REQUIRED_FLAGS})
+
 function(add_ur_target_compile_options name)
     if(NOT MSVC)
         target_compile_definitions(${name} PRIVATE -D_FORTIFY_SOURCE=2)
@@ -78,11 +83,10 @@ function(add_ur_target_compile_options name)
             # Hardening options
             -fPIC
             -fstack-protector-strong
-            -fvisibility=hidden # Required for -fsanitize=cfi
-            # -fsanitize=cfi requires -flto, which breaks a lot of things
-            # See: https://github.com/oneapi-src/unified-runtime/issues/2120
-            # -flto
-            # $<$<CXX_COMPILER_ID:Clang,AppleClang>:-fsanitize=cfi>
+            -fvisibility=hidden
+            # cfi-icall requires called functions in shared libraries to also be built with cfi-icall, which we can't
+            # guarantee. -fsanitize=cfi depends on -flto
+            $<$<BOOL:${CXX_HAS_CFI_SANITIZE}>:-flto -fsanitize=cfi -fno-sanitize=cfi-icall -fdebug-default-version=4>
             $<$<BOOL:${CXX_HAS_FCF_PROTECTION_FULL}>:-fcf-protection=full>
             $<$<BOOL:${CXX_HAS_FSTACK_CLASH_PROTECTION}>:-fstack-clash-protection>
 
@@ -119,7 +123,10 @@ endfunction()
 function(add_ur_target_link_options name)
     if(NOT MSVC)
         if (NOT APPLE)
-            target_link_options(${name} PRIVATE "LINKER:-z,relro,-z,now,-z,noexecstack")
+            target_link_options(${name} PRIVATE
+                $<$<BOOL:${CXX_HAS_CFI_SANITIZE}>:-v -flto -fsanitize=cfi -fno-sanitize=cfi-icall -fdebug-default-version=4>
+                "LINKER:-z,relro,-z,now,-z,noexecstack"
+            )
             if (UR_DEVELOPER_MODE)
                 target_link_options(${name} PRIVATE -Werror -Wextra)
             endif()

diff --git a/test/conformance/enqueue/enqueue_adapter_opencl.match b/test/conformance/enqueue/enqueue_adapter_opencl.match
@@ -0,0 +1,3 @@
+# Note: This file is only for use with cts_exe.py
+# Fails when -fsanitize=cfi
+{{OPT}}urEnqueueEventsWaitMultiDeviceMTTest.EnqueueWaitOnAllQueues/MultiThread
diff --git a/test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match
@@ -0,0 +1,11 @@
+# Note: This file is only for use with cts_exe.py
+# These cause SIGILL when built with -fsanitize=cfi on Nvidia
+{{OPT}}urCommandBufferKernelHandleUpdateTest.Success/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.UpdateAgain/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.RestoreOriginalKernel/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.KernelAlternativeNotRegistered/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.RegisterInvalidKernelAlternative/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateDimensionsWithoutUpdatingKernel/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateOnlyLocalWorkSize/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.SuccessNullptrHandle/*
+{{OPT}}KernelCommandEventSyncUpdateTest.TwoWaitEvents/*
diff --git a/test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match
@@ -0,0 +1,10 @@
+# Note: This file is only for use with cts_exe.py
+# These cause SIGILL when built with -fsanitize=cfi on AMD
+{{OPT}}urCommandBufferKernelHandleUpdateTest.Success/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.UpdateAgain/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.RestoreOriginalKernel/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.KernelAlternativeNotRegistered/*
+{{OPT}}urCommandBufferKernelHandleUpdateTest.RegisterInvalidKernelAlternative/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateDimensionsWithoutUpdatingKernel/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateOnlyLocalWorkSize/*
+{{OPT}}urCommandBufferValidUpdateParametersTest.SuccessNullptrHandle/*
diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt
@@ -51,7 +51,9 @@ target_link_libraries(fuzztest-base
     ${PROJECT_NAME}::headers
     ${PROJECT_NAME}::common
     -fsanitize=fuzzer)
-target_compile_options(fuzztest-base PRIVATE -g -fsanitize=fuzzer)
+# When built with -g and -flto (which is required by some hardening flags), this causes a segfault in (upstream)
+# LLVM 14-15 while linking when CMAKE_BUILD_TYPE is Release
+target_compile_options(fuzztest-base PRIVATE -fsanitize=fuzzer)
 target_compile_definitions(fuzztest-base PRIVATE -DKERNEL_IL_PATH="${UR_CONFORMANCE_DEVICE_BINARIES_DIR}/fill/spir64.bin.0")
 target_include_directories(fuzztest-base PRIVATE ${UR_CONFORMANCE_DEVICE_BINARIES_DIR})
 add_dependencies(fuzztest-base generate_device_binaries)