Skip to content

Revert "[SYCL] Refresh hardening flags applied to the project (#18447)" #18472

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 15, 2025
Merged

Revert "[SYCL] Refresh hardening flags applied to the project (#18447)" #18472

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
244 changes: 55 additions & 189 deletions llvm/cmake/modules/AddSecurityFlags.cmake
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
macro(add_compile_option_ext flag name)
cmake_parse_arguments(ARG "" "" "" ${ARGN})
cmake_parse_arguments(ARG "" "" "" ${ARGN})
set(CHECK_STRING "${flag}")
if(MSVC)
if (MSVC)
set(CHECK_STRING "/WX ${CHECK_STRING}")
else()
set(CHECK_STRING "-Werror ${CHECK_STRING}")
endif()

check_c_compiler_flag("${CHECK_STRING}" "C_SUPPORTS_${name}")
check_cxx_compiler_flag("${CHECK_STRING}" "CXX_SUPPORTS_${name}")
if(C_SUPPORTS_${name} AND CXX_SUPPORTS_${name})
if (C_SUPPORTS_${name} AND CXX_SUPPORTS_${name})
message(STATUS "Building with ${flag}")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${flag}")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${flag}")
Expand All @@ -31,207 +31,73 @@ macro(add_link_option_ext flag name)
endif()
endmacro()

set(is_gcc FALSE)
set(is_clang FALSE)
set(is_msvc FALSE)
set(is_icpx FALSE)

if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
set(is_clang TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "GNU")
set(is_gcc TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "IntelLLVM")
set(is_icpx TRUE)
endif()
if(CMAKE_CXX_COMPILER_ID MATCHES "MSVC")
set(is_msvc TRUE)
endif()

macro(append_common_extra_security_flags)
# Compiler Warnings and Error Detection
# Note: in intel/llvm we build both linux and win with --ci-defaults.
# This flag also enables -Werror or /WX.
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Wall" WALL)
add_compile_option_ext("-Wextra" WEXTRA)
elseif(is_icpx)
add_compile_option_ext("/Wall" WALL)
elseif(is_msvc)
add_compile_option_ext("/W4" WALL)
endif()

if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Wconversion" WCONVERSION)
add_compile_option_ext("-Wimplicit-fallthrough" WIMPLICITFALLTHROUGH)
endif()
endif()

# Control Flow Integrity
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-fcf-protection=full" FCFPROTECTION)
elseif(is_icpx)
add_compile_option_ext("/Qcf-protection:full" FCFPROTECTION)
elseif(is_msvc)
add_link_option_ext("/LTCG" LTCG CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
add_compile_option_ext("/sdl" SDL)
add_compile_option_ext("/guard:cf" GUARDCF)
add_link_option_ext("/CETCOMPAT" CETCOMPAT CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()

# Format String Defense
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Wformat" WFORMAT)
add_compile_option_ext("-Wformat-security" WFORMATSECURITY)
elseif(is_icpx)
add_compile_option_ext("/Wformat" WFORMAT)
add_compile_option_ext("/Wformat-security" WFORMATSECURITY)
elseif(is_msvc)
add_compile_option_ext("/analyze" ANALYZE)
endif()

if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-Werror=format-security" WERRORFORMATSECURITY)
endif()
endif()

# Inexecutable Stack
if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_link_option_ext(
"-Wl,-z,noexecstack" NOEXECSTACK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
endif()

# Position Independent Code
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
add_compile_option_ext("-fPIC" FPIC)
elseif(is_msvc)
add_compile_option_ext("/Gy" GY)
endif()

# Position Independent Execution
if(is_gcc
OR is_clang
OR (is_icpx AND MSVC))
# The project should be configured with -DCMAKE_POSITION_INDEPENDENT_CODE=ON
add_compile_option_ext("-fPIE" FPIE)
add_link_option_ext("-pie" PIE CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
elseif(is_msvc)
add_link_option_ext("/DYNAMICBASE" DYNAMICBASE CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()

if(CMAKE_BUILD_TYPE MATCHES "Release")
if(is_msvc)
add_link_option_ext("/NXCOMPAT" NXCOMPAT CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
endif()

# Stack Protection
if(is_msvc)
add_compile_option_ext("/GS" GS)
elseif(
is_gcc
OR is_clang
OR (is_icpx AND MSVC))
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
add_compile_option_ext("-fstack-protector" FSTACKPROTECTOR)
elseif(CMAKE_BUILD_TYPE MATCHES "Release")
add_compile_option_ext("-fstack-protector-strong" FSTACKPROTECTORSTRONG)
add_compile_option_ext("-fstack-clash-protection" FSTACKCLASHPROTECTION)
endif()
endif()

if(LLVM_ON_UNIX)
if( LLVM_ON_UNIX )
# Fortify Source (strongly recommended):
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
message(WARNING "-D_FORTIFY_SOURCE=3 can only be used with optimization.")
message(WARNING "-D_FORTIFY_SOURCE=3 is not supported.")
if (CMAKE_BUILD_TYPE STREQUAL "Debug")
message(WARNING
"-D_FORTIFY_SOURCE=2 can only be used with optimization.")
message(WARNING "-D_FORTIFY_SOURCE=2 is not supported.")
else()
# Sanitizers do not work with checked memory functions, such as
# __memset_chk. We do not build release packages with sanitizers, so just
# avoid -D_FORTIFY_SOURCE=3 under LLVM_USE_SANITIZER.
if(NOT LLVM_USE_SANITIZER)
message(STATUS "Building with -D_FORTIFY_SOURCE=3")
add_definitions(-D_FORTIFY_SOURCE=3)
# Sanitizers do not work with checked memory functions,
# such as __memset_chk. We do not build release packages
# with sanitizers, so just avoid -D_FORTIFY_SOURCE=2
# under LLVM_USE_SANITIZER.
if (NOT LLVM_USE_SANITIZER)
message(STATUS "Building with -D_FORTIFY_SOURCE=2")
add_definitions(-D_FORTIFY_SOURCE=2)
else()
message(
WARNING "-D_FORTIFY_SOURCE=3 dropped due to LLVM_USE_SANITIZER.")
message(WARNING
"-D_FORTIFY_SOURCE=2 dropped due to LLVM_USE_SANITIZER.")
endif()
endif()

if(LLVM_ENABLE_ASSERTIONS)
add_definitions(-D_GLIBCXX_ASSERTIONS)
endif()
# Format String Defense
add_compile_option_ext("-Wformat" WFORMAT)
add_compile_option_ext("-Wformat-security" WFORMATSECURITY)
add_compile_option_ext("-Werror=format-security" WERRORFORMATSECURITY)

# Stack Protection
add_compile_option_ext("-fstack-protector-strong" FSTACKPROTECTORSTRONG)

# Full Relocation Read Only
if(CMAKE_BUILD_TYPE MATCHES "Release")
add_link_option_ext("-Wl,-z,relro" ZRELRO CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
add_link_option_ext("-Wl,-z,relro" ZRELRO
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)

# Immediate Binding (Bindnow)
if(CMAKE_BUILD_TYPE MATCHES "Release")
add_link_option_ext("-Wl,-z,now" ZNOW CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
add_link_option_ext("-Wl,-z,nodlopen" ZDLOPEN CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
endif()
add_link_option_ext("-Wl,-z,now" ZNOW
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
endif()
endmacro()

if(EXTRA_SECURITY_FLAGS)
if(EXTRA_SECURITY_FLAGS STREQUAL "none")
if ( EXTRA_SECURITY_FLAGS )
if (EXTRA_SECURITY_FLAGS STREQUAL "none")
# No actions.
elseif(EXTRA_SECURITY_FLAGS STREQUAL "default")
append_common_extra_security_flags()
elseif(EXTRA_SECURITY_FLAGS STREQUAL "sanitize")
append_common_extra_security_flags()
if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
add_compile_option_ext("-fsanitize=cfi" FSANITIZE_CFI)
add_link_option_ext(
"-fsanitize=cfi" FSANITIZE_CFI_LINK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
# Recommended option although linking a DSO with SafeStack is not
# currently supported by compiler.
# add_compile_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK)
# add_link_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK_LINK
# CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
# CMAKE_SHARED_LINKER_FLAGS)
elseif (EXTRA_SECURITY_FLAGS STREQUAL "default")
append_common_extra_security_flags()
elseif (EXTRA_SECURITY_FLAGS STREQUAL "sanitize")
append_common_extra_security_flags()
if (CMAKE_CXX_COMPILER_ID MATCHES "Clang")
add_compile_option_ext("-fsanitize=cfi" FSANITIZE_CFI)
add_link_option_ext("-fsanitize=cfi" FSANITIZE_CFI_LINK
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
# Recommended option although linking a DSO with SafeStack is not currently supported by compiler.
#add_compile_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK)
#add_link_option_ext("-fsanitize=safe-stack" FSANITIZE_SAFESTACK_LINK
# CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
# CMAKE_SHARED_LINKER_FLAGS)
else()
add_compile_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION)
# need to align compile and link option set, link now is set unconditionally
add_link_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION_LINK
CMAKE_EXE_LINKER_FLAGS CMAKE_MODULE_LINKER_FLAGS
CMAKE_SHARED_LINKER_FLAGS)
endif()
else()
add_compile_option_ext("-fcf-protection=full -mcet" FCF_PROTECTION)
# need to align compile and link option set, link now is set
# unconditionally
add_link_option_ext(
"-fcf-protection=full -mcet" FCF_PROTECTION_LINK CMAKE_EXE_LINKER_FLAGS
CMAKE_MODULE_LINKER_FLAGS CMAKE_SHARED_LINKER_FLAGS)
message(FATAL_ERROR "Unsupported value of EXTRA_SECURITY_FLAGS: ${EXTRA_SECURITY_FLAGS}")
endif()
else()
message(
FATAL_ERROR
"Unsupported value of EXTRA_SECURITY_FLAGS: ${EXTRA_SECURITY_FLAGS}")
endif()
endif()

Loading