path: root/docs/ControlFlowIntegrity.rst
author: Peter Collingbourne <peter@pcc.me.uk> 2016-04-27 20:39:53 +0000
committer: Peter Collingbourne <peter@pcc.me.uk> 2016-04-27 20:39:53 +0000
commit: 47213cf975fecb2ccbf38ff1d0a86e8c66b44634 (patch)
tree: a52f5f1c3bb09c40775ae6a7161501fa16c90baf /docs/ControlFlowIntegrity.rst
parent: a2bd0cef6588e4a9eb4a273c90648c2eae41e656 (diff)
download: clang-47213cf975fecb2ccbf38ff1d0a86e8c66b44634.tar.gz
Rework interface for bitset-using features to use a notion of LTO visibility.
Bitsets, and the compiler features they rely on (vtable opt, CFI), only have visibility within the LTO'd part of the linkage unit. Therefore, only enable these features for classes with hidden LTO visibility. This notion is based on object file visibility or (on Windows) dllimport/dllexport attributes. We provide the [[clang::lto_visibility_public]] attribute to override the compiler's LTO visibility inference in cases where the class is defined in the non-LTO'd part of the linkage unit, or where the ABI supports calling classes derived from abstract base classes with hidden visibility in other linkage units (e.g. COM on Windows).

If the cross-DSO CFI mode is enabled, bitset checks are emitted even for classes with public LTO visibility, as that mode uses a separate mechanism to cause bitsets to be exported.

This mechanism replaces the whole-program-vtables blacklist, so remove the -fwhole-program-vtables-blacklist flag.

Because __declspec(uuid()) now implies [[clang::lto_visibility_public]], the support for the special attr:uuid blacklist entry is removed.

Differential Revision: http://reviews.llvm.org/D18635

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@267784 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'docs/ControlFlowIntegrity.rst')
-rw-r--r-- docs/ControlFlowIntegrity.rst | 36
1 files changed, 23 insertions, 13 deletions
diff --git a/docs/ControlFlowIntegrity.rst b/docs/ControlFlowIntegrity.rst
index c403610952..eed5ac5120 100644
--- a/docs/ControlFlowIntegrity.rst
+++ b/docs/ControlFlowIntegrity.rst
@@ -25,13 +25,25 @@ As currently implemented, all schemes rely on link-time optimization (LTO);
so it is required to specify ``-flto``, and the linker used must support LTO,
for example via the `gold plugin`_.
-To allow the checks to be implemented efficiently, the program must be
-structured such that certain object files are compiled with CFI
+To allow the checks to be implemented efficiently, the program must
+be structured such that certain object files are compiled with CFI
enabled, and are statically linked into the program. This may preclude
-the use of shared libraries in some cases. Experimental support for
-:ref:`cross-DSO control flow integrity <cfi-cross-dso>` exists that
-does not have these requirements. This cross-DSO support has unstable
-ABI at this time.
+the use of shared libraries in some cases.
+
+The compiler will only produce CFI checks for a class if it can infer hidden
+LTO visibility for that class. LTO visibility is a property of a class that
+is inferred from flags and attributes. For more details, see the documentation
+for :doc:`LTO visibility <LTOVisibility>`.
+
+The ``-fsanitize=cfi-{vcall,nvcall,derived-cast,unrelated-cast}`` flags
+require that a ``-fvisibility=`` flag also be specified. This is because the
+default visibility setting is ``-fvisibility=default``, which would disable
+CFI checks for classes without visibility attributes. Most users will want
+to specify ``-fvisibility=hidden``, which enables CFI checks for such classes.
+
+Experimental support for :ref:`cross-DSO control flow integrity
+<cfi-cross-dso>` exists that does not require classes to have hidden LTO
+visibility. This cross-DSO support has unstable ABI at this time.
.. _gold plugin: http://llvm.org/docs/GoldPlugin.html
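Review bot: the new paragraph on ``-fvisibility=`` states that the ``cfi-*`` flags "require" a visibility flag but never says what the compiler does when it is omitted (hard error, warning, or silently no checks); since the stated failure mode is CFI being disabled for every class without an explicit attribute, please spell out the diagnostic the user will see, or at least say that the build fails, so a reader does not assume a missing flag is harmless. Two smaller points in the same hunk: the ``:doc:`LTO visibility <LTOVisibility>``` cross-reference only resolves if ``LTOVisibility.rst`` lands in the same change (the diffstat shown here is limited to this file, so that cannot be confirmed from this page), and the re-wrap of "the program must / be structured" is whitespace-only churn that makes the diff noisier than it needs to be. Minor: "has unstable ABI" reads better as "has an unstable ABI".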
@@ -233,11 +245,6 @@ A :doc:`SanitizerSpecialCaseList` can be used to relax CFI checks for certain
source files, functions and types using the ``src``, ``fun`` and ``type``
entity types.
-In addition, if a type has a ``uuid`` attribute and the blacklist contains
-the type entry ``attr:uuid``, CFI checks are suppressed for that type. This
-allows all COM types to be easily blacklisted, which is useful as COM types
-are typically defined outside of the linked program.
-
.. code-block:: bash
# Suppress checking for code in a file.
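Review bot: removing the ``attr:uuid`` paragraph drops the only guidance this section gave for COM types without replacing it; the commit message explains that ``__declspec(uuid())`` now implies ``[[clang::lto_visibility_public]]``, but a reader of this page no longer learns how COM types are handled. Suggest keeping a one-sentence pointer here, e.g. "Types declared with ``__declspec(uuid())`` are given public LTO visibility and therefore do not receive CFI checks; see :doc:`LTOVisibility`", so the blacklist section still explains why the old entry is unnecessary.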
@@ -247,8 +254,6 @@ are typically defined outside of the linked program.
fun:*MyFooBar*
# Ignore all types in the standard library.
type:std::*
- # Ignore all types with a uuid attribute.
- type:attr:uuid
.. _cfi-cross-dso:
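Review bot: deleting the ``type:attr:uuid`` example is correct given the removal of that special case, but existing user blacklists that still contain the entry will simply no longer match anything, and nothing in the doc tells them so. Please add a short note (or a release-note entry) stating that ``attr:uuid`` is no longer a recognised type entry and that COM types are now covered by LTO visibility instead, so users auditing their special-case lists know the line can be removed rather than assuming the suppression is still in effect.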
@@ -260,6 +265,11 @@ flow integrity mode, which allows all CFI schemes listed above to
apply across DSO boundaries. As in the regular CFI, each DSO must be
built with ``-flto``.
+Normally, CFI checks will only be performed for classes that have hidden LTO
+visibility. With this flag enabled, the compiler will emit cross-DSO CFI
+checks for all classes, except for those which appear in the CFI blacklist
+or which use a ``no_sanitize`` attribute.
+
Design
======
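Review bot: "With this flag enabled" in the added paragraph has no antecedent within the paragraph; the preceding context only says "cross-DSO control flow integrity mode", so please name the flag explicitly to keep the sentence readable when the section is skimmed. It would also help to state in one clause why all classes can be checked in this mode (the commit message says cross-DSO CFI uses a separate mechanism to export bitsets for classes with public LTO visibility), since the sentence otherwise reads as an unexplained exception to the hidden-visibility rule introduced earlier in this same change. Finally, ``no_sanitize`` should probably be written with the attribute spelling this doc uses elsewhere, and "the CFI blacklist" could link to the special-case-list section above.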