Diffstat (limited to 'build')
-rw-r--r-- | build/android/BUILD.gn | 7 | ||||
-rw-r--r-- | build/config/BUILDCONFIG.gn | 35 | ||||
-rw-r--r-- | build/config/c++/c++.gni | 4 | ||||
-rw-r--r-- | build/config/clang/BUILD.gn | 23 | ||||
-rw-r--r-- | build/config/compiler/BUILD.gn | 43 | ||||
-rw-r--r-- | build/config/compiler/compiler.gni | 6 | ||||
-rw-r--r-- | build/config/ios/ios_sdk_overrides.gni | 11 | ||||
-rw-r--r-- | build/config/mac/mac_sdk.gni | 4 | ||||
-rw-r--r-- | build/config/siso/PRESUBMIT.py | 2 | ||||
-rw-r--r-- | build/config/siso/clang_all.star | 12 | ||||
-rw-r--r-- | build/config/siso/clang_mac.star | 12 | ||||
-rw-r--r-- | build/config/siso/clang_windows.star | 9 | ||||
-rw-r--r-- | build/config/unsafe_buffers_paths.txt | 22 | ||||
-rw-r--r-- | build/fuchsia/linux_internal.sdk.sha1 | 2 | ||||
-rw-r--r-- | build/sanitizers/tsan_suppressions.cc | 3 | ||||
-rw-r--r-- | build/toolchain/apple/toolchain.gni | 2 | ||||
-rw-r--r-- | build/toolchain/gcc_toolchain.gni | 2 | ||||
-rw-r--r-- | build/toolchain/rbe.gni | 14 | ||||
-rw-r--r-- | build/toolchain/win/toolchain.gni | 2 | ||||
-rw-r--r-- | build/util/LASTCHANGE | 2 | ||||
-rw-r--r-- | build/util/LASTCHANGE.committime | 2 |
21 files changed, 170 insertions, 49 deletions
diff --git a/build/android/BUILD.gn b/build/android/BUILD.gn index bd8417e303..7edbf0964c 100644 --- a/build/android/BUILD.gn +++ b/build/android/BUILD.gn @@ -11,6 +11,10 @@ import("//build/config/gclient_args.gni") import("//build/config/python.gni") import("//build_overrides/build.gni") +if (build_with_chromium) { + import("//base/allocator/partition_allocator/partition_alloc.gni") +} + if (enable_java_templates) { # Create or update the API versions cache if necessary by running a # functionally empty lint task. This prevents racy creation of the @@ -193,6 +197,9 @@ group("test_runner_device_support") { if (is_asan) { data_deps += [ "//tools/android/asan/third_party:asan_device_setup" ] } + if (use_full_mte) { + data_deps += [ "//tools/android/mte:mte_device_setup" ] + } } # Proguard is needed only when using apks (rather than native executables). diff --git a/build/config/BUILDCONFIG.gn b/build/config/BUILDCONFIG.gn index 2694fe9983..223693dc67 100644 --- a/build/config/BUILDCONFIG.gn +++ b/build/config/BUILDCONFIG.gn @@ -386,8 +386,9 @@ if (is_android) { if (is_clang && !is_nacl) { default_compiler_configs += [ - "//build/config/clang:find_bad_constructs", "//build/config/clang:extra_warnings", + "//build/config/clang:find_bad_constructs", + "//build/config/clang:unsafe_buffers", ] } 
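Review bot: `use_full_mte` is read unconditionally in `group("test_runner_device_support")`, but the `partition_alloc.gni` import added in the first hunk of this file is guarded by `build_with_chromium`. If that import is what declares `use_full_mte` (the declaration is not visible here), a checkout with `build_with_chromium` false would presumably fail at `gn gen` on an undefined identifier. Guarding the use the same way, `if (build_with_chromium && use_full_mte) {`, keeps the two in step. The group body starts outside the hunk, so an enclosing condition may already cover this.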
@@ -517,6 +518,29 @@ TESTONLY_AND_VISIBILITY = [ "visibility", ] +# Sets default dependencies for static_library and source_set targets. +foreach(_target_type, + [ + "static_library", + "source_set", + ]) { + template(_target_type) { + target(_target_type, target_name) { + forward_variables_from(invoker, "*", TESTONLY_AND_VISIBILITY) + forward_variables_from(invoker, TESTONLY_AND_VISIBILITY) + if (!defined(inputs)) { + inputs = [] + } + + # Consumed by the unsafe-buffers plugin during compile. + # + # TODO(crbug.com/326584510): Reclient doesn't respect this variable, see + # rbe_bug_326584510_missing_inputs in //build/config/rbe.gni. + inputs += [ "//build/config/unsafe_buffers_paths.txt" ] + } + } +} + # Sets default dependencies for executable and shared_library targets. # # Variables @@ -538,6 +562,15 @@ foreach(_target_type, "*", TESTONLY_AND_VISIBILITY + [ "no_default_deps" ]) forward_variables_from(invoker, TESTONLY_AND_VISIBILITY) + if (!defined(inputs)) { + inputs = [] + } + + # Consumed by the unsafe-buffers plugin during compile. + # + # TODO(crbug.com/326584510): Reclient doesn't respect this variable, see + # rbe_bug_326584510_missing_inputs in //build/config/rbe.gni. + inputs += [ "//build/config/unsafe_buffers_paths.txt" ] if (!defined(deps)) { deps = [] } diff --git a/build/config/c++/c++.gni b/build/config/c++/c++.gni index 3c0b549b25..bd8e7118e3 100644 --- a/build/config/c++/c++.gni +++ b/build/config/c++/c++.gni @@ -59,6 +59,10 @@ declare_args() { # enable libc++ hardening there as well. use_safe_libcxx = (use_custom_libcxx && enable_safe_libcxx) || is_nacl_saigo +# libstdc++ has its own hardening assertions that we want to enable by default +# in Chromium builds. +use_safe_libstdcxx = is_linux && !use_custom_libcxx && enable_safe_libstdcxx + # libc++abi needs to be exported from executables to be picked up by shared # libraries on certain instrumented builds. export_libcxxabi_from_executables = 
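Review bot: `inputs += [ "//build/config/unsafe_buffers_paths.txt" ]` is added to every `static_library` and `source_set` here, and again in the template patched by the `@@ -538,6 +562,15 @@` hunk, without any condition, while the config that consumes the file is only added to the defaults under `is_clang && !is_nacl`. On toolchains where the plugin never runs, an edit to the list would still dirty every such target. Consider guarding both additions with the same condition, e.g. `if (is_clang && !is_nacl) { inputs += [ "//build/config/unsafe_buffers_paths.txt" ] }`, or stating in the comment why the dependency is deliberately unconditional.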
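Review bot: `use_safe_libstdcxx` includes `is_linux`, so a libstdc++ build for any other target OS never gets `_GLIBCXX_ASSERTIONS=1` (the define added in build/config/compiler/BUILD.gn), although the comment above it says the assertions are wanted by default in Chromium builds. If the restriction is intentional, state it in the comment, e.g. `# Limited to Linux targets; other libstdc++ configurations are not hardened by this flag.`; otherwise drop `is_linux` from the expression. `enable_safe_libstdcxx` is declared outside this hunk, so its default cannot be checked from here.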
diff --git a/build/config/clang/BUILD.gn b/build/config/clang/BUILD.gn index 6ff35215c9..e63990575e 100644 --- a/build/config/clang/BUILD.gn +++ b/build/config/clang/BUILD.gn @@ -2,6 +2,7 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. +import("//build/buildflag_header.gni") import("//build/config/rust.gni") import("clang.gni") @@ -84,6 +85,28 @@ config("find_bad_constructs") { } } +# A plugin for incrementally applying the -Wunsafe-buffer-usage warning. +config("unsafe_buffers") { + if (clang_use_chrome_plugins) { + cflags = [ + "-Xclang", + "-add-plugin", + "-Xclang", + "unsafe-buffers", + + "-Xclang", + "-plugin-arg-unsafe-buffers", + "-Xclang", + rebase_path("//build/config/unsafe_buffers_paths.txt", root_build_dir), + ] + } +} + +buildflag_header("unsafe_buffers_buildflags") { + header = "unsafe_buffers_buildflags.h" + flags = [ "UNSAFE_BUFFERS_WARNING_ENABLED=$clang_use_chrome_plugins" ] +} + # Enables some extra Clang-specific warnings. Some third-party code won't # compile with these so may want to remove this config. config("extra_warnings") { diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn index 1b3c1bd478..5312e68a71 100644 --- a/build/config/compiler/BUILD.gn +++ b/build/config/compiler/BUILD.gn @@ -1069,6 +1069,12 @@ config("compiler") { } else { defines += [ "_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_NONE" ] } + + # Enable libstdc++ hardening lightweight assertions. Those have a low + # performance penalty but are considered a bare minimum for security. + if (use_safe_libstdcxx) { + defines += [ "_GLIBCXX_ASSERTIONS=1" ] + } } # The BUILDCONFIG file sets this config on targets by default, which means when 
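Review bot: `config("unsafe_buffers")` is empty when `clang_use_chrome_plugins` is false, and this commit also deletes the `unsafe_buffer_warning` config from build/config/compiler/BUILD.gn, so such builds appear to be left with no `-Wunsafe-buffer-usage` coverage at all. The comment on the config should say so, e.g. `# No-op when clang_use_chrome_plugins is false; those builds get no unsafe-buffer checking.` `UNSAFE_BUFFERS_WARNING_ENABLED` likewise reports only the plugin switch, not whether a given target kept the config or whether its files are listed in unsafe_buffers_paths.txt, which deserves a one-line comment on the `buildflag_header` target.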
@@ -1773,6 +1779,12 @@ config("default_warnings") { # When compiling Objective-C, warns if a selector named via @selector has # not been defined in any visible interface. cflags += [ "-Wundeclared-selector" ] + + # Blink builds use a higher deployment target than non-Blink builds, so + # suppress deprecation warnings in these builds. + if (use_blink) { + cflags += [ "-Wno-deprecated-declarations" ] + } } # Suppress warnings about ABI changes on ARM (Clang doesn't give this @@ -1954,35 +1966,6 @@ config("prevent_unsafe_narrowing") { } } -# unsafe_buffer_warning ------------------------------------------------------- - -# Paths of third-party headers that violate Wunsafe-buffer-usage, but which we -# have been unable to fix yet. We use this list to be able to make progress and -# enable the warning on code that we do control/own. -# -# WARNING: This will disable all warnings in the files. ONLY USE THIS for -# third-party code which we do not control/own. Fix the warnings instead in -# our own code. -if (is_clang) { - unsafe_buffer_warning_header_allowlist = - [ "third_party/googletest/src/googletest/include/gtest" ] -} - -# Enables warnings on pointer arithmetic/indexing or calls to functions -# annotated with `UNSAFE_BUFFER_USAGE`. -config("unsafe_buffer_warning") { - if (is_clang) { - cflags = [ "-Wunsafe-buffer-usage" ] - foreach(h, unsafe_buffer_warning_header_allowlist) { - if (is_win) { - cflags += [ "/clang:--system-header-prefix=$h" ] - } else { - cflags += [ "--system-header-prefix=$h" ] - } - } - } -} - # chromium_code --------------------------------------------------------------- # # Toggles between higher and lower warnings for code that is (or isn't) @@ -2429,7 +2412,7 @@ config("optimize") { if (is_fuchsia) { cflags = [ "-Oz" ] + common_optimize_on_cflags - } else { + } else { cflags = [ "-Os" ] + common_optimize_on_cflags } diff --git a/build/config/compiler/compiler.gni b/build/config/compiler/compiler.gni index 636652d159..753748328a 100644 
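Review bot: `-Wno-deprecated-declarations` is keyed on `use_blink` alone, so it silences every deprecation warning in those builds, including ones unrelated to the higher deployment target that the comment gives as the reason. ios_sdk_overrides.gni in this commit raises the deployment target only for iOS, so a narrower condition such as `if (is_ios && use_blink) {` would match the stated reason, assuming the enclosing block (which starts outside the hunk) does not already restrict this to iOS. Deprecation warnings are often the first signal that an API has been superseded by a safer one, so the suppression should carry a TODO naming the condition under which it can be removed.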
--- a/build/config/compiler/compiler.gni +++ b/build/config/compiler/compiler.gni @@ -135,9 +135,9 @@ declare_args() { enable_cet_shadow_stack = target_cpu == "x64" # Set to true to enable using the ML inliner in LLVM. This currently only - # enables the ML inliner when targeting Android. - # Currently the ML inliner is only supported on linux hosts - use_ml_inliner = host_os == "linux" && is_android && + # enables the ML inliner when targeting Android for a size-optimized build. + # Currently the ML inliner is only supported on linux hosts. + use_ml_inliner = host_os == "linux" && is_android && optimize_for_size && !llvm_android_mainline # https://crbug.com/1468680 # Set to true to use the android unwinder V2 implementation. diff --git a/build/config/ios/ios_sdk_overrides.gni b/build/config/ios/ios_sdk_overrides.gni index a2373c6c9d..0bb60c6d08 100644 --- a/build/config/ios/ios_sdk_overrides.gni +++ b/build/config/ios/ios_sdk_overrides.gni @@ -5,13 +5,20 @@ # This file contains arguments that subprojects may choose to override. It # asserts that those overrides are used, to prevent unused args warnings. +import("//build/config/features.gni") + declare_args() { # Version of iOS that we're targeting. - ios_deployment_target = "15.0" + if (use_blink) { + ios_deployment_target = "17.4" + } else { + ios_deployment_target = "15.0" + } } # Always assert that ios_deployment_target is used on non-iOS platforms to # prevent unused args warnings. if (!is_ios) { - assert(ios_deployment_target == "15.0" || true) + assert(ios_deployment_target == "15.0" || ios_deployment_target == "17.4" || + true) } diff --git a/build/config/mac/mac_sdk.gni b/build/config/mac/mac_sdk.gni index cc4e1e2a37..7025bdfb86 100644 --- a/build/config/mac/mac_sdk.gni +++ b/build/config/mac/mac_sdk.gni 
@@ -10,9 +10,7 @@ import("//build/toolchain/rbe.gni") import("//build/toolchain/siso.gni") import("//build/toolchain/toolchain.gni") -assert( - current_os == "mac" || current_toolchain == default_toolchain || - (current_os == "ios" && current_toolchain == "${default_toolchain}_blink")) +assert(current_os == "mac" || current_toolchain == default_toolchain) declare_args() { # The following two variables control the minimum supported version for diff --git a/build/config/siso/PRESUBMIT.py b/build/config/siso/PRESUBMIT.py index 9a0f7863ec..25fbefc005 100644 --- a/build/config/siso/PRESUBMIT.py +++ b/build/config/siso/PRESUBMIT.py @@ -15,7 +15,7 @@ def CheckTryjobFooters(input_api, output_api): message = ( "Missing 'Cq-Include-Trybots:' field required for Siso config changes" "\nPlease add the following fields to run Siso tryjobs.\n\n" - "Cq-Include-Trybots: luci.chromium.try:fuchsia-binary-size-siso\n" "Cq-Include-Trybots: luci.chromium.try:linux_chromium_asan_siso_rel_ng\n" + "Cq-Include-Trybots: luci.chromium.try:linux_chromium_tsan_siso_rel_ng\n" ) return [output_api.PresubmitPromptWarning(message)] diff --git a/build/config/siso/clang_all.star b/build/config/siso/clang_all.star index acd603419e..0946eec116 100644 --- a/build/config/siso/clang_all.star +++ b/build/config/siso/clang_all.star @@ -45,6 +45,18 @@ __input_deps = { "third_party/libc++/src/include": [ "buildtools/third_party/libc++:headers", ], + "third_party/llvm-build/Release+Asserts/bin/clang": [ + "build/config/unsafe_buffers_paths.txt", + ], + "third_party/llvm-build/Release+Asserts/bin/clang++": [ + "build/config/unsafe_buffers_paths.txt", + ], + "third_party/llvm-build/Release+Asserts/bin/clang-cl": [ + "build/config/unsafe_buffers_paths.txt", + ], + "third_party/llvm-build/Release+Asserts/bin/clang-cl.exe": [ + "build/config/unsafe_buffers_paths.txt", + ], } clang_all = module( diff --git a/build/config/siso/clang_mac.star b/build/config/siso/clang_mac.star index 1c21a1a556..99affc5d59 100644 
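Review bot: The four new `__input_deps` entries in clang_all.star attach `build/config/unsafe_buffers_paths.txt` to the compiler binaries, which presumably only takes effect for steps that list the binary in `inputs`; this commit adds that to the steps in clang_mac.star and clang_windows.star, but the diffstat shows no Linux step config being touched. It is worth confirming that the Linux clang steps already carry the binary as an input, since otherwise remote compiles there could run the plugin without the list. A short comment above the new entries would also help, e.g. `# Read by the unsafe-buffers clang plugin at compile time.`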
--- a/build/config/siso/clang_mac.star +++ b/build/config/siso/clang_mac.star @@ -89,6 +89,9 @@ def __step_config(ctx, step_config): "name": "clang/cxx", "action": "(.*_)?cxx", "command_prefix": "../../third_party/llvm-build/Release+Asserts/bin/clang++", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang++", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang", "remote": True, @@ -98,6 +101,9 @@ def __step_config(ctx, step_config): "name": "clang/cc", "action": "(.*_)?cc", "command_prefix": "../../third_party/llvm-build/Release+Asserts/bin/clang", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang", "remote": True, @@ -107,6 +113,9 @@ def __step_config(ctx, step_config): "name": "clang/objcxx", "action": "(.*_)?objcxx", "command_prefix": "../../third_party/llvm-build/Release+Asserts/bin/clang++", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang++", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang", "remote": True, @@ -117,6 +126,9 @@ def __step_config(ctx, step_config): "name": "clang/objc", "action": "(.*_)?objc", "command_prefix": "../../third_party/llvm-build/Release+Asserts/bin/clang", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang", "remote": True, diff --git a/build/config/siso/clang_windows.star b/build/config/siso/clang_windows.star index 9f8dc03759..8f58ca4b15 100644 --- a/build/config/siso/clang_windows.star +++ b/build/config/siso/clang_windows.star 
@@ -229,6 +229,9 @@ def __step_config(ctx, step_config): path.join(win_toolchain_dir, "Windows Kits/10/Include/10.0.22621.0/shared/Devpropdef.h"), # third_party/dawn/third_party/dxc/include/dxc/Support/WinIncludes.h "ObjIdl.h" path.join(win_toolchain_dir, "Windows Kits/10/Include/10.0.22621.0/um/ObjIdl.h"), + # third_party/dawn/third_party/dxc/lib/Support includes "D3Dcommon.h" + # https://github.com/microsoft/DirectXShaderCompiler/pull/6380 + path.join(win_toolchain_dir, "Windows Kits/10/Include/10.0.22621.0/um/D3Dcommon.h"), ], }) remote = True @@ -237,6 +240,9 @@ def __step_config(ctx, step_config): "name": "clang-cl/cxx", "action": "(.*_)?cxx", "command_prefix": "..\\..\\third_party\\llvm-build\\Release+Asserts\\bin\\clang-cl.exe", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang-cl.exe", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang-cl", "remote": remote, @@ -247,6 +253,9 @@ def __step_config(ctx, step_config): "name": "clang-cl/cc", "action": "(.*_)?cc", "command_prefix": "..\\..\\third_party\\llvm-build\\Release+Asserts\\bin\\clang-cl.exe", + "inputs": [ + "third_party/llvm-build/Release+Asserts/bin/clang-cl.exe", + ], "exclude_input_patterns": ["*.stamp"], "platform_ref": "clang-cl", "remote": remote, diff --git a/build/config/unsafe_buffers_paths.txt b/build/config/unsafe_buffers_paths.txt new file mode 100644 index 0000000000..329334afc2 --- /dev/null +++ b/build/config/unsafe_buffers_paths.txt 
@@ -0,0 +1,22 @@ +# Copyright 2024 The Chromium Project. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# The set of path prefixes that should be checked for unsafe buffer usage (see +# -Wunsafe-buffer-usage in Clang). +# +# *** +# Paths should be written as relative to the root of the source tree with +# unix-style path separators. Directory prefixes should end with `/`, such +# as `base/`. +# *** +# +# Files in this set are known to not use pointer arithmetic/subscripting, and +# make use of constructs like base::span or containers like std::vector instead. +# +# See `docs/unsafe_buffers.md`. + +base/containers/buffer_iterator_nocompile.nc +base/containers/span.h +base/unsafe_buffers_unittest.cc +base/unsafe_buffers_nocompile.nc diff --git a/build/fuchsia/linux_internal.sdk.sha1 b/build/fuchsia/linux_internal.sdk.sha1 index 278c67bfe6..743912105b 100644 --- a/build/fuchsia/linux_internal.sdk.sha1 +++ b/build/fuchsia/linux_internal.sdk.sha1 @@ -1 +1 @@ -18.20240224.2.1 +19.20240302.2.1 diff --git a/build/sanitizers/tsan_suppressions.cc b/build/sanitizers/tsan_suppressions.cc index 2f3b3826b2..e228610433 100644 --- a/build/sanitizers/tsan_suppressions.cc +++ b/build/sanitizers/tsan_suppressions.cc @@ -42,9 +42,6 @@ char kTSanDefaultSuppressions[] = // http://crbug.com/476529 "deadlock:cc::VideoLayerImpl::WillDraw\n" - // http://crbug.com/328826 - "race:skia::(anonymous namespace)::g_pixel_geometry\n" - // http://crbug.com/328868 "race:PR_Lock\n" diff --git a/build/toolchain/apple/toolchain.gni b/build/toolchain/apple/toolchain.gni index 2d5ea8185d..2ad540ccc5 100644 --- a/build/toolchain/apple/toolchain.gni +++ b/build/toolchain/apple/toolchain.gni 
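Review bot: The licence header of the new unsafe_buffers_paths.txt reads `Copyright 2024 The Chromium Project. All rights reserved.`, whereas the header added to build/toolchain/rbe.gni in this same commit uses `Copyright 2024 The Chromium Authors`; the two should agree. The comment block describes the entries as path prefixes, so it could also state explicitly that matching is by prefix and that a file covered by no entry is presumably not checked, since that is what makes the list opt-in.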
@@ -171,7 +171,7 @@ template("single_apple_toolchain") { } # C/C++ (clang) rewrapper prefix to use when use_remoteexec is true. - compiler_prefix = "${rbe_bin_dir}/rewrapper -cfg=${toolchain_rbe_cc_cfg_file} -exec_root=${rbe_exec_root} " + compiler_prefix = "${rbe_bin_dir}/rewrapper -cfg=${toolchain_rbe_cc_cfg_file}${rbe_bug_326584510_missing_inputs} -exec_root=${rbe_exec_root} " } else if (toolchain_uses_goma) { assert(toolchain_cc_wrapper == "", "Goma and cc_wrapper can't be used together.") diff --git a/build/toolchain/gcc_toolchain.gni b/build/toolchain/gcc_toolchain.gni index 94592ecb5b..a74a4ffb75 100644 --- a/build/toolchain/gcc_toolchain.gni +++ b/build/toolchain/gcc_toolchain.gni @@ -214,7 +214,7 @@ template("single_gcc_toolchain") { } # C/C++ (clang) rewrapper prefix to use when use_remoteexec is true. - compiler_prefix = "${rbe_bin_dir}/rewrapper -cfg=${toolchain_rbe_cc_cfg_file} -exec_root=${rbe_exec_root} " + compiler_prefix = "${rbe_bin_dir}/rewrapper -cfg=${toolchain_rbe_cc_cfg_file}${rbe_bug_326584510_missing_inputs} -exec_root=${rbe_exec_root} " } else if (toolchain_uses_goma && (!defined(invoker.needs_gomacc_path_arg) || !invoker.needs_gomacc_path_arg)) { diff --git a/build/toolchain/rbe.gni b/build/toolchain/rbe.gni index 7975b499dc..5652700963 100644 --- a/build/toolchain/rbe.gni +++ b/build/toolchain/rbe.gni @@ -1,3 +1,7 @@ +# Copyright 2024 The Chromium Authors +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + # Defines the configuration of Remote Build Execution (RBE). declare_args() { 
@@ -73,3 +77,13 @@ if (is_mac || is_ios) { use_remoteexec_links = false } } + +# TODO(crbug.com/326584510): Reclient does not upload `inputs` from C/C++ +# targets. This file is added to `inputs` for all C targets in +# //build/config/BUILDCONFIG.gn. We work around the bug in Reclient by +# specifying the file here. +# +# This is a comma-delimited list of paths relative to the source tree root. The +# leading space is important, if the string is non-empty. :) +rbe_bug_326584510_missing_inputs = + " -inputs=build/config/unsafe_buffers_paths.txt" diff --git a/build/toolchain/win/toolchain.gni b/build/toolchain/win/toolchain.gni index 9a70191a0d..de45c13ed2 100644 --- a/build/toolchain/win/toolchain.gni +++ b/build/toolchain/win/toolchain.gni @@ -81,7 +81,7 @@ template("msvc_toolchain") { if (toolchain_uses_remoteexec) { if (toolchain_is_clang) { - cl_prefix = "${rbe_bin_dir}/rewrapper -cfg=${rbe_cc_cfg_file} -exec_root=${rbe_exec_root} -labels=type=compile,compiler=clang-cl,lang=cpp " + cl_prefix = "${rbe_bin_dir}/rewrapper -cfg=${rbe_cc_cfg_file}${rbe_bug_326584510_missing_inputs} -exec_root=${rbe_exec_root} -labels=type=compile,compiler=clang-cl,lang=cpp " } else { cl_prefix = "" } diff --git a/build/util/LASTCHANGE b/build/util/LASTCHANGE index e0ab542792..93e7b6fcdf 100644 --- a/build/util/LASTCHANGE +++ b/build/util/LASTCHANGE @@ -1,2 +1,2 @@ -LASTCHANGE=dd4da8c1d89df4b45b3afe584cf083c28f362244-refs/heads/main@{#1266264} +LASTCHANGE=83910d02946c38386d9f6f4bfbb7a1fd01040bfe-refs/heads/main@{#1267703} LASTCHANGE_YEAR=2024 diff --git a/build/util/LASTCHANGE.committime b/build/util/LASTCHANGE.committime index c7ee6255f3..fc9f092a58 100644 --- a/build/util/LASTCHANGE.committime +++ b/build/util/LASTCHANGE.committime @@ -1 +1 @@ -1709100810
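Review bot: `rbe_bug_326584510_missing_inputs` is spliced into the rewrapper command with no separator (`-cfg=${toolchain_rbe_cc_cfg_file}${rbe_bug_326584510_missing_inputs}` in the apple and gcc toolchain hunks, `-cfg=${rbe_cc_cfg_file}${rbe_bug_326584510_missing_inputs}` in the win one), so it is correct only while the string begins with a space; a later edit that drops the space would fuse the flag into the cfg path. Putting the separator at the call sites is sturdier: `rbe_bug_326584510_missing_inputs = "-inputs=build/config/unsafe_buffers_paths.txt"` here and `-cfg=${toolchain_rbe_cc_cfg_file} ${rbe_bug_326584510_missing_inputs}` in the toolchains. Nothing in this commit shows what the plugin does when the file is absent on a remote worker; if it treats an unreadable file as an empty list, remote builds would lose the check without an error, so that behaviour should be confirmed.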
\ No newline at end of file +1709534243
\ No newline at end of file |