mstorsjo · mstorsjo · Oct 1, 2022 · Sep 28, 2022 · Sep 28, 2022 · Sep 29, 2022
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -51,10 +51,12 @@ jobs:
           cat versions >> $GITHUB_ENV
           mkdir -p install/llvm-mingw
           cp versions install/llvm-mingw
+          echo Enabling CFGuard when building with latest llvm and mingw-w64
+          echo CFGUARD_PARAMS=--enable-cfguard >> $GITHUB_ENV
       - name: Build
         run: |
           sudo apt-get update && sudo apt-get install ninja-build
-          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb
+          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb $CFGUARD_PARAMS
           cd install
           tar -Jcf ../llvm-mingw-linux.tar.xz llvm-mingw
       - uses: actions/upload-artifact@v2
@@ -89,10 +91,12 @@ jobs:
           cat versions >> $GITHUB_ENV
           mkdir -p install/llvm-mingw
           cp versions install/llvm-mingw
+          echo Enabling CFGuard when building with latest llvm and mingw-w64
+          echo CFGUARD_PARAMS=--enable-cfguard >> $GITHUB_ENV
       - name: Build
         run: |
           sudo apt-get update && sudo apt-get install ninja-build
-          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb --enable-asserts
+          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb --enable-asserts $CFGUARD_PARAMS
           cd install
           tar -Jcf ../llvm-mingw-linux.tar.xz llvm-mingw
       - uses: actions/upload-artifact@v2
@@ -118,6 +122,8 @@ jobs:
           . versions
           echo Building llvm-project $LLVM_VERSION mingw-w64 $MINGW_W64_VERSION
           cat versions >> $GITHUB_ENV
+          echo Enabling CFGuard when building with latest llvm and mingw-w64
+          echo CFGUARD_PARAMS=--enable-cfguard >> $GITHUB_ENV
       - uses: actions/checkout@v2
       - name: Build
         run: |
@@ -127,7 +133,7 @@ jobs:
           # (and gets picked up), but only exists in native form.
           # Disable use of zstd too - it's also available, but only in native
           # form.
-          MACOS_REDIST=1 LLVM_CMAKEFLAGS="-DLLVM_ENABLE_ZSTD=OFF" ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb
+          MACOS_REDIST=1 LLVM_CMAKEFLAGS="-DLLVM_ENABLE_ZSTD=OFF" ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb $CFGUARD_PARAMS
           cd install
           tar -Jcf ../llvm-mingw-macos.tar.xz llvm-mingw
       - uses: actions/upload-artifact@v2
@@ -181,10 +187,12 @@ jobs:
           . versions
           echo Building llvm-project $LLVM_VERSION mingw-w64 $MINGW_W64_VERSION
           cat versions >> $GITHUB_ENV
+          echo Enabling CFGuard when building with latest llvm and mingw-w64
+          echo CFGUARD_PARAMS=--enable-cfguard >> $GITHUB_ENV
       - uses: actions/checkout@v2
       - name: Build
         run: |
-          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb
+          ./build-all.sh $(pwd)/install/llvm-mingw --disable-clang-tools-extra --disable-lldb $CFGUARD_PARAMS
           ./run-tests.sh $(pwd)/install/llvm-mingw
 
   # Use the Linux cross compilers built in the first step to cross compile

diff --git a/Dockerfile b/Dockerfile
@@ -44,25 +44,27 @@ ARG TOOLCHAIN_ARCHS="i686 x86_64 armv7 aarch64"
 
 ARG DEFAULT_CRT=ucrt
 
+ARG CFGUARD_ARGS=--disable-cfguard
+
 # Build everything that uses the llvm monorepo. We need to build the mingw runtime before the compiler-rt/libunwind/libcxxabi/libcxx runtimes.
 COPY build-llvm.sh build-lldb-mi.sh strip-llvm.sh install-wrappers.sh build-mingw-w64.sh build-mingw-w64-tools.sh build-compiler-rt.sh build-libcxx.sh build-mingw-w64-libraries.sh build-openmp.sh ./
 COPY wrappers/*.sh wrappers/*.c wrappers/*.h ./wrappers/
 RUN ./build-llvm.sh $TOOLCHAIN_PREFIX && \
     ./build-lldb-mi.sh $TOOLCHAIN_PREFIX && \
     ./strip-llvm.sh $TOOLCHAIN_PREFIX && \
     ./install-wrappers.sh $TOOLCHAIN_PREFIX && \
-    ./build-mingw-w64.sh $TOOLCHAIN_PREFIX --with-default-msvcrt=$DEFAULT_CRT && \
+    ./build-mingw-w64.sh $TOOLCHAIN_PREFIX --with-default-msvcrt=$DEFAULT_CRT $CFGUARD_ARGS && \
     ./build-mingw-w64-tools.sh $TOOLCHAIN_PREFIX && \
-    ./build-compiler-rt.sh $TOOLCHAIN_PREFIX && \
-    ./build-libcxx.sh $TOOLCHAIN_PREFIX && \
-    ./build-mingw-w64-libraries.sh $TOOLCHAIN_PREFIX && \
+    ./build-compiler-rt.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS && \
+    ./build-libcxx.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS && \
+    ./build-mingw-w64-libraries.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS && \
     ./build-compiler-rt.sh $TOOLCHAIN_PREFIX --build-sanitizers && \
-    ./build-openmp.sh $TOOLCHAIN_PREFIX && \
+    ./build-openmp.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS && \
     rm -rf /build/*
 
 # Build libssp
 COPY build-libssp.sh libssp-Makefile ./
-RUN ./build-libssp.sh $TOOLCHAIN_PREFIX && \
+RUN ./build-libssp.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS && \
     rm -rf /build/*
 
 ENV PATH=$TOOLCHAIN_PREFIX/bin:$PATH
diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -67,24 +67,26 @@ RUN ./install-wrappers.sh $TOOLCHAIN_PREFIX
 
 ARG DEFAULT_CRT=ucrt
 
+ARG CFGUARD_ARGS=--disable-cfguard
+
 # Build MinGW-w64
 COPY build-mingw-w64.sh ./
-RUN ./build-mingw-w64.sh $TOOLCHAIN_PREFIX --with-default-msvcrt=$DEFAULT_CRT
+RUN ./build-mingw-w64.sh $TOOLCHAIN_PREFIX --with-default-msvcrt=$DEFAULT_CRT $CFGUARD_ARGS
 
 COPY build-mingw-w64-tools.sh ./
 RUN ./build-mingw-w64-tools.sh $TOOLCHAIN_PREFIX
 
 # Build compiler-rt
 COPY build-compiler-rt.sh ./
-RUN ./build-compiler-rt.sh $TOOLCHAIN_PREFIX
+RUN ./build-compiler-rt.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS
 
 # Build libunwind/libcxxabi/libcxx
 COPY build-libcxx.sh ./
-RUN ./build-libcxx.sh $TOOLCHAIN_PREFIX
+RUN ./build-libcxx.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS
 
 # Build mingw-w64's extra libraries
 COPY build-mingw-w64-libraries.sh ./
-RUN ./build-mingw-w64-libraries.sh $TOOLCHAIN_PREFIX
+RUN ./build-mingw-w64-libraries.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS
 
 # Build C test applications
 ENV PATH=$TOOLCHAIN_PREFIX/bin:$PATH
@@ -152,7 +154,7 @@ RUN cd test && \
 
 # Build libssp
 COPY build-libssp.sh libssp-Makefile ./
-RUN ./build-libssp.sh $TOOLCHAIN_PREFIX
+RUN ./build-libssp.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS
 
 RUN cd test && \
     for arch in $TOOLCHAIN_ARCHS; do \
@@ -167,7 +169,7 @@ RUN cd test && \
 
 # Build OpenMP
 COPY build-openmp.sh ./
-RUN ./build-openmp.sh $TOOLCHAIN_PREFIX
+RUN ./build-openmp.sh $TOOLCHAIN_PREFIX $CFGUARD_ARGS
 
 # OpenMP on windows only supports x86.
 RUN cd test && \

diff --git a/build-all.sh b/build-all.sh
@@ -18,6 +18,7 @@ set -e
 
 LLVM_ARGS=""
 MINGW_ARGS=""
+CFGUARD_ARGS="--disable-cfguard"
 
 while [ $# -gt 0 ]; do
     case "$1" in
@@ -47,6 +48,12 @@ while [ $# -gt 0 ]; do
     --with-default-win32-winnt=*)
         MINGW_ARGS="$MINGW_ARGS $1"
         ;;
+    --enable-cfguard)
+        CFGUARD_ARGS="--enable-cfguard"
+        ;;
+    --disable-cfguard)
+        CFGUARD_ARGS="--disable-cfguard"
+        ;;
     *)
         if [ -n "$PREFIX" ]; then
             echo Unrecognized parameter $1
@@ -58,7 +65,7 @@ while [ $# -gt 0 ]; do
     shift
 done
 if [ -z "$PREFIX" ]; then
-    echo $0 [--enable-asserts] [--disable-dylib] [--full-llvm] [--with-python] [--symlink-projects] [--disable-lldb] [--disable-lldb-mi] [--disable-clang-tools-extra] [--host=triple] [--with-default-win32-winnt=0x601] [--with-default-msvcrt=ucrt] dest
+    echo "$0 [--enable-asserts] [--disable-dylib] [--full-llvm] [--with-python] [--symlink-projects] [--disable-lldb] [--disable-lldb-mi] [--disable-clang-tools-extra] [--host=triple] [--with-default-win32-winnt=0x601] [--with-default-msvcrt=ucrt] [--enable-cfguard|--disable-cfguard] dest"
     exit 1
 fi
 
@@ -77,11 +84,11 @@ if [ -z "$FULL_LLVM" ]; then
     ./strip-llvm.sh $PREFIX
 fi
 ./install-wrappers.sh $PREFIX
-./build-mingw-w64.sh $PREFIX $MINGW_ARGS
+./build-mingw-w64.sh $PREFIX $MINGW_ARGS $CFGUARD_ARGS
 ./build-mingw-w64-tools.sh $PREFIX
-./build-compiler-rt.sh $PREFIX
-./build-libcxx.sh $PREFIX
-./build-mingw-w64-libraries.sh $PREFIX
+./build-compiler-rt.sh $PREFIX $CFGUARD_ARGS
+./build-libcxx.sh $PREFIX $CFGUARD_ARGS
+./build-mingw-w64-libraries.sh $PREFIX $CFGUARD_ARGS
 ./build-compiler-rt.sh $PREFIX --build-sanitizers
-./build-libssp.sh $PREFIX
-./build-openmp.sh $PREFIX
+./build-libssp.sh $PREFIX $CFGUARD_ARGS
+./build-openmp.sh $PREFIX $CFGUARD_ARGS
diff --git a/build-compiler-rt.sh b/build-compiler-rt.sh
@@ -18,21 +18,34 @@ set -e
 
 SRC_DIR=../lib/builtins
 BUILD_SUFFIX=
+BUILD_BUILTINS=TRUE
+ENABLE_CFGUARD=
+CFGUARD_CFLAGS=
 
 while [ $# -gt 0 ]; do
     if [ "$1" = "--build-sanitizers" ]; then
         SRC_DIR=..
         BUILD_SUFFIX=-sanitizers
         SANITIZERS=1
+        BUILD_BUILTINS=FALSE
+    elif [ "$1" = "--enable-cfguard" ]; then
+        CFGUARD_CFLAGS="-mguard=cf"
+        ENABLE_CFGUARD=1
+    elif [ "$1" = "--disable-cfguard" ]; then
+        CFGUARD_CFLAGS=
+        ENABLE_CFGUARD=
     else
         PREFIX="$1"
     fi
     shift
 done
 if [ -z "$PREFIX" ]; then
-    echo $0 [--build-sanitizers] dest
+    echo "$0 [--build-sanitizers] [--enable-cfguard|--disable-cfguard] dest"
     exit 1
 fi
+if [ -n "$SANITIZERS" ] && [ -n "$ENABLE_CFGUARD" ]; then
+    echo "warning: Sanitizers may not work correctly with Control Flow Guard enabled." 1>&2
+fi
 
 mkdir -p "$PREFIX"
 PREFIX="$(cd "$PREFIX" && pwd)"
@@ -95,8 +108,11 @@ for arch in $ARCHS; do
         -DCMAKE_C_COMPILER_TARGET=$arch-windows-gnu \
         -DCOMPILER_RT_DEFAULT_TARGET_ONLY=TRUE \
         -DCOMPILER_RT_USE_BUILTINS_LIBRARY=TRUE \
+        -DCOMPILER_RT_BUILD_BUILTINS=$BUILD_BUILTINS \
         -DLLVM_CONFIG_PATH="" \
         -DSANITIZER_CXX_ABI=libc++ \
+        -DCMAKE_C_FLAGS_INIT="$CFGUARD_CFLAGS" \
+        -DCMAKE_CXX_FLAGS_INIT="$CFGUARD_CFLAGS" \
         $SRC_DIR
     $BUILDCMD ${CORES+-j$CORES}
     $BUILDCMD install

diff --git a/build-libcxx.sh b/build-libcxx.sh
@@ -18,6 +18,7 @@ set -e
 
 BUILD_STATIC=ON
 BUILD_SHARED=ON
+CFGUARD_CFLAGS=
 
 while [ $# -gt 0 ]; do
     if [ "$1" = "--disable-shared" ]; then
@@ -28,13 +29,17 @@ while [ $# -gt 0 ]; do
         BUILD_STATIC=OFF
     elif [ "$1" = "--enable-static" ]; then
         BUILD_STATIC=ON
+    elif [ "$1" = "--enable-cfguard" ]; then
+        CFGUARD_CFLAGS="-mguard=cf"
+    elif [ "$1" = "--disable-cfguard" ]; then
+        CFGUARD_CFLAGS=
     else
         PREFIX="$1"
     fi
     shift
 done
 if [ -z "$PREFIX" ]; then
-    echo $0 [--disable-shared] [--disable-static] dest
+    echo "$0 [--disable-shared] [--disable-static] [--enable-cfguard|--disable-cfguard] dest"
     exit 1
 fi
 
@@ -107,6 +112,8 @@ for arch in $ARCHS; do
         -DLIBCXXABI_USE_LLVM_UNWINDER=ON \
         -DLIBCXXABI_ENABLE_SHARED=OFF \
         -DLIBCXXABI_LIBDIR_SUFFIX="" \
+        -DCMAKE_C_FLAGS_INIT="$CFGUARD_CFLAGS" \
+        -DCMAKE_CXX_FLAGS_INIT="$CFGUARD_CFLAGS" \
         ..
 
     $BUILDCMD ${CORES+-j$CORES}

diff --git a/build-libssp.sh b/build-libssp.sh
@@ -16,8 +16,24 @@
 
 set -e
 
-if [ $# -lt 1 ]; then
-    echo $0 dest
+CFGUARD_CFLAGS=
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+    --enable-cfguard)
+        CFGUARD_CFLAGS="-mguard=cf"
+        ;;
+    --disable-cfguard)
+        CFGUARD_CFLAGS=
+        ;;
+    *)
+        PREFIX="$1"
+        ;;
+    esac
+    shift
+done
+if [ -z "$PREFIX" ]; then
+    echo "$0 [--enable-cfguard|--disable-cfguard] dest"
     exit 1
 fi
 
@@ -26,7 +42,6 @@ if command -v gmake >/dev/null; then
     MAKE=gmake
 fi
 
-PREFIX="$1"
 mkdir -p "$PREFIX"
 PREFIX="$(cd "$PREFIX" && pwd)"
 export PATH="$PREFIX/bin:$PATH"
@@ -80,7 +95,7 @@ for arch in $ARCHS; do
     [ -z "$CLEAN" ] || rm -rf build-$arch
     mkdir -p build-$arch
     cd build-$arch
-    $MAKE -f ../Makefile -j$CORES CROSS=$arch-w64-mingw32-
+    $MAKE -f ../Makefile -j$CORES CROSS=$arch-w64-mingw32- CFGUARD_CFLAGS="$CFGUARD_CFLAGS"
     mkdir -p "$PREFIX/$arch-w64-mingw32/bin"
     cp libssp.a "$PREFIX/$arch-w64-mingw32/lib"
     cp libssp_nonshared.a "$PREFIX/$arch-w64-mingw32/lib"

diff --git a/build-mingw-w64-libraries.sh b/build-mingw-w64-libraries.sh
@@ -16,11 +16,26 @@
 
 set -e
 
-if [ $# -lt 1 ]; then
-    echo $0 dest
+USE_CFLAGS="-g -O2"
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+    --enable-cfguard)
+        USE_CFLAGS="-g -O2 -mguard=cf"
+        ;;
+    --disable-cfguard)
+        USE_CFLAGS="-g -O2"
+        ;;
+    *)
+        PREFIX="$1"
+        ;;
+    esac
+    shift
+done
+if [ -z "$PREFIX" ]; then
+    echo "$0 [--enable-cfguard|--disable-cfguard] dest"
     exit 1
 fi
-PREFIX="$1"
 mkdir -p "$PREFIX"
 PREFIX="$(cd "$PREFIX" && pwd)"
 export PATH="$PREFIX/bin:$PATH"
@@ -43,7 +58,9 @@ for lib in winpthreads winstorecompat; do
         mkdir -p build-$arch
         cd build-$arch
         arch_prefix="$PREFIX/$arch-w64-mingw32"
-        ../configure --host=$arch-w64-mingw32 --prefix="$arch_prefix" --libdir="$arch_prefix/lib"
+        ../configure --host=$arch-w64-mingw32 --prefix="$arch_prefix" --libdir="$arch_prefix/lib" \
+            CFLAGS="$USE_CFLAGS" \
+            CXXFLAGS="$USE_CFLAGS"
         make -j$CORES
         make install
         cd ..

diff --git a/build-mingw-w64.sh b/build-mingw-w64.sh
@@ -20,6 +20,8 @@ set -e
 : ${DEFAULT_MSVCRT:=ucrt}
 : ${MINGW_W64_VERSION:=d4a0c84d908243a45255a06dc293d3d7c06db98c}
 
+CFGUARD_FLAGS=
+
 while [ $# -gt 0 ]; do
     case "$1" in
     --skip-include-triplet-prefix)
@@ -31,6 +33,12 @@ while [ $# -gt 0 ]; do
     --with-default-msvcrt=*)
         DEFAULT_MSVCRT="${1#*=}"
         ;;
+    --enable-cfguard)
+        CFGUARD_FLAGS="--enable-cfguard"
+        ;;
+    --disable-cfguard)
+        CFGUARD_FLAGS=
+        ;;
     *)
         PREFIX="$1"
         ;;
@@ -39,7 +47,7 @@ while [ $# -gt 0 ]; do
 done
 if [ -z "$CHECKOUT_ONLY" ]; then
     if [ -z "$PREFIX" ]; then
-        echo $0 [--skip-include-triplet-prefix] [--with-default-win32-winnt=0x601] [--with-default-msvcrt=ucrt] dest
+        echo "$0 [--skip-include-triplet-prefix] [--with-default-win32-winnt=0x601] [--with-default-msvcrt=ucrt] [--enable-cfguard|--disable-cfguard] dest"
         exit 1
     fi
 
@@ -118,7 +126,7 @@ for arch in $ARCHS; do
         ;;
     esac
     FLAGS="$FLAGS --with-default-msvcrt=$DEFAULT_MSVCRT"
-    ../configure --host=$arch-w64-mingw32 --prefix="$PREFIX/$arch-w64-mingw32" $FLAGS
+    ../configure --host=$arch-w64-mingw32 --prefix="$PREFIX/$arch-w64-mingw32" $FLAGS $CFGUARD_FLAGS
     $MAKE -j$CORES
     $MAKE install
     cd ..