From a210b80e2a94b70bcac3aa6bcab2db598bd84879 Mon Sep 17 00:00:00 2001 From: Ross Brunton Date: Fri, 18 Oct 2024 14:14:24 +0100 Subject: [PATCH] Enable -flto and -fsanitize=cfi in clang --- .github/workflows/build-hw-reusable.yml | 3 +++ cmake/helpers.cmake | 19 +++++++++++++------ .../enqueue/enqueue_adapter_opencl.match | 3 +++ .../exp_command_buffer_adapter_cuda.match | 11 +++++++++++ .../exp_command_buffer_adapter_hip.match | 10 ++++++++++ test/fuzz/CMakeLists.txt | 4 +++- 6 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 test/conformance/enqueue/enqueue_adapter_opencl.match create mode 100644 test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match create mode 100644 test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match diff --git a/.github/workflows/build-hw-reusable.yml b/.github/workflows/build-hw-reusable.yml index 3e332c73fc..f29b4120c8 100644 --- a/.github/workflows/build-hw-reusable.yml +++ b/.github/workflows/build-hw-reusable.yml @@ -82,6 +82,8 @@ jobs: tar -xvf ${{github.workspace}}/dpcpp_compiler.tar.gz -C dpcpp_compiler - name: Configure CMake + # CFI sanitization seems to fail on our CUDA nodes + # https://github.com/oneapi-src/unified-runtime/issues/2309 run: > cmake -B${{github.workspace}}/build @@ -94,6 +96,7 @@ jobs: -DUR_BUILD_ADAPTER_${{matrix.adapter.name}}=ON -DUR_CONFORMANCE_TEST_LOADER=${{ matrix.adapter.other_name != '' && 'ON' || 'OFF' }} ${{ matrix.adapter.other_name != '' && format('-DUR_BUILD_ADAPTER_{0}=ON', matrix.adapter.other_name) || '' }} + ${{ matrix.adapter.name == 'CUDA' && '-DCXX_HAS_CFI_SANITIZE=OFF' || '' }} -DUR_STATIC_LOADER=${{matrix.adapter.static_Loader}} -DUR_STATIC_ADAPTER_${{matrix.adapter.name}}=${{matrix.adapter.static_adapter}} -DUR_DPCXX=${{github.workspace}}/dpcpp_compiler/bin/clang++ diff --git a/cmake/helpers.cmake b/cmake/helpers.cmake index a6e3a344a4..77ac2b42b3 100644 --- a/cmake/helpers.cmake +++ b/cmake/helpers.cmake @@ -63,6 +63,11 @@ if(CMAKE_SYSTEM_NAME STREQUAL Linux) check_cxx_compiler_flag("-fstack-clash-protection" CXX_HAS_FSTACK_CLASH_PROTECTION) endif() +set(SAVED_CMAKE_REQUIRED_FLAGS ${CMAKE_REQUIRED_FLAGS}) +set(CMAKE_REQUIRED_FLAGS "-flto -fvisibility=hidden") +check_cxx_compiler_flag("-fsanitize=cfi" CXX_HAS_CFI_SANITIZE) +set(CMAKE_REQUIRED_FLAGS ${SAVED_CMAKE_REQUIRED_FLAGS}) + function(add_ur_target_compile_options name) if(NOT MSVC) target_compile_definitions(${name} PRIVATE -D_FORTIFY_SOURCE=2) @@ -78,11 +83,10 @@ function(add_ur_target_compile_options name) # Hardening options -fPIC -fstack-protector-strong - -fvisibility=hidden # Required for -fsanitize=cfi - # -fsanitize=cfi requires -flto, which breaks a lot of things - # See: https://github.com/oneapi-src/unified-runtime/issues/2120 - # -flto - # $<$:-fsanitize=cfi> + -fvisibility=hidden + # cfi-icall requires called functions in shared libraries to also be built with cfi-icall, which we can't + # guarantee. -fsanitize=cfi depends on -flto + $<$:-flto -fsanitize=cfi -fno-sanitize=cfi-icall> $<$:-fcf-protection=full> $<$:-fstack-clash-protection> @@ -119,7 +123,10 @@ endfunction() function(add_ur_target_link_options name) if(NOT MSVC) if (NOT APPLE) - target_link_options(${name} PRIVATE "LINKER:-z,relro,-z,now,-z,noexecstack") + target_link_options(${name} PRIVATE + $<$:-flto -fsanitize=cfi -fno-sanitize=cfi-icall> + "LINKER:-z,relro,-z,now,-z,noexecstack" + ) if (UR_DEVELOPER_MODE) target_link_options(${name} PRIVATE -Werror -Wextra) endif() diff --git a/test/conformance/enqueue/enqueue_adapter_opencl.match b/test/conformance/enqueue/enqueue_adapter_opencl.match new file mode 100644 index 0000000000..7f0e36cd6c --- /dev/null +++ b/test/conformance/enqueue/enqueue_adapter_opencl.match @@ -0,0 +1,3 @@ +# Note: This file is only for use with cts_exe.py +# Fails when -fsanitize=cfi +{{OPT}}urEnqueueEventsWaitMultiDeviceMTTest.EnqueueWaitOnAllQueues/MultiThread diff --git a/test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match new file mode 100644 index 0000000000..40182b9125 --- /dev/null +++ b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_cuda.match @@ -0,0 +1,11 @@ +# Note: This file is only for use with cts_exe.py +# These cause SIGILL when built with -fsanitize=cfi on Nvidia +{{OPT}}urCommandBufferKernelHandleUpdateTest.Success/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.UpdateAgain/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.RestoreOriginalKernel/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.KernelAlternativeNotRegistered/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.RegisterInvalidKernelAlternative/* +{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateDimensionsWithoutUpdatingKernel/* +{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateOnlyLocalWorkSize/* +{{OPT}}urCommandBufferValidUpdateParametersTest.SuccessNullptrHandle/* +{{OPT}}KernelCommandEventSyncUpdateTest.TwoWaitEvents/* diff --git a/test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match new file mode 100644 index 0000000000..da8d6dee07 --- /dev/null +++ b/test/conformance/exp_command_buffer/exp_command_buffer_adapter_hip.match @@ -0,0 +1,10 @@ +# Note: This file is only for use with cts_exe.py +# These cause SIGILL when built with -fsanitize=cfi on AMD +{{OPT}}urCommandBufferKernelHandleUpdateTest.Success/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.UpdateAgain/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.RestoreOriginalKernel/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.KernelAlternativeNotRegistered/* +{{OPT}}urCommandBufferKernelHandleUpdateTest.RegisterInvalidKernelAlternative/* +{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateDimensionsWithoutUpdatingKernel/* +{{OPT}}urCommandBufferValidUpdateParametersTest.UpdateOnlyLocalWorkSize/* +{{OPT}}urCommandBufferValidUpdateParametersTest.SuccessNullptrHandle/* diff --git a/test/fuzz/CMakeLists.txt b/test/fuzz/CMakeLists.txt index b48a6a1d44..e2a62a216d 100644 --- a/test/fuzz/CMakeLists.txt +++ b/test/fuzz/CMakeLists.txt @@ -51,7 +51,9 @@ target_link_libraries(fuzztest-base ${PROJECT_NAME}::headers ${PROJECT_NAME}::common -fsanitize=fuzzer) -target_compile_options(fuzztest-base PRIVATE -g -fsanitize=fuzzer) +# When built with -g and -flto (which is required by some hardening flags), this causes a segfault in (upstream) +# LLVM 14-15 while linking when CMAKE_BUILD_TYPE is Release +target_compile_options(fuzztest-base PRIVATE -fsanitize=fuzzer) target_compile_definitions(fuzztest-base PRIVATE -DKERNEL_IL_PATH="${UR_CONFORMANCE_DEVICE_BINARIES_DIR}/fill/spir64.bin.0") target_include_directories(fuzztest-base PRIVATE ${UR_CONFORMANCE_DEVICE_BINARIES_DIR}) add_dependencies(fuzztest-base generate_device_binaries)