[PATCH] Implement Control Flow Integrity for virtual calls.

Kostya Serebryany kcc at google.com
Thu Feb 5 17:29:18 PST 2015


So, you've decided to implement this in clang, as opposed to llvm.
My concern with this is that if devirtualization (either partial or full) happens later in llvm
the checks will remain. Or even worse, the checks may potentially inhibit devirtualization and we will never know.

Your concern that it might be hard to carry the dynamic type information through the LLVM passes is valid.
However I think that we can achieve that with reasonable effort:

- a simple approach is to use metadata attached to the call site and some way to ensure that the metadata is preserved (e.g. a special calling convention that requires the metadata to be present).
- or an extra call parameter that will be removed in a clean-up pass

We had a lengthy off-line conversation with Peter and did not reach any conclusion, 
so maybe someone else has thoughts....
Meanwhile, Peter, please write several tests where partial and complete devirtualization may happen
and see how this interoperates with the CFI checks.
Note that LLVM today does not have devirtualization (other than a very simple full one),
so we should be careful not to create problems for ourselves in future.


================
Comment at: docs/ControlFlowIntegrity.rst:5
@@ +4,3 @@
+
+Clang includes an implementation of a number of control flow integrity (CFI)
+schemes, which are designed to abort the program upon detecting certain forms
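Review bot: the opening sentence presents "a number of control flow integrity (CFI) schemes" as if they already ship, while the patch title names one scheme, for virtual calls; state at the top that the feature is under development and list which scheme this patch actually implements, so readers do not expect checks that are not there yet. It would also help to say, next to "abort the program upon detecting certain forms", what property the virtual-call scheme enforces at a call site, so that the behaviour is documented together with the caveat.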
----------------
Mention that this is under development.

http://reviews.llvm.org/D7424
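The tests requested above, as an added example that is not part of the patch or of this message: C++ call sites in the shapes where complete devirtualization, partial (speculative) devirtualization, a final-class shortcut, and no devirtualization at all are possible. The class and function names are made up for illustration, and nothing here depends on a particular clang flag; the point is which sites an optimizer could turn into direct calls, and therefore where a frontend-emitted CFI check would either be left behind or get in the optimizer's way.

```cpp
// Added example: call-site shapes for tests of how CFI virtual-call checks
// interact with devirtualization. Not taken from the patch under review.
struct Shape {
    virtual ~Shape() {}
    virtual int sides() const = 0;
};

struct Triangle : Shape {
    int sides() const override { return 3; }
};

struct Square final : Shape {
    int sides() const override { return 4; }
};

// Complete devirtualization: the dynamic type is the static type of a local
// object, so the call needs no vtable load at all. A frontend-emitted CFI
// check here would be dead weight, or might keep the optimizer from
// proving the call direct.
int local_object() {
    Triangle t;
    Shape &s = t;
    return s.sides();
}

// Partial (speculative) devirtualization: only two candidate dynamic types
// reach the call. An optimizer could compare the vptr against the known
// vtables and emit direct calls, with the indirect call left as a fallback.
// Tests should show whether the CFI check survives in that fallback only.
int two_candidates(bool pick_triangle) {
    Triangle t;
    Square q;
    const Shape *s = pick_triangle ? static_cast<const Shape *>(&t) : &q;
    return s->sides();
}

// Final class: devirtualizable from the static type alone, even though the
// object is created elsewhere.
int through_final_pointer(const Square *q) {
    return q->sides();
}

// No devirtualization possible inside this function: the dynamic type is
// unknown, so the indirect call, and the CFI check guarding its vptr, must
// remain. This is the site the check exists for.
int opaque_base(const Shape &s) {
    return s.sides();
}

// Argument-free wrappers so each case can be checked by return value.
int final_pointer_case() { Square q; return through_final_pointer(&q); }
int opaque_case() { Triangle t; return opaque_base(t); }
```

Each function returns the side count of the object it dispatches on, so the same source can be compiled once with the checks enabled and once without, and the generated IR for each function compared to see whether the check is still there after optimization and whether the direct call was still recovered.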
