I think this call to ml.exe needs to have "-SAFESEH": 0:35.33 ml.exe -Fod:/build/msys/s/central/obj/asan/security/nss/lib/freebl/intel-aes-x86-masm.obj -nologo -Cp -Sn -Zi -coff -Id:/build/msys/s/central/obj/asan/dist/include/nspr -Id:/build/msys/s/central/obj/asan/dist/include/nspr -Id:/build/msys/s/central/obj/asan/dist/include/nss -Id:/build/msys/s/central/obj/asan/dist/private/nss -Impi -Iecl -c intel-aes-x86-masm.asm Presumably, MSVC builds do have -SAFESEH, or else we'd see the same linker failure there? But I haven't confirmed.

They don't, but the NSS build system also doesn't link with -SAFESEH. I hit this issue in bug 1295937 using gyp files + moz.build to build NSS instead of their build system, where our LDFLAGS do include -SAFESEH. Presumably this is just the clang-cl linker having a different default here? (Or clang-cl + ASan?)

Interesting. Plain (non-ASan) clang-cl builds are fine. I wonder if the fact that my ASan mozconfig contains... export LDFLAGS="clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib" ...somehow messes up the LDFLAGS defaults or propagation or something?

It sounds like the linker in the clang-cl build is getting passed -SAFESEH...or maybe the ASan libraries are compiled -SAFESEH and the linker complains about the mismatch? Which of those is the case?

The former: 10:52.08 C:/PROGRA~2/MICROS~1.0/VC/bin/AMD64_~2/link.exe -nologo -DLL -SUBSYSTEM:WINDOWS -DYNAMICBASE -OUT:d:/build/msys/s/central/obj/asan/security/nss/lib/freebl/freebl3.dll -DEBUG -OPT:REF -DEF:d:/build/msys/s/central/obj/asan/security/nss/lib/freebl/freebl.def clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib -LARGEADDRESSAWARE -NXCOMPAT -DYNAMICBASE -SAFESEH -MAP d:\\build\\msys\\s\\central\\obj\\asan\\security\\nss\\lib\\freebl\\freeblver.obj [etc]

Interesting. Is that coming from your mozconfig? The NSS build system doesn't pass that anywhere: https://dxr.mozilla.org/mozilla-central/search?q=safeseh+path%3Asecurity%2Fnss&redirect=true and we don't pass it in the Makefile that drives the NSS build system: https://dxr.mozilla.org/mozilla-central/source/config/external/nss/Makefile.in

Nope, there's no mention of SAFESEH in my mozconfig. My suspicion is that defining LDFLAGS at all in my mozconfig, somehow forces the top-level LDFLAGS to get used in NSS?

I am now hitting this. I tried some silly things (e.g. adding SAFESEH, SAFESEH:NO to my mozconfig, I tried removing the LDFLAGS entry, adding SAFESEH to the make file for fleebl) none of these worked.

FWIW, I got past this locally by pasting the failed link command into my command line and adding -SAFESEH. (I fully admit that this is a horrible hack and we'll need to fix it in a better way, but for the time being I just want to get unblocked)

In case it helps, here's my mozconfig. I don't get this error if I simply remove --enable-address-sanitizer and leave the rest intact. mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj/asan ac_add_options --enable-address-sanitizer ac_add_options --disable-jemalloc export CC=clang-cl export CXX=clang-cl export LDFLAGS="clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib" export LIB="$LIB;D:\\tools\\llvm-active\\lib\\clang\\4.0.0\\lib\\windows" export HOST_CFLAGS=" " export HOST_CXXFLAGS=" " export HOST_LDFLAGS=" "

-SAFESEH is added at https://dxr.mozilla.org/mozilla-central/rev/3b80868f7a8fe0361918a814fbbbfb9308ae0c0a/old-configure.in#1219 It is applied because --enable-address-sanitizer defines MOZ_ASAN, and https://dxr.mozilla.org/mozilla-central/rev/3b80868f7a8fe0361918a814fbbbfb9308ae0c0a/config/external/nss/Makefile.in#254 adds it to XLDFLAGS which is later used for linking the dll: https://dxr.mozilla.org/mozilla-central/rev/3b80868f7a8fe0361918a814fbbbfb9308ae0c0a/security/nss/coreconf/rules.mk#304

I am not sure if there's anything different for landing a patch to nss, but I guess I just need to land it in both m-c and projects/nss.

Ted, is this patch the right approach in light of your comment 1?

Comment on attachment 8807460 [details] Bug 1307933 - Add asflag /safeseh to avoid linking error when /SAFESEH is passed to the linker. https://reviewboard.mozilla.org/r/90602/#review93502 It certainly won't hurt anything, we'll just stop using these Makefiles as soon as I get my other patches landed.

We don't need this patch if we're going to replace the Makefiles, just make sure bug 1295937 will fix it.

Landed in NSS. https://hg.mozilla.org/projects/nss/rev/ac9fa421aa74a165d214fdb1d29f0bc5bd799cdb

I've confirmed that bug 1295937 fixes it.