fix: LNK4291 on Native AOT WinExe with Control Flow Guard

[jamescrosswell]

Fixes #4801

Problem

Publishing a Native AOT WinExe with <ControlFlowGuard>Guard</ControlFlowGuard> emits LNK4291 for every sentry-native.lib translation unit that contains __try/__except:

sentry-native.lib(sentry_core.obj) : warning LNK4291: module may contain '__except' (Structured Exception
Handling) but was not compiled with /guard:ehcont; generating conservative metadata
...

The prebuilt sentry-native.lib we ship is compiled without /guard:cf / /guard:ehcont, so its objects carry no EH-continuation (CFG) metadata. When a consumer links it into a CFG-enabled image, the linker can't find per-function records and falls back to conservative metadata, warning once per object. Upstream sentry-native only applies /guard:cf to its sentry_example test target — never to the sentry static lib — so the shipped .lib has zero CFG metadata.

Fix

1. src/Sentry/Platforms/Native/windows-config.cmake — build the static lib with Control Flow Guard metadata:

   • /guard:cf on both x64 and arm64,
   • /guard:ehcont on x64 only (EH-continuation metadata — and LNK4291 itself — are x64 concepts; gating avoids a cl : D9002 on the arm64 leg).

2. .github/workflows/build.yml — add windows-config.cmake to the sentry-native cache keys. They were keyed only on build-sentry-native.ps1 + the submodule HEAD, so a flags-only change to the cmake file would otherwise restore a stale cached lib and the fix would silently not take effect in CI.

No submodule bump and no change to consumer-facing link flags — only the metadata baked into the .lib we ship.

Note to reviewers

Before/after, reproduced locally on Windows (MSVC 14.50, .NET 10):

1. Build the native lib: scripts/build-sentry-native.ps1 (run from a VS Developer prompt).
2. Create a minimal NAOT WinExe that links sentry-native.lib exactly as Sentry.Native.targets does (DirectPInvoke + NativeLibrary + /NODEFAULTLIB:MSVCRT + the dbghelp/winhttp/Gdi32/Synchronization libs), with:

   <OutputType>Exe</OutputType>
   <RuntimeIdentifier>win-x64</RuntimeIdentifier>
   <PublishAot>true</PublishAot>
   <ControlFlowGuard>Guard</ControlFlowGuard>

   …and a P/Invoke into a real export (e.g. sentry_options_new) so the SEH-bearing objects are pulled into the link.
3. dotnet publish -c Release -r win-x64.

	LNK4291 warnings
Before (lib without the flags)	21 (sentry_core.obj, sentry_os.obj, sentry_options.obj, …)
After (lib rebuilt with this PR)	0

The published .exe builds successfully in both cases; the only difference is the warnings. The rebuilt .lib grows ~12 KB, consistent with the added CFG/EHCONT tables, and CMakeCache.txt shows …/DNDEBUG /guard:cf /guard:ehcont.

Tip

Gist to make all of the above easier at #5298 (comment)

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.11%. Comparing base (83bbeb7) to head (09cbb9e).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5298      +/-   ##
==========================================
+ Coverage   74.09%   74.11%   +0.01%     
==========================================
  Files         508      508              
  Lines       18320    18353      +33     
  Branches     3584     3586       +2     
==========================================
+ Hits        13575    13603      +28     
- Misses       3872     3879       +7     
+ Partials      873      871       -2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jamescrosswell]

Minimal repro to verify the fix

For anyone who wants to reproduce the original LNK4291 wall and confirm this PR clears it, here's a self-contained repro:

Gist: https://gist.github.com/jamescrosswell/fe9bf0a748b24ab68f4b0541de9f8013

It contains a tiny WinExe (PublishAot=true, ControlFlowGuard=Guard) plus a PowerShell driver that:

1. packs Sentry locally from a checkout you point it at,
2. publishes the WinExe consuming that local nupkg,
3. greps the publish log for LNK4291 and prints a count.

Verifying

git clone https://gist.github.com/jamescrosswell/fe9bf0a748b24ab68f4b0541de9f8013 lnk4291-repro
cd lnk4291-repro

# Run against main — expect ~22 LNK4291 lines against sentry-native.lib obj files
git -C <sentry-dotnet> checkout main
Remove-Item -Recurse -Force <sentry-dotnet>/src/Sentry/Platforms/Native/sentry-native, <sentry-dotnet>/modules/sentry-native/build -ErrorAction SilentlyContinue
./repro.ps1 -SentryRepo <sentry-dotnet>

# Run against this branch — expect "LNK4291 warnings: 0  ✓"
git -C <sentry-dotnet> checkout fix/lnk4291-naot-cfg-ehcont
Remove-Item -Recurse -Force <sentry-dotnet>/src/Sentry/Platforms/Native/sentry-native, <sentry-dotnet>/modules/sentry-native/build -ErrorAction SilentlyContinue
./repro.ps1 -SentryRepo <sentry-dotnet>

Requires Windows + .NET 10 SDK + the toolchain build-sentry-native.ps1 expects (VS Build Tools / CMake).