RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds - was : RE: gcc FORTIFY_SOURCE application security flags
sgehwolf at redhat.com
sgehwolf at redhat.com
Wed May 8 17:10:01 UTC 2019
Hi Matthias,
For some background about the -O2 -ffp-contract=off flags for
sharedRuntimeTrig.cpp and sharedRuntimeTrans.cpp see:
https://bugs.openjdk.java.net/browse/JDK-8210425
My understanding is that if there is a per-file override of the
optimization level, the compilation command will end up containing both
-O3 and a later, possible override, via the per-file settings. The -O3
flag originates from it being a release/fastdebug build.
Thanks,
Severin
On Wed, 2019-05-08 at 13:27 +0000, Baesken, Matthias wrote:
> Hello, I looked a bit more into it .
> It seems to me , that when -ffp-contract=off is
> available which is the case with current gcc versions , we want to
> optimize the 2 special files ( sharedRuntimeTrig.cpp /
> sharedRuntimeTrans.cpp ).
> see the following comments :
>
> jdk/make/hotspot/lib/JvmOverrideFiles.gmk
>
> 47# If the FDLIBM_CFLAGS variable is non-empty we know
> 48# that the fdlibm-fork in hotspot can get optimized
> 49# by using -ffp-contract=off on GCC/Clang platforms.
> ......
> 58 BUILD_LIBJVM_sharedRuntimeTrig.cpp_CXXFLAGS := -DNO_PCH
> $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
> 59 BUILD_LIBJVM_sharedRuntimeTrans.cpp_CXXFLAGS := -DNO_PCH
> $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
> 60
>
> But still, setting both -O3 and -O2 in one compile call looks not
> nice to me .
>
> In case of ancient gcc ***without*** -ffp-contract=off , we
> might still run into issues for these 2 special files when
> _FORTIFY_SOURCE is set .
> Don't know if this is still relevant .
> In case we want to be on the very safe side , we
> might need to filter out -D_FORTIFY_SOURCE=2 for these 2
> compilation units .
>
>
> Best regards, Matthias
>
>
>
> > Hi David, thanks for the comment .
> >
> > Currently I do not see the issue in our fastdebug builds .
> > So I think the opt-flag filtering got changed/removed in the
> > years after the
> > issues were reported .
> >
> >
> > https://bugs.openjdk.java.net/browse/JDK-8047952
> >
> > mentions special O-level settings for sharedRuntimeTrig.cpp and
> > sharedRuntimeTrans.cpp .
> >
> > But the files have optimization set in both fastdebug
> > and opt builds :
> >
> > Linux x86_64 gcc-7 based builds :
> >
> > fastdebug build (with the added -D_FORTIFY_SOURCE=2 flag) :
> >
> > -Werror -O3 -D_FORTIFY_SOURCE=2 -DNO_PCH -ffp-contract=off -O2 -
> > D_FORTIFY_SOURCE=2
> >
> >
> > Opt build (without -D_FORTIFY_SOURCE=... ) :
> >
> > -O3 -DNO_PCH -ffp-contract=off -O2 ....
> >
> >
> > (btw. the setting of both -O3 AND -O2 looks strange to me ,
> > but that’s
> > unrelated to my change ; I noticed that already in OpenJDK 11 ).
> >
> >
> > Best regards, Matthias
> >
> >
> >
> >
> > > Hi Matthias,
> > >
> > > On 8/05/2019 6:05 pm, Baesken, Matthias wrote:
> > > > Hello, here is a webrev, I used the existing bug
> > > > "JDK-8130017 : use _FORTIFY_SOURCE in gcc fastdebug builds"
> > > >
> > > > Hope that’s fine .
> > >
> > > That is fine, but please add a comment to the bug explaining
> > > exactly how
> > > you fixed the issue and how the issues raised in the bug
> > > description
> > > regarding optimisation levels have been addressed.
> > >
> > > Not a review - I'll leave that to build team. The proof of this
> > > will be
> > > in the building and testing.
> > >
> > > Thanks,
> > > David
> > >
> > > > https://bugs.openjdk.java.net/browse/JDK-8130017
> > > >
> > > > http://cr.openjdk.java.net/~mbaesken/webrevs/8130017.0/
> > > >
> > > >
> > > > Our internal OpenJDK Linux (x86_64, ppc64, ppc64le ,
> > > > s390x) fastdebug
> > > builds are fine with the added flag .
> > > >
More information about the build-dev
mailing list