RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds - was : RE: gcc FORTIFY_SOURCE application security flags

Erik Joelsson erik.joelsson at oracle.com
Fri May 10 14:28:57 UTC 2019


Hello Matthias,

I think just -U_FORTIFY_SOURCE should be enough to unset it, no need to 
also set it to 0. Also, I think it would be good to use an extra set of 
variables to avoid repeating the flag, like this:

ENABLE_FORTIFY_CFLAGS="-D_FORTIFY_SOURCE=2"
DISABLE_FORTIFY_CFLAGS="-U_FORTIFY_SOURCE"
C_O_FLAG_HIGHEST_JVM="${C_O_FLAG_HIGHEST_JVM} ${ENABLE_FORTIFY_CFLAGS}"
...

/Erik

On 2019-05-09 22:46, Baesken, Matthias wrote:
> Hello, here is the new webrev with the
>
> "-U_FORTIFY_SOURCE  -D_FORTIFY_SOURCE=0"
>
> set for the lower level optimization flags:
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8130017.1/
>
>
> I would suggest to leave the pre-gcc4.8 cleanup to a separate change.
>
> Best regards, Matthias
>
>
>
>> Configure will protest if GCC version is less than 4.8 (see toolchain.m4
>> *_MINIMUM_VERSION variables).
>>
>> That said, as long as we conditionally set the FDLIBM_CFLAGS like this,
>> I would say we need to continue honoring the result of that check. You
>> could also remove the check altogether since it seems to no longer be
>> needed.
>>
>> /Erik
>>
>> On 2019-05-09 07:14, Baesken, Matthias wrote:
>>> Hello,
>>> I tried setting
>>>
>>> "-U_FORTIFY_SOURCE  -D_FORTIFY_SOURCE=0"
>>>
>>> And this seems indeed to work, no warning any more.
>>>
>>> Let's hope gcc does not change the command line parsing.
>>>
>>> Btw. is there a gcc version that a) still compiles jdk/jdk and b) would
>>> show the issue?
>>> (with our internally used gcc's we are always > 4.6 in jdk/jdk)
>>>
>>> Best regards, Matthias
>>>
>>>
>>>> -----Original Message-----
>>>> From: Erik Joelsson <erik.joelsson at oracle.com>
>>>> Sent: Thursday, 9 May 2019 15:18
>>>> To: Baesken, Matthias <matthias.baesken at sap.com>; David Holmes
>>>> <david.holmes at oracle.com>; 'build-dev at openjdk.java.net'
>>>> <build-dev at openjdk.java.net>
>>>> Subject: Re: RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds -
>>>> was : RE: gcc FORTIFY_SOURCE application security flags
>>>>
>>>> Hello,
>>>>
>>>> I just tried this and you are correct. However, it does seem to work if
>>>> you instead use -U_FORTIFY_SOURCE.
>>>>
>>>> /Erik
>>>>
>>>> On 2019-05-09 05:36, Baesken, Matthias wrote:
>>>>> Hi Erik, while setting -O<x> and -O<y> (with x != y) in one gcc/g++
>>>>> command line call works,
>>>>> setting together -D_FORTIFY_SOURCE=2 and -D_FORTIFY_SOURCE=0
>>>>> in one command line call generates a warning, so I think we cannot do
>>>>> that.
>>>>> Best regards, Matthias
>>>>>
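
Added example, not part of the thread or of the JDK build: a small shell check that models the left-to-right -D/-U handling described in the messages above and reports the final _FORTIFY_SOURCE state of a flag sequence, plus whether it hits the redefinition case that draws the warning. The function name `fortify_state` and the `SAMPLE_*` values are assumptions made for illustration.

```shell
#!/bin/sh
# Model of how gcc treats _FORTIFY_SOURCE on one command line: -D/-U are
# applied left to right; a -D over an existing, different definition is the
# case that draws the "redefined" warning discussed in the thread.
# Prints "<value|unset> <clean|redefined>". Only plain -D/-U spellings are
# handled (assumption); compiler or distro built-in defaults are not modelled.
fortify_state() (
    value=unset
    status=clean
    for flag in "$@"; do
        case "$flag" in
            -U_FORTIFY_SOURCE)
                value=unset ;;
            -D_FORTIFY_SOURCE|-D_FORTIFY_SOURCE=*)
                case "$flag" in
                    *=*) new=${flag#*=} ;;
                    *)   new=1 ;;          # bare -DNAME defines NAME as 1
                esac
                if [ "$value" != unset ] && [ "$value" != "$new" ]; then
                    status=redefined
                fi
                value=$new ;;
        esac
    done
    printf '%s %s\n' "$value" "$status"
)

# Variables as proposed in the mail above.
ENABLE_FORTIFY_CFLAGS="-D_FORTIFY_SOURCE=2"
DISABLE_FORTIFY_CFLAGS="-U_FORTIFY_SOURCE"

# Constructed sample values; the real optimization flags live in the JDK
# build files and are not reproduced here.
SAMPLE_HIGHEST="-O3 ${ENABLE_FORTIFY_CFLAGS}"
SAMPLE_NONE="-O0 ${DISABLE_FORTIFY_CFLAGS}"

# A later low-optimization flag set overriding an earlier high one
# (word splitting of the unquoted variables is intentional).
fortify_state $SAMPLE_HIGHEST $SAMPLE_NONE
fortify_state $SAMPLE_HIGHEST -D_FORTIFY_SOURCE=0
fortify_state $SAMPLE_HIGHEST -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0
```

A build script can run such a check over its assembled CFLAGS to confirm that a debug or low-optimization configuration really ends up with the macro unset rather than silently inheriting an earlier definition.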


