RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds - was : RE: gcc FORTIFY_SOURCE application security flags
Erik Joelsson
erik.joelsson at oracle.com
Tue May 14 13:23:09 UTC 2019
Looks good, thanks!
/Erik
On 2019-05-14 03:16, Baesken, Matthias wrote:
> Hi Erik, here is the updated webrev:
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8130017.2/
>
>
> Best regards, Matthias
>
>
>> -----Original Message-----
>> From: Erik Joelsson <erik.joelsson at oracle.com>
>> Sent: Friday, 10 May 2019 16:29
>> To: Baesken, Matthias <matthias.baesken at sap.com>; David Holmes
>> <david.holmes at oracle.com>; 'build-dev at openjdk.java.net' <build-dev at openjdk.java.net>
>> Subject: Re: RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds -
>> was : RE: gcc FORTIFY_SOURCE application security flags
>>
>> Hello Matthias,
>>
>> I think just -U_FORTIFY_SOURCE should be enough to unset it, no need to
>> also set it to 0. Also, I think it would be good to use an extra set of
>> variables to avoid repeating the flag, like this:
>>
>> ENABLE_FORTIFY_CFLAGS="-D_FORTIFY_SOURCE=2"
>> DISABLE_FORTIFY_CFLAGS="-U_FORTIFY_SOURCE"
>> C_O_FLAG_HIGHEST_JVM="${C_O_FLAG_HIGHEST_JVM} ${ENABLE_FORTIFY_CFLAGS}"
>> ...
>>
>> /Erik
>>
>> On 2019-05-09 22:46, Baesken, Matthias wrote:
>>> Hello, here is the new webrev with the
>>>
>>> "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0"
>>>
>>> set for the lower-level optimization flags:
>>>
>>> http://cr.openjdk.java.net/~mbaesken/webrevs/8130017.1/
>>>
>>>
>>> I would suggest to leave the pre-gcc4.8 cleanup to a separate change.
>>>
>>> Best regards, Matthias
>>>
>>>
>>>
>>>> Configure will protest if GCC version is less than 4.8 (see toolchain.m4
>>>> *_MINIMUM_VERSION variables).
>>>>
>>>> That said, as long as we conditionally set the FDLIBM_CFLAGS like this,
>>>> I would say we need to continue honoring the result of that check. You
>>>> could also remove the check altogether since it seems to no longer be
>>>> needed.
>>>>
>>>> /Erik
>>>>
>>>> On 2019-05-09 07:14, Baesken, Matthias wrote:
>>>>> Hello,
>>>>> I tried setting
>>>>>
>>>>> "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0"
>>>>>
>>>>> And this seems indeed to work, no warning any more.
>>>>>
>>>>> Let's hope gcc does not change the command line parsing.
>>>>>
>>>>> Btw. is there a gcc version that a) still compiles jdk/jdk and b) would show the issue?
>>>>> (with our internally used gcc's we are always > 4.6 in jdk/jdk)
>>>>>
>>>>> Best regards, Matthias
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Erik Joelsson <erik.joelsson at oracle.com>
>>>>>> Sent: Thursday, 9 May 2019 15:18
>>>>>> To: Baesken, Matthias <matthias.baesken at sap.com>; David Holmes
>>>>>> <david.holmes at oracle.com>; 'build-dev at openjdk.java.net' <build-dev at openjdk.java.net>
>>>>>> Subject: Re: RFR: 8130017: use _FORTIFY_SOURCE in gcc fastdebug builds -
>>>>>> was : RE: gcc FORTIFY_SOURCE application security flags
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I just tried this and you are correct. However, it does seem to work if
>>>>>> you instead use -U_FORTIFY_SOURCE.
>>>>>>
>>>>>> /Erik
>>>>>>
>>>>>> On 2019-05-09 05:36, Baesken, Matthias wrote:
>>>>>>> Hi Erik, while setting -O<x> and -O<y> (with x != y) in one gcc/g++ command line call works,
>>>>>>> setting together -D_FORTIFY_SOURCE=2 and -D_FORTIFY_SOURCE=0 in one command line call generates a warning, so I think we cannot do that.
>>>>>>> Best regards, Matthias
>>>>>>>
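
The flag behaviour discussed in this thread can be checked directly against a compiler. The script below is an added example, not part of the thread or of the OpenJDK build; it assumes a gcc-compatible driver reachable as `cc` (override with `CC`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenJDK build system.
# Assumptions: $CC is a gcc-compatible driver; function names are hypothetical.
CC="${CC:-cc}"

# Variable names as suggested in the thread.
ENABLE_FORTIFY_CFLAGS="-D_FORTIFY_SOURCE=2"
DISABLE_FORTIFY_CFLAGS="-U_FORTIFY_SOURCE"

# Print the value _FORTIFY_SOURCE ends up with for the given flags,
# or "undefined". -dM -E dumps the macros left after all -D/-U options
# have been processed in command-line order.
fortify_value() {
  val=$($CC "$@" -dM -E -x c /dev/null 2>/dev/null |
        awk '$1 == "#define" && $2 == "_FORTIFY_SOURCE" { print $3 }')
  echo "${val:-undefined}"
}

# Count the "redefined" diagnostics the flag set triggers on stderr.
# grep -c prints 0 and exits non-zero when nothing matches, hence "|| true".
redefine_warnings() {
  $CC "$@" -dM -E -x c /dev/null 2>&1 >/dev/null | grep -c 'redefined' || true
}

report() {
  printf '%-50s value=%-10s redefine-warnings=%s\n' \
    "$*" "$(fortify_value "$@")" "$(redefine_warnings "$@")"
}

# Highest optimization level: fortification enabled.
report -O3 $ENABLE_FORTIFY_CFLAGS
# Lower level appended after the enable flag: -U alone clears the macro.
report -O1 $ENABLE_FORTIFY_CFLAGS $DISABLE_FORTIFY_CFLAGS
# The combination reported in the thread as generating a warning.
report -O1 $ENABLE_FORTIFY_CFLAGS -D_FORTIFY_SOURCE=0
```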