Skip to content

Commit 8636288

Browse files
fanquakefanquake
committed
Merge #20720: build: more robustly check for fcf-protection support
e9189a7 build: more robustly check for fcf-protection support (fanquake) Pull request description: When using Clang 7, we may end up trying to use the flag when it won't work properly, which can lead to confusing errors. i.e: ```bash /usr/bin/ld: error: ... <corrupt x86 feature size: 0x8> ``` Use `AX_CHECK_LINK_FLAG` & `--fatal-warnings` to ensure we wont use the flag in this case. We do this as even when the error is emitted, compilation succeeds, and the binaries produced will run. This means we can't just check if the compiler accepts the flag, or if compilation succeeds (without or without `-Werror`, and/or passing `-Wl,--fatal-warnings`, which may not be passed through to the linker). This was reported by someone configuring for fuzzing, on Debian 10, where Clang 7 is the default. See here for a minimal example of the problematic behaviour: https://gist.github.com/fanquake/9b33555fcfebef8eb8c0795a71732bc6 ACKs for top commit: pstratem: tested ACK e9189a7 MarcoFalke: not an ACK e9189a7 , I only tested configure on my system (gcc-10, clang-11): hebasto: ACK e9189a7, tested with clang-7, clang-10 and gcc: the `-fcf-protection=full` is not applied for clang-7, but applied for others compilers. Tree-SHA512: ec24b0cc5523b90139c96cbb33bb98d1e6a24d858c466aa7dfb3c474caf8c50aca53e570fdbc0ff88378406b0ac5d687542452637b1b5fa062e829291b886fc1
2 parents cf26ca3 + e9189a7 commit 8636288

File tree

1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

configure.ac

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -854,7 +854,10 @@ if test x$use_hardening != xno; then
854854
AX_CHECK_COMPILE_FLAG([-Wstack-protector],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
855855
AX_CHECK_COMPILE_FLAG([-fstack-protector-all],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])
856856

857-
AX_CHECK_COMPILE_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"])
857+
dnl -fcf-protection used with Clang 7 causes ld to emit warnings:
858+
dnl ld: error: ... <corrupt x86 feature size: 0x8>
859+
dnl Use CHECK_LINK_FLAG & --fatal-warnings to ensure we wont use the flag in this case.
860+
AX_CHECK_LINK_FLAG([-fcf-protection=full],[HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fcf-protection=full"],, [[$LDFLAG_WERROR]])
858861

859862
dnl stack-clash-protection does not work properly when building for Windows.
860863
dnl We use the test case from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458

0 commit comments

Comments
 (0)