Bug 2009958
| Summary: | annobin: Plugin diagnostics for -D_FORTIFY_SOURCE break autoconf tests | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Florian Weimer <fweimer> |
| Component: | annobin | Assignee: | Nick Clifton <nickc> |
| Status: | CLOSED ERRATA | QA Contact: | Václav Kadlčík <vkadlcik> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | agk, fweimer, mcermak, nickc, tschelle, vkadlcik, zbyszek |
| Target Milestone: | rc | Keywords: | Bugfix, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | annobin-10.58-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-15 09:52:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Florian Weimer
2021-10-02 11:41:36 UTC
I am not sure what the expected behaviour is here. Clearly the warning message from the annobin plugin is correct, the -D_FORTIFY_SOURCE=2 option has not been provided on the compilation command line. So the obvious solution would be to update the configure scripts to add the option.
As an alternative, there is a command line option which can disable this warning message: -fplugin-arg-annobin-no-active-checks
So that could be added to configure's compilation command line.
If neither of these solutions is acceptable then either the warning needs to be completely disabled or else the plugin needs some method t distinguish between compilation of configure tests and compilation of real code.
> I believe this is a recently introduced regression. annobin-9.83-3.el9 did
> not produce an error here, but annobin-10.06-1.el9 does.
The reason that the plugin generates the warning is that the -flto option is being used. Since LTO compilation works on precompiled byte code the LTO compiler command line is stripped of all preprocessor options. Hence the annobin plugin that is run during LTO cannot check the -D_FORTIFY_SOURCE option. So instead the annobin plugin that is run during the creation of LTO-enhanced object files checks the command line (which does have the preprocessor options) and it generates a warning if the FORTIFY_SOURCE option is missing.
Thoughts ?
(In reply to Nick Clifton from comment #1) > I am not sure what the expected behaviour is here. Clearly the warning > message from the annobin plugin is correct, the -D_FORTIFY_SOURCE=2 option > has not been provided on the compilation command line. So the obvious > solution would be to update the configure scripts to add the option. Would it be possible to serialize the fact whether _FORITFY_SOURCE was present along with the LTO data, perhaps as a plugin-specific function attribute? > As an alternative, there is a command line option which can disable this > warning message: -fplugin-arg-annobin-no-active-checks > So that could be added to configure's compilation command line. If we had that level of consistent control over package build systems, we wouldn't need annobin. I find it somewhat unlikely that maintainers are going to notice the warning in the build logs. But if we add it, we need to roll it out more carefully and check that it does not alter configure checks in more cases. (In reply to Florian Weimer from comment #2) > Would it be possible to serialize the fact whether _FORITFY_SOURCE was > present along with the LTO data, perhaps as a plugin-specific function > attribute? Hmm, if that is possible then it would certainly be a better way to solve annocheck's need to detect the -D_FORTIFY_SOURCE option. I will ask Marek if this can be done. > I find it somewhat unlikely that maintainers are going to notice the warning > in the build logs. But if we add it, we need to roll it out more carefully > and check that it does not alter configure checks in more cases. I had hoped that maintainers would use -Werror as a matter of course, but you are, this cannot be relied upon. But I did also assume that it is safe for a plugin to generate a warning message, since without a deliberate use of -Werror they do not stop compilation. As a matter of interest, why is the autoconf test enabling -Werror ? (In reply to Nick Clifton from comment #3) > As a matter of interest, why is the autoconf test enabling -Werror ? I think it checks if using inline (and by extension __inline__) produces a pedantic warning. (In reply to Florian Weimer from comment #4) > > As a matter of interest, why is the autoconf test enabling -Werror ? > > I think it checks if using inline (and by extension __inline__) produces a > pedantic warning. Ah, OK - so this test would be vulnerable to other new warning messages from gcc, if they were triggered by the test code. What about the command line options used for the test ? They appear to have been generated from something like `rpm --eval %build_cflags` except not quite, as otherwise the -D_FORTIFY_SOURCE=2 option would be present. Another question: Can I rely upon autoconf tests defining NDEBUG ? Maybe I could gate the warning message on the absence of that define ... (In reply to Nick Clifton from comment #6) > Another question: Can I rely upon autoconf tests defining NDEBUG ? > Maybe I could gate the warning message on the absence of that define ... -DNDEBUG is specific to the pmix package. From config/pmix.m4: if test "$WANT_DEBUG" = "0"; then CFLAGS="-DNDEBUG $CFLAGS" fi Resetting ITR to 9.1.0 as this is going to need some time to investigate. It may possible for the annobin plugin to inject information into the LTO data generated by gcc, but this is likely to be tricky. If it is not possible, then the only other option is to disable the warning message by default. Hmm, I'm seeing this in rawhide mock now. I'm trying to build ruby, and configure fails:
<mock-chroot> sh-5.1# cat conftest.c
int main(void){return 0;}
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -m64 conftest.c
conftest.c: warning: -D_FORTIFY_SOURCE not defined
<mock-chroot> sh-5.1# gcc -fplugin-arg-annobin-no-active-checks -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -m64 conftest.c
cc1: error: plugin annobin should be specified before ‘-fplugin-arg-annobin-no-active-checks’ in the command line
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -m64 conftest.c
conftest.c: warning: -D_FORTIFY_SOURCE not defined
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -m64 conftest.c
conftest.c: warning: -D_FORTIFY_SOURCE not defined
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -m64 conftest.c
conftest.c: warning: -D_FORTIFY_SOURCE not defined
I tried -fplugin-arg-annobin-no-active-checks, but it doesn't seem to work:
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fplugin-arg-annobin-no-active-checks -m64 conftest.c
cc1: error: plugin annobin should be specified before ‘-fplugin-arg-annobin-no-active-checks’ in the command line
<mock-chroot> sh-5.1# gcc -c -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fplugin-arg-annobin-no-active-checks -m64 conftest.c
cc1: error: plugin annobin should be specified before ‘-fplugin-arg-annobin-no-active-checks’ in the command line
Any advice?
annobin-plugin-gcc-10.47-2.fc36.x86_64 gcc-12.0.1-0.2.fc36.x86_64 (In reply to Zbigniew Jędrzejewski-Szmek from comment #9) Hi Zbigniew, > Hmm, I'm seeing this in rawhide mock now. I'm trying to build ruby, and > configure fails: > I tried -fplugin-arg-annobin-no-active-checks, but it doesn't seem to work: > cc1: error: plugin annobin should be specified before > ‘-fplugin-arg-annobin-no-active-checks’ in the command line > Any advice? The problem here is a bug in gcc's command line option processing. When it sees a -specs=... option it delays processing the contents until after the rest of the command line has been examined. So the -spec=redhat-annobin-cc1 option does not load the annobin plugin until after the rest of the command line has been processed. Hence the -fplugin-arg-annobin option does not work. :-( There is a workaround however: Simply load the plugin first, and then add the plugin argument option. Ie instead of adding: -fplugin-arg-annobin-no-active-checks add: -fplugin=annobin -fplugin-arg-annobin-no-active-checks This does mean that the annobin plugin ought to be loaded twice, but gcc is smart enough to detect that it has already been loaded, so the second load attempt (from the -spec=redhar-annobin-cc1 option) will be ignored. I hope that this helps. Cheers Nick Thanks, I'll try that. In the meantime I was testing annobin versions: only annobin-10.50-1.fc36 has the problem. Both annobin-10.49-1.fc36 and annobin-10.48-6.fc36 work fine without any workarounds. Right - I have a check to the gcc plugin in annobin-10.58-1.el9 so that it will only generate warning messages about the FORTIFY_SOURCE definition being missing if the source file's name does not start with "conftest.". This should handle any source file generated by autoconf. If the user has explicitly requested[1] that error messages are generated however, then these will still be issued, regardless of the source file name. [1]: Via -fplugin-arg-annobin-active-checks Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (annobin bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7957 |