Description of problem:
Latest tbb build is stuck in gating: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4acfa3bbcc

While the reason is the tier0 test, there are other failures worth considering. One of them is fedora-ci.koji-build.rpminspect.static-analysis

More specifically, annocheck reports:

Hardened: /usr/lib/libtbb.so.2: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: _ZN3tbb4task7destroyERS0_).
Hardened: /usr/lib/libtbbmalloc.so.2: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: scalable_allocation_command).
Hardened: /usr/lib/python3.11/site-packages/tbb/_api.cpython-311-i386-linux-gnu.so: FAIL: fortify test because -D_FORTIFY_SOURCE=[2|3] was not present on the command line (function: PyInit__api).

Another way to reproduce the problem is downloading and checking the build's RPMs:

koji download-build --arch={x86_64,i686,noarch} tbb-2020.3-16.fc39
annocheck --ignore-unknown --profile=rawhide *.rpm

Version-Release number of selected component (if applicable):
tbb-2020.3-16.fc39
tbb.spec has:

# Insert --as-needed before the libraries to be linked.
sed -i "s/-fPIC/& -Wl,--as-needed/" build/linux.gcc.inc

This should probably be adding all the RPM_OPT_FLAGS, not just this tweak. It probably also makes sense to backport https://github.com/oneapi-src/oneTBB/pull/1017 and stop sed'ing the python files in the spec's %prep.
Just adding some context. The predecessor to tbb-2020.3-16.fc39 in Rawhide was tbb-2020.3-15.fc38. I'm using annobin-annocheck-11.11-1.fc39.x86_64. While annocheck --ignore-unknown --profile=rawhide *.rpm passes on the RPMs of tbb-2020.3-15.fc38, it fails on tbb-2020.3-16.fc39. From the rpminspect's POV, it looks like a regression. If it's a genuine false positive then we can try to find a way of making an exception in the rpminspect's configuration.
Nothing changed in the sources or the build system between -15.fc38 and -16.fc39 so I'm unsure how it can have regressed.

scalable_allocation_command is defined in this translation unit:

g++ -c -MMD -O2 -g -DDO_ITT_NOTIFY -DUSE_PTHREAD -pthread -m64 -mrtm -Wall -Wextra -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -DUSE_PTHREAD -DTBB_SUPPRESS_DEPRECATED_MESSAGES=1 -fno-rtti -fno-exceptions -fno-strict-aliasing -D__TBBMALLOC_BUILD=1 -Wno-parentheses -Wno-sized-deallocation -fPIC -Wl,--as-needed -flifetime-dse=1 -I../../src -I../../src/rml/include -I../../include -I../../src/tbbmalloc -I../../src/tbbmalloc -I. ../../src/tbbmalloc/frontend.cpp

tbb::task::destroy is defined in this translation unit:

g++ -o task_v2.o -c -MMD -O2 -g -DDO_ITT_NOTIFY -DUSE_PTHREAD -pthread -m64 -mrtm -fPIC -Wl,--as-needed -flifetime-dse=1 -D__TBB_BUILD=1 -Wall -Wextra -Wno-parentheses -Wno-sized-deallocation -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -DUSE_PTHREAD -DTBB_SUPPRESS_DEPRECATED_MESSAGES=1 -std=c++14 -I../../src -I../../src/rml/include -I../../include ../../src/old/task_v2.cpp

They're both built with _FORTIFY_SOURCE=3.
That output is taken from https://kojipkgs.fedoraproject.org//packages/tbb/2020.3/16.fc39/data/logs/x86_64/build.log
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Still failing annocheck with tbb-2021.11 https://artifacts.dev.testing-farm.io/edc5e569-6b2f-4c1a-a9df-e2fce728018f/
(In reply to Jonathan Wakely from comment #8)
> Still failing annocheck with tbb-2021.11
>
> https://artifacts.dev.testing-farm.io/edc5e569-6b2f-4c1a-a9df-e2fce728018f/

The cause is different now and this is still a real bug:

Hardened: /usr/lib/libtbb.so.12.11: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags

This means that the hardware control flow integrity flags don't make it all the way down to the generated binary and so we're missing some security features. We should look into why the DSO isn't built with the flags and resolve the issue to improve Fedora's security.
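
What the cf-protection failure in the last comment refers to at the ELF level, as an added example (not part of the bug report and not annocheck's implementation): a parser for the raw bytes of a .note.gnu.property section that reports whether the x86 feature property declares IBT and SHSTK. The function names are hypothetical, the sample sections are constructed, and little-endian x86 input is assumed.

```python
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
CET_BITS = {"IBT": 0x1, "SHSTK": 0x2}

def _pad(n, align):
    return (n + align - 1) & ~(align - 1)

def x86_feature_1(section, align=8):
    """Return the X86_FEATURE_1_AND mask from raw .note.gnu.property bytes.

    align: 8 for ELFCLASS64, 4 for ELFCLASS32. None if the property is absent.
    """
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        desc = off + 12 + _pad(namesz, 4)
        end = desc + descsz
        if end > len(section):
            raise ValueError("truncated note")
        is_gnu = section[off + 12:off + 12 + namesz] == b"GNU\0"
        p = desc
        while is_gnu and ntype == NT_GNU_PROPERTY_TYPE_0 and p + 8 <= end:
            pr_type, pr_datasz = struct.unpack_from("<II", section, p)
            if p + 8 + pr_datasz > end:
                raise ValueError("truncated property")
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", section, p + 8)[0]
            p += 8 + _pad(pr_datasz, align)  # property data is padded per ELF class
        off = _pad(end, align)
    return None

def missing_cet(section, align=8):
    """List the CET features the note fails to declare."""
    mask = x86_feature_1(section, align) or 0
    return [name for name, bit in CET_BITS.items() if not mask & bit]

def build_note(props, align=8):
    """Construct sample section bytes (test data, not taken from any real build)."""
    desc = b""
    for pr_type, data in props:
        desc += struct.pack("<II", pr_type, len(data)) + data
        desc += b"\0" * (_pad(len(data), align) - len(data))
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc

FULL = build_note([(GNU_PROPERTY_X86_FEATURE_1_AND, struct.pack("<I", 0x3))])
IBT_ONLY = build_note([(GNU_PROPERTY_X86_FEATURE_1_AND, struct.pack("<I", 0x1))], align=4)
NO_CET = build_note([(0xC0008002, struct.pack("<I", 0x1))], align=4)  # ISA_1_NEEDED only

if __name__ == "__main__":
    for label, sec, align in (("full", FULL, 8), ("ibt-only", IBT_ONLY, 4), ("no-cet", NO_CET, 4)):
        print(label, missing_cet(sec, align) or "ok")
```

The linker computes this property as a bitwise AND over all input objects, so a single object without the marker (for example one compiled without -fcf-protection) clears the bits in the final DSO.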