зеркало из https://github.com/github/ruby.git
0ccb80d6bf
This changes the automatic detection of -fstack-protector, -D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags instead of $XCFLAGS. The definition of $cflags is changed to "$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match. Furthermore, these flags are _prepended_ to $hardenflags, rather than appended. The implications of doing this are as follows: * If a CRuby builder specifies cflags="-mbranch-protection=foobar" at the ./configure script, and the configure script detects that -mbranch-protection=pac-ret is accepted, then GCC will be invoked as "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since the last flags take precedence, that means that user-supplied values of these flags in $cflags will take priority. * Likewise, if a CRuby builder explicitly specifies "hardenflags=-mbranch-protection=foobar", because we _prepend_ to $hardenflags in our autoconf script, we will still invoke GCC as "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". * If a CRuby builder specifies CFLAGS="..." at the configure line, automatic detection of hardening flags is ignored as before. * C extensions will _also_ be built with hardening flags now as well (this was not the case by default before because the detected flags went into $XCFLAGS). Additionally, as part of this work, I changed how the detection of PAC/BTI in Context.S works. Rather than appending the autodetected option to ASFLAGS, we simply compile a set of test programs with the actual CFLAGS in use to determine what PAC/BTI settings were actually chosen by the builder. Context.S is made aware of these choices through some custom macros. The result of this work is that: * Ruby will continue to choose some sensible defaults for hardening options for the C compiler * Distributors are able to specify CFLAGS that are consistent with their distribution and override these defaults * Context.S will react to whatever -mbranch-protection is actually in use, not what was autodetected * Extensions get built with hardening flags too. [Bug #20154] [Bug #20520] |
||
|---|---|---|
| .. | ||
| annocheck | ||
| bundler | ||
| lib | ||
| lrama | ||
| m4 | ||
| releng | ||
| rjit | ||
| ruby_vm | ||
| test | ||
| test_for_warn_bundled_gems | ||
| asm_parse.rb | ||
| bisect.sh | ||
| build-transcode | ||
| checksum.rb | ||
| colors | ||
| darwin-ar | ||
| darwin-cc | ||
| disable_ipv6.sh | ||
| downloader.rb | ||
| enc-case-folding.rb | ||
| enc-emoji-citrus-gen.rb | ||
| enc-emoji4unicode.rb | ||
| enc-unicode.rb | ||
| eval.rb | ||
| expand-config.rb | ||
| extlibs.rb | ||
| fake.rb | ||
| fetch-bundled_gems.rb | ||
| file2lastrev.rb | ||
| format-release | ||
| gen-github-release.rb | ||
| gen-mailmap.rb | ||
| gen_dummy_probes.rb | ||
| gen_ruby_tapset.rb | ||
| generic_erb.rb | ||
| git-refresh | ||
| gperf.sed | ||
| id2token.rb | ||
| ifchange | ||
| insns2vm.rb | ||
| install-sh | ||
| intern_ids.rb | ||
| leaked-globals | ||
| ln_sr.rb | ||
| make-snapshot | ||
| make_hgraph.rb | ||
| mdoc2man.rb | ||
| merger.rb | ||
| missing-baseruby.bat | ||
| mk_builtin_loader.rb | ||
| mkconfig.rb | ||
| mkrunnable.rb | ||
| node_name.rb | ||
| outdate-bundled-gems.rb | ||
| parse.rb | ||
| prereq.status | ||
| probes_to_wiki.rb | ||
| rbinstall.rb | ||
| rbs_skip_tests | ||
| rbuninstall.rb | ||
| rdoc-srcdir | ||
| redmine-backporter.rb | ||
| release.sh | ||
| rmdirs | ||
| run-gcov.rb | ||
| run-lcov.rb | ||
| runruby.rb | ||
| search-cgvars.rb | ||
| strip-rdoc.rb | ||
| sync_default_gems.rb | ||
| test-annocheck.sh | ||
| test-bundled-gems.rb | ||
| test-coverage.rb | ||
| transcode-tblgen.rb | ||
| travis_retry.sh | ||
| travis_wait.sh | ||
| update-NEWS-gemlist.rb | ||
| update-NEWS-refs.rb | ||
| update-bundled_gems.rb | ||
| update-deps | ||
| vtlh.rb | ||
| wasm-clangw | ||