gh-112301: Enable compiler flags with low performance impact and no warnings (gh-120975)

Nate Ohlson 2024-06-25 22:11:05 -05:00 committed by GitHub
parent a905721b9c
commit 7fb32e0209
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 136 additions and 0 deletions


@ -0,0 +1,2 @@
Add default compiler options to improve security. Enable
-Wimplicit-fallthrough, -fstack-protector-strong, -Wtrampolines.

124
configure generated vendored

@ -9605,6 +9605,130 @@ else $as_nop
BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS"
fi
# Enable flags that warn and protect for potential security vulnerabilities.
# These flags should be enabled by default for all builds.
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wimplicit-fallthrough" >&5
printf %s "checking whether C compiler accepts -Wimplicit-fallthrough... " >&6; }
if test ${ax_cv_check_cflags___Wimplicit_fallthrough+y}
then :
printf %s "(cached) " >&6
else $as_nop
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -Wimplicit-fallthrough"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___Wimplicit_fallthrough=yes
else $as_nop
ax_cv_check_cflags___Wimplicit_fallthrough=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Wimplicit_fallthrough" >&5
printf "%s\n" "$ax_cv_check_cflags___Wimplicit_fallthrough" >&6; }
if test "x$ax_cv_check_cflags___Wimplicit_fallthrough" = xyes
then :
BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wimplicit-fallthrough not supported" >&5
printf "%s\n" "$as_me: WARNING: -Wimplicit-fallthrough not supported" >&2;}
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5
printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; }
if test ${ax_cv_check_cflags___fstack_protector_strong+y}
then :
printf %s "(cached) " >&6
else $as_nop
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -fstack-protector-strong"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___fstack_protector_strong=yes
else $as_nop
ax_cv_check_cflags___fstack_protector_strong=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_strong" >&5
printf "%s\n" "$ax_cv_check_cflags___fstack_protector_strong" >&6; }
if test "x$ax_cv_check_cflags___fstack_protector_strong" = xyes
then :
BASECFLAGS="$BASECFLAGS -fstack-protector-strong"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -fstack-protector-strong not supported" >&5
printf "%s\n" "$as_me: WARNING: -fstack-protector-strong not supported" >&2;}
fi
case $CC in
*gcc*)
# Add GCC-specific compiler flags
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wtrampolines" >&5
printf %s "checking whether C compiler accepts -Wtrampolines... " >&6; }
if test ${ax_cv_check_cflags___Wtrampolines+y}
then :
printf %s "(cached) " >&6
else $as_nop
ax_check_save_flags=$CFLAGS
CFLAGS="$CFLAGS -Wtrampolines"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
main (void)
{
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
ax_cv_check_cflags___Wtrampolines=yes
else $as_nop
ax_cv_check_cflags___Wtrampolines=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
CFLAGS=$ax_check_save_flags
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Wtrampolines" >&5
printf "%s\n" "$ax_cv_check_cflags___Wtrampolines" >&6; }
if test "x$ax_cv_check_cflags___Wtrampolines" = xyes
then :
BASECFLAGS="$BASECFLAGS -Wtrampolines"
else $as_nop
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: -Wtrampolines not supported" >&5
printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;}
fi
esac
case $GCC in
yes)
CFLAGS_NODIST="$CFLAGS_NODIST -std=c11"


@ -2451,6 +2451,16 @@ AS_VAR_IF([with_strict_overflow], [yes],
[BASECFLAGS="$BASECFLAGS $STRICT_OVERFLOW_CFLAGS"],
[BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS"])
# Enable flags that warn and protect for potential security vulnerabilities.
# These flags should be enabled by default for all builds.
AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough"], [AC_MSG_WARN([-Wimplicit-fallthrough not supported])])
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])])
case $CC in
*gcc*)
# Add GCC-specific compiler flags
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])])
esac
case $GCC in
yes)
CFLAGS_NODIST="$CFLAGS_NODIST -std=c11"
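Review bot: The `case $CC in *gcc*)` guard around the `-Wtrampolines` probe keys on the spelling of `$CC`, so a GCC invoked as plain `cc` never gets the flag, while any compiler whose command string merely contains `gcc` still reaches the probe. A compiler that only warns about an unknown `-W` option would pass the compile-only check and have the flag appended to BASECFLAGS anyway. Passing `[-Werror]` as the fourth argument lets the probe decide instead of the name match: `AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])`. Separately, when `-fstack-protector-strong` is rejected the build continues with only an `AC_MSG_WARN`, so a lost mitigation is easy to miss in build logs. A comment such as `# Hardening flags are best-effort: configure continues without them if the compiler rejects them.` above the probes would make that choice explicit.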