8000 gh-112301: Make fortify source option check -Werror by nohlson · Pull Request #122141 · python/cpython · GitHub
[go: up one dir, main page]
Skip to content

gh-112301: Make fortify source option check -Werror #122141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 25, 2024
Merged

gh-112301: Make fortify source option check -Werror #122141

merged 5 commits into from
Jul 25, 2024

Conversation

nohlson
Copy link
Contributor
@nohlson nohlson commented Jul 22, 2024
edited by bedevere-app bot
Loading

Add autoconf option to AX_CHECK_COMPILE_FLAG in configure.ac to treat checking for -D_FORTIFY_SOURCE=3 compiler option availability with -Werror to match other options.

Suggested in previous PR for adding this option: #121520 (comment)

@bedevere-app bedevere-app bot mentioned this pull request Jul 22, 2024
Open
corona10
corona10 requested changes Jul 23, 2024
View reviewed changes
Copy link
Member
@corona10 corona10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase the PR.

@bedevere-app
Copy link
bedevere-app bot commented Jul 23, 2024

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@corona10
Copy link
Member

If you want to test the option with build bot please move the option under the --disable-safety then we can run the options with buildbot and if the build is success let's move the option to the --enable-slower-safety .

We can add --enable-slower-safety to the buildbot options with separate PRs.

@nohlson nohlson force-pushed the foritfy-source-compile-flag-check-werror branch from 5d075bc to 505016a Compare July 23, 2024 08:34
@nohlson
Copy link
Contributor Author
nohlson commented Jul 23, 2024

@corona10 I have pushed a commit to put -D_FORTIFY_SOURCE=3 to --disable-safety so we can test with buildbots

@corona10 corona10 added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 23, 2024
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @corona10 for commit 505016a 🤖

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 23, 2024
corona10
corona10 reviewed Jul 23, 2024
View reviewed changes
configure.ac Outdated
@@ -2510,6 +2510,7 @@ if test "$disable_safety" = "no"
then
AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])], [-Werror])
Copy link
Member
@corona10 corona10 Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @encukou

It will be moved to ./configure --enable-slower-safety after the buildbot is passed.
And maybe we can discuss about using CFLAGS_NODIST in this PR too.

corona10
corona10 reviewed Jul 23, 2024
View reviewed changes
configure.ac
@@ -2519,7 +2520,6 @@ AC_MSG_RESULT([$enable_slower_safety])

if test "$enable_slower_safety" = "yes"
then
AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nohlson you can remove whole code block for testing purpose.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed. Ready to test with buildbots

@nohlson
Copy link
Contributor Author
nohlson commented Jul 23, 2024

I have made the requested changes; please review again

@bedevere-app
Copy link
bedevere-app bot commented Jul 23, 2024

Thanks for making the requested changes!

@corona10: please review the changes made to this pull request.

@bedevere-app bedevere-app bot requested a review from corona10 July 23, 2024 20:10
@corona10 corona10 added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 23, 2024
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @corona10 for commit ea8ded7 🤖

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

8000
@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Jul 23, 2024
@corona10
Copy link
Member
corona10 commented Jul 24, 2024
edited
Loading

@nohlson

  • Refleaks from test_types does not related to this PR
Objects/object.c:1061:16: runtime error: call to function long_hash through pointer to incorrect function type 'long (*)(struct _object *)'
/buildbot/buildarea/pull_request.pablogsal-arch-x86_64.clang-ubsan/build/Objects/longobject.c:3618: note: long_hash defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/object.c:1061:16 in
make: *** [Makefile:1691: Python/frozen_modules/getpath.h] Error

also does not related to this PR.

So the change itself looks fine.
Could you move the fortify source option to --enable-slower-safety?

@nohlson
Copy link
Contributor Author
nohlson commented Jul 24, 2024

I have made the requested changes; please review again

@bedevere-app
Copy link
bedevere-app bot commented Jul 24, 2024

Thanks for making the requested changes!

@corona10: please review the changes made to this pull request.

corona10
corona10 approved these changes Jul 25, 2024
View reviewed changes
Copy link
Member
@corona10 corona10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Let's update BASECFLAGS into CFLAGS_NODIST with separate PR.

@corona10 corona10 merged commit ca0f7c4 into python:main Jul 25, 2024
36 of 37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corona10 corona10 corona10 approved these changes

@erlend-aasland erlend-aasland Awaiting requested review from erlend-aasland erlend-aasland is a code owner

Assignees
No one assigned
Labels
skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nohlson @corona10 @bedevere-bot
0