JDK-8223219

Backport of JDK-8199552 to OpenJDK 8 leads to duplicate -fstack-protector flags, overriding --with-extra-cflags

    Details

    • Subcomponent:
    • Understanding:
      Fix Understood
    • Introduced In Version:
    • CPU:
      generic
    • OS:
      linux

      Description

      8199552 appears in OpenJDK 11 as:

      https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/8b060cdf0251

      A backport for 8u was not provided to us prior to the upstream availability of 8u20{1,2}, so we did our own along the lines of the 11u version. This added -fstack-protector in the same place after -pipe for the JDK in flags.m4 and after -fcheck-new in the HotSpot repository gcc.make makefiles for Linux, BSD and Solaris.

      When the 8u version did become available, it was quite different:

      https://hg.openjdk.java.net//jdk8u/jdk8u/rev/2c9ec0970599

      Here, the addition is restricted to x86 and it adds them to LEGACY_EXTRA_CFLAGS and LEGACY_EXTRA_CXXFLAGS rather than altering the HotSpot build itself.

      For the JDK part, the change adds it to both CCXXFLAGS_JDK and CFLAGS_JDK. As the former is used by C and C++ compiles, this has the effect of adding -fstack-protector twice.

      The CFLAGS_JDK addition is particularly problematic because it occurs after with_extra_cflags is appended. This means that -fstack-protector overrides user options like -fstack-protector-strong, weakening such protection.

      e.g.

       [7] CFLAGS := -Wall -Wno-parentheses -Wextra -Wno-unused -Wno-unused-parameter -Wformat=2 -pipe -D_GNU_SOURCE -D_REENTRANT -D_LARGEFILE64_SOURCE -fno-omit-frame-pointer -fstack-protector -D_LP64=1 -D_LITTLE_ENDIAN -DLINUX -DARCH='"amd64"' -Damd64 -DNDEBUG -DRELEASE='"1.8.0-internal"' -I/home/andrew/builder/8u-dev/jdk/include -I/home/andrew/builder/8u-dev/jdk/include/linux -I/home/andrew/projects/openjdk/upstream/jdk8u-dev/jdk/src/share/javavm/export -I/home/andrew/projects/openjdk/upstream/jdk8u-dev/jdk/src/solaris/javavm/export -I/home/andrew/projects/openjdk/upstream/jdk8u-dev/jdk/src/share/native/common -I/home/andrew/projects/openjdk/upstream/jdk8u-dev/jdk/src/solaris/native/common -O2 -pipe -march=core2 -ggdb -mno-tls-direct-seg-refs -fno-strict-aliasing -fstack-protector -fno-delete-null-pointer-checks -fno-lifetime-dse -fPIC -I/home/andrew/builder/8u-dev/jdk/gensrc_headers -I/home/andrew/projects/openjdk/upstream/jdk8u-dev/jdk/src/share/native/java/lang/fdlibm/include

      In the above, the -fstack-protector after -fno-omit-frame-pointer comes from CCXXFLAGS_JDK. The one after -fno-strict-aliasing comes from CFLAGS_JDK and is after the extra CFLAGS specified by the user (-O2 -pipe -march=core2 -ggdb -mno-tls-direct-seg-refs).

      I suggest we drop the CFLAGS_JDK and also apply this change across all architectures, as is done in OpenJDK 11.
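
A build-log check for the override described above, added here as an example and not part of the original report or the OpenJDK build system. The function names and the sample flag line are constructed for illustration, and the check assumes whitespace-separated flags with the last stack-protector option taking effect.

```shell
#!/bin/sh
# Constructed sample modelled on the report: the user asks for
# -fstack-protector-strong via extra CFLAGS, and the build then appends a
# plain -fstack-protector after the user's flags.
SAMPLE_CFLAGS='-Wall -pipe -fno-omit-frame-pointer -fstack-protector -O2 -fstack-protector-strong -fno-strict-aliasing -fstack-protector -fPIC'

# Print the stack-protector option that takes effect on a flag line: the
# last one present (the override the report describes), or "none".
effective_ssp() {
    last=none
    for flag in $1; do
        case $flag in
            -fstack-protector|-fstack-protector-*|-fno-stack-protector) last=$flag ;;
        esac
    done
    printf '%s\n' "$last"
}

# Print how many stack-protector options appear; more than one means some
# part of the build is adding the flag redundantly.
count_ssp() {
    n=0
    for flag in $1; do
        case $flag in
            -fstack-protector|-fstack-protector-*|-fno-stack-protector) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Return 0 only if the option the user requested ($2) is the effective one
# on the flag line ($1); otherwise report the downgrade on stderr.
check_ssp() {
    got=$(effective_ssp "$1")
    if [ "$got" = "$2" ]; then return 0; fi
    echo "wanted $2, effective $got ($(count_ssp "$1") stack-protector flags)" >&2
    return 1
}

check_ssp "$SAMPLE_CFLAGS" -fstack-protector-strong || echo "user hardening flag overridden"
```

Feeding each compile line from a verbose build log through `check_ssp` shows whether a requested hardening level survives to the compiler invocation.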

            People

            • Assignee:
              andrew Andrew Hughes
              Reporter:
              andrew Andrew Hughes