[PATCH] configure: Test for _FORTIFY_SOURCE=3 support.

[PATCH] configure: Test for _FORTIFY_SOURCE=3 support.

[Mark Wielaard]

_FORTIFY_SOURCE=3 adds extra glibc (dynamic) fortification checks
when using GCC 12.

This adds a configure check to see if -D_FORTIFY_SOURCE=3 can be used.
If not, configure will fall back to -D_FORTIFY_SOURCE=2.

On some older glibc versions (glibc 2.17) using -D_FORTIFY_SOURCE=3
provides the same fortification as _FORTIFY_SOURCE=2. On some newer
glibc versions and older GCC (glibc 2.34 amd gcc 11) using
-D_FORTIFY_SOURCE=3 produces a not supported warning (and we fall
back to -D_FORTIFY_SOURCE=2). With newer glibc and newer GCC versions
(glibc 2.35 and gcc 12) -D_FORTIFY_SOURCE=3 will use the newer dynamic
fortification checks.

This patch also makes sure that AC_PROG_CXX is used earlier so that
CXXFLAGS is always setup correctly (even if we then don't use it).
And it outputs both the CFLAGS and CXXFLAGS as used at the end.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---

https://code.wildebeest.org/git/user/mjw/elfutils/commit/?h=_FORTIFY_SOURCE3

 ChangeLog    |  6 ++++++
 configure.ac | 37 +++++++++++++++++++++++++++----------
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f00db17b..bfa666c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2022-03-10  Mark Wielaard  <mark@klomp.org>
+
+	* configure.ac: Move AC_PROG_CXX earlier. Check for both
+	-D_FORTIFY_SOURCE=3 and -D_FORTIFY_SOURCE=2 support. Also
+	set CXXFLAGS. Output final CFLAGS and CXXFLAGS setting.
+
 2021-12-04  Mark Wielaard  <mark@klomp.org>
 
 	* configure.ac: Add --enable-sanitize-address.
diff --git a/configure.ac b/configure.ac
index 48071165..52882fa9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,6 +2,7 @@ dnl Process this file with autoconf to produce a configure script.
 dnl Configure input file for elfutils.                     -*-autoconf-*-
 dnl
 dnl Copyright (C) 1996-2019 Red Hat, Inc.
+dnl Copyright (C) 2022 Mark J. Wielaard <mark@klomp.org>
 dnl
 dnl This file is part of elfutils.
 dnl
@@ -88,6 +89,7 @@ AS_IF([test "$use_locks" = yes],
 AH_TEMPLATE([USE_LOCKS], [Defined if libraries should be thread-safe.])
 
 AC_PROG_CC_C99
+AC_PROG_CXX
 AC_PROG_RANLIB
 AC_PROG_YACC
 AM_PROG_LEX
@@ -231,25 +233,38 @@ AC_CACHE_CHECK([whether fts.h is bad when included (with LFS)], ac_cv_bad_fts,
 AS_IF([test "x$ac_cv_bad_fts" = "xyes"],
       [CFLAGS="$CFLAGS -DBAD_FTS=1" CXXFLAGS="$CXXFLAGS -DBAD_FTS=1"])
 
-# See if we can add -D_FORTIFY_SOURCE=2. Don't do it if it is already
+# See if we can add -D_FORTIFY_SOURCE=2 or =3. Don't do it if it is already
 # (differently) defined or if it generates warnings/errors because we
 # don't use the right optimisation level (string.h will warn about that).
-AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 to CFLAGS])
+AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 or =3 to CFLAGS])
 case "$CFLAGS" in
-  *-D_FORTIFY_SOURCE=2*)
+  *-D_FORTIFY_SOURCE=*)
     AC_MSG_RESULT([no, already there])
     ;;
   *)
     save_CFLAGS="$CFLAGS"
-    CFLAGS="-D_FORTIFY_SOURCE=2 $CFLAGS -Werror"
+    # Try 3 first.
+    CFLAGS="-D_FORTIFY_SOURCE=3 $save_CFLAGS -Werror"
+    fortified_cflags=""
     AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
       #include <string.h>
       int main() { return 0; }
-    ]])], [ AC_MSG_RESULT([yes])
-            CFLAGS="-D_FORTIFY_SOURCE=2 $save_CFLAGS" ],
-          [ AC_MSG_RESULT([no])
-            CFLAGS="$save_CFLAGS"])
-  ;;
+    ]])], [ AC_MSG_RESULT([yes -D_FORTIFY_SOURCE=3])
+            fortified_cflags="-D_FORTIFY_SOURCE=3" ], [])
+
+    # If that didn't work, try 2.
+    if test -z "$fortified_cflags"; then
+      CFLAGS="-D_FORTIFY_SOURCE=2 $save_CFLAGS -Werror"
+      AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
+        #include <string.h>
+        int main() { return 0; }
+      ]])], [ AC_MSG_RESULT([yes -D_FORTIFY_SOURCE=2])
+              fortified_cflags="-D_FORTIFY_SOURCE=2" ],
+              [ AC_MSG_RESULT([no, cannot be used])])
+    fi
+    CFLAGS="$fortified_cflags $save_CFLAGS"
+    CXXFLAGS="$fortified_cflags $CXXFLAGS"
+    ;;
 esac
 
 dnl enable debugging of branch prediction.
@@ -757,7 +772,6 @@ AM_CONDITIONAL([DUMMY_LIBDEBUGINFOD],[test "x$enable_libdebuginfod" = "xdummy"])
 # Look for libmicrohttpd, libarchive, sqlite for debuginfo server
 # minimum versions as per rhel7.
 AC_ARG_ENABLE([debuginfod],AC_HELP_STRING([--enable-debuginfod], [Build debuginfod server]))
-AC_PROG_CXX
 AS_IF([test "x$enable_debuginfod" != "xno"], [
     AC_MSG_NOTICE([checking debuginfod C++11 support, --disable-debuginfod to skip])
     AX_CXX_COMPILE_STDCXX(11, noext, mandatory)
@@ -804,6 +818,9 @@ AC_MSG_NOTICE([
     Maintainer mode                    : ${enable_maintainer_mode}
     build arch                         : ${ac_cv_build}
 
+    CFLAGS=${CFLAGS}
+    CXXFLAGS=${CXXFLAGS}
+
   RECOMMENDED FEATURES (should all be yes)
     gzip support                       : ${with_zlib}
     bzip2 support                      : ${with_bzlib}
-- 
2.18.4

Re: [PATCH] configure: Test for _FORTIFY_SOURCE=3 support.

[Mark Wielaard]

Hi,

On Thu, 2022-03-10 at 18:06 +0100, Mark Wielaard wrote:
> _FORTIFY_SOURCE=3 adds extra glibc (dynamic) fortification checks
> when using GCC 12.
> 
> This adds a configure check to see if -D_FORTIFY_SOURCE=3 can be
> used.
> If not, configure will fall back to -D_FORTIFY_SOURCE=2.
> 
> On some older glibc versions (glibc 2.17) using -D_FORTIFY_SOURCE=3
> provides the same fortification as _FORTIFY_SOURCE=2. On some newer
> glibc versions and older GCC (glibc 2.34 amd gcc 11) using
> -D_FORTIFY_SOURCE=3 produces a not supported warning (and we fall
> back to -D_FORTIFY_SOURCE=2). With newer glibc and newer GCC versions
> (glibc 2.35 and gcc 12) -D_FORTIFY_SOURCE=3 will use the newer
> dynamic
> fortification checks.
> 
> This patch also makes sure that AC_PROG_CXX is used earlier so that
> CXXFLAGS is always setup correctly (even if we then don't use it).
> And it outputs both the CFLAGS and CXXFLAGS as used at the end.

Pushed.

Cheers,

Mark