All,
I'm hoping for some suggestions particularly from the toolchain and
hardened profile folk.
We have a compiler that goes via C and uses gcc as its backend. This
compiler does some pretty unpleasant things with the assembler output of
gcc. For one thing it doesn't use the C stack. It strips off the prelude
and epilogue of each function. Anyway, suffice to say that it doesn't
work with hardened gcc; that is both PIE and the stack protector.
However turning these features off (by passing -nopie
-fno-stack-protector to gcc) is not so easy when we consider that people
can upgrade their gcc or change from a vanilla to a hardened profile
*after* emerging ghc.
gcc-3 supports both -nopie and -fno-stack-protector. So always using
these would be ok if it were not for gcc-4 which doesn't grok
-fno-stack-protector.
If we don't use -fno-stack-protector then if someone changes from a
vanilla gcc profile to a hardened one then the users will get breakage
when they start using ghc again.
We could have the ghc driver script work out dynamically which flags to
pass to gcc to suppress the hardened stuff but I think we can all see
the downside to that.
We could say "don't switch to a hardened gcc profile - it doesn't work".
We could say "don't use gcc 4 - it's not supported". However this will
not last forever.
We could ask the gcc-config people for some assistance. Perhaps by
adding an extra env var GHC_CFLAGS that gives us the right flags. Or
perhaps by hooking into gcc-config to have our flags updated whenever
the user changes profile.
Does anyone have any other suggestions?
--
Duncan Coutts : Gentoo Developer (Haskell herd team lead)
email : dcoutts at gentoo dot org
--
gentoo-dev@gentoo.org mailing list
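
The dynamic-probing option mentioned in the message, as an added example (not code from the post, from ghc, or from gcc-config): a driver script asks the compiler it is about to call which of the two flags it accepts. The names `probe_flags`, `fake_gcc3` and `fake_gcc4` are hypothetical, and the probe assumes the compiler exits non-zero when given an option it does not recognise.

```shell
#!/bin/sh
# probe_flags CC FLAG...
# Prints, space-separated, the FLAGs that CC accepts when compiling a
# trivial C file. CC may be a program name or a shell function.
probe_flags() {
    cc=$1; shift
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/probe.c"
    accepted=
    for flag in "$@"; do
        # Assumption: an unrecognised option makes the compiler fail.
        if "$cc" "$flag" -c "$tmp/probe.c" -o "$tmp/probe.o" >/dev/null 2>&1
        then
            accepted="${accepted:+$accepted }$flag"
        fi
    done
    rm -rf "$tmp"
    printf '%s\n' "$accepted"
}

# Constructed stand-ins for real compilers so the example runs offline.
# fake_gcc3 accepts both flags; fake_gcc4 rejects -fno-stack-protector,
# which is the behaviour the message describes for gcc-4.
fake_gcc3() { return 0; }
fake_gcc4() {
    for a in "$@"; do
        [ "$a" = "-fno-stack-protector" ] && return 1
    done
    return 0
}

# What a driver would do before each gcc invocation, here against the
# constructed gcc-4 stand-in.
probe_flags fake_gcc4 -nopie -fno-stack-protector   # prints: -nopie
```

Against a real toolchain the call would be `probe_flags gcc -nopie -fno-stack-protector`, at the price of one extra compiler run per flag on every invocation.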