Date: Fri, 31 Jan 2025 12:15:34 GMT
Message-Id: <202501311215.50VCFYfl008195@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alexander Leidinger
Subject: git: 1c2ae9233b0e - main - Limit some cc options based upon features
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: netchild
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1c2ae9233b0ed4f6b92c59c0e4026f6ddc073e4a

The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c2ae9233b0ed4f6b92c59c0e4026f6ddc073e4a

commit 1c2ae9233b0ed4f6b92c59c0e4026f6ddc073e4a
Author:     Alexander Leidinger
AuthorDate: 2025-01-31 12:11:06 +0000
Commit:     Alexander Leidinger
CommitDate: 2025-01-31 12:15:29 +0000

    Limit some cc options based upon features

    Limit the use of stack clash protection and zeroregs based upon compiler
    features:
     - switch unconditional use of stack clash protection into a compiler
       feature
     - limit the use of stack clash protection on unsupported architectures
       (I did not wade into the source of each compiler to determine when
       support arrived for each architecture, I used the compiler version
       when it was introduced with what is supported currently)
     - add a safeguard for stack clash protection in places where we have
       no SSP provisions (we may not need it, but better safe than sorry
       when something changes or is overridden by the user)
     - limit the use of zeroregs the same way, so that even specifying it
       will not lead to build failures (useful for universe builds when
       WITH_ZEROREGS is specified in src.conf)

    Differential Revision: https://reviews.freebsd.org/D48724
---
 share/mk/bsd.compiler.mk | 13 ++++++++++++-
 share/mk/bsd.lib.mk      | 10 +++++-----
 share/mk/bsd.sys.mk      |  4 ++++
 3 files changed, 21
insertions(+), 6 deletions(-) diff --git a/share/mk/bsd.compiler.mk b/share/mk/bsd.compiler.mk index bf6ef3956d7d..f93d3495b1aa 100644 --- a/share/mk/bsd.compiler.mk +++ b/share/mk/bsd.compiler.mk @@ -24,6 +24,7 @@ # - retpoline: supports the retpoline speculative execution vulnerability # mitigation. # - init-all: supports stack variable initialization. +# - stackclash:supports stack clash protection # - zeroregs: supports zeroing used registers on return # - aarch64-sha512: supports the AArch64 sha512 intrinsic functions. # @@ -264,8 +265,18 @@ ${X_}COMPILER_FEATURES+= compressed-debug ${X_}COMPILER_FEATURES+= fileprefixmap .endif +.if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 70000 \ + && ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "") || \ + (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 81000 \ + && ${MACHINE_ARCH:Mriscv*} != "") +${X_}COMPILER_FEATURES+= stackclash +.endif + + .if (${${X_}COMPILER_TYPE} == "clang" && ${${X_}COMPILER_VERSION} >= 150000) || \ - (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) + (${${X_}COMPILER_TYPE} == "gcc" && ${${X_}COMPILER_VERSION} >= 110000) && \ + ${MACHINE_ARCH:Mriscv*} != "" && ${MACHINE_ARCH:Mpower*} != "" && \ + ${MACHINE_ARCH:Marmv7*} != "" ${X_}COMPILER_FEATURES+= zeroregs .endif diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk index cf4140d0b3e6..cf8057907a1f 100644 --- a/share/mk/bsd.lib.mk +++ b/share/mk/bsd.lib.mk @@ -170,7 +170,7 @@ PO_FLAG=-pg ${CTFCONVERT_CMD} .c.nossppico: - ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} + ${CC} ${PICFLAG} -DPIC ${SHARED_CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .c.pieo: 
@@ -184,7 +184,7 @@ PO_FLAG=-pg ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} .cc.nossppico .C.nossppico .cpp.nossppico .cxx.nossppico: - ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} + ${CXX} ${PICFLAG} -DPIC ${SHARED_CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} ${CXXFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//:C/^-fsanitize.*$//} -c ${.IMPSRC} -o ${.TARGET} .cc.pieo .C.pieo .cpp.pieo .cxx.pieo: ${CXX} ${PIEFLAG} ${SHARED_CXXFLAGS} ${CXXFLAGS} -c ${.IMPSRC} -o ${.TARGET} @@ -198,7 +198,7 @@ PO_FLAG=-pg ${CTFCONVERT_CMD} .f.nossppico: - ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//} -o ${.TARGET} -c ${.IMPSRC} + ${FC} ${PICFLAG} -DPIC ${FFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} -o ${.TARGET} -c ${.IMPSRC} ${CTFCONVERT_CMD} .s.po .s.pico .s.nossppico .s.pieo: @@ -217,7 +217,7 @@ PO_FLAG=-pg .asm.nossppico: ${CC:N${CCACHE_BIN}} -x assembler-with-cpp ${PICFLAG} -DPIC \ - ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} + ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} .asm.pieo: @@ -236,7 +236,7 @@ PO_FLAG=-pg ${CTFCONVERT_CMD} .S.nossppico: - ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//} ${ACFLAGS} \ + ${CC:N${CCACHE_BIN}} ${PICFLAG} -DPIC ${CFLAGS:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//} ${ACFLAGS} \ -c ${.IMPSRC} -o ${.TARGET} ${CTFCONVERT_CMD} diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk index 06f8e6e9fe78..c136bf1e1aff 100644 --- a/share/mk/bsd.sys.mk +++ b/share/mk/bsd.sys.mk 
@@ -304,7 +304,11 @@ CXXFLAGS.clang+= -Wno-c++11-extensions FORTIFY_SOURCE?= 0 .if ${MK_SSP} != "no" # Don't use -Wstack-protector as it breaks world with -Werror. +.if ${COMPILER_FEATURES:Mstackclash} SSP_CFLAGS?= -fstack-protector-strong -fstack-clash-protection +.else +SSP_CFLAGS?= -fstack-protector-strong +.endif CFLAGS+= ${SSP_CFLAGS} .endif # SSP .if ${FORTIFY_SOURCE} > 0
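Review bot: in the feature list comment at the top of share/mk/bsd.compiler.mk (hunk @@ -24,6 +24,7), the new entry `# - stackclash:supports stack clash protection` is missing the space after the colon that the neighbouring entries have, so it no longer lines up with `# - zeroregs: supports ...`. Since the test added further down in the same file also depends on MACHINE_ARCH, the entry could say that the feature is limited by architecture as well as by compiler version.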
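Review bot: the architecture tests in the share/mk/bsd.compiler.mk hunk @@ -264,8 +265,18 look inverted. `${MACHINE_ARCH:Mriscv*} != ""` is true only when MACHINE_ARCH matches riscv*, so the gcc branch of the stackclash test enables the feature only on riscv, and the clang branch requires MACHINE_ARCH to match both riscv* and power* at once, which can never hold. To exclude those architectures, as the commit message describes, the comparisons would need to be `== ""`. The zeroregs condition has the same inversion and also a grouping problem: `&&` binds tighter than `||`, so the three MACHINE_ARCH terms apply only to the gcc alternative and clang >= 150000 still gets zeroregs on every architecture. Wrapping the two compiler alternatives in one set of parentheses before the `&&` terms would apply the restriction to both. The hunk also adds two consecutive blank lines before the zeroregs block where one would do.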
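Review bot: the five .nossppico rules changed in share/mk/bsd.lib.mk (.c, the C++ suffixes, .f, .asm and .S) now each carry their own copy of the chain `:C/^-fstack-protector.*$//:C/^-fstack-clash-protection.*$//`, with `:C/^-fsanitize.*$//` appended in the C and C++ rules and duplicated again for SHARED_CFLAGS and SHARED_CXXFLAGS. The copies are easy to get out of step the next time a flag has to be stripped. Since `:C` takes an extended regular expression, one substitution such as `:C/^-fstack-(protector|clash-protection).*$//` would shorten each rule, or the filtered flag lists could be computed once into helper variables and reused by all five rules.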
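Review bot: in the share/mk/bsd.sys.mk hunk both branches assign with `?=`, so an SSP_CFLAGS value supplied by the user that already contains -fstack-clash-protection still reaches `CFLAGS+= ${SSP_CFLAGS}` unchanged when the compiler lacks the stackclash feature. If that case should be covered, filter the flag at the point of use when the feature is absent (for example `${SSP_CFLAGS:N-fstack-clash-protection}`), or add a comment stating that an overridden SSP_CFLAGS is passed through as given. The existing comment about -Wstack-protector now sits above the new `.if` rather than next to the assignments it refers to and could move inside the block.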