Make -fstack-protector-strong the default in gcc 4.9

Attached is an updated version of gcc-default-ssp.diff that enables -fstack-protector-strong by default for gcc-4.9. In addition to enabling the default, it fixes the following testsuite failures:

-FAIL: gcc.dg/fstack-protector-strong.c scan-assembler-times stack_chk_fail 10
-FAIL: g++.dg/fstack-protector-strong.C -std=gnu++98 scan-assembler-times stack_chk_fail 2
-FAIL: g++.dg/fstack-protector-strong.C -std=gnu++11 scan-assembler-times stack_chk_fail 2
-FAIL: g++.dg/fstack-protector-strong.C -std=gnu++1y scan-assembler-times stack_chk_fail 2

I did need to update one of the tests that was generating an additional test failure; I'll attach that patch in just a second.

I've added tests to lp:qa-regression-testing to verify that -fstack-protector-strong works and is the default option for utopic's compiler.

Attached is the updated testsuite-hardening-updates.diff patch that incorporates another adjustment to gcc's testsuite to prevent a failure caused by enabling -fstack-protector-strong by default.

The attachment "gcc-default-ssp.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

The attached is an updated version of the testsuite-hardening-updates.diff patch, which addresses more test failures caused by enabling -fstack-protector and _FORTIFY_SOURCE by default. The updated testcases are the following:

+ c-c++-common/cilk-plus/CK/spawnee_inline.c | 2 +-
+ g++.dg/fstack-protector-strong.C | 2 +-
+ gcc.c-torture/execute/memset-1.x | 5 +++++
+ gcc.dg/fstack-protector-strong.c | 2 +-
+ gcc.target/i386/sw-1.c | 2 +-

It includes the added testcase that was included in the patch in comment #2.

The attached is an updated version of the testsuite-hardening-format.diff patch, to fix more gcc testcases that were failing due to enabling -Wformat=1 by default. The 22 updated testcases are the following:

+ src/boehm-gc/testsuite/boehm-gc.c/middle.c | 3 +++
+ src/gcc/testsuite/c-c++-common/torture/vector-compare-1.c | 1 +
+ src/gcc/testsuite/g++.dg/abi/pragma-pack1.C | 2 ++
+ src/gcc/testsuite/g++.dg/abi/regparm1.C | 1 +
+ src/gcc/testsuite/g++.dg/cpp0x/constexpr-tuple.C | 1 +
+ src/gcc/testsuite/g++.dg/torture/pr51436.C | 1 +
+ src/gcc/testsuite/g++.old-deja/g++.law/weak.C | 2 +-
+ src/gcc/testsuite/g++.old-deja/g++.other/std1.C | 1 +
+ src/gcc/testsuite/gcc.dg/ipa/ipa-sra-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/lto/20090218-2_0.c | 2 ++
+ src/gcc/testsuite/gcc.dg/pr59418.c | 2 +-
+ src/gcc/testsuite/gcc.dg/torture/tls/tls-test.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-fprintf-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-fprintf-chk-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-printf-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-printf-chk-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-vfprintf-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-vfprintf-chk-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-vprintf-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/builtin-vprintf-chk-1.c | 2 +-
+ src/gcc/testsuite/gcc.dg/tree-ssa/isolate-4.c | 2 +-
+ src/gcc/testsuite/objc.dg/torture/strings/const-str-3.m | 2 +-

The attached is an additional patch to fix a couple of gcc testcases caused by glibc annotating functions to warn if the result is not checked. This will require the following change to debian/rules.patch to apply it during builds:

diff -u gcc-4.9-4.9.0/debian/rules.patch gcc-4.9-4.9.0/debian/rules.patch
--- gcc-4.9-4.9.0/debian/rules.patch
+++ gcc-4.9-4.9.0/debian/rules.patch
@@ -102,7 +102,8 @@
        gcc-default-relro \
        testsuite-hardening-format \
        testsuite-hardening-printf-types \
- testsuite-hardening-updates
+ testsuite-hardening-updates \
+ testsuite-glibc-warnings
   endif
 endif

For clarification purposes, I'm attaching interdiff output between the updated version of the gcc-default-ssp.diff and the version in gcc 4.9.0-4ubuntu2 currently in utopic-proposed. The differences are threefold:

  1) update the definition of the SSP_DEFAULT_SPEC macro to default to -fstack-protector-strong, and to disable that definition additionally if -fstack-protector is given on the command line.

  2) Adjust the invocation documentation to inform users that the default is now -fstack-protector-strong by default.

  3) Adjust in the invocation documentation the location of the description of the default minimum ssp-buffer-size to actually fall under the section for 'ssp-buffer-size' as due to fuzzy patching, it was getting applied incorrectly under the section on 'min-size-for-stack-sharing'

(The reason we lowered the minimum buffer size in Ubuntu 10.10 that gcc would consider for determining whether to apply stack protection to that function or not was to get a few more functions covered by -fstack-protector without going to -fstack-protector-all and paying the costs thereof.)

This bug was fixed in the package gcc-4.9 - 4.9.0-4ubuntu4

---------------
gcc-4.9 (4.9.0-4ubuntu4) utopic; urgency=medium

  * Update to SVN 20140520 (r210646) from the gcc-4_9-branch.
  * Revert the fix for PR rtl-optimization/60969, causing bootstrap failure
    on ppc64el.
 -- Matthias Klose <email address hidden> Tue, 20 May 2014 18:01:45 +0200