[ML] Use hardened compiler options to build 3rd party libraries #453
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change adds the stack protector, relro and fortify source options to the commands used to build the 3rd party libraries we use on Linux. (We already used these options when building our own code.)
droberts195
commented
Apr 5, 2019
| ENV PATH /usr/local/gcc73/bin:/usr/bin:/bin:/usr/sbin:/sbin | ||
|
|
||
| # For compiling in C++14 mode | ||
| # For compiling in C++14 mode with hardening and optimisation |
There was a problem hiding this comment.
Note that optimisation was not added in this commit. If CFLAGS is not specified then the configure scripts use a default value for it, and this invariably includes optimisation. It's only because we are now specifying CFLAGS that we have to explicitly add the optimisation option now.
| ``` | ||
| ./b2 -j6 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS | ||
| sudo env PATH="$PATH" ./b2 install --prefix=/usr/local/gcc73 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS | ||
| ./b2 -j6 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS define=_FORTIFY_SOURCE=2 cxxflags=-std=gnu++14 cxxflags=-fstack-protector linkflags=-Wl,-z,relro linkflags=-Wl,-z,now |
There was a problem hiding this comment.
should we have a second define here?
There was a problem hiding this comment.
It’s fine to have two (or more) defines here. They become multiple -D arguments on the compiler command line, which is a very usual thing to have.
| ./b2 -j6 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS | ||
| sudo env PATH="$PATH" ./b2 install --prefix=/usr/local/gcc73 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS | ||
| ./b2 -j6 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS define=_FORTIFY_SOURCE=2 cxxflags=-std=gnu++14 cxxflags=-fstack-protector linkflags=-Wl,-z,relro linkflags=-Wl,-z,now | ||
| sudo env PATH="$PATH" ./b2 install --prefix=/usr/local/gcc73 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS define=_FORTIFY_SOURCE=2 cxxflags=-std=gnu++14 cxxflags=-fstack-protector linkflags=-Wl,-z,relro linkflags=-Wl,-z,now |
| echo " Building..." | ||
| ./b2 -j$NUMCPUS --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS > b2_make.log 2>&1 | ||
| ./b2 install --prefix=/usr/local/gcc73 --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS > b2_make_install.log 2>&1 | ||
| ./b2 -j$NUMCPUS --layout=versioned --disable-icu pch=off optimization=speed inlining=full define=BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS define=_FORTIFY_SOURCE=2 cxxflags=-std=gnu++14 cxxflags=-fstack-protector linkflags=-Wl,-z,relro linkflags=-Wl,-z,now > b2_make.log 2>&1 |
There was a problem hiding this comment.
second define in this and the following line is well (if it is an issue)
droberts195
added a commit
to droberts195/ml-cpp
that referenced
this pull request
Apr 8, 2019
This change adds the stack protector, relro and fortify source options to the commands used to build the 3rd party libraries we use on Linux. (We already used these options when building our own code.) Backport of elastic#453
droberts195
added a commit
that referenced
this pull request
Apr 8, 2019
This change adds the stack protector, relro and fortify source options to the commands used to build the 3rd party libraries we use on Linux. (We already used these options when building our own code.) Backport of #453
droberts195
added a commit
to droberts195/ml-cpp
that referenced
this pull request
Apr 24, 2019
This is a follow on to elastic#453 The stack protector, relro and fortify source options need to be used when building gcc, because we redistribute two libraries that are built as part of it, namely libgcc_s.so.1 and libstdc++.so.6.
droberts195
added a commit
that referenced
this pull request
Apr 25, 2019
This is a follow on to #453 The stack protector, relro and fortify source options need to be used when building gcc, because we redistribute two libraries that are built as part of it, namely libgcc_s.so.1 and libstdc++.so.6.
droberts195
added a commit
to droberts195/ml-cpp
that referenced
this pull request
Apr 25, 2019
This is a follow on to elastic#453 The stack protector, relro and fortify source options need to be used when building gcc, because we redistribute two libraries that are built as part of it, namely libgcc_s.so.1 and libstdc++.so.6. Backport of elastic#470
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds the stack protector, relro and fortify source
options to the commands used to build the 3rd party libraries
we use on Linux.
(We already used these options when building our own code.)