build: remove -mretpoline and NO_EXTRA_CFLAGS

The -mretpoline flag is not documented in the current versions of gcc and clang and it is what causes scan-build to fail: $ ./configure CC=clang | grep retpoline checking whether C compiler accepts -mretpoline... yes EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong $ scan-build --status-bugs make scan-build: Using '/usr/bin/clang-15' for static analysis make -C src/lib make[1]: Entering directory '/tmp/firejail/src/lib' /usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o gcc: error: unrecognized command-line option ‘-mretpoline’ make[1]: *** [../../src/prog.mk:16: common.o] Error 1 make[1]: Leaving directory '/tmp/firejail/src/lib' make: *** [Makefile:59: src/lib] Error 2 scan-build: Analysis run complete. scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports. scan-build: No bugs found. Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux. Note: NO_EXTRA_CFLAGS was added to work around this issue by causing all of the flags in EXTRA_CFLAGS to be ignored. Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit 490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22). See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for spectre flags", 2019-06-21). Closes #5509. Kind of relates to #2661.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-06-18 11:28:21 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-06-18 13:43:55 -0300
commit: 63f1a045ba675568a1e92b204c301359dbccc85b (patch)
tree: 3b4168433e6b430606cf51b833f0a4d0eeb04191
parent: Merge pull request #5857 from kmk3/ci-standardize-apt (diff)
download: firejail-63f1a045ba675568a1e92b204c301359dbccc85b.tar.gz
firejail-63f1a045ba675568a1e92b204c301359dbccc85b.tar.zst
firejail-63f1a045ba675568a1e92b204c301359dbccc85b.zip
5 files changed, 2 insertions, 48 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index e32f827e1..c2b035e11 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -105,7 +105,7 @@ jobs:
        --enable-selinux
        || (cat config.log; exit 1)
    - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
+      run: scan-build-14 --status-bugs make
  cppcheck:
    runs-on: ubuntu-22.04
    steps:
diff --git a/Makefile b/Makefile
index c69c1894f..49c97c382 100644
--- a/Makefile
+++ b/Makefile
@@ -358,7 +358,7 @@ cppcheck: clean
 .PHONY: scan-build
 scan-build: clean
-        NO_EXTRA_CFLAGS="yes" scan-build make
+        scan-build make
 .PHONY: codespell
 codespell: clean
diff --git a/config.mk.in b/config.mk.in
index 6b6cf1b99..dea3d8a52 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -61,9 +61,5 @@ LDFLAGS=@LDFLAGS@
 # Project variables
 LIBS=@LIBS@
-ifdef NO_EXTRA_CFLAGS
-else
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-endif
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/configure b/configure
index ceb09bd31..068274fea 100755
--- a/configure
+++ b/configure
@@ -2925,44 +2925,6 @@ else
  :
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
-$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
-if ${ax_cv_check_cflags___mretpoline+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ax_check_save_flags=$CFLAGS
-  CFLAGS="$CFLAGS  -mretpoline"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-int
-main ()
-{
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  ax_cv_check_cflags___mretpoline=yes
-else
-  ax_cv_check_cflags___mretpoline=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-  CFLAGS=$ax_check_save_flags
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
-$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
-if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
-        HAVE_SPECTRE="yes"
-        EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-else
-  :
-fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5
 $as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }
 if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :
diff --git a/configure.ac b/configure.ac
index 30b031801..93de61b95 100644
--- a/configure.ac
+++ b/configure.ac
@@ -25,10 +25,6 @@ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
        HAVE_SPECTRE="yes"
        EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
 ])
-AX_CHECK_COMPILE_FLAG([-mretpoline], [
-        HAVE_SPECTRE="yes"
-        EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-])
 AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
        HAVE_SPECTRE="yes"
        EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-06-18 11:28:21 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-06-18 13:43:55 -0300
commit	63f1a045ba675568a1e92b204c301359dbccc85b (patch)
tree	3b4168433e6b430606cf51b833f0a4d0eeb04191
parent	Merge pull request #5857 from kmk3/ci-standardize-apt (diff)
download	firejail-63f1a045ba675568a1e92b204c301359dbccc85b.tar.gz firejail-63f1a045ba675568a1e92b204c301359dbccc85b.tar.zst firejail-63f1a045ba675568a1e92b204c301359dbccc85b.zip

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index e32f827e1..c2b035e11 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml
@@ -105,7 +105,7 @@ jobs:
105	--enable-selinux	105	--enable-selinux
106	\|\| (cat config.log; exit 1)	106	\|\| (cat config.log; exit 1)
107	- name: scan-build	107	- name: scan-build
108	run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make	108	run: scan-build-14 --status-bugs make
109	cppcheck:	109	cppcheck:
110	runs-on: ubuntu-22.04	110	runs-on: ubuntu-22.04
111	steps:	111	steps:


diff --git a/Makefile b/Makefile index c69c1894f..49c97c382 100644 --- a/Makefile +++ b/Makefile
@@ -358,7 +358,7 @@ cppcheck: clean
358		358
359	.PHONY: scan-build	359	.PHONY: scan-build
360	scan-build: clean	360	scan-build: clean
361	NO_EXTRA_CFLAGS="yes" scan-build make	361	scan-build make
362		362
363	.PHONY: codespell	363	.PHONY: codespell
364	codespell: clean	364	codespell: clean


diff --git a/config.mk.in b/config.mk.in index 6b6cf1b99..dea3d8a52 100644 --- a/config.mk.in +++ b/config.mk.in
@@ -61,9 +61,5 @@ LDFLAGS=@LDFLAGS@
61	# Project variables	61	# Project variables
62	LIBS=@LIBS@	62	LIBS=@LIBS@
63		63
64	ifdef NO_EXTRA_CFLAGS
65	else
66	EXTRA_CFLAGS +=@EXTRA_CFLAGS@	64	EXTRA_CFLAGS +=@EXTRA_CFLAGS@
67	endif
68
69	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@	65	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@


diff --git a/configure b/configure index ceb09bd31..068274fea 100755 --- a/configure +++ b/configure
@@ -2925,44 +2925,6 @@ else
2925	:	2925	:
2926	fi	2926	fi
2927		2927
2928	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
2929	$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
2930	if ${ax_cv_check_cflags___mretpoline+:} false; then :
2931	$as_echo_n "(cached) " >&6
2932	else
2933
2934	ax_check_save_flags=$CFLAGS
2935	CFLAGS="$CFLAGS -mretpoline"
2936	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
2937	/* end confdefs.h. */
2938
2939	int
2940	main ()
2941	{
2942
2943	;
2944	return 0;
2945	}
2946	_ACEOF
2947	if ac_fn_c_try_compile "$LINENO"; then :
2948	ax_cv_check_cflags___mretpoline=yes
2949	else
2950	ax_cv_check_cflags___mretpoline=no
2951	fi
2952	rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
2953	CFLAGS=$ax_check_save_flags
2954	fi
2955	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
2956	$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
2957	if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
2958
2959	HAVE_SPECTRE="yes"
2960	EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
2961
2962	else
2963	:
2964	fi
2965
2966	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5	2928	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5
2967	$as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }	2929	$as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }
2968	if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :	2930	if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :


diff --git a/configure.ac b/configure.ac index 30b031801..93de61b95 100644 --- a/configure.ac +++ b/configure.ac
@@ -25,10 +25,6 @@ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
25	HAVE_SPECTRE="yes"	25	HAVE_SPECTRE="yes"
26	EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"	26	EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
27	])	27	])
28	AX_CHECK_COMPILE_FLAG([-mretpoline], [
29	HAVE_SPECTRE="yes"
30	EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
31	])
32	AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [	28	AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
33	HAVE_SPECTRE="yes"	29	HAVE_SPECTRE="yes"
34	EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"	30	EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"