From 63f1a045ba675568a1e92b204c301359dbccc85b Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" <kmk3.code@protonmail.com>
Date: Sun, 18 Jun 2023 11:28:21 -0300
Subject: build: remove -mretpoline and NO_EXTRA_CFLAGS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The -mretpoline flag is not documented in the current versions of gcc
and clang and it is what causes scan-build to fail:

    $ ./configure CC=clang | grep retpoline
    checking whether C compiler accepts -mretpoline... yes
       EXTRA_CFLAGS:  -mretpoline -fstack-clash-protection -fstack-protector-strong
    $ scan-build --status-bugs make
    scan-build: Using '/usr/bin/clang-15' for static analysis
    make -C src/lib
    make[1]: Entering directory '/tmp/firejail/src/lib'
    /usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
    gcc: error: unrecognized command-line option ‘-mretpoline’
    make[1]: *** [../../src/prog.mk:16: common.o] Error 1
    make[1]: Leaving directory '/tmp/firejail/src/lib'
    make: *** [Makefile:59: src/lib] Error 2
    scan-build: Analysis run complete.
    scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
    scan-build: No bugs found.

Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.

Note: NO_EXTRA_CFLAGS was added to work around this issue by causing all
of the flags in EXTRA_CFLAGS to be ignored.

Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for
clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit
490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22).
See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for
spectre flags", 2019-06-21).

Closes #5509.

Kind of relates to #2661.
---
 .github/workflows/build-extra.yml |  2 +-
 Makefile                          |  2 +-
 config.mk.in                      |  4 ----
 configure                         | 38 --------------------------------------
 configure.ac                      |  4 ----
 5 files changed, 2 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index e32f827e1..c2b035e11 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -105,7 +105,7 @@ jobs:
         --enable-selinux
         || (cat config.log; exit 1)
     - name: scan-build
-      run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
+      run: scan-build-14 --status-bugs make
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
diff --git a/Makefile b/Makefile
index c69c1894f..49c97c382 100644
--- a/Makefile
+++ b/Makefile
@@ -358,7 +358,7 @@ cppcheck: clean
 
 .PHONY: scan-build
 scan-build: clean
-	NO_EXTRA_CFLAGS="yes" scan-build make
+	scan-build make
 
 .PHONY: codespell
 codespell: clean
diff --git a/config.mk.in b/config.mk.in
index 6b6cf1b99..dea3d8a52 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -61,9 +61,5 @@ LDFLAGS=@LDFLAGS@
 # Project variables
 LIBS=@LIBS@
 
-ifdef NO_EXTRA_CFLAGS
-else
 EXTRA_CFLAGS +=@EXTRA_CFLAGS@
-endif
-
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/configure b/configure
index ceb09bd31..068274fea 100755
--- a/configure
+++ b/configure
@@ -2925,44 +2925,6 @@ else
   :
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5
-$as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; }
-if ${ax_cv_check_cflags___mretpoline+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-
-  ax_check_save_flags=$CFLAGS
-  CFLAGS="$CFLAGS  -mretpoline"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-int
-main ()
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  ax_cv_check_cflags___mretpoline=yes
-else
-  ax_cv_check_cflags___mretpoline=no
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-  CFLAGS=$ax_check_save_flags
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5
-$as_echo "$ax_cv_check_cflags___mretpoline" >&6; }
-if test "x$ax_cv_check_cflags___mretpoline" = xyes; then :
-
-	HAVE_SPECTRE="yes"
-	EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-
-else
-  :
-fi
-
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5
 $as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; }
 if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then :
diff --git a/configure.ac b/configure.ac
index 30b031801..93de61b95 100644
--- a/configure.ac
+++ b/configure.ac
@@ -25,10 +25,6 @@ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
 	HAVE_SPECTRE="yes"
 	EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"
 ])
-AX_CHECK_COMPILE_FLAG([-mretpoline], [
-	HAVE_SPECTRE="yes"
-	EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"
-])
 AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [
 	HAVE_SPECTRE="yes"
 	EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"
-- 
cgit v1.2.3-54-g00ecf