Created attachment 222188: enable WITH_PIE by default on 64-bit archs
There is a review open to enable WITH_PIE by default in the base system bsd.opts.mk on 64-bit architectures. I'd like to request an exp-run. Only amd64 should be of interest.
New failure logs:
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/play-1.0_1.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/birda-1.3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/cvs-1.20120905_7.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/cvs+ipv6-1.20120905_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/libphk-0.3.20080902_1.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/ja-kon2-14dot-0.3_7.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/ja-kon2-16dot-0.3_7.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/ja-man-1.1j_9.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mailest-emacs27_canna-0.9.24_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mailest-emacs28-0.9.24_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mailest-emacs28_nox-0.9.24_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mailest-emacs27_nox-0.9.24_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mailest-emacs27-0.9.24_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/cx88-1.5.3_2.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/freebsd-uucp-1.07.4_3.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/freevrrpd-1.1_1.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/packetdrill-0.0.2020082101.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/sup-2.0.20200824.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/ipv6toolkit-2.0.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/mathopd-1.5p8_1.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/nostromo-1.9.6.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/obhttpd-6.6.20191023.log
http://gohan04.nyi.freebsd.org/data/main-amd64-PR253275-default/2021-02-10_07h42m33s/logs/errors/rssroll-0.6.2.log
Note: there is unfinished PIE support in the ports tree:
    Mk/bsd.port.mk:1793:# XXX PIE support to be added here
    Mk/bsd.port.mk:1794:MAKE_ENV+= NO_PIE=yes
I had a quick look at the logs, all appear to be link errors linking against an object/library built by the port itself, for example from audio/play:
    ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
    >>> defined in encode_riff.o
    >>> referenced by encode_riff.c
    >>> encode_riff.o:(check_riff)
i.e. PIE flags are being added to link commands but not compiles.
Hi! Indeed. Due to include dependencies the PIE flag was enabled not only for the base system (src.opts.mk) but for all binaries, including ports (bsd.opts.mk). One thing is to explicitly limit the change to base system only, which was requested in the review. @emaste - what about failing ports? Should we attempt to fix them now or stop at what I mentioned above? If yes - how to proceed: try on our own, ask maintainers of each package? Best regards, Marcin
As kevans pointed out in the review it is ports that use bmake and rely on the system's Makefiles that will be affected by this setting. IMO this is reasonable and we shouldn't try to "fix" it in bsd.opts.mk or similar. My guess is that the fix will be simple and common to most/all.
There are 23 failures here, 19 ports:
    audio/play
    comms/birda
    devel/cvs
    devel/cvs+ipv6
    devel/libphk
    japanese/kon2-14dot
    japanese/kon2-16dot
    japanese/man
    mail/mailest
    multimedia/cx88
    net/freebsd-uucp
    net/freevrrpd
    net/packetdrill
    net/sup
    security/ipv6toolkit
    www/mathopd
    www/nostromo
    www/obhttpd
    www/rssroll
10 unique maintainers plus ports@FreeBSD.org
We will go one-by-one and try to submit fixes, wherever possible.
Something like this is probably sufficient: diff --git a/net/freevrrpd/Makefile b/net/freevrrpd/Makefile index 3a51a780d006..996cb4fd22ac 100644 --- a/net/freevrrpd/Makefile +++ b/net/freevrrpd/Makefile @@ -17,7 +17,8 @@ GH_PROJECT= FreeVRRPd DISTVERSIONPREFIX= v MAKE_ENV= PTHREAD_CFLAGS="${PTHREAD_CFLAGS}" \ - PTHREAD_LIBS="${PTHREAD_LIBS}" + PTHREAD_LIBS="${PTHREAD_LIBS}" \ + WITHOUT_PIE=true do-install: ${INSTALL_PROGRAM} ${WRKSRC}/freevrrpd ${STAGEDIR}${PREFIX}/sbin (works for freevrrpd)
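Review bot: the WITHOUT_PIE=true line added to MAKE_ENV carries no comment saying why PIE is forced off, so nothing in the Makefile tells a later reader that this is a workaround or when it can be removed. Add a one-line comment above MAKE_ENV stating the reason, and say in the commit message that the installed freevrrpd binary is built non-PIE as a result, so the setting can be found and dropped once it is no longer needed.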
freevrrpd submitted in https://reviews.freebsd.org/D28595
CC'd MAINTAINERs of affected ports
mathopd maintainer here. I'm a bit rusty with all of this, so forgive me if I go about this the wrong way. I did a quick build of the mathopd port with WITH_PIE=yes on a -CURRENT snapshot and did not see anything wrong. Looking at the build log, it appears that the binaries are linked with "-pie". Then should not the source files be compiled with "-fPIE" also?
(In reply to michiel from comment #9) I'm not sure if setting WITH_PIE will work, it may require the changed default as in the linked review. I tried building www/mathopd on my laptop (with the PIE default changed) and do see the failure. You are correct, objects are being compiled w/o -fPIE but linking is attempted with -pie. (After a moment) I see what's happening here - www/mathopd/Makefile has: CFLAGS+= -DFREEBSD_SENDFILE MAKE_ARGS= CFLAGS="${CFLAGS}" Because option processing (bsd.opts.mk) does not happen in the context of the ports Makefile, CFLAGS is just "-O2 -pipe" at this point, and we set MAKE_ARGS=CFLAGS="-O2 -pipe -DFREEBSD_SENDFILE". This is used as CFLAGS by bsd.prog.mk later on. If I make this (hacky) change: -CFLAGS+= -DFREEBSD_SENDFILE +CFLAGS+= -DFREEBSD_SENDFILE -fPIE the port builds successfully as PIE. I'm not sure how to do this properly though.
I "maintain" comms/birda, but I haven't used it in 10 years now. I suspect few people use infrared these days. If birda ends up blocking WITH_PIE, one option is to mark the port for removal. I looked briefly at the ports Makefile. The only interesting thing is # Fix build with clang11 CFLAGS+= -fcommon Is there a bad interaction between -fcommon and PIE?
(In reply to mjl from comment #11) This is a similar problem to comment #10, although even with a workaround it fails due to a base system bug (rules for .a always build non-PIE objects). birda builds if I add: MAKE_ARGS= WITHOUT_PIE=true I think this is a fine workaround for the small handful of ports that fail now, and once the base system issues are resolved I'll check for WITHOUT_PIE remnants.
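An added example (not code from this PR or from FreeBSD) for checking which built binaries ended up non-PIE after a WITHOUT_PIE workaround, and whether any carry text relocations of the kind the linker's '-z notext' hint would allow. It reads the ELF64 header and dynamic table directly; the function names and the sample builder are assumptions made for the example, and treating an ET_DYN file with PT_INTERP or DF_1_PIE as a PIE executable is a heuristic.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_TEXTREL, DT_FLAGS, DT_FLAGS_1 = 0, 22, 30, 0x6FFFFFFB
DF_TEXTREL, DF_1_PIE = 0x4, 0x08000000


def audit_elf64(data):
    """Return (kind, has_textrel) for a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = pie_flag = textrel = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic table: 16-byte (tag, value) pairs, DT_NULL ends it.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    pie_flag = True
    if e_type == ET_EXEC:
        kind = "non-PIE executable"
    elif e_type == ET_DYN and (pie_flag or has_interp):
        kind = "PIE executable"
    elif e_type == ET_DYN:
        kind = "shared object"
    else:
        kind = "other"
    return kind, textrel


def build_sample(e_type, dyn, interp=False):
    """Constructed minimal ELF64 image: header, program headers, dynamic table."""
    phdrs = [(PT_DYNAMIC, len(dyn) * 16 + 16)] + ([(PT_INTERP, 0)] if interp else [])
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, size, size, 8)
                  for t, size in phdrs)
    table = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    return ehdr + ph + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *audit_elf64(fh.read()))
```

Run it with the paths of staged binaries as arguments to list each file's kind and text-relocation status.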
(In reply to mjl from comment #11) MJL, to your question. There isn't a bad interaction between -fcommon and -fPIE. We build our 1400+ ports for i386 and amd64 without issue. We explicitly require -fcommon for all ports but disable it as needed, similarly for -fPIE. Though many ports that fail to build with -fPIE usually build with -fPIC. Few require both to be disabled. (The gcc10 man page is excellent in describing these directives https://www.freebsd.org/cgi/man.cgi?query=gcc10&apropos=0&sektion=0&manpath=FreeBSD+12.2-RELEASE+and+Ports&arch=default&format=html ) We also run everything under aslr ;)
I haven't looked at all the ports yet, but from what I've seen, ports fail due to a few reasons. Some ports build static libraries and it seems that currently the best way to fix this is by setting WITHOUT_PIE. Some other ports could most likely work with PIE enabled, but makefiles override default system CFLAGS and still use default LDFLAGS. This causes the linker to try linking with -pie but without -fPIC being used in compiling. audio/play is an example, it overrides CFLAGS with -O. Another reason that I've seen is caused by setting CFLAGS="${CFLAGS}" in MAKE_ARGS. I'm not really sure how bmake works in this case, but I think that it starts ignoring any further processing of CFLAGS and we are left with CFLAGS from sys.mk and no modifications made in bsd.prog.mk are taken into account. This happens for www/mathopd. I removed MAKE_ARGS for that and it built fine. -DFREEBSD_SENDFILE was also properly passed further. I haven't tested if it works after building though, but I don't see any reason why it shouldn't.
A commit references this bug: Author: emaste Date: Fri Feb 19 14:27:29 UTC 2021 New revision: 566067 URL: https://svnweb.freebsd.org/changeset/ports/566067 Log: net/freevrrpd: force PIE off to fix build if base system PIE enabled Static PIE is not yet supported in the base system, so force it off in advance of the base system's default changing. PR: 253275 [exp-run] Approved by: lwhsu Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28595 Changes: head/net/freevrrpd/Makefile
(In reply to Dawid Gorecki from comment #14)
> Some ports build static libraries and it seems that currently the best way to
> fix this is by setting WITHOUT_PIE.
Yes. This affects two classes of ports:
1. those that build their own static libraries using the base system Mk infrastructure, such as devel/libphk
Example error:
    ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
    >>> defined in ../../libphk.a(phk_argv.o)
    >>> referenced by phk_argv.c
    >>> phk_argv.o:(PhkArgvParse) in archive ../../libphk.a
A patch for this one is now open in D28790 https://reviews.freebsd.org/D28790
2. those that link against static libraries provided by the base system, such as net/freevrrpd
    ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
    >>> defined in /usr/lib/libnetgraph.a(sock.o)
    >>> referenced by sock.c:78 (/poudriere/data/src-PR253275/lib/libnetgraph/sock.c:78)
    >>> sock.o:(NgMkSockNode) in archive /usr/lib/libnetgraph.a
For this one, PIE disabled in the port's Makefile in r566067.
> Another reason that I've seen is caused by setting CFLAGS="${CFLAGS}" in
> MAKE_ARGS. I'm not really sure how bmake works in this case, but I think that
> it starts ignoring any further processing of CFLAGS and we are left with
> CFLAGS from sys.mk and no modifications made in bsd.prog.mk are taken into
> account. This happens for www/mathopd. I removed MAKE_ARGS for that and it
> built fine. -DFREEBSD_SENDFILE was also properly passed further. I haven't
> tested if it works after building though, but I don't see any reason why it
> shouldn't.
Right - port Makefiles are processed w/o using bsd.opts.mk, and so in that context CFLAGS does not contain -fPIE. Then the submake for the software itself is invoked as make CFLAGS=<whatever> ... (as a result of MAKE_ARGS) and that overrides bsd.prog.mk's attempt to add -fPIE. I tried building www/mathopd with and without MAKE_ARGS set, and without it there are a number of additional CFLAGS set, in addition to -fPIE:
    -MD -MF.depend.base64.o -MTbase64.o -std=gnu99 -Wno-format-zero-length -nobuiltininc -idirafter /usr/lib/clang/11.0.1/include -fstack-protector-strong -Qunused-arguments
so it would definitely need testing.
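An added example (not part of this PR or of the exp-run tooling) that sorts the linker errors quoted in this thread into the causes discussed above: a base system static library, a static library built by the port, or a port object compiled without -fPIE. The sample log is constructed from the three error messages on this page; the function and label names are assumptions made for the example.

```python
import re

# Constructed sample: the three ld errors quoted in this PR, one per failing port.
SAMPLE_LOG = """\
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
>>> defined in encode_riff.o
>>> referenced by encode_riff.c
>>>               encode_riff.o:(check_riff)
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
>>> defined in ../../libphk.a(phk_argv.o)
>>> referenced by phk_argv.c
>>>               phk_argv.o:(PhkArgvParse) in archive ../../libphk.a
ld: error: can't create dynamic relocation R_X86_64_32 against local symbol in readonly segment; recompile object files with -fPIC or pass '-Wl,-z,notext' to allow text relocations in the output
>>> defined in /usr/lib/libnetgraph.a(sock.o)
>>> referenced by sock.c:78 (/poudriere/data/src-PR253275/lib/libnetgraph/sock.c:78)
>>>               sock.o:(NgMkSockNode) in archive /usr/lib/libnetgraph.a
"""

# One match per error: the relocation type and the object it was defined in.
ERROR = re.compile(
    r"can't create dynamic relocation (?P<reloc>R_\w+) against .*?"
    r">>> defined in (?P<where>\S+)", re.S)
ARCHIVE = re.compile(r"(?P<archive>.+\.a)\((?P<member>[^)]+)\)$")


def classify(log_text):
    """Return a list of (relocation, defined_in, cause) for each PIE link error."""
    results = []
    for m in ERROR.finditer(log_text):
        where = m["where"]
        arch = ARCHIVE.match(where)
        if arch and arch["archive"].startswith("/usr/lib/"):
            cause = "base-static-lib"           # e.g. net/freevrrpd in this thread
        elif arch:
            cause = "port-static-lib"           # e.g. devel/libphk in this thread
        else:
            cause = "port-object-without-fPIE"  # e.g. audio/play (CFLAGS override)
        results.append((m["reloc"], where, cause))
    return results


if __name__ == "__main__":
    for reloc, where, cause in classify(SAMPLE_LOG):
        print(f"{cause:26} {reloc:12} {where}")
```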
https://reviews.freebsd.org/D28790 - devel/libphk
https://reviews.freebsd.org/D28791 - japanese/man
https://reviews.freebsd.org/D28792 - devel/cvs (and devel/cvs+ipv6)
https://reviews.freebsd.org/D28794 - audio/play
A commit references this bug: Author: emaste Date: Fri Feb 19 17:12:45 UTC 2021 New revision: 566081 URL: https://svnweb.freebsd.org/changeset/ports/566081 Log: devel/libphk: fix build with base system PIE default PIE static libraries are currently not supported by the base system mk files. For now just disable PIE in the affected ports as a workaround. PR: 253275 Approved by: lwhsu Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28790 Changes: head/devel/libphk/Makefile
A commit references this bug: Author: emaste Date: Fri Feb 19 17:15:40 UTC 2021 New revision: 566082 URL: https://svnweb.freebsd.org/changeset/ports/566082 Log: japanese/man: fix build with base system PIE default PIE static libraries are currently not supported by the base system mk files. For now just disable PIE in the affected ports as a workaround. PR: 253275 [exp-run] Approved by: lwhsu Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28791 Changes: head/japanese/man/Makefile
A commit references this bug: Author: emaste Date: Fri Feb 19 17:17:22 UTC 2021 New revision: 566083 URL: https://svnweb.freebsd.org/changeset/ports/566083 Log: audio/play: fix build with base system PIE default PR: 253275 [exp-run] Approved by: lwhsu Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28794 Changes: head/audio/play/Makefile
https://reviews.freebsd.org/D28793 - www/mathopd
https://reviews.freebsd.org/D28800 - www/obhttpd
https://reviews.freebsd.org/D28801 - net/sup
I also have www/nostromo and comms/birda ready, but it's already late here, so I'll send them tomorrow or after the weekend.
A commit references this bug: Author: dinoex Date: Fri Feb 19 22:03:32 UTC 2021 New revision: 566104 URL: https://svnweb.freebsd.org/changeset/ports/566104 Log: - force PIE off to fix build if base system PIE enabled PR: 253275 Changes: head/net/freebsd-uucp/Makefile head/net/freebsd-uucp/pkg-plist
https://reviews.freebsd.org/D28867 - comms/birda
https://reviews.freebsd.org/D28868 - japanese/kon2-16dot (and 14dot)
https://reviews.freebsd.org/D28866 - mail/mailest
https://reviews.freebsd.org/D28869 - multimedia/cx88
https://reviews.freebsd.org/D28865 - net/packetdrill
https://reviews.freebsd.org/D28864 - www/nostromo
https://reviews.freebsd.org/D28863 - www/rssroll
I think that that's all for now. I couldn't find some of the maintainers' accounts on phabricator, so I couldn't add them as reviewers there. I don't know what is the proper way to deal with that.
A commit references this bug: Author: emaste Date: Mon Feb 22 16:27:15 UTC 2021 New revision: 566307 URL: https://svnweb.freebsd.org/changeset/ports/566307 Log: www/mathopd: Fix build with default PIE Mathopd Makefile passed CFLAGS in MAKE_ENV variable. This caused CFLAGS processing in bsd.prog.mk to be ignored, which in turn left non-PIE CFLAGS from sys.mk and LDFLAGS with PIE enabled from bsd.prog.mk. PR: 253275 [exp-run] Submitted by: Dawid Górecki <dgr@semihalf.com> Approved by: lwhsu, Michiel Boland [maintainer] Differential Revision: https://reviews.freebsd.org/D28793 Changes: head/www/mathopd/Makefile
(In reply to Dawid Gorecki from comment #23)
> I think that that's all for now. I couldn't find some of the maintainers'
> accounts on phabricator, so I couldn't add them as reviewers there. I don't
> know what is the proper way to deal with that.
Thanks. For anyone without a Phabricator account I think just send mail to $MAINTAINER, with a link to the review and to this PR.
A commit references this bug: Author: emaste Date: Mon Feb 22 16:34:43 UTC 2021 New revision: 566308 URL: https://svnweb.freebsd.org/changeset/ports/566308 Log: devel/cvs: prepare for base system PIE default PIE static libraries are currently not supported by the base system /usr/share/mk files. PR: 253275 [exp-run] Approved by: lwhsu, schaiba@gmail.com (maintainer) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28792 Changes: head/devel/cvs/Makefile
A commit references this bug: Author: emaste Date: Mon Feb 22 16:37:02 UTC 2021 New revision: 566309 URL: https://svnweb.freebsd.org/changeset/ports/566309 Log: www/obhttpd: Prepare for base system default PIE PR: 253275 Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: lwhsu, Nikola Kolev (maintainer) Differential Revision: https://reviews.freebsd.org/D28800 Changes: head/www/obhttpd/Makefile
A commit references this bug: Author: emaste Date: Mon Feb 22 16:40:16 UTC 2021 New revision: 566310 URL: https://svnweb.freebsd.org/changeset/ports/566310 Log: www/rssroll: Prepare for base system default PIE PIE with static libraries is currently unsupported in FreeBSD, which results in multiple errors when building with PIE. Explicitly disable PIE for now. PR: 253275 Submitted by: Dawid Górecki <dgr@semihalf.com> Approved by: kevans, Nikola Kolev (maintainer) Differential Revision: https://reviews.freebsd.org/D28863 Changes: head/www/rssroll/Makefile
A commit references this bug: Author: kbowling Date: Mon Feb 22 17:12:36 UTC 2021 New revision: 566315 URL: https://svnweb.freebsd.org/changeset/ports/566315 Log: net/packetdrill: Fix build with PIE PR: 253275 Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: kbowling (maintainer) Differential Revision: https://reviews.freebsd.org/D28865 Changes: head/net/packetdrill/Makefile
(In reply to Dawid Gorecki from comment #23) I am the maintainer of comms/birda. Committing that patch is fine with me.
A commit references this bug: Author: kbowling Date: Mon Feb 22 23:57:48 UTC 2021 New revision: 566349 URL: https://svnweb.freebsd.org/changeset/ports/566349 Log: comms/birda: Fix build with default PIE. PIE with static libraries is currently unsupported in FreeBSD, which results in multiple errors when building with PIE. Explicitly disable PIE for now. PR: 253275 Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: mjl@luckie.org.nz (maintainer) Differential Revision: https://reviews.freebsd.org/D28867 Changes: head/comms/birda/Makefile
A commit references this bug: Author: emaste Date: Mon Mar 1 20:52:34 UTC 2021 New revision: 566909 URL: https://svnweb.freebsd.org/changeset/ports/566909 Log: multimedia/cx88: fix build with base system PIE default PIE with static libraries is currently unsupported in the FreeBSD base system. Explicitly disable PIE in affected ports for now. PR: 253275 Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: jah (maintainer), lwhsu Differential Revision: https://reviews.freebsd.org/D28869 Changes: head/multimedia/cx88/Makefile
A commit references this bug: Author: emaste Date: Tue Mar 9 14:10:35 UTC 2021 New revision: 567931 URL: https://svnweb.freebsd.org/changeset/ports/567931 Log: japanese/kon2-16dot: fix build with base system PIE default PIE with static libraries is currently unsupported in the FreeBSD base system. Explicitly disable PIE in affected ports for now. Emailed maintainer for approval, no objection. PR: 253275 [exp-run] Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: lwhsu Differential Revision: https://reviews.freebsd.org/D28868 Changes: head/japanese/kon2-16dot/Makefile
A commit references this bug: Author: emaste Date: Wed Mar 10 18:19:02 UTC 2021 New revision: 568019 URL: https://svnweb.freebsd.org/changeset/ports/568019 Log: net/sup: fix build with base system PIE default PIE with static libraries is currently unsupported in the FreeBSD base system. Explicitly disable PIE in affected ports for now. PR: 253275 [exp-run] Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: lwhsu Approved by: Maintainer timeout Differential Revision: https://reviews.freebsd.org/D28801 Changes: head/net/sup/Makefile
A commit references this bug: Author: emaste Date: Wed Mar 10 18:21:05 UTC 2021 New revision: 568020 URL: https://svnweb.freebsd.org/changeset/ports/568020 Log: mail/mailest: fix build with base system PIE default PIE with static libraries is currently unsupported in the FreeBSD base system. Explicitly disable PIE in affected ports for now. PR: 253275 [exp-run] Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: lwhsu Approved by: Maintainer timeout Differential Revision: https://reviews.freebsd.org/D28866 Changes: head/mail/mailest/Makefile
A commit references this bug: Author: emaste Date: Wed Mar 10 18:24:00 UTC 2021 New revision: 568022 URL: https://svnweb.freebsd.org/changeset/ports/568022 Log: www/nostromo: fix build with base system PIE default PIE with static libraries is currently unsupported in the FreeBSD base system. Explicitly disable PIE in affected ports for now. PR: 253275 [exp-run] Submitted by: Dawid Gorecki <dgr@semihalf.com> Approved by: lwhsu Approved by: Maintainer timeout Differential Revision: https://reviews.freebsd.org/D28864 Changes: head/www/nostromo/Makefile