Merge remote-tracking branch 'up/main' into main-riscv64

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

brp-llvm-compile-lto-elf

@@ -16,14 +16,20 @@ check_convert_bitcode () {
   CLANG_FLAGS="$@"
 
   if [[ "${file_type}" == *"LLVM IR bitcode"* ]]; then
-    # check for an indication that the bitcode was
-    # compiled with -flto
-    llvm-bcanalyzer -dump ${file_name} | grep -xP '.*\-flto((?!-fno-lto).)*' 2>&1 > /dev/null
-    if [ $? -eq 0 ]; then
-      echo "Compiling LLVM bitcode file ${file_name}."
-      clang ${CLANG_FLAGS} -fno-lto -Wno-unused-command-line-argument \
-        -x ir ${file_name} -c -o ${file_name}
-    fi
+    # Check the output of llvm-strings for the command line, which is in the LLVM bitcode because
+    # we pass -frecord-gcc-switches.
+    # Check for a line that has "-flto" after (or without) "-fno-lto".
+    llvm-strings ${file_name} | while read line ; do
+      flto=$(echo $line   | grep -o -b -e -flto     | tail -n 1 | cut -d : -f 1)
+      fnolto=$(echo $line | grep -o -b -e -fno-lto  | tail -n 1 | cut -d : -f 1)
+
+      if test -n "$flto" && { test -z "$fnolto" || test "$flto" -gt "$fnolto"; } ; then
+        echo "Compiling LLVM bitcode file ${file_name}."
+        clang ${CLANG_FLAGS} -fno-lto -Wno-unused-command-line-argument \
+          -x ir ${file_name} -c -o ${file_name}
+        break
+      fi
+      done
   elif [[ "${file_type}" == *"current ar archive"* ]]; then
     echo "Unpacking ar archive ${file_name} to check for LLVM bitcode components."
     # create archive stage for objects
@@ -43,4 +49,4 @@ check_convert_bitcode () {
 echo "Checking for LLVM bitcode artifacts"
 export -f check_convert_bitcode
 find "$RPM_BUILD_ROOT" -type f -name "*.[ao]" -print0 | \
-  xargs -0 -n1 -P$NCPUS sh -c "check_convert_bitcode \$@ $CLANG_FLAGS" ARG0
+  xargs -0 -r -n1 -P$NCPUS sh -c "check_convert_bitcode \$@ $CLANG_FLAGS" ARG0

buildflags.md

@@ -6,7 +6,7 @@ and how to use them.
 # Using RPM build flags
 
 The %set_build_flags macro sets the environment variables `CFLAGS`,
-`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, `LDFLAGS` and `LT_SYS_LIBRARY_PATH` to
+`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, `VALAFLAGS`, `LDFLAGS` and `LT_SYS_LIBRARY_PATH` to
 the value of their corresponding rpm macros. `%set_build_flags` is automatically
 called prior to the `%build`, `%check`, and `%install` phases so these flags can be
 used by makefiles and other build tools.
@@ -43,6 +43,7 @@ Individual build flags are also available through RPM macros:
   the `CXXFLAGS` shell variable).
 * `%{build_fflags}` for `FFLAGS` (the Fortran compiler flags, also
   known as the `FCFLAGS` variable).
+* `%{build_valaflags}` for `VALAFLAGS` (the Vala compiler flags)
 * `%{build_ldflags}` for the linker (`ld`) flags, usually known as
   `LDFLAGS`. Note that the contents quote linker arguments using
   `-Wl`, so this variable is intended for use with the `gcc` compiler
@@ -123,6 +124,16 @@ are set as well during libtool-.  This can be switched off using:
 
 Further patching happens in LTO mode, see below.
 
+### Other autotools compatibility settings
+
+During `%configure`, `--runstatedir` is automatically passed to the
+`configure` script if support for this option is detected.  This
+detection can fail if the package has multiple `configure` scripts
+that invoke each other, and only some of them support `--runstatedir`.
+To disable passing `--runstatedir`, use:
+
+    %undefine _configure_use_runstatedir
+
 ### Disabling Link-Time Optimization
 
 By default, builds use link-time optimization.  In this build mode,
@@ -161,6 +172,30 @@ This turns off certain hardening features, as described in detail
 below.  The main difference is that executables will be
 position-dependent (no full ASLR) and use lazy binding.
 
+### Source Fortification
+
+By default, the build flags include `-Wp,-D_FORTIFY_SOURCE=3`: Source
+fortification activates various hardening features in glibc:
+
+* String functions such as `memcpy` attempt to detect buffer lengths
+  and terminate the process if a buffer overflow is detected.
+* `printf` format strings may only contain the `%n` format specifier
+  if the format string resides in read-only memory.
+* `open` and `openat` flags are checked for consistency with the
+  presence of a *mode* argument.
+* Plus other minor hardening changes.
+
+These changes can, on rare occasions, break valid programs. The source
+fortification level can be overridden by adding this in the RPM spec file:
+
+    %define _fortify_level 2
+
+to reduce source fortification level to 2 or:
+
+    %undefine _fortify_level
+
+to disable fortification altogether.
+
 ### Annotated builds/watermarking
 
 By default, the build flags cause a special output section to be
@@ -267,6 +302,17 @@ will be used to generate `%_package_note_file`. If `%_package_note_flags`
 is undefined, the linker argument that injects the script will not be added
 to `%build_ldfags`, but the linker script would still be generated.
 
+### Frame pointers
+
+Frame pointers will be included by default via the `%_include_frame_pointers`
+macro. To opt out, the best way is to undefine the macro. Include this in the
+spec file:
+
+    %undefine _include_frame_pointers
+
+Note that opting out might still result in frame pointers being included on
+architectures where they are part of the ABI (e.g. aarch64) depending on
+compiler defaults.
 
 ### Post-build ELF object processing
 
@@ -362,16 +408,9 @@ The general (architecture-independent) build flags are:
   This can occasionally result in compilation errors. In that case,
   the best option is to rewrite the source code so that only constant
   format strings (string literals) are used.
-* `-Wp,-D_FORTIFY_SOURCE=2`: Source fortification activates various
-  hardening features in glibc:
-    * String functions such as `memcpy` attempt to detect buffer lengths
-      and terminate the process if a buffer overflow is detected.
-    * `printf` format strings may only contain the `%n` format specifier
-      if the format string resides in read-only memory.
-    * `open` and `openat` flags are checked for consistency with the
-      presence of a *mode* argument.
-    * Plus other minor hardening changes.
-  (These changes can occasionally break valid programs.)
+* `-U_FORTIFY_SOURCE, -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3`:
+  See the Source Fortification section above and the `%_fortify_level`
+  override.
 * `-fexceptions`: Provide exception unwinding support for C programs.
   See the [`-fexceptions` option in the GCC
   manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions)
@@ -450,6 +489,12 @@ by undefining the `%_annotated_build` RPM macro (see above).  Binary
 watermarks are currently disabled on armhpf, and with the `clang`
 toolchain.
 
+If frame pointers are enabled by default (via `%_include_frame_pointers`),
+the `-fno-omit-frame-pointer` will be added on all architectures except i686
+and s390x. Additional flags will be added on specific architectures:
+
+* `-mno-omit-leaf-frame-pointer` on x86_64 and aarch64
+
 ### Architecture-specific compiler flags
 
 These compiler flags are enabled for all builds (hardened/annotated or
@@ -493,6 +538,13 @@ tuning in the `gcc` package.  These settings are:
    beneficial for a broad range of current CPUs.
 * **aarch64** does not have any architecture-specific tuning.
 
+### Vala-specific compiler flags
+
+ * `-g`: causes valac to emit `#line` directives in the generated C
+   source code. This improves backtrace generation by causing gdb to
+   point to Vala source file and line number instead of the generated C
+   source when possible.
+
 # Individual linker flags
 
 Linker flags end up in the environment variable `LDFLAGS`.

forge.lua

@@ -42,7 +42,10 @@ local function checkforgeurl(url, id, silent)
       description = 'https://code.googlesource.com/…/repo'},
     ["bitbucket.org"] = {
       pattern     = 'https://[^/]+/[^/]+/[^/#?]+',
-      description = 'https://bitbucket.org/owner/repo'}}
+      description = 'https://bitbucket.org/owner/repo'},
+    sourcehut = {
+      pattern     = 'https://[^/]+/~[^/]+/[^/#?]+',
+      description = 'https://git.sr.ht/~owner/repo'}}
   if (urlpatterns[id] ~= nil) then
     checkedurl = string.match(url,urlpatterns[id]["pattern"])
     if (checkedurl == nil) then
@@ -81,6 +84,8 @@ local function idforge(url, silent)
         forge = "gitlab"
       elseif (string.match(forge, "^github[%.-]") or string.match(forge, "[%.-]github[%.]")) then
         forge = "github"
+        elseif  string.match(url, "[^:]+://git.sr.ht/") then
+        forge = "sourcehut"
       end
       forgeurl, forge = checkforgeurl(url, forge, silent)
     end
@@ -150,7 +155,12 @@ local function meta(suffix, verbose, informative, silent)
       shortcommit = '%{lua:print(string.sub(rpm.expand("%{commit'     .. suffix .. '}"), 1, 12))}',
       owner       = '%{lua:print(string.match(rpm.expand("%{forgeurl' .. suffix .. '}"), "^[^:]+://[^/]+/([^/?#]+)"))}',
       archivename = "%{owner"        .. suffix .. "}-%{repo"          .. suffix .. "}-%{shortcommit" .. suffix .. "}",
-      archiveurl  = "%{forgeurl"     .. suffix .. "}/get/%{ref"       .. suffix .. "}.%{archiveext"  .. suffix .. "}" } }
+      archiveurl  = "%{forgeurl"     .. suffix .. "}/get/%{ref"       .. suffix .. "}.%{archiveext"  .. suffix .. "}" }, 
+    sourcehut = {
+      archiveext  = "tar.gz",
+      archivename = "%{repo"         .. suffix .. "}-%{fileref"       .. suffix .. "}",
+      archiveurl = "%{forgeurl"      .. suffix .. "}/archive/%{ref"   .. suffix .. "}.%{archiveext"  .. suffix .. "}",
+      topdir     = "%{repo"          .. suffix .. "}-%{ref"           .. suffix .. "}" } }
   -- Packaging a moving branch is quite a bad idea, but since at least Gitlab
   -- will treat branches and tags the same way better support branches explicitly
   -- than have packagers hijack %{tag} to download branch states
@@ -212,6 +222,15 @@ local function meta(suffix, verbose, informative, silent)
       if (spec["commit"] == "") then
         rpm.expand("%{error:All BitBucket URLs require commit value knowledge: you need to define %{commit}!}")
       end
+    elseif (forge == "sourcehut") then
+      local fileref = ref
+      if (fileref ~= "%{?commit" .. suffix .. "}") and
+             string.match(rpm.expand(fileref), "^v[%d]") then
+        fileref = string.gsub(rpm.expand(fileref), "^v", "")
+      elseif (string.match(rpm.expand(fileref), "/")) then
+        fileref = string.gsub(rpm.expand(fileref), "/", "-")
+      end
+      fedora.safeset("fileref" .. suffix, fileref, verbose)
     end
     fedora.safeset("ref" .. suffix, ref, verbose)
     -- Mass setting of the remaining variables

macros

@@ -12,6 +12,7 @@
 #      from the defaults.
 #
 %_localstatedir		/var
+%_runstatedir		/run
 
 %_pkgdocdir             %{_docdir}/%{name}
 %_docdir_fmt            %%{NAME}
@@ -19,6 +20,7 @@
 %_fmoddir		%{_libdir}/gfortran/modules
 
 %source_date_epoch_from_changelog 1
+%clamp_mtime_to_source_date_epoch %source_date_epoch_from_changelog
 
 %_enable_debug_packages 1
 %_include_minidebuginfo 1
@@ -64,6 +66,9 @@
 # the corresponding variable names.
 %build_fflags %{optflags} -I%{_fmoddir}
 
+# Vala compiler flags. This is used to set VALAFLAGS.
+%build_valaflags -g
+
 # When clang is used as a linker driver, it does not auto-detect the LTO
 # bytecode and neither does bfd, so we need to explicitly pass the -flto
 # flag when linking.
@@ -77,8 +82,8 @@
 %build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_clang_extra_ldflags}" : "" ] %{_build_id_flags} %{?_package_note_flags}
 
 # Expands to shell code to set the compiler/linker environment
-# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
-# not been set already.  RPM_OPT_FLAGS and RPM_LD_FLAGS have already
+# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, VALAFLAGS, LDFLAGS if they
+# have not been set already.  RPM_OPT_FLAGS and RPM_LD_FLAGS have already
 # been set implicitly at the start of the %%build section.
 # LT_SYS_LIBRARY_PATH is used by libtool script.
 %set_build_flags \
@@ -86,6 +91,7 @@
   CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \
   FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \
   FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \
+  VALAFLAGS="${VALAFLAGS:-%{build_valaflags}}" ; export VALAFLAGS ; \
   LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS ; \
   LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH ; \
   CC="${CC:-%{__cc}}" ; export CC ; \
@@ -134,7 +140,7 @@ print(result)
 %__cflags_arch_x86_64 %[0%{?rhel} >= 9 ? "-march=x86-64-v2" : ""]
 
 # Also used for s390.
-%__cflags_arch_s390x %[0%{?rhel} >= 9 ? "-march=z14 -mtune=z15" : "-march=zEC12 -mtune=z13"]
+%__cflags_arch_s390x %[0%{?rhel} >= 9 ? "-march=z14 -mtune=z15" : "-march=z13 -mtune=z14"]
 
 %__cflags_arch_ppc64le %[0%{?rhel} >= 9 ? "-mcpu=power9 -mtune=power9" : "-mcpu=power8 -mtune=power8"]
 
@@ -149,6 +155,9 @@ print(result)
 # way to turn it back off.
 # %_configure_disable_silent_rules 1
 
+# Pass --runstatedir to configure.
+%_configure_use_runstatedir 1
+
 # This fixes various easy resolved configure tests that are compromised by LTO.
 #
 # We use this within the standard %configure macro, but also make it available
@@ -212,6 +221,7 @@ print(result)
 	--libdir=%{_libdir} \\\
 	--libexecdir=%{_libexecdir} \\\
 	--localstatedir=%{_localstatedir} \\\
+	%{?_configure_use_runstatedir:$(grep -q "runstatedir=DIR" %{_configure} && echo '--runstatedir=%{_runstatedir}')} \\\
 	--sharedstatedir=%{_sharedstatedir} \\\
 	--mandir=%{_mandir} \\\
 	--infodir=%{_infodir}
@@ -324,6 +334,15 @@ print(result)
 # to move the annobin notes into the separate debuginfo file.
 %_find_debuginfo_extra_opts %{?_annotated_build:--remove-section .gnu.build.attributes}
 
+# Include frame pointer information by default, except on RHEL
+# https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
+# Use "%undefine _include_frame_pointers" to disable.
+%_include_frame_pointers %{undefined rhel}
+%_frame_pointers_cflags %{expr:0%{?_include_frame_pointers} ? "-fno-omit-frame-pointer" : ""}
+%_frame_pointers_cflags_x86_64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
+%_frame_pointers_cflags_aarch64 %{expr:0%{?_include_frame_pointers} ? "-mno-omit-leaf-frame-pointer" : ""}
+%_frame_pointers_cflags_s390x %{expr:0%{?_include_frame_pointers} ? "-mbackchain" : ""}
+
 # Fail linking if there are undefined symbols.  Required for proper
 # ELF symbol versioning support.  Disabled by default.
 # Use "%define _ld_strict_symbol_defs 1" to enable.
@@ -344,16 +363,25 @@ print(result)
 # way we can detect installing an unusable .o/.a file.  This is on the TODO
 # list for F34.
 %_gcc_lto_cflags	-flto=auto -ffat-lto-objects
-%_clang_lto_cflags	-flto
+%_clang_lto_cflags	-flto=thin
 %_lto_cflags		%{expand:%%{_%{toolchain}_lto_cflags}}
 
+# Default fortification level.
+#   "%define _fortify_level 2" to downgrade and
+#   "%define _fortify_level 0" or "%undefine _fortify_level" to disable
+#
+# We use a single -Wp here to enforce order so that ccache does not ever
+# reorder them.
+%_fortify_level		3
+%_fortify_level_flags	%[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
+
 # Some linkers default to a build-id algoritim that is not supported by rpmbuild,
 # so we need to specify the right algorithm to use.
 %_build_id_flags	-Wl,--build-id=sha1
 
 %_general_options       -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
 %_warning_options       -Wall -Werror=format-security
-%_preprocessor_defines  -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
+%_preprocessor_defines  %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS
 
 # Common variables are no longer generated by default by gcc and clang
 # If they are needed then add "%define _legacy_common_support 1" to the spec file.

macros.shell-completions

@@ -0,0 +1,3 @@
+%bash_completions_dir   %{_datadir}/bash-completion/completions
+%zsh_completions_dir    %{_datadir}/zsh/site-functions
+%fish_completions_dir   %{_datadir}/fish/vendor_completions.d

redhat-annobin-cc1

@@ -1,2 +0,0 @@
-*cc1_options:
-+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}

redhat-annobin-cc1

@@ -0,0 +1 @@
+redhat-annobin-select-annobin-built-plugin

redhat-annobin-plugin-select.sh

@@ -0,0 +1,199 @@
+#!/usr/bin/sh
+# This is a script to select which GCC spec file fragment
+# should be the destination of the redhat-annobin-cc1 symlink.
+
+# Author: Nick Clifton  <nickc@redhat.com>
+# Copyright (c) 2021 Red Hat.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published
+# by the Free Software Foundation; either version 2, or (at your
+# option) any later version.
+
+# It is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# Usage:
+#   redhat-annobin-plugin-select [script-dir]
+#
+# If script-dir is not provided then /usr/lib/rpm/redhat is used
+# as the location where all of the annobin plugin selection files
+# can be found.
+
+if test "x$1" = "x" ;
+then
+    rrcdir=/usr/lib/rpm/redhat
+else
+    rrcdir=$1
+fi
+
+# Set this variable to non-zero to enable the generation of debugging
+# messages.
+debug=0
+
+# Decide which version of the annobin plugin for gcc should be used.
+# There are two possible versions, one created by the annobin package and one
+# created by the gcc package.  The logic selects the gcc version unless both
+# have been built by the same version of the compiler.  In that case the
+# annobin version is selected instead.
+#
+# The point of all this is that the annobin plugin is very sensitive to
+# mismatches with the version of gcc that built it.  If the plugin is built
+# by version A of gcc, but then run on version B of gcc, it is possible for
+# the plugin to misbehave, which then causes problems if gating tests examine
+# the plugin's output.  (This has happened more than once in RHEL...).
+#
+# So the plugin is built both by gcc and by the annobin package.  This means
+# that whenever gcc is updated a fresh plugin is built, and the logic below
+# will select that version.  But in order to allow annobin development to
+# proceed independtently of gcc, the annobin package can also update its
+# version of the plugin, and the logic will select this new version.
+
+# This is where the annobin package stores the information on the version
+# of gcc that built the annobin plugin.
+aver=`gcc --print-file-name=plugin`/annobin-plugin-version-info
+
+# This is where the gcc package stores its version information.
+gver=`gcc --print-file-name=rpmver`
+
+aplugin=`gcc --print-file-name=plugin`/annobin.so.0.0.0
+gplugin=`gcc --print-file-name=plugin`/gcc-annobin.so.0.0.0
+
+# This is the file that needs to be updated when either of those version
+# files changes.
+rac1=redhat-annobin-cc1
+
+# This is the GCC spec file fragment that selects the gcc-built version of
+# the annobin plugin
+select_gcc=redhat-annobin-select-gcc-built-plugin
+
+# This is the GCC spec file fragment that selects the annobin-built version
+# of the annobin plugin
+select_annobin=redhat-annobin-select-annobin-built-plugin
+
+install_annobin_version=0
+install_gcc_version=0
+
+if [ -f $aplugin ]
+then
+    if [ -f $gplugin ]
+    then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Both plugins exist, checking version information"
+	fi
+
+	if [ -f $gver ]
+	then
+	    if [ -f $aver ]
+	    then
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Both plugin version files exist - comparing..."
+		fi
+
+		# Get the first line from the version info files.  This is just in
+		# vase there are extra lines in the files.
+		avers=`head --lines=1 $aver`
+		gvers=`head --lines=1 $gver`
+
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Annobin plugin built by gcc $avers"
+		    echo "  redhat-rpm-config: GCC     plugin built by gcc $gvers"
+		fi
+
+		# If both plugins were built by the same version of gcc then select
+		# the one from the annobin package (in case it is built from newer
+		# sources).  If the plugin builder versions differ, select the gcc
+		# built version instead.  This assumes that the gcc built version
+		# always matches the installed gcc, which should be true.
+		if [ $avers = $gvers ]
+		then
+		    if [ $debug -eq 1 ]
+		    then
+			echo "  redhat-rpm-config: Both plugins built by the same compiler - using annobin-built plugin"
+		    fi
+		    install_annobin_version=1
+		else
+		    if [ $debug -eq 1 ]
+		    then
+			echo "  redhat-rpm-config: Versions differ - using gcc-built plugin"
+		    fi
+		    install_gcc_version=1
+		fi
+	    else
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Annobin version file does not exist, using gcc-built plugin"
+		fi
+		install_gcc_version=1
+	    fi
+	else
+	    if [ -f $aver ]
+	    then
+		# FIXME: This is suspicious.  If the installed GCC does not supports plugins
+		# then enabling the annobin plugin will not work.
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: GCC plugin version file does not exist, using annobin-built plugin"
+		fi
+		install_annobin_version=1
+	    else
+		if [ $debug -eq 1 ]
+		then
+		    echo "  redhat-rpm-config: Neither version file exists - playing safe and using gcc-built plugin"
+		    echo "  redhat-rpm-config: Note: expected to find $aver and/or $gver"
+		fi
+		install_gcc_version=1
+	    fi
+	fi
+    else
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Only the annobin plugin exists - using that"
+	fi
+	install_annobin_version=1
+    fi
+else
+    if [ -f $gplugin ]
+    then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Only the gcc plugin exists - using that"
+	fi
+    else
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Neither plugin exists - playing safe and using gcc-built plugin"
+	    echo "  redhat-rpm-config: Note: expected to find $aplugin and/or $gplugin"
+	fi
+    fi
+    install_gcc_version=1
+fi
+
+if [ $install_annobin_version -eq 1 ]
+then
+    if [ $debug -eq 1 ]
+    then
+	echo "  redhat-rpm-config: Installing annobin version of $rac1"
+    fi
+    pushd $rrcdir > /dev/null
+    rm -f $rac1
+    ln -s $select_annobin "$rac1"
+    popd > /dev/null
+    
+else if [ $install_gcc_version -eq 1 ]
+     then
+	if [ $debug -eq 1 ]
+	then
+	    echo "  redhat-rpm-config: Installing gcc version of $rac1"
+	fi
+	pushd $rrcdir > /dev/null
+	rm -f $rac1
+	ln -s $select_gcc $rac1
+	popd > /dev/null
+     fi
+fi

redhat-annobin-select-annobin-built-plugin

@@ -0,0 +1,3 @@
+*cc1_options:
++ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}
+

redhat-annobin-select-gcc-built-plugin

@@ -0,0 +1,3 @@
+*cc1_options:
++ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}
+

redhat-rpm-config.spec

@@ -4,12 +4,12 @@
 # 2) When making changes, increment the version (in baserelease) by 1.
 #    rpmdev-bumpspec and other tools update the macro below, which is used
 #    in Version: to get the desired effect.
-%global baserelease 226
+%global baserelease 244
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
 Version: %{baserelease}
-Release: 1.7.riscv64%{?dist}
+Release: 1%{?dist}
 # No version specified.
 License: GPL+
 URL: https://src.fedoraproject.org/rpms/redhat-rpm-config
@@ -25,6 +25,9 @@ Source52: redhat-hardened-clang.cfg
 
 # gcc specs files for annobin builds
 Source60: redhat-annobin-cc1
+Source61: redhat-annobin-select-gcc-built-plugin
+Source62: redhat-annobin-select-annobin-built-plugin
+Source63: redhat-annobin-plugin-select.sh
 
 # The macros defined by these files are for things that need to be defined
 # at srpm creation time when it is not feasible to require the base packages
@@ -45,6 +48,7 @@ Source152: macros.fedora-misc
 Source153: macros.forge
 Source155: macros.ldconfig
 Source156: macros.vpath
+Source157: macros.shell-completions
 
 # Build policy scripts
 # this comes from https://github.com/rpm-software-management/rpm/pull/344
@@ -96,7 +100,7 @@ Requires: ocaml-srpm-macros
 Requires: openblas-srpm-macros
 Requires: perl-srpm-macros
 # ↓ Has Python BRPs originaly present in redhat-rpm-config
-Requires: python-srpm-macros >= 3.10-6
+Requires: python-srpm-macros >= 3.11-7
 Requires: qt5-srpm-macros
 Requires: rust-srpm-macros
 Requires: rpmautospec-rpm-macros
@@ -113,6 +117,7 @@ Requires: rpm >= 4.11.0
 Requires: dwz >= 0.4
 Requires: zip
 Requires: (annobin-plugin-gcc if gcc)
+Requires: (gcc-plugin-annobin if gcc)
 
 # for brp-mangle-shebangs
 Requires: %{_bindir}/find
@@ -165,6 +170,21 @@ mkdir -p %{buildroot}%{_rpmluadir}/fedora/{rpm,srpm}
 install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua
 install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 
+# This trigger is used to decide which version of the annobin plugin for gcc
+# should be used.  See comments in the script for full details.
+
+%triggerin -- annobin-plugin-gcc gcc
+%{rrcdir}/redhat-annobin-plugin-select.sh
+%end
+
+# We also trigger when annobin is uninstalled.  This allows us to switch
+# over to the gcc generated version of the plugin.  It does not matter if
+# gcc is uninstalled, since if that happens the plugin cannot be used.
+
+%triggerpostun -- annobin-plugin-gcc
+%{rrcdir}/redhat-annobin-plugin-select.sh
+%end
+
 %files
 %dir %{rrcdir}
 %{rrcdir}/macros
@@ -185,6 +205,7 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %{_rpmconfigdir}/macros.d/macros.fedora-misc
 %{_rpmconfigdir}/macros.d/macros.forge
 %{_rpmconfigdir}/macros.d/macros.ldconfig
+%{_rpmconfigdir}/macros.d/macros.shell-completions
 %{_rpmconfigdir}/macros.d/macros.vpath
 %dir %{_rpmluadir}/fedora
 %dir %{_rpmluadir}/fedora/srpm
@@ -192,17 +213,70 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %{_rpmluadir}/fedora/*.lua
 %{_rpmluadir}/fedora/srpm/*lua
 
+%attr(0755,-,-) %{rrcdir}/redhat-annobin-plugin-select.sh
+%verify(owner group mode) %{rrcdir}/redhat-annobin-cc1
+%{rrcdir}/redhat-annobin-select-gcc-built-plugin
+%{rrcdir}/redhat-annobin-select-annobin-built-plugin
+
 %doc buildflags.md
 
 %changelog
-* Mon Aug 15 2022 David Abdurachmanov <davidlt@rivosinc.com> - 226-1.7.riscv64
-- New annobin available for GCC 12.1
+* Mon Jan 16 2023 Tom Stellard <tstellar@redhat.com> - 244-1
+- Make -flto=thin the default lto flag for clang
 
-* Wed Aug 10 2022 David Abdurachmanov <davidlt@rivosinc.com> - 226-1.5.riscv64
-- Re-enable package notes
+* Mon Jan 16 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 243-1
+- Consolidate the _FORTIFY_SOURCE switches.
 
-* Thu Aug 05 2022 David Abdurachmanov <davidlt@rivosinc.com> - 226-1.3.riscv64
-- Remove gcc-plugin-annobin support (doesn't exist in GCC 11)
+* Fri Jan 13 2023 Miro Hrončok <mhroncok@redhat.com> - 242-1
+- Don't use %%[ ] expressions with %%{undefined}
+- Fixes: rhbz#2160716
+
+* Thu Jan 12 2023 Stephen Gallagher <sgallagh@redhat.com> - 241-1
+- Do not include frame pointers on RHEL
+
+* Tue Jan 10 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 240-1
+- Do not include frame pointers on i686 and s390x for now
+
+* Wed Jan  4 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 239-1
+- Enable frame pointers by default
+- Set arch specific flags for frame pointers support
+
+* Tue Jan  3 2023 Miro Hrončok <mhroncok@redhat.com> - 238-1
+- Set %%source_date_epoch_from_changelog to 1
+- https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes
+
+* Tue Jan  3 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 237-1
+- Make _FORTIFY_SOURCE configurable and bump default to 3.
+
+* Wed Dec 28 2022 Davide Cavalca <dcavalca@fedoraproject.org> - 236-1
+- Add conditional support for always including frame pointers
+
+* Sat Dec 10 2022 Florian Weimer <fweimer@redhat.com> - 235-1
+- Add %%_configure_use_runstatedir to disable --runstatedir configure option
+
+* Fri Nov  4 2022 Tom Stellard <tstellar@redhat.com> - 234-1
+- Remove unsupported arches from rpmrc
+
+* Fri Nov  4 2022 Florian Weimer <fweimer@redhat.com> - 233-1
+- Set -g when building Vala applications
+
+* Fri Sep 23 2022 Timm Bäder <tbaeder@redhat.com> - 232-1
+- Fix brp-compile-lto-elf to not rely on a backtracking regex
+
+* Thu Sep 08 2022 Maxwell G <gotmax@e.email> - 231-1
+- forge macros: Support Sourcehut. Fixes rhbz#2035935.
+
+* Tue Aug 30 2022 Frederic Berat <fberat@redhat.com> - 230-1
+- Add support for runstatedir in %%configure
+
+* Fri Aug 26 2022 Dan Horák <dan[at]danny.cz> - 229-1
+- Move the baseline s390x arch to z13 for F-38+
+
+* Mon Aug 8 2022 Maxwell G <gotmax@e.email> - 228-1
+- Add macros.shell-completions
+
+* Fri Aug 05 2022 Nikita Popov <npopov@redhat.com> - 227-1
+- brp-llvm-compile-lto-elf: Pass -r to xargs
 
 * Wed Jun 22 2022 Timm Bäder <tbaeder@redhat.com> - 226-1
 - Move llvm_compile_lto_to_elf before __debug_install_post

rpmrc

@@ -5,78 +5,18 @@ optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection %{_frame_pointers_cflags} %{_frame_pointers_cflags_x86_64}
 
-optflags: alpha %{__global_compiler_flags} -mieee
-optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5
-optflags: alphaev56 %{__global_compiler_flags} -mieee -mcpu=ev56
-optflags: alphapca56 %{__global_compiler_flags} -mieee -mcpu=pca56
-optflags: alphaev6 %{__global_compiler_flags} -mieee -mcpu=ev6
-optflags: alphaev67 %{__global_compiler_flags} -mieee -mcpu=ev67
+optflags: ppc64le %{__global_compiler_flags} -m64 %{__cflags_arch_ppc64le} -fasynchronous-unwind-tables -fstack-clash-protection %{_frame_pointers_cflags}
 
-optflags: sparc %{__global_compiler_flags} -m32 -mcpu=v7 -mtune=ultrasparc
-optflags: sparcv8 %{__global_compiler_flags} -m32 -mcpu=v8
-optflags: sparcv9 %{__global_compiler_flags} -m32 -mcpu=ultrasparc
-optflags: sparcv9v %{__global_compiler_flags} -m32 -mcpu=niagara
-optflags: sparc64 %{__global_compiler_flags} -m64 -mcpu=ultrasparc
-optflags: sparc64v %{__global_compiler_flags} -m64 -mcpu=niagara
+# TODO: Remove armv7hl once f36 goes EOL.
+optflags: armv7hl %{__global_compiler_flags} -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard %{_frame_pointers_cflags}
 
-optflags: m68k %{__global_compiler_flags}
-
-optflags: ppc %{__global_compiler_flags} -m32 -fasynchronous-unwind-tables
-optflags: ppciseries %{__global_compiler_flags} -m32
-optflags: ppcpseries %{__global_compiler_flags} -m32
-optflags: ppc64 %{__global_compiler_flags} -m64 -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: ppc64p7 %{__global_compiler_flags} -m64 -O3 -mcpu=power7 -mtune=power7 -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: ppc64le %{__global_compiler_flags} -m64 %{__cflags_arch_ppc64le} -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: ppc64iseries %{__global_compiler_flags} -m64
-optflags: ppc64pseries %{__global_compiler_flags} -m64
-optflags: ppc8260 %{__global_compiler_flags} -m32
-optflags: ppc8560 %{__global_compiler_flags} -m32
-
-optflags: parisc %{__global_compiler_flags} -mpa-risc-1-0
-optflags: hppa1.0 %{__global_compiler_flags} -mpa-risc-1-0
-optflags: hppa1.1 %{__global_compiler_flags} -mpa-risc-1-0
-optflags: hppa1.2 %{__global_compiler_flags} -mpa-risc-1-0
-optflags: hppa2.0 %{__global_compiler_flags} -mpa-risc-1-0
-
-optflags: mips %{__global_compiler_flags} -march=mips32r2 -mfpxx
-optflags: mipsel %{__global_compiler_flags} -march=mips32r2 -mfpxx
-optflags: mips64 %{__global_compiler_flags} -march=mips64r2 -mabi=64
-optflags: mips64el %{__global_compiler_flags} -march=mips64r2 -mabi=64
-optflags: mipsr6 %{__global_compiler_flags} -march=mips32r6
-optflags: mipsr6el %{__global_compiler_flags} -march=mips32r6
-optflags: mips64r6 %{__global_compiler_flags} -march=mips64r6
-optflags: mips64r6el %{__global_compiler_flags} -march=mips64r6
-
-optflags: armv3l %{__global_compiler_flags} -fsigned-char -march=armv3
-optflags: armv4b %{__global_compiler_flags} -fsigned-char -march=armv4
-optflags: armv4l %{__global_compiler_flags} -fsigned-char -march=armv4
-optflags: armv4tl %{__global_compiler_flags} -march=armv4t
-optflags: armv5tel %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
-optflags: armv5tejl %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
-optflags: armv6l %{__global_compiler_flags} -march=armv6 -mfloat-abi=soft
-optflags: armv6hl %{__global_compiler_flags} -march=armv6 -mfpu=vfp -mfloat-abi=hard
-optflags: armv6hnl %{__global_compiler_flags} -march=armv6 -mfpu=neon -mfloat-abi=hard
-optflags: armv7l %{__global_compiler_flags} -march=armv7-a -mfloat-abi=soft
-optflags: armv7hl %{__global_compiler_flags} -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard
-optflags: armv7hnl %{__global_compiler_flags} -march=armv7-a -mfpu=neon  -mfloat-abi=hard
-
-optflags: atarist %{__global_compiler_flags}
-optflags: atariste %{__global_compiler_flags}
-optflags: ataritt %{__global_compiler_flags}
-optflags: falcon %{__global_compiler_flags}
-optflags: atariclone %{__global_compiler_flags}
-optflags: milan %{__global_compiler_flags}
-optflags: hades %{__global_compiler_flags}
-
-optflags: s390 %{__global_compiler_flags} -m31 %{__cflags_arch_s390x} -fasynchronous-unwind-tables
 optflags: s390x %{__global_compiler_flags} -m64 %{__cflags_arch_s390x} -fasynchronous-unwind-tables -fstack-clash-protection
 
-optflags: aarch64 %{__global_compiler_flags} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]
+optflags: aarch64 %{__global_compiler_flags} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] %{_frame_pointers_cflags} %{_frame_pointers_cflags_aarch64}
 
-optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]
+optflags: riscv64 %{__global_compiler_flags} -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ] %{_frame_pointers_cflags}
 
 # set build arch to fedora buildarches on hardware capable of running it
 # saves having to do rpmbuild --target=
@@ -87,11 +27,5 @@ buildarchtranslate: pentium3: i686
 buildarchtranslate: i686: i686
 buildarchtranslate: i586: i586
 
-buildarchtranslate: sparcv9: sparcv9
-buildarchtranslate: sparcv9v: sparcv9
-
-buildarchtranslate: armv5tejl: armv5tel
-buildarchtranslate: armv6l: armv5tel
-buildarchtranslate: armv7l: armv5tel
 buildarchtranslate: armv7hl: armv7hl
 buildarchtranslate: armv7hnl: armv7hl

tests/include-frame-pointers/main.fmf

@@ -0,0 +1,7 @@
+summary: Test that conditional support for frame pointers works
+
+require:
+  - grep
+  - redhat-rpm-config
+  - rpm
+test: ./runtest.sh

tests/include-frame-pointers/runtest.sh

@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# Not using set -e on purpose as we manually validate the exit codes to print
+# useful messages.
+set -u
+
+passed=0
+failed=0
+
+rpmeval() {
+  # Note: --eval needs to always be *last* here
+  rpm "$@" --eval='%optflags'
+}
+
+validate() {
+  ret=$?
+  if [ $ret -eq 0 ]; then
+    echo "PASS: $*"
+    passed=$((passed+1))
+  else
+    echo "FAIL: $*"
+    failed=$((failed+1))
+  fi
+}
+
+for arch in aarch64 armv7hl x86_64 ppc64le riscv64; do
+  case "$arch" in
+    x86_64|aarch64)
+      flags='-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer'
+      ;;
+    *)
+      flags='-fno-omit-frame-pointer'
+      ;;
+  esac
+
+  rpmeval --target="${arch}-linux" --define='_include_frame_pointers 1' | grep -q -- "$flags"
+  validate "[${arch}] Test that the flags are included if the macro is defined"
+
+  rpmeval --target="${arch}-linux" --undefine='_include_frame_pointers' | grep -qv -- "$flags"
+  validate "[${arch}] Test that the flags are _not_ included if the macro is undefined"
+
+  rpmeval --target="${arch}-linux" --define='fedora 1' | grep -q -- "$flags"
+  validate "[${arch}] Test that the flags are included by default on Fedora"
+
+  rpmeval --target="${arch}-linux" --define='rhel 1' | grep -qv -- "$flags"
+  validate "[${arch}] Test that the flags are _not_ included by default on RHEL"
+done
+
+flags='-fno-omit-frame-pointer'
+for arch in i386 i486 i586 i686 athlon s390x; do
+  rpmeval --target="${arch}-linux" --define='_include_frame_pointers 1' | grep -qv -- "$flags"
+  validate "[${arch}] Test that the flags are not included if the macro is defined"
+
+  rpmeval --target="${arch}-linux" | grep -qv -- "$flags"
+  validate "[${arch}] Test that the flags are not included by default"
+done
+
+echo
+echo "${passed} passed, ${failed} failed"
+
+exit "$failed"