Fix compiling coroutines with aarch64's branch protection.

Armv8.3+ capable CPUs might segfault with incorrect compilation options.
See related upstream report: https://bugs.ruby-lang.org/issues/20085

We have hit this on COPR which uses [0] c7g.xlarge AWS flavor for aarch64
architecture builds. This machine flavor seems to fall into the ARMv8.3+
range.

Fedora CFLAGS come with `-mbranch-protection=standard` which means that
both BTI and the PAC protections are used. The option is equivalent
to `-mbranch-protection=pac-ret+bti`.

However, since the upstream configure.ac automatically appends
`-mbranch-protection=pac-ret`, the BTI protection is not used
as the last used option seems to overwrite [1] the Fedora
default for this.

To resolve both of these issues, of BTI being skipped and the potential
segfaults a patch is applied.

To fix segfaults an upstream patch was applied [2].

To fix the issue of overridden option I have patched the
configure.ac file to check for the `=standard` first when searching for a usable
`-mbranch-protection` option.

The overriding of our options was reported upstream:
<https://bugs.ruby-lang.org/issues/20154>
In the same issue I provided the extension of compilation option as an
attachment, to showcase a workaround that fixes the situation in Fedora.

[0] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4GPCGQAZT2LJ5CE7MTIEFKGAPP6O2DW/>
[1] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QWLEBS4YQH73HJNNLKCCGIIOU3SSXAYK/>
[2] <02973b78f4>

ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch

@@ -0,0 +1,59 @@
+From 8af8f327457738620d2c85bd65db8cc5594585db Mon Sep 17 00:00:00 2001
+From: Yuta Saito <kateinoigakukun@gmail.com>
+Date: Wed, 27 Dec 2023 06:22:45 +0000
+Subject: [PATCH 1/2] [Bug #20085] Use consistent default options for
+ `-mbranch-protection`
+
+We need to use the same options for both C compiler and assembler
+when `-mbranch-protection` is guessed by configure. Otherwise,
+`coroutine/arm64/Context.{h,S}` will use incompatible PAC strategies.
+---
+ configure.ac | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 9286946fc1..18b4247991 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -830,7 +830,10 @@ AS_IF([test "$GCC" = yes], [
+ 	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
+             RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
+             AS_IF([test "x$branch_protection" = xyes], [
++                # C compiler and assembler must be consistent for -mbranch-protection
++                # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
+                 RUBY_APPEND_OPTION(XCFLAGS, option)
++                RUBY_APPEND_OPTION(ASFLAGS, option)
+                 break
+             ])
+         ])
+-- 
+2.43.0
+
+
+From 80281e14e411e8e5fe4955effbb2c650a2f52667 Mon Sep 17 00:00:00 2001
+From: Jarek Prokop <jprokop@redhat.com>
+Date: Fri, 12 Jan 2024 18:33:34 +0100
+Subject: [PATCH 2/2] aarch64: Prepend -mbranch-protection=standard option when
+ checking branch protection.
+
+Related Upstream issue: https://bugs.ruby-lang.org/issues/20154
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 18b4247991..5ea8ada8f7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -827,7 +827,7 @@ AS_IF([test "$GCC" = yes], [
+ 
+     # aarch64 branch protection
+     AS_CASE(["$target_cpu"], [aarch64], [
+-	AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
++	AS_FOR(option, opt, [-mbranch-protection=standard -mbranch-protection=pac-ret -msign-return-address=all], [
+             RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
+             AS_IF([test "x$branch_protection" = xyes], [
+                 # C compiler and assembler must be consistent for -mbranch-protection
+-- 
+2.43.0
+

ruby.spec

@@ -167,7 +167,7 @@
 Summary: An interpreter of object-oriented scripting language
 Name: ruby
 Version: %{ruby_version}%{?development_release}
-Release: 1%{?dist}
+Release: 2%{?dist}
 # BSD-3-Clause: missing/{crypt,mt19937,setproctitle}.c
 # ISC: missing/strl{cat,cpy}.c
 # Public Domain for example for: include/ruby/st.h, strftime.c, missing/*, ...
@@ -239,6 +239,10 @@ Patch10: ruby-3.3.0-Revert-Optimize-allocations-in-Hash-compare_by_identity.patc
 # https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
 # https://bugs.ruby-lang.org/issues/20106
 Patch11: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
+# Armv8.3+ capable CPUs might segfault with incorrect compilation options.
+# See related upstream report: https://bugs.ruby-lang.org/issues/20085
+# https://bugs.ruby-lang.org/issues/20154
+Patch12: ruby-3.4.0-fix-branch-protection-compilation-for-arm.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@@ -710,6 +714,7 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 9 -p1
 %patch 10 -p1
 %patch 11 -p1
+%patch 12 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1645,6 +1650,9 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 
 
 %changelog
+* Mon Jan 15 2024 Jarek Prokop <jprokop@redhat.com> - 3.3.0-2
+- Fix compiling coroutines with aarch64's branch protection.
+
 * Tue Jan 02 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.0-1
 - Upgrade to Ruby 3.3.0.
   Resolves: rhbz#2255918