308b2c0ab2
Armv8.3+ capable CPUs might segfault with incorrect compilation options.
See related upstream report: https://bugs.ruby-lang.org/issues/20085
We have hit this on COPR which uses [0] c7g.xlarge AWS flavor for aarch64
architecture builds. This machine flavor seems to fall into the ARMv8.3+
range.
Fedora CFLAGS come with `-mbranch-protection=standard` which means that
both BTI and the PAC protections are used. The option is equivalent
to `-mbranch-protection=pac-ret+bti`.
However, since the upstream configure.ac automatically appends
`-mbranch-protection=pac-ret`, the BTI protection is not used
as the last used option seems to overwrite [1] the Fedora
default for this.
To resolve both of these issues, of BTI being skipped and the potential
segfaults a patch is applied.
To fix segfaults an upstream patch was applied [2].
To fix the issue of overridden option I have patched the
configure.ac file to check for the `=standard` first when searching for a usable
`-mbranch-protection` option.
The overriding of our options was reported upstream:
<https://bugs.ruby-lang.org/issues/20154>
In the same issue I provided the extension of compilation option as an
attachment, to showcase a workaround that fixes the situation in Fedora.
[0] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4GPCGQAZT2LJ5CE7MTIEFKGAPP6O2DW/>
[1] <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/QWLEBS4YQH73HJNNLKCCGIIOU3SSXAYK/>
[2] <02973b78f4>
60 lines
2.3 KiB
Diff
60 lines
2.3 KiB
Diff
From 8af8f327457738620d2c85bd65db8cc5594585db Mon Sep 17 00:00:00 2001
|
|
From: Yuta Saito <kateinoigakukun@gmail.com>
|
|
Date: Wed, 27 Dec 2023 06:22:45 +0000
|
|
Subject: [PATCH 1/2] [Bug #20085] Use consistent default options for
|
|
`-mbranch-protection`
|
|
|
|
We need to use the same options for both C compiler and assembler
|
|
when `-mbranch-protection` is guessed by configure. Otherwise,
|
|
`coroutine/arm64/Context.{h,S}` will use incompatible PAC strategies.
|
|
---
|
|
configure.ac | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 9286946fc1..18b4247991 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -830,7 +830,10 @@ AS_IF([test "$GCC" = yes], [
|
|
AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
|
|
RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
|
|
AS_IF([test "x$branch_protection" = xyes], [
|
|
+ # C compiler and assembler must be consistent for -mbranch-protection
|
|
+ # since they both check `__ARM_FEATURE_PAC_DEFAULT` definition.
|
|
RUBY_APPEND_OPTION(XCFLAGS, option)
|
|
+ RUBY_APPEND_OPTION(ASFLAGS, option)
|
|
break
|
|
])
|
|
])
|
|
--
|
|
2.43.0
|
|
|
|
|
|
From 80281e14e411e8e5fe4955effbb2c650a2f52667 Mon Sep 17 00:00:00 2001
|
|
From: Jarek Prokop <jprokop@redhat.com>
|
|
Date: Fri, 12 Jan 2024 18:33:34 +0100
|
|
Subject: [PATCH 2/2] aarch64: Prepend -mbranch-protection=standard option when
|
|
checking branch protection.
|
|
|
|
Related Upstream issue: https://bugs.ruby-lang.org/issues/20154
|
|
---
|
|
configure.ac | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 18b4247991..5ea8ada8f7 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -827,7 +827,7 @@ AS_IF([test "$GCC" = yes], [
|
|
|
|
# aarch64 branch protection
|
|
AS_CASE(["$target_cpu"], [aarch64], [
|
|
- AS_FOR(option, opt, [-mbranch-protection=pac-ret -msign-return-address=all], [
|
|
+ AS_FOR(option, opt, [-mbranch-protection=standard -mbranch-protection=pac-ret -msign-return-address=all], [
|
|
RUBY_TRY_CFLAGS(option, [branch_protection=yes], [branch_protection=no])
|
|
AS_IF([test "x$branch_protection" = xyes], [
|
|
# C compiler and assembler must be consistent for -mbranch-protection
|
|
--
|
|
2.43.0
|
|
|