You've already forked mariadb-columnstore-engine
mirror of
https://github.com/mariadb-corporation/mariadb-columnstore-engine.git
synced 2025-12-03 08:20:57 +03:00
Add compiler flag checks and hardening flags
This commit is contained in:
Ben Thompson
@@ -106,17 +106,30 @@ if(NOT AWK_EXECUTABLE)
|
|||||||
message(FATAL_ERROR "awk not found!")
|
message(FATAL_ERROR "awk not found!")
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
INCLUDE(check_compiler_flag.cmake)
|
||||||
|
|
||||||
FOREACH(BUILD_TYPE RELEASE RELWITHDEBINFO MINSIZEREL)
|
MY_CHECK_AND_SET_COMPILER_FLAG("-g -O3 -fno-strict-aliasing -Wall -fno-tree-vectorize -DDBUG_OFF -DHAVE_CONFIG_H" RELEASE RELWITHDEBINFO MINSIZEREL)
|
||||||
SET(CMAKE_CXX_FLAGS_${BUILD_TYPE} "-g -O3 -fno-strict-aliasing -Wall -fno-tree-vectorize -DDBUG_OFF -DHAVE_CONFIG_H")
|
MY_CHECK_AND_SET_COMPILER_FLAG("-ggdb3 -fno-tree-vectorize -DSAFE_MUTEX -DSAFEMALLOC -DENABLED_DEBUG_SYNC -O0 -Wall -D_DEBUG -DHAVE_CONFIG_H" DEBUG)
|
||||||
SET(CMAKE_C_FLAGS_${BUILD_TYPE} "-g -O3 -fno-strict-aliasing -Wall -fno-tree-vectorize -DDBUG_OFF -DHAVE_CONFIG_H")
|
|
||||||
ENDFOREACH()
|
|
||||||
|
|
||||||
SET(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -ggdb3 -fno-tree-vectorize -DSAFE_MUTEX -DSAFEMALLOC -DENABLED_DEBUG_SYNC -O0 -Wall -D_DEBUG -DHAVE_CONFIG_H")
|
# enable security hardening features, like most distributions do
|
||||||
SET(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -ggdb3 -fno-tree-vectorize -DSAFE_MUTEX -DSAFEMALLOC -DENABLED_DEBUG_SYNC -O0 -Wall -D _DEBUG -DHAVE_CONFIG_H")
|
# in our benchmarks that costs about ~1% of performance, depending on the load
|
||||||
|
IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6")
|
||||||
|
SET(security_default OFF)
|
||||||
|
ELSE()
|
||||||
|
SET(security_default ON)
|
||||||
|
ENDIF()
|
||||||
|
OPTION(SECURITY_HARDENED "Use security-enhancing compiler features (stack protector, relro, etc)" ${security_default})
|
||||||
|
IF(SECURITY_HARDENED)
|
||||||
|
# security-enhancing flags
|
||||||
|
MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
|
||||||
|
MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
|
||||||
|
MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
|
||||||
|
MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
|
||||||
|
ENDIF()
|
||||||
|
|
||||||
SET (ENGINE_LDFLAGS "-Wl,--no-as-needed -Wl,--add-needed")
|
SET (ENGINE_LDFLAGS "-Wl,--no-as-needed -Wl,--add-needed")
|
||||||
|
|
||||||
|
|
||||||
FIND_PACKAGE(Boost 1.53.0 REQUIRED COMPONENTS system filesystem thread regex date_time)
|
FIND_PACKAGE(Boost 1.53.0 REQUIRED COMPONENTS system filesystem thread regex date_time)
|
||||||
|
|
||||||
SET (ENGINE_LIBDIR "${INSTALL_ENGINE}/lib")
|
SET (ENGINE_LIBDIR "${INSTALL_ENGINE}/lib")
|
||||||
|
|||||||
56
check_compiler_flag.cmake
Normal file
56
check_compiler_flag.cmake
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
include(CheckCSourceCompiles)
|
||||||
|
include(CheckCXXSourceCompiles)
|
||||||
|
# We need some extra FAIL_REGEX patterns
|
||||||
|
# Note that CHECK_C_SOURCE_COMPILES is a misnomer, it will also link.
|
||||||
|
SET(fail_patterns
|
||||||
|
FAIL_REGEX "argument unused during compilation"
|
||||||
|
FAIL_REGEX "unsupported .*option"
|
||||||
|
FAIL_REGEX "unknown .*option"
|
||||||
|
FAIL_REGEX "unrecognized .*option"
|
||||||
|
FAIL_REGEX "ignoring unknown option"
|
||||||
|
FAIL_REGEX "warning:.*ignored"
|
||||||
|
FAIL_REGEX "warning:.*is valid for.*but not for"
|
||||||
|
FAIL_REGEX "warning:.*redefined"
|
||||||
|
FAIL_REGEX "[Ww]arning: [Oo]ption"
|
||||||
|
)
|
||||||
|
|
||||||
|
MACRO (MY_CHECK_C_COMPILER_FLAG flag)
|
||||||
|
STRING(REGEX REPLACE "[-,= +]" "_" result "have_C_${flag}")
|
||||||
|
SET(SAVE_CMAKE_REQUIRED_FLAGS "${CMAKE_REQUIRED_FLAGS}")
|
||||||
|
SET(CMAKE_REQUIRED_FLAGS "${CMAKE_REQUIRED_FLAGS} ${flag}")
|
||||||
|
CHECK_C_SOURCE_COMPILES("int main(void) { return 0; }" ${result}
|
||||||
|
${fail_patterns})
|
||||||
|
SET(CMAKE_REQUIRED_FLAGS "${SAVE_CMAKE_REQUIRED_FLAGS}")
|
||||||
|
ENDMACRO()
|
||||||
|
|
||||||
|
MACRO (MY_CHECK_CXX_COMPILER_FLAG flag)
|
||||||
|
STRING(REGEX REPLACE "[-,= +]" "_" result "have_CXX_${flag}")
|
||||||
|
SET(SAVE_CMAKE_REQUIRED_FLAGS "${CMAKE_REQUIRED_FLAGS}")
|
||||||
|
SET(CMAKE_REQUIRED_FLAGS "${CMAKE_REQUIRED_FLAGS} ${flag}")
|
||||||
|
CHECK_CXX_SOURCE_COMPILES("int main(void) { return 0; }" ${result}
|
||||||
|
${fail_patterns})
|
||||||
|
SET(CMAKE_REQUIRED_FLAGS "${SAVE_CMAKE_REQUIRED_FLAGS}")
|
||||||
|
ENDMACRO()
|
||||||
|
|
||||||
|
FUNCTION(MY_CHECK_AND_SET_COMPILER_FLAG flag)
|
||||||
|
# At the moment this is gcc-only.
|
||||||
|
# Let's avoid expensive compiler tests on Windows:
|
||||||
|
IF(WIN32)
|
||||||
|
RETURN()
|
||||||
|
ENDIF()
|
||||||
|
MY_CHECK_C_COMPILER_FLAG(${flag})
|
||||||
|
MY_CHECK_CXX_COMPILER_FLAG(${flag})
|
||||||
|
STRING(REGEX REPLACE "[-,= +]" "_" result "${flag}")
|
||||||
|
FOREACH(lang C CXX)
|
||||||
|
IF (have_${lang}_${result})
|
||||||
|
IF(ARGN)
|
||||||
|
FOREACH(type ${ARGN})
|
||||||
|
SET(CMAKE_${lang}_FLAGS_${type} "${CMAKE_${lang}_FLAGS_${type}} ${flag}" PARENT_SCOPE)
|
||||||
|
ENDFOREACH()
|
||||||
|
ELSE()
|
||||||
|
SET(CMAKE_${lang}_FLAGS "${CMAKE_${lang}_FLAGS} ${flag}" PARENT_SCOPE)
|
||||||
|
ENDIF()
|
||||||
|
ENDIF()
|
||||||
|
ENDFOREACH()
|
||||||
|
ENDFUNCTION()
|
||||||
|
|
||||||
Reference in New Issue
Block a user