Support extra compiler flags during building (#39191)

Many Linux distributions like to use an extra set of compiler flags (via `CFLAGS`, `CXXFLAGS` and `LDFLAGS`) to produce builds that are hardened against vulnerabilities and exploits. The flags sometimes also enable extra warnings to inform packagers about potential memory issues. This pach adds support for that to dotnet/runtime. The obvious method to make this work is to just export the `CFLAGS`, `CXXFLAGS`, and `LDFLAGS` directly. This, however, enables those flags during configure-time (aka `cmake` without `--build` too). That means several cmake configure tests get executed with unexpected compiler flags. These configure tests can then report incorrect results. For example, https://bugzilla.redhat.com/show_bug.cgi?id=1712158 demonstrates an issue where the check for `strerror_r` in the runtime comes to the wrong conclusion because `-Wall` is enabled and a variable is unused. A slightly longer fix is to support another set of environment variables, and use them to set `CFLAGS`, `CXXFLAGS`, `LDFLAGS`, but only for the invocation of `cmake --build`/`make`. See #35727 for the complete details. Fixes #35727
dotnet · Aug 10, 2020 · 1ec6939 · 1ec6939
1 parent 7281349
commit 1ec6939
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/docs/workflow/building/coreclr/README.md b/docs/workflow/building/coreclr/README.md
@@ -22,6 +22,8 @@ CoreCLR also supports a 'checked' build type which has asserts enabled like 'deb
 ./build.sh -subset clr -configuration checked
 ```
 
+To pass extra compiler/linker flags to the coreclr build, set the environment variables `EXTRA_CFLAGS`, `EXTRA_CXXFLAGS` and `EXTRA_LDFLAGS` as needed. Don't set `CFLAGS`/`CXXFLAGS`/`LDFLAGS` directly as that might lead to configure-time tests failing.
+
 This will produce outputs as follows:
 
 - Product binaries will be dropped in `artifacts\bin\coreclr\<OS>.<arch>.<flavor>` folder.

diff --git a/eng/build.sh b/eng/build.sh
@@ -97,6 +97,9 @@ usage()
   echo "* Build CoreCLR for Linux x64 on Debug configuration using GCC 8.4."
   echo "./build.sh clr -gcc8.4"
   echo ""
+  echo "* Build CoreCLR for Linux x64 using extra compiler flags (-fstack-clash-protection)."
+  echo "EXTRA_CFLAGS=-fstack-clash-protection EXTRA_CXXFLAGS=-fstack-clash-protection ./build.sh clr"
+  echo ""
   echo "* Cross-compile CoreCLR runtime for Linux ARM64 on Release configuration."
   echo "./build.sh clr.runtime -arch arm64 -c release -cross"
   echo ""

diff --git a/eng/native/build-commons.sh b/eng/native/build-commons.sh
@@ -158,6 +158,17 @@ EOF
         return
     fi
 
+    SAVED_CFLAGS="${CFLAGS}"
+    SAVED_CXXFLAGS="${CXXFLAGS}"
+    SAVED_LDFLAGS="${LDFLAGS}"
+
+    # Let users provide additional compiler/linker flags via EXTRA_CFLAGS/EXTRA_CXXFLAGS/EXTRA_LDFLAGS.
+    # If users directly override CFLAG/CXXFLAGS/LDFLAGS, that may lead to some configure tests working incorrectly.
+    # See https://github.com/dotnet/runtime/issues/35727 for more information.
+    export CFLAGS="${CFLAGS} ${EXTRA_CFLAGS}"
+    export CXXFLAGS="${CXXFLAGS} ${EXTRA_CXXFLAGS}"
+    export LDFLAGS="${LDFLAGS} ${EXTRA_LDFLAGS}"
+
     if [[ "$__StaticAnalyzer" == 1 ]]; then
         pushd "$intermediatesDir"
 
@@ -176,6 +187,10 @@ EOF
         $cmake_command --build "$intermediatesDir" --target install -- -j "$__NumProc"
     fi
 
+    CFLAGS="${SAVED_CFLAGS}"
+    CXXFLAGS="${SAVED_CXXFLAGS}"
+    LDFLAGS="${SAVED_LDFLAGS}"
+
     local exit_code="$?"
     if [[ "$exit_code" != 0 ]]; then
         echo "${__ErrMsgPrefix}Failed to build \"$message\"."