This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via 48c0a8414ddae2a6e443a0fdd253f7944cb6a8a7 (commit) from 7ed3355c04f0978ec16f7c83214172add4e8adad (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 48c0a8414ddae2a6e443a0fdd253f7944cb6a8a7 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 24 10:55:33 2023 +0000
gcc: Harden this package
This is a major rewrite of this package which should probably be broken down into several commits, but since GCC takes many hours to build, this has now been mushed into one to keep us moving forward.
This patch re-introduces a full bootstrap of GCC.
We also build GCC with our own compiler flags and make it pass our hardening checks which includes patching the build system to build GCC itself as PIE.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: gcc/gcc.nm | 182 ++++++++------------- gcc/patches/0001-gcc-Build-with-PIE.patch | 77 +++++++++ gcc/patches/0002-libcc1-Export-all-symbols.patch | 80 +++++++++ .../a25982ada523689c8745d7fb4b1b93c8f5dab2e7.patch | 78 +++++++++ 4 files changed, 303 insertions(+), 114 deletions(-) create mode 100644 gcc/patches/0001-gcc-Build-with-PIE.patch create mode 100644 gcc/patches/0002-libcc1-Export-all-symbols.patch create mode 100644 gcc/patches/a25982ada523689c8745d7fb4b1b93c8f5dab2e7.patch
Difference in files: diff --git a/gcc/gcc.nm b/gcc/gcc.nm index 84243e48e..011329e66 100644 --- a/gcc/gcc.nm +++ b/gcc/gcc.nm @@ -8,7 +8,7 @@ build_graphite = 1
name = gcc version = 12.2.0 -release = 3 +release = 4
maintainer = Michael Tremer michael.tremer@ipfire.org groups = Development/Compilers @@ -65,15 +65,9 @@ build # Build libubsan build_libubsan = 0
- # A couple of configure arguments depending on the architecture and - # configuration. - configure_options = - - #make_bootstrap = profiledbootstrap + DIR_BUILD = %{DIR_SRC}/gcc-build
if "%{DISTRO_ARCH}" == "x86_64" - configure_options = --disable-multilib - build_libquadmath = 1 build_liblsan = 1 build_libtsan = 1 @@ -84,14 +78,7 @@ build build_libubsan = 1 end
- if "%{build_graphite}" == "1" - configure_options += \ - --with-isl - end - prepare_cmds - mkdir -v %{DIR_SRC}/gcc-build - # Remove unneeded features that will save some compile time rm -rf lib{gfortran,java,objc} gcc/{fortran,java,objc,objcp}
@@ -103,108 +90,82 @@ build # Branding gcc echo "%{DISTRO_NAME} %{version}-%{release}" > gcc/DEV-PHASE
- # Libgomp uses -Werror regardless of --disable-werror, and this will cause a - # build failure when -D_FORTIFY_SOURCE=2 causes build time warnings: - sed -e "s/-Werror//" -i libgomp/configure - # The fixincludes script is known to occasionally erroneously attempt to # "fix" the system headers installed so far. As the headers up to this point # are known to not require fixing, issue the following command to prevent # the fixincludes script from running: sed -i 's@./fixinc.sh@-c true@' gcc/Makefile.in - - sed -i gcc/Makefile.in \ - -e "s/-fno-exceptions/& -fno-asynchronous-unwind-tables/" - - #./contrib/gcc_update --touch end
- export CC=gcc - export CXX=g++ - # Disable LTO LTO_CFLAGS =
- build - cd %{DIR_SRC}/gcc-build - - # Modify CFLAGS - CFLAGS="%{CFLAGS}" - CFLAGS=$(echo ${CFLAGS} | sed -e 's/(-Wp,)?-D_FORTIFY_SOURCE=[12]//g') - CFLAGS=$(echo ${CFLAGS} | sed -e 's/-Werror=format-security//g') - CFLAGS=$(echo ${CFLAGS} | sed -e 's/-m64//g;s/-m32//g;s/-m31//g') - CFLAGS=$(echo ${CFLAGS} | sed -e 's/-mfpmath=sse/-mfpmath=sse -msse2/g') - CFLAGS=$(echo ${CFLAGS} | sed -e 's/-march=i.86//g') - CFLAGS=$(echo ${CFLAGS} | sed -e 's/ -pipe / /g') - CFLAGS=$(echo "${CFLAGS}" | sed -e 's/[[:blank:]]+/ /g') - CXXFLAGS=$(echo ${CFLAGS} | sed -e 's/ -Wall//g') - CXXFLAGS=$(echo ${CXXFLAGS} | sed -e 's/ -fexceptions / /g') - #CXXFLAGS=$(echo ${CXXFLAGS} | sed -e 's/ -Werror=format-security / -Wformat -Werror=format-security /g') - - case "${CFLAGS}" in - *-fasynchronous-unwind-tables*) - sed -i -e "s/-fno-exceptions /-fno-exceptions -fno-asynchronous-unwind-tables/" \ - ../%{thisapp}/Makefile.in - ;; - esac - - CFLAGS="${CFLAGS}" \ - CXXFLAGS="${CXXFLAGS}" \ - XCFLAGS="${CFLAGS}" \ - TCFLAGS="${CFLAGS}" \ - ../%{thisapp}/configure \ - --build=%{DISTRO_BUILDTARGET} \ - --prefix=/usr \ - --libdir=%{libdir} \ - --libexecdir=%{libdir} \ - --mandir=%{mandir} \ - --with-boot-ldflags="%{LDFLAGS}" \ - --enable-esp \ - --enable-shared \ - --enable-threads=posix \ - --enable-__cxa_atexit \ - --enable-clocale=gnu \ - --enable-languages=c,c++,lto \ - --disable-bootstrap \ - --enable-checking=release \ - --enable-default-pie \ - --enable-default-ssp \ - --disable-werror \ - --disable-libssp \ - --with-system-zlib \ - --with-bugurl=https://bugzilla.ipfire.org/ \ - --disable-libunwind-exceptions \ - --enable-gnu-unique-object \ - --enable-linker-build-id \ - --with-linker-hash-style=gnu \ - --enable-plugin \ - --enable-initfini-array \ - --disable-libgcj \ - --enable-gnu-indirect-function \ - %{configure_options} - - # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58012 - # XXX disabled flags: --disable-static - - # GCC does not support a parallel build. - make %{make_bootstrap} BOOT_CFLAGS="${CFLAGS}" %{PARALLELISMFLAGS} - - # Generate man pages. - perl -pi -e 's/head3/head2/' ../contrib/texi2pod.pl - for i in %{DIR_APP}/gcc/doc/*.texi; do - cp -a $i $i.orig; sed 's/ftable/table/' $i.orig > $i - done - make -C gcc generated-manpages - for i in %{DIR_APP}/gcc/doc/*.texi; do mv -f $i.orig $i; done + # Disable any string format security checks + STRING_FORMAT_SECURITY_CFLAGS = + + configure_options = \ + CFLAGS="%{CFLAGS}" \ + CXXFLAGS="%{CXXFLAGS}" \ + XCFLAGS="%{CFLAGS}" \ + TCFLAGS="%{CFLAGS}" \ + --build=%{DISTRO_BUILDTARGET} \ + --prefix=%{prefix} \ + --libdir=%{libdir} \ + --libexecdir=%{libdir} \ + --mandir=%{mandir} \ + --disable-static \ + --enable-shared \ + --enable-threads=posix \ + --enable-__cxa_atexit \ + --enable-languages=c,c++,lto \ + --enable-bootstrap \ + --with-build-config=bootstrap-lto \ + --enable-link-serialization=1 \ + --enable-checking=release \ + --enable-default-pie \ + --enable-default-ssp \ + --disable-werror \ + --disable-libssp \ + --with-system-zlib \ + --with-bugurl=https://bugzilla.ipfire.org/ \ + --enable-libstdcxx-backtrace \ + --disable-libstdcxx-pch \ + --with-libstdcxx-zoneinfo=%{datadir}/zoneinfo \ + --disable-libunwind-exceptions \ + --enable-gnu-unique-object \ + --enable-linker-build-id \ + --with-linker-hash-style=gnu \ + --enable-decimal-float \ + --enable-plugin \ + --enable-initfini-array \ + --disable-libgcj \ + --enable-gnu-indirect-function + + if "%{build_graphite}" == "1" + configure_options += \ + --with-isl end
+ if "%{DISTRO_ARCH}" == "x86_64" + configure_options += \ + --with-arch_64=x86-64-v2 \ + --with-arch_32=x86-64 \ + --enable-cet \ + --with-tune=generic + end + + make_build_targets += \ + profiledbootstrap \ + BOOT_CFLAGS="%{CFLAGS}" \ + BOOT_LDFLAGS="%{LDFLAGS}" \ + LDFLAGS_FOR_TARGET="%{LDFLAGS}" + #test # cd %{DIR_SRC}/gcc-build && make -k check || true # cd %{DIR_APP} && ./contrib/test_summary #end
install - cd %{DIR_SRC}/gcc-build make install DESTDIR=%{BUILDROOT}
# Check if the installation path exists. @@ -223,7 +184,8 @@ build
OUTPUT_FORMAT('`gcc -Wl,--print-output-format -nostdlib -r -o /dev/null`') GROUP ( /%{libdir}/libgcc_s.so.1 libgcc.a )' > ${FULLPATH}/libgcc_s.so - chmod 755 %{BUILDROOT}%{libdir}/libgcc_s.so.1 + chmod -v 755 ${FULLPATH}/libgcc_s.so + chmod -v 755 %{BUILDROOT}%{libdir}/libgcc_s.so.1
# Remove some GNU debugger stuff. rm -vf %{BUILDROOT}%{libdir}/lib*.py @@ -231,48 +193,40 @@ build # libgomp mv -vf %{BUILDROOT}%{libdir}/libgomp.spec ${FULLPATH}/ ln -svf ../../../libgomp.so.1.0.0 ${FULLPATH}/libgomp.so - chmod 755 %{BUILDROOT}%{libdir}/libgomp.so.1.* + chmod -v 755 %{BUILDROOT}%{libdir}/libgomp.so.1.*
# libstdc++ ln -svf ../../../libstdc++.so.6.0.30 ${FULLPATH}/libstdc++.so - mv -vf %{BUILDROOT}%{libdir}/lib{std,sup}c++.a ${FULLPATH}
# libquadmath if [ "%{build_libquadmath}" = "1" ]; then ln -svf ../../../libquadmath.so.0.0.0 ${FULLPATH}/libquadmath.so - chmod 755 %{BUILDROOT}%{libdir}/libquadmath.so.0.* + chmod -v 755 %{BUILDROOT}%{libdir}/libquadmath.so.0.* fi
# libitm mv -vf %{BUILDROOT}%{libdir}/libitm.spec ${FULLPATH}/ ln -svf ../../../libitm.so.1.0.0 ${FULLPATH}/libitm.so - chmod 755 %{BUILDROOT}%{libdir}/libitm.so.1.* + chmod -v 755 %{BUILDROOT}%{libdir}/libitm.so.1.*
# liblsan if [ "%{build_liblsan}" = "1" ]; then ln -svf ../../../liblsan.so.0.0.0 ${FULLPATH}/liblsan.so - chmod 755 %{BUILDROOT}%{libdir}/liblsan.so.* + chmod -v 755 %{BUILDROOT}%{libdir}/liblsan.so.* fi
# libtsan if [ "%{build_libtsan}" = "1" ]; then ln -svf ../../../libtsan.so.2.0.0 ${FULLPATH}/libtsan.so - chmod 755 %{BUILDROOT}%{libdir}/libtsan.so.* + chmod -v 755 %{BUILDROOT}%{libdir}/libtsan.so.* fi
# libubsan if [ "%{build_libubsan}" = "1" ]; then ln -svf ../../../libubsan.so.1.0.0 ${FULLPATH}/libubsan.so - chmod 755 %{BUILDROOT}%{libdir}/libubsan.so.* + chmod -v 755 %{BUILDROOT}%{libdir}/libubsan.so.* fi end - - keep_libraries - %{libdir}/gcc/%{DISTRO_BUILDTARGET}/%{version}/libgcc.a - %{libdir}/gcc/%{DISTRO_BUILDTARGET}/%{version}/libgcc_eh.a - %{libdir}/gcc/%{DISTRO_BUILDTARGET}/%{version}/libstdc++.a - %{libdir}/gcc/%{DISTRO_BUILDTARGET}/%{version}/libsupc++.a - end end
packages diff --git a/gcc/patches/0001-gcc-Build-with-PIE.patch b/gcc/patches/0001-gcc-Build-with-PIE.patch new file mode 100644 index 000000000..d70839599 --- /dev/null +++ b/gcc/patches/0001-gcc-Build-with-PIE.patch @@ -0,0 +1,77 @@ +From 8690dbe058f3ca8af0499a545c4b4cc6a5dc089a Mon Sep 17 00:00:00 2001 +From: Michael Tremer michael.tremer@ipfire.org +Date: Tue, 21 Mar 2023 16:58:02 +0000 +Subject: [PATCH 1/2] gcc: Build with PIE + +This patch removes that GCC will be compiled with -fno-PIE/-no-pie. + +This will break PCH. + +Signed-off-by: Michael Tremer michael.tremer@ipfire.org +--- + gcc/Makefile.in | 9 --------- + gcc/configure.ac | 28 ---------------------------- + 2 files changed, 37 deletions(-) + +diff --git a/gcc/Makefile.in b/gcc/Makefile.in +index 31ff95500c9..530928a3cde 100644 +--- a/gcc/Makefile.in ++++ b/gcc/Makefile.in +@@ -267,15 +267,6 @@ endif + CET_HOST_FLAGS = @CET_HOST_FLAGS@ + COMPILER += $(CET_HOST_FLAGS) + +-NO_PIE_CFLAGS = @NO_PIE_CFLAGS@ +-NO_PIE_FLAG = @NO_PIE_FLAG@ +- +-# We don't want to compile the compilers with -fPIE, it make PCH fail. +-COMPILER += $(NO_PIE_CFLAGS) +- +-# Link with -no-pie since we compile the compiler with -fno-PIE. +-LINKER += $(NO_PIE_FLAG) +- + # Like LINKER, but use a mutex for serializing front end links. + ifeq (@DO_LINK_MUTEX@,true) + LLINKER = $(SHELL) $(srcdir)/lock-and-run.sh linkfe.lck $(LINKER) +diff --git a/gcc/configure.ac b/gcc/configure.ac +index 992a50e7b20..62cd94bffb8 100644 +--- a/gcc/configure.ac ++++ b/gcc/configure.ac +@@ -7641,34 +7641,6 @@ if test x$enable_default_pie = xyes ; then + fi + AC_SUBST([enable_default_pie]) + +-# Check if -fno-PIE works. +-AC_CACHE_CHECK([for -fno-PIE option], +- [gcc_cv_c_no_fpie], +- [saved_CXXFLAGS="$CXXFLAGS" +- CXXFLAGS="$CXXFLAGS -fno-PIE" +- AC_COMPILE_IFELSE([AC_LANG_SOURCE([int main(void) {return 0;}])], +- [gcc_cv_c_no_fpie=yes], +- [gcc_cv_c_no_fpie=no]) +- CXXFLAGS="$saved_CXXFLAGS"]) +-if test "$gcc_cv_c_no_fpie" = "yes"; then +- NO_PIE_CFLAGS="-fno-PIE" +-fi +-AC_SUBST([NO_PIE_CFLAGS]) +- +-# Check if -no-pie works. +-AC_CACHE_CHECK([for -no-pie option], +- [gcc_cv_no_pie], +- [saved_LDFLAGS="$LDFLAGS" +- LDFLAGS="$LDFLAGS -no-pie" +- AC_LINK_IFELSE([AC_LANG_SOURCE([int main(void) {return 0;}])], +- [gcc_cv_no_pie=yes], +- [gcc_cv_no_pie=no]) +- LDFLAGS="$saved_LDFLAGS"]) +-if test "$gcc_cv_no_pie" = "yes"; then +- NO_PIE_FLAG="-no-pie" +-fi +-AC_SUBST([NO_PIE_FLAG]) +- + # Enable Intel CET on Intel CET enabled host if jit is enabled. + GCC_CET_HOST_FLAGS(CET_HOST_FLAGS) + case x$enable_languages in +-- +2.30.2 + diff --git a/gcc/patches/0002-libcc1-Export-all-symbols.patch b/gcc/patches/0002-libcc1-Export-all-symbols.patch new file mode 100644 index 000000000..113c314c4 --- /dev/null +++ b/gcc/patches/0002-libcc1-Export-all-symbols.patch @@ -0,0 +1,80 @@ +From 439c8e21de5245d3f345bd796f3131be319f54d2 Mon Sep 17 00:00:00 2001 +From: Michael Tremer michael.tremer@ipfire.org +Date: Tue, 21 Mar 2023 17:52:04 +0000 +Subject: [PATCH 2/2] libcc1: Export all symbols + +This patches removes the -export-symbols option when linking libcc1 and +its plugins as it is breaking our hardening check where we are looking +for a reference to __stack_chk_fail in the symbol table. + +Signed-off-by: Michael Tremer michael.tremer@ipfire.org +--- + libcc1/Makefile.am | 6 +++--- + libcc1/Makefile.in | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/libcc1/Makefile.am b/libcc1/Makefile.am +index 6e3a34ff7e2..7eb8ec9178c 100644 +--- a/libcc1/Makefile.am ++++ b/libcc1/Makefile.am +@@ -54,7 +54,7 @@ shared_source = callbacks.cc callbacks.hh connection.cc connection.hh \ + marshall_c_source = marshall-c.hh + marshall_cxx_source = marshall-cp.hh + +-libcc1plugin_la_LDFLAGS = -module -export-symbols $(srcdir)/libcc1plugin.sym ++libcc1plugin_la_LDFLAGS = -module + libcc1plugin_la_SOURCES = libcc1plugin.cc context.cc context.hh \ + $(shared_source) $(marshall_c_source) + libcc1plugin.lo_CPPFLAGS = $(CPPFLAGS_FOR_C) +@@ -64,7 +64,7 @@ libcc1plugin_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXXLD) $(AM_CXXFLAGS) \ + $(CXXFLAGS) $(libcc1plugin_la_LDFLAGS) $(LTLDFLAGS) -o $@ + +-libcp1plugin_la_LDFLAGS = -module -export-symbols $(srcdir)/libcp1plugin.sym ++libcp1plugin_la_LDFLAGS = -module + libcp1plugin_la_SOURCES = libcp1plugin.cc context.cc context.hh \ + $(shared_source) $(marshall_cxx_source) + libcp1plugin.lo_CPPFLAGS = $(CPPFLAGS_FOR_CXX) +@@ -75,7 +75,7 @@ libcp1plugin_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \ + $(CXXFLAGS) $(libcp1plugin_la_LDFLAGS) $(LTLDFLAGS) -o $@ + + LTLDFLAGS = $(shell $(SHELL) $(top_srcdir)/../libtool-ldflags $(LDFLAGS)) +-libcc1_la_LDFLAGS = -module -export-symbols $(srcdir)/libcc1.sym ++libcc1_la_LDFLAGS = -module + libcc1_la_SOURCES = findcomp.cc libcc1.cc libcp1.cc \ + compiler.cc compiler.hh names.cc names.hh $(shared_source) \ + $(marshall_c_source) $(marshall_cxx_source) +diff --git a/libcc1/Makefile.in b/libcc1/Makefile.in +index f8f590d71e9..aa3d45bcef4 100644 +--- a/libcc1/Makefile.in ++++ b/libcc1/Makefile.in +@@ -405,7 +405,7 @@ shared_source = callbacks.cc callbacks.hh connection.cc connection.hh \ + + marshall_c_source = marshall-c.hh + marshall_cxx_source = marshall-cp.hh +-libcc1plugin_la_LDFLAGS = -module -export-symbols $(srcdir)/libcc1plugin.sym ++libcc1plugin_la_LDFLAGS = -module + libcc1plugin_la_SOURCES = libcc1plugin.cc context.cc context.hh \ + $(shared_source) $(marshall_c_source) + +@@ -416,7 +416,7 @@ libcc1plugin_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CXXLD) $(AM_CXXFLAGS) \ + $(CXXFLAGS) $(libcc1plugin_la_LDFLAGS) $(LTLDFLAGS) -o $@ + +-libcp1plugin_la_LDFLAGS = -module -export-symbols $(srcdir)/libcp1plugin.sym ++libcp1plugin_la_LDFLAGS = -module + libcp1plugin_la_SOURCES = libcp1plugin.cc context.cc context.hh \ + $(shared_source) $(marshall_cxx_source) + +@@ -428,7 +428,7 @@ libcp1plugin_la_LINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) \ + $(CXXFLAGS) $(libcp1plugin_la_LDFLAGS) $(LTLDFLAGS) -o $@ + + LTLDFLAGS = $(shell $(SHELL) $(top_srcdir)/../libtool-ldflags $(LDFLAGS)) +-libcc1_la_LDFLAGS = -module -export-symbols $(srcdir)/libcc1.sym ++libcc1_la_LDFLAGS = -module + libcc1_la_SOURCES = findcomp.cc libcc1.cc libcp1.cc \ + compiler.cc compiler.hh names.cc names.hh $(shared_source) \ + $(marshall_c_source) $(marshall_cxx_source) +-- +2.30.2 + diff --git a/gcc/patches/a25982ada523689c8745d7fb4b1b93c8f5dab2e7.patch b/gcc/patches/a25982ada523689c8745d7fb4b1b93c8f5dab2e7.patch new file mode 100644 index 000000000..6a0f4d2f0 --- /dev/null +++ b/gcc/patches/a25982ada523689c8745d7fb4b1b93c8f5dab2e7.patch @@ -0,0 +1,78 @@ +From a25982ada523689c8745d7fb4b1b93c8f5dab2e7 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" hjl.tools@gmail.com +Date: Thu, 14 Jul 2022 08:23:38 -0700 +Subject: [PATCH] stack-protector: Check stack canary before throwing exception + +Check stack canary before throwing exception to avoid stack corruption. + +gcc/ + + PR middle-end/58245 + * calls.cc: Include "tree-eh.h". + (expand_call): Check stack canary before throwing exception. + +gcc/testsuite/ + + PR middle-end/58245 + * g++.dg/fstack-protector-strong.C: Adjusted. + * g++.dg/pr58245-1.C: New test. +--- + gcc/calls.cc | 6 +++++- + gcc/testsuite/g++.dg/fstack-protector-strong.C | 2 +- + gcc/testsuite/g++.dg/pr58245-1.C | 10 ++++++++++ + 3 files changed, 16 insertions(+), 2 deletions(-) + create mode 100644 gcc/testsuite/g++.dg/pr58245-1.C + +diff --git a/gcc/calls.cc b/gcc/calls.cc +index bc96aff38f0..6dd6f73e978 100644 +--- a/gcc/calls.cc ++++ b/gcc/calls.cc +@@ -60,6 +60,7 @@ along with GCC; see the file COPYING3. If not see + #include "attr-fnspec.h" + #include "value-query.h" + #include "tree-pretty-print.h" ++#include "tree-eh.h" + + /* Like PREFERRED_STACK_BOUNDARY but in units of bytes, not bits. */ + #define STACK_BYTES (PREFERRED_STACK_BOUNDARY / BITS_PER_UNIT) +@@ -3154,7 +3155,10 @@ expand_call (tree exp, rtx target, int ignore) + if (pass && (flags & ECF_MALLOC)) + start_sequence (); + +- if (pass == 0 ++ /* Check the canary value for sibcall or function which doesn't ++ return and could throw. */ ++ if ((pass == 0 ++ || ((flags & ECF_NORETURN) != 0 && tree_could_throw_p (exp))) + && crtl->stack_protect_guard + && targetm.stack_protect_runtime_enabled_p ()) + stack_protect_epilogue (); +diff --git a/gcc/testsuite/g++.dg/fstack-protector-strong.C b/gcc/testsuite/g++.dg/fstack-protector-strong.C +index ae6d2fdb8df..034af2ce9ab 100644 +--- a/gcc/testsuite/g++.dg/fstack-protector-strong.C ++++ b/gcc/testsuite/g++.dg/fstack-protector-strong.C +@@ -85,4 +85,4 @@ int foo7 (B *p) + return p->return_slot ().a1; + } + +-/* { dg-final { scan-assembler-times "stack_chk_fail" 7 } } */ ++/* { dg-final { scan-assembler-times "stack_chk_fail" 8 } } */ +diff --git a/gcc/testsuite/g++.dg/pr58245-1.C b/gcc/testsuite/g++.dg/pr58245-1.C +new file mode 100644 +index 00000000000..1439bc62e71 +--- /dev/null ++++ b/gcc/testsuite/g++.dg/pr58245-1.C +@@ -0,0 +1,10 @@ ++/* { dg-do compile { target i?86-*-* x86_64-*-* rs6000-*-* s390x-*-* } } */ ++/* { dg-options "-O2 -fstack-protector-all" } */ ++ ++void ++bar (void) ++{ ++ throw 1; ++} ++ ++/* { dg-final { scan-assembler-times "stack_chk_fail" 1 } } */ +-- +2.31.1 +
hooks/post-receive -- IPFire 3.x development tree