Update Temurin linux builds to use suggested Security Audit gcc compiler flags

andrew-m-leonard commented 3 months ago

The Adoptium security audit outlined some suggested compiler flags for enhanced security, we need to look at evaluating those, and implementing and testing their use.

As part of the Eclipse Adoptium security audit, the following gcc options were suggested as being used to enhance the security of the JDK binaries. Code generation suggestions:

-fstack-protector-strong : Extends the basic stack protection without impacting all functions, see: https://lwn.net/Articles/584225/
--param=ssp-buffer-size=4 : param The minimum size of buffers (i.e. arrays) that receive stack smashing protection when -fstack-protector is used. This ties in with -fstack-protector-strong to better cover the stack protection.

Compiler Warning suggestions:

-Wformat : printf/scanf string checks
-D_FORTIFY_SOURCE=2 : string related compile time checks
-Wformat-security : enahnced printf/scanf string security checks
-Wshadow : warn about variable/function shadowing
-Wconversion : Warn for implicit conversions that may alter a value

sxa commented 3 months ago

Builds of jdk-22+35 (Not the GA level!) with a bunch of options. Note that while there are a lot of links in here and the builds are being retained for now this is purely as a convenience while they are being tested and they will not be retained in the future.

Architecture	Options set	AQA Result	Perf result
x64	1	TBC s/o e/o	TBC
aarch64	1	TBC s/o e/o	TBC
x64	2	TBC	TBC
aarch64	2	TBC	TBC
x64	3	TBC s/o e/o	TBC
aarch64	3	TBC s/o e/o	TBC

Initial AQA runs have been done but the openjdk set are being re-run due to them missing the testimage archive which caused a number of failures.

sxa commented 2 months ago

Noting that the -W options generate a significant amount of additional content in the logs. This is from the aarch64 builds:

$ grep -irw warning: jdk22w.none.log | cut -d: -f4-   | sort | uniq -c
      2 
      3  call to 'free' declared with attribute warning: use os::free [-Wattribute-warning]
      1  warning: call to 'calloc' declared with attribute warning: use os::malloc and zero out manually [-Wattribute-warning]
      2  warning: call to '_exit' declared with attribute warning: use os::exit [-Wattribute-warning]
      2  warning: call to 'exit' declared with attribute warning: use os::exit [-Wattribute-warning]
   1520  warning: call to 'free' declared with attribute warning: use os::free [-Wattribute-warning]
    740  warning: call to 'malloc' declared with attribute warning: use os::malloc [-Wattribute-warning]
     18  warning: call to 'posix_memalign' declared with attribute warning: don't use [-Wattribute-warning]
      7  warning: call to 'realloc' declared with attribute warning: use os::realloc [-Wattribute-warning]
      4  warning: call to 'realpath' declared with attribute warning: use os::Posix::realpath [-Wattribute-warning]
     29  warning: call to 'vsnprintf' declared with attribute warning: use os::vsnprintf [-Wattribute-warning]
      1  warning: 'jfr_event_writer_flush' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_register_stack_filter' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_type_id' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_unregister_stack_filter' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'memset' writing 696 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
      1  warning: type of 'get_lwp_regs' does not match original declaration [-Wlto-type-mismatch]
      1  warning: type of 'init_libproc' does not match original declaration [-Wlto-type-mismatch]
sxa@fedora:~/bench/x$

sxa commented 2 months ago

I'm going to ignore that earlier table for now as there were some issues with those executions. These are all run with:

JDK_REPO=https://github.com/adoptium/jdk22u
JDK_BRANCH=jdk-22+35
USE_TESTENV_PROPERTIES=false

Architecture	Job number	Options	sanity	extended[*]	perf result	Comment
x64	22+35-ea	None	(G9769nti) G9785 ✅	G9806 ❌🏃⛛	3 failures (2*net+⛛) on test-docker-ubuntu2204-x64-2 G9842 🪄
aarch64	22+35-ea	None	(G9768nti) G9783 ✅	(G9776nti) G9784 ❌🏃		Multicast test-docker-centos8-armv8-1 Re-run:9803 ➡️ G9843 🪄 ➡️
x64	38	RO	G9782 ✅	G9804 🏃⛛		⛛ on test-docker-ubuntu2004-x64-2 G9841 🪄
aarch64	24	RO	G9770 ✅	G9777 🏃➡️		➡️ on test-docker-sles15-armv8l-1 Re-run G9802 ❌ ➡️+⛛ G9744 🪄 ⛛
x64	51	-cfi-vh	G9786 ✅	G9787 ✅		test-docker-ubuntu2004-x64-5
aarch64	34	-cfi-vh	G9771 ✅	G9778 ❌🏃		sun/tools/jssdb failures on test-aws-rhel76-armv8-1 Re-run:G9801 ✅ G9745 🪄🏃⛛
x64	42	All	G9877 ❌	G9789 ❌ 🏃		Failed java/foreign in sanity, various JFR, JMX etc. tests on test-docker-ubuntu2204-x64-6 Re-run e/o G9846🪄
aarch64	26	All	G9772 ❌	G9779 🏃⛛		Failed java/foreign in sanity, ⛛ on extended)

[*] - Note: A number of the extended runs failed RuntimeImageTest - I am excluding those from the analysis here as they have been seen elsewhere as per this slack thread and this triage comment so those are unrelated to the new compiler options and should therefore be discarded in drawing any conclusions here

Notes:

Noting that the SLES15 machine fails the finalizer test but is ok with TestJCmdDump (which is generally an `OutOfMemoryError" so can possibly be ignored as it's inconsistent) The "magic machines" (Marked 🪄 for re-runs) which passed everything were test-docker-ubuntu2004-x64-5 and test-docker-ubuntu2310-armv8l-1 EDIT: Finalizer is also an OutOfMemory exception - visible in the logs and discovered in triage on some runs in the recent cycle. Table icons for the tests are:
- 🏃 RuntimeImageTest failure
- ➡️ Finaliser test failure (Seems about 50% pass rate based on G9848 from test-docker-ubuntu2004-armv8l-2) G9851 had 7/20 Finalizer fail, TestJCmdDump and RuntimeImageTest passed 20/20 Also for competeness to hold these together, Runtime and TestJcmdDump all passed but a couple of SSL ones failed 2/50 times on ubu2004-x64-5 at G9849 (re-run of 9806 from the first row of the table)
- ⛛ TestJCmdDump failure
For the "Options" column, the following were set in the configure arguments with --with-extra-cflags and --with-extra-cxxflags:
- -cfi-vh is with -fstack-protector-all -fstack-clash-protection -flto
- RO is with fstack-protector-strong --param=ssp-buffer-size=4
- all is with -fvisibility=hidden -fstack-protector-all -fstack-clash-protection -fvisibility=hidden -flto (Note that -fvisibility=hidden is included in some of the default options for the JDK, but likely not HotSpot)
- "None" is the base Temurin build with no additional options.

andrew-m-leonard commented 4 weeks ago

Noting that the -W options generate a significant amount of additional content in the logs. This is from the aarch64 builds:

$ grep -irw warning: jdk22w.none.log | cut -d: -f4-   | sort | uniq -c
      2 
      3  call to 'free' declared with attribute warning: use os::free [-Wattribute-warning]
      1  warning: call to 'calloc' declared with attribute warning: use os::malloc and zero out manually [-Wattribute-warning]
      2  warning: call to '_exit' declared with attribute warning: use os::exit [-Wattribute-warning]
      2  warning: call to 'exit' declared with attribute warning: use os::exit [-Wattribute-warning]
   1520  warning: call to 'free' declared with attribute warning: use os::free [-Wattribute-warning]
    740  warning: call to 'malloc' declared with attribute warning: use os::malloc [-Wattribute-warning]
     18  warning: call to 'posix_memalign' declared with attribute warning: don't use [-Wattribute-warning]
      7  warning: call to 'realloc' declared with attribute warning: use os::realloc [-Wattribute-warning]
      4  warning: call to 'realpath' declared with attribute warning: use os::Posix::realpath [-Wattribute-warning]
     29  warning: call to 'vsnprintf' declared with attribute warning: use os::vsnprintf [-Wattribute-warning]
      1  warning: 'jfr_event_writer_flush' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_register_stack_filter' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_type_id' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'jfr_unregister_stack_filter' violates the C++ One Definition Rule [-Wodr]
      1  warning: 'memset' writing 696 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
      1  warning: type of 'get_lwp_regs' does not match original declaration [-Wlto-type-mismatch]
      1  warning: type of 'init_libproc' does not match original declaration [-Wlto-type-mismatch]
sxa@fedora:~/bench/x$

Yes, this is an awful lot of warnings! Given it's usefulness, I won't try adding these extra -W flags

adoptium / temurin-build

Update Temurin linux builds to use suggested Security Audit gcc compiler flags #3685

Notes: