# CONSTANTS/VARIABLES
# Regex to catch compiler commands.
-my $cc_regex = qr/(?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
- (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
- (?:-[\d.]+)?/x;
+my $cc_regex = qr/
+ (?<!\.)(?:cc|gcc|g\+\+|c\+\+)
+ (?:-[\d.]+)?
+ /x;
+# Full regex which matches the complete compiler name. Used in a few places to
+# prevent false negatives.
+my $cc_regex_full = qr/
+ (?:[a-z0-9_]+-(?:linux-|kfreebsd-)?gnu(?:eabi|eabihf)?-)?
+ $cc_regex
+ /x;
# Regex to catch (GCC) compiler warnings.
my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) \[(.+?)\]$/;
'-fPIE',
);
my @def_cxxflags = (
- '-g',
- '-O(?:2|3)',
+ @def_cflags,
);
# @def_cxxflags_* is the same as @def_cflags_*.
my @def_cppflags = ();
'-fPIE',
'-pie',
);
-# Renaming rules for the output so the regex parts are not visible.
+my @def_ldflags_pic = (
+ '-fPIC',
+ '-fpic',
+);
+# Renaming rules for the output so the regex parts are not visible. Also
+# stores string values of flag regexps above, see compile_flag_regexp().
my %flag_renames = (
'-O(?:2|3)' => '-O2',
'-Wl,(-z,)?relro' => '-Wl,-z,relro',
sub error_flags {
my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_;
- # Rename flags if requested.
+ # Get string value of qr//-escaped regexps and if requested rename them.
my @missing_flags = map {
- (exists $flag_renames_ref->{$_})
- ? $flag_renames_ref->{$_}
- : $_
- } @{$missing_flags_ref};
+ $flag_renames_ref->{$_}
+ } @{$missing_flags_ref};
my $flags = join ' ', @missing_flags;
printf "%s (%s)%s %s",
my ($line, @flags) = @_;
foreach my $flag (@flags) {
- return 1 if $line =~ /\s$flag(?:\s|\\)/;
+ return 1 if $line =~ /$flag/;
}
return 0;
my @missing_flags = ();
foreach my $flag (@flags) {
- if ($line !~ /\s$flag(?:\s|\\)/) {
+ if (not $line =~ /$flag/) {
push @missing_flags, $flag;
}
}
my ($line, $pie, $missing_flags_ref, @flags_pie) = @_;
return 0 if not $pie;
- return 0 if not any_flags_used($line, ('-fPIC', '-fpic'));
+ return 0 if not any_flags_used($line, @def_ldflags_pic);
my %flags = map { $_ => 1 } @flags_pie;
return 1;
}
+sub compile_flag_regexp {
+ my ($flag_renames_ref, @flags) = @_;
+
+ my @result = ();
+ foreach my $flag (@flags) {
+ # Store flag name in replacement string for correct flags in messages
+ # with qr//ed flag regexps.
+ $flag_renames_ref->{qr/\s$flag(?:\s|\\)/}
+ = (exists $flag_renames_ref->{$flag})
+ ? $flag_renames_ref->{$flag}
+ : $flag;
+
+ # Compile flag regexp for faster execution.
+ push @result, qr/\s$flag(?:\s|\\)/;
+ }
+ return @result;
+}
+
sub extension_found {
my ($extensions_ref, @extensions) = @_;
$option_bindnow = 1;
}
+# Precompile all flag regexps. any_flags_used(), all_flags_used() get a lot
+# faster with this.
+@def_cflags = compile_flag_regexp(\%flag_renames, @def_cflags);
+@def_cflags_format = compile_flag_regexp(\%flag_renames, @def_cflags_format);
+@def_cflags_fortify = compile_flag_regexp(\%flag_renames, @def_cflags_fortify);
+@def_cflags_stack = compile_flag_regexp(\%flag_renames, @def_cflags_stack);
+@def_cflags_pie = compile_flag_regexp(\%flag_renames, @def_cflags_pie);
+@def_cxxflags = compile_flag_regexp(\%flag_renames, @def_cxxflags);
+@def_cppflags = compile_flag_regexp(\%flag_renames, @def_cppflags);
+@def_cppflags_fortify = compile_flag_regexp(\%flag_renames, @def_cppflags_fortify);
+@def_ldflags = compile_flag_regexp(\%flag_renames, @def_ldflags);
+@def_ldflags_relro = compile_flag_regexp(\%flag_renames, @def_ldflags_relro);
+@def_ldflags_bindnow = compile_flag_regexp(\%flag_renames, @def_ldflags_bindnow);
+@def_ldflags_pie = compile_flag_regexp(\%flag_renames, @def_ldflags_pie);
+@def_ldflags_pic = compile_flag_regexp(\%flag_renames, @def_ldflags_pic);
+
# Final exit code.
my $exit = 0;
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
- # Input lines, contain only the lines with compiler commands.
- my @input = ();
-
- my $start = 0;
- my $continuation = 0;
- my $complete_line = undef;
while (my $line = <$fh>) {
# dpkg-buildflags only provides hardening flags since 1.16.1, don't
# check for hardening flags in buildd mode if an older dpkg-dev is
#
# Packages which were built before 1.16.1 but used their own hardening
# flags are not checked.
- if ($option_buildd and not $start
- and $line =~ /^Toolchain package versions: /) {
+ if ($option_buildd and $line =~ /^Toolchain package versions: /) {
require Dpkg::Version;
if ($line !~ /dpkg-dev_(\S+)/
or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
# If hardening wrapper is used (wraps calls to gcc and adds hardening
# flags automatically) we can't perform any checks, abort.
- if (not $start and $line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
+ if ($line =~ /^Build-Depends: .*\bhardening-wrapper\b/) {
error_hardening_wrapper();
$exit |= 1 << 4;
next FILE;
# We skip over unimportant lines at the beginning of the log to
# prevent false positives.
- $start = 1 if $line =~ /^dpkg-buildpackage:/;
- next if not $start;
+ last if $line =~ /^dpkg-buildpackage:/;
+ }
+
+ # Input lines, contain only the lines with compiler commands.
+ my @input = ();
+
+ my $continuation = 0;
+ my $complete_line = undef;
+ while (my $line = <$fh>) {
# And stop at the end of the build log. Package details (reported by
# the buildd logs) are not important for us. This also prevents false
# positives.
and $line =~ /^(?:checking|(?:C|c)onfigure:) /;
next if $line =~ /^\s*(?:Host\s+)?(?:C\s+)?
(?:C|c)ompiler[\s.]*:?\s+
- $cc_regex
+ $cc_regex_full
(?:\s-std=[a-z0-9:+]+)?\s*$
/xo
- or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex\s*$/o
+ or $line =~ /^\s*(?:- )?(?:HOST_)?(?:CC|CXX)\s*=\s*$cc_regex_full\s*$/o
or $line =~ /^\s*-- Check for working (?:C|CXX) compiler: /
or $line =~ /^\s*(?:echo )?Using [A-Z_]+\s*=\s*/;
# `make` output.