gh-1262: Allow to disable backtraces entirely

* Fix hardening if backtraces are off * Ensure that all tests are passed with hardened flags * RPM: add --with/--without backtrace option (default is --with) * RPM: remove dependency on libbfd, libiberty, libz if --without backtrace * RPM: enable stripping and debuginfo if --without backtrace Backtraces are still enabled by default. Hardened flags used by RedHat: -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong --param=ssp-buffer-size=4 -pie -fPIC

gh-1262: Allow to disable backtraces entirely
a6997b0c · Roman Tsisyk · 2db60897 · a6997b0c · a6997b0c · a6997b0c
Commit a6997b0c authored 9 years ago by Roman Tsisyk
--- a/cmake/compiler.cmake
+++ b/cmake/compiler.cmake
@@ -103,14 +103,24 @@ unset(CC_DEBUG_OPT)
 #
 # Set flags for all include files: those maintained by us and
 # coming from third parties.
-# We must set -fno-omit-frame-pointer here, since we rely
-# on frame pointer when getting a backtrace, and it must
-# be used consistently across all object files.
-# The same reasoning applies to -fno-stack-protector switch.
 # Since we began using luajit, which uses gcc stack unwind
 # internally, we also need to make sure all code is compiled
 # with unwind info.
 #
+
+add_compile_flags("C;CXX" "-fexceptions" "-funwind-tables")
+
+# We must set -fno-omit-frame-pointer here, since we rely
+# on frame pointer when getting a backtrace, and it must
+# be used consistently across all object files.
+# The same reasoning applies to -fno-stack-protector switch.
+
+if (ENABLE_BACKTRACE)
+    add_compile_flags("C;CXX"
+        "-fno-omit-frame-pointer"
+        "-fno-stack-protector")
+endif()
+
 # In C a global variable without a storage specifier (static/extern) and
 # without an initialiser is called a ’tentative definition’. The
 # language permits multiple tentative definitions in the single
@@ -129,12 +139,7 @@ unset(CC_DEBUG_OPT)
 # are platforms lacking proper support for common symbols (osx).
 #

-add_compile_flags("C;CXX"
-    "-fno-common"
-    "-fno-omit-frame-pointer"
-    "-fno-stack-protector"
-    "-fexceptions"
-    "-funwind-tables")
+add_compile_flags("C;CXX" "-fno-common")

 if (NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
 # Remove VALGRIND code and assertions in *any* type of release build.

--- a/rpm/tarantool.spec
+++ b/rpm/tarantool.spec
@@ -9,9 +9,6 @@ BuildRequires: readline-devel
 BuildRequires: cmake >= 2.8
 BuildRequires: gcc >= 4.5
 BuildRequires: libyaml-devel
-# binutils and zlib are needed for stack traces in fiber.info()
-BuildRequires: binutils-devel
-BuildRequires: zlib-devel
 %if 0%{?fedora} > 0
 # pod2man is needed to build man pages
 BuildRequires: perl-podlators
@@ -31,6 +28,12 @@ Requires(preun): chkconfig
 Requires(preun): initscripts
 %endif

+%bcond_without backtrace # enabled by default
+
+%if %{with backtrace}
+# binutils and zlib are needed for stack traces in fiber.info()
+BuildRequires: binutils-devel
+BuildRequires: zlib-devel
 #
 # Disable stripping of /usr/bin/tarantool to allow the debug symbols
 # in runtime. Tarantool uses the debug symbols to display fiber's stack
@@ -40,6 +43,7 @@ Requires(preun): initscripts
 # -fPIE break backtraces
 # https://github.com/tarantool/tarantool/issues/1262
 %undefine _hardened_build
+%endif

 Name: tarantool
 # ${major}.${major}.${minor}.${patch}, e.g. 1.6.8.175
@@ -83,7 +87,11 @@ C and Lua/C modules.
         -DCMAKE_INSTALL_LOCALSTATEDIR:PATH=%{_localstatedir} \
         -DCMAKE_INSTALL_SYSCONFDIR:PATH=%{_sysconfdir} \
         -DENABLE_BUNDLED_LIBYAML:BOOL=OFF \
+%if %{with backtrace}
         -DENABLE_BACKTRACE:BOOL=ON \
+%else
+         -DENABLE_BACKTRACE:BOOL=OFF \
+%endif
 %if %{with systemd}
         -DWITH_SYSTEMD:BOOL=ON \
         -DSYSTEMD_UNIT_DIR:PATH=%{_unitdir} \

--- a/src/main.cc
+++ b/src/main.cc
@@ -179,10 +179,11 @@ sig_fatal_cb(int signo)

 	fdprintf(fd, "Current time: %u\n", (unsigned) time(0));
 	fdprintf(fd,
-		 "Please file a bug at http://github.com/tarantool/tarantool/issues\n"
-		 "Attempting backtrace... Note: since the server has "
-		 "already crashed, \nthis may fail as well\n");
+		 "Please file a bug at http://github.com/tarantool/tarantool/issues\n");
+
 #ifdef ENABLE_BACKTRACE
+	fdprintf(fd, "Attempting backtrace... Note: since the server has "
+		 "already crashed, \nthis may fail as well\n");
 	print_backtrace();
 #endif
 end: