| 1 |
Kirby Walborn <kirby@×××××××××××××.com> posted |
| 2 |
44895C73.7090207@×××××××××××××.com, excerpted below, on Fri, 09 Jun 2006 |
| 3 |
05:33:07 -0600: |
| 4 |
|
| 5 |
> I see you have some ldflags listed. Where can a person find information |
| 6 |
> on these. I've tried to google around about them and haven't had much |
| 7 |
> luck trying to figure it out. |
| 8 |
> |
| 9 |
> BTW my cflags are: |
| 10 |
> |
| 11 |
> CFLAGS="-march=k8 -Os -pipe -fomit-frame-pointer -frename-registers - |
| 12 |
> -funit-at-a-time -fweb -freorder-blocks -freorder-blocks-and-partition - |
| 13 |
> -ftree-pre -fmerge-all-constants" |
| 14 |
> CXXFLAGS="-march=k8 -Os -pipe -fomit-frame-pointer -frename-registers - |
| 15 |
> -funit-at-a-time -fweb -freorder-blocks -ftree-pre -fmerge-all-constants" |
| 16 |
> |
| 17 |
> Duncan mentioned these a while ago and I used them with no problems. But I |
| 18 |
> was curious about ldflags if anybody has pointers. |
| 19 |
|
| 20 |
I noticed they looked familiar. =8^) |
| 21 |
|
| 22 |
The only ldflags I use are: |
| 23 |
|
| 24 |
LDFLAGS="-Wl,-z,now" |
| 25 |
|
| 26 |
If you pay attention to your emerge output, you will have likely seen |
| 27 |
warnings about various SETUID/SETGID applications, where the ebuild hasn't |
| 28 |
set this flag. It's a minor security issue for these apps, as one attack |
| 29 |
vector would be preloading an exploitable library into an otherwise safe |
| 30 |
SETUID/SETGID app run as root, then exploiting the hole in the library to |
| 31 |
run your choice of malware -- as root! Obviously, this isn't a huge issue |
| 32 |
on a system where all the human users have root access anyway, but those |
| 33 |
running hardened systems (note that Gentoo-hardened has a slightly |
| 34 |
different solution in their hardened-patched gcc that does the same thing, |
| 35 |
a slightly different way) will be interested, and the flag is a good idea |
| 36 |
for SETGID/SETUID executables even on single-human-user systems, as it |
| 37 |
shrinks the potential exposure to crackers and malware, helping keep Linux |
| 38 |
from becoming another MSWormOS. |
| 39 |
|
| 40 |
What the flag actually does is cause the resolution of all called |
| 41 |
routines up front at application load time, thus triggering the |
| 42 |
immediate load of all required dynamic-load libraries they are in, rather |
| 43 |
than leaving some of them to "lazy load" later, as they are actually |
| 44 |
needed. |
| 45 |
|
| 46 |
Other than the security aspect for SETGID/UID, this has the effect on |
| 47 |
all apps of increasing the initial load time of apps somewhat, as the |
| 48 |
various libraries are all loaded and linked in, resolving the various |
| 49 |
stubs into the full routines. Memory use can also be slightly higher, |
| 50 |
where libraries are loaded that otherwise wouldn't be, because the part of |
| 51 |
the application that uses them never happens to be run in that particular |
| 52 |
session. However, over time, they'd likely be loaded by some app or |
| 53 |
another anyway, so the practical effect isn't much more than increasing |
| 54 |
the initial load time slightly, at the same time increasing responsiveness |
| 55 |
later, when the app would otherwise have to load that library off of disk |
| 56 |
or at least load it into its memory space (if it's already in memory |
| 57 |
generally) and fully resolve the call triggering the load. |
| 58 |
|
| 59 |
Completely resolving at load time the calls that would otherwise be |
| 60 |
resolved as needed also has a debugging/troubleshooting effect. Any |
| 61 |
failed resolutions happen right away, at application load, rather than |
| 62 |
later. This is one of the reasons I like it, as if it's possible, I much |
| 63 |
prefer the failure up front to having it occur after I've spent some time |
| 64 |
with the app and possibly have unsaved work. |
| 65 |
|
| 66 |
So basically... it's not so much an optimization as a configuring my |
| 67 |
system to work the way I prefer it to work. I prefer to front-end load |
| 68 |
the library loading and routine resolution process, and know right away if |
| 69 |
there is a problem. I prefer waiting a half-second or so longer at |
| 70 |
application load time to a pause later. On tight memory systems, the |
| 71 |
additional memory use might be significant, but it certainly wasn't when I |
| 72 |
had a gig of memory (I've since upgraded to eight). Note that if the |
| 73 |
memory is needed for something else and the library hasn't been used, that |
| 74 |
memory will be flushed to swap along with other non-actively used memory, |
| 75 |
so it's not as if it should be a big problem for most even with a half a |
| 76 |
gig of memory, tho below that, I'd not recommend it. |
| 77 |
|
| 78 |
Problems? None I've found with one SIGNIFICANT exception, but I deal with |
| 79 |
it. The exception is modular-X, specifically xorg-server and certain |
| 80 |
xf86-video-* drivers (among them -ati, which I use, but also a via driver |
| 81 |
IIRC and there may be others). The problem is that for years, as xfree86 |
| 82 |
and xorg before it went modular, these things used a build and module load |
| 83 |
system that encouraged seriously interlocking dependencies, and these |
| 84 |
haven't been fully ironed out as yet. Various modules depend on functions |
| 85 |
from other modules, which in turn depend on functions in the first |
| 86 |
modules, so it's impossible to create a load order that resolves all |
| 87 |
function dependencies as they are loaded. Resolution of certain |
| 88 |
dependencies MUST be put off until later, to load the first module, so the |
| 89 |
second one, that requires the first, can load, thereby resolving the stubs |
| 90 |
in the first one as well. After they are all loaded, everything is |
| 91 |
resolved, but they are so interdependent that there is no order |
| 92 |
they can be loaded in without at least a couple (temporarily) unresolved |
| 93 |
symbols, so forcing all symbols to be resolved immediately simply doesn't |
| 94 |
work, and X will fail to start with an error about unresolved symbols. |
| 95 |
|
| 96 |
There are two possible fixes. One is to simply remember which packages |
| 97 |
won't work (simple since it's just two), and always either comment out |
| 98 |
your LDFLAGS line before merging them, or use |
| 99 |
|
| 100 |
LDFLAGS="" emerge xorg-server |
| 101 |
|
| 102 |
(and the same for xf86-drivers-ati or whatever your video driver is). The |
| 103 |
second is to add a simple filter-ldflags call to the ebuild's |
| 104 |
package_setup() function. Here's the patch I filed for xorg-server: |
| 105 |
|
| 106 |
--- xorg-server-1.0.99.903.ebuild 2006-05-13 08:36:22.000000000 -0700 |
| 107 |
+++ xorg-server-1.0.99.903.ebuild.new 2006-05-14 03:57:03.000000000 -0700 |
| 108 |
@@ -519,6 +519,9 @@ pkg_setup() { |
| 109 |
# (#121394) Causes window corruption |
| 110 |
filter-flags -fweb |
| 111 |
|
| 112 |
+ # (#116698) breaks loading |
| 113 |
+ filter-ldflags -Wl,-z,now |
| 114 |
+ |
| 115 |
# Nothing else provides new enough glxtokens.h |
| 116 |
ewarn "Forcing on xorg-x11 for new enough glxtokens.h..." |
| 117 |
OLD_IMPLEM="$(eselect opengl show)" |
| 118 |
|
| 119 |
You'll notice the bug number listed, but here's a link: |
| 120 |
|
| 121 |
http://bugs.gentoo.org/show_bug.cgi?id=116698 |
| 122 |
|
| 123 |
If nothing else, it makes for interesting reading (for those into this |
| 124 |
sort of thing <g>), with further links to the hardened bug it was |
| 125 |
originally called a duplicate of, and to a related discussion on the |
| 126 |
gentoo-devel list. My main point was that while it's one thing to say |
| 127 |
"don't use those flags then", it's quite another to say that when portage |
| 128 |
itself is saying to use them, when merging that very package! When |
| 129 |
those only following the instructions output by portage when merging a |
| 130 |
package end up with a broken installation as a result, the ebuild |
| 131 |
shouldn't be cleared for stabilization (a certain amount of such things |
| 132 |
might be expected in ~arch, but not for stable). The bug, BTW, is marked |
| 133 |
resolved/fixed, altho the fix to the ebuild wasn't quite the same as my |
| 134 |
suggested patch and I've not yet verified that it indeed totally solves |
| 135 |
the problem, as I had with my patch. |
| 136 |
|
| 137 |
Anyway, since the ldflags I use cause can cause occasional problems, and |
| 138 |
aren't much more than a personal preference thing with real tradeoffs even |
| 139 |
when they work, it's not something I can recommend, but it's something |
| 140 |
that works for me, and since you asked about what people had for their |
| 141 |
ldflags and why, I thought I'd answer. |
| 142 |
|
| 143 |
As for other LDFLAGS, I too haven't found a lot on them. Since I |
| 144 |
believe the advice elsewhere to only use them if you know what you are |
| 145 |
doing, and I don't know enough about any others to be confident using |
| 146 |
them, I don't. |
| 147 |
|
| 148 |
|
| 149 |
|
| 150 |
-- |
| 151 |
Duncan - List replies preferred. No HTML msgs. |
| 152 |
"Every nonfree program has a lord, a master -- |
| 153 |
and if you use the program, he is your master." Richard Stallman |
| 154 |
|
| 155 |
-- |
| 156 |
gentoo-amd64@g.o mailing list |
Archives