The email I replied to was originally posted by "Hinnerk van Bruinehsen".

Let's see my question in detail; that might clarify it. Here is the part
of the ebuild I'm asking questions about:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 ]]; then
    if use amd64 || use x86; then
        append-flags -mno-avx
    fi
fi
"

Break it down:

"
if [[ $(gcc-major-version) -lt 4 ]]; then
    append-cxxflags -fno-stack-protector
"
23 |
The first part is a historical remnant from times before Zorry. We used |
24 |
gcc-3.4.6 for a long time. It used a different implementation for SSP. |
25 |
|
26 |
" |
27 |
elif [[ $(gcc-major-version) -gt 4 || $(gcc-minor-version) -gt 3 |
28 |
]]; then |
29 |
if use amd64 || use x86; then |
30 |
append-flags -mno-avx |
31 |
fi |
32 |
fi |
33 |
" |
34 |
|
35 |
The second part disables avx optimisations if the gcc version is newer |
36 |
than 4.3. However avx support isn't around so long and it's not mature. |
37 |
Avx is an instruction set extension, that is getting some attention |
38 |
lately. I'm lucky to have a system, with a capable processor. The block |
39 |
disabling the optimisations resides right besides the stack-protector |
40 |
statement. That's why I thought some hardened floks put it there. And I'm |
41 |
curious about the reason. |
42 |
|
43 |
Of course it might be simply there, because enabling avx optimizations can |
44 |
actually decrease performance. Like you can see it here: |
45 |
http://www.phoronix.com/scan.php?page=article&item=intel_avx_gcc&num=1 |
46 |
|
47 |
Security is more important for me compared to speed. That's why I'm |
48 |
interested in any security effect of a compiler option (like creating |
49 |
textrels or so). If it's a security problem, I won't use corei7-avx, but |
50 |
rather go for simple corei7. |
51 |
|
52 |
Regards: |
53 |
Dw. |
54 |
-- |
55 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
56 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
57 |
|
58 |
2012.Február 19.(V) 19:32 időpontban Grant ezt írta: |
>> There's a snippet in your ebuild:
>> "append-flags -mno-avx"
>>
>> What is the problem with avx? Is it an option counteracting with
>> security?
>
> I'm sorry but I'm not sure what you mean. I should change the firefox
> ebuild?
>
> - Grant
>
>
>>>>>>>> Firefox won't compile on my system due to the issue
>>>>>>>> described here:
>>>>>>>>
>>>>>>>> http://www.gossamer-threads.com/lists/gentoo/hardened/245060
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>> FWIW: I had no trouble compiling Firefox 9.0 on my amd64 system
>>>>>>> using the current stable 3.2.2-r1 kernel, gcc 4.5.3,
>>>>>>> grsec/pax enabled.
>>>>>>
>>>>>> To confirm, you aren't on a hardened profile?
>>>>>
>>>>> I am on a hardened profile, currently using
>>>>> hardened/linux/amd64/no-multilib/selinux profile, only running
>>>>> stable software.
>>>>
>>>> I don't get it then. Does anyone know why I can't compile Firefox
>>>> as described in the link above? This sums it up:
>>>>
>>>> "firefox-9.0 ebuild stalls at the install phase while xpcshell
>>>> command tops CPU usage for hours."
>>>>
>>>> Although xpcshell doesn't use any CPU for me. It just sits there
>>>> and the install phase doesn't proceed.
>>>>
>>>> - Grant
>>>>
>>>
>>> I can compile Icecat with a customized ebuild. since it's basically
>>> the same as Firefox, maybe that helps. Basically it disables jit.
>
>