# Compiling openjdk with extra flags. Flags ignored during build.



## Alain De Vos (Dec 13, 2021)

Make.conf:

```
MYFLAGS=" -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe "
CFLAGS+="${MYFLAGS}"
CXXFLAGS+="${MYFLAGS}"
WITH_EXTRA_CFLAGS+="${MYFLAGS}"
WITH_EXTRA_CXXFLAGS+="${MYFLAGS}"
WITH-EXTRA-CFLAGS+="${MYFLAGS}"
WITH-EXTRA-CXXFLAGS+="${MYFLAGS}"
```
openjdk configure log,

```
[00:01:07] configure: Using user selected toolchain clang (clang/LLVM). Default toolchain is gcc.
[00:01:07] configure: WARNING: Ignoring CFLAGS(-O2 -pipe  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge  -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing ) found in environment. Use --with-extra-cflags
[00:01:07] configure: WARNING: Ignoring CXXFLAGS(-O2 -pipe  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe   -DLIBICONV_PLUG ) found in environment. Use --with-extra-cxxflags
[00:01:07] configure: WARNING: Ignoring LDFLAGS( -fstack-protector-strong ) found in environment. Use --with-extra-ldflags
[00:01:07] configure: Will use user supplied compiler CC=cc
```


----------



## SirDice (Dec 13, 2021)

It's explained in the warning:

```
Use --with-extra-cflags
```


```
Use --with-extra-cxxflags
```


```
Use --with-extra-ldflags
```


----------



## Alain De Vos (Dec 13, 2021)

Currently trying,

```
MYFLAGS=" --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe "
CFLAGS+="${MYFLAGS}"
CXXFLAGS+="${MYFLAGS}"
WITH_EXTRA_CFLAGS+="${MYFLAGS}"
WITH_EXTRA_CXXFLAGS+="${MYFLAGS}"
WITH-EXTRA-CFLAGS+="${MYFLAGS}"
WITH-EXTRA-CXXFLAGS+="${MYFLAGS}"
```


----------



## SirDice (Dec 13, 2021)

Those look like options for ./configure as that seems to do the complaining. When it's a port then CONFIGURE_ARGS should probably be set. 









						Chapter 6. Special Considerations
					

Special considerations when creating a new FreeBSD Port




					docs.freebsd.org


----------



## Alain De Vos (Dec 13, 2021)

New log,

```
[00:01:07] The following warnings were produced. Repeated here for convenience:
[00:01:07] WARNING: Ignoring value of MAKE from the environment. Use command line variables instead.
[00:01:07] WARNING: Ignoring CFLAGS(-O2 -pipe  --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge  -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing ) found in environment. Use --with-extra-cflags
```
As I use poudriere i cannot set the environment directly. I'll try CONFIGURE_ARGS.


----------



## Alain De Vos (Dec 13, 2021)

No he does not want to.

Make.conf,

```
MYFLAGS=" --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe "
CFLAGS+="${MYFLAGS}"
CXXFLAGS+="${MYFLAGS}"
.if ${.CURDIR:M*/java/openjdk7}
CONFIGURE_ARGS=" --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags "
WITH_EXTRA_CFLAGS+="${MYFLAGS}"
WITH_EXTRA_CXXFLAGS+="${MYFLAGS}"
WITH-EXTRA-CFLAGS+="${MYFLAGS}"
WITH-EXTRA-CXXFLAGS+="${MYFLAGS}"
.endif
```

Log,

```
00:01:11] * Memory limit:   8120 MB
[00:01:11]
[00:01:11] The following warnings were produced. Repeated here for convenience:
[00:01:11] WARNING: Ignoring value of MAKE from the environment. Use command line variables instead.
[00:01:11] WARNING: Ignoring CFLAGS(-O2 -pipe  --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge  -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing ) found in environment. Use --with-extra-cflags
[00:01:11] WARNING: Ignoring CXXFLAGS(-O2 -pipe  --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing  --with-extra-cflags --with-extra-cxxflags --with-extra-ldflags -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe   -DLIBICONV_PLUG ) found in environment. Use --with-extra-cxxflags
[00:01:11] WARNING: Ignoring LDFLAGS( -fstack-protector-strong ) found in environment. Use --with-extra-ldflags
[00:01:11] WARNING: Option --enable-hotspot-gtest is deprecated and will be ignored.
```

And something weird in the log,

```
[00:00:58] =======================<phase: configure      >============================
[00:00:58] ===>  Configuring for openjdk17-17+35.1
[00:01:06] Warning: You are using legacy autoconf cross-compilation flags.
[00:01:06] It is recommended that you use --openjdk-target instead.
[0
```


----------



## covacat (Dec 13, 2021)

with my finger on the trigger
i run dot slash configure
yo, this package is big
but my package is bigger
            --monzy -- kill dash nine


----------



## Alain De Vos (Dec 13, 2021)

Two fingers in the nose. Where's the faxnumber of  'OpenJDK BSD Porting Team'


----------



## mark_j (Dec 14, 2021)

Does not -fcf-protection also require shadow stack -mshstk or is that with -fcf-protection=return?


----------



## Alain De Vos (Dec 14, 2021)

Good question. No idea. Gnu says,

-fcf-protection=[full|branch|return|none|check]
Enable code instrumentation of control-flow transfers to increase program security by checking that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid.  This prevents diverting the flow of control to an unexpected target.  This is intended to protect against such threats as Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP).
The value branch tells the compiler to implement checking of validity of control-flow transfer at the point of indirect branch instructions, i.e. call/jmp instructions.  The value return implements checking of validity at the point of returning from a function.  The value full is an alias for specifying both branch and return. The value none turns off instrumentation.
The value check is used for the final link with link-time optimization (LTO).  An error is issued if LTO object files are compiled with different -fcf-protection values.  The value check is ignored at the compile time.
The macro __CET__ is defined when -fcf-protection is used.  The first bit of __CET__ is set to 1 for the value branch and the second bit of __CET__ is set to 1 for the return.
You can also use the nocf_check attribute to identify which functions and calls should be skipped from instrumentation (see Function Attributes).
Currently the x86 GNU/Linux target provides an implementation based on Intel Control-flow Enforcement Technology (CET) which works for i686 processor or newer.

I have in my make.conf unset options gold & lto. So i'll ignore this flag.


----------



## covacat (Dec 14, 2021)

you need to hack the Makefile to set CONFIGURE_ARGS because they are hardwired
including --with-extra-cflags
openjdk17


----------

