Skip to content

[SYCL][CMake] Fix and apply hardening flags to sycl-rel-6_2 #19444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Jul 16, 2025
Merged

[SYCL][CMake] Fix and apply hardening flags to sycl-rel-6_2 #19444

merged 14 commits into from
Jul 16, 2025

Conversation

AlexeySachkov
Copy link
Contributor

@AlexeySachkov AlexeySachkov commented Jul 15, 2025
edited
Loading

This PR contains several cherry-picks and some unique changes which have not been applied to the sycl branch yet.

The intent of this PR is to enable as much (quickly) possible hardening flags to be in better compliance with our SDL requirements.
The main thing this PR is after are things like immediate bindings, fortify source, stack protection and relro.
The thing that this PR is not after are extra warning flags - some of them we can't apply globally because LLVM itself isn't warning free, some of them we can't apply even locally to SYCL RT because we haven't fixed corresponding warnings yet.

Patches which were cherry-picked from the sycl branch:

Additional changes which have not been applied to the sycl branch:

  • Adjusted configure.py to the new way of -fPIE handling
  • Dropped /sdl flag because LLVM isn't warning-free
    • it will be applied locally to SYCL RT in a separate PR against the sycl branch for future releases
  • Dropped /analyze flag because SYCL RT isn't warning-free
    • it will be applied locally to SYCL RT in a separate PR against the sycl branch for future releases

AlexeySachkov and others added 13 commits July 11, 2025 15:01
@AlexeySachkov
[SYCL] Fix AddSecurityFlags having no side effects (#17690)
156fbe1 
CMake has a notion of scopes for variables and we fell into a pitfall of
setting local variables instead of applying changes globally to the
whole project.

For reference, see:
- https://cmake.org/cmake/help/v3.20/command/set.html
- https://cmake.org/cmake/help/v3.20/command/include.html
@KornevNikita @AlexeySachkov
[SYCL] Refresh hardening flags applied to the project (#18398)
eac6c88 
Co-authored-by: Alexey Sachkov <[email protected]>
@AlexeySachkov
[SYCL][CMAKE] Refactor -fPIE handling (#19235)
9307ed8 
CMake is capable of setting `-fPIE` correctly and we don't need to
intervene with that.

Without the patch, I see the following errors:

```
FAILED: lib/libze_trace_collector.so
: && /usr/bin/clang++ -fPIC -fPIC -fno-semantic-interposition -fvisibility-inlines-hidden -Werror=date-time -Werror=unguarded-availability-new -Wall -Wextra -Wno-unused-parameter -Wwrite
-strings -Wcast-qual -Wmissing-field-initializers -pedantic -Wno-long-long -Wc++98-compat-extra-semi -Wimplicit-fallthrough -Wcovered-switch-default -Wno-noexcept-type -Wnon-virtual-dtor
 -Wdelete-non-virtual-dtor -Wsuggest-override -Wstring-conversion -Wmisleading-indentation -Wctad-maybe-unsupported -fdiagnostics-color -ffunction-sections -fdata-sections -Wall -Wextra 
-fcf-protection=full -Wformat -Wformat-security -fPIC -fPIE -Wno-covered-switch-default -Wall -Wextra -Werror -O2 -g -DNDEBUG  -Wl,-z,defs -Wl,-z,nodelete -pie -shared -Wl,-soname,libze_
trace_collector.so -o lib/libze_trace_collector.so tools/sycl/tools/sycl-trace/CMakeFiles/ze_trace_collector.dir/ze_trace_collector.cpp.o  -Wl,-rpath,build/lib:  lib/libxptifw.so  -ldl && :
clang++: error: argument unused during compilation: '-pie' [-Werror,-Wunused-command-line-argument]
```
@AlexeySachkov
[SYCL][CMAKE] Drop nodlopen from hardening flags (#19357)
a72b0de 
We can't have this flag being applied globally, because it then affects
SYCL RT which has plenty of libraries that are supposed to be `dlopen`ed
by design.

It probably makes sense to apply `nodlopen` for some of our executables,
but that should be done on a case-by-case basis.

For now, let's just fix the toolchain with hardening flags applied, any
improvements can be done as a follow-up later.
@AlexeySachkov
[SYCL][CMAKE] Fix _FORTIFY_SOURCE=3 (#19268)
7264235 
The problem here is that the macro is actually handled by glibc and
value `3` isn't supported with older compiler/glibc combinations,
causing warnings about the macro redefinition.

We still have to support older compilers/glibc and therefore two changes
were made:
- UR skips setting their own `_FORTIFY_SOURCE` in favor of a global one
if it is built as part of LLVM (i.e. not standalone)
- Before setting `_FORTIFY_SOURCE` globally we check the compiler and
fallback to value `2` for older gcc
@AlexeySachkov
[SYCL][CMAKE] Drop extra warnings for now
df6fafa
@AlexeySachkov
Automatically enable CMAKE_POSITION_INDEPENDENT_CODE for hardening flags
3322d25
@AlexeySachkov
Drop /sdl flag - LLVM isn't warning-free so we can't apply it globally
b8519cb
@AlexeySachkov
Silence weird warning on Windows
00eb54c
@AlexeySachkov
Disable -Werror on windows if hardening flags are enabled
da704f2
@AlexeySachkov
Revert "Silence weird warning on Windows"
5ac4656 
This reverts commit 00eb54c.
@AlexeySachkov
Also disable -Werror for XPTI on Windows
847d442
@AlexeySachkov
Drop /analyze instead of /WX
a34584e
@AlexeySachkov
Copy link
Contributor Author

Notes for reviewers:

Additional changes which have not been applied to the sycl branch - these are the only 3 commits which introduce changes that haven't been reviewed at the sycl branch.

  • Adjusted configure.py to the new way of -fPIE handling - 3322d25
  • Dropped /sdl flag because LLVM isn't warning-free - b8519cb
  • Dropped /analyze flag because SYCL RT isn't warning-free - a34584e

I didn't put those commit references to the PR description, because they will be useless in the final squashed commit that will go into the repo.

You can also see more commits in this PR, but this was a process of some trial and error in figuring out the best approach at getting the project buildable with hardening flags enabled. They were all effectively reverted and all changes that remained are outlined above.

I also ran nightly validation for this PR to increase scope of testing here: https://github.com/intel/llvm/actions/runs/16271004049
I consider it successful and the only two failures I see there are some sporadic unrelated things.

@AlexeySachkov AlexeySachkov marked this pull request as ready for review July 15, 2025 10:29
@AlexeySachkov AlexeySachkov requested review from a team as code owners July 15, 2025 10:29
sarnex
sarnex approved these changes Jul 15, 2025
View reviewed changes
Copy link
Contributor

@sarnex sarnex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

configure.py lgtm

@sarnex sarnex requested a review from a team July 15, 2025 18:38
@AlexeySachkov
[SYCL][CMake] Properly enable -pie hardening flag (#19447)
4c5bd04 
We rely on CMake to set the right set of compliation and link flags to
enable positition independent code and position independent execution.

Before this commit, necessary compliation flags were applied just fine,
but link flags were missing. To get link flags, some extra CMake
functions should be called.
@AlexeySachkov
Copy link
Contributor Author

An updated nightly validation run which includes the new cherry-picked commit about -pie: https://github.com/intel/llvm/actions/runs/16312203635 - once again I consider it successful - there is only one failure, which is flaky and unrelated.

maarquitos14
maarquitos14 reviewed Jul 16, 2025
View reviewed changes
Copy link
Contributor

@maarquitos14 maarquitos14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@AlexeySachkov
Copy link
Contributor Author

Pre-commit on this release branch isn't fully configured, because some CI scripts are out-of-date. However, I did perform nightly validation on the PR and its results were good, I will proceed with the merge

@AlexeySachkov AlexeySachkov merged commit 05e047c into sycl-rel-6_2 Jul 16, 2025
21 of 35 checks passed
@AlexeySachkov AlexeySachkov deleted the private/asachkov/fix-and-apply-hardening-flags branch July 16, 2025 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kbenzie kbenzie kbenzie approved these changes

@sarnex sarnex sarnex approved these changes

@maarquitos14 maarquitos14 maarquitos14 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@AlexeySachkov @kbenzie @sarnex @maarquitos14 @KornevNikita