Control: retitle -1 support more than one ignore-line-regexp line
Control: severity -1 wishlist
Hello Simon,
On 5/3/23 18:50, Simon Ruderich wrote:
> On Wed, May 03, 2023 at 12:21:02PM +0200, Uwe Kleine-König wrote:
>> Do you have a nice idea how to fix the test that does involve neither
>> disabling the blhc tests nor disabling the perf tests? One idea is to
>> not check debug builds (-Og or -O0) for the fortify stuff. Another is to
>> allow specifying a regexp of (possible) false positives.
>
> Hi Uwe,
>
> the method suggested by Diederik [1] is the recommended way to
> handle false positives in blhc. It's documented in the blhc man
> page: man blhc | less -p 'FALSE POSITIVES':
>
>     To suppress false positives you can embed the following
>     string in the build log:
>
>         blhc: ignore-line-regexp: REGEXP
>
>     All lines fully matching REGEXP (see --ignore-line for
>     details) will be ignored. [...]

That's how we did it now. I thought I checked the docs but somehow
missed that before reporting the bug.
As Diederik pointed out there was already an ignore-line regexp in the
kernel. As it addresses several different things, it's a long and ugly
regexp. I tried the following simplification:
index b39c230a94a6..909d53c8dfdf 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,14 +35,25 @@ build: build-arch build-indep
build-arch: debian/control
dh_testdir
+
# The perf-read-vdso* programs are built for different architectures,
# without standard flags, but are not exposed to untrusted input.
+ @printf '%s\n' 'blhc: ignore-line-regexp: .* -o *[^
]*/perf-read-vdso.*'
+
# Kernel code needs different hardening options that blhc doesn't know
# about.
+ @printf '%s\n' 'blhc: ignore-line-regexp: .* -D__KERNEL__ .*'
+
# We need to use terse builds in CI due to the log size limit. This
# mostly affects the output for builds of kernel code, which need
# different options for hardening anyway.
- @printf '%s\n' 'blhc: ignore-line-regexp: (.* -o *[^
]*/perf-read-vdso.*|.* -D__KERNEL__ .*$(if $(filter
terse,$(DEB_BUILD_OPTIONS)),| *(CC(LD)?|LD|LINK)\b.*))'
+ifeq ($(filter terse,$(DEB_BUILD_OPTIONS)),)
+ @printf '%s\n' 'blhc: ignore-line-regexp: *(CC(LD)?|LD|LINK)\b.*))'
+endif
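
Review bot: the `ifeq ($(filter terse,$(DEB_BUILD_OPTIONS)),)` guard at the end of the hunk is inverted relative to the line it replaces. The removed `$(if $(filter terse,$(DEB_BUILD_OPTIONS)),| ...)` added the CC/LD/LINK alternative only when terse is set, while `ifeq (...,)` is true when terse is absent, so this should be `ifneq`. The regexp on the added line inside that guard also still ends in `))`, left over from closing the old combined group; as written its parentheses are unbalanced and it should end at `\b.*`.
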
(Let's hope thunderbird keeps the diff as pretty after sending as it
looks now :-)
The idea is to have several ignore-line-regexp specs, where each is
simpler and can be documented individually. However that doesn't work as
blhc only uses one of them (don't remember, probably the first or the last).
I would consider it a very nice feature of blhc to support using them
all. Now that the original bug is degraded to an RTFM, I made this bug a
wishlist item for this feature.
Best regards
Uwe
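
The behaviour wished for above, sketched as an added example (Python, not blhc's own Perl code and not part of the original mail): every `blhc: ignore-line-regexp:` line in the log is collected, and a line is skipped when any one of them fully matches it. The function names, the `only_first` switch (which assumes the first directive wins, something the mail leaves open) and the sample log are constructed for illustration.

```python
import re

# A directive line as described in the blhc man page excerpt quoted above.
DIRECTIVE = re.compile(r"blhc: ignore-line-regexp: (.*)")


def collect_ignore_regexps(log_lines):
    """Return every regexp announced in the log, in order of appearance."""
    patterns = []
    for line in log_lines:
        m = DIRECTIVE.fullmatch(line)
        if m:
            patterns.append(re.compile(m.group(1)))
    return patterns


def lines_to_check(log_lines, only_first=False):
    """Return the log lines that would still be checked for hardening flags.

    only_first=True models a single-regexp implementation (assumption:
    the first directive wins); the default applies all of them.
    """
    patterns = collect_ignore_regexps(log_lines)
    if only_first:
        patterns = patterns[:1]
    return [
        line for line in log_lines
        if not DIRECTIVE.fullmatch(line)
        # "fully matching": the regexp must cover the whole line.
        and not any(p.fullmatch(line) for p in patterns)
    ]


# Constructed sample build log with two small, separately documented regexps.
SAMPLE_LOG = [
    "blhc: ignore-line-regexp: .* -D__KERNEL__ .*",
    "blhc: ignore-line-regexp:  *(CC(LD)?|LD|LINK)\\b.*",
    "gcc -O2 -D__KERNEL__ -c fs/open.c -o fs/open.o",
    "  CC      tools/perf/util/foo.o",
    "  LD      tools/perf/perf-in.o",
    "gcc -O2 -g -c util.c -o util.o",
]

if __name__ == "__main__":
    print("all directives :", lines_to_check(SAMPLE_LOG))
    print("first only     :", lines_to_check(SAMPLE_LOG, only_first=True))
```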