For a few months now QEMU has had options to enable compiler-based control-flow integrity if built with clang.
While this feature has a low maintenance, it's probably still better to add tests to the CI environment to check that an update doesn't break it. As an added benefit, this also inherently tests LTO.

The patches allow gitlab testing of:
 * --enable-cfi: forward-edge cfi (function pointers)
 * --enable-safe-stack: backward-edge cfi (return pointers)

My original intention was to create a single chain of build -> check -> acceptance, with all the targets compiled by default. Unfortunately, the resulting artifact is too big and won't be uploaded. So I split the test in two chains, that should cover all non-deprecated targets as of today.

I also had to add a small patch to allow a custom selection for make parallelism. This is because the gitlab runner nodes only have ~3.5GB of ram, and with the default parallelism (2), in some cases two ld instances will start working on two binaries and exhaust the memory. By only forcing one make job at a time, this is avoided.

Test runs of the full pipeline are here (cfi-ci branch):
https://gitlab.com/dbuono/qemu/-/pipelines/259931154

Daniele Buono (2):
  gitlab-ci.yml: Allow custom make parallelism
  gitlab-ci.yml: Add jobs to test CFI flags

 .gitlab-ci.yml | 94 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 93 insertions(+), 1 deletion(-)

-- 
2.30.0
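As an added illustration of the setup the cover letter describes (a build -> check chain with the CFI flags and a per-job make parallelism override), not the series' own .gitlab-ci.yml: the job names, the MAKE_JOBS variable, the image name and the target list below are assumptions.

```yaml
# Added example, not QEMU's .gitlab-ci.yml. Job names, the MAKE_JOBS
# variable, the image and the target list are assumptions.
.cfi_build_template:
  stage: build
  image: $CI_REGISTRY_IMAGE/qemu/fedora:latest   # assumed clang-capable image
  script:
    # Default to two make jobs; a job can lower it because two ld
    # processes doing LTO on a ~3.5GB runner can exhaust memory.
    - JOBS=${MAKE_JOBS:-2}
    - mkdir build && cd build
    # CFI needs clang and LTO; safe-stack adds the backward-edge check.
    - ../configure --cc=clang --cxx=clang++ --enable-lto
        --enable-cfi --enable-safe-stack
        --target-list="$TARGETS"
      || { cat config.log meson-logs/meson-log.txt && exit 1; }
    - make -j"$JOBS"
  artifacts:
    expire_in: 2 days
    paths:
      - build   # only the targets in TARGETS, so the artifact stays small

# First half of the target split (assumed selection).
build-cfi-softmmu-a:
  extends: .cfi_build_template
  variables:
    TARGETS: aarch64-softmmu x86_64-softmmu
    MAKE_JOBS: 1   # one ld at a time on the low-memory runners

check-cfi-softmmu-a:
  stage: test
  needs:
    - job: build-cfi-softmmu-a
      artifacts: true
  script:
    - cd build
    - make -j"${MAKE_JOBS:-2}" check
```

A second build/check pair with the remaining targets would complete the split described in the letter.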