Daniele Buono <dbu...@linux.vnet.ibm.com> writes:
> For a few months now QEMU has had options to enable compiler-based
> control-flow integrity if built with clang.
>
> While this feature has a low maintenance, it's probably still better to
> add tests to the CI environment to check that an update doesn't break it.
>
> The patchset allows gitlab testing of:
> * --enable-cfi: forward-edge cfi (function pointers)
> * --enable-safe-stack: backward-edge cfi (return pointers)
> As an added benefit, this also inherently tests LTO.
>
> The first patch allows a custom selection for linker parallelism.
> Currently, make parallelism at build time is based on the number
> of cpus available.
> This doesn't work well with LTO at linking, because the linker has to
> load in memory all the intermediate object files for optimization.
> If the gitlab runner happens to run two linking processes at the same
> time, the job will fail with an out-of-memory error.
> The patch leverages the ability to maintain high parallelism at
> compile time, but limit the number of linkers executed in parallel.
>
> The second patch introduces the ci/cd jobs in the gitlab pipeline.
> To maintain a limited number of short jobs, Daniel suggested to only
> test targets where KVM is available. This restricted the jobs to
> x86_64, ppc64, aarch64 and s390x. To keep the jobs under 1 hour, I
> created three chains of build -> check -> acceptance jobs, divided by
> architecture vendor (Intel, ARM, IBM).
>
> For build, we have to select --enable-slirp=git, because CFI needs a
> statically linked version of slirp, with CFI information. More info on
> this can be found in a comment in .gitlab-ci.yml, or on a patch for
> meson currently in ML:
> https://www.mail-archive.com/qemu-devel@nongnu.org/msg787636.html
>
> Test runs of the full pipeline are here (cfi-ci-v3 branch):
> https://gitlab.com/dbuono/qemu/-/pipelines/264484574

Queued to testing/next, thanks.

-- 
Alex Bennée