toolchain: gcc: add fanalyzer config option

Add gcc config option for fanalyzer. As a result of this option, a static
analysis of the program flow is conducted, allowing interprocedural paths
to be identified and warnings to be issued if problems are identified.

Link: https://github.com/openwrt/openwrt/pull/12576
Signed-off-by: Nick Hainke <vincent@systemli.org>

2 files changed, 15 insertions, 0 deletions

diff --git a/config/Config-build.in b/config/Config-build.in
index caeae79944..5eaca5a945 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -250,6 +250,15 @@ menu "Global build settings"
 
 	comment "Hardening build options"
 
+	config PKG_FANALYZER
+		bool
+		prompt "Enable gcc fanalyzer"
+		default n
+		help
+		  Add -fanalyzer to the CFLAGS. As a result of this option, a static analysis
+		  of the program flow is conducted, allowing interprocedural paths to be
+		  identified and warnings to be issued if problems are identified.
+
 	config PKG_CHECK_FORMAT_SECURITY
 		bool
 		prompt "Enable gcc format-security"
diff --git a/include/hardening.mk b/include/hardening.mk
index 1565e5aa27..c5d836eec0 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -9,6 +9,7 @@ PKG_SSP ?= 1
 PKG_FORTIFY_SOURCE ?= 1
 PKG_RELRO ?= 1
 PKG_DT_RELR ?= 1
+PKG_FANALYZER ?= 0
 
 ifdef CONFIG_PKG_CHECK_FORMAT_SECURITY
   ifeq ($(strip $(PKG_CHECK_FORMAT_SECURITY)),1)
@@ -77,3 +78,8 @@ ifdef CONFIG_PKG_DT_RELR
   endif
 endif
 
+ifdef CONFIG_PKG_FANALYZER
+  ifeq ($(strip $(PKG_FANALYZER)),1)
+    TARGET_CFLAGS +=  -fanalyzer
+  endif
+endif