[libcxx-commits] [PATCH] D158823: DRAFT [libc++][hardening] Add the hardened-plus mode.
Louis Dionne via Phabricator via libcxx-commits
libcxx-commits at lists.llvm.org
Fri Aug 25 12:56:14 PDT 2023
var-const created this revision.
Herald added a project: All.
ldionne added subscribers: thakis, ldionne.
ldionne published this revision for review.
ldionne added inline comments.
Herald added a reviewer: jdoerfert.
Herald added subscribers: libcxx-commits, jplehr, sstefan1.
Herald added a project: libc++.
Herald added a reviewer: libc++.
================
Comment at: libcxx/CMakeLists.txt:51
# Basic options ---------------------------------------------------------------
option(LIBCXX_ENABLE_SHARED "Build libc++ as a shared library." ON)
option(LIBCXX_ENABLE_STATIC "Build libc++ as a static library." ON)
----------------
We need tests.
================
Comment at: libcxx/CMakeLists.txt:53
option(LIBCXX_ENABLE_STATIC "Build libc++ as a static library." ON)
option(LIBCXX_ENABLE_FILESYSTEM
"Whether to include support for parts of the library that rely on a filesystem being
----------------
@thakis We brainstormed on some names here:
```
_LIBCPP_ENABLE_HARDENED_PLUS_MODE
_LIBCPP_ENABLE_EXTENDED_HARDENED_MODE
_LIBCPP_ENABLE_STRONG_HARDENED_MODE
_LIBCPP_ENABLE_STRICT_MODE
_LIBCPP_ENABLE_PARANOID_MODE
_LIBCPP_ENABLE_FORTIFIED_MODE
_LIBCPP_ENABLE_SAFE_MODE
```
Do you have any thoughts? Our thoughts so far:
```
HARDENED_PLUS, EXTENDED_HARDENED, STRONG_HARDENED // those are kind of heavyweight names
PARANOID // has negative connotation and doesn't make it clear whether it is stronger than DEBUG
STRICT // could be confused with the notion of not having non-standard extensions
FORTIFIED // not clear whether it is stronger than HARDENED or not
SAFE // our current preference
```
In fact, before LLVM 17 we had something called the `SAFE` mode, and I think what we discovered with Chromium's use case is that it still had its place. Hence, I think what we should do is call this the `SAFE` mode, backport this change, and rework the way we announced our 17 release notes not to say that we "replaced" the safe mode, but instead that we added new modes and that we changed how the safe mode is enabled. This is IMO a superior design and a superior way of rolling it out based on our experience so far.
================
Comment at: libcxx/include/__algorithm/three_way_comp_ref_type.h:53
__expected = _Order::less;
- _LIBCPP_ASSERT(__comp_(__l, __r) == __expected, "Comparator does not induce a strict weak ordering");
+ _LIBCPP_ASSERT_UNCATEGORIZED(__comp_(__l, __r) == __expected, "Comparator does not induce a strict weak ordering");
(void)__l;
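Review bot: `_LIBCPP_ASSERT_UNCATEGORIZED` does not say which hardening mode keeps this check alive, yet the patch summary places exactly this kind of cheap, non-security-critical check (comparator sanity) in the hardened-plus mode; consider giving it a mode-specific category, or documenting in `__config` which modes enable the uncategorized macro, so a reader of this line can tell whether the "strict weak ordering" check survives in production builds. The `(void)__l;` that follows suggests the operands are otherwise unused once the assertion compiles out, so the category choice decides whether that suppression is the only residue.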
----------------
I think this should be a separate (almost NFC) patch. There might be more of those, we should fix all.
The hardened-plus mode is in-between the hardened and the debug modes,
extending the checks contained in the hardened mode with certain checks
that are relatively cheap and prevent common sources of errors but
aren't security-critical. Thus, the hardened-plus mode trades off some
performance for a wider set of checks, but unlike the debug mode, it can
still be used in production.
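An illustrative model, added here and not part of this patch or of libc++, of the tiering the summary above describes: each check carries a category and the active mode decides which categories are live, with the comparator antisymmetry check from the `three_way_comp_ref_type.h` hunk modelled as a cheap non-security check that is compiled out in the hardened mode but live in hardened-plus and debug. The `Mode` and `Category` enums, `check_enabled`, `checked_three_way` and the sample comparators are all assumed names invented for this example; the wrapper counts violations instead of trapping so it can be exercised from a test.

```cpp
// Illustrative model (assumption: not libc++ code) of tiered hardening modes.
#include <cstdio>
#include <vector>

enum class Mode { None, Hardened, HardenedPlus, Debug };

enum class Category {
    SecurityCritical,  // e.g. bounds checks: live from Hardened upwards
    CheapNonSecurity,  // e.g. comparator sanity: live from HardenedPlus upwards
    Expensive          // e.g. O(n) container invariants: Debug only
};

// Decides which categories are compiled in under a given mode. This mirrors the
// summary: hardened-plus extends hardened with cheap, non-security checks, and
// only the debug mode adds checks too expensive for production.
constexpr bool check_enabled(Mode mode, Category cat) {
    switch (cat) {
    case Category::SecurityCritical: return mode >= Mode::Hardened;
    case Category::CheapNonSecurity: return mode >= Mode::HardenedPlus;
    case Category::Expensive:        return mode >= Mode::Debug;
    }
    return false;
}

// Wraps a three-way comparator (returns <0, 0, >0). When the CheapNonSecurity
// category is live it verifies antisymmetry: comp(r, l) must have the opposite
// sign of comp(l, r), the same property the libc++ hunk asserts on. Violations
// are counted rather than aborting so the behaviour is observable from a test.
template <class Comp>
struct checked_three_way {
    Comp comp;
    Mode mode;
    int* violations;

    template <class T>
    int operator()(const T& l, const T& r) const {
        int result = comp(l, r);
        if (check_enabled(mode, Category::CheapNonSecurity)) {
            int expected = result < 0 ? 1 : (result > 0 ? -1 : 0);
            int reverse = comp(r, l);
            int reverse_sign = reverse < 0 ? -1 : (reverse > 0 ? 1 : 0);
            if (reverse_sign != expected) ++*violations;
        }
        return result;
    }
};

// Runs the wrapped comparator over every ordered pair of `v` and returns how
// many antisymmetry violations were observed (0 when the category is compiled
// out, regardless of how broken the comparator is).
template <class Comp>
int count_comparator_violations(const std::vector<int>& v, Comp comp, Mode mode) {
    int violations = 0;
    checked_three_way<Comp> checked{comp, mode, &violations};
    for (size_t i = 0; i < v.size(); ++i)
        for (size_t j = i + 1; j < v.size(); ++j)
            (void)checked(v[i], v[j]);
    return violations;
}

// A valid three-way comparator on ints.
int correct_three_way(int a, int b) { return (a > b) - (a < b); }

// A broken one: it never reports equivalence, so comp(3, 3) and its reverse
// both say "less", which is not a strict weak ordering.
int broken_three_way(int a, int b) { return a <= b ? -1 : 1; }

int main() {
    const std::vector<int> sample{3, 1, 3};  // constructed input with a duplicate
    for (Mode m : {Mode::None, Mode::Hardened, Mode::HardenedPlus, Mode::Debug}) {
        std::printf("mode %d: broken comparator violations = %d\n", static_cast<int>(m),
                    count_comparator_violations(sample, broken_three_way, m));
    }
    return 0;
}
```

The point the numbers make: the hardened mode stays silent about the broken comparator because that check is not security-critical, while hardened-plus catches it at the cost of one extra comparator call per comparison, which is the "relatively cheap" trade-off the summary describes.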
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D158823
Files:
libcxx/CMakeLists.txt
libcxx/include/__algorithm/three_way_comp_ref_type.h
libcxx/include/__config
libcxx/include/__config_site.in
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D158823.553406.patch
Type: text/x-patch
Size: 7830 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/libcxx-commits/attachments/20230825/0d94b591/attachment.bin>