[llvm-dev] Why are the sanitizer compiled with -fno-stack-protector ?

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Mon Nov 22 10:08:24 PST 2021


Hi Tom,

Before we try to answer "are there any other reasons to not do X",
(and I don't know the answer off the top of my head)
I'd like to hear your "reasons to do X".

Bundling -fno-stack-protector with e.g. ASAN serves no purpose that I can
see.
-fno-stack-protector is a production feature.
It is a (weak but useful) security mitigation, it doesn't help to find
bugs.
ASAN (and other sanitizers) are testing tools, not commonly used in
production.
They find stack buffer overflows much better than fno-stack-protector does.

The exception is perhaps UBSAN with minimal run-time or in trap mode.
This one *is* commonly used in production and it would be reasonable to
allow it together with -fno-stack-protector.

--kcc



On Fri, Nov 19, 2021 at 4:21 PM Tom Stellard via llvm-dev <
llvm-dev at lists.llvm.org> wrote:

> Hi,
>
> According to
> https://github.com/llvm/llvm-project/commit/5829a98c48cf9009e4887e89e3075b3058909e8e
> the sanitizers are compiled with -fno-stack-protector to avoid introducing
> a libc dependency.
> Is this still necessary? Are there any other reasons why sanitizers
> cannot be compiled with stack protector enabled?
>
> -Tom