diff options
| author | Sergey Vojtovich <svoj@mariadb.org> | 2019-06-07 12:24:27 +0400 |
|---|---|---|
| committer | Sergey Vojtovich <svoj@mariadb.org> | 2019-06-07 12:47:41 +0400 |
| commit | e7695f95ae714f3168ce953fd022ddfb40f03e67 (patch) | |
| tree | c8b568e7c698a813b5d0ede6d87b9a7488525ff6 /CMakeLists.txt | |
| parent | c97c8c28b5c8b33d9b1b8563f4ce015c1668b7f1 (diff) | |
| download | mariadb-git-e7695f95ae714f3168ce953fd022ddfb40f03e67.tar.gz | |
MDEV-19360 - Disable _FORTIFY_SOURCE for ASAN builds
Those two may work incorrectly together. Namely, ASAN may produce
false positives or false negatives. For details see
https://github.com/google/sanitizers/wiki/AddressSanitizer#faq
Make SECURITY_HARDENED disabled by default if WITH_ASAN=ON
Based on contribution by Eugene Kosov.
Diffstat (limited to 'CMakeLists.txt')
| -rw-r--r-- | CMakeLists.txt | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 32e9b1e9498..083fa753b88 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -191,6 +191,8 @@ INCLUDE(check_compiler_flag) OPTION(WITH_ASAN "Enable address sanitizer" OFF) IF (WITH_ASAN) + # this flag might be set by default on some OS + MY_CHECK_AND_SET_COMPILER_FLAG("-U_FORTIFY_SOURCE" DEBUG RELWITHDEBINFO) # gcc 4.8.1 and new versions of clang MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=address -O1 -Wno-error -fPIC" DEBUG RELWITHDEBINFO) @@ -216,22 +218,22 @@ ENDIF() OPTION(WITH_UBSAN "Enable undefined behavior sanitizer" OFF) IF (WITH_UBSAN) - IF(SECURITY_HARDENED) - MESSAGE(FATAL_ERROR "WITH_UBSAN and SECURITY_HARDENED are mutually exclusive") - ENDIF() - MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=undefined" DEBUG RELWITHDEBINFO) + MY_CHECK_AND_SET_COMPILER_FLAG("-fsanitize=undefined -U_FORTIFY_SOURCE" DEBUG RELWITHDEBINFO) ENDIF() # enable security hardening features, like most distributions do # in our benchmarks that costs about ~1% of performance, depending on the load -IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6") +IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6" OR WITH_ASAN OR WITH_UBSAN) SET(security_default OFF) ELSE() SET(security_default ON) ENDIF() OPTION(SECURITY_HARDENED "Use security-enhancing compiler features (stack protector, relro, etc)" ${security_default}) IF(SECURITY_HARDENED) + IF(WITH_ASAN OR WITH_UBSAN) + MESSAGE(FATAL_ERROR "WITH_ASAN/WITH_UBSAN and SECURITY_HARDENED are mutually exclusive") + ENDIF() # security-enhancing flags MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC") MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now") |