| 1 |
From the info page of GCC 4.3.3 |
| 2 |
NOTE: In Gentoo, `-D_FORTIFY_SOURCE=2' is set by default, and is |
| 3 |
activated when `-O' is set to 2 or higher. This enables additional |
| 4 |
compile-time and run-time checks for several libc functions. To |
| 5 |
disable, specify either `-U_FORTIFY_SOURCE' or |
| 6 |
`-D_FORTIFY_SOURCE=0'. |
| 7 |
|
| 8 |
I have seen some FORTIFY_SOURCE bugs in the bugzilla and in some cases, |
| 9 |
people claim the the bug lies in the FORTIFY_SOURCE feature itself |
| 10 |
(that is, people claim that FORTIFY_SOURCE misidentifies a buffer overflow). |
| 11 |
One example: http://bugs.gentoo.org/show_bug.cgi?id=257016 |
| 12 |
|
| 13 |
I have installed GCC-4.3.3 (but have not enabled it through gcc-config yet), |
| 14 |
but my system is otherwise mostly stable. |
| 15 |
|
| 16 |
1) I would like to use GCC-4.3.3 because it is the latest bugfix release |
| 17 |
and is presumably more bug-free (correct?). |
| 18 |
|
| 19 |
2) But until FORTIFY_SOURCE is stable on Gentoo, I don't want it. |
| 20 |
How can I disable it? |
| 21 |
If I add -U_FORTIFY_SOURCE to CPPFLAGS (this would be the correct |
| 22 |
place to add it, right?), wouldn't it disable the feature for every |
| 23 |
package, even for those that specify FORTIFY_SOURCE on their own? |
| 24 |
|
| 25 |
I want the traditional behavior: packages that ask for FORTIFY_SOURCE |
| 26 |
get it, those that don't ask don't get it. |
| 27 |
|
| 28 |
And of course, do you know if FORTIFY_SOURECE has a significant |
| 29 |
performance cost and if it is really ready to be default (as in, |
| 30 |
it is unlikely for new false positives to appear)? |
| 31 |
|
| 32 |
Also, am I wise to use GCC 4.3.3 compiler in a mostly stable system? |
| 33 |
|
| 34 |
-- |
| 35 |
Software is like sex: it is better when it is free. --Linus Torvalds |
Archives