On 2025-10-22 14:09, Basil L. Contovounesios wrote:
> does it make sense to update the Info node
> "(gnulib) Writing reliable code" to mention any of
> _FORTIFY_SOURCE=3, GCC's -fhardened, or -fsanitize-trap=all in
> place of the now-deprecated -fsanitize-undefined-trap-on-error?
Thanks for the suggestion. I took a stab at that by installing the
attached. Comments welcome.

From 39540147a0b7e9bb76379d6f2231a3149903eac9 Mon Sep 17 00:00:00 2001
From: Paul Eggert <[email protected]>
Date: Thu, 23 Oct 2025 23:10:44 -0700
Subject: [PATCH 1/2] doc: allow for _FORTIFY_SOURCE = 3
Problem reported by Basil L. Contovounesios in:
https://lists.gnu.org/r/bug-gnulib/2025-10/msg00068.html
---
doc/gnulib-readme.texi | 4 ++--
doc/posix-functions/longjmp.texi | 2 +-
lib/vasnprintf.c | 2 +-
m4/printf.m4 | 4 ++--
tests/test-sigsegv-catch-stackoverflow1.c | 2 +-
tests/test-sigsegv-catch-stackoverflow2.c | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/gnulib-readme.texi b/doc/gnulib-readme.texi
index 051babc516..495b7359e3 100644
--- a/doc/gnulib-readme.texi
+++ b/doc/gnulib-readme.texi
@@ -672,7 +672,7 @@ options appropriate for your compiler. For example:
./configure \
CPPFLAGS='-Wall'\
CFLAGS='-g3 -O2'\
-' -D_FORTIFY_SOURCE=2'\
+' -D_FORTIFY_SOURCE=3'\
' -fsanitize=undefined'\
' -fsanitize-undefined-trap-on-error'
@end example
@@ -682,7 +682,7 @@ Here:
@itemize @bullet
@item
-@code{-D_FORTIFY_SOURCE=2} enables extra security hardening checks in
+@code{-D_FORTIFY_SOURCE=3} enables extra security hardening checks in
the GNU C library.
@item
@code{-fsanitize=undefined} enables GCC's undefined behavior sanitizer
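Review bot: the updated item still says only that level 3 "enables extra security hardening checks", which tells readers neither what changed from level 2 nor what it requires. Suggest one more sentence: level 3 extends the level-2 checks to buffer sizes known only at run time (via __builtin_dynamic_object_size), needs GCC 12 or later and a glibc that supports level 3, and older glibc headers silently treat any value above 2 as level 2, so readers on an older toolchain get no error and no extra benefit. Like level 2, it only checks anything at -O1 or higher, which the example's -O2 already covers.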
diff --git a/doc/posix-functions/longjmp.texi b/doc/posix-functions/longjmp.texi
index 8860133b6b..a78f6a3f71 100644
--- a/doc/posix-functions/longjmp.texi
+++ b/doc/posix-functions/longjmp.texi
@@ -24,7 +24,7 @@ you need to clear the @code{SS_ONSTACK} flag in the @code{stack_t}
structure managed by the kernel.
@item
This function may crash when the invoker code was compiled with option
-@code{-D_FORTIFY_SOURCE=2},
+@code{_FORTIFY_SOURCE >= 2}
@c https://sourceware.org/PR32522
on Hurd.
@end itemize
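Review bot: the replacement line drops the trailing comma and now reads "compiled with option @code{_FORTIFY_SOURCE >= 2} on Hurd", but "_FORTIFY_SOURCE >= 2" is a condition, not an option, so "with option" no longer fits. Suggest "This function may crash when the invoker code was compiled with @code{_FORTIFY_SOURCE} set to 2 or greater" (or "with @code{-D_FORTIFY_SOURCE=2} or higher"), which also keeps the @c PR reference attached to a complete sentence.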
diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index 614da3187c..5ca73e92a7 100644
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -6959,7 +6959,7 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp,
/* The following platforms forbid %n:
- On glibc2 systems from 2004-10-18 or newer, the use of
%n in format strings in writable memory may crash the
- program (if compiled with _FORTIFY_SOURCE=2).
+ program (if compiled with _FORTIFY_SOURCE >= 2).
- On macOS 10.13 or newer, the use of %n in format
strings in writable memory by default crashes the
program.
diff --git a/m4/printf.m4 b/m4/printf.m4
index 3aadf99c5b..ccd856fc1a 100644
--- a/m4/printf.m4
+++ b/m4/printf.m4
@@ -937,7 +937,7 @@ int main ()
_CrtSetReportMode (_CRT_ASSERT, 0);
#endif
signal (SIGABRT, abort_handler);
- /* Copy the format string. Some systems (glibc with _FORTIFY_SOURCE=2)
+ /* Copy the format string. Some systems (glibc with _FORTIFY_SOURCE >= 2)
support %n in format strings in read-only memory but not in writable
memory. */
strcpy (fmtstring, "%d %n");
@@ -1849,7 +1849,7 @@ int main ()
{
int count = -1;
signal (SIGABRT, abort_handler);
- /* Copy the format string. Some systems (glibc with _FORTIFY_SOURCE=2)
+ /* Copy the format string. Some systems (glibc with _FORTIFY_SOURCE >= 2)
support %n in format strings in read-only memory but not in writable
memory. */
strcpy (fmtstring, "%d %n");
diff --git a/tests/test-sigsegv-catch-stackoverflow1.c b/tests/test-sigsegv-catch-stackoverflow1.c
index a37912f3dd..d2d15b9899 100644
--- a/tests/test-sigsegv-catch-stackoverflow1.c
+++ b/tests/test-sigsegv-catch-stackoverflow1.c
@@ -18,7 +18,7 @@
#include <config.h>
-/* On GNU/Hurd, when compiling with -D_FORTIFY_SOURCE=2, avoid an error
+/* On GNU/Hurd, when compiling with _FORTIFY_SOURCE >= 2, avoid an error
"*** longjmp causes uninitialized stack frame ***: terminated".
Cf. <https://sourceware.org/PR32522> */
#ifdef __gnu_hurd__
diff --git a/tests/test-sigsegv-catch-stackoverflow2.c b/tests/test-sigsegv-catch-stackoverflow2.c
index 8d10ebeefa..830fca04c7 100644
--- a/tests/test-sigsegv-catch-stackoverflow2.c
+++ b/tests/test-sigsegv-catch-stackoverflow2.c
@@ -18,7 +18,7 @@
#include <config.h>
-/* On GNU/Hurd, when compiling with -D_FORTIFY_SOURCE=2, avoid an error
+/* On GNU/Hurd, when compiling with _FORTIFY_SOURCE >= 2, avoid an error
"*** longjmp causes uninitialized stack frame ***: terminated".
Cf. <https://sourceware.org/PR32522> */
#ifdef __gnu_hurd__
--
2.48.1
From f4038dcb346fccb58d910e2f0a62c0f45022d2a8 Mon Sep 17 00:00:00 2001
From: Paul Eggert <[email protected]>
Date: Thu, 23 Oct 2025 23:35:36 -0700
Subject: [PATCH 2/2] doc: mention -fsanitize-trap=all etc
* doc/gnulib-readme.texi: Mention _GLIBCXX_ASSERTIONS,
-fsanitize-trap=all, -fhardened.
Problem reported by Basil L. Contovounesios in:
https://lists.gnu.org/r/bug-gnulib/2025-10/msg00068.html
---
doc/gnulib-readme.texi | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/doc/gnulib-readme.texi b/doc/gnulib-readme.texi
index 495b7359e3..9066949645 100644
--- a/doc/gnulib-readme.texi
+++ b/doc/gnulib-readme.texi
@@ -673,8 +673,9 @@ options appropriate for your compiler. For example:
CPPFLAGS='-Wall'\
CFLAGS='-g3 -O2'\
' -D_FORTIFY_SOURCE=3'\
+' -D_GLIBCXX_ASSERTIONS'\
' -fsanitize=undefined'\
-' -fsanitize-undefined-trap-on-error'
+' -fsanitize-trap=all'
@end example
@noindent
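Review bot: -D_GLIBCXX_ASSERTIONS is appended to CFLAGS, but it only affects C++ translation units, which configure-generated makefiles compile with CXXFLAGS, so as written it never reaches the code it is meant to harden (and -D_FORTIFY_SOURCE=3 in CFLAGS likewise misses the C++ half of a mixed package). Suggest moving the -D macros to CPPFLAGS, which is passed to both compilers, e.g. CPPFLAGS='-Wall -D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS', and leaving only code-generation options in CFLAGS. Also worth a sentence: -fsanitize-trap=all is accepted by GCC 13 and later (and by Clang); older GCC rejects it, whereas the deprecated spelling still works there.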
@@ -682,23 +683,24 @@ Here:
@itemize @bullet
@item
-@code{-D_FORTIFY_SOURCE=3} enables extra security hardening checks in
-the GNU C library.
+@code{-D_FORTIFY_SOURCE=3} and @code{-D_GLIBCXX_ASSERTIONS}
+enable extra security hardening checks in
+the GNU C library and GNU C++ library, respectively.
@item
@code{-fsanitize=undefined} enables GCC's undefined behavior sanitizer
(@code{ubsan}), and
@item
-@code{-fsanitize-undefined-trap-on-error} causes @code{ubsan} to
+@code{-fsanitize-trap=all} causes @code{ubsan} to
abort the program (through an ``illegal instruction'' signal). This
measure stops exploit attempts and also allows you to debug the issue.
@end itemize
-Without the @code{-fsanitize-undefined-trap-on-error} option,
+Without the @code{-fsanitize-trap=all} option,
@code{-fsanitize=undefined} causes messages to be printed, and
execution continues after an undefined behavior situation.
The message printing causes GCC-like compilers to arrange for the
program to dynamically link to libraries it might not otherwise need.
-With GCC, instead of @code{-fsanitize-undefined-trap-on-error} you can
+With GCC, instead of @code{-fsanitize-trap=all} you can
use the @code{-static-libubsan} option to arrange for two of the extra
libraries (@code{libstdc++} and @code{libubsan}) to be linked
statically rather than dynamically, though this typically bloats the
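Review bot: -fsanitize-trap=all applies to every enabled sanitizer that supports trapping, not only ubsan, so "causes @code{ubsan} to abort the program" is accurate for this example but misleading for readers who add other -fsanitize options; suggest "causes the sanitizers to trap instead of reporting" or mention -fsanitize-trap=undefined as the narrower spelling. The text should also say that in trap mode no diagnostic is printed at all, so locating the failing check needs a core dump or a debugger; that is the trade-off behind the libubsan linking discussion that follows.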
@@ -708,4 +710,9 @@ dynamically.
It is also good to occasionally run the programs under @code{valgrind}
(@pxref{Running self-tests under valgrind}).
+GCC's @code{-fhardened} option can also be used, but with caution
+because it is designed for production more than testing, and therefore
+enables @code{-ftrivial-auto-var-init=zero} which can mask program
+errors.
+
@include join-gnu.texi
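Review bot: the new -fhardened paragraph should say which GCC version introduced it (GCC 14) and that it enables no sanitizer, so it complements rather than replaces the -fsanitize options above. Since -fhardened does not override options given explicitly on the command line, the text could also tell testers how to keep the rest of its hardening set without the masking problem, e.g. by adding an explicit -ftrivial-auto-var-init=pattern, which makes reads of uninitialized variables more likely to fail instead of quietly reading zero; and that -Whardened, on by default, reports any option from the set that could not be enabled. Minor: a comma before "which can mask program errors".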
--
2.48.1