Source: urweb
Version: 20170720+dfsg-2
Ur/Web’s C runtime currently builds with -D_FORTIFY_SOURCE=2 (really,
with DEB_BUILD_MAINT_OPTIONS=hardening=+all), since it’s a library in
the serving path. However, the runtime makes heavy use of %n format
specifiers, and _FORTIFY_SOURCE=2 causes that format specifier to be
incredibly slow:
/tmp$ cat stuff.c
#include <stdio.h>
int main(int argc, char* argv[]) {
int n;
for (int i = 0; i < 1000000; ++i) {
printf("%s%n\n", argv[1], &n);
printf("%d\n", n);
}
}
/tmp$ gcc -O3 -o stuff stuff.c
/tmp$ time ./stuff 'Hello, world!' >/dev/null
real 0m0.167s
user 0m0.167s
sys 0m0.000s
/tmp$ gcc -O3 -D_FORTIFY_SOURCE=1 -o stuff stuff.c
/tmp$ time ./stuff 'Hello, world!' >/dev/null
real 0m0.170s
user 0m0.170s
sys 0m0.000s
/tmp$ gcc -O3 -D_FORTIFY_SOURCE=2 -o stuff stuff.c
/tmp$ time ./stuff 'Hello, world!' >/dev/null
real 0m8.605s
user 0m2.058s
sys 0m6.482s
This has been confirmed to affect Ur/Web benchmark results [1, 2].
(Short version: TechEmpower switched from a custom build of Ur/Web to
using the package out of the archive and observed a 100× slowdown.)
One of Ur/Web’s major selling points is its speed, and while hardening
is valuable, users are likely to be surprised by Debian shipping an
Ur/Web that runs orders of magnitude slower than published benchmark
results. We should probably force _FORTIFY_SOURCE=1 in Ur/Web builds.
[1] http://www.impredicative.com/pipermail/ur/2019-July/002850.html
[2] http://www.impredicative.com/pipermail/ur/2019-August/002854.html
