gh-112301: Add fortify source level 3 to default compiler options
gh-112301: Added -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 to default compiler options for all builds
This option adds runtime protections for glibc to abort execution when unsafe behavior is encountered. Here are the GNU docs on the option
This is a very brief writeup that I found useful from Red Hat explaining some benefits
Also the OpenSSF compiler hardening guidance gives a very good description of the option
This is an option that theoretically affects the runtime so pyperformance benchmarks were run. The benchmark for this branch shows little overall impact but does impact some benchmark types:
NOTE: I would recommend looking into the details of the benchmarks in the links
| Tag | Geometric Mean |
|---|---|
| apps | 1.00x slower |
| asyncio | Not Significant |
| math | 1.01x faster |
| regex | 1.03x slower |
| serialize | 1.01x faster |
| startup | 1.00x faster |
| template | 1.00x slower |
| overall | 1.00x faster |
A benchmark was run a few weeks ago with this option that was slightly different:
| Tag | Geometric Mean |
|---|---|
| apps | 1.03x slower |
| asyncio | 1.01x slower |
| math | 1.00x slower |
| regex | 1.02x faster |
| serialize | 1.01x slower |
| startup | 1.01x slower |
| template | 1.01x slower |
| overall | 1.01x slower |
The benchmarks show that overall there is little memory impact and overall very small performance impact, but within benchmark types there is some movement. Many compilers use -D_FORTIFY_SOURCE=2 by default. Level 3 adds additional bounds checking. My recommendation and the recommendation of the OpenSSF guidance is to raise to level 3 for this protection, but I would like to discuss further.
Attn: @mdboom
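Added example, not part of this PR or of CPython: a small check that works out which `_FORTIFY_SOURCE` level a CFLAGS string actually leaves in effect, so a builder can confirm that `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3` was not overridden by a later distro `-D_FORTIFY_SOURCE=2` (or `-Wp,` form) and that optimisation is on, since glibc ignores the macro at `-O0`. The `sysconfig` variable names it reads (`PY_CFLAGS`, `PY_CFLAGS_NODIST`, `CFLAGS`) are an assumption about where the flags land.

```python
"""Work out the effective _FORTIFY_SOURCE level from a compiler flag string."""
import re
import sysconfig
from typing import Iterable, Iterator, Optional

_FORTIFY_RE = re.compile(r"^-D_FORTIFY_SOURCE(?:=(\d+))?$")
_OPT_RE = re.compile(r"^-O([0-3sgz]|fast)?$")


def _expand_wp(tokens: Iterable[str]) -> Iterator[str]:
    """Unfold -Wp,-D_X,-U_Y (flags handed straight to the preprocessor) into plain tokens."""
    for tok in tokens:
        if tok.startswith("-Wp,"):
            yield from tok[4:].split(",")
        else:
            yield tok


def fortify_level(flags: str) -> Optional[int]:
    """Return the _FORTIFY_SOURCE level the flags leave in effect, or None if inactive.

    Later flags override earlier ones, as the preprocessor sees them: the PR's
    "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3" yields 3, while a trailing
    "-D_FORTIFY_SOURCE=2" would win over it.  glibc only honours the macro when
    optimisation is enabled, so -O0 (or no -O flag at all) disables it.
    """
    level = None
    optimize = False  # no -O flag at all behaves like -O0
    for tok in _expand_wp(flags.split()):
        m = _FORTIFY_RE.match(tok)
        if m:
            level = int(m.group(1)) if m.group(1) is not None else 1  # bare -D means 1
            continue
        if tok == "-U_FORTIFY_SOURCE":
            level = None
            continue
        m = _OPT_RE.match(tok)
        if m:
            optimize = m.group(1) != "0"  # bare -O is -O1
    if level is None or level <= 0 or not optimize:
        return None
    return level


def interpreter_fortify_level() -> Optional[int]:
    """Check the running interpreter's own build flags (config var names are assumed)."""
    names = ("PY_CFLAGS", "PY_CFLAGS_NODIST", "CFLAGS")
    return fortify_level(" ".join(sysconfig.get_config_var(v) or "" for v in names))


if __name__ == "__main__":
    print("effective _FORTIFY_SOURCE level for this interpreter:", interpreter_fortify_level())
```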