Add additional compiler hardening flags (#1783)

* Add additional compiler hardening flags * Turn on hardening only for release builds * Add compiler check for flag support
tklengyel · Mar 26, 2024 · c6664a1 · c6664a1
1 parent 4d26695
commit c6664a1
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/meson.build b/meson.build
@@ -16,8 +16,9 @@ project('DRAKVUF (C) Tamas K Lengyel 2014-2024', 'c', 'cpp',
 )
 
 # Check if C++ compiler is suitable
+cpp=meson.get_compiler('cpp')
 code='''int main(void) { bool test[2] = { [1] = 1, [0] = 0 }; return 0; }'''
-if meson.get_compiler('cpp').compiles(code) == false
+if cpp.compiles(code) == false
     error('Unsupported C++ compiler, please install clang')
 endif
 
@@ -46,6 +47,8 @@ add_project_arguments('-Wno-unused-parameter', language : ['c', 'cpp'])
 add_project_arguments('-Wno-missing-field-initializers', language : ['c', 'cpp'])
 add_project_arguments('-Wno-packed', language : ['c', 'cpp'])
 
+hardened_link_args=[]
+
 # Declare additional debug flags
 if get_option('buildtype').startswith('debug')
     add_project_arguments('-DDRAKVUF_DEBUG', language : ['c', 'cpp'])
@@ -63,17 +66,30 @@ if get_option('buildtype').startswith('debug')
     add_project_arguments('-Wfloat-equal', language : ['cpp'])
     add_project_arguments('-Wundef', language : ['cpp'])
     add_project_arguments('-Wvla', language : ['cpp'])
-endif
-
-# Runtime hardening
-hardened_link_args=[]
-if get_option('hardening')
+    add_project_arguments('-ftrivial-auto-var-init=pattern', language: ['c', 'cpp'])
+elif get_option('hardening')
+    # Runtime hardening for release builds
     add_project_arguments('-Wno-strict-overflow', language : ['c', 'cpp'])
     add_project_arguments('-D_FORTIFY_SOURCE=2', language : ['c', 'cpp'])
     add_project_arguments('-fstack-protector-all', language : ['c', 'cpp'])
     add_project_arguments('--param', language : ['c', 'cpp'])
     add_project_arguments('ssp-buffer-size=1', language : ['c', 'cpp'])
 
+    code='''int test(int x) { int y=~x; return x+y; } int main(void) { return test(123); }'''
+    if cpp.compiles(code, name: 'zero-vars', args: ['-ftrivial-auto-var-init=zero'])
+        add_project_arguments('-ftrivial-auto-var-init=zero', language: ['c', 'cpp'])
+    elif cpp.compiles(code, name: 'zero-vars2',
+                      args: ['-ftrivial-auto-var-init=zero',
+                             '-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang'])
+        add_project_arguments('-ftrivial-auto-var-init=zero', language: ['c', 'cpp'])
+        add_project_arguments('-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang', language: ['c', 'cpp'])
+    endif
+
+    code='''struct { void (*cb)(void); } s; void f(void) { s.cb(); }'''
+    if cpp.compiles(code, name: '-fzero-call-used-regs=all', args: ['-O2', '-fzero-call-used-regs=all'])
+        add_project_arguments('-fzero-call-used-regs=all', language: ['c', 'cpp'])
+    endif
+
     hardened_link_args += '-Wl,-z,noexecstack'
     hardened_link_args += '-Wl,-z,relro'
     hardened_link_args += '-Wl,-z,now'