Review compiler options for Clang and GCC

jviotti · jviotti · commit aec701a6db6d · 2025-04-01T14:49:06.000-04:00
Signed-off-by: Juan Cruz Viotti &lt;jv@jviotti.com&gt;
diff --git a/cmake/common/compiler/options.cmake b/cmake/common/compiler/options.cmake
@@ -51,7 +51,29 @@ function(sourcemeta_add_default_options visibility target)
       # multiplication wraps around using twos-complement representation
       # See https://users.cs.utah.edu/~regehr/papers/overflow12.pdf
       # See https://www.postgresql.org/message-id/1689.1134422394@sss.pgh.pa.us
-      -fwrapv)
+      -fwrapv
+
+      # See https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+      -Wformat
+      -Wformat=2
+      -Werror=format-security
+      -fstrict-flex-arrays=3
+      -fstack-clash-protection
+      -fstack-protector-strong
+      -Werror=implicit 
+      -Werror=incompatible-pointer-types)
+
+    if(CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64")
+      target_compile_options("${target}" ${visibility} -fcf-protection=full)
+    elseif(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
+      target_compile_options("${target}" ${visibility} -mbranch-protection=standard)
+    endif()
+
+    target_compile_definitions("${target}" ${visibility} _FORTIFY_SOURCE=3)
+    target_compile_definitions("${target}" ${visibility} $<$<CONFIG:Debug>:_GLIBCXX_ASSERTIONS>)
+    target_compile_options("${target}" ${visibility} 
+      $<$<CONFIG:Release>:-fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -ftrivial-auto-var-init=zero> 
+      $<$<CONFIG:RelWithDebInfo>:-fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -ftrivial-auto-var-init=zero>)
   endif()
 
   if(SOURCEMETA_COMPILER_LLVM)
@@ -88,7 +110,11 @@ function(sourcemeta_add_default_options visibility target)
       # GCC seems to print a lot of false-positives here
       -Wno-free-nonheap-object
       # Disables runtime type information
-      -fno-rtti)
+      -fno-rtti
+
+      # See https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+      -Wtrampolines
+      -Wbidi-chars=any)
   endif()
 endfunction()
 
diff --git a/cmake/common/targets/executable.cmake b/cmake/common/targets/executable.cmake
@@ -30,5 +30,20 @@ function(sourcemeta_executable)
 
   add_executable("${TARGET_NAME}" ${SOURCEMETA_EXECUTABLE_SOURCES})
   sourcemeta_add_default_options(PRIVATE ${TARGET_NAME})
+
+  # See https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+  if(SOURCEMETA_COMPILER_LLVM OR SOURCEMETA_COMPILER_GCC)
+    target_compile_options(${TARGET_NAME} PRIVATE
+      $<$<CONFIG:Release>:-fPIE -pie>
+      $<$<CONFIG:RelWithDebInfo>:-fPIE -pie>)
+    target_link_options(${TARGET_NAME} PRIVATE
+      -Wl,-z,nodlopen
+      -Wl,-z,noexecstack
+      -Wl,-z,relro
+      -Wl,-z,now
+      -Wl,--as-needed
+      -Wl,--no-copy-dt-needed-entries)
+  endif()
+
   set_target_properties("${TARGET_NAME}" PROPERTIES FOLDER "${FOLDER_NAME}")
 endfunction()
