build(gcc): use -fhardened option for gcc14

b1ackviking · b1ackviking · commit 86efbbb585ff · 2024-09-27T00:39:45.000+07:00
also, switch off hardenings for debug builds,
and move fortify sources under hardenings flag
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -98,8 +98,7 @@ jobs:
           -D ENABLE_LSAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_CPPCHECK:BOOL=TRUE
           -D ENABLE_CLANG_TIDY:BOOL=${{ contains(matrix.config.cc, 'clang') }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
-          -D ENABLE_FORTIFY_SOURCE:BOOL=${{ matrix.build.type != 'Debug' }}
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: cmake --build --preset ${{ matrix.build.preset }}
@@ -198,8 +197,7 @@ jobs:
           -D ENABLE_ASAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_UBSAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_LSAN:BOOL=${{ matrix.build.type == 'Debug' }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
-          -D ENABLE_FORTIFY_SOURCE:BOOL=${{ matrix.build.type != 'Debug' }}
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: cmake --build --preset ${{ matrix.build.preset }}
@@ -303,7 +301,7 @@ jobs:
           poetry run cmake --preset ${{ matrix.build.preset }}
           -D ENABLE_COVERAGE:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_ASAN:BOOL=${{ matrix.build.type == 'Debug' && matrix.config.cc == 'cl' }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: cmake --build --preset ${{ matrix.build.preset }}
diff --git a/README.md b/README.md
@@ -64,7 +64,6 @@ cmake --preset <preset> \
   -D ENABLE_DOXYGEN=<bool> \
   -D ENABLE_COVERAGE=<bool> \
   -D ENABLE_HARDENINGS=<bool> \
-  -D ENABLE_FORTIFY_SOURCE=<bool> \
   -D ENABLE_ASAN=<bool> \
   -D ENABLE_LSAN=<bool> \
   -D ENABLE_UBSAN=<bool> \
diff --git a/cmake/defaults.cmake b/cmake/defaults.cmake
@@ -12,8 +12,6 @@ if(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang|GNU")
   option(ENABLE_LSAN "Enable leak sanitizer" OFF)
   option(ENABLE_UBSAN "Enable undefined behavior sanitizer" OFF)
   option(ENABLE_TSAN "Enable thread sanitizer" OFF)
-  option(ENABLE_FORTIFY_SOURCE
-         "Enable -D_FORTIFY_SOURCE=3 (requires optimized build)" OFF)
 endif()
 option(ENABLE_HARDENINGS "Enable hardenings" OFF)
 
@@ -290,12 +288,13 @@ function(enable_hardenings target_name)
         /DYNAMICBASE
         /LARGEADDRESSAWARE
         /HIGHENTROPYVA)
-    elseif(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang|GNU")
+    elseif(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+      target_compile_options(${target_name} INTERFACE -fhardened)
+    elseif(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang")
       target_compile_definitions(${target_name} INTERFACE _GLIBCXX_ASSERTIONS)
-      if(ENABLE_FORTIFY_SOURCE)
-        target_compile_options(${target_name} INTERFACE -U_FORTIFY_SOURCE
-                                                        -D_FORTIFY_SOURCE=3)
-      endif()
+      target_compile_options(${target_name} INTERFACE -U_FORTIFY_SOURCE
+                                                      -D_FORTIFY_SOURCE=3)
+
       if(LINUX)
         target_link_options(${target_name} INTERFACE -Wl,-z,noexecstack)
       endif()
