On Mon, Dec 5, 2022 at 3:17 PM Gary Buhrmaster <gary.buhrmaster@xxxxxxxxx> wrote: > > On Mon, Dec 5, 2022 at 7:58 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote: > > > > https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags > > > > It is my vague recollection (I could easily be wrong, so > correct me as appropriate) that _FORTIFY_SOURCE=3 > adds some runtime overhead that did not apply in > previous levels. > > If that is correct, has the potential performance impact > been evaluated and documented somewhere? And, if > correct, the change proposal should probably be modified > to mention the potential performance impacts. There is indeed a theoretical concern over performance due to size expressions vs constants, but none have been reported in practice. OpenSUSE and Gentoo (at least) have had _FORTIFY_SOURCE=3 enabled by default for nearly a year and there haven't seen any reports of performance degradation. Besides, the magnitude of mitigation coverage is *immense*. For example with bash, where only 3% of the calls were fortified, now nearly half of the calls are fortified. Likewise, sudo has gone from about 1% to nearly half. Note that it doesn't mean that all those new calls have an additional overhead; the compiler and glibc can also detect which of these accesses are always safe and it simplifies the calls to the regular ones. Overall even if there is a miniscule performance overhead, I reckon the reward is much higher. Just ask the folks over at OpenSUSE, they've uncovered a bunch of bugs over the last year thanks to this feature. I did a code size analysis though (since it's a much clearler problem to analyze) and funnily, _FORTIFY_SOURCE=3 ended up *reducing* code size by a tiny bit on average. Very few packages saw code size increases beyond 1%, most were in the nearly negligible range. The numbers are in the Google spreadsheet I linked to in the proposal, under the "size summary" tab. Sid _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
