On Tue, Dec 6, 2022 at 7:50 AM Siddhesh Poyarekar <siddhesh@xxxxxxxxxx> wrote:
>
> On Mon, Dec 5, 2022 at 5:53 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> >
> > On Mon, Dec 5, 2022 at 3:17 PM Gary Buhrmaster
> > <gary.buhrmaster@xxxxxxxxx> wrote:
> > >
> > > On Mon, Dec 5, 2022 at 7:58 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> > > >
> > > > https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
> > > >
> > >
> > > It is my vague recollection (I could easily be wrong, so
> > > correct me as appropriate) that _FORTIFY_SOURCE=3
> > > adds some runtime overhead that did not apply in
> > > previous levels.
> > >
> > > If that is correct, has the potential performance impact
> > > been evaluated and documented somewhere? And, if
> > > correct, the change proposal should probably be modified
> > > to mention the potential performance impacts.
> >
> > It has a similar impact that turning back on frame pointers would.
> >
> > Cf. https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level#the_gains_of_improved_security_coverage_outweigh_the_cost
> >
> > I'm extremely displeased now, as the toolchain team basically told us
> > they wouldn't accept register pressure on x86_64 and then turned
> > around and made a proposal that does the same thing. Apparently
> > quality of life improvements for developers and real-time tracing
> > (e.g. making bpftrace useful) isn't worth it, but this is.
> >
> > I want a really good justification for not doing both at the same time
> > if we're going to accept this.
>
> They're only similar to the extent of potentially having a performance
> impact. One may improve debugging experience while the other improves
> security mitigation coverage by a factor of 2.4x in the average case
> and 5-10x in some key cases.
>

"may improve" is proven to be "does improve significantly". We had
GNOME and other desktop software developers and hyperscale developers
telling us it would be helpful to have. Entire classes of tracing and
debugging tools *don't work* without frame pointers. I say that the
impact is about equal, just in different areas, with the same kind of
performance hit.

(But who cares about developers, I guess?)

> They're apples and butter chicken.
>

Well, okay then, that's one I hadn't heard before. :P

--
真実はいつも一つ!/ Always, there's only one truth!