On 11/26/21 10:58, Siddhesh Poyarekar wrote:
sure it works) and saw no issues in any of those builds. I did some
rudimentary analysis of the generated binaries using fortify-metrics[1]
to confirm that there was a difference in coverage between the two
fortification levels.
Here is a summary of coverage in the above packages:
F = number of fortified calls
T = Total number of calls to fortifiable functions (fortified as well as
unfortified)
C = F * 100/ T
Package F(2) T(2) F(3) T(3) C(2) C(3)
bash 428 1220 1005 1196 35.08% 84.03%
wpa_supplicant 1635 3232 2350 3408 50.59% 68.96%
systemtap 324 1990 343 1994 16.28% 17.20%
cmake 830 14181 958 14196 5.85% 6.75%
The numbers are slightly lower than the previous patch series because in
the interim I pushed an improvement to folding of the _chk builtins so
that they can use ranges to simplify the calls to their regular
variants. Also note that even _FORTIFY_SOURCE=2 coverage should be
improved due to negative offset handling.
[1] https://github.com/siddhesh/fortify-metrics
