On 18.04.2013 20:25, John Moser wrote:
> Meant to go to list
> On Apr 18, 2013 2:15 PM, "John Moser" <john.r.mo...@gmail.com> wrote:
>
>> On Apr 18, 2013 2:07 PM, "Insanity Bit" <colintre...@gmail.com> wrote:
>>>
>>> On 64bit multiple services (pulseaudio, rsyslogd, many others) are
>>> shipping without Position Independent Code. On 32bit there is a potential
>>> performance hit for startup time... but there shouldn't be any performance
>>> hit (or negligible) on 64bit.
>>>
>>
>> There is a continuous performance hit of under 1% without
>> -fomit-frame-pointer and under 6% with -fomit-frame-pointer on IA-32. The
>> impact is statistically insignificant (I got 0.002% +/- 0.5%) on x86-64.
>>
>> The performance hit on IA-32 only applies to main executable code because
>> library code is PIC already. This accounts for under 2% runtime, except in
>> X where it used to be 5%. That makes the overall impact 2% of 6% or
>> 0.12%--which is non-existent if your CPU is ever at less than 99.88% load
>> because you would swiftly catch up.
>>
>> In other words: there is NO PERFORMANCE HIT for PIE in any
>> non-laboratory, non-theoretical situation. (Theo de Raadt argued this with
>> me once, using the term "very expensive" a lot. I built two identical
>> Gentoo boxes and profiled them both extensively with oprofile. It is
>> exactly a theoretical cost, and the performance concerns come from people
>> who have no clue what the execution flow of modern software looks like)

I'm tired of repeating that there *is* a performance penalty. Building the python interpreters with -fPIE results in about 15% slower benchmarks. Building GCC with -fPIE slows down the build times by 10-20%.

So maybe you want to have a python interpreter with -fPIE, accepting this performance penalty, and gaining some security? But what else do you gain by building GCC with -fPIE besides forcing longer build times on developers?

I don't think that -fPIE is ready to be enabled by default, but maybe we need to think about a better or easier way to enable it. However, the current method using the hardening-wrapper seems to work fine.

Matthias

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
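
The thread opens with the claim that services such as pulseaudio and rsyslogd ship without position-independent code; the following added example (not code from this thread or from Ubuntu) shows how that can be checked from the ELF header of a binary. It uses the common heuristic that an ET_DYN image with a PT_INTERP program header is a PIE executable; the function names `classify_elf` and `make_elf` are hypothetical and the sample images are constructed in the script.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3   # p_type values

def classify_elf(data: bytes) -> str:
    """Return 'non-PIE', 'PIE', 'shared-object' or 'other' for an ELF image."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if len(data) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    if e_type == ET_EXEC:
        return "non-PIE"                      # linked at a fixed load address
    if e_type != ET_DYN:
        return "other"                        # relocatable object, core file, ...
    # ET_DYN covers PIE executables and shared libraries alike; a requested
    # program interpreter (PT_INTERP) is the usual sign of an executable.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                             # program header table is truncated
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "PIE"
    return "shared-object"

def make_elf(e_type, ptypes, is64=True):
    """Constructed sample input: little-endian ELF header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    fmt, ehsize, phsize = ("<HHIQQQIHHHHHH", 64, 56) if is64 else ("<HHIIIIIHHHHHH", 52, 32)
    hdr = ident + struct.pack(fmt, e_type, 62 if is64 else 3, 1, 0, ehsize, 0, 0,
                              ehsize, phsize, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(phsize - 4) for t in ptypes)

if __name__ == "__main__":
    print(classify_elf(make_elf(ET_EXEC, [PT_INTERP, PT_LOAD])))             # fixed-address build
    print(classify_elf(make_elf(ET_DYN, [PT_INTERP, PT_LOAD, PT_DYNAMIC])))  # -fPIE -pie build
    print(classify_elf(make_elf(ET_DYN, [PT_LOAD, PT_DYNAMIC])))             # shared library
```

A statically linked PIE has no PT_INTERP and is reported as "shared-object" by this heuristic. To audit a real file, pass its first bytes, including the program header table, to `classify_elf`.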