linux.txt
# Linux-only C flags — appended after cflags/base.txt for any build that
# targets Linux (the linux-amd64 or linux-arm64 profile). Apple's clang
# either does not implement these, or the macOS runtime does not back
# them, so they have to live outside base.txt.
# Probe each new stack page as a frame is allocated, so a large or
# attacker-sized frame cannot skip over the guard page into another mapping
# (Stack Clash). clang implements the probing for Linux/{x86,x86_64,riscv}
# and Linux/aarch64; Apple's clang does not enable the codegen on darwin.
-fstack-clash-protection
# Force LLD as the linker. Required on Alpine + clang22 + ThinLTO: the
# default linker clang picks up is binutils ld (Alpine's compiler-rt
# config), which, unless the LLVMgold plugin is installed and passed in,
# can't read bitcode .o members from .a archives. autoconf conftests then
# fail with `member ...(foo.o) in archive is not an object` during the
# C-compiler-works check. lld reads bitcode natively. Apple's clang on
# darwin drives ld64, which handles LTO bitcode itself through libLTO, so
# this flag belongs to Linux only.
-fuse-ld=lld
# Relative C++ ABI vtables: vtable slots become 32-bit PC-relative offsets
# instead of absolute pointers, so vtables carry no dynamic relocations and
# can live in .rodata (read-only from load) rather than in .data.rel.ro,
# where they are writable until RELRO is applied. The RTTI slot becomes a
# `.rtti_proxy` indirection per entry that the linker dedupes via COMDAT.
# ELF supports COMDAT (via section groups) so this works on Linux
# clang/lld; MachO does not, and clang aborts with `LLVM ERROR: MachO
# doesn't support COMDATs, '<symbol>.rtti_proxy' cannot be lowered` when
# the BoringSSL build's C++ test executables (decrepit_test, ssl_test,
# bssl, …) try to link.
# Net effect on Linux: smaller vtables, fewer load-time relocations, and
# vtables that are never mapped writable; net effect on darwin: cmake
# build aborts. Linux only.
# Caveat: this is a C++ ABI change. Every C++ object in a link whose
# vtables cross an object boundary (libc++ included) must be built with
# the same setting; objects built with and without it do not interoperate.
-fexperimental-relative-c++-abi-vtables
# NOTE: -fno-semantic-interposition and -fno-plt are parked in
# labs.disabled.txt — both are incompatible with default-visibility
# `Java_*` aliases that JNI exports require. The compiler treats own-DSO
# default-visibility symbols as PC-rel-addressable under
# -fno-semantic-interposition, and the aarch64 linker (ld.lld) then
# rejects the resulting `R_AARCH64_ADR_PREL_PG_HI21` relocation against
# the alias with "cannot be used against symbol 'Java_…'; recompile with
# -fPIC". Re-enable only if we move JNI exports to STV_PROTECTED (which
# would need a coordinated change to NETTY_JNI_ALIAS) or stop emitting
# default-visibility aliases altogether.
# NOTE: -U_FORTIFY_SOURCE, -D_FORTIFY_SOURCE=2, and
# -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST are parked in
# labs.disabled.txt while we prioritise startup time. They will be
# re-enabled once we have a perf bench harness that catches the per-
# call cost of the fortified __*_chk variants and the libc++ iterator/
# index checks on the str/mem and Netty I/O hot paths. Cut-and-paste
# the *exact* spellings from labs.disabled.txt back here when
# re-enabling.
# NOTE: -mllvm -polly is parked in labs.disabled.txt — Alpine's clang22
# package (the toolchain we use for production Linux static-archive
# builds) is compiled without the Polly LLVM plugin and rejects the flag
# with "Unknown command line argument '-polly'". Re-enable here once the
# Linux toolchain consistently ships a Polly-enabled clang.
# Mark assembler-produced objects as not requiring an executable stack.
# Without this, a single .s/.S input lacking a .note.GNU-stack section
# makes the linker assume the whole binary needs an executable stack and
# emit PT_GNU_STACK as RWE. -Wl,-z,noexecstack below overrides that at
# the links we control, but the per-object note is what protects
# consumers that link our static archive with their own flags, and it
# keeps ld.lld from warning about the unmarked input. Check the result
# with `readelf -lW <bin> | grep GNU_STACK`: the flags column must read
# RW, not RWE.
-Wa,--noexecstack
# Linker hardening + size flags. Anything that drops sections from the
# output (--gc-sections) is intentionally NOT here: dependency builds run
# intermediate links (autoconf conftests, BoringSSL test executables, …)
# and a too-eager DCE pass at this stage strips symbols that a later
# build stage still wants. The compiler still emits per-function/data
# sections via -ffunction-sections / -fdata-sections in base.txt, so the
# consuming project can run --gc-sections at its final link step and get
# the same DCE for free.
#
# relro - mark the GOT and other relocated sections read-only once
# relocation is done (PT_GNU_RELRO).
# now - disable lazy PLT binding; resolve all symbols at load time
# (DF_BIND_NOW). Combined with relro this yields full RELRO:
# the GOT is read-only before any user code runs, so a write
# primitive can no longer redirect a later-bound call. Also
# what makes -fno-plt viable, since GOT-direct calls have no
# lazy resolver to fall back to.
# noexecstack - set PT_GNU_STACK to RW (not RWE); blocks shellcode
# execution from the stack.
# separate-code - put code in its own PT_LOAD segment, apart from the ELF
# headers and .rodata, so R-X pages hold no data and R--
# pages hold no code: less readable/executable memory to
# mine for ROP gadgets, and constant data is never mapped
# executable.
# pack-relative-relocs - emit DT_RELR-format relative relocations instead of the
# full RELA encoding. Substantially smaller .rela.dyn for
# PIE/PIC binaries. Needs lld 15+ to emit and a loader that
# understands DT_RELR (glibc 2.36+, musl 1.2.4+); an older
# loader silently leaves those relocations unapplied, so
# check the target runtime before shipping.
# --as-needed - skip DT_NEEDED entries for shared libs whose symbols are
# never actually referenced; trims runtime dep surface.
# --icf=safe - lld identical-code-folding, "safe" variant: only fold
# functions the address-significance table (.llvm_addrsig,
# emitted by clang by default) shows are never compared by
# address, so pointer-equality semantics are preserved.
# Doesn't drop sections, so safe to apply at every link
# stage.
# --build-id=sha1 - embed a content-derived, deterministic build ID
# (.note.gnu.build-id) for crash-server symbol lookup.
# --hash-style=gnu - use the gnu-hash dynamic-symbol table and drop the
# legacy sysv-hash. Smaller output and faster symbol lookup
# at load (gnu-hash carries a Bloom-filter prefilter, which
# sysv-hash lacks). Supported by every glibc and musl
# version we target.
# -O3 - linker-side string/section merging. Bumped from -O2;
# pure link-time cost, smaller output, and the smaller
# binary load is a small startup win. Note that ld.lld's
# own levels stop at -O2 (string merging at -O1, tail
# merging at -O2); -O3 is accepted but enables nothing
# further in ld.lld.
-Wl,-z,relro
-Wl,-z,now
-Wl,-z,noexecstack
-Wl,-z,separate-code
-Wl,-z,pack-relative-relocs
-Wl,--as-needed
-Wl,--icf=safe
-Wl,--build-id=sha1
-Wl,--hash-style=gnu
-Wl,-O3
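# Verifying that the -Wa,--noexecstack and -Wl,-z,* flags above actually
# landed in a linked binary. This is an added example, not part of this
# flags file or the project's build; it is a small stand-alone ELF64
# program-header and dynamic-section reader, equivalent to eyeballing
# `readelf -lW` and `readelf -dW`. The sample image it builds when run
# without a path is constructed in the script (headers plus a dynamic
# segment only, not a real binary), and `missing_flags` maps each finding
# back to the flag in this file that should have produced it; both helper
# names are the example's own.

```python
"""Check linker hardening on a little-endian ELF64 image: PT_GNU_STACK
flags, RELRO level, DT_RELR packing and hash-table style.
Added example, not project code."""
import struct
import sys

# ELF constants (ELF gABI / elf.h values)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_HASH, DT_FLAGS, DT_RELR = 0, 4, 30, 36
DT_GNU_HASH, DT_FLAGS_1 = 0x6FFFFEF5, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56


def program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        yield struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)


def dynamic_tags(data, phdr):
    """Read the PT_DYNAMIC segment into {d_tag: d_val}, stopping at DT_NULL."""
    p_offset, p_filesz = phdr[2], phdr[5]
    tags = {}
    for off in range(p_offset, p_offset + p_filesz, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        tags[d_tag] = d_val
    return tags


def check_elf_hardening(data):
    # None means no PT_GNU_STACK at all: the arch default applies, treat as a finding.
    exec_stack = None
    has_relro = False
    dyn = {}
    for phdr in program_headers(data):
        p_type, p_flags = phdr[0], phdr[1]
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = dynamic_tags(data, phdr)
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if (has_relro and bind_now) else ("partial" if has_relro else "none")
    return {
        "exec_stack": exec_stack,
        "relro": relro,
        "relr": DT_RELR in dyn,  # only present when the link had relative relocs to pack
        "gnu_hash": DT_GNU_HASH in dyn,
        "sysv_hash": DT_HASH in dyn,
    }


def missing_flags(report):
    """Map findings back to the -Wl flags in linux.txt that should have produced them."""
    missing = []
    if report["exec_stack"] is not False:
        missing.append("-Wl,-z,noexecstack")
    if report["relro"] == "none":
        missing.append("-Wl,-z,relro")
    if report["relro"] != "full":
        missing.append("-Wl,-z,now")
    if not report["relr"]:
        missing.append("-Wl,-z,pack-relative-relocs")
    if not report["gnu_hash"] or report["sysv_hash"]:
        missing.append("-Wl,--hash-style=gnu")
    return missing


def build_sample_elf(stack_exec, relro, dyn_tags):
    """Constructed minimal ELF64 image (ELF header, program headers, one dynamic segment)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    n_ph = 3 if relro else 2
    dyn_off = EHDR_SIZE + n_ph * PHDR_SIZE
    seg = (dyn_off, 0x1000, 0x1000, len(dyn), len(dyn))  # offset, vaddr, paddr, filesz, memsz
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, PF_R | PF_W, *seg, 8),
             struct.pack("<IIQQQQQQ", PT_GNU_STACK, PF_R | PF_W | (PF_X if stack_exec else 0),
                         0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R, *seg, 1))
    ehdr = bytearray(EHDR_SIZE)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"                # ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 0x10, 3, 0x3E, 1)  # ET_DYN, EM_X86_64, e_version
    struct.pack_into("<Q", ehdr, 0x20, EHDR_SIZE)     # e_phoff: program headers follow the ELF header
    struct.pack_into("<HHH", ehdr, 0x34, EHDR_SIZE, PHDR_SIZE, n_ph)
    return bytes(ehdr) + b"".join(phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:  # no path given: use a constructed sample linked "without" the flags
        data = build_sample_elf(stack_exec=True, relro=False, dyn_tags=[(DT_HASH, 0x3000)])
    report = check_elf_hardening(data)
    print(report)
    print("missing:", missing_flags(report) or "nothing")
```

# Run it against the final consumer binary, not an intermediate conftest: an
# RWE stack or a "partial" RELRO at that point means some input object or a
# later link step dropped the flags. The DT_RELR check is only meaningful for
# PIE/PIC outputs that actually have relative relocations to pack.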