Options -Wtrampolines and -fstack-clash-protection not universal

[david-a-wheeler]

In the compiler option hardening materials, running the new "make" test on clang on MacOS causes failures with clang:

make
cc -O2 -Wall -Wformat=2 -Wconversion -Wtrampolines -Wimplicit-fallthrough  -D_FORTIFY_SOURCE=3  -D_GLIBCXX_ASSERTIONS  -fstack-clash-protection -fstack-protector-strong  -Wl,-z,nodlopen -Wl,-z,noexecstack  -Wl,-z,relro -Wl,-z,now  -fPIE -pie -fPIC -shared     demo.c   -o demo
clang: warning: argument unused during compilation: '-fstack-clash-protection' [-Wunused-command-line-argument]
clang: warning: argument unused during compilation: '-pie' [-Wunused-command-line-argument]
warning: unknown warning option '-Wtrampolines' [-Wunknown-warning-option]
1 warning generated.
ld: unknown option: -z

The -pie problem is known, and resolved by using -fpie. But -Wtrampolines and -fstack-clash-protection are not universal.

[thomasnyman]

The -Wtrampolines issue is fixed by #358. The `-fstack-clash-protection' may just be a compiler version issue.

[siddhesh]

Maybe the -fstack-clash-protection error you're seeing is because the aarch64 support was lacking? That has been added only recently: llvm/llvm-project#66524

[david-a-wheeler]

@siddhesh - No, not in my specific case, since it's an Intel-based Mac:

clang --version
Apple clang version 14.0.3 (clang-1403.0.22.14.1)
Target: x86_64-apple-darwin22.6.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

[siddhesh]

That's odd, it's been in clang since 2020, so I'm guessing clang 11-ish. I wonder why Apple hasn't enabled it.

[david-a-wheeler]

My guess is that Apple is not deploying the latest and greatest versions. That's really common, which is why we identify compiler versions for things.

[SecurityCRob]

Has this been addressed by the C/C++ Compiler Hardening options guide? @gkunz @thomasnyman @david-a-wheeler