2 of the notes for libc++ 18 for the hardening mode are:

QUOTE
Enabling hardening has no impact on the ABI.
 . .
Since the static and shared library components of libc++ are built by the 
vendor, setting this macro will have no impact on the hardening mode for the 
pre-built components. Most libc++ code is header-based, so a user-provided 
value for _LIBCPP_HARDENING_MODE will be mostly respected.
END QUOTE

The modes are described by:

QUOTE
    • Unchecked mode/none, which disables all hardening checks.
    • Fast mode, which contains a set of security-critical checks that can be 
done with relatively little overhead in constant time and are intended to be 
used in production. We recommend most projects adopt this.
    • Extensive mode, which contains all the checks from fast mode and some 
additional checks for undefined behavior that incur relatively little overhead 
but aren’t security-critical. Production builds requiring a broader set of 
checks than fast mode should consider enabling extensive mode. The additional 
rigour impacts performance more than fast mode: we recommend benchmarking to 
determine if that is acceptable for your program.
    • Debug mode, which enables all the available checks in the library, 
including internal assertions, some of which might be very expensive. This mode 
is intended to be used for testing, not in production.
END QUOTE

Technically, DEBUG builds and non-DEBUG world builds could have different 
FreeBSD settings for LIBCXX_HARDENING_MODE I suppose.

QUOTE (relative to non-prebuilt components)
Users wishing for a different hardening level to their vendor default are able 
to control the level by passing one of the following options to the compiler:

-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_NONE
-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST
-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE
-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG
END QUOTE

===
Mark Millard
marklmi at yahoo.com
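
Added example, not part of the original message and not libc++ or FreeBSD code: a per-translation-unit check of which hardening mode the quoted `_LIBCPP_HARDENING_MODE` macro actually resolved to, so a build can confirm that the vendor default or a `-D` override took effect. The names `Mode`, `effective_mode`, `check_rank`, `at_least`, `mode_name` and the `REQUIRE_HARDENING` switch are hypothetical.

```cpp
#include <cstddef>  // any libc++ header pulls in its configuration macros
#include <cstdio>

// Hypothetical names; only the _LIBCPP_* macros come from libc++.
enum class Mode { NotLibcxx, Unknown, None, Fast, Extensive, Debug };

// Mode this translation unit was compiled with. Compare against the named
// macros only; do not rely on their numeric values.
constexpr Mode effective_mode() {
#if !defined(_LIBCPP_VERSION)
    return Mode::NotLibcxx;   // another standard library: the macro does nothing
#elif !defined(_LIBCPP_HARDENING_MODE) || !defined(_LIBCPP_HARDENING_MODE_NONE)
    return Mode::Unknown;     // a libc++ that does not define these macros
#elif _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_NONE
    return Mode::None;
#elif _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_FAST
    return Mode::Fast;
#elif _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_EXTENSIVE
    return Mode::Extensive;
#elif _LIBCPP_HARDENING_MODE == _LIBCPP_HARDENING_MODE_DEBUG
    return Mode::Debug;
#else
    return Mode::Unknown;
#endif
}

// Ranking taken from the quoted descriptions: extensive contains the fast
// checks, debug enables every available check. Unranked modes return -1.
constexpr int check_rank(Mode m) {
    return m == Mode::None ? 0 : m == Mode::Fast ? 1
         : m == Mode::Extensive ? 2 : m == Mode::Debug ? 3 : -1;
}

// True only when the mode is known and at least as strict as `want`.
constexpr bool at_least(Mode have, Mode want) {
    return check_rank(have) >= 0 && check_rank(have) >= check_rank(want);
}

constexpr const char* mode_name(Mode m) {
    return m == Mode::None ? "none" : m == Mode::Fast ? "fast"
         : m == Mode::Extensive ? "extensive" : m == Mode::Debug ? "debug"
         : m == Mode::Unknown ? "unknown" : "not libc++";
}

#ifdef REQUIRE_HARDENING  // hypothetical project switch: fail the build if unhardened
static_assert(at_least(effective_mode(), Mode::Fast), "libc++ hardening below fast");
#endif

int main() {
    std::printf("libc++ hardening mode for this TU: %s\n", mode_name(effective_mode()));
    return at_least(effective_mode(), Mode::Fast) ? 0 : 1;
}
```

This reports only the header-based code in the translation unit it is compiled into; as the quoted note says, the pre-built static and shared library components keep whatever mode the vendor built them with.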

