gh-112301: Enable compiler flags with low performance impact and no warnings (gh-120975)

nohlson · web-flow · commit 7fb32e020929 · 2024-06-26T12:11:05.000+09:00
diff --git a/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst b/Misc/NEWS.d/next/Security/2024-06-25-04-42-43.gh-issue-112301.god4IC.rst
@@ -0,0 +1,2 @@
+Add default compiler options to improve security. Enable
+-Wimplicit-fallthrough, -fstack-protector-strong, -Wtrampolines.
diff --git a/configure b/configure
diff --git a/configure.ac b/configure.ac
@@ -2451,6 +2451,16 @@ AS_VAR_IF([with_strict_overflow], [yes],
           [BASECFLAGS="$BASECFLAGS $STRICT_OVERFLOW_CFLAGS"],
           [BASECFLAGS="$BASECFLAGS $NO_STRICT_OVERFLOW_CFLAGS"])
 
+# Enable flags that warn and protect for potential security vulnerabilities.
+# These flags should be enabled by default for all builds.
+AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [BASECFLAGS="$BASECFLAGS -Wimplicit-fallthrough"], [AC_MSG_WARN([-Wimplicit-fallthrough not supported])])
+AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])])
+case $CC in
+  *gcc*)
+    # Add GCC-specific compiler flags          
+    AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])])
+esac
+
 case $GCC in
 yes)
     CFLAGS_NODIST="$CFLAGS_NODIST -std=c11"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Add default compiler options to improve security. Enable`
	`2`	`+-Wimplicit-fallthrough, -fstack-protector-strong, -Wtrampolines.`