On Tue, Dec 6, 2022 at 10:41 AM Siddhesh Poyarekar <siddhesh(a)redhat.com> wrote:
On Tue, Dec 6, 2022 at 10:26 AM Gary Buhrmaster
<gary.buhrmaster(a)gmail.com> wrote:
>
> On Tue, Dec 6, 2022 at 3:16 PM Siddhesh Poyarekar <siddhesh(a)redhat.com> wrote:
>
> > My full comment in that blog post is:
> >
> > "We need a proper study of performance and code size to understand the
> > magnitude of the impact created by _FORTIFY_SOURCE=3 additional
> > runtime code generation. However the performance and code size
> > overhead may well be worth it due to the magnitude of improvement in
> > security coverage."
>
> The key word is *MAY*. That is not considered
> to be a conclusion supported by the evidence
> presented (at least in any scientific paper I
> have reviewed).

I have added a performance note[1] in the proposal.
SPEC2000 and SPEC2017 results with _FORTIFY_SOURCE=2 vs
_FORTIFY_SOURCE=3 show practically no difference in performance. I
have updated the wiki to note this and the fact that this should
alleviate any concerns of a general slowdown. However I do request
package maintainers to report any slowdown they experience due to
building with _FORTIFY_SOURCE=3 so that we get a better understanding.
Always happy to help keep performance up to par even as we improve
security mitigations.

Thanks,
Sid