On Tue, Dec 6, 2022 at 10:06 AM Gary Buhrmaster
<gary.buhrmaster(a)gmail.com> wrote:
On Tue, Dec 6, 2022 at 12:47 PM Siddhesh Poyarekar <siddhesh(a)redhat.com> wrote:
> Overall even if there is a miniscule performance overhead, I
> reckon the reward is much higher.
I am curious how you can claim there is only a
minuscule performance overhead without doing
any benchmarks?
I am not claiming the overheads are high, I
don't know, but I know enough to trust that
when you (yourself) said in the article:
"We need a proper study of performance
and code size to understand the magnitude
of the impact"
that you are making a very clear statement
that you believe that such a study is needed.
If you do not believe that that statement
is correct, will you be issuing a correction
to the posted article saying that such a study
is no longer needed?
My full comment in that blog post is:
"We need a proper study of performance and code size to understand the
magnitude of the impact created by _FORTIFY_SOURCE=3 additional
runtime code generation. However the performance and code size
overhead may well be worth it due to the magnitude of improvement in
security coverage."
To elaborate, I think the performance and code size study is an
interesting academic concern, but the magnitude of improvement
justifies whatever little performance impact this may introduce and it
should not be a blocker for the improvement.
And without any benchmarks, the proposal
should acknowledge explicitly that some
unknown performance penalty may be seen,
and needs to be accepted as a trade-off for
security reasons (some may be fine with that,
others less so, but that is a different debate
to have).
Sure, I could add that as a comment in the proposal.
Thanks,
Sid