Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
On Fri, Sep 20, 2013 at 10:01:36PM -0300, Henrique de Moraes Holschuh wrote:
> IMHO: fix everything gcc, llvm and the static testers complain about (which
> can be quite troublesome, as you must be *sure* you're actually fixing the
> issue instead of making it worse by silencing the warning without fixing a
> real bug).
Ubuntu usually decides to silence the warnings instead of fixing the bug.
> I'd also manually check every instance of (at the very least) memcopy,
> *printf, and friends, and run a batch of tests (i.e. use the program) under
> valgrind and other such dynamic behaviour checking tools.
Doesn't gcc or clang already catch calls to *printf and can do
additional checks on it's own? At least with clang/llvm it should be
trivial to find most of them.
The heart is not a logical organ.
-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4