Enable -fstack-protector-strong on macOS and MacCatalyst when clang supports it#128740
Open
Copilot wants to merge 7 commits into
Open
Enable -fstack-protector-strong on macOS and MacCatalyst when clang supports it#128740Copilot wants to merge 7 commits into
Copilot wants to merge 7 commits into
Conversation
Co-authored-by: jkotas <6668460+jkotas@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
jkotas
May 29, 2026 04:03
View session
jkotas
reviewed
May 29, 2026
jkotas
reviewed
May 29, 2026
jkotas
approved these changes
May 29, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates native compiler configuration to prefer -fstack-protector-strong on macOS/MacCatalyst when supported, removing an old clang workaround and aligning Apple desktop targets with other Unix hosts.
Changes:
- Removes the hard-coded macOS/MacCatalyst
-fstack-protectorfallback. - Adds a compiler flag probe for
-fstack-protector-strong. - Preserves existing Apple arm64 LSE/default CPU handling.
Comments suppressed due to low confidence (1)
eng/native/configurecompiler.cmake:637
- The Apple-specific
ifopened on line 625 is still active here, so this stack-protector probe is now nested underCLR_CMAKE_HOST_OSX OR CLR_CMAKE_HOST_MACCATALYSTand theendiflabel at line 637 closes the wrong block. That means non-Apple Unix hosts no longer get-fstack-protector-strong, and CMake may also reject the mismatchedendiflabel. Close the Apple block before starting the general non-browser/WASI probe.
if(NOT CLR_CMAKE_HOST_BROWSER AND NOT CLR_CMAKE_HOST_WASI)
check_c_compiler_flag(-fstack-protector-strong COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG)
if (COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG)
add_compile_options(-fstack-protector-strong)
endif()
endif(CLR_CMAKE_HOST_OSX OR CLR_CMAKE_HOST_MACCATALYST)
Contributor
|
Tagging subscribers to this area: @dotnet/runtime-infrastructure |
jkotas
reviewed
May 29, 2026
jkotas
reviewed
May 29, 2026
jkotas
reviewed
May 29, 2026
This was referenced May 29, 2026
am11
reviewed
May 30, 2026
Comment on lines
634
to
637
| check_c_compiler_flag(-fstack-protector-strong COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG) | ||
| if (COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG) | ||
| add_compile_options(-fstack-protector-strong) | ||
| endif() |
Member
There was a problem hiding this comment.
Suggested change
| check_c_compiler_flag(-fstack-protector-strong COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG) | |
| if (COMPILER_SUPPORTS_F_STACK_PROTECTOR_STRONG) | |
| add_compile_options(-fstack-protector-strong) | |
| endif() | |
| add_compile_options(-fstack-protector-strong) |
All supported versions of clang (3.6+, AppleClang 6) and gcc (4.9+) support this flag, we can simplify it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removes the years-old workaround that hard-coded
-fstack-protectoron macOS/MacCatalyst due to a clang 7.0.2 bug. Modern clang supports-fstack-protector-strong, providing better stack canary coverage.Changes
eng/native/configurecompiler.cmake: replace the unconditional-fstack-protector(+ stale comment) forCLR_CMAKE_HOST_OSX/CLR_CMAKE_HOST_MACCATALYSTwith acheck_c_compiler_flag(-fstack-protector-strong …)probe — same pattern already used for all other non-Apple Unix targets. Falls back to-fstack-protectorif the flag is not supported, so older toolchains are unaffected.