clang-local —
OpenBSD-specific behavior of LLVM/clang
On
OpenBSD, the LLVM/clang compiler exhibits the
following characteristics:
clang does not search under
/usr/local for include files or libraries: as a
system compiler, it only searches the system paths by default.clang comes with stack protection enabled by
default, equivalent to the
-fstack-protector-strong option on other systems.
The system will report any violation of the stack protector cookie along
with the function name via syslog(3) at
LOG_CRIT priority.clang will generate PIE code by default, allowing
the system to load the resulting binary at a random location. This
behavior can be turned off by passing -fno-pie to
the compiler and -nopie to the linker. It is also
turned off when the -pg flag is used.- The
-fstrict-aliasing option is turned off by
default unless -Ofast has been selected.
clang does not store its version string in
objects. There is no option to control this.- The
-p flag is an alias of
-pg.
clang does not warn for passing pointer arguments
or assignment with different signedness outside of
-pedantic. This can be re-enabled with the
-Wpointer-sign flag.- The warning option
-Waddress-of-packed-member is
disabled by default.
- Color diagnostic messages are disabled by default and can be re-enabled
with
-fdiagnostics-color.
- The
-fwrapv option to treat signed integer
overflows as defined is enabled by default to prevent dangerous
optimizations which could remove security critical overflow checks.
- The malloc(3),
calloc(3),
realloc(3),
strdup(3),
strndup(3),
valloc(3) and
free(3) builtins are disabled to prevent
undesirable optimizations of calls to these functions.
clang includes a security pass that exchanges some
ROP-friendly instructions for safe alternatives on i386 and amd64. This
can be disabled with the -fno-fixup-gadgets
option.clang includes the retguard security feature on
amd64 and arm64. This feature can be disabled with the
-fno-ret-protector or
-fno-stack-protector options.clang has -mretpoline
enabled by default on amd64 to protect against branch target injection
attacks. It can be disabled with
-mno-retpoline.
![[OpenBSD]](/openbsd.gif){kind=small}