OpenBSD-specific behavior of LLVM/clang
, the LLVM/clang compiler exhibits the
- clang does not search under
/usr/local for include files or libraries: as a
system compiler, it only searches the system paths by default.
- clang comes with stack protection enabled by
default, equivalent to the
-fstack-protector-strong option on other systems.
The system will report any violation of the stack protector cookie along
with the function name via syslog(3) at
- clang will generate PIE code by default, allowing
the system to load the resulting binary at a random location. This
behavior can be turned off by passing
the compiler and
-nopie to the linker. It is also
turned off when the
-pg flag is used.
- The -fstrict-aliasing option is turned off by
-Ofast has been selected.
- clang does not store its version string in
objects. There is no option to control this.
- The -p flag is an alias of
- clang does not warn for passing pointer arguments
or assignment with different signedness outside of
-pedantic. This can be re-enabled with the
- The warning option
disabled by default.
- Color diagnostic messages are disabled by default and can be re-enabled
- The -fwrapv option to treat signed integer
overflows as defined is enabled by default to prevent dangerous
optimizations which could remove security critical overflow checks.
- The malloc(3),
free(3) builtins are disabled to prevent
undesirable optimizations of calls to these functions.
- clang includes a security pass that exchanges some
ROP-friendly instructions for safe alternatives on i386 and amd64
(X86FixupGadgets pass). There is no option to disable this pass.
- clang includes the retguard security feature on
amd64 and arm64. This feature can be disabled with the
- enabled by default on amd64 to protect against branch target injection
attacks. It can be disabled with
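
The -fwrapv item above concerns overflow checks of the following kind. This is an added example, not part of the original manual page or of OpenBSD's code; the function names and the inputs in main() are constructed for illustration. It puts a bounds check that is only reliable when signed overflow is defined next to one that does not depend on the flag.

```c
#include <limits.h>
#include <stdio.h>

/* Wrap-dependent check: it detects the overflow only after it has happened.
 * With -fwrapv, off + len wraps to a negative value and "end < off" fires.
 * Without -fwrapv, signed overflow is undefined, so an optimizer may assume
 * "end < off" is never true for len >= 0 and delete the branch. */
int range_ok_wrapping(int off, int len, int cap)
{
    if (off < 0 || len < 0)
        return 0;
    int end = off + len;
    if (end < off)              /* the security-critical overflow check */
        return 0;
    return end <= cap;
}

/* Flag-independent check: off + len is never computed, so nothing can
 * overflow and there is no branch for the optimizer to remove. */
int range_ok_portable(int off, int len, int cap)
{
    if (off < 0 || len < 0 || cap < 0)
        return 0;
    if (off > cap)
        return 0;
    return len <= cap - off;    /* cap - off is in [0, cap] here */
}

int main(void)
{
    /* Constructed inputs: a 4096-byte buffer and an out-of-range offset. */
    int cap = 4096, off = INT_MAX - 8, len = 64;

    /* The first result is only guaranteed when built with -fwrapv. */
    printf("wrapping: %d\n", range_ok_wrapping(off, len, cap));
    printf("portable: %d\n", range_ok_portable(off, len, cap));
    printf("portable, in range: %d\n", range_ok_portable(4000, 96, cap));
    return 0;
}
```

Code written in the second form rejects the out-of-range request whether or not the compiler defaults to -fwrapv, which matters when the same source is built on other systems.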