facebook · mszabo-wikia · Oct 10, 2025
diff --git a/CMake/HPHPCompiler.cmake b/CMake/HPHPCompiler.cmake
@@ -83,13 +83,45 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
   set(GDB_SUBOPTION)
 
   # Enable GCC/LLVM stack-smashing protection
-  if(ENABLE_SSP)
+  if(ENABLE_HARDENING)
     list(APPEND GENERAL_OPTIONS
+      # Enable stack protection and stack-clash protection.
       # This needs two dashes in the name, so put one here.
       "-param=ssp-buffer-size=4"
-      "pie"
-      "fPIC"
+      "fstack-protector-strong"
+      "fstack-clash-protection"
+
+      # Use hardened equivalents of various glibc functions
+      # to guard against buffer overflows.
+      "D_FORTIFY_SOURCE=3"
+
+      # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
+      "Wl,-z,relro,-z,now"
+      # Mark stack as non-executable.
+      "Wl,-z,noexecstack"
+      # Separate ELF code into its own segment.
+      "Wl,-z,separate-code"
     )
+
+    # Enable control-flow / branch protection.
+    if (IS_X64)
+      list(APPEND GENERAL_OPTIONS "fcf-protection")
+    elseif (IS_AARCH64)
+      list(APPEND GENERAL_OPTIONS "mbranch-protection=standard")
+    endif()
+
+    # Enable C++ standard library assertions.
+    if (CLANG_FORCE_LIBCPP)
+      list(APPEND GENERAL_CXX_OPTIONS "D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE")
+    else()
+      list(APPEND GENERAL_CXX_OPTIONS "D_GLIBCXX_ASSERTIONS")
+    endif()
+  endif()
+
+  if (ENABLE_PIE)
+    list(APPEND GENERAL_OPTIONS "pie" "fPIC")
+  else()
+    list(APPEND GENERAL_OPTIONS "no-pie")
   endif()
 
   if (IS_X64)
@@ -110,13 +142,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "unused-command-line-argument"
     )
 
-    # Enabled GCC/LLVM stack-smashing protection
-    if(ENABLE_SSP)
-      list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-    else()
-      list(APPEND GENERAL_OPTIONS "no-pie")
-    endif()
-
     if(CLANG_FORCE_LIBCPP)
       list(APPEND GENERAL_CXX_OPTIONS "stdlib=libc++")
     endif()
@@ -150,15 +175,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
       "-param=large-unit-insns=10000"
     )
 
-    # Enabled GCC/LLVM stack-smashing protection
-    if(ENABLE_SSP)
-      if(LINUX)
-        # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
-        list(APPEND GENERAL_OPTIONS "Wl,-z,relro,-z,now")
-      endif()
-      list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
-    endif()
-
     # X64
     if(IS_X64)
       list(APPEND GENERAL_CXX_OPTIONS "mcrc32")

diff --git a/CMake/Options.cmake b/CMake/Options.cmake
@@ -1,7 +1,8 @@
 #set(CMAKE_BUILD_TYPE Debug)
 
 option(ALWAYS_ASSERT "Enabled asserts in a release build" OFF)
-option(ENABLE_SSP "Enabled GCC/LLVM stack-smashing protection" OFF)
+option(ENABLE_HARDENING "Set hardening flags and definitions, e.g. stack-smashing protection" OFF)
+option(ENABLE_PIE "Produce position-independent executables" OFF)
 option(STATIC_CXX_LIB "Statically link libstd++ and libgcc." OFF)
 option(ENABLE_AARCH64_CRC "Enable the use of CRC instructions" OFF)
 option(ENABLE_FASTCGI "Enable the FastCGI interface." ON)

diff --git a/third-party/brotli/CMakeLists.txt b/third-party/brotli/CMakeLists.txt
@@ -15,6 +15,7 @@ ExternalProject_Add(
   bundled_brotli
   ${BROTLI_SOURCE_ARGS}
   CMAKE_ARGS
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR>
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib

diff --git a/third-party/libzip/CMakeLists.txt b/third-party/libzip/CMakeLists.txt
@@ -46,6 +46,7 @@ ExternalProject_Add(
   -DBUILD_EXAMPLES=FALSE
   -DBUILD_DOC=FALSE
   -DBUILD_SHARED_LIBS=FALSE
+  -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
   -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
   -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
   -DCMAKE_INSTALL_PREFIX=<INSTALL_DIR>

diff --git a/third-party/mcrouter/CMakeLists.txt b/third-party/mcrouter/CMakeLists.txt
@@ -47,6 +47,7 @@ ExternalProject_Add(
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
     -DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
     -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS}
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
 
     "-DCMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}"
     "-DBOOST_INCLUDE_DIR=$<TARGET_PROPERTY:boost,INTERFACE_INCLUDE_DIRECTORIES>"

diff --git a/third-party/timelib/CMakeLists.txt b/third-party/timelib/CMakeLists.txt
@@ -34,6 +34,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}

diff --git a/third-party/watchman/CMakeLists.txt b/third-party/watchman/CMakeLists.txt
@@ -26,6 +26,7 @@ ExternalProject_Add(
     -DCMAKE_INSTALL_INCLUDEDIR=include
     -DCMAKE_INSTALL_LIBDIR=lib
 
+    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
     -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
     -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
     -DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}