[Bug 1972043] Re: Please add -ftrivial-auto-var-init=zero to default build flags

Seth Arnold 1972043 at bugs.launchpad.net
Thu Jul 6 21:08:20 UTC 2023 

On Thu, Jul 06, 2023 at 12:16:46PM -0000, Matthias Klose wrote:
> @alexmurray, I never said, that it has to be done in dpkg *only*. The
> bad thing of doing it in the compiler only is that nobody knows about
> it. Having the change *also* in dpkg lets these new flags appear in the
> build output, and people can see these compiler options.

I can appreciate wanting the flags more visible in build logs, but I think
having them set twice: once loudly, once silently, will make debugging
problems more confusing than if they're only set once, even if silent.

Could we emit our special flags as part of standard output, so they'd be
more visible to developers when troubleshooting?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1972043

Title:
  Please add -ftrivial-auto-var-init=zero to default build flags

Status in dpkg package in Ubuntu:
  Confirmed
Status in gcc-12 package in Ubuntu:
  Confirmed
Status in dpkg source package in Kinetic:
  Confirmed
Status in gcc-12 source package in Kinetic:
  Confirmed

Bug description:
  Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the
  first release of GCC to provide this flag).

  It goes well with the other important security flaw mitigation flags already enabled in Ubuntu for GCC:
  https://wiki.ubuntu.com/ToolChain/CompilerFlags

  While many variables are initialized (due to -Wuninitialized), there
  is a blind spot for variables passed by reference, padding, and cases
  where -Wuninitialized just fails to track it. Universally wiping the
  variables eliminates nearly the entire class of uninitialized stack
  variable use (https://cwe.mitre.org/data/definitions/457.html) with
  nearly no overhead (e.g. any duplicate assignments will already be
  squashed during dead store elimination, etc).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1972043/+subscriptions

More information about the foundations-bugs mailing list