# g++/gcc编译器——常用知识（一）

## 常用安全编译选项

### 栈保护

• -fstack-protector:

Emit extra code to check for buffer overflows, such as stack smashing attacks.
This is done by adding a guard variable to functions with vulnerable objects.
This includes functions that call alloca, and functions with buffers larger than
or equal to 8 bytes. The guards are initialized when a function is entered and
then checked when the function exits. If a guard check fails, an error message
is printed and the program exits. Only variables that are actually allocated
on the stack are considered, optimized away variables or variables allocated in
registers don’t count.

• -fstack-protector-all:

Like ‘-fstack-protector’ except that all functions are protected.

• -fstack-protector-strong:

Like ‘-fstack-protector’ but includes additional functions to be protected —
those that have local array definitions, or have references to local frame addresses. Only variables that are actually allocated on the stack are considered,
optimized away variables or variables allocated in registers don’t count.

• -fstack-protector-explicit:

Like ‘-fstack-protector’ but only protects those functions which have the
stack_protect attribute.

1. 原理就是在缓冲区与函数返回控制信息之间插入一个哨兵变量， 当缓冲区溢出时， 哨兵变量的值会首先被覆盖掉， 这样就能判断发生了溢出攻击。
2. 使用堆栈保护选项在对字符数组进行溢出防护的同时，还有意将局部变量中的数组放到函数栈的高地址，而将其它变量放在低地址。
3. 性能损失度：fstack-protector-all > fstack-protector-strong > fstack-protector.

### GOT表的保护

• -Wl, -z relro: Create RELRO program header， RELRO表示 relocation read only, 重定位段为只读。 GOT表就是用于重定位的。
• -Wl, -z now: Mark object non-lazy runtime binding

### 地址无关的代码 -fPIC

• -fpic: Generate position-independent code (PIC) suitable for use in a shared library,
if supported for the target machine. Such code accesses all constant addresses
through a global offset table (GOT). The dynamic loader resolves the GOT
entries when the program starts (the dynamic loader is not part of GCC; it
is part of the operating system). If the GOT size for the linked executable
exceeds a machine-specific maximum size, you get an error message from the
linker indicating that ‘-fpic’ does not work; in that case, recompile with ‘-fPIC’
instead. (These maximums are 8k on the SPARC, 28k on AArch64 and 32k on
the m68k and RS/6000. The x86 has no such limit.)
Position-independent code requires special support, and therefore works only on
certain machines. For the x86, GCC supports PIC for System V but not for the
Sun 386i. Code generated for the IBM RS/6000 is always position-independent.
When this flag is set, the macros pic and PIC are defined to 1.

• -fPIC: If supported for the target machine, emit position-independent code, suitable
for dynamic linking and avoiding any limit on the size of the global offset table.
This option makes a difference on AArch64, m68k, PowerPC and SPARC.
Position-independent code requires special support, and therefore works only
on certain machines

### 地址无关可执行 -fPIE

These options are similar to ‘-fpic’ and ‘-fPIC’, but the generated positionindependent code can be
only linked into executables. Usually these options are used to compile code that will be linked using
the ‘-pie’ GCC option.

### 栈检查 -fstack-check

stack-check选项作用于编译器。它会在每个栈空间最低层部分设置一个安全缓冲区，如果函数中申请的栈空间进入了该区域，就会触发异常。对应的英文资料如下：

Generate code to verify that you do not go beyond the boundary of the stack. You should specify this flag if you are running in an environment with multiple threads, but you only rarely need to specify it in a single-threaded environment since stack overflow is automatically detected on nearly all systems if there is only one stack.
Note that this switch does not actually cause checking to be done; the operating system or the language runtime must do that. The switch causes generation of code to ensure that they see the stack being extended.

## 常用告警选项

### -Wreturn-type 选项：

Warn whenever a function is defined with a return type that defaults to int.

### -Wunused选项：

-Wunused-but-set-parameter
-Wunused-but-set-variable
-Wunused-const-variable
-Wunused-const-variable=
-Wunused-dummy-argument
-Wunused-function
-Wunused-label
-Wunused-local-typedefs
-Wunused-macros
-Wunused-parameter
-Wunused-result
-Wunused-value
-Wunused-variable



### -Wuninitialized 选项：

c++类的能成员变量为非静态的引用或者const变量， 如果不使用构造函数进行初始化， 给警告。

Warn if an automatic variable is used without first being initialized. In C++,
warn if a non-static reference or non-static const member appears in a class
without constructors.

### -Wall 选项：

-Waddress
-Warray-bounds=1 (only with ‘-O2’)
-Wbool-compare
-Wbool-operation
-Wc++11-compat -Wc++14-compat
-Wcatch-value (C++ and Objective-C++ only)
-Wchar-subscripts
-Wcomment
-Wduplicate-decl-specifier (C and Objective-C only)
-Wenum-compare (in C/ObjC; this is on by default in C++)
-Wenum-conversion in C/ObjC;
-Wformat
-Wformat-overflow
-Wformat-truncation
-Wint-in-bool-context
-Wimplicit (C and Objective-C only)
-Wimplicit-int (C and Objective-C only)
-Wimplicit-function-declaration (C and Objective-C only)
-Winit-self (only for C++)
-Wlogical-not-parentheses
-Wmain (only for C/ObjC and unless ‘-ffreestanding’)
-Wmaybe-uninitialized
-Wmemset-elt-size
-Wmemset-transposed-args
-Wmissing-attributes
-Wmissing-braces (only for C/ObjC)
-Wmultistatement-macros
-Wnarrowing (only for C++)
-Wnonnull
-Wnonnull-compare
-Wopenmp-simd
-Wparentheses
-Wpessimizing-move (only for C++)
-Wpointer-sign
-Wreorder
-Wrestrict
-Wreturn-type
-Wsequence-point
-Wsign-compare (only in C++)
-Wsizeof-pointer-div
-Wsizeof-pointer-memaccess
-Wstrict-aliasing
-Wstrict-overflow=1
-Wswitch
-Wtautological-compare
-Wtrigraphs
-Wuninitialized
-Wunknown-pragmas
-Wunused-function
-Wunused-label
-Wunused-value
-Wunused-variable
-Wvolatile-register-var
-Wzero-length-bounds



### -Wextra选项（原为-W, 已经弃用了）：

-Wclobbered
-Wcast-function-type
-Wdeprecated-copy (C++ only)
-Wempty-body
-Wignored-qualifiers
-Wimplicit-fallthrough=3
-Wmissing-field-initializers
-Wmissing-parameter-type (C only)
-Wold-style-declaration (C only)
-Woverride-init
-Wsign-compare (C only)
-Wstring-compare
-Wredundant-move (only for C++)
-Wtype-limits
-Wuninitialized
-Wshift-negative-value (in C++03 and in C99 and newer)
-Wunused-parameter (only with ‘-Wunused’ or ‘-Wall’)
-Wunused-but-set-parameter (only with ‘-Wunused’ or ‘-Wall’)

posted @ 2021-05-04 16:49  殷大侠  阅读(672)  评论(0编辑  收藏  举报