[tor-bugs] #21925 [Applications/Tor Browser]: Tor Browser based on ESR52 can't get built with ASan and FORTIFY_SOURCE

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 4 09:52:26 UTC 2017


#21925: Tor Browser based on ESR52 can't get built with ASan and FORTIFY_SOURCE
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #21998                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:4 tom]:
 > You're not supposed to build ASAN with FORTIFY, or so I am told by
 people who I think know what they're talking about.
 >
 > See:
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1377553
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1419607
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1418052

 Which does not mean compilation should break. Apart from that there is
 still an issue open on the ASan side
 (https://github.com/google/sanitizers/issues/247) and glibc side to fix
 that: https://sourceware.org/bugzilla/show_bug.cgi?id=20422 (there seem to
 be some additional benefits of FORTIFY_SOURCE mentioned in this icket).
 So, it's not that one is generally not supposed to build with with ASan
 and FORTIFY_SOURCE: they just don't work together right now.

 Now, this ticket got filed when we still shipped the hardened series.
 While those were not builds meant to be used in production mode they were
 more production-like than the ASan builds we currently envision: those
 with `--enable-debug` and `--enable-tests` etc. and not distributed to
 users. I guess one could argue for those builds at least it is fine to
 disable FORTIFIY_SOURCE?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21925#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list