build: Enable _FORTIFY_SOURCE and -Og optimization

Add security hardening via _FORTIFY_SOURCE=2 and switch to -Og to
provide the necessary optimization for these checks while remaining
debugger friendly.

The goal is to catch many buffer overflows and format string errors
at compile-time or runtime.

-Og may occasionally optimize out very short-lived
local variables, making them invisible in the debugger.
So i'm not sure this is a very good idea. But I hope that we will find
bugs earlier and don't even need to debug that often. We might revert
this change later though in case we run into problems too often.

I'm not aware of any other downsides.
This commit is contained in:
Michael Vetter
2026-02-26 08:50:12 +01:00
parent e95e8b5c6f
commit 606a10208a

View File

@@ -65,7 +65,9 @@ if is_debug
'-Wunused',
'-Wall',
'-Wextra',
'-fstack-protector-strong'
'-fstack-protector-strong',
'-D_FORTIFY_SOURCE=2',
'-Og'
], language: 'c')
endif