Make: Harden builds

Author: ashvardanian

.github/workflows/prerelease.yml

@@ -47,10 +47,9 @@ jobs:
       CXX: g++
 
     steps:
-      - uses: actions/checkout@v4
-      - run: git submodule update --init --recursive
+      - name: Checkout
+        uses: actions/checkout@v4
 
-        # C/C++
       - name: Build C/C++
         run: |
           sudo apt update
@@ -62,7 +61,6 @@ jobs:
           build_artifacts/fork_union_test_cpp17
           build_artifacts/fork_union_test_cpp20
 
-        # Rust
       - name: Set up Rust
         run: |
           rustup update stable
@@ -81,8 +79,8 @@ jobs:
       CXX: clang++
 
     steps:
-      - uses: actions/checkout@v4
-      - run: git submodule update --init --recursive
+      - name: Checkout
+        uses: actions/checkout@v4
 
         # C/C++
         # Clang 16 isn't available from default repos on Ubuntu 22.04, so we have to install it manually
@@ -97,7 +95,6 @@ jobs:
           build_artifacts/fork_union_test_cpp17
           build_artifacts/fork_union_test_cpp20
 
-        # Rust
       - name: Set up Rust
         run: |
           rustup update stable
@@ -113,10 +110,9 @@ jobs:
     runs-on: macos-14
 
     steps:
-      - uses: actions/checkout@v4
-      - run: git submodule update --init --recursive
+      - name: Checkout
+        uses: actions/checkout@v4
 
-        # C/C++
       - name: Build C/C++
         run: |
           brew update
@@ -128,7 +124,6 @@ jobs:
           build_artifacts/fork_union_test_cpp17
           build_artifacts/fork_union_test_cpp20
 
-        # Rust
       - name: Set up Rust
         run: |
           rustup update stable
@@ -143,10 +138,9 @@ jobs:
     name: Windows
     runs-on: windows-2022
     steps:
-      - uses: actions/checkout@v4
-      - run: git submodule update --init --recursive
+      - name: Checkout
+        uses: actions/checkout@v4
 
-        # C/C++
       - name: Build C/C++
         run: |
           choco install cmake
@@ -159,7 +153,6 @@ jobs:
           .\build_artifacts\fork_union_test_cpp17.exe
           .\build_artifacts\fork_union_test_cpp20.exe
 
-        # Rust
       - name: Set up Rust
         run: |
           rustup update stable

.github/workflows/release.yml

@@ -77,7 +77,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: "main"
-      - run: git submodule update --init --recursive
+
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: nightly

.gitignore

@@ -33,6 +33,7 @@
 
 # Build directories
 build/
+build_test/
 build_debug/
 build_release/
 Testing/

CMakeLists.txt

@@ -1,5 +1,16 @@
 cmake_minimum_required(VERSION 3.14)
 
+# Set modern CMake policies for better compatibility
+if (POLICY CMP0077)
+    cmake_policy(SET CMP0077 NEW) # option() honors normal variables
+endif ()
+if (POLICY CMP0079)
+    cmake_policy(SET CMP0079 NEW) # target_link_libraries() allows use with targets in other directories
+endif ()
+if (POLICY CMP0091)
+    cmake_policy(SET CMP0091 NEW) # MSVC runtime library flags are selected by an abstraction
+endif ()
+
 project(
     fork_union
     VERSION 2.2.0
@@ -18,11 +29,78 @@ target_include_directories(
     fork_union INTERFACE $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include> $<INSTALL_INTERFACE:include>
 )
 
-# Strict compilation flags
+# Set C++17 requirement and features properly for library consumers
+target_compile_features(fork_union INTERFACE cxx_std_17)
+set_target_properties(
+    fork_union
+    PROPERTIES CXX_STANDARD 17
+               CXX_STANDARD_REQUIRED ON
+               CXX_EXTENSIONS OFF
+)
+
+# Strictest possible compilation flags with fatal warnings
 target_compile_options(
-    fork_union INTERFACE
-    $<$<CXX_COMPILER_ID:GNU,Clang>:-Wall -Wextra -Wpedantic -Wconversion -Wcast-qual -Wcast-align -Wunused -Wno-unused-parameter -Wno-unknown-pragmas -Wno-sign-conversion -Wno-unused-function>
-    $<$<CXX_COMPILER_ID:MSVC>:/W4 /permissive->
+    fork_union
+    INTERFACE # GCC/Clang: Maximum warnings + treat warnings as errors + security hardening
+              $<$<CXX_COMPILER_ID:GNU,Clang>:-Wall
+              -Wextra
+              -Wpedantic
+              -Werror
+              -Wconversion
+              -Wcast-qual
+              -Wcast-align
+              -Wunused
+              -Wno-unused-parameter
+              -Wno-unknown-pragmas
+              -Wno-sign-conversion
+              -Wno-unused-function
+              -Wshadow
+              -Wnon-virtual-dtor
+              -Wold-style-cast
+              -Woverloaded-virtual
+              -Wsign-promo
+              -Wduplicated-cond
+              -Wduplicated-branches
+              -Wlogical-op
+              -Wno-null-dereference
+              -Wuseless-cast
+              -Wdouble-promotion>
+              $<$<AND:$<CXX_COMPILER_ID:GNU,Clang>,$<CONFIG:Release,RelWithDebInfo>>:-Wno-unused-variable>
+              # Additional GCC-specific warnings
+              $<$<CXX_COMPILER_ID:GNU>:-Wmisleading-indentation
+              -Wduplicated-cond
+              -Wduplicated-branches
+              -Wlogical-op
+              -Wno-null-dereference
+              -Wuseless-cast>
+              # Additional Clang-specific warnings
+              $<$<CXX_COMPILER_ID:Clang>:-Wmost
+              -Wthread-safety
+              -Wthread-safety-negative>
+              # MSVC: Maximum warnings + treat warnings as errors
+              $<$<CXX_COMPILER_ID:MSVC>:/W4
+              /WX
+              /permissive-
+              /w14242
+              /w14254
+              /w14263
+              /w14265
+              /w14287
+              /we4289
+              /w14296
+              /w14311
+              /w14545
+              /w14546
+              /w14547
+              /w14549
+              /w14555
+              /w14619
+              /w14640
+              /w14826
+              /w14905
+              /w14906
+              /w14928>
+              $<$<AND:$<CXX_COMPILER_ID:MSVC>,$<CONFIG:Release,RelWithDebInfo>>:/wd4101>
 )
 
 # Pre-compiled libraries built from `c/lib.cpp`
@@ -41,6 +119,47 @@ set_target_properties(
 target_link_libraries(fork_union_dynamic PUBLIC fork_union)
 target_link_libraries(fork_union_static PUBLIC fork_union)
 
+# Security hardening flags for compiled libraries
+target_compile_options(
+    fork_union_dynamic
+    PRIVATE # Stack protection and buffer overflow detection
+            $<$<CXX_COMPILER_ID:GNU,Clang>:-fstack-protector-strong
+            -D_FORTIFY_SOURCE=2>
+            # Control flow integrity and stack clash protection
+            $<$<CXX_COMPILER_ID:GNU>:-fcf-protection=full
+            -fstack-clash-protection>
+            $<$<CXX_COMPILER_ID:Clang>:-fcf-protection=full>
+            # MSVC security features
+            $<$<CXX_COMPILER_ID:MSVC>:/GS
+            /guard:cf>
+)
+target_compile_options(
+    fork_union_static
+    PRIVATE $<$<CXX_COMPILER_ID:GNU,Clang>:-fstack-protector-strong
+            -D_FORTIFY_SOURCE=2>
+            $<$<CXX_COMPILER_ID:GNU>:-fcf-protection=full
+            -fstack-clash-protection>
+            $<$<CXX_COMPILER_ID:Clang>:-fcf-protection=full>
+            $<$<CXX_COMPILER_ID:MSVC>:/GS
+            /guard:cf>
+)
+
+# Hardened linking flags
+target_link_options(
+    fork_union_dynamic
+    PRIVATE
+    # Enable RELRO, stack canaries, and NX bit
+    $<$<PLATFORM_ID:Linux>:-Wl,-z,relro,-z,now,-z,noexecstack>
+    # MSVC hardened linking
+    $<$<CXX_COMPILER_ID:MSVC>:/DYNAMICBASE
+    /NXCOMPAT
+    /guard:cf>
+)
+target_link_options(
+    fork_union_static PRIVATE $<$<PLATFORM_ID:Linux>:-Wl,-z,relro,-z,now,-z,noexecstack>
+    $<$<CXX_COMPILER_ID:MSVC>:/guard:cf>
+)
+
 # Set the output directory for all executables - on Windows requires more boilerplate:
 # https://stackoverflow.com/a/25328001
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR})
@@ -51,47 +170,31 @@ set(CMAKE_RUNTIME_OUTPUT_DIRECTORY_MINSIZEREL ${CMAKE_BINARY_DIR})
 
 # Static analysis tools
 find_program(CPPCHECK_EXECUTABLE cppcheck)
-if(CPPCHECK_EXECUTABLE)
+if (CPPCHECK_EXECUTABLE)
     add_custom_target(
         cppcheck
-        COMMAND ${CPPCHECK_EXECUTABLE}
-            --enable=all
-            --std=c++17
-            --verbose
-            --quiet
-            --error-exitcode=1
-            --suppress=missingIncludeSystem
-            --suppress=unusedFunction
-            --suppress=unmatchedSuppression
-            --suppress=ConfigurationNotChecked
-            --suppress=knownConditionTrueFalse
-            --suppress=shadowFunction
-            --suppress=shadowVariable
-            --suppress=useStlAlgorithm
-            --suppress=noExplicitConstructor
-            -I${CMAKE_CURRENT_SOURCE_DIR}/include
-            -DFU_ENABLE_NUMA=1
-            ${CMAKE_CURRENT_SOURCE_DIR}/include
+        COMMAND
+            ${CPPCHECK_EXECUTABLE} --enable=all --std=c++17 --verbose --quiet --error-exitcode=1
+            --suppress=missingIncludeSystem --suppress=unusedFunction --suppress=unmatchedSuppression
+            --suppress=ConfigurationNotChecked --suppress=knownConditionTrueFalse --suppress=shadowFunction
+            --suppress=shadowVariable --suppress=useStlAlgorithm --suppress=noExplicitConstructor
+            -I${CMAKE_CURRENT_SOURCE_DIR}/include -DFU_ENABLE_NUMA=1 ${CMAKE_CURRENT_SOURCE_DIR}/include
             ${CMAKE_CURRENT_SOURCE_DIR}/c
         COMMENT "Running cppcheck static analysis"
     )
-endif()
+endif ()
 
 find_program(CLANG_TIDY_EXECUTABLE clang-tidy)
-if(CLANG_TIDY_EXECUTABLE)
+if (CLANG_TIDY_EXECUTABLE)
     add_custom_target(
         clang-tidy
-        COMMAND ${CLANG_TIDY_EXECUTABLE} 
-            --config-file=${CMAKE_CURRENT_SOURCE_DIR}/.clang-tidy
-            --quiet
-            ${CMAKE_CURRENT_SOURCE_DIR}/include/*.hpp
-            ${CMAKE_CURRENT_SOURCE_DIR}/c/*.cpp
-            --
-            -I${CMAKE_CURRENT_SOURCE_DIR}/include
-            -std=c++17
+        COMMAND
+            ${CLANG_TIDY_EXECUTABLE} --config-file=${CMAKE_CURRENT_SOURCE_DIR}/.clang-tidy --quiet
+            ${CMAKE_CURRENT_SOURCE_DIR}/include/*.hpp ${CMAKE_CURRENT_SOURCE_DIR}/c/*.cpp --
+            -I${CMAKE_CURRENT_SOURCE_DIR}/include -std=c++17
         COMMENT "Running clang-tidy static analysis"
     )
-endif()
+endif ()
 
 # Tests & benchmarking scripts
 include(CTest)

README.md

@@ -120,7 +120,7 @@ Then, include the header in your C++ code:
 namespace fu = ashvardanian::fork_union;
 
 int main() {
-    fu::basic_pool_t pool;
+    alignas(fu::default_alignment_k) fu::basic_pool_t pool;
     if (!pool.try_spawn(std::thread::hardware_concurrency())) {
         std::fprintf(stderr, "Failed to fork the threads\n");
         return EXIT_FAILURE;