Open
Description
It may make sense to mention (in "Compiler Options Hardening Guide for C and C++") that _FORTIFY_SOURCE and -ftrivial-auto-var-init should be disabled in QA runs that use Asan and Msan.
Issues with _FORTIFY_SOURCE are widely known, e.g. here is an excerpt from the Asan FAQ:
Q: I've compiled my code with -D_FORTIFY_SOURCE flag and ASan, or -D_FORTIFY_SOURCE is enabled by default in my distribution (most modern distributions).
Now ASan misbehaves (either produces false warnings, or does not find some bugs).
A: Currently ASan (and other sanitizers) doesn't support source fortification,
see https://github.com/google/sanitizers/issues/247.
The fix should most likely be on the glibc side, see the (stalled) discussion here.
This will cause false negatives for Asan and false positives for Msan (https://patchwork.ozlabs.org/project/glibc/patch/[email protected]/).
Similarly, -ftrivial-auto-var-init will prevent Msan from detecting uninitialized local variables (because they will be forcibly initialized).
So these two flags should be reserved only for production (non-sanitized) builds.
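
One way a build script could apply the separation this issue asks for, as an added example that is not part of the issue or of the OpenSSF guide: derive the QA flag set from the production one by dropping the two options whenever ASan or MSan is requested. The function name `qa_flags` and the sample flag strings are hypothetical, and flags are assumed to contain no whitespace or glob characters.

```shell
#!/bin/sh
# Added example: strip hardening options that interfere with ASan/MSan.
# qa_flags is a hypothetical helper; the flag strings below are constructed.

# qa_flags "<compiler flags>": prints the flags unchanged for non-sanitized
# builds; for ASan/MSan builds, prints them without _FORTIFY_SOURCE and
# -ftrivial-auto-var-init, and appends -U_FORTIFY_SOURCE.
qa_flags() {
    in_flags=$1
    uses_san=no
    for f in $in_flags; do
        case $f in
            -fsanitize=*)
                # -fsanitize= takes a comma-separated list (address,undefined,...)
                case ",${f#-fsanitize=}," in
                    *,address,*|*,memory,*) uses_san=yes ;;
                esac ;;
        esac
    done
    if [ "$uses_san" = no ]; then
        # Production (non-sanitized) build: keep the hardening flags.
        printf '%s\n' "$in_flags"
        return 0
    fi
    out=
    for f in $in_flags; do
        case $f in
            -D_FORTIFY_SOURCE|-D_FORTIFY_SOURCE=*) continue ;;
            -ftrivial-auto-var-init=*) continue ;;
        esac
        out="${out:+$out }$f"
    done
    # The macro may also be enabled by default in the distribution's compiler,
    # so undefine it explicitly rather than only dropping -D.
    printf '%s\n' "$out -U_FORTIFY_SOURCE"
}

# Constructed sample: a production flag set reused for an ASan QA run.
qa_flags "-O2 -D_FORTIFY_SOURCE=3 -ftrivial-auto-var-init=zero -fsanitize=address"
```

Other `-fsanitize=` values such as `undefined` leave the flags untouched, since the issue only names Asan and Msan.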