Open Bug 1546873 Opened 5 years ago Updated 2 years ago

Enable clang -ftrivial-auto-var-init=pattern in --enable-hardening builds

Categories

(Firefox Build System :: Toolchains, enhancement)

65 Branch
Unspecified
Linux
enhancement

Tracking

(Not tracked)

People

(Reporter: cpeterson, Unassigned)

References

(Blocks 1 open bug)

Details

clang 8+ now has a -ftrivial-auto-var-init option to initialize automatic variables with a 0xAA... pattern. The expected runtime overhead is 3-5%. Performance tests in bug 1514965 comment 7 show similar results: ~2% Speedometer regression and ~1-10% tp6 page load regression.

https://reviews.llvm.org/rL349442

Bug 1514965 enabled -ftrivial-auto-var-init in Firefox builds that --enable-debug to help find bugs. Linux distro builds that explicitly --enable-hardening might want -ftrivial-auto-var-init for memory safety, even with the runtime performance regressions.

Microsoft enabled a similar auto initialization flag (with default value 0) for Windows kernel code:

https://twitter.com/JosephBialek/status/1062774315098112001

"Please join the Windows kernel in wishing farewell to uninitialized plain-old-data structs on the stack. As of today's WIPFast build, any Windows code compiled with /kernel also gets compiled with InitAll, a compiler security feature that initializes POD structs at declaration.

Between 2017 and mid 2018, this feature would have killed 49 MSRC cases that involved uninitialized struct data leaking across a trust boundary. It would have also mitigated a number of bugs involving uninitialized struct data being used directly.

To date, we are seeing noise level performance regressions caused by this change. We accomplished this by improving the compiler's ability to kill redundant stores. While everything is initialized at declaration, most of these initializations can be proven redundant and eliminated.

We are conservative with how we roll this out. Starting with kernel components and then expanding scope. It's a bit scary from a perf perspective and I'd like to avoid fire drills. Kernel components are by far the most impacted in MSRC case data so it's a good starting point."
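Added illustration (not code from this bug, Firefox, or the quoted thread) of the bug class described above, an uninitialized POD struct leaking across a trust boundary, and of what the 0xAA pattern fill changes about it. `struct report`, the `fill_report_*` functions and `count_byte` are constructed for this example, and the 0xAA fill is written by hand to stand in for the one the compiler inserts, so the effect is visible however this file is compiled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record that gets copied across a trust boundary. Only `id`
 * is assigned before the copy; flags, the 2 padding bytes after it,
 * timestamp and note are left untouched. */
struct report {
    uint32_t id;
    uint16_t flags;      /* 2 bytes of padding follow */
    uint64_t timestamp;
    uint8_t  note[8];
};

/* Before: the 20 unassigned bytes are whatever the stack held; reading
 * them is undefined behaviour. This is the bug class the flag targets. */
void fill_report_uninit(uint32_t id, unsigned char *out) {
    struct report r;
    r.id = id;
    memcpy(out, &r, sizeof r);
}

/* Effect of -ftrivial-auto-var-init=pattern: the whole local is filled with
 * 0xAA at declaration. The fill is written by hand here so the result can be
 * observed regardless of how this file is compiled. */
void fill_report_pattern(uint32_t id, unsigned char *out) {
    struct report r;
    memset(&r, 0xAA, sizeof r);  /* stands in for the compiler-inserted fill */
    r.id = id;
    memcpy(out, &r, sizeof r);
}

/* Source-level fix: memset clears padding bytes too, which `= {0}` does
 * not guarantee. */
void fill_report_hardened(uint32_t id, unsigned char *out) {
    struct report r;
    memset(&r, 0, sizeof r);
    r.id = id;
    memcpy(out, &r, sizeof r);
}

/* Triage helper: counts bytes equal to `value`. A leaked field made of 0xAA
 * bytes points at an uninitialised read under pattern init, not stale data. */
size_t count_byte(const unsigned char *buf, size_t len, unsigned char value) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (buf[i] == value);
    return n;
}
```

With pattern init the leak still exists, but the leaked bytes are a recognizable constant rather than stale stack contents, which is why the page frames the flag as a mitigation for information leaks rather than a fix.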

Depends on: 1514965
Severity: normal → S3