llvm-project/libcxx/docs/Hardening.rst

===============
Hardening Modes
===============

.. contents::
   :local:

.. _using-hardening-modes:

Using hardening modes
=====================

libc++ provides several hardening modes, where each mode enables a set of
assertions that prevent undefined behavior caused by violating preconditions of
the standard library. Different hardening modes make different trade-offs
between the amount of checking and runtime performance. The available hardening
modes are:
- fast mode;
- extensive mode;
- debug mode.

The fast mode contains a set of security-critical checks that can be done with
relatively little overhead in constant time and are intended to be used in
production. We recommend most projects to adopt the fast mode.

The extensive mode contains all the checks from the fast mode and additionally
some checks for undefined behavior that incur relatively little overhead but
aren't security-critical. While the performance penalty is somewhat more
significant compared to the fast mode, the extensive mode is still intended to
be usable in production.

The debug mode enables all the available checks in the library, including
internal assertions, some of which might be very expensive. This mode is
intended to be used for testing, not in production.

Vendors can set the default hardening mode by using the
``LIBCXX_HARDENING_MODE`` variable at CMake configuration time with the possible
values of ``none``, ``fast``, ``extensive`` and ``debug``. The default value is
``none`` which doesn't enable any hardening checks (this mode is sometimes
called the ``unchecked`` mode).

When hardening is enabled, the compiled library is built with the corresponding
mode enabled, **and** user code will be built with the same mode enabled by
default. If the mode is set to "none" at the CMake configuration time, the
compiled library will not contain any assertions and the default when building
user code will be to have assertions disabled. As a user, you can consult your
vendor to know which level of hardening is enabled by default.

Furthermore, independently of any vendor-selected default, users can always
control which level of hardening is enabled in their code by defining the macro
``_LIBCPP_HARDENING_MODE`` before including any libc++ headers (preferably by
passing ``-D_LIBCPP_HARDENING_MODE=X`` to the compiler). The macro can be
set to one of the following possible values:

- ``_LIBCPP_HARDENING_MODE_NONE``;
- ``_LIBCPP_HARDENING_MODE_FAST``;
- ``_LIBCPP_HARDENING_MODE_EXTENSIVE``;
- ``_LIBCPP_HARDENING_MODE_DEBUG``.

The exact numeric values of these macros are unspecified and users should not
rely on them (e.g. expect the values to be sorted in any way).

Note that if the compiled library was built by the vendor with the hardening
mode set to "none", functions compiled inside the static or shared library won't
have any hardening enabled even if the user compiles with hardening enabled (the
same is true for the inverse case where the static or shared library was
compiled **with** hardening enabled but the user tries to disable it). However,
most of the code in libc++ is in the headers, so the user-selected value for
``_LIBCPP_HARDENING_MODE``, if any, will usually be respected.

Enabling hardening has no impact on the ABI.

Iterator bounds checking
------------------------
TODO(hardening)
[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00			`===============`
			`Hardening Modes`
			`===============`
[libc++][hardening][NFC] Add macros to enable hardened mode. This patch only adds new configuration knobs -- the actual assertions will be added in follow-up patches. Differential Revision: https://reviews.llvm.org/D153902 2023-07-12 10:12:51 -07:00
			`.. contents::`
			`:local:`

[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00			`.. _using-hardening-modes:`
[libc++][hardening][NFC] Add macros to enable hardened mode. This patch only adds new configuration knobs -- the actual assertions will be added in follow-up patches. Differential Revision: https://reviews.llvm.org/D153902 2023-07-12 10:12:51 -07:00
[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00			`Using hardening modes`
			`=====================`
[libc++][hardening][NFC] Add macros to enable hardened mode. This patch only adds new configuration knobs -- the actual assertions will be added in follow-up patches. Differential Revision: https://reviews.llvm.org/D153902 2023-07-12 10:12:51 -07:00
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`libc++ provides several hardening modes, where each mode enables a set of`
			`assertions that prevent undefined behavior caused by violating preconditions of`
			`the standard library. Different hardening modes make different trade-offs`
			`between the amount of checking and runtime performance. The available hardening`
			`modes are:`
			`- fast mode;`
			`- extensive mode;`
[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00			`- debug mode.`

[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`The fast mode contains a set of security-critical checks that can be done with`
			`relatively little overhead in constant time and are intended to be used in`
			`production. We recommend most projects to adopt the fast mode.`

			`The extensive mode contains all the checks from the fast mode and additionally`
[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00			`some checks for undefined behavior that incur relatively little overhead but`
			`aren't security-critical. While the performance penalty is somewhat more`
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`significant compared to the fast mode, the extensive mode is still intended to`
			`be usable in production.`
[libc++][hardening] Add back the safe mode. The safe mode is in-between the hardened and the debug modes, extending the checks contained in the hardened mode with certain checks that are relatively cheap and prevent common sources of errors but aren't security-critical. Thus, the safe mode trades off some performance for a wider set of checks, but unlike the debug mode, it can still be used in production. Differential Revision: https://reviews.llvm.org/D158823 2023-09-12 12:01:36 -07:00
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`The debug mode enables all the available checks in the library, including`
			`internal assertions, some of which might be very expensive. This mode is`
			`intended to be used for testing, not in production.`
[libc++][hardening][NFC] Add macros to enable hardened mode. This patch only adds new configuration knobs -- the actual assertions will be added in follow-up patches. Differential Revision: https://reviews.llvm.org/D153902 2023-07-12 10:12:51 -07:00
[libc++][hardening] Deprecate `_LIBCPP_ENABLE_ASSERTIONS`. `_LIBCPP_ENABLE_ASSERTIONS` was used to enable the "safe" mode in libc++. Libc++ now provides the hardened mode and the debug mode that replace the safe mode. For backward compatibility, enabling `_LIBCPP_ENABLE_ASSERTIONS` now enables the hardened mode. Note that the hardened mode provides a narrower set of checks than the previous "safe" mode (only security-critical checks that are performant enough to be used in production). Differential Revision: https://reviews.llvm.org/D154997 2023-07-14 16:58:15 -07:00			`Vendors can set the default hardening mode by using the`
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			``LIBCXX_HARDENING_MODE`` variable at CMake configuration time with the possible
			values of ``none``, ``fast``, ``extensive`` and ``debug``. The default value is
			``none`` which doesn't enable any hardening checks (this mode is sometimes
			called the ``unchecked`` mode).
[libc++][hardening] Deprecate `_LIBCPP_ENABLE_ASSERTIONS`. `_LIBCPP_ENABLE_ASSERTIONS` was used to enable the "safe" mode in libc++. Libc++ now provides the hardened mode and the debug mode that replace the safe mode. For backward compatibility, enabling `_LIBCPP_ENABLE_ASSERTIONS` now enables the hardened mode. Note that the hardened mode provides a narrower set of checks than the previous "safe" mode (only security-critical checks that are performant enough to be used in production). Differential Revision: https://reviews.llvm.org/D154997 2023-07-14 16:58:15 -07:00
			`When hardening is enabled, the compiled library is built with the corresponding`
			`mode enabled, and user code will be built with the same mode enabled by`
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`default. If the mode is set to "none" at the CMake configuration time, the`
[libc++][hardening] Deprecate `_LIBCPP_ENABLE_ASSERTIONS`. `_LIBCPP_ENABLE_ASSERTIONS` was used to enable the "safe" mode in libc++. Libc++ now provides the hardened mode and the debug mode that replace the safe mode. For backward compatibility, enabling `_LIBCPP_ENABLE_ASSERTIONS` now enables the hardened mode. Note that the hardened mode provides a narrower set of checks than the previous "safe" mode (only security-critical checks that are performant enough to be used in production). Differential Revision: https://reviews.llvm.org/D154997 2023-07-14 16:58:15 -07:00			`compiled library will not contain any assertions and the default when building`
			`user code will be to have assertions disabled. As a user, you can consult your`
			`vendor to know which level of hardening is enabled by default.`

			`Furthermore, independently of any vendor-selected default, users can always`
[libc++][hardening] Rework macros for enabling the hardening mode. (#70575) 1. Instead of using individual "boolean" macros, have an "enum" macro `_LIBCPP_HARDENING_MODE`. This avoids issues with macros being mutually exclusive and makes overriding the hardening mode within a TU more straightforward. 2. Rename the safe mode to debug-lite. This brings the code in line with the RFC: https://discourse.llvm.org/t/rfc-hardening-in-libc/73925 Fixes #65101 2023-11-08 09:10:00 -10:00			`control which level of hardening is enabled in their code by defining the macro`
			``_LIBCPP_HARDENING_MODE`` before including any libc++ headers (preferably by
			passing ``-D_LIBCPP_HARDENING_MODE=X`` to the compiler). The macro can be
			`set to one of the following possible values:`

			- ``_LIBCPP_HARDENING_MODE_NONE``;
			- ``_LIBCPP_HARDENING_MODE_FAST``;
			- ``_LIBCPP_HARDENING_MODE_EXTENSIVE``;
			- ``_LIBCPP_HARDENING_MODE_DEBUG``.

			`The exact numeric values of these macros are unspecified and users should not`
			`rely on them (e.g. expect the values to be sorted in any way).`

			`Note that if the compiled library was built by the vendor with the hardening`
			`mode set to "none", functions compiled inside the static or shared library won't`
			`have any hardening enabled even if the user compiles with hardening enabled (the`
			`same is true for the inverse case where the static or shared library was`
			`compiled with hardening enabled but the user tries to disable it). However,`
			`most of the code in libc++ is in the headers, so the user-selected value for`
			``_LIBCPP_HARDENING_MODE``, if any, will usually be respected.
[libc++][hardening] Deprecate `_LIBCPP_ENABLE_ASSERTIONS`. `_LIBCPP_ENABLE_ASSERTIONS` was used to enable the "safe" mode in libc++. Libc++ now provides the hardened mode and the debug mode that replace the safe mode. For backward compatibility, enabling `_LIBCPP_ENABLE_ASSERTIONS` now enables the hardened mode. Note that the hardened mode provides a narrower set of checks than the previous "safe" mode (only security-critical checks that are performant enough to be used in production). Differential Revision: https://reviews.llvm.org/D154997 2023-07-14 16:58:15 -07:00
			`Enabling hardening has no impact on the ABI.`
[libc++][hardening][NFC] Add macros to enable hardened mode. This patch only adds new configuration knobs -- the actual assertions will be added in follow-up patches. Differential Revision: https://reviews.llvm.org/D153902 2023-07-12 10:12:51 -07:00
			`Iterator bounds checking`
			`------------------------`
			`TODO(hardening)`