build(gcc): use -fhardened option for gcc15

.github/workflows/ci.yml

@@ -96,8 +96,7 @@ jobs:
           -D ENABLE_LSAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_CPPCHECK:BOOL=TRUE
           -D ENABLE_CLANG_TIDY:BOOL=${{ contains(matrix.config.cc, 'clang') }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
-          -D ENABLE_FORTIFY_SOURCE:BOOL=${{ matrix.build.type != 'Debug' }}
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: uv run cmake --build --preset ${{ matrix.build.preset }} --target all all_verify_interface_header_sets
@@ -185,8 +184,7 @@ jobs:
           -D ENABLE_ASAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_UBSAN:BOOL=${{ matrix.build.type == 'Debug' }}
           -D ENABLE_LSAN:BOOL=${{ matrix.build.type == 'Debug' }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
-          -D ENABLE_FORTIFY_SOURCE:BOOL=${{ matrix.build.type != 'Debug' }}
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: uv run cmake --build --preset ${{ matrix.build.preset }} --target all all_verify_interface_header_sets
@@ -271,7 +269,7 @@ jobs:
           # see microsoft/STL#6291 and actions/runner-images#7739 for info
           # TL;DR msvc requires ALL code to be compiled with ASAN, INCLUDING linked 3rd-party libs
           -D ENABLE_ASAN:BOOL=FALSE # ${{ matrix.build.type == 'Debug' && matrix.config.cc == 'cl' }}
-          -D ENABLE_HARDENINGS:BOOL=TRUE
+          -D ENABLE_HARDENINGS:BOOL=${{ matrix.build.type != 'Debug' }}
 
       - name: Build
         run: >

README.md

@@ -71,7 +71,6 @@ cmake --preset <preset> \
   -D CACHE_OPTION=<ccache or sccache> \
   -D ENABLE_COVERAGE=<bool> \
   -D ENABLE_HARDENINGS=<bool> \
-  -D ENABLE_FORTIFY_SOURCE=<bool> \
   -D ENABLE_ASAN=<bool> \
   -D ENABLE_LSAN=<bool> \
   -D ENABLE_UBSAN=<bool> \

cmake/defaults.cmake

@@ -12,11 +12,6 @@ if(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang|GNU")
   option(ENABLE_LSAN "Enable leak sanitizer" OFF)
   option(ENABLE_UBSAN "Enable undefined behavior sanitizer" OFF)
   option(ENABLE_TSAN "Enable thread sanitizer" OFF)
-  option(
-    ENABLE_FORTIFY_SOURCE
-    "Enable -D_FORTIFY_SOURCE=3 (requires optimized build)"
-    OFF
-  )
 endif()
 option(ENABLE_HARDENINGS "Enable hardenings" OFF)
 
@@ -313,14 +308,15 @@ function(enable_hardenings target_name)
           /LARGEADDRESSAWARE
           /HIGHENTROPYVA
       )
-    elseif(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang|GNU")
+    elseif(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
+      target_compile_options(${target_name} INTERFACE -fhardened)
+    elseif(CMAKE_CXX_COMPILER_ID MATCHES ".*Clang")
       target_compile_definitions(${target_name} INTERFACE _GLIBCXX_ASSERTIONS)
-      if(ENABLE_FORTIFY_SOURCE)
-        target_compile_options(
-          ${target_name}
-          INTERFACE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
-        )
-      endif()
+      target_compile_options(
+        ${target_name}
+        INTERFACE -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3
+      )
+
       if(LINUX)
         target_link_options(${target_name} INTERFACE -Wl,-z,noexecstack)
       endif()