- cc_flags += [
- '-D_FORTIFY_SOURCE=2',
- '-fwrapv',
- '-fno-strict-overflow',
- '-Wreturn-type',
- '-Wold-style-definition',
- '-Wmissing-declarations',
- '-Wmissing-prototypes',
- '-Wstrict-prototypes',
- '-Wredundant-decls',
- '-Wbad-function-cast',
- '-Wwrite-strings',
- '-fdiagnostics-show-option',
- '-fstrict-aliasing',
- '-Wmissing-noreturn',
- ]
- if cc_name == 'clang'
- cc_flags += '-Qunused-arguments'
- endif
- ld_flags += ['-Wl,-z,relro', '-Wl,-z,now']
- if os_name == 'windows'
- ld_flags += ['-Wl,--dynamicbase', '-Wl,--nxcompat']
+ if cc_name == 'msvc'
+ # Most of these flags are already ON by default in the latest version of MSVC.
+ # Add anyway in case someone is building using an old toolchain.
+ cc_flags += ['/guard:cf', '/GS']
+ ld_flags += [
+ '/guard:cf',
+ '/NXCOMPAT',
+ '/DYNAMICBASE',
+ cpu_family.endswith('64') ? '/HIGHENTROPYVA' : '/SAFESEH',
+ ]
+ else
+ cc_flags += [
+ '-D_FORTIFY_SOURCE=2',
+ '-fcf-protection=full',
+ '-fstack-protector-strong',
+ ]
+ ld_flags += ['-Wl,-z,relro', '-Wl,-z,now', '-Wl,-z,noexecstack']
+ if os_name == 'windows'
+ ld_flags += ['-Wl,--dynamicbase', '-Wl,--nxcompat']
+ else
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458
+ cc_flags += '-fstack-clash-protection'
+ endif