tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit e0b79a5ae9fbb7d3b68c251ffdcbb9937e3ce2e7
parent b388347c051b0140a2526dc95a1e066617126823
Author: Andrew McCreight <continuation@gmail.com>
Date:   Tue, 21 Oct 2025 16:03:49 +0000

Bug 1994784 - Enable STL hardening on MacOS. r=firefox-build-system-reviewers,nalexander

Currently, STL hardening is only enabled in debug builds, where supported. This
patch enables by default STL hardening for opt MacOS builds.

This patch also makes the build fail on non-debug builds if STL
hardening is not supported, when it is enabled. The goal here is that I don't
want to start accidentally shipping unhardened builds to users. An alternative
would be to leave that code as-is, and instead explicitly enable STL hardening
to the relevant mozconfigs, but I think it is better to make safety checks opt-out
instead of opt-in. I don't expect this will be an issue in practice on MacOS,
but maybe on Linux different distros use a wider variety of STL implementations.

Differential Revision: https://phabricator.services.mozilla.com/D269402

Diffstat:

Mbuild/moz.configure/toolchain.configure | 15++++++++++++---


Mtoolkit/crashreporter/test/unit/xpcshell.toml | 7+++++--


2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/build/moz.configure/toolchain.configure b/build/moz.configure/toolchain.configure
@@ -2971,9 +2971,14 @@ set_config(
 )
 
 
+@depends(moz_debug, target)
+def want_stl_hardening(debug, target):
+    return debug or target.os == "OSX"
+
+
 option(
     "--enable-stl-hardening",
-    default=moz_debug,
+    default=want_stl_hardening,
     help="{Enable|Disable} C++ STL hardening",
 )
 
@@ -3010,8 +3015,12 @@ def stl_hardening_flags(
         else:
             return ["-D_LIBCPP_ENABLE_ASSERTIONS=1"]
 
-    if enabled.origin != "default":
-        die("C++ STL does not support hardening")
+    # Debug builds don't ship to users, so it is fine if STL hardening is
+    # silently skipped.
+    if debug:
+        return
+
+    die("C++ STL does not support hardening")
 
 
 set_config("MOZ_STL_HARDENING_FLAGS", stl_hardening_flags)
diff --git a/toolkit/crashreporter/test/unit/xpcshell.toml b/toolkit/crashreporter/test/unit/xpcshell.toml
@@ -62,8 +62,11 @@ run-if = ["os == 'linux'"]
 reason = "Still broken on macOS and not yet supported on Windows"
 
 ["test_crash_stl.js"]
-run-if = ["os != 'win' && debug"]
-reason = "STL hardening is only enabled on non-Windows debug builds"
+skip-if = [
+  "os == 'win'",
+  "os != 'mac' && !debug"
+]
+reason = "STL hardening is only enabled on non-Windows debug builds and MacOS"
 
 ["test_crash_terminator.js"]