From 10b36563e1a0d4ad100e9dd5fd546088af53fdc0 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 11:25:00 -0700 Subject: [PATCH 1/7] Add clang hardening flags that we added for gcc * -fstack-clash-protection * -fstack-protector-strong * -fstrict-flex-arrays=3 * -D_FORTIFY_SOURCE=3 * -Wconversion * -Wformat-security --- cmake/AISClangCompilerOptions.cmake | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/cmake/AISClangCompilerOptions.cmake b/cmake/AISClangCompilerOptions.cmake index b91c9362..81fab4d9 100644 --- a/cmake/AISClangCompilerOptions.cmake +++ b/cmake/AISClangCompilerOptions.cmake @@ -48,6 +48,16 @@ function(get_ais_clang_warning_flags outvar compiler_version) -Wno-c++14-compat-pedantic -Wno-pre-c++17-compat-pedantic + # Turn on stack protection options + -fstack-clash-protection + -fstack-protector-strong + + # Turn on strict flex arrays (helps ASAN, _FORTIFY_SOURCE, etc.) + -fstrict-flex-arrays=3 + + # Fortify source + -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 + # Misc warnings # # This includes most warnings that are not enabled by default @@ -74,6 +84,7 @@ function(get_ais_clang_warning_flags outvar compiler_version) -Wcomma -Wconditional-uninitialized -Wconsumed + -Wconversion #-Wcovered-switch-default (flags default labels where we handle all enum values) -Wcstring-format-directive -Wctad-maybe-unsupported @@ -95,6 +106,7 @@ function(get_ais_clang_warning_flags outvar compiler_version) -Wformat=2 -Wformat-non-iso -Wformat-pedantic + -Wformat-security -Wformat-type-confusion -Wfour-char-constants -Wfuse-ld-path From 96f9b10bd6217d3d06ac400c0eee64309a597cce Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 12:20:33 -0700 Subject: [PATCH 2/7] Fix missing ${} when setting compiler version --- cmake/AISCompilerOptions.cmake | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmake/AISCompilerOptions.cmake b/cmake/AISCompilerOptions.cmake index 58aea238..fc49b389 100644 
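Review bot: In [PATCH 1/7], `-fstrict-flex-arrays=3` and `-fstack-clash-protection` go into the flag list without any check on `compiler_version`, although the function takes that argument and the GCC file gates the same strict-flex-arrays flag on version 13. As far as I know Clang accepts level 3 only from release 16, so an older Clang would probably reject the option and fail every compile; `-fstack-clash-protection` is also reported as unused on some Clang targets. I would move them into a versioned block, e.g. `if(compiler_version VERSION_GREATER_EQUAL 16)` followed by `set(flags -fstrict-flex-arrays=3 ${flags})`, or probe each flag with `check_cxx_compiler_flag`. The `set(flags` list these lines extend starts outside the hunk, so an existing gate above it is not visible here.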
--- a/cmake/AISCompilerOptions.cmake +++ b/cmake/AISCompilerOptions.cmake @@ -25,9 +25,9 @@ function(ais_set_compiler_flags target) # there's mismatch between IWYU's clang and the compiler you are using. if(NOT AIS_USE_IWYU) if(compiler_id STREQUAL "GNU" OR compiler_id STREQUAL "NVIDIA") - get_ais_gnu_warning_flags(compiler_flags compiler_version) + get_ais_gnu_warning_flags(compiler_flags ${compiler_version}) elseif(compiler_id STREQUAL "Clang") - get_ais_clang_warning_flags(compiler_flags compiler_version) + get_ais_clang_warning_flags(compiler_flags ${compiler_version}) endif() endif() target_compile_options(${target} PRIVATE $<$:${compiler_flags}>) From 8093158dea04d06a5bae4bf2bd0b7df7fe9d860e Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 12:20:56 -0700 Subject: [PATCH 3/7] Only use _FORTIFY_SOURCE w/ -O2 or higher --- cmake/AISClangCompilerOptions.cmake | 9 +++++++++ cmake/AISGNUCompilerOptions.cmake | 13 +++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/cmake/AISClangCompilerOptions.cmake b/cmake/AISClangCompilerOptions.cmake index 81fab4d9..fc6daee3 100644 --- a/cmake/AISClangCompilerOptions.cmake +++ b/cmake/AISClangCompilerOptions.cmake @@ -229,6 +229,15 @@ function(get_ais_clang_warning_flags outvar compiler_version) ) endif() + # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os + string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}) + if (MYCXXFLAGS MATCHES "-O[2-3s]") + set(flags + -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 + ${flags} + ) + endif() + set(${outvar} ${flags} PARENT_SCOPE) endfunction() diff --git a/cmake/AISGNUCompilerOptions.cmake b/cmake/AISGNUCompilerOptions.cmake index 070cd7db..32121a41 100644 --- a/cmake/AISGNUCompilerOptions.cmake +++ b/cmake/AISGNUCompilerOptions.cmake 
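Review bot: In [PATCH 2/7], the `if(NOT AIS_USE_IWYU)` guard and the `GNU`/`NVIDIA`/`Clang` ID tests around the two corrected calls now decide more than warnings. Since 1/7 the same functions also return `-fstack-protector-strong` and the other hardening options, so an IWYU build, or a compiler reporting another ID (AppleClang, for instance), gets an empty `compiler_flags` and no hardening. Returning the hardening options from a separate helper that is applied outside the IWYU guard would keep the two concerns apart. At minimum, an `else()` branch with `message(WARNING "No AIS compiler flags for ${compiler_id}")` would make the gap visible. `ais_set_compiler_flags` starts above the hunk, so how `compiler_id` is set is not visible here.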
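Review bot: In the `AISClangCompilerOptions.cmake` hunk of [PATCH 3/7], `${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}` is looked up with the build type exactly as the user typed it, but CMake names the per-config variables in upper case (`CMAKE_CXX_FLAGS_RELEASE`). With the usual `-DCMAKE_BUILD_TYPE=Release` the expansion is therefore empty and the `-O[2-3s]` test sees only `CMAKE_CXX_FLAGS`. The effect is that `_FORTIFY_SOURCE=3` is silently left off in ordinary optimised builds, and always under multi-config generators, where `CMAKE_BUILD_TYPE` is empty. Upper-casing first fixes the single-config case: `string(TOUPPER "${CMAKE_BUILD_TYPE}" build_type_upper)` and then `string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${build_type_upper}})`. The same line is added to `AISGNUCompilerOptions.cmake` in this patch and carried through 4/7 and 7/7.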
@@ -83,8 +83,6 @@ function(get_ais_gnu_warning_flags outvar compiler_version) if(compiler_version VERSION_GREATER_EQUAL 12) set(flags - # Fortify source - -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 # Misc warnings -Winterference-size -Wtrivial-auto-var-init @@ -92,6 +90,17 @@ function(get_ais_gnu_warning_flags outvar compiler_version) ) endif() + # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os + if(compiler_version VERSION_GREATER_EQUAL 12) + string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}) + if (MYCXXFLAGS MATCHES "-O[2-3s]") + set(flags + -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 + ${flags} + ) + endif() + endif() + if(compiler_version VERSION_GREATER_EQUAL 13) set(flags # Turn on strict flex arrays (helps ASAN, _FORTIFY_SOURCE, etc.) From 1f8e523a11c0f62c18d4aa3a6bba49635479ab88 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 12:23:35 -0700 Subject: [PATCH 4/7] Fix CMake lint issues --- cmake/AISClangCompilerOptions.cmake | 2 +- cmake/AISGNUCompilerOptions.cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmake/AISClangCompilerOptions.cmake b/cmake/AISClangCompilerOptions.cmake index fc6daee3..c62e5ab5 100644 --- a/cmake/AISClangCompilerOptions.cmake +++ b/cmake/AISClangCompilerOptions.cmake @@ -231,7 +231,7 @@ function(get_ais_clang_warning_flags outvar compiler_version) # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}) - if (MYCXXFLAGS MATCHES "-O[2-3s]") + if(MYCXXFLAGS MATCHES "-O[2-3s]") set(flags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 ${flags} diff --git a/cmake/AISGNUCompilerOptions.cmake b/cmake/AISGNUCompilerOptions.cmake index 32121a41..8d737437 100644 --- a/cmake/AISGNUCompilerOptions.cmake +++ b/cmake/AISGNUCompilerOptions.cmake 
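Review bot: In the second `AISGNUCompilerOptions.cmake` hunk of [PATCH 3/7], the pattern `"-O[2-3s]"` misses `-Ofast` and `-Oz`, and it still matches when a later `-O0` in the joined string overrides an earlier `-O2`. In the first case fortification is dropped from an optimised build without any message; in the second the define is passed to an unoptimised compile. Widening the pattern to `"-O([23sz]|fast)"` covers the first case, and a `message(STATUS ...)` stating whether `_FORTIFY_SOURCE` was enabled would make the outcome auditable in the configure log. The Clang hunk of the same patch uses the same pattern.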
@@ -93,7 +93,7 @@ function(get_ais_gnu_warning_flags outvar compiler_version) # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os if(compiler_version VERSION_GREATER_EQUAL 12) string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}) - if (MYCXXFLAGS MATCHES "-O[2-3s]") + if(MYCXXFLAGS MATCHES "-O[2-3s]") set(flags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 ${flags} From 0434e1f64cb97ddbb3b697c1254fdefc7c513389 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 12:26:35 -0700 Subject: [PATCH 5/7] Remove duplicate _FORTIFY_SOURCE --- cmake/AISClangCompilerOptions.cmake | 3 --- 1 file changed, 3 deletions(-) diff --git a/cmake/AISClangCompilerOptions.cmake b/cmake/AISClangCompilerOptions.cmake index c62e5ab5..825fa98d 100644 --- a/cmake/AISClangCompilerOptions.cmake +++ b/cmake/AISClangCompilerOptions.cmake @@ -55,9 +55,6 @@ function(get_ais_clang_warning_flags outvar compiler_version) # Turn on strict flex arrays (helps ASAN, _FORTIFY_SOURCE, etc.) -fstrict-flex-arrays=3 - # Fortify source - -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 - # Misc warnings # # This includes most warnings that are not enabled by default From dba6efe66845233f2b1546b1950335af1862f005 Mon Sep 17 00:00:00 2001 From: Dana Robinson Date: Sun, 23 Nov 2025 13:39:22 -0700 Subject: [PATCH 6/7] Add -Wbidi-chars=any to gcc flags Prevents trojan code injection --- cmake/AISGNUCompilerOptions.cmake | 1 + 1 file changed, 1 insertion(+) diff --git a/cmake/AISGNUCompilerOptions.cmake b/cmake/AISGNUCompilerOptions.cmake index 8d737437..26271ed8 100644 --- a/cmake/AISGNUCompilerOptions.cmake +++ b/cmake/AISGNUCompilerOptions.cmake @@ -84,6 +84,7 @@ function(get_ais_gnu_warning_flags outvar compiler_version) if(compiler_version VERSION_GREATER_EQUAL 12) set(flags # Misc warnings + -Wbidi-chars=any -Winterference-size -Wtrivial-auto-var-init ${flags} From abae76f0744b1824146f0003fbf790ff09ce4cd9 Mon Sep 17 00:00:00 2001 
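Review bot: In [PATCH 6/7], `-Wbidi-chars=any` is filed under `# Misc warnings`, which hides that it is a source-integrity check rather than a code-quality warning. A dedicated comment such as `# Flag any Unicode bidirectional control character in source (Trojan Source)` would tell the next maintainer not to relax it along with noisy warnings. The flag also only reports: the commit message's "prevents" holds only if warnings are promoted to errors somewhere not visible in this hunk. The Clang hunks in this series add no counterpart, so Clang-only builds would need a separate check.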
From: Dana Robinson Date: Sun, 23 Nov 2025 13:42:28 -0700 Subject: [PATCH 7/7] Consolidate gcc 12 blocks --- cmake/AISGNUCompilerOptions.cmake | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cmake/AISGNUCompilerOptions.cmake b/cmake/AISGNUCompilerOptions.cmake index 26271ed8..3c0aaad0 100644 --- a/cmake/AISGNUCompilerOptions.cmake +++ b/cmake/AISGNUCompilerOptions.cmake @@ -89,10 +89,8 @@ function(get_ais_gnu_warning_flags outvar compiler_version) -Wtrivial-auto-var-init ${flags} ) - endif() - # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os - if(compiler_version VERSION_GREATER_EQUAL 12) + # Only use _FORTIFY_SOURCE if the optimization level is -O2, -O3, or -Os string(JOIN " " MYCXXFLAGS ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE}}) if(MYCXXFLAGS MATCHES "-O[2-3s]") set(flags
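Review bot: In [PATCH 7/7], moving the `_FORTIFY_SOURCE` check inside the block that the removed `if(compiler_version VERSION_GREATER_EQUAL 12)` line used to open keeps GCC releases below 12 without any fortify level. Level 3 needs GCC 12, but level 2 works on older compilers, so an `else()` branch on the version test that adds `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` under the same optimisation check would keep those builds covered. The enclosing `if` opens above the hunk and the `set(flags` call closes below it, so this is inferred from the commit title and the removed line.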