My (possibly not fully informed) understanding of the situation is basically what this commenter said:
(llvm doesn’t implement e.g. _D_FORTIFY_SOURCE=2 properly)
As a clang developer, the way I see the issue is that -D_FORTIFY_SOURCE=2 liberally uses GCC extensions. Many changes could be made upstream in glibc to make fortify source work better with clang. Implementing the extensions needed in clang is a bit heroic.
I just want to push back on the narrative that we “haven’t implemented” _FORTIFY_SOURCE. Clang hasn’t implemented some collection of hard-to-implement GCC extensions, and
_FORTIFY_SOURCE happens to depend on them. Many of these extensions are borderline incompatible with fundamental LLVM and Clang design decisions (__builtin_va_arg_pack_len, see https://clang.llvm.org/docs/UsersManual.html#gcc-extensions-not-implemented-yet), and relaxing them isn’t fun or easy. Many contributors are busy doing other security related things, see all the work on shadow call stack, CFI, speculative load hardening, sanitizers, coverage directed fuzzing, etc.
I also don’t think there is clear consensus that _FORTIFY_SOURCE is a valuable mitigation for most codebases. In C++ code, data is in vectors and strings, not stack allocated arrays. It’s not immediately clear that _FORTIFY_SOURCE helps with this kind of code. So, for many contributors, it is much lower priority than hardening virtual and indirect calls (CFI).
Regarding security, I don’t think it’s a clear cut case that one compiler is “better”. The user needs to be able to assess the inherent value of the security mitigations provided by the compiler, and right now the compilers just have different strengths, weaknesses, and depth of integration.
and as mentioned above debuginfo issues.
This is a real problem, unfortunately, and it’s been fairly well documented in presentations, blog posts, etc. However, I subscribe to the debuginfo project on Phabricator, and I regularly see reviews go by to do the work necessary to improve variable location tracking, so hopefully things will get better.