What do the different stack-protector levels protect in Clang?

A typo in my OP broke the link to the document on Google Docs. Here is the link:
https://docs.google.com/document/d/1xXBH6rRZue4f296vGt9YQcuLVQHeE516stHwt8M9xyU/edit

Here is more specifically what I am looking for:
In GCC, it is published that the stack protector option levels do the following things (this is in the linked document):
-fno-stack-protector: No protection.
-fstack-protector: Protection for functions in which either of the following is true:

  • The function uses alloca
  • There is a char array that is bigger than 8 bytes (actually, bigger than whatever SSP_BUFFER_SIZE is)
    -fstack-protector-all: Protection for all functions - no heuristic.
    -fstack-protector-strong: Protection for functions in which any of the following is true:
  • Any the address of any local variable used in the RHS of an assignment
  • Any local variable is passed by reference to a function
  • There is any array, regardless of array type or length
  • There is a struct/union containing an array
  • There are register local variables

(Also, the stack data is rearranged such that variables are at lower addresses than buffers.)

What about on Clang? What specifically does -fstack-protector protect? What specifically does -fstack-protector-strong protect? Is it exactly the same definition as in GCC?

Thanks!

Yes, clang's implementation of stack protection is based on the same spec as GCC.

-fstack-protector: Emits stack smashing protectors in the form of
a “canary” — a random value placed on the stack before the local
variables that’s checked upon return from the function to see if it has
been overwritten. A heuristic is used to determine if a function needs
stack protectors or not. The heuristic used will enable protectors for
functions with:
  * Character arrays larger than ssp-buffer-size (default 8).
  * Aggregates containing character arrays larger than ssp-buffer-size.
  * Calls to alloca() with variable sizes or constant sizes greater than ssp-buffer-size.

Variables that are identified as requiring a protector will be
arranged on the stack such that they are adjacent to the stack
protector guard.

-fstack-protector-strong: This uses a strong heuristic when determining
if a function needs stack protectors. The strong heuristic will enable
protectors for functions with:
  * Arrays of any size and type
  * Aggregates containing an array of any size and type.
  * Calls to alloca().
  * Local variables that have had their address taken.

Variables that are identified as requiring a protector will be arranged
on the stack such that they are adjacent to the stack protector guard.
The specific layout rules are:
  * Large arrays and structures containing large arrays (>=
    ssp-buffer-size) are closest to the stack protector.
  * Small arrays and structures containing small arrays (<
    ssp-buffer-size) are 2nd closest to the protector.
  * Variables that have had their address taken are 3rd closest to the protector.

-fstack-protector-all: Every function will have a stack smashing protector.
Variable layout rules follow the same as -fstack-protector-strong.

Clang doesn't have especially detailed documentation for these options
at the moment, that would be a nice contribution to the user manual.
LLVM has documentation for the IR attributes that correspond to each
level. It is probably too low level for the casual users, but the
descriptions do provide a decent summary of the heuristic at each ssp
level (which I paraphrased above):
http://llvm.org/docs/LangRef.html#function-attributes

HTH,
- Josh