Skip to content

MSVC compiler hardening — enable SDL, guard checks, and treat warnings as errors

Summary

Phase A hardens the app binary first with /sdl and /guard:cf, then verifies the produced binary with dumpbin /headers /loadconfig. Later phases can add warning-policy enforcement and conformance tightening.

Current State

  • /Wall — all warnings enabled (already set)
  • /W4 equivalent in practice (some /Wall warnings suppressed via #pragma warning(disable:...))
  • Phase A target: app project only
  • Deferred: /WX, /permissive-, third-party/test-project hardening, /analyze

Phase A Additions

  • srchybrid/emule.vcxproj
  • SDLCheck=true
  • ControlFlowGuard=Guard
  • LinkControlFlowGuard=true
  • repos/emulebb-tooling/ci/check-workspace-policy.py build-policy
  • assert those properties for app Debug and Release
  • python -m emule_workspace
  • after build-app, verify emule.exe contains CFG metadata via dumpbin

Later Phases

  1. Expand hardening to tests and workspace-built dependency projects if desired.
  2. Audit warning suppressions and decide whether /WX is realistic with /Wall.
  3. Treat /permissive- as a separate conformance pass.

Acceptance Criteria

  • [x] app Debug and Release builds pass with /sdl
  • [x] app Debug and Release builds pass with /guard:cf
  • [x] supported build-app verification confirms CFG metadata in the built app binary
  • [x] centralized build-policy audit fails if the app project drops those properties
  • [x] later phases remain tracked separately and are not implied complete by Phase A

Completion Evidence

  • App project state: workspaces\v0.72a\app\eMule-main\srchybrid\emule.vcxproj declares SDLCheck=true, ControlFlowGuard=Guard, and LinkControlFlowGuard=true for both app Debug and Release.
  • Policy audit state: repos\emulebb-tooling\ci\check-workspace-policy.py build-policy asserts those app properties for both configurations, and routine python -m emule_workspace validate runs that audit.
  • Build orchestration state: python -m emule_workspace runs dumpbin /headers /loadconfig through Verify-AppControlFlowGuard after build-app and fails when CFG metadata is missing.
  • 2026-05-10 verification: python -m emule_workspace build app --config Debug --platform x64 passed with APP main and APP main CFG both OK. Build log: workspaces\v0.72a\state\build-logs\20260510-062221\summary.json.
  • 2026-05-10 verification: python -m emule_workspace build app --config Release --platform x64 passed with APP main and APP main CFG both OK. Build log: workspaces\v0.72a\state\build-logs\20260510-062302\summary.json.

Follow-Up Scope

This closes Phase A only. Warning-policy enforcement, /WX, /permissive-, third-party/test-project expansion, and static analysis remain separate hardening work covered by CI-004, CI-005, CI-010, and related refactor items.