NixOS · risicle · Aug 29, 2025 · Apr 27, 2025 · May 10, 2025
diff --git a/doc/redirects.json b/doc/redirects.json
@@ -574,6 +574,9 @@
   "strictflexarrays3": [
     "index.html#strictflexarrays3"
   ],
+  "glibcxxassertions": [
+    "index.html#glibcxxassertions"
+  ],
   "tester-shfmt": [
     "index.html#tester-shfmt"
   ],

diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
@@ -1688,6 +1688,12 @@ This should be turned off or fixed for build errors such as:
 sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates
 ```
 
+#### `glibcxxassertions` {#glibcxxassertions}
+
+Adds the `-D_GLIBCXX_ASSERTIONS` compiler flag. This flag only has an effect on libstdc++ targets, and when defined, enables extra error checking in the form of precondition assertions, such as bounds checking in c++ strings and null pointer checks when dereferencing c++ smart pointers.
+
+These checks may have an impact on performance in some cases.
+
 #### `pacret` {#pacret}
 
 This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -52,7 +52,7 @@ fi
 
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection nostrictaliasing pacret strictflexarrays1 strictflexarrays3 pie pic strictoverflow glibcxxassertions format trivialautovarinit zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -111,6 +111,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pacret >&2; fi
       hardeningCFlagsBefore+=('-mbranch-protection=pac-ret')
       ;;
+    glibcxxassertions)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling glibcxxassertions >&2; fi
+      hardeningCFlagsBefore+=('-D_GLIBCXX_ASSERTIONS')
+      ;;
     stackprotector)
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
       hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')

diff --git a/pkgs/by-name/ar/arrow-cpp/package.nix b/pkgs/by-name/ar/arrow-cpp/package.nix
@@ -178,6 +178,9 @@ stdenv.mkDerivation (finalAttrs: {
     ZSTD_ROOT = zstd.dev;
   };
 
+  # fails tests on glibc with this enabled
+  hardeningDisable = [ "glibcxxassertions" ];
+
   preConfigure = ''
     patchShebangs build-support/
     substituteInPlace "src/arrow/vendored/datetime/tz.cpp" \

diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
@@ -150,6 +150,7 @@ let
     "pie"
     "relro"
     "stackprotector"
+    "glibcxxassertions"
     "stackclashprotection"
     "strictoverflow"
     "trivialautovarinit"

diff --git a/pkgs/test/cc-wrapper/hardening.nix b/pkgs/test/cc-wrapper/hardening.nix
@@ -4,6 +4,7 @@
   runCommand,
   runCommandWith,
   runCommandCC,
+  writeText,
   bintools,
   hello,
   debian-devscripts,
@@ -40,6 +41,17 @@ let
 
   flexArrF2ExampleWithStdEnv = writeCBinWithStdenv ./flex-arrays-fortify-example.c;
 
+  checkGlibcxxassertionsWithStdEnv =
+    expectDefined:
+    writeCBinWithStdenv (
+      writeText "main.cpp" ''
+        #if${if expectDefined then "n" else ""}def _GLIBCXX_ASSERTIONS
+        #error "Expected _GLIBCXX_ASSERTIONS to be ${if expectDefined then "" else "un"}defined"
+        #endif
+        int main() {}
+      ''
+    );
+
   # for when we need a slightly more complicated program
   helloWithStdEnv =
     stdenv': env:
@@ -502,6 +514,10 @@ nameDrvAfterAttrName (
       hardeningEnable = [ "shadowstack" ];
     }) false;
 
+    glibcxxassertionsExplicitEnabled = checkGlibcxxassertionsWithStdEnv true stdenv {
+      hardeningEnable = [ "glibcxxassertions" ];
+    };
+
     bindNowExplicitDisabled =
       checkTestBin
         (f2exampleWithStdEnv stdenv {
@@ -697,6 +713,10 @@ nameDrvAfterAttrName (
       hardeningDisable = [ "shadowstack" ];
     }) true;
 
+    glibcxxassertionsExplicitDisabled = checkGlibcxxassertionsWithStdEnv false stdenv {
+      hardeningDisable = [ "glibcxxassertions" ];
+    };
+
     # most flags can't be "unsupported" by compiler alone and
     # binutils doesn't have an accessible hardeningUnsupportedFlags
     # mechanism, so can only test a couple of flags through altered
@@ -897,6 +917,12 @@ nameDrvAfterAttrName (
           expectFailure = true;
         };
 
+    glibcxxassertionsStdenvUnsupp =
+      checkGlibcxxassertionsWithStdEnv false (stdenvUnsupport [ "glibcxxassertions" ])
+        {
+          hardeningEnable = [ "glibcxxassertions" ];
+        };
+
     fortify3EnabledEnvEnablesFortify1 =
       checkTestBin
         (f1exampleWithStdEnv stdenv {
@@ -1107,6 +1133,10 @@ nameDrvAfterAttrName (
       allExplicitDisabledShadowStack = shadowStackTest (f1exampleWithStdEnv stdenv {
         hardeningDisable = [ "all" ];
       }) true;
+
+      glibcxxassertionsExplicitDisabled = checkGlibcxxassertionsWithStdEnv false stdenv {
+        hardeningDisable = [ "all" ];
+      };
     }
   )
 )
diff --git a/pkgs/top-level/variants.nix b/pkgs/top-level/variants.nix
@@ -164,6 +164,7 @@ self: super: {
               "shadowstack"
               "nostrictaliasing"
               "pacret"
+              "glibcxxassertions"
               "trivialautovarinit"
             ]
           ) super'.stdenv;