Any bad experiences with hardened builds?

[rouben]

Howdy folks,

I know that similar posts have already been made, but it seems to be that nobody ever asked this question in a general sense (i.e. unrelated to any specific package)... at least I couldn't find anything similar being asked on these forums.

Did anyone every experience negative results with "hardened" compiles? So far on my AMD XP-M I've had numerous issues with a variety of packages, mostly multimedia-related (e.g. esound, gstreamer, aRts, xorg to name a few). Everything was resolved after disabling "hardened" compiles.

I was wondering... am I doing something wrong? Is this a n00b/PEBKAC issue on my end, or do "hardened" builds somehow compromise stability while providing better security? Furthermore, is it possible that "hardened" builds don't work as well on AMD-based CPUs? Maybe it's an issue with GCC not being as compatible to AMD chips (when compared to their Intel cunterparts) when doing hardened builds?

What are your thoughts on this?

[spb]

The hardened toolchain uses PIE by default for all executables, which, amongst other things, makes the ebx register unavailable for general use. This causes problems with hand-written assembly code that tries to use it, and with certain corner-cases in C when the compiler can run out of registers to use. Both of these cases are most common in media apps, especially video. A hardened toolchain shouldn't compromise stability in any way, except that it tends to be a lot stricter with buggy applications -- minor stack overruns etc that would normally cause corruption to some (possibly insignificant) data can instead result in the app getting killed.

As for AMD chips, I'm running a complete hardened system on an athlon-xp, and have been for several months now, with absolutely no issues. Everything works perfectly, including mpd, mplayer, etc etc. Only thing that doesn't run is Flash, because of certain PaX protections.