Description
Please prioritize this work. We want to address BinSkim alerts early in the development cycle.
Per the SDL guidelines (MSFT internal only), C/C++ warnings C4242 and C4244 are required to be enabled, and fixing violations of them is mandatory.
In src/native/external/libunwind_extras/CMakeLists.txt, we also need to delete these two lines:
runtime/src/native/external/libunwind_extras/CMakeLists.txt
Lines 143 to 144 in 1e2fdb5
    add_compile_options(-wd4242) # possible loss of data
    add_compile_options(-wd4244) # possible loss of data
We will need to make changes to our local copy of libunwind as part of this. See the "What about third-party code?" section below.
Thanks for your assistance!
Quick FAQ
What code is bound to this requirement?
This affects only production code. Production code is generally defined as code which ships as part of the product and which runs on customer machines or which manages infrastructure, such as our build labs. Unit and functional test projects are not considered production code.
Does this need to be backported?
No backporting plans at this time. If actual bugs are found during this process, individual product teams have discretion to selectively backport into the next downlevel servicing vehicle.
What about third-party code?
This requirement applies to all code that MSFT builds from source, regardless of its provenance. Ideally any changes that we make to local forked copies can be submitted upstream as a PR so that the wider ecosystem can enjoy their benefits.
The recommended pattern - and what we did with zlib a while back - is to create a .patch file which contains our local fixes to libunwind, then commit this .patch file as part of the same PR where we make the changes. See #91245 for an example of how this was done.
If this is impractical, exceptions to this requirement can be sought on an as-needed basis. However, exceptions are: (a) not guaranteed to be granted; and (b) time-constrained. The exception process is not intended to provide a permanent deferral of this work. Please contact the fxsecurity alias if an exception is needed.
What about C# and other languages?
This requirement only affects C/C++ code. Requirements for other languages will be filed as separate issues.