--enable-expensive-hardening broken with clang
When passing -fsanitize=address, clang internally defines _FORTIFY_SOURCE=0. This conflicts with the _FORTIFY_SOURCE=2 we like to set beforehand, so we don't enable -fsanitize=address at all. Perhaps we should try to use fsanitize-address, if it fails try again with _FORTIFY_SOURCE remoeved, and only then resolve that it isn't available.
I am calling this 0.2.7 territory for now, but if the fix turns out to be easy we could conceivably backport it.