Commit Graph

216 Commits

Author SHA1 Message Date
github-actions[bot]
ef782655d2
Merge master into staging-next 2024-10-24 18:04:38 +00:00
Artemis Tosini
6da0a87109
bintools-wrapper: Set dynamic-linker on OpenBSD
Now that ld.so is symlinked into the libc derivation,
we can use it as a dynamic linker.
In my testing, OpenBSD does not have any issues with executing from
a symlinked ld.so.
2024-10-24 00:43:24 +00:00
Randy Eckenrode
4340a5addb
bintools-wrapper: ensure Swift auto-linked libraries can be found
While the Swift wrapper should take care of this, not everything that
links these libraries goes through the wrapper.
2024-10-15 12:36:07 -04:00
github-actions[bot]
31b11f1926
Merge staging-next into staging 2024-10-15 00:14:36 +00:00
Randy Eckenrode
826edbf719
{bintools,cc}-wrapper: fix static builds on Darwin
Without this change, all Darwin platforms mangle to the same suffix
salt. That is normally not an issue because build = host should mean a
non-cross build, but it causes issues on Darwin with static builds
because `DEVELOPER_DIR_FOR_BUILD` and `DEVELOPER_DIR` will refer to
different SDKs but mangle to the same `DEVELOPER_DIR` with suffix salt.

The fix is to mangle static builds differently from non-static ones on
Darwin, which allows building for a static Darwin target on a
same-architecture Darwin host. This fix is applied only to Dariwn
because the issue does not appear to affect other platforms.
2024-10-10 16:23:00 -04:00
Randy Eckenrode
51755b0c00
{bintools,cc}-wrapper: use a fallback SDK when DEVELOPER_DIR is not set
It is unusual to invoke a wrapped compiler without setting
`DEVELOPER_DIR`, but it can happen when a user adds a compiler to their
installed packages or when a package intentionally invokes the compiler
without an environment (such as the GHC binary packages).
2024-10-10 16:22:59 -04:00
Randy Eckenrode
97d75cb619
{bintools,cc}-wrapper: set up Darwin SDK paths
Some compilers may know to check these paths when `SDKROOT` is set, but
it’s not assumed they do. `SDKROOT` is instead derived from the
`DEVELOPER_DIR`, and `NIX_CFLAGS_COMPILE` is set up with the sysroot and
necessary framework and include search paths.
2024-10-10 16:22:59 -04:00
Emily
b2cb2a8d44 {clang-sierraHack{,-stdenv},tests.macOSSierraShared}: drop
This is some thing introduced in 2017 to work around a problem that
no longer seems to exist. Nothing uses it except its own test, which
these days passes even with the standard `clangStdenv`.
2024-10-05 21:29:07 +01:00
John Ericson
5f134ec6cf Clean up cross bootstrapping
For a long time, we've had `crossLibcStdenv`, `*Cross` libc attributes,
and `*bsdCross` pre-libc package sets. This was always bad because
having "cross" things is "not declarative": the naming doesn't reflect
what packages *need* but rather how we *provide* something. This is
ugly, and creates needless friction between cross and native building.

Now, almost all of these `*Cross` attributes are gone: just these are
kept:

- Glibc's and Musl's are kept, because those packages are widely used
  and I didn't want to risk changing the native builds of those at this
  time.

- generic `libcCross`, `theadsCross`, and friends, because these relate
  to the convolulted GCC bootstrap which still needs to be redone.

The BSD and obscure Linux or freestnanding libcs have conversely all
been made to use a new `stdenvNoLibc`, which is like the old
`crossLibcStdenv` except:

1. It usable for native and cross alike

2. It named according to what it *is* ("a standard environment without
   libc but with a C compiler"), rather than some non-compositional
   jargon ("the stdenv used for building libc when cross compiling",
   yuck).

I should have done this change long ago, but I was stymied because of
"infinite recursions". The problem was that in too many cases we are
overriding `stdenv` to *remove* things we don't need, and this risks
cyles since those more minimal stdenvs are used to build things in the
more maximal stdenvs.

The solution is to pass `stage.nix` `stdenvNoCC`, so we can override to
*build up* rather than *tear down*. For now, the full `stdenv` is also
passed, so I don't need to change the native bootstraps, but I can see
this changing as we make things more uniform and clean those up.

(adapted from commit 51f1ecaa59)
(adapted from commit 1743662e55)
2024-09-06 10:26:56 -04:00
github-actions[bot]
62f43c3094
Merge master into staging-next 2024-08-12 18:02:11 +00:00
Alyssa Ross
6f95189f88 wrapBintoolsWith: add s390(x)-linux dynamic linkers
This fixes autoPatchElfHook for these platforms.
2024-08-12 17:52:03 +02:00
github-actions[bot]
cf88251824
Merge staging-next into staging 2024-08-05 18:01:40 +00:00
bl0v3
bdb500ace1 bintools-wrapper: add dynamicLinker for s390x 2024-08-05 12:30:26 +02:00
Randy Eckenrode
2c54952847
darwin.apple_sdk.frameworks: remove NIX_COREFOUNDATION_RPATH hook
Darwin no longer supports switching between CoreFoundation implementations as of https://github.com/NixOS/nixpkgs/pull/265102. The setup hook is vestigial and was mostly harmless until https://github.com/NixOS/nixpkgs/pull/329526 was necessitated to fix build failures on staging-next https://github.com/NixOS/nixpkgs/pull/328673.

The correct fix is to remove the hook. It’s not used by the 11.0 or 12.3 SDKs. This makes the 10.12 SDK a bit more like the other SDKs.
2024-07-26 12:41:45 -04:00
Randy Eckenrode
c922cb27b6
bintools-wrapper: drop postLinkSignHook
When the linker signs a Mach-O binary, it sets a flag in the signature’s code directory indicating that the signature was generated by a linker. Tools such as `strip` and `install_name_tool` read this flag and will
update ad hoc signatures after they perform their modifications.

The updated l64 supports signing binaries automatically. Both the updated cctools and LLVM will check for the linker-signed flag and resign binaries they modify automatically when it’s present. Given that, use of postLinkSignHook is unnecessary and potentially harmful.

In particular, if the hook is used and an unwrapped `strip` or `install_name_tool` is on the user’s path, they will not automatically update an ad hoc signature. Instead, they will issue a warning and create a binary with a broken signature.

It is more robust to let the tools handled this since the only time a signature would not be linker-signed is when the user is manually invoking `codesign` (or another tool such as `sigtool` or `rcodesign`), which by nature of the invocation updates the signature to a valid  one.

Since `strip` no longer needs to be wrapped for code-signing, binutils-wrapper now uses the GNU strip wrapper on Darwin.

Fixes https://github.com/NixOS/nixpkgs/issues/208951.
2024-07-13 17:54:36 -04:00
Randy Eckenrode
1cb1853573
ld-wrapper: use a temporary file for reponse file
This changes ld-wrapper to use a temporary file for the response file
passed to ld instead of using process substitution.

ld64 does not handle long command-lines when reading from the response
file, which defeats the point of using a response file to handle long
command-lines. cctools-port was patched to work around this, but nixpkgs
is now using Apple’s source release directly instead of the port.

Since it’s preferable not to patch Apple’s release heavily (to reduce
the difficulty of updating to new versions and to match upstream’s
behavior), use the approach that was adopted in cc-wrapper to work
around issues with response files in newer versions of clang.

Related PRs (cctools-port):
- https://github.com/NixOS/nixpkgs/pull/213831
- https://github.com/tpoechtrager/cctools-port/pull/132

Related PRs (cc-wrapper):
- https://github.com/NixOS/nixpkgs/pull/245282
- https://github.com/NixOS/nixpkgs/pull/258608
2024-07-13 10:59:41 -04:00
John Ericson
000b58721f Merge remote-tracking branch 'upstream/master' into openbsd-static 2024-07-09 18:18:47 -04:00
John Ericson
676df1cf2d openbsd: Add static linking support
I've had better luck creating statically-linked binaries that work than
dynamically-linked ones, so this is needed quite practically.
2024-07-09 18:17:06 -04:00
Vladimír Čunát
879821772c
Revert #320852: Clean up cross bootstrapping
It rebuilt stdenv on *-darwin; we can't do that in nixpkgs master.
This reverts commit 2f20501c5f, reversing
changes made to fd469c24af.
2024-06-21 07:48:24 +02:00
John Ericson
51f1ecaa59 Clean up cross bootstrapping
For a long time, we've had `crossLibcStdenv`, `*Cross` libc attributes,
and `*bsdCross` pre-libc package sets. This was always bad because
having "cross" things is "not declarative": the naming doesn't reflect
what packages *need* but rather how we *provide* something. This is
ugly, and creates needless friction between cross and native building.

Now, almost all of these `*Cross` attributes are gone: just these are
kept:

- Glibc's and Musl's are kept, because those packages are widely used
  and I didn't want to risk changing the native builds of those at this
  time.

- generic `libcCross`, `theadsCross`, and friends, because these relate
  to the convolulted GCC bootstrap which still needs to be redone.

The BSD and obscure Linux or freestnanding libcs have conversely all
been made to use a new `stdenvNoLibc`, which is like the old
`crossLibcStdenv` except:

1. It usable for native and cross alike

2. It named according to what it *is* ("a standard environment without
   libc but with a C compiler"), rather than some non-compositional
   jargon ("the stdenv used for building libc when cross compiling",
   yuck).

I should have done this change long ago, but I was stymied because of
"infinite recursions". The problem was that in too many cases we are
overriding `stdenv` to *remove* things we don't need, and this risks
cyles since those more minimal stdenvs are used to build things in the
more maximal stdenvs.

The solution is to pass `stage.nix` `stdenvNoCC`, so we can override to
*build up* rather than *tear down*. For now, the full `stdenv` is also
passed, so I don't need to change the native bootstraps, but I can see
this changing as we make things more uniform and clean those up.

Finally, the BSDs also had to be cleaned up, since they have a few
pre-libc dependencies, demanding a systematic approach. I realized what
rhelmot did in 61202561d9 (specify what
packages just need `stdenvNoLibc`) is definitely the right approach for
this, and adjusted NetBSD and OpenBSD to likewise use it.
2024-06-18 17:04:16 -04:00
Robert Scott
dd80ca4d00 stdenv: promote zerocallusedregs to defaultHardeningFlags 2024-06-02 23:53:36 +01:00
Audrey Dutcher
718b237d0b bintools: Add dynamic loader path for FreeBSD native 2024-05-21 08:20:45 +02:00
Audrey Dutcher
8073fc75a8 bintools: Add an assertion which produces better error messages 2024-05-21 08:20:45 +02:00
sternenseemann
7be562d046 wrapCC, wrapBintools: move expand-response-params bootstrapping out
The cc and bintools wrapper contained ad hoc bootstrapping logic for
expand-response-params (which was callPackage-ed in a let binding). This
lead to the strange situation that the bootstrapping logic related to
expand-response-params is split between the wrapper derivations (where
it is duplicated) and the actual stdenv bootstrapping.

To clean this up, the wrappers simply should take expand-response-params
as an ordinary input: They need an adjacent expand-response-params (i.e.
one that runs on their host platform), but don't care about the how.
Providing this is only problematic during stdenv bootstrapping where we
have to pull it from the previous stage at times.
2024-04-18 20:49:13 +02:00
sternenseemann
b2a568906a wrapCC, wrapBintools: use runtimeShell instead of stdenv shell
We don't need to artificially make sure that we can execute the wrapper
scripts on the build platform by using stdenv's shell (which comes from
buildPackages) since our cross infrastructure will get us the wrapper
from buildPackages. The upside of this change is that cross-compiled
wrappers (e.g. pkgsCross.aarch64-multiplatform.gcc) will actually work
when executed!

For bootstrapping this is also not a problem, since we have a long
build->build platform chain so runtimeShell is just as good as
stdenvNoCC.shell. We do fall back to old ways, though, by explicitly
using the bootstrap-tools shell in stage2, so the adjacent bash is only
used from stage4 onwards. This is unnecessary in principle (I'll try
removing this hack in the future), but ensures this change causes zero
rebuilds.
2024-04-18 20:49:13 +02:00
sternenseemann
63d21d1325 wrapCC, wrapBintools: remove unnecessary indexing into platform sets
`targetPlatform` and `hostPlatform` are already in scope, so it is
unnecessary to index into `stdenvNoCC`.
2024-04-15 12:54:29 +02:00
sternenseemann
4aa9e4ecc6 wrapCC, wrapBintools: don't alias stdenvNoCC to stdenv
In delicate code like this, it seems unwise to pass something of as
something it isn't for convenience's (?) sake. It causes a slight
possibility for confusion with `buildPackages.stdenv`. However, it
should be possible to eliminate the need for this in a separate change.
2024-04-15 12:54:25 +02:00
Philip Taron
e0611b7ba7 Avoid top-level with ...; in pkgs/build-support/bintools-wrapper/default.nix 2024-03-19 22:31:19 +01:00
Bjørn Forsman
6ff5b79096 Revert "avrlibc: hook up libdir for cc-wrapper"
This reverts commit b2844f89d1.

It broke simavr:

  $ nix-build -A simavr
  [...]
  /nix/store/3k4djrsq23m2yg9ar4h1lkkz1ijv0ghv-avr-binutils-2.41/bin/avr-ld: /nix/store/3rpyzla18mbj690hv7j5dang0kd3c1fq-avr-libc-avr-2.1.0/avr/lib/libc.a(vfprintf_std.o): in function `.L15':
  vfprintf.c:(.text.avr-libc+0xd8): undefined reference to `__mulqi3'
  /nix/store/3k4djrsq23m2yg9ar4h1lkkz1ijv0ghv-avr-binutils-2.41/bin/avr-ld: /nix/store/3rpyzla18mbj690hv7j5dang0kd3c1fq-avr-libc-avr-2.1.0/avr/lib/libc.a(vfprintf_std.o): in function `.L18':
  vfprintf.c:(.text.avr-libc+0xe4): undefined reference to `__mulqi3'
  collect2: error: ld returned 1 exit status
  make[1]: *** [../Makefile.common:161: atmega644_adc_test.axf] Error 1
  make[1]: Leaving directory '/build/source/tests'
  make: *** [Makefile:21: build-tests] Error 2

Fixes #295610.
2024-03-14 20:09:11 +01:00
Weijia Wang
fda4c4e299 bintools: disable relro/bindnow hardening on windows 2024-01-12 22:11:17 +01:00
K900
790cc209ea bintools-wrapper: fix static check platform
This was moved in 1a5bd697ad,
the preceding check was updated from hostPlatform to targetPlatform, but these got missed.
2024-01-06 10:32:08 +03:00
Robert Scott
1a5bd697ad mkDerivation, bintools-wrapper: move defaultHardeningFlags determination to bintools-wrapper
this makes it a lot easier to create a modified stdenv with a
different set of defaultHardeningFlags and as a bonus allows us
to inject the correct defaultHardeningFlags into toolchain wrapper
scripts, reducing repetition.

while most hardening flags are arguably more of a compiler thing,
it works better to put them in bintools-wrapper because cc-wrapper
can easily refer to bintools but not vice-versa.

mkDerivation can still easily refer to either when it is constructed.

this also switches fortran-hook.sh to use the same defaults for
NIX_HARDENING_ENABLE as for C. previously NIX_HARDENING_ENABLE
defaults were apparently used to avoid passing problematic flags
to a fortran compiler, but this falls apart as soon as mkDerivation
sets its own NIX_HARDENING_ENABLE - cc.hardeningUnsupportedFlags
is a more appropriate mechanism for this as it actively filters
out flags from being used by the wrapper, so switch to using that
instead.

this is still an imperfect mechanism because it doesn't handle a
compiler which has both langFortran *and* langC very well - applying
the superset of the two's hardeningUnsupportedFlags to either
compiler's invocation. however this is nothing new - cc-wrapper
already poorly handles a langFortran+langC compiler, applying two
setup hooks that have contradictory options.
2023-12-09 16:30:45 +00:00
Fabián Heredia Montiel
5b8deaceca Merge remote-tracking branch 'origin/master' into staging-next
Fixed conflict in pkgs/applications/graphics/krita/

krita: 5.1.5 -> 5.2.0
7a40fdc288
, and
treewide: use kde mirror everywhere, don't use pname in download urls
aa15f5066d
2023-12-04 17:44:17 -06:00
pennae
b2844f89d1 avrlibc: hook up libdir for cc-wrapper
-B must be set to the root directory of avrlibc, otherwise gcc cannot
locate crt objects for some attiny devices. -L trains as set by
bintools-wrapper are not necessary with -B set correctly because gcc
takes care of that, and likewise we can drop the -B train from
cc-wrapper because the one spec is enough.
2023-12-03 21:44:27 +11:00
Bernardo Meurer
6e086086d7
Merge pull request #188347 from zhaofengli/darwin-uuid 2023-11-30 10:51:28 -03:00
Minijackson
5581c0677c
bintools-wrapper: fix dynamic linker for powerpc64 big-endian
fixes #245162
2023-09-11 13:55:43 +02:00
Felix Bühler
0a2745684e
Merge pull request #239624 from Stunkymonkey/use-optionalString-then
treewide: use optionalString instead of 'then ""'
2023-07-22 13:02:47 +02:00
Artturi
8bf1b878cf
Merge pull request #239331 from pwaller/fix-pie-hardening 2023-07-06 02:14:35 +03:00
Felix Buehler
6672dde558 treewide: use optionalAttrs instead of 'else {}' 2023-06-25 11:01:34 -03:00
Felix Buehler
f3719756b5 treewide: use optionalString instead of 'then ""' 2023-06-24 20:19:19 +02:00
Peter Waller
e0d2053b87 build-support: Use response-expanded params in pie test
When a response file is in use, "$*" contains the response file and not
the parameters; both the linker and compiler wrappers are updated to use
the response-expanded params.

The compiler driver likes to pass parameters to the linker via a
response file, including -shared.

LLD rejects the combination of (-shared -pie), whereas other linkers
silently ignore the contradiction:

```
ld.lld: error: -shared and -pie may not be used together
```

This breaks certain configurations using LLD as a linker.

Changing `add-hardening.sh` results in a full rebuild. To avoid the
rebuild, here is a quick test case which shows the new hardening script
allows the link to succeed:

```
{ pkgs ? import <nixpkgs> {} }:

let
  # gcc silently accepts -shared -pie together, lld does not.
  linker = pkgs.wrapBintoolsWith { bintools = pkgs.llvmPackages.lld; };

  patchWrapper = prev: prev.overrideAttrs (final: prev: let
    prevScript = builtins.match (".*(/nix/store/[a-z0-9]+-add-hardening.sh).*") prev.postFixup;
  in {
    postFixup = (builtins.replaceStrings prevScript ["${./new-add-hardening.sh}"] prev.postFixup);
  });
in

pkgs.stdenv.mkDerivation {
  name = "nixpkgs-hardening-bug";

  src = pkgs.writeText "src.c" "int main(int argc, char* argv[]) { return 0; }";
  NIX_HARDENING_ENABLE = "pie";

  unpackPhase = ":";
  buildPhase = ''
    $CC -c -o src.o $src
    bash -x ${patchWrapper linker}/bin/ld.lld -o $out @${pkgs.writeText "responsefile" "-shared"} src.o
  '';
}
```

Fixes: #178162
Signed-off-by: Peter Waller <p@pwaller.net>
2023-06-23 11:09:49 +01:00
Alyssa Ross
194ddeefd5
wrapBintoolsWith: support LINK.EXE-style args in purity checks
LLD supports Windows-style linker arguments, but these previously
triggered purity check false positives, because it saw that they
started with a '/' and assumed they were paths.

This tweaks the path detection to allow through certain values that
could be paths, but are much more likely to be LINK.EXE-style flags.
The risk of false negatives here is low — the only things we'd now
fail to catch would be attempts to link with libraries in the root
directory, which doesn't happen in practice.

We also teach the wrapper how to apply its purity checks to library
paths specified with the /LIBPATH: option.

Tested that paths we expect to be rejected (like /lib/libfoo.so) still
are.
2023-04-29 01:37:00 +00:00
Weijia Wang
b2ef7956b6
Merge pull request #227560 from jackyliu16/loongnix-commit
lib.platforms.loongarch64: init
2023-04-28 13:21:42 +03:00
jackyliu16
b522b5a887 bintools: set dynamic linker 2023-04-28 12:09:43 +03:00
Manuel Mendez
31d6802773 gnatboot: rename to gnat-bootstrap
Most other bootstrap compilers are named -bootstrap so lets follow that
pattern.
2023-04-15 18:52:14 -04:00
Sandro
b04d4bad27
Merge pull request #216992 from SuperSandro2000/stdenvNative-fix-eval
{bintools,cc}-wrapper: don't fallback to version = null
2023-04-14 11:22:20 +02:00
Sandro Jäckel
7090651071
{bintools,cc}-wrapper: don't fallback to version = null
mkDerivation cannot handle that
2023-04-12 22:08:36 +02:00
Rahul Butani
b41933a1be
bintools-wrapper: specify SHA1 as the build-id hash style explicitly
NixOS/nixpkgs#146275 has more discussion on this; the abridged version
is that `lld` defaults to using `--build-id=fast` while GNU `ld` defaults
to `--build-id=sha1`. These differ in length and so
`separate-debug-info.sh`, as of this writing, errors on `lld`'s shorter
`--build-id=fast`-generated hashes.

`lld` offers the following `build-id` styles:
  - UUID (random; fast but bad for reproducibility)
  - fast (xxhash; fast but shorter hashes)
  - user provided hexstring
  - SHA1
  - MD5

GNU `ld` supports the latter three options, `mold` supports all of these
plus SHA256.

UUID is out because it's not reproducible, fast isn't supported by GNU
`ld`

Using a nix provided (sourced from the output base hash) hash as the
`build-id` seems tempting but would require a little extra work
(we have to include some characteristic of the binary being hashed
so that binaries within a derivation still have unique hashes; it
seems easy to get this wrong; i.e. a path based approach would make
two otherwise identical binaries that reside at different paths have
different `build-id` hashes)

That leaves SHA1 and MD5 and GNU `ld` already defaults to the former.

This commit adds `$NIX_BUILD_ID_STYLE` as an escape hatch, in case any
packages have strong opinions about which hash to use.

----

Note that if/when NixOS/nixpkgs#146275 goes through, this change can be
reverted if linker speed is a priority.
2023-02-25 12:49:40 -06:00
Gabriella Gonzalez
79484b1707
bintools: Add response file support to ld-wrapper (#213831)
The motivation behind this is to alleviate the problem
described in https://github.com/NixOS/nixpkgs/issues/41340.
I'm not sure if this completely fixes the problem, but it
eliminates one more area where we can exceed command line
length limits.

This is essentially the same change as in #112449,
except for `ld-wrapper.sh` instead of `cc-wrapper.sh`.

However, that change alone was not enough; on macOS the
`ld` provided by `darwin.cctools` fails if you use process
substitution to generate the response file, so I put up a
PR to fix that:

https://github.com/tpoechtrager/cctools-port/pull/131

… and I included a patch referencing that fix so that the
new `ld-wrapper` still works on macOS.
2023-02-23 17:05:18 -08:00
Artturi
ee54eb7d21
Merge pull request #216383 from Artturin/bintoolswrappermold 2023-02-17 19:32:06 +02:00