hardening: fix careless bugs

I got a substitution backwards (used '+' instead of '-').

Also, this now works under `set -u` (had to fix a couple unbound
variable references).

1 files changed, 5 insertions, 5 deletions

diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index fedb5c19021a..5713d93ed3f3 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,8 +1,8 @@
 allHardeningFlags=(fortify stackprotector pie pic strictoverflow format relro bindnow)
 hardeningCFlags=()
 
-declare -A hardeningDisableMap
-declare -A hardeningEnableMap
+declare -A hardeningDisableMap=()
+declare -A hardeningEnableMap=()
 
 # Create table of unsupported flags for this toolchain.
 for flag in @hardening_unsupported_flags@; do
@@ -12,8 +12,8 @@ done
 # Intentionally word-split in case 'NIX_HARDENING_ENABLE' is defined in Nix. The
 # array expansion also prevents undefined variables from causing trouble with
 # `set -u`.
-for flag in ${NIX_HARDENING_ENABLE+}; do
-  if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
+for flag in ${NIX_HARDENING_ENABLE-}; do
+  if [[ -z "${hardeningDisableMap[$flag]-}" ]]; then
     hardeningEnableMap[$flag]=1
   fi
 done
@@ -21,7 +21,7 @@ done
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
   # Determine which flags were effectively disabled so we can report below.
   for flag in ${allHardeningFlags[@]}; do
-    if [[ -z "${hardeningEnableMap[$flag]}" ]]; then
+    if [[ -z "${hardeningEnableMap[$flag]-}" ]]; then
       hardeningDisableMap[$flag]=1
     fi
   done