Diffstat (limited to 'pkgs/build-support')
-rw-r--r-- | pkgs/build-support/cc-wrapper/add-hardening.sh | 14 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/cc-wrapper.sh | 7 | ||||
-rw-r--r-- | pkgs/build-support/cc-wrapper/default.nix | 2 | ||||
-rw-r--r-- | pkgs/build-support/go/module.nix | 12 | ||||
-rw-r--r-- | pkgs/build-support/go/package.nix | 1 | ||||
-rw-r--r-- | pkgs/build-support/libredirect/default.nix | 19 | ||||
-rw-r--r-- | pkgs/build-support/libredirect/libredirect.c | 4 | ||||
-rw-r--r-- | pkgs/build-support/rust/default-crate-overrides.nix | 4 | ||||
-rw-r--r-- | pkgs/build-support/rust/hooks/maturin-build-hook.sh | 5 | ||||
-rw-r--r-- | pkgs/build-support/setup-hooks/patch-shebangs.sh | 42 | ||||
-rw-r--r-- | pkgs/build-support/setup-hooks/strip.sh | 19 | ||||
-rw-r--r-- | pkgs/build-support/writers/scripts.nix | 7 |
12 files changed, 99 insertions, 37 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 07ac6737f39d..7f5cd4cf4af3 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -81,8 +81,18 @@ for flag in "${!hardeningEnableMap[@]}"; do hardeningCFlags+=('-fPIC') ;; strictoverflow) - if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi - hardeningCFlags+=('-fno-strict-overflow') + if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling strictoverflow >&2; fi + if (( @isClang@ )); then + # In Clang, -fno-strict-overflow only serves to set -fwrapv and is + # reported as an unused CLI argument if -fwrapv or -fno-wrapv is set + # explicitly, so we side step that by doing the conversion here. + # + # See: https://github.com/llvm/llvm-project/blob/llvmorg-16.0.6/clang/lib/Driver/ToolChains/Clang.cpp#L6315 + # + hardeningCFlags+=('-fwrapv') + else + hardeningCFlags+=('-fno-strict-overflow') + fi ;; format) if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling format >&2; fi diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 5350fc3cc9ae..244a0bb6623b 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -246,10 +246,13 @@ if [[ -e @out@/nix-support/cc-wrapper-hook ]]; then fi if (( "${NIX_CC_USE_RESPONSE_FILE:-@use_response_file_by_default@}" >= 1 )); then - exec @prog@ @<(printf "%q\n" \ + responseFile=$(mktemp --tmpdir cc-params.XXXXXX) + trap 'rm -f -- "$responseFile"' EXIT + printf "%q\n" \ ${extraBefore+"${extraBefore[@]}"} \ ${params+"${params[@]}"} \ - ${extraAfter+"${extraAfter[@]}"}) + ${extraAfter+"${extraAfter[@]}"} > "$responseFile" + @prog@ "@$responseFile" else exec @prog@ \ ${extraBefore+"${extraBefore[@]}"} \ 
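Review bot: The Clang branch of `strictoverflow` depends on `-fno-strict-overflow` doing nothing beyond setting `-fwrapv`, and the comment supports that only with a link pinned to llvmorg-16.0.6. The wrapper is presumably used with other Clang releases too, so if any release makes `-fno-strict-overflow` imply more than `-fwrapv`, this branch would quietly give Clang builds weaker hardening than the GCC branch. I would record that in the comment, e.g. `# Equivalence checked against Clang 16 only; re-check when the LLVM version changes.` The test `(( @isClang@ ))` also relies on the substituted value being `1` or empty, which deserves one comment line. The enclosing `for`/`case` starts and ends outside the hunk.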
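Review bot: The result of `mktemp` is not checked in the new response-file branch, and the hunk does not show whether the script runs with errexit. If `mktemp` fails, `$responseFile` is empty and the compiler is still invoked, with a bare `@` argument; `responseFile=$(mktemp --tmpdir cc-params.XXXXXX) || exit 1` makes the failure explicit. Dropping `exec` has two further effects worth a comment. The wrapper's exit status is the compiler's only while nothing follows the `if` (the rest of the script is outside the hunk), and `trap … EXIT` replaces any EXIT trap set earlier in the wrapper or in a sourced hook.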
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 551074e0a211..53141cac5dfb 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -609,6 +609,8 @@ stdenv.mkDerivation { env = { + inherit isClang; + # for substitution in utils.bash expandResponseParams = "${expand-response-params}/bin/expand-response-params"; shell = getBin shell + shell.shellPath or ""; diff --git a/pkgs/build-support/go/module.nix b/pkgs/build-support/go/module.nix index 6c2284a7a98d..586af56bd98f 100644 --- a/pkgs/build-support/go/module.nix +++ b/pkgs/build-support/go/module.nix @@ -52,6 +52,9 @@ assert (args' ? vendorHash && args' ? vendorSha256) -> throw "both `vendorHash` let args = removeAttrs args' [ "overrideModAttrs" "vendorSha256" "vendorHash" ]; + GO111MODULE = "on"; + GOTOOLCHAIN = "local"; + goModules = if (vendorHash == null) then "" else (stdenv.mkDerivation { name = "${name}-go-modules"; @@ -60,6 +63,7 @@ let inherit (args) src; inherit (go) GOOS GOARCH; + inherit GO111MODULE GOTOOLCHAIN; # The following inheritence behavior is not trivial to expect, and some may # argue it's not ideal. Changing it may break vendor hashes in Nixpkgs and @@ -73,8 +77,6 @@ let postBuild = args.modPostBuild or ""; sourceRoot = args.sourceRoot or ""; - GO111MODULE = "on"; - impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [ "GIT_PROXY_COMMAND" "SOCKS_SERVER" @@ -85,6 +87,9 @@ let runHook preConfigure export GOCACHE=$TMPDIR/go-cache export GOPATH="$TMPDIR/go" + # fixes 'GOPROXY list is not the empty string, but contains no entries' + # "https://proxy.golang.org,direct" is the go default + export GOPROXY="''${GOPROXY:-"https://proxy.golang.org,direct"}" # respect impureEnvVars cd "${modRoot}" runHook postConfigure ''; 
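Review bot: `GOTOOLCHAIN = "local"` in the go/module.nix `let` block has no comment, although it is the setting that stops the `go` command from downloading and running a toolchain other than the one supplied by the build. A line above the binding such as `# Only use the Go toolchain provided by Nix; never fetch one requested by go.mod or the environment` would record that intent. The same comment fits the identical assignment added in go/package.nix. The `let` block starts and ends outside the hunk.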
@@ -149,9 +154,8 @@ let inherit (go) GOOS GOARCH; - GO111MODULE = "on"; GOFLAGS = lib.optionals (!proxyVendor) [ "-mod=vendor" ] ++ lib.optionals (!allowGoReference) [ "-trimpath" ]; - inherit CGO_ENABLED enableParallelBuilding; + inherit CGO_ENABLED enableParallelBuilding GO111MODULE GOTOOLCHAIN; configurePhase = args.configurePhase or ('' runHook preConfigure diff --git a/pkgs/build-support/go/package.nix b/pkgs/build-support/go/package.nix index b4cb264d9f24..7e099b76f0b7 100644 --- a/pkgs/build-support/go/package.nix +++ b/pkgs/build-support/go/package.nix @@ -86,6 +86,7 @@ let inherit CGO_ENABLED enableParallelBuilding; GO111MODULE = "off"; + GOTOOLCHAIN = "local"; GOFLAGS = lib.optionals (!allowGoReference) [ "-trimpath" ]; GOARM = toString (lib.intersectLists [(stdenv.hostPlatform.parsed.cpu.version or "")] ["5" "6" "7"]); diff --git a/pkgs/build-support/libredirect/default.nix b/pkgs/build-support/libredirect/default.nix index 6e2de7fa11b0..1ab4a0db827a 100644 --- a/pkgs/build-support/libredirect/default.nix +++ b/pkgs/build-support/libredirect/default.nix @@ -1,5 +1,12 @@ -{ lib, stdenv, bintools-unwrapped, llvmPackages_13, coreutils }: - +{ lib, stdenv, bintools-unwrapped, llvmPackages, llvmPackages_13, coreutils }: + +let + # aarch64-darwin needs a clang that can build arm64e binaries, so make sure a version of LLVM + # is used that can do that, but prefer the stdenv one if it is new enough. + llvmPkgs = if (lib.versionAtLeast (lib.getVersion llvmPackages.clang) "13") + then llvmPackages + else llvmPackages_13; + in if stdenv.hostPlatform.isStatic then throw '' libredirect is not available on static builds. 
@@ -39,11 +46,11 @@ else stdenv.mkDerivation rec { # and the library search directory for libdl. # We can't build this on x86_64, because the libSystem we point to doesn't # like arm64(e). - PATH=${bintools-unwrapped}/bin:${llvmPackages_13.clang-unwrapped}/bin:$PATH \ + PATH=${bintools-unwrapped}/bin:${llvmPkgs.clang-unwrapped}/bin:$PATH \ clang -arch x86_64 -arch arm64 -arch arm64e \ - -isystem ${llvmPackages_13.clang.libc}/include \ - -isystem ${llvmPackages_13.libclang.lib}/lib/clang/*/include \ - -L${llvmPackages_13.clang.libc}/lib \ + -isystem ${llvmPkgs.clang.libc}/include \ + -isystem ${llvmPkgs.libclang.lib}/lib/clang/*/include \ + -L${llvmPkgs.clang.libc}/lib \ -Wl,-install_name,$libName \ -Wall -std=c99 -O3 -fPIC libredirect.c \ -shared -o "$libName" diff --git a/pkgs/build-support/libredirect/libredirect.c b/pkgs/build-support/libredirect/libredirect.c index 9ecc16450cc2..19211a813eb8 100644 --- a/pkgs/build-support/libredirect/libredirect.c +++ b/pkgs/build-support/libredirect/libredirect.c @@ -106,7 +106,7 @@ static int open_needs_mode(int flags) WRAPPER(int, open)(const char * path, int flags, ...) { - int (*open_real) (const char *, int, mode_t) = LOOKUP_REAL(open); + int (*open_real) (const char *, int, ...) = LOOKUP_REAL(open); mode_t mode = 0; if (open_needs_mode(flags)) { va_list ap; @@ -139,7 +139,7 @@ WRAPPER_DEF(open64) WRAPPER(int, openat)(int dirfd, const char * path, int flags, ...) { - int (*openat_real) (int, const char *, int, mode_t) = LOOKUP_REAL(openat); + int (*openat_real) (int, const char *, int, ...) = LOOKUP_REAL(openat); mode_t mode = 0; if (open_needs_mode(flags)) { va_list ap; diff --git a/pkgs/build-support/rust/default-crate-overrides.nix b/pkgs/build-support/rust/default-crate-overrides.nix index e4db2c8a0573..f04eeeaa9bf5 100644 --- a/pkgs/build-support/rust/default-crate-overrides.nix +++ b/pkgs/build-support/rust/default-crate-overrides.nix 
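Review bot: The second libredirect.c hunk header shows `WRAPPER_DEF(open64)` sitting between the two changed wrappers, yet this diff makes no change to an `open64` wrapper. If that wrapper (outside both hunks) still declares its real-function pointer with a fixed `mode_t` third parameter, it calls a variadic function through a non-variadic pointer type, as `open` and `openat` did before. It should then get the same `(const char *, int, ...)` pointer type. Both wrapper bodies continue past the hunks, so the `va_arg` handling of `mode` cannot be checked from here.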
@@ -193,8 +193,8 @@ in }; graphene-sys = attrs: { - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ graphene gobject-introspection ]; + nativeBuildInputs = [ pkg-config gobject-introspection ]; + buildInputs = [ graphene ]; }; nettle-sys = attrs: { diff --git a/pkgs/build-support/rust/hooks/maturin-build-hook.sh b/pkgs/build-support/rust/hooks/maturin-build-hook.sh index 41b313280d70..62d5619660c6 100644 --- a/pkgs/build-support/rust/hooks/maturin-build-hook.sh +++ b/pkgs/build-support/rust/hooks/maturin-build-hook.sh @@ -24,8 +24,6 @@ maturinBuildHook() { ${maturinBuildFlags-} ) - runHook postBuild - if [ ! -z "${buildAndTestSubdir-}" ]; then popd fi @@ -34,6 +32,9 @@ maturinBuildHook() { mkdir -p dist mv target/wheels/*.whl dist/ + # These are python build hooks and may depend on ./dist + runHook postBuild + echo "Finished maturinBuildHook" } diff --git a/pkgs/build-support/setup-hooks/patch-shebangs.sh b/pkgs/build-support/setup-hooks/patch-shebangs.sh index 9a48440debec..e6872db1acd7 100644 --- a/pkgs/build-support/setup-hooks/patch-shebangs.sh +++ b/pkgs/build-support/setup-hooks/patch-shebangs.sh @@ -11,11 +11,12 @@ fixupOutputHooks+=(patchShebangsAuto) # Run patch shebangs on a directory or file. # Can take multiple paths as arguments. -# patchShebangs [--build | --host] PATH... +# patchShebangs [--build | --host | --update] [--] PATH... # Flags: # --build : Lookup commands available at build-time # --host : Lookup commands available at runtime +# --update : Update shebang paths that are in Nix store # Example use cases, # $ patchShebangs --host /nix/store/...-hello-1.0/bin 
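Review bot: In maturin-build-hook.sh, `runHook postBuild` now runs after the `popd`, so when `buildAndTestSubdir` is set the postBuild hooks execute in the directory restored by `popd` instead of inside the subdirectory as before. Any existing postBuild hook that uses relative paths will see a different working directory. The new comment explains the dependency on `./dist` but not this side effect; I would extend it, e.g. `# Note: runs after popd, i.e. no longer inside buildAndTestSubdir`. `maturinBuildHook` starts outside the hunk.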
@@ -23,14 +24,35 @@ fixupOutputHooks+=(patchShebangsAuto) patchShebangs() { local pathName - - if [[ "$1" == "--host" ]]; then - pathName=HOST_PATH - shift - elif [[ "$1" == "--build" ]]; then - pathName=PATH - shift - fi + local update + + while [[ $# -gt 0 ]]; do + case "$1" in + --host) + pathName=HOST_PATH + shift + ;; + --build) + pathName=PATH + shift + ;; + --update) + update=true + shift + ;; + --) + shift + break + ;; + -*|--*) + echo "Unknown option $1 supplied to patchShebangs" >&2 + return 1 + ;; + *) + break + ;; + esac + done echo "patching script interpreter paths in $@" local f @@ -93,7 +115,7 @@ patchShebangs() { newInterpreterLine="$newPath $args" newInterpreterLine=${newInterpreterLine%${newInterpreterLine##*[![:space:]]}} - if [[ -n "$oldPath" && "${oldPath:0:${#NIX_STORE}}" != "$NIX_STORE" ]]; then + if [[ -n "$oldPath" && ( "$update" == true || "${oldPath:0:${#NIX_STORE}}" != "$NIX_STORE" ) ]]; then if [[ -n "$newPath" && "$newPath" != "$oldPath" ]]; then echo "$f: interpreter directive changed from \"$oldInterpreterLine\" to \"$newInterpreterLine\"" # escape the escape chars so that sed doesn't interpret them diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh index 849148e92149..5f53e7e95b2e 100644 --- a/pkgs/build-support/setup-hooks/strip.sh +++ b/pkgs/build-support/setup-hooks/strip.sh @@ -51,6 +51,9 @@ stripDirs() { local stripFlags="$4" local pathsNew= + [ -z "$cmd" ] && echo "stripDirs: Strip command is empty" 1>&2 && exit 1 + [ -z "$ranlibCmd" ] && echo "stripDirs: Ranlib command is empty" 1>&2 && exit 1 + local p for p in ${paths}; do if [ -e "$prefix/$p" ]; then 
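Review bot: `local update` declares the variable without a value, and the last patch-shebangs.sh hunk then expands `"$update"` inside the `[[ … ]]` test. If this hook is sourced into a shell running with `set -u` (not visible here), a call without `--update` would stop with an unbound-variable error at that test; `local update=false` removes the dependency. In the option loop, `-*|--*)` can be reduced to `-*)`, because the first pattern already matches everything the second does. The body of `patchShebangs` continues outside both hunks.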
@@ -61,8 +64,22 @@ stripDirs() { if [ -n "${paths}" ]; then echo "stripping (with command $cmd and flags $stripFlags) in $paths" + local striperr + striperr="$(mktemp 'striperr.XXXXXX')" # Do not strip lib/debug. This is a directory used by setup-hooks/separate-debug-info.sh. - find $paths -type f -a '!' -wholename "$prefix/lib/debug/*" -exec $cmd $stripFlags '{}' \; 2>/dev/null + find $paths -type f -a '!' -path "$prefix/lib/debug/*" -print0 | + # Make sure we process files under symlinks only once. Otherwise + # 'strip` can corrupt files when writes to them in parallel: + # https://github.com/NixOS/nixpkgs/issues/246147#issuecomment-1657072039 + xargs -r -0 -n1 -- realpath -z | sort -u -z | + + xargs -r -0 -n1 -P "$NIX_BUILD_CORES" -- $cmd $stripFlags 2>"$striperr" || exit_code=$? + # xargs exits with status code 123 if some but not all of the + # processes fail. We don't care if some of the files couldn't + # be stripped, so ignore specifically this code. + [[ "$exit_code" = 123 || -z "$exit_code" ]] || (cat "$striperr" 1>&2 && exit 1) + + rm "$striperr" # 'strip' does not normally preserve archive index in .a files. # This usually causes linking failures against static libs like: # ld: ...-i686-w64-mingw32-stage-final-gcc-13.0.0-lib/i686-w64-mingw32/lib/libstdc++.dll.a: diff --git a/pkgs/build-support/writers/scripts.nix b/pkgs/build-support/writers/scripts.nix index 7fc47fbcdf94..a5b24abf0f2f 100644 --- a/pkgs/build-support/writers/scripts.nix +++ b/pkgs/build-support/writers/scripts.nix 
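Review bot: `exit_code` is neither declared `local` nor reset before the `xargs` pipeline, so when the pipeline succeeds, a value left by an earlier `stripDirs` call or by any other code using that name is tested as if it were this run's status. The failure branch also runs `exit 1` inside a `( … )` subshell, which ends only the subshell; whether the build stops then depends on errexit being active at the call site. I would add `local exit_code=` before the pipeline and write the check as `[[ "$exit_code" = 123 || -z "$exit_code" ]] || { cat "$striperr" 1>&2; rm -f "$striperr"; exit 1; }`. `stripDirs` starts and ends outside the hunk.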
@@ -79,16 +79,11 @@ rec { let name = last (builtins.split "/" nameOrPath); in - pkgs.runCommand name ((if (types.str.check content) then { + pkgs.runCommand name (if (types.str.check content) then { inherit content; passAsFile = [ "content" ]; } else { contentPath = content; - }) // lib.optionalAttrs (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) { - # post-link-hook expects codesign_allocate to be in PATH - # https://github.com/NixOS/nixpkgs/issues/154203 - # https://github.com/NixOS/nixpkgs/issues/148189 - nativeBuildInputs = [ stdenv.cc.bintools ]; }) '' ${compileScript} ${lib.optionalString strip |