{ stdenv, fetchurl }:

stdenv.mkDerivation rec {
  name = "graphene-hardened-malloc-${version}";
  version = "1";

  src = fetchurl {
    url = "https://github.com/GrapheneOS/hardened_malloc/archive/${version}.tar.gz";
    sha256 = "1z3kb9fr6w9fcdc42bh8k5b4r10sn5hrwwk4m691qjdgk5hlj3aa";
  };

  installPhase = ''
    install -Dm444 -t $out/lib libhardened_malloc.so

    mkdir -p $out/bin
    substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
    chmod 0555 $out/bin/preload-hardened-malloc
  '';

  separateDebugInfo = true;

  doInstallCheck = true;
  installCheckPhase = ''
    pushd test
    make
    $out/bin/preload-hardened-malloc ./offset

    pushd simple-memory-corruption
    make

    # these tests don't actually appear to generate overflows currently
    rm read_after_free_small string_overflow eight_byte_overflow_large

    for t in `find . -regex ".*/[a-z_]+"` ; do
      echo "Running $t..."
      # the program being aborted (as it should be) would result in an exit code > 128
      (($out/bin/preload-hardened-malloc $t) && false) \
        || (test $? -gt 128 || (echo "$t was not aborted" && false))
    done
    popd

    popd
  '';

  meta = with stdenv.lib; {
    homepage = https://github.com/GrapheneOS/hardened_malloc;
    description = "Hardened allocator designed for modern systems";
    longDescription = ''
      This is a security-focused general purpose memory allocator providing the malloc API
      along with various extensions. It provides substantial hardening against heap
      corruption vulnerabilities yet aims to provide decent overall performance.
    '';
    license = licenses.mit;
    maintainers = with maintainers; [ ris ];
    platforms = platforms.linux;
  };
}