commit 82ad6be56ef54a27da654d7ea879f8dff5fda900 Author: Alex Catarineu acat@torproject.org Date: Tue Sep 15 16:18:36 2020 +0200
Bug 40093: Ensure application-services libs do not include libc networking symbols
This compiles and links NSS/application-services with lto, and also adds a check which will make the building of the application-services project fail if it finds networking symbols in the final built libraries. --- projects/application-services/build | 13 +++++++++++++ projects/application-services/config | 2 ++ projects/application-services/lto.patch | 10 ++++++++++ projects/nss/build | 4 ++++ 4 files changed, 29 insertions(+)
diff --git a/projects/application-services/build b/projects/application-services/build index 5c6b5e0..ffe63da 100644 --- a/projects/application-services/build +++ b/projects/application-services/build @@ -97,12 +97,25 @@ patch -p1 < $rootdir/1651662.patch export LANG=C.UTF-8 patch -p1 < $rootdir/mavenLocal.patch gradle_flags="--offline --no-daemon -Dmaven.repo.local=$gradle_repo" + patch -p1 < $rootdir/lto.patch + # Set the right flags for cross-language LTO and override linking opt level, since + # lld does not understand -Os or -Oz. + export RUSTFLAGS="-Clinker-plugin-lto -Clink-arg=-fuse-ld=lld -Clink-arg=-Wl,-plugin-opt=O2" $GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags assembleRelease $GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags publish
cd build find maven -regex '.*[0-9].(aar|pom)' -exec cp --parents {} $distdir ;
+ # Verify that the compiled libs do not have libc networking symbols + # (list adapted from https://searchfox.org/mozilla-central/rev/30e70f2fe80c97bfbfcd975e68538cefd7...) + tmpdir=$(mktemp -d) + find $distdir -name '*.aar' -exec mkdir -p $tmpdir/{} ; -exec unzip {} -d $tmpdir/{} ; + if find $tmpdir -name '*.so' | xargs objdump -Tt | grep "*UND*" | grep "connect|accept|listen|sock|recv|send|host|serv|proto"; then + echo "Error: networking symbols found" + exit 1 + fi + cd /var/tmp/dist [% c('tar', { tar_src => [ project ], diff --git a/projects/application-services/config b/projects/application-services/config index 0560872..a002ae4 100644 --- a/projects/application-services/config +++ b/projects/application-services/config @@ -91,3 +91,5 @@ input_files: - filename: target.patch - filename: 1651660.patch - filename: 1651662.patch + - filename: lto.patch + enable: '[% !c("var/fetch_gradle_dependencies") %]' diff --git a/projects/application-services/lto.patch b/projects/application-services/lto.patch new file mode 100644 index 0000000..838967c --- /dev/null +++ b/projects/application-services/lto.patch @@ -0,0 +1,10 @@ +diff --git a/Cargo.toml b/Cargo.toml +index 93006d8b..2c9ae848 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -39,4 +39,4 @@ members = [ + [profile.release] + opt-level = "s" + debug = true +-lto = "thin" ++lto = "fat" diff --git a/projects/nss/build b/projects/nss/build index c5cfd95..bf51122 100644 --- a/projects/nss/build +++ b/projects/nss/build @@ -52,6 +52,10 @@ patch -p2 < $rootdir/config.patch # side. patch -p2 < $rootdir/bug_13028.patch
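Review bot: The networking-symbol check at the end of this hunk fails open: the `if` only sees the exit status of the last `grep`, so when `find` matches no `*.so` (for example because an `unzip` failed) or `objdump` errors out, nothing is printed and the build passes as if the libraries were clean. Record the list of `.so` files, fail when it is empty, and fail when `objdump` returns non-zero before grepping its output. The alternation pattern as shown here has bare `|`, which plain `grep` treats literally (the backslashes were probably lost in rendering); `grep -E` states the intent without depending on them. The variables are also unquoted and `$tmpdir` is never removed. The build script continues outside the hunk.

```shell
# … unchanged: mktemp -d and unzip of each .aar into $tmpdir …
find "$tmpdir" -name '*.so' > "$tmpdir/so-list"
if [ ! -s "$tmpdir/so-list" ]; then
  echo "Error: no .so files found to check"
  exit 1
fi
if ! xargs objdump -Tt < "$tmpdir/so-list" > "$tmpdir/symbols"; then
  echo "Error: objdump failed"
  exit 1
fi
if grep -F '*UND*' "$tmpdir/symbols" | grep -E "connect|accept|listen|sock|recv|send|host|serv|proto"; then
  # … unchanged: error message and exit 1 …
fi
```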
+# Enable LTO +export CFLAGS="-flto" +export LDFLAGS="-flto" + # Building NSPR mkdir $builddir/nspr_build cd $builddir/nspr_build
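Review bot: The two exports overwrite `CFLAGS` and `LDFLAGS` instead of extending them, so any flags set earlier in this script or by the build environment (not visible in this hunk) would be dropped for the NSPR and NSS builds that follow. Appending keeps them: `export CFLAGS="${CFLAGS:-} -flto"` and `export LDFLAGS="${LDFLAGS:-} -flto"`. The comment could also say why LTO is enabled here, for example `# Enable LTO so application-services can link NSS with cross-language LTO (Bug 40093)`, since the check that depends on it lives in a different project's build script.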