[tbb-commits] [tor-browser-build/master] Bug 40093: Ensure application-services libs do not include libc networking symbols

gk at torproject.org gk at torproject.org
Thu Oct 1 09:22:41 UTC 2020


commit 82ad6be56ef54a27da654d7ea879f8dff5fda900
Author: Alex Catarineu <acat at torproject.org>
Date:   Tue Sep 15 16:18:36 2020 +0200

    Bug 40093: Ensure application-services libs do not include libc networking symbols
    
    This compiles and links NSS/application-services with lto, and also adds a check
    which will make the building of the application-services project fail if it finds
    networking symbols in the final built libraries.
---
 projects/application-services/build     | 13 +++++++++++++
 projects/application-services/config    |  2 ++
 projects/application-services/lto.patch | 10 ++++++++++
 projects/nss/build                      |  4 ++++
 4 files changed, 29 insertions(+)

diff --git a/projects/application-services/build b/projects/application-services/build
index 5c6b5e0..ffe63da 100644
--- a/projects/application-services/build
+++ b/projects/application-services/build
@@ -97,12 +97,25 @@ patch -p1 < $rootdir/1651662.patch
   export LANG=C.UTF-8
   patch -p1 < $rootdir/mavenLocal.patch
   gradle_flags="--offline --no-daemon -Dmaven.repo.local=$gradle_repo"
+  patch -p1 < $rootdir/lto.patch
+  # Set the right flags for cross-language LTO and override linking opt level, since
+  # lld does not understand -Os or -Oz.
+  export RUSTFLAGS="-Clinker-plugin-lto -Clink-arg=-fuse-ld=lld -Clink-arg=-Wl,-plugin-opt=O2"
   $GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags assembleRelease
   $GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags publish
 
   cd build
   find maven -regex '.*[0-9].\(aar\|pom\)' -exec cp --parents {} $distdir \;
 
+  # Verify that the compiled libs do not have libc networking symbols
+  # (list adapted from https://searchfox.org/mozilla-central/rev/30e70f2fe80c97bfbfcd975e68538cefd7f58b2a/python/mozbuild/mozbuild/action/check_binary.py#217)
+  tmpdir=$(mktemp -d)
+  find $distdir -name '*.aar' -exec mkdir -p $tmpdir/{} \; -exec unzip {} -d $tmpdir/{} \;
+  if find $tmpdir -name '*.so' | xargs objdump -Tt | grep "*UND*" | grep "connect\|accept\|listen\|sock\|recv\|send\|host\|serv\|proto"; then
+    echo "Error: networking symbols found"
+    exit 1
+  fi
+
   cd /var/tmp/dist
   [% c('tar', {
       tar_src => [ project ],
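Review bot: The symbol check added before `cd /var/tmp/dist` fails open: if no `.so` is extracted (for example `unzip` fails or no `.aar` was copied) or `objdump` errors out, the pipeline prints nothing, both `grep`s match nothing, and the build continues as if the libraries were clean. Since this is the gate that keeps libc networking symbols out of the shipped libraries, it should fail when it has nothing to inspect and when `objdump` fails; the sketch below does that by letting `find -exec … +` carry objdump's status and by requiring non-empty output. It also quotes `$distdir`/`$tmpdir` and matches `*UND*` with `grep -F`, because as a regular expression the trailing `*` is a repetition operator, not a literal asterisk. Whether `set -e` or `pipefail` is active is not visible in this hunk, and without `pipefail` neither would cover a pipeline used as an `if` condition. The enclosing template branch starts and ends outside the hunk.

```shell
  tmpdir=$(mktemp -d)
  find "$distdir" -name '*.aar' -exec mkdir -p "$tmpdir"/{} \; -exec unzip {} -d "$tmpdir"/{} \;
  symbols="$tmpdir/symbols.txt"
  # Fail closed: an objdump error or an empty library set must not pass the check.
  if ! find "$tmpdir" -name '*.so' -exec objdump -Tt {} + > "$symbols" || [ ! -s "$symbols" ]; then
    echo "Error: could not read symbols from the built libraries"
    exit 1
  fi
  if grep -F '*UND*' "$symbols" | grep "connect\|accept\|listen\|sock\|recv\|send\|host\|serv\|proto"; then
  # … unchanged: "networking symbols found" message and exit 1 …
```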
diff --git a/projects/application-services/config b/projects/application-services/config
index 0560872..a002ae4 100644
--- a/projects/application-services/config
+++ b/projects/application-services/config
@@ -91,3 +91,5 @@ input_files:
   - filename: target.patch
   - filename: 1651660.patch
   - filename: 1651662.patch
+  - filename: lto.patch
+    enable: '[% !c("var/fetch_gradle_dependencies") %]'
diff --git a/projects/application-services/lto.patch b/projects/application-services/lto.patch
new file mode 100644
index 0000000..838967c
--- /dev/null
+++ b/projects/application-services/lto.patch
@@ -0,0 +1,10 @@
+diff --git a/Cargo.toml b/Cargo.toml
+index 93006d8b..2c9ae848 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -39,4 +39,4 @@ members = [
+ [profile.release]
+ opt-level = "s"
+ debug = true
+-lto = "thin"
++lto = "fat"
diff --git a/projects/nss/build b/projects/nss/build
index c5cfd95..bf51122 100644
--- a/projects/nss/build
+++ b/projects/nss/build
@@ -52,6 +52,10 @@ patch -p2 < $rootdir/config.patch
 # side.
 patch -p2 < $rootdir/bug_13028.patch
 
+# Enable LTO
+export CFLAGS="-flto"
+export LDFLAGS="-flto"
+
 # Building NSPR
 mkdir $builddir/nspr_build
 cd $builddir/nspr_build
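Review bot: `export CFLAGS="-flto"` and `export LDFLAGS="-flto"` replace whatever was already in those variables instead of appending to it, so any flags set earlier (the top of the script is outside this hunk) would be silently dropped for the NSPR and NSS builds. Appending keeps them: `export CFLAGS="${CFLAGS:-} -flto"` and `export LDFLAGS="${LDFLAGS:-} -flto"`. The `# Enable LTO` comment could also record the reason, which going by the commit message is to let the linker drop unused networking code before the application-services symbol check runs. The `RUSTFLAGS` export in projects/application-services/build overwrites its variable in the same way.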




