neovim: make the build reproducible
This introduces a patch that improves binary reproducibility since changes in ordering of the generated code indeed cause changes in the compiled code. Additionally, since neovim embeds luajit-compiled bytecode into the nvim binary, we are impacted by https://github.com/LuaJIT/LuaJIT/issues/626 . It is possible to switch to lua 5.1, but that'd be a regression (luajit has much better performance and some plugins depend on it, like for example Noice and Lazy). Disabling `COMPILE_LUA` at build time would cause a runtime penalty each time neovim starts. Instead, we run luajit with those security settings disabled for the build-time code generation. (Note to self: for a minimized testcase this seemed to help at 975ec13f5d5aefcac1dbb15fa867e660e07c93a1 but no longer at 03080b795aa3496ed62d4a0697c9f4767e7ca7e5 of luajit, which is surprising since that commit doesn't look super relevant. _Also_ surprisingly it does seem to work in the context of the neovim code generation, though, so that might be good enough...) Also, some of the code generation (using mpack and tables) still relies on stable table ordering. This should eventually be fixed, but as a workaround we use the luajit-with-stable-string-ids for those generators as well. Fixes #207841
parent
677ed08a50
commit
90c4a2ebc3
@ -1,4 +1,5 @@
|
|||||||
{ lib, stdenv, fetchFromGitHub, cmake, gettext, msgpack, libtermkey, libiconv
|
{ lib, stdenv, fetchFromGitHub, cmake, gettext, msgpack, libtermkey, libiconv
|
||||||
|
, fetchpatch
|
||||||
, libuv, lua, ncurses, pkg-config
|
, libuv, lua, ncurses, pkg-config
|
||||||
, unibilium, gperf
|
, unibilium, gperf
|
||||||
, libvterm-neovim
|
, libvterm-neovim
|
||||||
@ -19,6 +20,16 @@ let
|
|||||||
nvim-client luv coxpcall busted luafilesystem penlight inspect
|
nvim-client luv coxpcall busted luafilesystem penlight inspect
|
||||||
]
|
]
|
||||||
));
|
));
|
||||||
|
codegenLua =
|
||||||
|
if lua.pkgs.isLuaJIT
|
||||||
|
then
|
||||||
|
let deterministicLuajit =
|
||||||
|
lua.override {
|
||||||
|
deterministicStringIds = true;
|
||||||
|
self = deterministicLuajit;
|
||||||
|
};
|
||||||
|
in deterministicLuajit.withPackages(ps: [ ps.mpack ps.lpeg ])
|
||||||
|
else lua;
|
||||||
|
|
||||||
pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
|
pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
|
||||||
in
|
in
|
||||||
@ -38,6 +49,13 @@ in
|
|||||||
# necessary so that nix can handle `UpdateRemotePlugins` for the plugins
|
# necessary so that nix can handle `UpdateRemotePlugins` for the plugins
|
||||||
# it installs. See https://github.com/neovim/neovim/issues/9413.
|
# it installs. See https://github.com/neovim/neovim/issues/9413.
|
||||||
./system_rplugin_manifest.patch
|
./system_rplugin_manifest.patch
|
||||||
|
# make the build reproducible, rebased version of
|
||||||
|
# https://github.com/neovim/neovim/pull/21586
|
||||||
|
(fetchpatch {
|
||||||
|
name = "neovim-build-make-generated-source-files-reproducible.patch";
|
||||||
|
url = "https://github.com/raboof/neovim/commit/485dd2af3efbfd174163583c46e0bb2a01ff04f1.patch";
|
||||||
|
hash = "sha256-9aRVK4lDkL/W4RVjeKptrZFY7rYYBx6/RGR4bQSbCsM=";
|
||||||
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
dontFixCmake = true;
|
dontFixCmake = true;
|
||||||
@ -89,7 +107,7 @@ in
|
|||||||
substituteInPlace src/nvim/version.c --replace NVIM_VERSION_CFLAGS "";
|
substituteInPlace src/nvim/version.c --replace NVIM_VERSION_CFLAGS "";
|
||||||
'';
|
'';
|
||||||
# check that the above patching actually works
|
# check that the above patching actually works
|
||||||
disallowedReferences = [ stdenv.cc ];
|
disallowedReferences = [ stdenv.cc ] ++ lib.optional (lua != codegenLua) codegenLua;
|
||||||
|
|
||||||
cmakeFlags = [
|
cmakeFlags = [
|
||||||
# Don't use downloaded dependencies. At the end of the configurePhase one
|
# Don't use downloaded dependencies. At the end of the configurePhase one
|
||||||
@ -101,7 +119,12 @@ in
|
|||||||
++ lib.optional (!lua.pkgs.isLuaJIT) "-DPREFER_LUA=ON"
|
++ lib.optional (!lua.pkgs.isLuaJIT) "-DPREFER_LUA=ON"
|
||||||
;
|
;
|
||||||
|
|
||||||
preConfigure = lib.optionalString stdenv.isDarwin ''
|
preConfigure = lib.optionalString lua.pkgs.isLuaJIT ''
|
||||||
|
cmakeFlagsArray+=(
|
||||||
|
"-DLUAC_PRG=${codegenLua}/bin/luajit -b -s %s -"
|
||||||
|
"-DLUA_GEN_PRG=${codegenLua}/bin/luajit"
|
||||||
|
)
|
||||||
|
'' + lib.optionalString stdenv.isDarwin ''
|
||||||
substituteInPlace src/nvim/CMakeLists.txt --replace " util" ""
|
substituteInPlace src/nvim/CMakeLists.txt --replace " util" ""
|
||||||
'';
|
'';
|
||||||
|
|
||||||
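Review bot: The `disallowedReferences` entry lists only `codegenLua`, which on the LuaJIT branch is the `withPackages` environment, so as far as the visible lines show a reference to the underlying `deterministicLuajit` store path would not be caught. That interpreter is built with `deterministicStringIds = true` and is meant to exist only at build time, so I would bind it in the outer `let` and list it too, e.g. `++ lib.optionals lua.pkgs.isLuaJIT [ codegenLua deterministicLuajit ]`. A comment above `codegenLua` such as `# build-time only: string-id randomization is disabled here, must not end up in the runtime closure` would make the intent explicit for the next maintainer. The enclosing `let` block and the derivation start and end outside the hunks shown.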
|
@ -26,6 +26,12 @@
|
|||||||
, enableAPICheck ? false
|
, enableAPICheck ? false
|
||||||
, enableVMAssertions ? false
|
, enableVMAssertions ? false
|
||||||
, useSystemMalloc ? false
|
, useSystemMalloc ? false
|
||||||
|
# Upstream generates randomized string id's by default for security reasons
|
||||||
|
# https://github.com/LuaJIT/LuaJIT/issues/626. Deterministic string id's should
|
||||||
|
# never be needed for correctness (that should be fixed in the lua code),
|
||||||
|
# but may be helpful when you want to embed jit-compiled raw lua blobs in
|
||||||
|
# binaries that you want to be reproducible.
|
||||||
|
, deterministicStringIds ? false
|
||||||
, luaAttr ? "luajit_${lib.versions.major version}_${lib.versions.minor version}"
|
, luaAttr ? "luajit_${lib.versions.major version}_${lib.versions.minor version}"
|
||||||
} @ inputs:
|
} @ inputs:
|
||||||
assert enableJITDebugModule -> enableJIT;
|
assert enableJITDebugModule -> enableJIT;
|
||||||
@ -45,6 +51,7 @@ let
|
|||||||
++ optional enableGDBJITSupport "-DLUAJIT_USE_GDBJIT"
|
++ optional enableGDBJITSupport "-DLUAJIT_USE_GDBJIT"
|
||||||
++ optional enableAPICheck "-DLUAJIT_USE_APICHECK"
|
++ optional enableAPICheck "-DLUAJIT_USE_APICHECK"
|
||||||
++ optional enableVMAssertions "-DLUAJIT_USE_ASSERT"
|
++ optional enableVMAssertions "-DLUAJIT_USE_ASSERT"
|
||||||
|
++ optional deterministicStringIds "-DLUAJIT_SECURITY_STRID=0"
|
||||||
;
|
;
|
||||||
in
|
in
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
|
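Review bot: The comment on `deterministicStringIds` says upstream randomizes string ids for security reasons, but it does not say what enabling the option gives up or where it is safe to use. Since the flag adds `-DLUAJIT_SECURITY_STRID=0`, I would extend the comment with a line such as `# Only enable this for a build-time interpreter; never for one that processes untrusted input.` The derivation's name is outside the hunk, but if it does not change with this option, a suffix or `passthru` marker on the overridden build would presumably make it easier to spot in a closure audit.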