colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
nixpkgs/pkgs/build-support/bintools-wrapper/ld-wrapper.sh
Alyssa Ross 194ddeefd5
wrapBintoolsWith: support LINK.EXE-style args in purity checks 
LLD supports Windows-style linker arguments, but these previously
triggered purity check false positives, because it saw that they
started with a '/' and assumed they were paths.

This tweaks the path detection to allow through certain values that
could be paths, but are much more likely to be LINK.EXE-style flags.
The risk of false negatives here is low — the only things we'd now
fail to catch would be attempts to link with libraries in the root
directory, which doesn't happen in practice.

We also teach the wrapper how to apply its purity checks to library
paths specified with the /LIBPATH: option.

Tested that paths we expect to be rejected (like /lib/libfoo.so) still
are.
2023-04-29 01:37:00 +00:00

274 lines
8.7 KiB
Bash
Raw Permalink Blame History

#! @shell@
set -eu -o pipefail +o posix
shopt -s nullglob
if (( "${NIX_DEBUG:-0}" >= 7 )); then
set -x
fi
path_backup="$PATH"
# phase separation makes this look useless
# shellcheck disable=SC2157
if [ -n "@coreutils_bin@" ]; then
PATH="@coreutils_bin@/bin"
fi
source @out@/nix-support/utils.bash
if [ -z "${NIX_BINTOOLS_WRAPPER_FLAGS_SET_@suffixSalt@:-}" ]; then
source @out@/nix-support/add-flags.sh
fi
# Optionally filter out paths not refering to the store.
expandResponseParams "$@"
# NIX_LINK_TYPE is set if ld has been called through our cc wrapper. We take
# advantage of this to avoid both recalculating it, and also repeating other
# processing cc wrapper has already done.
if [[ -n "${NIX_LINK_TYPE_@suffixSalt@:-}" ]]; then
linkType=$NIX_LINK_TYPE_@suffixSalt@
else
linkType=$(checkLinkType "${params[@]}")
fi
if [[ "${NIX_ENFORCE_PURITY:-}" = 1 && -n "${NIX_STORE:-}"
&& ( -z "$NIX_IGNORE_LD_THROUGH_GCC_@suffixSalt@" || -z "${NIX_LINK_TYPE_@suffixSalt@:-}" ) ]]; then
rest=()
nParams=${#params[@]}
declare -i n=0
while (( "$n" < "$nParams" )); do
p=${params[n]}
p2=${params[n+1]:-} # handle `p` being last one
if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
skip "${p:2}"
elif [ "$p" = -L ] && badPath "$p2"; then
n+=1; skip "$p2"
elif [ "$p" = -rpath ] && badPath "$p2"; then
n+=1; skip "$p2"
elif [ "$p" = -dynamic-linker ] && badPath "$p2"; then
n+=1; skip "$p2"
elif [ "$p" = -syslibroot ] && [ $p2 == // ]; then
# When gcc is built on darwin --with-build-sysroot=/
# produces '-syslibroot //' linker flag. It's a no-op,
# which does not introduce impurities.
n+=1; skip "$p2"
elif [ "${p:0:10}" = /LIBPATH:/ ] && badPath "${p:9}"; then
reject "${p:9}"
# We need to not match LINK.EXE-style flags like
# /NOLOGO or /LIBPATH:/nix/store/foo
elif [[ $p =~ ^/[^:]*/ ]] && badPath "$p"; then
reject "$p"
elif [ "${p:0:9}" = --sysroot ]; then
# Our ld is not built with sysroot support (Can we fix that?)
:
else
rest+=("$p")
fi
n+=1
done
# Old bash empty array hack
params=(${rest+"${rest[@]}"})
fi
source @out@/nix-support/add-hardening.sh
extraAfter=()
extraBefore=(${hardeningLDFlags[@]+"${hardeningLDFlags[@]}"})
if [ -z "${NIX_LINK_TYPE_@suffixSalt@:-}" ]; then
extraAfter+=($(filterRpathFlags "$linkType" $NIX_LDFLAGS_@suffixSalt@))
extraBefore+=($(filterRpathFlags "$linkType" $NIX_LDFLAGS_BEFORE_@suffixSalt@))
# By adding dynamic linker to extraBefore we allow the users set their
# own dynamic linker as NIX_LD_FLAGS will override earlier set flags
if [[ "$linkType" == dynamic && -n "$NIX_DYNAMIC_LINKER_@suffixSalt@" ]]; then
extraBefore+=("-dynamic-linker" "$NIX_DYNAMIC_LINKER_@suffixSalt@")
fi
fi
extraAfter+=($(filterRpathFlags "$linkType" $NIX_LDFLAGS_AFTER_@suffixSalt@))
# These flags *must not* be pulled up to -Wl, flags, so they can't go in
# add-flags.sh. They must always be set, so must not be disabled by
# NIX_LDFLAGS_SET.
if [ -e @out@/nix-support/add-local-ldflags-before.sh ]; then
source @out@/nix-support/add-local-ldflags-before.sh
fi
# Three tasks:
#
# 1. Find all -L... switches for rpath
#
# 2. Find relocatable flag for build id.
#
# 3. Choose 32-bit dynamic linker if needed
declare -a libDirs
declare -A libs
declare -i relocatable=0 link32=0
linkerOutput="a.out"
if
[ "$NIX_DONT_SET_RPATH_@suffixSalt@" != 1 ] \
|| [ "$NIX_SET_BUILD_ID_@suffixSalt@" = 1 ] \
|| [ -e @out@/nix-support/dynamic-linker-m32 ]
then
prev=
# Old bash thinks empty arrays are undefined, ugh.
for p in \
${extraBefore+"${extraBefore[@]}"} \
${params+"${params[@]}"} \
${extraAfter+"${extraAfter[@]}"}
do
case "$prev" in
-L)
libDirs+=("$p")
;;
-l)
libs["lib${p}.so"]=1
;;
-m)
# Presumably only the last `-m` flag has any effect.
case "$p" in
elf_i386) link32=1;;
*) link32=0;;
esac
;;
-dynamic-linker | -plugin)
# Ignore this argument, or it will match *.so and be added to rpath.
;;
*)
case "$p" in
-L/*)
libDirs+=("${p:2}")
;;
-l?*)
libs["lib${p:2}.so"]=1
;;
"${NIX_STORE:-}"/*.so | "${NIX_STORE:-}"/*.so.*)
# This is a direct reference to a shared library.
libDirs+=("${p%/*}")
libs["${p##*/}"]=1
;;
-r | --relocatable | -i)
relocatable=1
esac
;;
esac
prev="$p"
done
fi
# Determine linkerOutput
prev=
for p in \
${extraBefore+"${extraBefore[@]}"} \
${params+"${params[@]}"} \
${extraAfter+"${extraAfter[@]}"}
do
case "$prev" in
-o)
# Informational for post-link-hook
linkerOutput="$p"
;;
*)
;;
esac
prev="$p"
done
if [[ "$link32" == "1" && "$linkType" == dynamic && -e "@out@/nix-support/dynamic-linker-m32" ]]; then
# We have an alternate 32-bit linker and we're producing a 32-bit ELF, let's
# use it.
extraAfter+=(
'-dynamic-linker'
"$(< @out@/nix-support/dynamic-linker-m32)"
)
fi
# Add all used dynamic libraries to the rpath.
if [[ "$NIX_DONT_SET_RPATH_@suffixSalt@" != 1 && "$linkType" != static-pie ]]; then
# For each directory in the library search path (-L...),
# see if it contains a dynamic library used by a -l... flag. If
# so, add the directory to the rpath.
# It's important to add the rpath in the order of -L..., so
# the link time chosen objects will be those of runtime linking.
declare -A rpaths
for dir in ${libDirs+"${libDirs[@]}"}; do
if [[ "$dir" =~ [/.][/.] ]] && dir2=$(readlink -f "$dir"); then
dir="$dir2"
fi
if [ -n "${rpaths[$dir]:-}" ] || [[ "$dir" != "${NIX_STORE:-}"/* ]]; then
# If the path is not in the store, don't add it to the rpath.
# This typically happens for libraries in /tmp that are later
# copied to $out/lib. If not, we're screwed.
continue
fi
for path in "$dir"/*; do
file="${path##*/}"
if [ "${libs[$file]:-}" ]; then
# This library may have been provided by a previous directory,
# but if that library file is inside an output of the current
# derivation, it can be deleted after this compilation and
# should be found in a later directory, so we add all
# directories that contain any of the libraries to rpath.
rpaths["$dir"]=1
extraAfter+=(-rpath "$dir")
break
fi
done
done
fi
# This is outside the DONT_SET_RPATH branch because it's more targeted and we
# usually want it (on Darwin) even if DONT_SET_RPATH is set.
if [ -n "${NIX_COREFOUNDATION_RPATH:-}" ]; then
extraAfter+=(-rpath $NIX_COREFOUNDATION_RPATH)
fi
# Only add --build-id if this is a final link. FIXME: should build gcc
# with --enable-linker-build-id instead?
#
# Note: `lld` interprets `--build-id` to mean `--build-id=fast`; GNU ld defaults
# to SHA1.
if [ "$NIX_SET_BUILD_ID_@suffixSalt@" = 1 ] && ! (( "$relocatable" )); then
extraAfter+=(--build-id="${NIX_BUILD_ID_STYLE:-sha1}")
fi
# Optionally print debug info.
if (( "${NIX_DEBUG:-0}" >= 1 )); then
# Old bash workaround, see above.
echo "extra flags before to @prog@:" >&2
printf " %q\n" ${extraBefore+"${extraBefore[@]}"} >&2
echo "original flags to @prog@:" >&2
printf " %q\n" ${params+"${params[@]}"} >&2
echo "extra flags after to @prog@:" >&2
printf " %q\n" ${extraAfter+"${extraAfter[@]}"} >&2
fi
PATH="$path_backup"
# Old bash workaround, see above.
if (( "${NIX_LD_USE_RESPONSE_FILE:-@use_response_file_by_default@}" >= 1 )); then
@prog@ @<(printf "%q\n" \
${extraBefore+"${extraBefore[@]}"} \
${params+"${params[@]}"} \
${extraAfter+"${extraAfter[@]}"})
else
@prog@ \
${extraBefore+"${extraBefore[@]}"} \
${params+"${params[@]}"} \
${extraAfter+"${extraAfter[@]}"}
fi
if [ -e "@out@/nix-support/post-link-hook" ]; then
source @out@/nix-support/post-link-hook
fi
Reference in New Issue View Git Blame Copy Permalink