cc-wrapper: Pass shellcheck and other cleanups #27879
Conversation
|
@Ericson2314, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @vcunat and @abbradar to be potential reviewers. |
| @@ -69,7 +73,7 @@ relocatable= | |||
| # Find all -L... switches for rpath, and relocatable flags for build id. | |||
| if [ "$NIX_DONT_SET_RPATH" != 1 ] || [ "$NIX_SET_BUILD_ID" = 1 ]; then | |||
| prev= | |||
| for p in "${params[@]}" "${extra[@]}"; do | |||
| for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do | |||
There was a problem hiding this comment.
I think not including extraBefore here was an oversight of whoever added it originally. Note that the debugging code below originally also skipped it.
| if [ -n "@coreutils_bin@" ]; then | ||
| addToSearchPath _PATH @coreutils_bin@/bin | ||
| fi | ||
|
|
||
| if [ -z "$crossConfig" ]; then | ||
| ENV_PREFIX="" | ||
| # shellcheck disable=SC2157 |
There was a problem hiding this comment.
This was the same one as above---eager copy paste---and unneeded.
| @@ -1,28 +1,37 @@ | |||
| # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld. | |||
| export NIX_CFLAGS_COMPILE="-B@out@/bin/ $NIX_CFLAGS_COMPILE" | |||
|
|
|||
| # One line export + assign means missing files will not fail script. Not sure | |||
| # whether thsi is intentional. | |||
There was a problem hiding this comment.
Somebody should weigh in on this.
There was a problem hiding this comment.
thsi is probably not intentional
There was a problem hiding this comment.
I weigh in on "thsi" most likely being a typo. Does that count?
There was a problem hiding this comment.
Wait, we already check for file existence, so this is definitely isn't needed.
| @@ -1,26 +1,41 @@ | |||
| hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) | |||
| hardeningFlags+=("${hardeningEnable[@]}") | |||
| # Intentionally word-split in case 'hardeningEnable' is defined in Nix. | |||
| hardeningFlags+=(${hardeningEnable[@]}) | |||
There was a problem hiding this comment.
Semantics change, but all the flags are sans-whitespace so it seems fine.
| # `set -u`. | ||
| for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@ | ||
| do | ||
| hardeningDisableMap[$flag]=1 |
There was a problem hiding this comment.
I think this is clearer than the regex stuff that was there before---and shellcheck said the regex stuff was done wrong anyways such that only string literals would match.
| case $flag in | ||
| fortify) | ||
| if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi | ||
| hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') | ||
| ;; | ||
| stackprotector) | ||
| if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi | ||
| hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') | ||
| hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4') |
There was a problem hiding this comment.
N.B. bugs like this weren't being caught because extra word splitting on arrays.
| @@ -19,16 +25,17 @@ source @out@/nix-support/utils.sh | |||
| # For instance, figure out if linker flags should be passed. | |||
| # GCC prints annoying warnings when they are not needed. | |||
| dontLink=0 | |||
| getVersion=0 | |||
| fi | ||
|
|
||
| if [ -n "$NIX_CC_WRAPPER_EXEC_HOOK" ]; then | ||
| source "$NIX_CC_WRAPPER_EXEC_HOOK" | ||
| fi | ||
|
|
||
| PATH="$path_backup" | ||
| exec @prog@ ${extraBefore[@]} "${params[@]}" "${extraAfter[@]}" | ||
| exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}" |
There was a problem hiding this comment.
Semantics change, but the old version was a mistake. I fixed a hardening flag bug uncovered by this; hope there aren't others.
@orivej did something the same fix for ld-wrapper, and I guess it was fine there?
| if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then | ||
| skip $p | ||
| skip "${p:2}" |
There was a problem hiding this comment.
So the "skip" thing does say "bad path", but not knowing what flag it came from is strictly less useful. I'm conflicted.
| @@ -18,7 +24,6 @@ source @out@/nix-support/utils.sh | |||
| # Figure out if linker flags should be passed. GCC prints annoying | |||
| # warnings when they are not needed. | |||
| dontLink=0 | |||
There was a problem hiding this comment.
This is a dead variable, but used in commented code, so I guess I'll leave it for now.
Ericson2314
force-pushed
the
cc-wrapper-shellcheck
branch
4 times, most recently
from
7f7ed3c
to
de957cc
Compare
|
In #27672 I made cc-wrapper robust with undefined variables with |
| @@ -1,28 +1,37 @@ | |||
| # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld. | |||
| export NIX_CFLAGS_COMPILE="-B@out@/bin/ $NIX_CFLAGS_COMPILE" | |||
|
|
|||
| # One line export + assign means missing files will not fail script. Not sure | |||
| # whether thsi is intentional. | |||
There was a problem hiding this comment.
thsi is probably not intentional
Ericson2314
force-pushed
the
cc-wrapper-shellcheck
branch
from
de957cc
to
6463fd3
Compare
|
OK I think I dealt with all comments. |
| @@ -116,23 +125,22 @@ if [[ "$isCpp" = 1 ]]; then | |||
| NIX_CFLAGS_LINK+=" $NIX_CXXSTDLIB_LINK" | |||
| fi | |||
|
|
|||
| LD=@ldPath@/ld | |||
There was a problem hiding this comment.
This would be the unwrapped ld, which seems wrong.
| @@ -49,18 +54,17 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ | |||
| params=("${rest[@]}") | |||
| fi | |||
|
|
|||
| LD=@prog@ | |||
There was a problem hiding this comment.
This however would be the wrapped ld. Since cc will fork ld-wrapper, the old LD=..., assuming LD was already an export so it affected forked processes' environments (!), would be clobbered anyways.
| @@ -1,28 +1,37 @@ | |||
| # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld. | |||
| export NIX_CFLAGS_COMPILE="-B@out@/bin/ $NIX_CFLAGS_COMPILE" | |||
|
|
|||
| # Export and assign separately in order that a failing $(..) will fail | |||
| # the script. | |||
There was a problem hiding this comment.
Added back better comment without typo.
Motivation for this change
In many cases, this involved taking @orivej's and @edolstra's recent ld-wrapper improvements, and applying then elsewhere.
The only semantics changes I know of are
Fix bad word-splitting---already done with ld-wrapper with no issues
Remove unused and probably wrong
LD=---didn't take into account cross and in cc-wrapper pointed to unwrapped ld while in ld-wrapper pointed to wrapped ld.Things done
Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers.
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)CC @orivej