diff options
| author | fanquake <fanquake@gmail.com> | 2023-11-14 09:42:12 +0000 |
|---|---|---|
| committer | fanquake <fanquake@gmail.com> | 2023-11-14 09:47:36 +0000 |
| commit | fb85bb277670aad28fef51b7313d4a96cdaa760f (patch) | |
| tree | 0a6df27a65ed2857fef0b1f8e16f3cd949e38035 | |
| parent | 1fbeeed23a77cb42d6e2531d4d9e898a41049c86 (diff) | |
| parent | 3c61c60b90db1b6a77b3804784430fcd57b447b6 (diff) | |
Merge bitcoin/bitcoin#28783: build: remove `-bind_at_load` usage
3c61c60b90db1b6a77b3804784430fcd57b447b6 build: Add an old hack to remove bind_at_load from libtool. (Cory Fields)
45257601da4cf38f081d9af2c18cd0be7174bcef build: remove -bind_at_load usage (fanquake)
Pull request description:
This is deprecated on macOS:
```bash
ld: warning: -bind_at_load is deprecated on macOS
```
and likely redundant anyways, given the behaviour of dyld3.
Unfortunately libtool is still injecting a `-bind_at_load`, because it's version check is broken:
```bash
# Don't allow lazy linking, it breaks C++ global constructors
# But is supposedly fixed on 10.4 or later (yay!).
if test CXX = "$tagname"; then
case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
10.[0123])
func_append compile_command " $wl-bind_at_load"
func_append finalize_command " $wl-bind_at_load"
;;
esac
fi
```
so this adds another change to strip them out at the end of configure.
Note that anywhere the ld64 warnings are being emitted, we are already not adding this flag to our hardened ldflags, because of `-Wl,-fatal_warnings`.
ACKs for top commit:
theuni:
utACK 3c61c60b90db1b6a77b3804784430fcd57b447b6.
hebasto:
ACK 3c61c60b90db1b6a77b3804784430fcd57b447b6, tested on macOS Sonoma 14.1.1 (23B81, Apple M1) and Ubuntu 23.10 (cross-compiling for macOS). Also I've verified the actual diff in the `libtool` script.
Tree-SHA512: 98e6a095dc2d2409f8ec3b9d462e0db3643d7873d7903a12f8acd664829e7e84e797638556fa42ca8ebc1003f13a38fe9bb8a2a50cecfa991155da818574bf08
| -rw-r--r-- | configure.ac | 12 | ||||
| -rwxr-xr-x | contrib/devtools/test-security-check.py | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac index 6add570d00..5d26f49e8b 100644 --- a/configure.ac +++ b/configure.ac @@ -1002,7 +1002,6 @@ dnl "ad_strip" as the symbol for the entry point. if test "$TARGET_OS" = "darwin"; then AX_CHECK_LINK_FLAG([-Wl,-dead_strip], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip"], [], [$LDFLAG_WERROR]) AX_CHECK_LINK_FLAG([-Wl,-dead_strip_dylibs], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip_dylibs"], [], [$LDFLAG_WERROR]) - AX_CHECK_LINK_FLAG([-Wl,-bind_at_load], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"], [], [$LDFLAG_WERROR]) AX_CHECK_LINK_FLAG([-Wl,-fixup_chains], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-fixup_chains"], [], [$LDFLAG_WERROR]) fi @@ -1970,6 +1969,17 @@ case ${OS} in ;; esac +dnl An old hack similar to a98356fee to remove hard-coded +dnl bind_at_load flag from libtool +case $host in + *darwin*) + AC_MSG_RESULT([Removing -Wl,bind_at_load from libtool.]) + sed < libtool > libtool-2 '/bind_at_load/d' + mv libtool-2 libtool + chmod 755 libtool + ;; +esac + echo echo "Options used to compile and link:" echo " external signer = $use_external_signer" diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index 802bf9fd30..92272cf8f9 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -129,11 +129,11 @@ class TestSecurityChecks(unittest.TestCase): (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), (1, executable+': failed PIE')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), (0, '')) else: # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks @@ -143,7 +143,7 @@ class TestSecurityChecks(unittest.TestCase): (1, executable+': failed NOUNDEFS Canary')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), (1, executable+': failed NOUNDEFS')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']), (0, '')) |