diff options
author | merge-script <fanquake@gmail.com> | 2024-05-29 09:42:05 +0100 |
---|---|---|
committer | merge-script <fanquake@gmail.com> | 2024-05-29 09:42:05 +0100 |
commit | be100cf4c77a3e45750773689e0a396fda39d8a7 (patch) | |
tree | 3c03e8b402f0cc267812f2b651d0fa52e7bf30f9 /contrib | |
parent | 417b6ceceee94b9f291f7f84c4664e5a6bcd3707 (diff) | |
parent | e8c25e8a35e333e90514945c592557615641553f (diff) | |
download | bitcoin-be100cf4c77a3e45750773689e0a396fda39d8a7.tar.xz |
Merge bitcoin/bitcoin#21778: build: LLD based macOS toolchain
e8c25e8a35e333e90514945c592557615641553f guix: drop binutils from macOS env (fanquake)
555fddf646265f7e57a416dc64b171f2c9460e20 guix: use GUIX_LD_WRAPPER_DISABLE_RPATH for all HOSTS (fanquake)
9ec238d0f3c7b97aec83dbeb4c7a6950c8f5125e guix: remove ZERO_AR_DATE export (fanquake)
f836f7e9b3e091eb27cdefb624e2a6f2a921fa55 depends: remove cctools & libtapi (fanquake)
4a0536c5d96688729f8c885060c83cb12d72a8c5 build: switch to using lld for macOS builds (fanquake)
c6a6b2d6fd4e3a01b095dc98645f819ebabf1931 build: add lld into macOS build environment(s) (fanquake)
437e908ebd1bf9473ef924de5aec57bdc26de6dd depends: swap cctools-x for llvm-x (fanquake)
bab287d1bab2c02b5fab3285f2678c15316d31c2 depends: don't use -no_warning_for_no_symbols in macOS qt build (fanquake)
Pull request description:
This switches us to using a [LLD](https://lld.llvm.org/) based toolchain for macOS builds.
### Benefits
* Less complicated macOS toolchain.
* No longer beholden to Apple releasing it's [source](https://opensource.apple.com/source/) for [cctools](https://opensource.apple.com/source/cctools/), [ld64](https://opensource.apple.com/source/ld64/) & [libtapi](https://opensource.apple.com/source/tapi/).
* No more reliance on third parties to modify those sources for us. i.e [apple-libtapi](https://github.com/tpoechtrager/apple-libtapi), [cctools-port](https://github.com/tpoechtrager/cctools-port) (cctools + ld64).
ACKs for top commit:
theuni:
Tentative ACK e8c25e8a35e333e90514945c592557615641553f.
Tree-SHA512: ec73304e8a2cd4c71041f7863d7d2e4e0408787299fb4fa3745076853156e8f64e4742e16f30d65e3a27f1e9c0d19cdf802248366b72a4fcb4ea821f92bb7a00
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/devtools/symbol-check.py | 2 | ||||
-rwxr-xr-x | contrib/devtools/test-security-check.py | 24 | ||||
-rwxr-xr-x | contrib/guix/libexec/build.sh | 23 | ||||
-rw-r--r-- | contrib/guix/manifest.scm | 3 | ||||
-rw-r--r-- | contrib/macdeploy/README.md | 17 |
5 files changed, 14 insertions, 55 deletions
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index b3e73bb2b9..e4a62c2072 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py @@ -240,7 +240,7 @@ def check_MACHO_sdk(binary) -> bool: return False def check_MACHO_ld64(binary) -> bool: - if binary.build_version.tools[0].version == [711, 0, 0]: + if binary.build_version.tools[0].version == [17, 0, 6]: return True return False diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index 51bca4627e..dd0cf7030a 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py @@ -120,21 +120,15 @@ class TestSecurityChecks(unittest.TestCase): arch = get_arch(cc, source, executable) if arch == lief.ARCHITECTURES.X86: - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-no_fixup_chains']), - (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']), - (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), - (1, executable+': failed PIE')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']), + (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']), + (1, executable+': failed NOUNDEFS Canary CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']), + (1, executable+': failed NOUNDEFS CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']), + (1, executable+': failed CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']), (0, '')) else: # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh index 1e9b682f3f..f589ac7a55 100755 --- a/contrib/guix/libexec/build.sh +++ b/contrib/guix/libexec/build.sh @@ -133,18 +133,7 @@ for p in "${PATHS[@]}"; do done # Disable Guix ld auto-rpath behavior -case "$HOST" in - *darwin*) - # The auto-rpath behavior is necessary for darwin builds as some native - # tools built by depends refer to and depend on Guix-built native - # libraries - # - # After the native packages in depends are built, the ld wrapper should - # no longer affect our build, as clang would instead reach for - # x86_64-apple-darwin-ld from cctools - ;; - *) export GUIX_LD_WRAPPER_DISABLE_RPATH=yes ;; -esac +export GUIX_LD_WRAPPER_DISABLE_RPATH=yes # Make /usr/bin if it doesn't exist [ -e /usr/bin ] || mkdir -p /usr/bin @@ -173,16 +162,6 @@ esac # Environment variables for determinism export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name" export TZ="UTC" -case "$HOST" in - *darwin*) - # cctools AR, unlike GNU binutils AR, does not have a deterministic mode - # or a configure flag to enable determinism by default, it only - # understands if this env-var is set or not. See: - # - # https://github.com/tpoechtrager/cctools-port/blob/55562e4073dea0fbfd0b20e0bf69ffe6390c7f97/cctools/ar/archive.c#L334 - export ZERO_AR_DATE=yes - ;; -esac #################### # Depends Building # diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index 96818c7748..40500ccb88 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -532,8 +532,9 @@ inspecting signatures in Mach-O binaries.") ((string-contains target "darwin") (list ;; Native GCC 11 toolchain gcc-toolchain-11 - binutils clang-toolchain-17 + lld-17 + (make-lld-wrapper lld-17 #:lld-as-ld? #t) python-signapple zip)) (else '()))))) diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md index d1df3062f8..78f61685e1 100644 --- a/contrib/macdeploy/README.md +++ b/contrib/macdeploy/README.md @@ -56,28 +56,13 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28 ## Deterministic macOS App Notes -macOS Applications are created in Linux by combining a recent `clang` and the Apple -`binutils` (`ld`, `ar`, etc). +macOS Applications are created in Linux using a recent LLVM. Apple uses `clang` extensively for development and has upstreamed the necessary functionality so that a vanilla clang can take advantage. It supports the use of `-F`, `-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when building for macOS. -Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the -FSF's `binutils`. In addition to extra linker options for frameworks and sysroots, several -other tools are needed as well. These do not build under Linux, so they have been patched to -do so. The work here was used as a starting point: [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4). - -In order to build a working toolchain, the following source packages are needed from -Apple: `cctools`, `dyld`, and `ld64`. - -These tools inject timestamps by default, which produce non-deterministic binaries. The -`ZERO_AR_DATE` environment variable is used to disable that. - -This version of `cctools` has been patched to use the current version of `clang`'s headers -and its `libLTO.so` rather than those from `llvmgcc`, as it was originally done in `toolchain4`. - To complicate things further, all builds must target an Apple SDK. These SDKs are free to download, but not redistributable. See the SDK Extraction notes above for how to obtain it. |