highperfocused/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-11-09 21:47:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge bitcoin/bitcoin#21778: build: LLD based macOS toolchain

Browse Source 
e8c25e8a35 guix: drop binutils from macOS env (fanquake)
555fddf646 guix: use GUIX_LD_WRAPPER_DISABLE_RPATH for all HOSTS (fanquake)
9ec238d0f3 guix: remove ZERO_AR_DATE export (fanquake)
f836f7e9b3 depends: remove cctools & libtapi (fanquake)
4a0536c5d9 build: switch to using lld for macOS builds (fanquake)
c6a6b2d6fd build: add lld into macOS build environment(s) (fanquake)
437e908ebd depends: swap cctools-x for llvm-x (fanquake)
bab287d1ba depends: don't use -no_warning_for_no_symbols in macOS qt build (fanquake)

Pull request description:

  This switches us to using a [LLD](https://lld.llvm.org/) based toolchain for macOS builds.

  ### Benefits
  * Less complicated macOS toolchain.
  * No longer beholden to Apple releasing it's [source](https://opensource.apple.com/source/) for [cctools](https://opensource.apple.com/source/cctools/), [ld64](https://opensource.apple.com/source/ld64/) & [libtapi](https://opensource.apple.com/source/tapi/).
  * No more reliance on third parties to modify those sources for us. i.e [apple-libtapi](https://github.com/tpoechtrager/apple-libtapi), [cctools-port](https://github.com/tpoechtrager/cctools-port) (cctools + ld64).

ACKs for top commit:
  theuni:
    Tentative ACK e8c25e8a35.

Tree-SHA512: ec73304e8a2cd4c71041f7863d7d2e4e0408787299fb4fa3745076853156e8f64e4742e16f30d65e3a27f1e9c0d19cdf802248366b72a4fcb4ea821f92bb7a00
This commit is contained in:
merge-script
2024-05-29 09:42:05 +01:00
parent 417b6cecee e8c25e8a35
commit be100cf4c7
18 changed files with 66 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/devtools/symbol-check.py
View File

@@ -240,7 +240,7 @@ def check_MACHO_sdk(binary) -> bool:
return False
def check_MACHO_ld64(binary) -> bool:
if binary.build_version.tools[0].version == [711, 0, 0]:
if binary.build_version.tools[0].version == [17, 0, 6]:
return True
return False

24
contrib/devtools/test-security-check.py
View File

@@ -120,21 +120,15 @@ class TestSecurityChecks(unittest.TestCase):
arch = get_arch(cc, source, executable)
if arch == lief.ARCHITECTURES.X86:
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-no_fixup_chains']),
(1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE NX CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
(1, executable+': failed PIE'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']),
(1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS Canary CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
(0, ''))
else:
# arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks

23
contrib/guix/libexec/build.sh
View File

@@ -133,18 +133,7 @@ for p in "${PATHS[@]}"; do
done
# Disable Guix ld auto-rpath behavior
case "$HOST" in
*darwin*)
# The auto-rpath behavior is necessary for darwin builds as some native
# tools built by depends refer to and depend on Guix-built native
# libraries
#
# After the native packages in depends are built, the ld wrapper should
# no longer affect our build, as clang would instead reach for
# x86_64-apple-darwin-ld from cctools
;;
*) export GUIX_LD_WRAPPER_DISABLE_RPATH=yes ;;
esac
export GUIX_LD_WRAPPER_DISABLE_RPATH=yes
# Make /usr/bin if it doesn't exist
[ -e /usr/bin ] || mkdir -p /usr/bin
@@ -173,16 +162,6 @@ esac
# Environment variables for determinism
export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --mtime='@${SOURCE_DATE_EPOCH}' --sort=name"
export TZ="UTC"
case "$HOST" in
*darwin*)
# cctools AR, unlike GNU binutils AR, does not have a deterministic mode
# or a configure flag to enable determinism by default, it only
# understands if this env-var is set or not. See:
#
# https://github.com/tpoechtrager/cctools-port/blob/55562e4073dea0fbfd0b20e0bf69ffe6390c7f97/cctools/ar/archive.c#L334
export ZERO_AR_DATE=yes
;;
esac
####################
# Depends Building #

3
contrib/guix/manifest.scm
View File

@@ -532,8 +532,9 @@ inspecting signatures in Mach-O binaries.")
((string-contains target "darwin")
(list ;; Native GCC 11 toolchain
gcc-toolchain-11
binutils
clang-toolchain-17
lld-17
(make-lld-wrapper lld-17 #:lld-as-ld? #t)
python-signapple
zip))
(else '())))))

17
contrib/macdeploy/README.md
View File

@@ -56,28 +56,13 @@ The `sha256sum` should be `c0c2e7bb92c1fee0c4e9f3a485e4530786732d6c6dd9e9f418c28
## Deterministic macOS App Notes
macOS Applications are created in Linux by combining a recent `clang` and the Apple
`binutils` (`ld`, `ar`, etc).
macOS Applications are created in Linux using a recent LLVM.
Apple uses `clang` extensively for development and has upstreamed the necessary
functionality so that a vanilla clang can take advantage. It supports the use of `-F`,
`-target`, `-mmacosx-version-min`, and `-isysroot`, which are all necessary when
building for macOS.
Apple's version of `binutils` (called `cctools`) contains lots of functionality missing in the
FSF's `binutils`. In addition to extra linker options for frameworks and sysroots, several
other tools are needed as well. These do not build under Linux, so they have been patched to
do so. The work here was used as a starting point: [mingwandroid/toolchain4](https://github.com/mingwandroid/toolchain4).
In order to build a working toolchain, the following source packages are needed from
Apple: `cctools`, `dyld`, and `ld64`.
These tools inject timestamps by default, which produce non-deterministic binaries. The
`ZERO_AR_DATE` environment variable is used to disable that.
This version of `cctools` has been patched to use the current version of `clang`'s headers
and its `libLTO.so` rather than those from `llvmgcc`, as it was originally done in `toolchain4`.
To complicate things further, all builds must target an Apple SDK. These SDKs are free to
download, but not redistributable. See the SDK Extraction notes above for how to obtain it.