[tbb-commits] [tor-browser-build/master] Bug 40093: Ensure application-services libs do not include libc networking symbols
gk at torproject.org
gk at torproject.org
Thu Oct 1 09:22:41 UTC 2020
commit 82ad6be56ef54a27da654d7ea879f8dff5fda900
Author: Alex Catarineu <acat at torproject.org>
Date: Tue Sep 15 16:18:36 2020 +0200
Bug 40093: Ensure application-services libs do not include libc networking symbols
This compiles and links NSS/application-services with lto, and also adds a check
which will make the building of the application-services project fail if it finds
networking symbols in the final built libraries.
---
projects/application-services/build | 13 +++++++++++++
projects/application-services/config | 2 ++
projects/application-services/lto.patch | 10 ++++++++++
projects/nss/build | 4 ++++
4 files changed, 29 insertions(+)
diff --git a/projects/application-services/build b/projects/application-services/build
index 5c6b5e0..ffe63da 100644
--- a/projects/application-services/build
+++ b/projects/application-services/build
@@ -97,12 +97,25 @@ patch -p1 < $rootdir/1651662.patch
export LANG=C.UTF-8
patch -p1 < $rootdir/mavenLocal.patch
gradle_flags="--offline --no-daemon -Dmaven.repo.local=$gradle_repo"
+ patch -p1 < $rootdir/lto.patch
+ # Set the right flags for cross-language LTO and override linking opt level, since
+ # lld does not understand -Os or -Oz.
+ export RUSTFLAGS="-Clinker-plugin-lto -Clink-arg=-fuse-ld=lld -Clink-arg=-Wl,-plugin-opt=O2"
$GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags assembleRelease
$GRADLE_HOME/gradle-6.3/bin/gradle $gradle_flags publish
cd build
find maven -regex '.*[0-9].\(aar\|pom\)' -exec cp --parents {} $distdir \;
+ # Verify that the compiled libs do not have libc networking symbols
+ # (list adapted from https://searchfox.org/mozilla-central/rev/30e70f2fe80c97bfbfcd975e68538cefd7f58b2a/python/mozbuild/mozbuild/action/check_binary.py#217)
+ tmpdir=$(mktemp -d)
+ find $distdir -name '*.aar' -exec mkdir -p $tmpdir/{} \; -exec unzip {} -d $tmpdir/{} \;
+ if find $tmpdir -name '*.so' | xargs objdump -Tt | grep "*UND*" | grep "connect\|accept\|listen\|sock\|recv\|send\|host\|serv\|proto"; then
+ echo "Error: networking symbols found"
+ exit 1
+ fi
+
cd /var/tmp/dist
[% c('tar', {
tar_src => [ project ],
diff --git a/projects/application-services/config b/projects/application-services/config
index 0560872..a002ae4 100644
--- a/projects/application-services/config
+++ b/projects/application-services/config
@@ -91,3 +91,5 @@ input_files:
- filename: target.patch
- filename: 1651660.patch
- filename: 1651662.patch
+ - filename: lto.patch
+ enable: '[% !c("var/fetch_gradle_dependencies") %]'
diff --git a/projects/application-services/lto.patch b/projects/application-services/lto.patch
new file mode 100644
index 0000000..838967c
--- /dev/null
+++ b/projects/application-services/lto.patch
@@ -0,0 +1,10 @@
+diff --git a/Cargo.toml b/Cargo.toml
+index 93006d8b..2c9ae848 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -39,4 +39,4 @@ members = [
+ [profile.release]
+ opt-level = "s"
+ debug = true
+-lto = "thin"
++lto = "fat"
diff --git a/projects/nss/build b/projects/nss/build
index c5cfd95..bf51122 100644
--- a/projects/nss/build
+++ b/projects/nss/build
@@ -52,6 +52,10 @@ patch -p2 < $rootdir/config.patch
# side.
patch -p2 < $rootdir/bug_13028.patch
+# Enable LTO
+export CFLAGS="-flto"
+export LDFLAGS="-flto"
+
# Building NSPR
mkdir $builddir/nspr_build
cd $builddir/nspr_build
More information about the tbb-commits
mailing list