phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-01-10 11:57:28 -03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge bitcoin/bitcoin#28783: build: remove -bind_at_load usage

Browse source 
3c61c60b90 build: Add an old hack to remove bind_at_load from libtool. (Cory Fields)
45257601da build: remove -bind_at_load usage (fanquake)

Pull request description:

  This is deprecated on macOS:
  ```bash
  ld: warning: -bind_at_load is deprecated on macOS
  ```
  and likely redundant anyways, given the behaviour of dyld3.

  Unfortunately libtool is still injecting a `-bind_at_load`, because it's version check is broken:
  ```bash
  # Don't allow lazy linking, it breaks C++ global constructors
  # But is supposedly fixed on 10.4 or later (yay!).
  if test CXX = "$tagname"; then
    case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
      10.[0123])
        func_append compile_command " $wl-bind_at_load"
        func_append finalize_command " $wl-bind_at_load"
      ;;
    esac
  fi
  ```
  so this adds another change to strip them out at the end of configure.

  Note that anywhere the ld64 warnings are being emitted, we are already not adding this flag to our hardened ldflags, because of `-Wl,-fatal_warnings`.

ACKs for top commit:
  theuni:
    utACK 3c61c60b90.
  hebasto:
    ACK 3c61c60b90, tested on macOS Sonoma 14.1.1 (23B81, Apple M1) and Ubuntu 23.10 (cross-compiling for macOS). Also I've verified the actual diff in the `libtool` script.

Tree-SHA512: 98e6a095dc2d2409f8ec3b9d462e0db3643d7873d7903a12f8acd664829e7e84e797638556fa42ca8ebc1003f13a38fe9bb8a2a50cecfa991155da818574bf08
This commit is contained in:
fanquake 2023-11-14 09:42:12 +00:00
commit fb85bb2776
No known key found for this signature in database
GPG key ID: 2EEB9F5CC09526C1
2 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
configure.ac
View file

@ -1002,7 +1002,6 @@ dnl "ad_strip" as the symbol for the entry point.
if test "$TARGET_OS" = "darwin"; then
AX_CHECK_LINK_FLAG([-Wl,-dead_strip], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip"], [], [$LDFLAG_WERROR])
AX_CHECK_LINK_FLAG([-Wl,-dead_strip_dylibs], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip_dylibs"], [], [$LDFLAG_WERROR])
AX_CHECK_LINK_FLAG([-Wl,-bind_at_load], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"], [], [$LDFLAG_WERROR])
AX_CHECK_LINK_FLAG([-Wl,-fixup_chains], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-fixup_chains"], [], [$LDFLAG_WERROR])
fi
@ -1970,6 +1969,17 @@ case ${OS} in
;;
esac
dnl An old hack similar to a98356fee to remove hard-coded
dnl bind_at_load flag from libtool
case $host in
*darwin*)
AC_MSG_RESULT([Removing -Wl,bind_at_load from libtool.])
sed < libtool > libtool-2 '/bind_at_load/d'
mv libtool-2 libtool
chmod 755 libtool
;;
esac
echo
echo "Options used to compile and link:"
echo " external signer = $use_external_signer"

8
contrib/devtools/test-security-check.py
View file

@ -129,11 +129,11 @@ class TestSecurityChecks(unittest.TestCase):
(1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']),
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed PIE CONTROL_FLOW'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
(1, executable+': failed PIE'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
(0, ''))
else:
# arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
@ -143,7 +143,7 @@ class TestSecurityChecks(unittest.TestCase):
(1, executable+': failed NOUNDEFS Canary'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
(1, executable+': failed NOUNDEFS'))
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']),
self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
(0, ''))