summaryrefslogtreecommitdiffstats
path: root/security/nss/coreconf
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/coreconf')
-rw-r--r--security/nss/coreconf/Darwin.mk3
-rw-r--r--security/nss/coreconf/Linux.mk25
-rw-r--r--security/nss/coreconf/arch.mk23
-rw-r--r--security/nss/coreconf/check_cc_clang.py7
-rw-r--r--security/nss/coreconf/config.gypi288
-rw-r--r--security/nss/coreconf/coreconf.dep1
-rw-r--r--security/nss/coreconf/detect_host_arch.py2
-rw-r--r--security/nss/coreconf/fuzz.sh41
-rw-r--r--security/nss/coreconf/nspr.sh65
-rw-r--r--security/nss/coreconf/precommit.clang-format.sh63
-rw-r--r--security/nss/coreconf/sanitizers.mk35
-rw-r--r--security/nss/coreconf/sanitizers.py15
-rw-r--r--security/nss/coreconf/sanitizers.sh78
-rw-r--r--security/nss/coreconf/werror.py4
14 files changed, 433 insertions, 217 deletions
diff --git a/security/nss/coreconf/Darwin.mk b/security/nss/coreconf/Darwin.mk
index 210784767..0569e1819 100644
--- a/security/nss/coreconf/Darwin.mk
+++ b/security/nss/coreconf/Darwin.mk
@@ -145,6 +145,3 @@ ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR))
NSS_USE_SYSTEM_SQLITE = 1
endif
endif
-
-include $(CORE_DEPTH)/coreconf/sanitizers.mk
-DARWIN_SDK_SHLIBFLAGS += $(SANITIZER_LDFLAGS)
diff --git a/security/nss/coreconf/Linux.mk b/security/nss/coreconf/Linux.mk
index 438dab48a..bb9db413b 100644
--- a/security/nss/coreconf/Linux.mk
+++ b/security/nss/coreconf/Linux.mk
@@ -106,16 +106,6 @@ ifneq ($(OS_TARGET),Android)
LIBC_TAG = _glibc
endif
-ifeq ($(OS_RELEASE),2.0)
- OS_REL_CFLAGS += -DLINUX2_0
- MKSHLIB = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
- ifdef MAPFILE
- MKSHLIB += -Wl,--version-script,$(MAPFILE)
- endif
- PROCESS_MAP_FILE = grep -v ';-' $< | \
- sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
-endif
-
ifdef BUILD_OPT
ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
OPTIMIZER = -Os
@@ -139,15 +129,16 @@ ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread
endif
-OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
+OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR
+ifeq ($(KERNEL),Linux)
+ OS_CFLAGS += -DLINUX -Dlinux
+endif
OS_LIBS = $(OS_PTHREAD) -ldl -lc
ifdef USE_PTHREADS
DEFINES += -D_REENTRANT
endif
-ARCH = linux
-
DSO_CFLAGS = -fPIC
DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
@@ -156,10 +147,8 @@ DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
# Also, -z defs conflicts with Address Sanitizer, which emits relocations
# against the libsanitizer runtime built into the main executable.
ZDEFS_FLAG = -Wl,-z,defs
-ifneq ($(USE_ASAN),1)
DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
-endif
-LDFLAGS += $(ARCHFLAG)
+LDFLAGS += $(ARCHFLAG) -z noexecstack
# On Maemo, we need to use the -rpath-link flag for even the standard system
# library directories.
@@ -167,7 +156,6 @@ ifdef _SBOX_DIR
LDFLAGS += -Wl,-rpath-link,/usr/lib:/lib
endif
-# INCLUDES += -I/usr/include -Y/usr/include/linux
G++INCLUDES = -I/usr/include/g++
#
@@ -202,7 +190,6 @@ RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib'
endif
endif
-OS_REL_CFLAGS += -DLINUX2_1
MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
ifdef MAPFILE
@@ -220,5 +207,3 @@ OS_CFLAGS += --coverage
LDFLAGS += --coverage
DSO_LDOPTS += --coverage
endif
-
-include $(CORE_DEPTH)/coreconf/sanitizers.mk
diff --git a/security/nss/coreconf/arch.mk b/security/nss/coreconf/arch.mk
index 06c276f80..79e56d510 100644
--- a/security/nss/coreconf/arch.mk
+++ b/security/nss/coreconf/arch.mk
@@ -12,7 +12,7 @@
# OS_TARGET User defined, or set to OS_ARCH
# CPU_ARCH (from unmame -m or -p, ONLY on WINNT)
# OS_CONFIG OS_TARGET + OS_RELEASE
-# OBJDIR_TAG (uses ASAN_TAG, GCOV_TAG, 64BIT_TAG)
+# OBJDIR_TAG (uses GCOV_TAG, 64BIT_TAG)
# OBJDIR_NAME
#######################################################################
@@ -115,6 +115,20 @@ ifeq ($(OS_ARCH),Linux)
ifneq ($(words $(OS_RELEASE)),1)
OS_RELEASE := $(word 1,$(OS_RELEASE)).$(word 2,$(OS_RELEASE))
endif
+ KERNEL = Linux
+endif
+
+# Since all uses of OS_ARCH that follow affect only userland, we can
+# merge other Glibc systems with Linux here.
+ifeq ($(OS_ARCH),GNU)
+ OS_ARCH = Linux
+ OS_RELEASE = 2.6
+ KERNEL = GNU
+endif
+ifeq ($(OS_ARCH),GNU_kFreeBSD)
+ OS_ARCH = Linux
+ OS_RELEASE = 2.6
+ KERNEL = FreeBSD
endif
#
@@ -254,11 +268,6 @@ OS_CONFIG = $(OS_TARGET)$(OS_RELEASE)
# to distinguish between debug and release builds.
#
-ifeq ($(USE_ASAN), 1)
- ASAN_TAG = _ASAN
-else
- ASAN_TAG =
-endif
ifeq ($(USE_GCOV), 1)
GCOV_TAG = _GCOV
else
@@ -269,7 +278,7 @@ ifeq ($(USE_64), 1)
else
64BIT_TAG =
endif
-OBJDIR_TAG_BASE=$(ASAN_TAG)$(GCOV_TAG)$(64BIT_TAG)
+OBJDIR_TAG_BASE=$(GCOV_TAG)$(64BIT_TAG)
ifdef BUILD_OPT
OBJDIR_TAG = $(OBJDIR_TAG_BASE)_OPT
diff --git a/security/nss/coreconf/check_cc_clang.py b/security/nss/coreconf/check_cc_clang.py
index 145ec0a72..4b9541195 100644
--- a/security/nss/coreconf/check_cc_clang.py
+++ b/security/nss/coreconf/check_cc_clang.py
@@ -6,15 +6,16 @@ import sys
def main():
if sys.platform == 'win32':
- print 0
+ print(0)
else:
cc = os.environ.get('CC', 'cc')
try:
- cc_is_clang = 'clang' in subprocess.check_output([cc, '--version'])
+ cc_is_clang = 'clang' in subprocess.check_output(
+ [cc, '--version'], universal_newlines=True)
except OSError:
# We probably just don't have CC/cc.
cc_is_clang = False
- print int(cc_is_clang)
+ print(int(cc_is_clang))
if __name__ == '__main__':
main()
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index fe9b55329..9ea528ae4 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -24,39 +24,44 @@
# building on.
'target_arch%': '<(host_arch)',
}],
+ ['OS=="linux"', {
+ # FIPS-140 LOWHASH
+ 'freebl_name': 'freeblpriv3',
+ }, {
+ 'freebl_name': 'freebl3',
+ }],
+ ['OS=="mac"', {
+ 'use_system_sqlite%': 1,
+ },{
+ 'use_system_sqlite%': 0,
+ }],
+ ['OS=="mac" or OS=="win"', {
+ 'cc_use_gnu_ld%': 0,
+ }, {
+ 'cc_use_gnu_ld%': 1,
+ }],
['OS=="win"', {
'use_system_zlib%': 0,
- 'nspr_libs%': ['nspr4.lib', 'plc4.lib', 'plds4.lib'],
+ 'nspr_libs%': ['libnspr4.lib', 'libplc4.lib', 'libplds4.lib'],
'zlib_libs%': [],
#TODO
'moz_debug_flags%': '',
'dll_prefix': '',
'dll_suffix': 'dll',
}, {
- 'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'],
'use_system_zlib%': 1,
- }],
- ['OS=="linux" or OS=="android"', {
- 'zlib_libs%': ['-lz'],
- 'moz_debug_flags%': '-gdwarf-2',
- 'optimize_flags%': '-O2',
- 'dll_prefix': 'lib',
- 'dll_suffix': 'so',
- }],
- ['OS=="linux"', {
- 'freebl_name': 'freeblpriv3',
- }, {
- 'freebl_name': 'freebl3',
- }],
- ['OS=="mac"', {
+ 'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'],
'zlib_libs%': ['-lz'],
- 'use_system_sqlite%': 1,
- 'moz_debug_flags%': '-gdwarf-2 -gfull',
- 'optimize_flags%': '-O2',
'dll_prefix': 'lib',
- 'dll_suffix': 'dylib',
- }, {
- 'use_system_sqlite%': 0,
+ 'conditions': [
+ ['OS=="mac"', {
+ 'moz_debug_flags%': '-gdwarf-2 -gfull',
+ 'dll_suffix': 'dylib',
+ }, {
+ 'moz_debug_flags%': '-gdwarf-2',
+ 'dll_suffix': 'so',
+ }],
+ ],
}],
['"<(GENERATOR)"=="ninja"', {
'cc_is_clang%': '<!(<(python) <(DEPTH)/coreconf/check_cc_clang.py)',
@@ -81,6 +86,7 @@
'dll_suffix': '<(dll_suffix)',
'freebl_name': '<(freebl_name)',
'cc_is_clang%': '<(cc_is_clang)',
+ 'cc_use_gnu_ld%': '<(cc_use_gnu_ld)',
# Some defaults
'disable_tests%': 0,
'disable_chachapoly%': 0,
@@ -91,16 +97,18 @@
'moz_fold_libs%': 0,
'moz_folded_library_name%': '',
'ssl_enable_zlib%': 1,
- 'use_asan%': 0,
- 'use_ubsan%': 0,
- 'use_msan%': 0,
- 'use_sancov%': 0,
+ 'sanitizer_flags%': 0,
'test_build%': 0,
+ 'no_zdefs%': 0,
'fuzz%': 0,
+ 'fuzz_tls%': 0,
+ 'fuzz_oss%': 0,
'sign_libs%': 1,
'use_pprof%': 0,
+ 'ct_verif%': 0,
'nss_public_dist_dir%': '<(nss_dist_dir)/public',
'nss_private_dist_dir%': '<(nss_dist_dir)/private',
+ 'only_dev_random%': 1,
},
'target_defaults': {
# Settings specific to targets should go here.
@@ -108,6 +116,8 @@
'variables': {
'mapfile%': '',
'test_build%': 0,
+ 'debug_optimization_level%': '0',
+ 'release_optimization_level%': '2',
},
'standalone_static_library': 0,
'include_dirs': [
@@ -115,13 +125,68 @@
'<(nss_dist_dir)/private/<(module)',
],
'conditions': [
- [ 'OS=="linux"', {
+ [ 'OS!="android" and OS!="mac" and OS!="win"', {
'libraries': [
'-lpthread',
+ ],
+ }],
+ [ 'OS=="linux"', {
+ 'libraries': [
'-ldl',
'-lc',
],
}],
+ [ 'fuzz==1', {
+ 'variables': {
+ 'debug_optimization_level%': '1',
+ },
+ }],
+ [ 'target_arch=="ia32" or target_arch=="x64"', {
+ 'defines': [
+ 'NSS_X86_OR_X64',
+ ],
+ # For Windows.
+ 'msvs_settings': {
+ 'VCCLCompilerTool': {
+ 'PreprocessorDefinitions': [
+ 'NSS_X86_OR_X64',
+ ],
+ },
+ },
+ }],
+ [ 'target_arch=="ia32"', {
+ 'defines': [
+ 'NSS_X86',
+ ],
+ # For Windows.
+ 'msvs_settings': {
+ 'VCCLCompilerTool': {
+ 'PreprocessorDefinitions': [
+ 'NSS_X86',
+ ],
+ },
+ },
+ }],
+ [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+ 'defines': [
+ 'NSS_USE_64',
+ ],
+ }],
+ [ 'target_arch=="x64"', {
+ 'defines': [
+ 'NSS_X64',
+ 'NSS_USE_64',
+ ],
+ # For Windows.
+ 'msvs_settings': {
+ 'VCCLCompilerTool': {
+ 'PreprocessorDefinitions': [
+ 'NSS_X64',
+ 'NSS_USE_64',
+ ],
+ },
+ },
+ }],
],
'target_conditions': [
# If we want to properly export a static library, and copy it to lib,
@@ -135,7 +200,7 @@
'product_dir': '<(nss_dist_obj_dir)/lib'
}],
# mapfile handling
- [ 'test_build==0 and mapfile!=""', {
+ [ 'mapfile!=""', {
# Work around a gyp bug. Fixed upstream but not in Ubuntu packages:
# https://chromium.googlesource.com/external/gyp/+/b85ad3e578da830377dbc1843aa4fbc5af17a192%5E%21/
'sources': [
@@ -148,12 +213,12 @@
],
},
'conditions': [
- [ 'OS=="linux" or OS=="android"', {
+ [ 'cc_use_gnu_ld==1', {
'ldflags': [
'-Wl,--version-script,<(INTERMEDIATE_DIR)/out.>(mapfile)',
],
}],
- [ 'OS=="win"', {
+ [ 'cc_use_gnu_ld!=1 and OS=="win"', {
# On Windows, .def files are used directly as sources.
'sources': [
'>(mapfile)',
@@ -195,10 +260,16 @@
# Shared library specific settings.
[ '_type=="shared_library"', {
'conditions': [
- [ 'OS=="linux" or OS=="android"', {
+ [ 'cc_use_gnu_ld==1', {
'ldflags': [
'-Wl,--gc-sections',
- '-Wl,-z,defs',
+ ],
+ 'conditions': [
+ ['no_zdefs==0', {
+ 'ldflags': [
+ '-Wl,-z,defs',
+ ],
+ }],
],
}],
],
@@ -251,10 +322,36 @@
'LINUX2_1',
'LINUX',
'linux',
+ ],
+ }],
+ [ 'OS=="dragonfly" or OS=="freebsd"', {
+ 'defines': [
+ 'FREEBSD',
+ ],
+ }],
+ [ 'OS=="netbsd"', {
+ 'defines': [
+ 'NETBSD',
+ ],
+ }],
+ [ 'OS=="openbsd"', {
+ 'defines': [
+ 'OPENBSD',
+ ],
+ }],
+ ['OS=="mac" or OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
+ 'defines': [
+ 'HAVE_BSD_FLOCK',
+ ],
+ }],
+ [ 'OS!="win"', {
+ 'defines': [
'HAVE_STRERROR',
'XP_UNIX',
'_REENTRANT',
],
+ }],
+ [ 'OS!="mac" and OS!="win"', {
'cflags': [
'-fPIC',
'-pipe',
@@ -264,6 +361,9 @@
'cflags_cc': [
'-std=c++0x',
],
+ 'ldflags': [
+ '-z', 'noexecstack',
+ ],
'conditions': [
[ 'target_arch=="ia32"', {
'cflags': ['-m32'],
@@ -273,89 +373,57 @@
'cflags': ['-m64'],
'ldflags': ['-m64'],
}],
- [ 'use_pprof==1' , {
+ ],
+ }],
+ [ 'use_pprof==1 and OS!="android" and OS!="win"', {
+ 'conditions': [
+ [ 'OS=="mac"', {
+ 'xcode_settings': {
+ 'OTHER_LDFLAGS': [ '-lprofiler' ],
+ },
+ }, {
'ldflags': [ '-lprofiler' ],
}],
+ [ 'OS!="linux"', {
+ 'library_dirs': [
+ '/usr/local/lib/',
+ ],
+ }],
],
}],
- [ 'disable_werror==0 and (OS=="linux" or OS=="mac")', {
+ [ 'disable_werror==0 and OS!="android" and OS!="win"', {
'cflags': [
'<!@(<(python) <(DEPTH)/coreconf/werror.py)',
],
+ 'xcode_settings': {
+ 'OTHER_CFLAGS': [
+ '<!@(<(python) <(DEPTH)/coreconf/werror.py)',
+ ],
+ },
}],
- [ 'fuzz==1', {
+ [ 'fuzz_tls==1', {
'cflags': [
'-Wno-unused-function',
- ]
- }],
- [ 'use_asan==1 or use_ubsan==1', {
- 'cflags': ['-O1'],
+ '-Wno-unused-variable',
+ ],
'xcode_settings': {
- 'GCC_OPTIMIZATION_LEVEL': '1', # -O1
- }
- }],
- [ 'use_asan==1', {
- 'variables': {
- 'asan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py asan)',
- 'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
+ 'OTHER_CFLAGS': [
+ '-Wno-unused-function',
+ '-Wno-unused-variable',
+ ],
},
- 'cflags': ['<@(asan_flags)'],
- 'ldflags': ['<@(asan_flags)'],
- 'ldflags!': ['<@(no_ldflags)'],
+ }],
+ [ 'sanitizer_flags!=0', {
+ 'cflags': ['<@(sanitizer_flags)'],
+ 'ldflags': ['<@(sanitizer_flags)'],
'xcode_settings': {
- 'OTHER_CFLAGS': ['<@(asan_flags)'],
- 'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
+ 'OTHER_CFLAGS': ['<@(sanitizer_flags)'],
# We want to pass -fsanitize=... to our final link call,
# but not to libtool. OTHER_LDFLAGS is passed to both.
# To trick GYP into doing what we want, we'll piggyback on
# LIBRARY_SEARCH_PATHS, producing "-L/usr/lib -fsanitize=...".
# The -L/usr/lib is redundant but innocuous: it's a default path.
- 'LIBRARY_SEARCH_PATHS': ['/usr/lib <(asan_flags)'],
- },
- }],
- [ 'use_ubsan==1', {
- 'variables': {
- 'ubsan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ubsan)',
- 'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
- },
- 'cflags': ['<@(ubsan_flags)'],
- 'ldflags': ['<@(ubsan_flags)'],
- 'ldflags!': ['<@(no_ldflags)'],
- 'xcode_settings': {
- 'OTHER_CFLAGS': ['<@(ubsan_flags)'],
- 'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
- # See comment above.
- 'LIBRARY_SEARCH_PATHS': ['/usr/lib <(ubsan_flags)'],
- },
- }],
- [ 'use_msan==1', {
- 'variables': {
- 'msan_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py msan)',
- 'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
- },
- 'cflags': ['<@(msan_flags)'],
- 'ldflags': ['<@(msan_flags)'],
- 'ldflags!': ['<@(no_ldflags)'],
- 'xcode_settings': {
- 'OTHER_CFLAGS': ['<@(msan_flags)'],
- 'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
- # See comment above.
- 'LIBRARY_SEARCH_PATHS': ['/usr/lib <(msan_flags)'],
- },
- }],
- [ 'use_sancov!=0', {
- 'variables': {
- 'sancov_flags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py sancov <(use_sancov))',
- 'no_ldflags': '<!(<(python) <(DEPTH)/coreconf/sanitizers.py ld)',
- },
- 'cflags': ['<@(sancov_flags)'],
- 'ldflags': ['<@(sancov_flags)'],
- 'ldflags!': ['<@(no_ldflags)'],
- 'xcode_settings': {
- 'OTHER_CFLAGS': ['<@(sancov_flags)'],
- 'OTHER_LDFLAGS!': ['<@(no_ldflags)'],
- # See comment above.
- 'LIBRARY_SEARCH_PATHS': ['/usr/lib <(sancov_flags)'],
+ 'LIBRARY_SEARCH_PATHS': ['/usr/lib <(sanitizer_flags)'],
},
}],
[ 'OS=="android" and mozilla_client==0', {
@@ -368,9 +436,6 @@
[ 'OS=="mac"', {
'defines': [
'DARWIN',
- 'HAVE_STRERROR',
- 'HAVE_BSD_FLOCK',
- 'XP_UNIX',
],
'conditions': [
[ 'target_arch=="ia32"', {
@@ -415,9 +480,9 @@
'PreprocessorDefinitions': [
'WIN32',
],
+ 'AdditionalOptions': [ '/EHsc' ],
},
},
-
}],
[ 'target_arch=="x64"', {
'msvs_configuration_platform': 'x64',
@@ -430,6 +495,7 @@
'WIN64',
'_AMD64_',
],
+ 'AdditionalOptions': [ '/EHsc' ],
},
},
}],
@@ -451,7 +517,7 @@
'Debug': {
'inherit_from': ['Common'],
'conditions': [
- [ 'OS=="linux" or OS=="android"', {
+ [ 'OS!="mac" and OS!="win"', {
'cflags': [
'-g',
'<(moz_debug_flags)',
@@ -460,14 +526,15 @@
],
#TODO: DEBUG_$USER
'defines': ['DEBUG'],
+ 'cflags': [ '-O<(debug_optimization_level)' ],
'xcode_settings': {
'COPY_PHASE_STRIP': 'NO',
- 'GCC_OPTIMIZATION_LEVEL': '0',
+ 'GCC_OPTIMIZATION_LEVEL': '<(debug_optimization_level)',
'GCC_GENERATE_DEBUGGING_SYMBOLS': 'YES',
},
'msvs_settings': {
'VCCLCompilerTool': {
- 'Optimization': '0',
+ 'Optimization': '<(debug_optimization_level)',
'BasicRuntimeChecks': '3',
'RuntimeLibrary': '2', # /MD
},
@@ -482,16 +549,15 @@
# Common settings for release should go here.
'Release': {
'inherit_from': ['Common'],
- 'defines': [
- 'NDEBUG',
- ],
+ 'defines': ['NDEBUG'],
+ 'cflags': [ '-O<(release_optimization_level)' ],
'xcode_settings': {
'DEAD_CODE_STRIPPING': 'YES', # -Wl,-dead_strip
- 'GCC_OPTIMIZATION_LEVEL': '2', # -O2
+ 'GCC_OPTIMIZATION_LEVEL': '<(release_optimization_level)',
},
'msvs_settings': {
'VCCLCompilerTool': {
- 'Optimization': '2', # /Os
+ 'Optimization': '<(release_optimization_level)',
'RuntimeLibrary': '2', # /MD
},
'VCLinkerTool': {
@@ -516,9 +582,9 @@
},
},
'conditions': [
- [ 'OS=="linux" or OS=="android"', {
+ [ 'cc_use_gnu_ld==1', {
'variables': {
- 'process_map_file': ['/bin/sh', '-c', '/bin/grep -v ";-" >(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'],
+ 'process_map_file': ['/bin/sh', '-c', '/usr/bin/env grep -v ";-" >(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'],
},
}],
[ 'OS=="mac"', {
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 5182f7555..590d1bfae 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,3 +10,4 @@
*/
#error "Do not include this header file."
+
diff --git a/security/nss/coreconf/detect_host_arch.py b/security/nss/coreconf/detect_host_arch.py
index f161d3c89..8b505a6b5 100644
--- a/security/nss/coreconf/detect_host_arch.py
+++ b/security/nss/coreconf/detect_host_arch.py
@@ -14,7 +14,7 @@ def main():
if host_arch in ('amd64', 'x86_64'):
host_arch = 'x64'
elif fnmatch.fnmatch(host_arch, 'i?86') or host_arch == 'i86pc':
- host_arch = 'x64'
+ host_arch = 'ia32'
elif host_arch.startswith('arm'):
host_arch = 'arm'
elif host_arch.startswith('mips'):
diff --git a/security/nss/coreconf/fuzz.sh b/security/nss/coreconf/fuzz.sh
new file mode 100644
index 000000000..67cb7f594
--- /dev/null
+++ b/security/nss/coreconf/fuzz.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# This file is used by build.sh to setup fuzzing.
+
+set +e
+
+# Default to clang if CC is not set.
+if [ -z "$CC" ]; then
+ command -v clang &> /dev/null 2>&1
+ if [ $? != 0 ]; then
+ echo "Fuzzing requires clang!"
+ exit 1
+ fi
+ export CC=clang
+ export CCC=clang++
+ export CXX=clang++
+fi
+
+gyp_params+=(-Dtest_build=1 -Dfuzz=1 -Dsign_libs=0)
+
+# Add debug symbols even for opt builds.
+nspr_params+=(--enable-debug-symbols)
+
+if [ "$fuzz_oss" = 1 ]; then
+ gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
+else
+ enable_sanitizer asan
+ # Ubsan doesn't build on 32-bit at the moment. Disable it.
+ if [ "$build_64" = 1 ]; then
+ enable_ubsan
+ fi
+ enable_sancov
+fi
+
+if [ "$fuzz_tls" = 1 ]; then
+ gyp_params+=(-Dfuzz_tls=1)
+fi
+
+if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
+ echo "Cloning libFuzzer files ..."
+ run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh
+fi
diff --git a/security/nss/coreconf/nspr.sh b/security/nss/coreconf/nspr.sh
index ff5e38363..d11cd48ed 100644
--- a/security/nss/coreconf/nspr.sh
+++ b/security/nss/coreconf/nspr.sh
@@ -1,48 +1,59 @@
-#!/bin/bash
+#!/usr/bin/env bash
# This script builds NSPR for NSS.
#
# This build system is still under development. It does not yet support all
# the features or platforms that the regular NSPR build supports.
# variables
-nspr_opt=()
nspr_cflags=
nspr_cxxflags=
nspr_ldflags=
-nspr_sanitizer()
+# Try to avoid bmake on OS X and BSD systems
+if hash gmake 2>/dev/null; then
+ make() { command gmake "$@"; }
+fi
+
+nspr_set_flags()
{
- nspr_cflags="$nspr_cflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
- nspr_cxxflags="$nspr_cxxflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
- nspr_ldflags="$nspr_ldflags $(python $cwd/coreconf/sanitizers.py $1 $2)"
+ nspr_cflags="$CFLAGS $@"
+ nspr_cxxflags="$CXXFLAGS $@"
+ nspr_ldflags="$LDFLAGS $@"
}
-verbose()
+nspr_build()
{
- CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \
- CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir"
- make -C "$cwd/../nspr/$target"
- make -C "$cwd/../nspr/$target" install
+ local nspr_dir="$cwd"/../nspr/$target
+ mkdir -p "$nspr_dir"
+
+ # These NSPR options are directory-specific, so they don't need to be
+ # included in nspr_opt and changing them doesn't force a rebuild of NSPR.
+ extra_params=(--prefix="$dist_dir"/$target)
+ if [ "$opt_build" = 1 ]; then
+ extra_params+=(--disable-debug --enable-optimize)
+ fi
+
+ echo "NSPR [1/3] configure ..."
+ pushd "$nspr_dir" >/dev/null
+ CFLAGS="$nspr_cflags" CXXFLAGS="$nspr_cxxflags" \
+ LDFLAGS="$nspr_ldflags" CC="$CC" CXX="$CCC" \
+ run_verbose ../configure "${extra_params[@]}" "$@"
+ popd >/dev/null
+ echo "NSPR [2/3] make ..."
+ run_verbose make -C "$nspr_dir"
+ echo "NSPR [3/3] install ..."
+ run_verbose make -C "$nspr_dir" install
}
-silent()
+nspr_clean()
{
- echo "[1/3] configure NSPR ..."
- CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \
- CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir" 1> /dev/null
- echo "[2/3] make NSPR ..."
- make -C "$cwd/../nspr/$target" 1> /dev/null
- echo "[3/3] install NSPR ..."
- make -C "$cwd/../nspr/$target" install 1> /dev/null
+ rm -rf "$cwd"/../nspr/$target
}
-build_nspr()
+set_nspr_path()
{
- mkdir -p "$cwd/../nspr/$target"
- cd "$cwd/../nspr/$target"
- if [ "$1" == 1 ]; then
- verbose
- else
- silent
- fi
+ local include=$(echo "$1" | cut -d: -f1)
+ local lib=$(echo "$1" | cut -d: -f2)
+ gyp_params+=(-Dnspr_include_dir="$include")
+ gyp_params+=(-Dnspr_lib_dir="$lib")
}
diff --git a/security/nss/coreconf/precommit.clang-format.sh b/security/nss/coreconf/precommit.clang-format.sh
new file mode 100644
index 000000000..b638b298e
--- /dev/null
+++ b/security/nss/coreconf/precommit.clang-format.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# This is a pre-commit hook for use with either mercurial or git.
+#
+# Install this by running the script with an argument of "install".
+#
+# All that does is add the following lines to .hg/hgrc:
+#
+# [hook]
+# pretxncommit.clang-format = [ ! -x ./coreconf/precommit.clang-format.sh ] || ./coreconf/precommit.clang-format.sh
+#
+# Or installs a symlink to .git/hooks/precommit:
+# $ ln -s ../../coreconf/precommit.clang-format.sh .git/hooks/pre-commit
+
+hash clang-format || exit 1
+[ "$(hg root 2>/dev/null)" = "$PWD" ] && hg=1 || hg=0
+[ "$(git rev-parse --show-toplevel 2>/dev/null)" = "$PWD" ] && git=1 || git=0
+
+if [ "$1" = "install" ]; then
+ if [ "$hg" -eq 1 ]; then
+ hgrc="$(hg root)"/.hg/hgrc
+ if ! grep -q '^pretxncommit.clang-format' "$hgrc"; then
+ echo '[hooks]' >> "$hgrc"
+ echo 'pretxncommit.clang-format = [ ! -x ./coreconf/precommit.clang-format.sh ] || ./coreconf/precommit.clang-format.sh' >> "$hgrc"
+ echo "Installed mercurial pretxncommit hook"
+ exit
+ fi
+ fi
+ if [ "$git" -eq 1 ]; then
+ hook="$(git rev-parse --show-toplevel)"/.git/hooks/pre-commit
+ if [ ! -e "$hook" ]; then
+ ln -s ../../coreconf/precommit.clang-format.sh "$hook"
+ echo "Installed git pre-commit hook"
+ exit
+ fi
+ fi
+ echo "Hook already installed, or not in NSS repo"
+ exit 2
+fi
+
+err=0
+files=()
+if [ "$hg" -eq 1 ]; then
+ files=($(hg status -m -a --rev tip^:tip | cut -f 2 -d ' ' -))
+fi
+if [ "$git" -eq 1 ]; then
+ files=($(git status --porcelain | sed '/^[MACU]/{s/..//;p;};/^R/{s/^.* -> //;p;};d'))
+fi
+tmp=$(mktemp)
+trap 'rm -f "$tmp"' ERR EXIT
+for f in "${files[@]}"; do
+ ext="${f##*.}"
+ if [ "$ext" = "c" -o "$ext" = "h" -o "$ext" = "cc" ]; then
+ [ "$hg" -eq 1 ] && hg cat -r tip "$f" > "$tmp"
+ [ "$git" -eq 1 ] && git show :"$f" > "$tmp"
+ if ! cat "$tmp" | clang-format -assume-filename="$f" | \
+ diff -q "$tmp" - >/dev/null; then
+ [ "$err" -eq 0 ] && echo "Formatting errors found in:" 1>&2
+ echo " $f" 1>&2
+ err=1
+ fi
+ fi
+done
+exit "$err"
diff --git a/security/nss/coreconf/sanitizers.mk b/security/nss/coreconf/sanitizers.mk
deleted file mode 100644
index 6fd728cf5..000000000
--- a/security/nss/coreconf/sanitizers.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-# Address Sanitizer support; include this in OS-specific .mk files
-# *after* defining the variables that are appended to here.
-
-ifeq ($(USE_ASAN), 1)
-SANITIZER_FLAGS_COMMON = -fsanitize=address
-
-ifeq ($(USE_UBSAN), 1)
-SANITIZER_FLAGS_COMMON += -fsanitize=undefined -fno-sanitize-recover=undefined
-endif
-
-ifeq ($(FUZZ), 1)
-SANITIZER_FLAGS_COMMON += -fsanitize-coverage=edge
-endif
-
-SANITIZER_FLAGS_COMMON += $(EXTRA_SANITIZER_FLAGS)
-SANITIZER_CFLAGS = $(SANITIZER_FLAGS_COMMON)
-SANITIZER_LDFLAGS = $(SANITIZER_FLAGS_COMMON)
-OS_CFLAGS += $(SANITIZER_CFLAGS)
-LDFLAGS += $(SANITIZER_LDFLAGS)
-
-# ASan needs frame pointers to save stack traces for allocation/free sites.
-# (Warning: some platforms, like ARM Linux in Thumb mode, don't have useful
-# frame pointers even with this option.)
-SANITIZER_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
-
-ifdef BUILD_OPT
-# You probably want to be able to get debug info for failures, even with an
-# optimized build.
-OPTIMIZER += -g
-else
-# Try maintaining reasonable performance, ASan and UBSan slow things down.
-OPTIMIZER += -O1
-endif
-
-endif
diff --git a/security/nss/coreconf/sanitizers.py b/security/nss/coreconf/sanitizers.py
index 2f62d00bb..8735aad61 100644
--- a/security/nss/coreconf/sanitizers.py
+++ b/security/nss/coreconf/sanitizers.py
@@ -5,14 +5,16 @@ import sys
def main():
if len(sys.argv) < 2:
- raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.')
+ raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
sanitizer = sys.argv[1]
if sanitizer == "ubsan":
- print('-fsanitize=undefined -fno-sanitize-recover=undefined ', end='')
+ if len(sys.argv) < 3:
+ raise Exception('ubsan requires another argument.')
+ print('-fsanitize='+sys.argv[2]+' -fno-sanitize-recover=undefined ', end='')
return
if sanitizer == "asan":
- print('-fsanitize=address ', end='')
+ print('-fsanitize=address -fsanitize-address-use-after-scope ', end='')
print('-fno-omit-frame-pointer -fno-optimize-sibling-calls ', end='')
return
if sanitizer == "msan":
@@ -25,12 +27,7 @@ def main():
print('-fsanitize-coverage='+sys.argv[2]+' ', end='')
return
- # We have to remove this from the ld flags when building asan.
- if sanitizer == "ld":
- print('-Wl,-z,defs ', end='')
- return
-
- raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.')
+ raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
if __name__ == '__main__':
main()
diff --git a/security/nss/coreconf/sanitizers.sh b/security/nss/coreconf/sanitizers.sh
new file mode 100644
index 000000000..bd77571ed
--- /dev/null
+++ b/security/nss/coreconf/sanitizers.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# This file is used by build.sh to setup sanitizers.
+
+sanitizer_flags=""
+sanitizers=()
+
+# This tracks what sanitizers are enabled so they don't get enabled twice. This
+# means that doing things that enable the same sanitizer twice (such as enabling
+# both --asan and --fuzz) is order-dependent: only the first is used.
+enable_sanitizer()
+{
+ local san="$1"
+ for i in "${sanitizers[@]}"; do
+ [ "$san" = "$i" ] && return
+ done
+ sanitizers+=("$san")
+
+ if [ -z "$sanitizer_flags" ]; then
+ gyp_params+=(-Dno_zdefs=1)
+ fi
+
+ local cflags=$(python $cwd/coreconf/sanitizers.py "$@")
+ sanitizer_flags="$sanitizer_flags $cflags"
+}
+
+enable_sancov()
+{
+ local clang_version=$($CC --version | grep -oE '([0-9]{1,}\.)+[0-9]{1,}')
+ if [[ ${clang_version:0:1} -lt 4 && ${clang_version:0:1} -eq 3 && ${clang_version:2:1} -lt 9 ]]; then
+ echo "Need at least clang-3.9 (better 4.0) for sancov." 1>&2
+ exit 1
+ fi
+
+ local sancov
+ if [ -n "$1" ]; then
+ sancov="$1"
+ elif [ "${clang_version:0:3}" = "3.9" ]; then
+ sancov=edge,indirect-calls,8bit-counters
+ else
+ sancov=trace-pc-guard,trace-cmp
+ fi
+ enable_sanitizer sancov "$sancov"
+}
+
+enable_ubsan()
+{
+ local ubsan
+ if [ -n "$1" ]; then
+ ubsan="$1"
+ else
+ ubsan=bool,signed-integer-overflow,shift,vptr
+ fi
+ enable_sanitizer ubsan "$ubsan"
+}
+
+# Not strictly a sanitizer, but the pattern fits
+scanbuild=()
+enable_scanbuild()
+{
+ [ "${#scanbuild[@]}" -gt 0 ] && return
+
+ scanbuild=(scan-build)
+ if [ -n "$1" ]; then
+ scanbuild+=(-o "$1")
+ fi
+ # pass on CC and CCC to scanbuild
+ if [ -n "$CC" ]; then
+ scanbuild+=(--use-cc="$CC")
+ fi
+ if [ -n "$CCC" ]; then
+ scanbuild+=(--use-c++="$CCC")
+ fi
+}
+
+run_scanbuild()
+{
+ "${scanbuild[@]}" "$@"
+}
diff --git a/security/nss/coreconf/werror.py b/security/nss/coreconf/werror.py
index a37fad95f..0d3843f64 100644
--- a/security/nss/coreconf/werror.py
+++ b/security/nss/coreconf/werror.py
@@ -7,7 +7,8 @@ def main():
cc = os.environ.get('CC', 'cc')
sink = open(os.devnull, 'wb')
try:
- cc_is_clang = 'clang' in subprocess.check_output([cc, '--version'], stderr=sink)
+ cc_is_clang = 'clang' in subprocess.check_output(
+ [cc, '--version'], universal_newlines=True, stderr=sink)
except OSError:
# We probably just don't have CC/cc.
return
@@ -25,6 +26,7 @@ def main():
try:
v = subprocess.check_output([cc, '-dumpversion'], stderr=sink)
v = v.strip(' \r\n').split('.')
+ v = list(map(int, v))
if v[0] < 4 or (v[0] == 4 and v[1] < 8):
# gcc 4.8 minimum
return False