From f017b749ea9f1586d2308504553d40bf4cc5439d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 6 Feb 2018 11:46:26 +0100 Subject: Update NSS to 3.32.1-RTM --- security/nss/coreconf/Darwin.mk | 3 - security/nss/coreconf/Linux.mk | 25 +- security/nss/coreconf/arch.mk | 23 +- security/nss/coreconf/check_cc_clang.py | 7 +- security/nss/coreconf/config.gypi | 288 +++++++++++++++--------- security/nss/coreconf/coreconf.dep | 1 + security/nss/coreconf/detect_host_arch.py | 2 +- security/nss/coreconf/fuzz.sh | 41 ++++ security/nss/coreconf/nspr.sh | 65 +++--- security/nss/coreconf/precommit.clang-format.sh | 63 ++++++ security/nss/coreconf/sanitizers.mk | 35 --- security/nss/coreconf/sanitizers.py | 15 +- security/nss/coreconf/sanitizers.sh | 78 +++++++ security/nss/coreconf/werror.py | 4 +- 14 files changed, 433 insertions(+), 217 deletions(-) create mode 100644 security/nss/coreconf/fuzz.sh create mode 100644 security/nss/coreconf/precommit.clang-format.sh delete mode 100644 security/nss/coreconf/sanitizers.mk create mode 100644 security/nss/coreconf/sanitizers.sh (limited to 'security/nss/coreconf') diff --git a/security/nss/coreconf/Darwin.mk b/security/nss/coreconf/Darwin.mk index 210784767..0569e1819 100644 --- a/security/nss/coreconf/Darwin.mk +++ b/security/nss/coreconf/Darwin.mk @@ -145,6 +145,3 @@ ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR)) NSS_USE_SYSTEM_SQLITE = 1 endif endif - -include $(CORE_DEPTH)/coreconf/sanitizers.mk -DARWIN_SDK_SHLIBFLAGS += $(SANITIZER_LDFLAGS) diff --git a/security/nss/coreconf/Linux.mk b/security/nss/coreconf/Linux.mk index 438dab48a..bb9db413b 100644 --- a/security/nss/coreconf/Linux.mk +++ b/security/nss/coreconf/Linux.mk 
@@ -106,16 +106,6 @@ ifneq ($(OS_TARGET),Android) LIBC_TAG = _glibc endif -ifeq ($(OS_RELEASE),2.0) - OS_REL_CFLAGS += -DLINUX2_0 - MKSHLIB = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) - ifdef MAPFILE - MKSHLIB += -Wl,--version-script,$(MAPFILE) - endif - PROCESS_MAP_FILE = grep -v ';-' $< | \ - sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ -endif - ifdef BUILD_OPT ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) OPTIMIZER = -Os @@ -139,15 +129,16 @@ ifeq ($(USE_PTHREADS),1) OS_PTHREAD = -lpthread endif -OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR +ifeq ($(KERNEL),Linux) + OS_CFLAGS += -DLINUX -Dlinux +endif OS_LIBS = $(OS_PTHREAD) -ldl -lc ifdef USE_PTHREADS DEFINES += -D_REENTRANT endif -ARCH = linux - DSO_CFLAGS = -fPIC DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8) @@ -156,10 +147,8 @@ DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections # Also, -z defs conflicts with Address Sanitizer, which emits relocations # against the libsanitizer runtime built into the main executable. ZDEFS_FLAG = -Wl,-z,defs -ifneq ($(USE_ASAN),1) DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG)) -endif -LDFLAGS += $(ARCHFLAG) +LDFLAGS += $(ARCHFLAG) -z noexecstack # On Maemo, we need to use the -rpath-link flag for even the standard system # library directories. @@ -167,7 +156,6 @@ ifdef _SBOX_DIR LDFLAGS += -Wl,-rpath-link,/usr/lib:/lib endif -# INCLUDES += -I/usr/include -Y/usr/include/linux G++INCLUDES = -I/usr/include/g++ # @@ -202,7 +190,6 @@ RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib' endif endif -OS_REL_CFLAGS += -DLINUX2_1 MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE 
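Review bot: `-z noexecstack` is added only to `LDFLAGS`, in the Linux.mk hunk at `@@ -156,10 +147,8 @@`. Shared objects are linked through `MKSHLIB = $(CC) $(DSO_LDOPTS) ...`, visible as context in the `@@ -202,7 +190,6 @@` hunk, and that line does not reference `LDFLAGS`. If `MKSHLIB` does not pick up `LDFLAGS` somewhere outside these hunks, the `.so` files miss the non-executable-stack marking; `DSO_LDOPTS += -Wl,-z,noexecstack` would cover that link path too. The same hunk drops the `ifneq ($(USE_ASAN),1)` guard but keeps the comment that `-z defs` conflicts with Address Sanitizer, so the comment should be removed or reworded to say where sanitizer builds are handled now.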
@@ -220,5 +207,3 @@ OS_CFLAGS += --coverage LDFLAGS += --coverage DSO_LDOPTS += --coverage endif - -include $(CORE_DEPTH)/coreconf/sanitizers.mk diff --git a/security/nss/coreconf/arch.mk b/security/nss/coreconf/arch.mk index 06c276f80..79e56d510 100644 --- a/security/nss/coreconf/arch.mk +++ b/security/nss/coreconf/arch.mk @@ -12,7 +12,7 @@ # OS_TARGET User defined, or set to OS_ARCH # CPU_ARCH (from unmame -m or -p, ONLY on WINNT) # OS_CONFIG OS_TARGET + OS_RELEASE -# OBJDIR_TAG (uses ASAN_TAG, GCOV_TAG, 64BIT_TAG) +# OBJDIR_TAG (uses GCOV_TAG, 64BIT_TAG) # OBJDIR_NAME ####################################################################### @@ -115,6 +115,20 @@ ifeq ($(OS_ARCH),Linux) ifneq ($(words $(OS_RELEASE)),1) OS_RELEASE := $(word 1,$(OS_RELEASE)).$(word 2,$(OS_RELEASE)) endif + KERNEL = Linux +endif + +# Since all uses of OS_ARCH that follow affect only userland, we can +# merge other Glibc systems with Linux here. +ifeq ($(OS_ARCH),GNU) + OS_ARCH = Linux + OS_RELEASE = 2.6 + KERNEL = GNU +endif +ifeq ($(OS_ARCH),GNU_kFreeBSD) + OS_ARCH = Linux + OS_RELEASE = 2.6 + KERNEL = FreeBSD endif # @@ -254,11 +268,6 @@ OS_CONFIG = $(OS_TARGET)$(OS_RELEASE) # to distinguish between debug and release builds. # -ifeq ($(USE_ASAN), 1) - ASAN_TAG = _ASAN -else - ASAN_TAG = -endif ifeq ($(USE_GCOV), 1) GCOV_TAG = _GCOV else @@ -269,7 +278,7 @@ ifeq ($(USE_64), 1) else 64BIT_TAG = endif -OBJDIR_TAG_BASE=$(ASAN_TAG)$(GCOV_TAG)$(64BIT_TAG) +OBJDIR_TAG_BASE=$(GCOV_TAG)$(64BIT_TAG) ifdef BUILD_OPT OBJDIR_TAG = $(OBJDIR_TAG_BASE)_OPT diff --git a/security/nss/coreconf/check_cc_clang.py b/security/nss/coreconf/check_cc_clang.py index 145ec0a72..4b9541195 100644 --- a/security/nss/coreconf/check_cc_clang.py +++ b/security/nss/coreconf/check_cc_clang.py 
@@ -6,15 +6,16 @@ import sys def main(): if sys.platform == 'win32': - print 0 + print(0) else: cc = os.environ.get('CC', 'cc') try: - cc_is_clang = 'clang' in subprocess.check_output([cc, '--version']) + cc_is_clang = 'clang' in subprocess.check_output( + [cc, '--version'], universal_newlines=True) except OSError: # We probably just don't have CC/cc. cc_is_clang = False - print int(cc_is_clang) + print(int(cc_is_clang)) if __name__ == '__main__': main() diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi index fe9b55329..9ea528ae4 100644 --- a/security/nss/coreconf/config.gypi +++ b/security/nss/coreconf/config.gypi 
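Review bot: `CC` is passed to `check_output` as a single argv element (`[cc, '--version']`), so a value carrying a wrapper or flags, such as `ccache clang`, raises `OSError` and the script prints 0 as if the compiler were not clang. The `except OSError` branch treats that as "no compiler found", which hides the misdetection. Splitting the value first, `shlex.split(cc) + ['--version']`, would handle it, though this needs `import shlex` and the import block is outside the hunk. A non-zero exit from the compiler raises `CalledProcessError`, which is not caught on the lines shown. The first werror.py hunk in this diff uses the same call and has the same gap.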
@@ -24,39 +24,44 @@ # building on. 'target_arch%': '<(host_arch)', }], + ['OS=="linux"', { + # FIPS-140 LOWHASH + 'freebl_name': 'freeblpriv3', + }, { + 'freebl_name': 'freebl3', + }], + ['OS=="mac"', { + 'use_system_sqlite%': 1, + },{ + 'use_system_sqlite%': 0, + }], + ['OS=="mac" or OS=="win"', { + 'cc_use_gnu_ld%': 0, + }, { + 'cc_use_gnu_ld%': 1, + }], ['OS=="win"', { 'use_system_zlib%': 0, - 'nspr_libs%': ['nspr4.lib', 'plc4.lib', 'plds4.lib'], + 'nspr_libs%': ['libnspr4.lib', 'libplc4.lib', 'libplds4.lib'], 'zlib_libs%': [], #TODO 'moz_debug_flags%': '', 'dll_prefix': '', 'dll_suffix': 'dll', }, { - 'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'], 'use_system_zlib%': 1, - }], - ['OS=="linux" or OS=="android"', { - 'zlib_libs%': ['-lz'], - 'moz_debug_flags%': '-gdwarf-2', - 'optimize_flags%': '-O2', - 'dll_prefix': 'lib', - 'dll_suffix': 'so', - }], - ['OS=="linux"', { - 'freebl_name': 'freeblpriv3', - }, { - 'freebl_name': 'freebl3', - }], - ['OS=="mac"', { + 'nspr_libs%': ['-lplds4', '-lplc4', '-lnspr4'], 'zlib_libs%': ['-lz'], - 'use_system_sqlite%': 1, - 'moz_debug_flags%': '-gdwarf-2 -gfull', - 'optimize_flags%': '-O2', 'dll_prefix': 'lib', - 'dll_suffix': 'dylib', - }, { - 'use_system_sqlite%': 0, + 'conditions': [ + ['OS=="mac"', { + 'moz_debug_flags%': '-gdwarf-2 -gfull', + 'dll_suffix': 'dylib', + }, { + 'moz_debug_flags%': '-gdwarf-2', + 'dll_suffix': 'so', + }], + ], }], ['"<(GENERATOR)"=="ninja"', { 'cc_is_clang%': '(mapfile)', ], }], - [ 'OS=="win"', { + [ 'cc_use_gnu_ld!=1 and OS=="win"', { # On Windows, .def files are used directly as sources. 'sources': [ '>(mapfile)', @@ -195,10 +260,16 @@ # Shared library specific settings. [ '_type=="shared_library"', { 'conditions': [ - [ 'OS=="linux" or OS=="android"', { + [ 'cc_use_gnu_ld==1', { 'ldflags': [ '-Wl,--gc-sections', - '-Wl,-z,defs', + ], + 'conditions': [ + ['no_zdefs==0', { + 'ldflags': [ + '-Wl,-z,defs', + ], + }], ], }], ], 
@@ -251,10 +322,36 @@ 'LINUX2_1', 'LINUX', 'linux', + ], + }], + [ 'OS=="dragonfly" or OS=="freebsd"', { + 'defines': [ + 'FREEBSD', + ], + }], + [ 'OS=="netbsd"', { + 'defines': [ + 'NETBSD', + ], + }], + [ 'OS=="openbsd"', { + 'defines': [ + 'OPENBSD', + ], + }], + ['OS=="mac" or OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', { + 'defines': [ + 'HAVE_BSD_FLOCK', + ], + }], + [ 'OS!="win"', { + 'defines': [ 'HAVE_STRERROR', 'XP_UNIX', '_REENTRANT', ], + }], + [ 'OS!="mac" and OS!="win"', { 'cflags': [ '-fPIC', '-pipe', @@ -264,6 +361,9 @@ 'cflags_cc': [ '-std=c++0x', ], + 'ldflags': [ + '-z', 'noexecstack', + ], 'conditions': [ [ 'target_arch=="ia32"', { 'cflags': ['-m32'], @@ -273,89 +373,57 @@ 'cflags': ['-m64'], 'ldflags': ['-m64'], }], - [ 'use_pprof==1' , { + ], + }], + [ 'use_pprof==1 and OS!="android" and OS!="win"', { + 'conditions': [ + [ 'OS=="mac"', { + 'xcode_settings': { + 'OTHER_LDFLAGS': [ '-lprofiler' ], + }, + }, { 'ldflags': [ '-lprofiler' ], }], + [ 'OS!="linux"', { + 'library_dirs': [ + '/usr/local/lib/', + ], + }], ], }], - [ 'disable_werror==0 and (OS=="linux" or OS=="mac")', { + [ 'disable_werror==0 and OS!="android" and OS!="win"', { 'cflags': [ '(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'], + 'process_map_file': ['/bin/sh', '-c', '/usr/bin/env grep -v ";-" >(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'], }, }], [ 'OS=="mac"', { diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f7555..590d1bfae 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/coreconf/detect_host_arch.py b/security/nss/coreconf/detect_host_arch.py index f161d3c89..8b505a6b5 100644 --- a/security/nss/coreconf/detect_host_arch.py +++ b/security/nss/coreconf/detect_host_arch.py 
@@ -14,7 +14,7 @@ def main(): if host_arch in ('amd64', 'x86_64'): host_arch = 'x64' elif fnmatch.fnmatch(host_arch, 'i?86') or host_arch == 'i86pc': - host_arch = 'x64' + host_arch = 'ia32' elif host_arch.startswith('arm'): host_arch = 'arm' elif host_arch.startswith('mips'): diff --git a/security/nss/coreconf/fuzz.sh b/security/nss/coreconf/fuzz.sh new file mode 100644 index 000000000..67cb7f594 --- /dev/null +++ b/security/nss/coreconf/fuzz.sh @@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# This file is used by build.sh to setup fuzzing. + +set +e + +# Default to clang if CC is not set. +if [ -z "$CC" ]; then + command -v clang &> /dev/null 2>&1 + if [ $? != 0 ]; then + echo "Fuzzing requires clang!" + exit 1 + fi + export CC=clang + export CCC=clang++ + export CXX=clang++ +fi + +gyp_params+=(-Dtest_build=1 -Dfuzz=1 -Dsign_libs=0) + +# Add debug symbols even for opt builds. +nspr_params+=(--enable-debug-symbols) + +if [ "$fuzz_oss" = 1 ]; then + gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1) +else + enable_sanitizer asan + # Ubsan doesn't build on 32-bit at the moment. Disable it. + if [ "$build_64" = 1 ]; then + enable_ubsan + fi + enable_sancov +fi + +if [ "$fuzz_tls" = 1 ]; then + gyp_params+=(-Dfuzz_tls=1) +fi + +if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then + echo "Cloning libFuzzer files ..." + run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh +fi diff --git a/security/nss/coreconf/nspr.sh b/security/nss/coreconf/nspr.sh index ff5e38363..d11cd48ed 100644 --- a/security/nss/coreconf/nspr.sh +++ b/security/nss/coreconf/nspr.sh 
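Review bot: The last block of fuzz.sh runs `"$cwd"/fuzz/config/clone_libfuzzer.sh` whenever `/usr/lib/libFuzzingEngine.a` is absent, so third-party source is fetched into the tree at build time. That script is not part of this page, which is limited to `security/nss/coreconf`, so it cannot be checked here whether it pins a revision. It is worth confirming that it checks out a fixed commit rather than a moving branch, and saying so next to the call, e.g. `# clone_libfuzzer.sh fetches libFuzzer at a pinned revision; bump the pin deliberately`. Separately, `command -v clang &> /dev/null 2>&1` repeats the redirection; `command -v clang >/dev/null 2>&1` is enough.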
@@ -1,48 +1,59 @@ -#!/bin/bash +#!/usr/bin/env bash # This script builds NSPR for NSS. # # This build system is still under development. It does not yet support all # the features or platforms that the regular NSPR build supports. # variables -nspr_opt=() nspr_cflags= nspr_cxxflags= nspr_ldflags= -nspr_sanitizer() +# Try to avoid bmake on OS X and BSD systems +if hash gmake 2>/dev/null; then + make() { command gmake "$@"; } +fi + +nspr_set_flags() { - nspr_cflags="$nspr_cflags $(python $cwd/coreconf/sanitizers.py $1 $2)" - nspr_cxxflags="$nspr_cxxflags $(python $cwd/coreconf/sanitizers.py $1 $2)" - nspr_ldflags="$nspr_ldflags $(python $cwd/coreconf/sanitizers.py $1 $2)" + nspr_cflags="$CFLAGS $@" + nspr_cxxflags="$CXXFLAGS $@" + nspr_ldflags="$LDFLAGS $@" } -verbose() +nspr_build() { - CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \ - CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir" - make -C "$cwd/../nspr/$target" - make -C "$cwd/../nspr/$target" install + local nspr_dir="$cwd"/../nspr/$target + mkdir -p "$nspr_dir" + + # These NSPR options are directory-specific, so they don't need to be + # included in nspr_opt and changing them doesn't force a rebuild of NSPR. + extra_params=(--prefix="$dist_dir"/$target) + if [ "$opt_build" = 1 ]; then + extra_params+=(--disable-debug --enable-optimize) + fi + + echo "NSPR [1/3] configure ..." + pushd "$nspr_dir" >/dev/null + CFLAGS="$nspr_cflags" CXXFLAGS="$nspr_cxxflags" \ + LDFLAGS="$nspr_ldflags" CC="$CC" CXX="$CCC" \ + run_verbose ../configure "${extra_params[@]}" "$@" + popd >/dev/null + echo "NSPR [2/3] make ..." + run_verbose make -C "$nspr_dir" + echo "NSPR [3/3] install ..." + run_verbose make -C "$nspr_dir" install } -silent() +nspr_clean() { - echo "[1/3] configure NSPR ..." - CFLAGS=$nspr_cflags CXXFLAGS=$nspr_cxxflags LDFLAGS=$nspr_ldflags \ - CC=$CC CXX=$CCC ../configure "${nspr_opt[@]}" --prefix="$obj_dir" 1> /dev/null - echo "[2/3] make NSPR ..." 
- make -C "$cwd/../nspr/$target" 1> /dev/null - echo "[3/3] install NSPR ..." - make -C "$cwd/../nspr/$target" install 1> /dev/null + rm -rf "$cwd"/../nspr/$target } -build_nspr() +set_nspr_path() { - mkdir -p "$cwd/../nspr/$target" - cd "$cwd/../nspr/$target" - if [ "$1" == 1 ]; then - verbose - else - silent - fi + local include=$(echo "$1" | cut -d: -f1) + local lib=$(echo "$1" | cut -d: -f2) + gyp_params+=(-Dnspr_include_dir="$include") + gyp_params+=(-Dnspr_lib_dir="$lib") } diff --git a/security/nss/coreconf/precommit.clang-format.sh b/security/nss/coreconf/precommit.clang-format.sh new file mode 100644 index 000000000..b638b298e --- /dev/null +++ b/security/nss/coreconf/precommit.clang-format.sh 
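Review bot: `nspr_clean` runs `rm -rf "$cwd"/../nspr/$target` with `$target` unquoted and neither variable checked. An empty `$target` therefore removes the whole `nspr` directory, and an empty `$cwd` resolves the path from `/`. `rm -rf "${cwd:?}/../nspr/${target:?}"` aborts instead of deleting the wrong tree. `local nspr_dir="$cwd"/../nspr/$target` in `nspr_build` has the same unquoted `$target`. In `nspr_set_flags`, `"$CFLAGS $@"` inside an assignment joins the arguments as `$*` would, so writing `$*` states the intent.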
@@ -0,0 +1,63 @@ +#!/usr/bin/env bash +# This is a pre-commit hook for use with either mercurial or git. +# +# Install this by running the script with an argument of "install". +# +# All that does is add the following lines to .hg/hgrc: +# +# [hook] +# pretxncommit.clang-format = [ ! -x ./coreconf/precommit.clang-format.sh ] || ./coreconf/precommit.clang-format.sh +# +# Or installs a symlink to .git/hooks/precommit: +# $ ln -s ../../coreconf/precommit.clang-format.sh .git/hooks/pre-commit + +hash clang-format || exit 1 +[ "$(hg root 2>/dev/null)" = "$PWD" ] && hg=1 || hg=0 +[ "$(git rev-parse --show-toplevel 2>/dev/null)" = "$PWD" ] && git=1 || git=0 + +if [ "$1" = "install" ]; then + if [ "$hg" -eq 1 ]; then + hgrc="$(hg root)"/.hg/hgrc + if ! grep -q '^pretxncommit.clang-format' "$hgrc"; then + echo '[hooks]' >> "$hgrc" + echo 'pretxncommit.clang-format = [ ! -x ./coreconf/precommit.clang-format.sh ] || ./coreconf/precommit.clang-format.sh' >> "$hgrc" + echo "Installed mercurial pretxncommit hook" + exit + fi + fi + if [ "$git" -eq 1 ]; then + hook="$(git rev-parse --show-toplevel)"/.git/hooks/pre-commit + if [ ! -e "$hook" ]; then + ln -s ../../coreconf/precommit.clang-format.sh "$hook" + echo "Installed git pre-commit hook" + exit + fi + fi + echo "Hook already installed, or not in NSS repo" + exit 2 +fi + +err=0 +files=() +if [ "$hg" -eq 1 ]; then + files=($(hg status -m -a --rev tip^:tip | cut -f 2 -d ' ' -)) +fi +if [ "$git" -eq 1 ]; then + files=($(git status --porcelain | sed '/^[MACU]/{s/..//;p;};/^R/{s/^.* -> //;p;};d')) +fi +tmp=$(mktemp) +trap 'rm -f "$tmp"' ERR EXIT +for f in "${files[@]}"; do + ext="${f##*.}" + if [ "$ext" = "c" -o "$ext" = "h" -o "$ext" = "cc" ]; then + [ "$hg" -eq 1 ] && hg cat -r tip "$f" > "$tmp" + [ "$git" -eq 1 ] && git show :"$f" > "$tmp" + if ! 
cat "$tmp" | clang-format -assume-filename="$f" | \ + diff -q "$tmp" - >/dev/null; then + [ "$err" -eq 0 ] && echo "Formatting errors found in:" 1>&2 + echo " $f" 1>&2 + err=1 + fi + fi +done +exit "$err" diff --git a/security/nss/coreconf/sanitizers.mk b/security/nss/coreconf/sanitizers.mk deleted file mode 100644 index 6fd728cf5..000000000 --- a/security/nss/coreconf/sanitizers.mk +++ /dev/null @@ -1,35 +0,0 @@ -# Address Sanitizer support; include this in OS-specific .mk files -# *after* defining the variables that are appended to here. - -ifeq ($(USE_ASAN), 1) -SANITIZER_FLAGS_COMMON = -fsanitize=address - -ifeq ($(USE_UBSAN), 1) -SANITIZER_FLAGS_COMMON += -fsanitize=undefined -fno-sanitize-recover=undefined -endif - -ifeq ($(FUZZ), 1) -SANITIZER_FLAGS_COMMON += -fsanitize-coverage=edge -endif - -SANITIZER_FLAGS_COMMON += $(EXTRA_SANITIZER_FLAGS) -SANITIZER_CFLAGS = $(SANITIZER_FLAGS_COMMON) -SANITIZER_LDFLAGS = $(SANITIZER_FLAGS_COMMON) -OS_CFLAGS += $(SANITIZER_CFLAGS) -LDFLAGS += $(SANITIZER_LDFLAGS) - -# ASan needs frame pointers to save stack traces for allocation/free sites. -# (Warning: some platforms, like ARM Linux in Thumb mode, don't have useful -# frame pointers even with this option.) -SANITIZER_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls - -ifdef BUILD_OPT -# You probably want to be able to get debug info for failures, even with an -# optimized build. -OPTIMIZER += -g -else -# Try maintaining reasonable performance, ASan and UBSan slow things down. -OPTIMIZER += -O1 -endif - -endif diff --git a/security/nss/coreconf/sanitizers.py b/security/nss/coreconf/sanitizers.py index 2f62d00bb..8735aad61 100644 --- a/security/nss/coreconf/sanitizers.py +++ b/security/nss/coreconf/sanitizers.py 
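Review bot: The file lists are built with unquoted command substitution (`files=($(hg status ...))` and `files=($(git status --porcelain | sed ...))`), so a path containing whitespace or glob characters is split or expanded. The loop then checks names that do not match the committed files, and an unformatted file can pass the hook without an error. Reading the output line by line keeps each path intact: `while IFS= read -r f; do files+=("$f"); done < <(git status --porcelain | sed ...)`. The header comment also disagrees with the code: it says `[hook]` and `.git/hooks/precommit`, while the script writes `[hooks]` and links `.git/hooks/pre-commit`.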
@@ -5,14 +5,16 @@ import sys def main(): if len(sys.argv) < 2: - raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.') + raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.') sanitizer = sys.argv[1] if sanitizer == "ubsan": - print('-fsanitize=undefined -fno-sanitize-recover=undefined ', end='') + if len(sys.argv) < 3: + raise Exception('ubsan requires another argument.') + print('-fsanitize='+sys.argv[2]+' -fno-sanitize-recover=undefined ', end='') return if sanitizer == "asan": - print('-fsanitize=address ', end='') + print('-fsanitize=address -fsanitize-address-use-after-scope ', end='') print('-fno-omit-frame-pointer -fno-optimize-sibling-calls ', end='') return if sanitizer == "msan": @@ -25,12 +27,7 @@ def main(): print('-fsanitize-coverage='+sys.argv[2]+' ', end='') return - # We have to remove this from the ld flags when building asan. - if sanitizer == "ld": - print('-Wl,-z,defs ', end='') - return - - raise Exception('Specify either "ld", asan", "msan", "sancov" or "ubsan" as argument.') + raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.') if __name__ == '__main__': main() diff --git a/security/nss/coreconf/sanitizers.sh b/security/nss/coreconf/sanitizers.sh new file mode 100644 index 000000000..bd77571ed --- /dev/null +++ b/security/nss/coreconf/sanitizers.sh 
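Review bot: The `asan` branch now always emits `-fsanitize-address-use-after-scope`, with no check that the compiler accepts it. As far as I know the option needs clang 3.9 or GCC 7 and later, and an older compiler rejects the unknown flag. The only version gate visible in this diff is the clang check in `enable_sancov` in sanitizers.sh, which does not cover `enable_sanitizer asan`. Either gate the flag on the compiler version or record the minimum beside it, e.g. `# -fsanitize-address-use-after-scope needs clang >= 3.9`. In the `ubsan` branch a one-line comment saying that `sys.argv[2]` is a comma-separated list of checks would help callers, since the error text only says "requires another argument".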
@@ -0,0 +1,78 @@ +#!/usr/bin/env bash +# This file is used by build.sh to setup sanitizers. + +sanitizer_flags="" +sanitizers=() + +# This tracks what sanitizers are enabled so they don't get enabled twice. This +# means that doing things that enable the same sanitizer twice (such as enabling +# both --asan and --fuzz) is order-dependent: only the first is used. +enable_sanitizer() +{ + local san="$1" + for i in "${sanitizers[@]}"; do + [ "$san" = "$i" ] && return + done + sanitizers+=("$san") + + if [ -z "$sanitizer_flags" ]; then + gyp_params+=(-Dno_zdefs=1) + fi + + local cflags=$(python $cwd/coreconf/sanitizers.py "$@") + sanitizer_flags="$sanitizer_flags $cflags" +} + +enable_sancov() +{ + local clang_version=$($CC --version | grep -oE '([0-9]{1,}\.)+[0-9]{1,}') + if [[ ${clang_version:0:1} -lt 4 && ${clang_version:0:1} -eq 3 && ${clang_version:2:1} -lt 9 ]]; then + echo "Need at least clang-3.9 (better 4.0) for sancov." 1>&2 + exit 1 + fi + + local sancov + if [ -n "$1" ]; then + sancov="$1" + elif [ "${clang_version:0:3}" = "3.9" ]; then + sancov=edge,indirect-calls,8bit-counters + else + sancov=trace-pc-guard,trace-cmp + fi + enable_sanitizer sancov "$sancov" +} + +enable_ubsan() +{ + local ubsan + if [ -n "$1" ]; then + ubsan="$1" + else + ubsan=bool,signed-integer-overflow,shift,vptr + fi + enable_sanitizer ubsan "$ubsan" +} + +# Not strictly a sanitizer, but the pattern fits +scanbuild=() +enable_scanbuild() +{ + [ "${#scanbuild[@]}" -gt 0 ] && return + + scanbuild=(scan-build) + if [ -n "$1" ]; then + scanbuild+=(-o "$1") + fi + # pass on CC and CCC to scanbuild + if [ -n "$CC" ]; then + scanbuild+=(--use-cc="$CC") + fi + if [ -n "$CCC" ]; then + scanbuild+=(--use-c++="$CCC") + fi +} + +run_scanbuild() +{ + "${scanbuild[@]}" "$@" +} diff --git a/security/nss/coreconf/werror.py b/security/nss/coreconf/werror.py index a37fad95f..0d3843f64 100644 --- a/security/nss/coreconf/werror.py +++ b/security/nss/coreconf/werror.py 
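Review bot: In `enable_sanitizer`, `local cflags=$(python $cwd/coreconf/sanitizers.py "$@")` discards the exit status of sanitizers.py, because `local` itself returns 0. When the Python script raises (unknown sanitizer name, missing second argument), `cflags` is empty and the build carries on without the instrumentation that was requested, although the name has already been recorded in `sanitizers`. Declaring and assigning separately closes that gap: `local cflags; cflags=$(python "$cwd"/coreconf/sanitizers.py "$@") || exit 1`. In `enable_sancov`, the version test compares single characters of `clang_version`, so an empty result from `$CC --version` compares as 0 and passes the gate. Checking that a version was actually parsed before comparing would make a non-clang `$CC` fail loudly.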
@@ -7,7 +7,8 @@ def main(): cc = os.environ.get('CC', 'cc') sink = open(os.devnull, 'wb') try: - cc_is_clang = 'clang' in subprocess.check_output([cc, '--version'], stderr=sink) + cc_is_clang = 'clang' in subprocess.check_output( + [cc, '--version'], universal_newlines=True, stderr=sink) except OSError: # We probably just don't have CC/cc. return @@ -25,6 +26,7 @@ def main(): try: v = subprocess.check_output([cc, '-dumpversion'], stderr=sink) v = v.strip(' \r\n').split('.') + v = list(map(int, v)) if v[0] < 4 or (v[0] == 4 and v[1] < 8): # gcc 4.8 minimum return False -- cgit v1.2.3
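Review bot: The `-dumpversion` call in the second werror.py hunk still lacks `universal_newlines=True`, unlike the `--version` call this commit updates. Under Python 3 `v` is therefore `bytes`, and `v.strip(' \r\n')` raises `TypeError` before the added `list(map(int, v))` runs. `v = subprocess.check_output([cc, '-dumpversion'], universal_newlines=True, stderr=sink)` makes the two calls consistent. The handler of this `try` block is outside the hunk, so it cannot be seen here whether that error would be caught or would abort the warning-flag detection. `sink = open(os.devnull, 'wb')` in the first hunk's context is also not closed on the lines shown; a `with` block would do that.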