Skip to content

scripts: add checks for minimum required OS versions #21871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 18, 2021
Merged

scripts: add checks for minimum required OS versions #21871

merged 4 commits into from
Jun 18, 2021

Conversation

fanquake
Copy link
Member

@fanquake fanquake commented May 6, 2021
edited
Loading

macOS:
We use a compile flag (-mmacosx-version-min=10.14) to set the minimum required version of macOS needed to run our binaries. This adds a sanity check that the version is being set as expected.

Clangs Darwin driver should infer the SDK version used during compilation, and forward that through to the linker. Add a check that this has been done, and the expected SDK version is set. Should help prevent issues like #21771 in future.

Windows:
We use linker flags (-Wl,--major/minor-subsystem-version) to set the minimum required version of Windows needed to run our binaries. This adds a sanity check that the version is being set as expected.

Gitian builds:

# macOS:
8b6fcd61d75001c37b2af3fceb5ae09f5d2fe85e97d361f684214bd91c27954a  bitcoin-f015e1c2cac9-osx-unsigned.dmg
3c1e412bc7f5a7a5d0f78e2cd84b7096831414e1304c1307211aa3e135d89bbf  bitcoin-f015e1c2cac9-osx-unsigned.tar.gz
50b7b2804e8481f63c69c78e3e8a71c0d811bf2db8895dd6d3edae9c46a738ae  bitcoin-f015e1c2cac9-osx64.tar.gz
fe6b5c0a550096b76b6727efee30e85b60163a41c83f21868c849fdd9876b675  src/bitcoin-f015e1c2cac9.tar.gz
8a20f21b20673dfc8c23e22b20ae0839bcaf65bf0e02f62381cdf5e7922936f0  bitcoin-core-osx-22-res.yml

# Windows:
b01fcdc2a5673387050d6c6c4f96f1d350976a121155fde3f76c2af309111f9d  bitcoin-f015e1c2cac9-win-unsigned.tar.gz
b95bdcbef638804030671d2332d58011f8c4ed4c1db87d6ffd211515c32c9d02  bitcoin-f015e1c2cac9-win64-debug.zip
350bf180252d24a3d40f05e22398fec7bb00e06d812204eb5a421100a8e10638  bitcoin-f015e1c2cac9-win64-setup-unsigned.exe
2730ddabe246d99913c9a779e97edcadb2d55309933d46f1dffd0d23ecf9aae5  bitcoin-f015e1c2cac9-win64.zip
fe6b5c0a550096b76b6727efee30e85b60163a41c83f21868c849fdd9876b675  src/bitcoin-f015e1c2cac9.tar.gz
aa60d7a753e8cb2d4323cfbbf4d964ad3645e74c918cccd66862888f8646d80f  bitcoin-core-win-22-res.yml

@hebasto
Copy link
Member

hebasto commented May 6, 2021

Concep ACK. Was working on similar preventing #21771 right now :)

@fanquake fanquake force-pushed the new_tests_on_lief branch from 8774070 to c14211c Compare May 7, 2021 05:32
@fanquake
Copy link
Member Author

fanquake commented May 7, 2021

Updated to fix a typo, and address the CI failure.

@hebasto
Copy link
Member

hebasto commented May 8, 2021

@fanquake

I would add a check for the version of the macOS SDK using during compilation (which should help prevent issues like #21771), however there seems to be a bug in LIEF when accessing binary.build_version.sdk (although not when sdk is printed as part of build_version). I have opened an issue upstream: lief-project/LIEF#577.

Are we going to wait for LIEF 0.12 with a fix, or macOS SDK version check could be added in a separated PR?

@fanquake
Copy link
Member Author

fanquake commented May 9, 2021

Are we going to wait for LIEF 0.12 with a fix, or macOS SDK version check could be added in a separated PR?

I've just added one here. Apparently LIEF 0.12 wont be released until September / October.

@hebasto
Copy link
Member

hebasto commented May 9, 2021

https://cirrus-ci.com/task/5407569322704896?logs=lint#L855:

contrib/devtools/symbol-check.py:232: error: Item "None" of "Optional[Match[str]]" has no attribute "groups"
Found 1 error in 1 file (checked 200 source files)
^---- failure generated from test/lint/lint-python.sh

@hebasto
Copy link
Member

hebasto commented May 9, 2021

How about to check the solely MIN_OS error firing:

--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -142,6 +142,19 @@ class TestSymbolChecks(unittest.TestCase):
         self.assertEqual(call_symbol_check(cc, source, executable, ['-mmacosx-version-min=10.14', '-Wl,-platform_version', '-Wl,macos', '-Wl,10.14', '-Wl,10.15.6']),
                 (0, ''))
 
+        source = 'test5.c'
+        executable = 'test5'
+        with open(source, 'w', encoding="utf8") as f:
+            f.write('''
+                int main()
+                {
+                    return 0;
+                }
+        ''')
+
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-mmacosx-version-min=10.14', '-Wl,-platform_version', '-Wl,macos', '-Wl,10.15.6', '-Wl,10.15.6']),
+                (1, executable + ': failed MIN_OS'))
+
     def test_PE(self):
         source = 'test1.c'
         executable = 'test1.exe'

?

hebasto
hebasto reviewed May 9, 2021
View reviewed changes
@hebasto
Copy link
Member

hebasto commented May 9, 2021

Maybe add a test for the SUBSYSTEM_VERSION error to the test_PE function of the test-symbol-check.py?

@laanwj
Copy link
Member

laanwj commented May 10, 2021 

contrib/devtools/symbol-check.py:232: error: Item "None" of "Optional[Match[str]]" has no attribute "groups"
Found 1 error in 1 file (checked 200 source files)

@fanquake fanquake force-pushed the new_tests_on_lief branch from ae6a06d to af717c1 Compare May 12, 2021 02:34
@fanquake
Copy link
Member Author

contrib/devtools/symbol-check.py:232: error: Item "None" of "Optional[Match[str]]" has no attribute "groups"

Addressed.

How about to check the solely MIN_OS error firing:

There is some overlap between the MIN_OS and SDK test. I think we have enough coverage in this regard.

Maybe add a test for the SUBSYSTEM_VERSION error to the test_PE function of the test-symbol-check.py?

Added a test for this.

@hebasto
Copy link
Member

hebasto commented May 12, 2021

Assuming that test-symbol-check.py could and should be ran for cross builds, I see this PR closely related to #20980.

At least #20980 allows to make test-security-check for macOS cross builds on Linux.

After rebasing this PR on top of #20980 getting an error:

$ make test-security-check
.
----------------------------------------------------------------------
Ran 1 test in 0.484s

OK
F
======================================================================
FAIL: test_MACHO (__main__.TestSymbolChecks)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./contrib/devtools/test-symbol-check.py", line 102, in test_MACHO
    self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
AssertionError: Tuples differ: (1, '[28 chars]LLOWED_LIBRARIES!\ntest1: failed DYNAMIC_LIBRARIES') != (1, '[28 chars]LLOWED_LIBRARIES!\ntest1: failed DYNAMIC_LIBRARIES MIN_OS SDK')

First differing element 1:
'libe[23 chars]ALLOWED_LIBRARIES!\ntest1: failed DYNAMIC_LIBRARIES'
'libe[23 chars]ALLOWED_LIBRARIES!\ntest1: failed DYNAMIC_LIBRARIES MIN_OS SDK'

  (1,
   'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n'
-  'test1: failed DYNAMIC_LIBRARIES')
+  'test1: failed DYNAMIC_LIBRARIES MIN_OS SDK')
?                                  +++++++++++


----------------------------------------------------------------------
Ran 1 test in 0.093s

FAILED (failures=1)
make: *** [Makefile:1444: test-security-check] Error 1

@hebasto hebasto mentioned this pull request May 13, 2021
Closed
@hebasto
Copy link
Member

hebasto commented May 23, 2021

@fanquake

Are we going to wait for LIEF 0.12 with a fix, or macOS SDK version check could be added in a separated PR?

I've just added one here. Apparently LIEF 0.12 wont be released until September / October.

The fix is included in LIEF 0.11.5.
From the changelog:

:MachO:
  * Fix error on property :attr:`lief.MachO.BuildVersion.sdk` (see :issue:`533`)

@fanquake fanquake force-pushed the new_tests_on_lief branch from af717c1 to f015e1c Compare May 24, 2021 03:22
@fanquake
Copy link
Member Author

At least #20980 allows to make test-security-check for macOS cross builds on Linux.
After rebasing this PR on top of #20980 getting an error:

Ok. What is the actual error though?

The fix is included in LIEF 0.11.5.

I've included an update to 0.11.5 in this PR, and simplified the SDK check.

@hebasto
Copy link
Member

hebasto commented May 24, 2021
edited
Loading

At least #20980 allows to make test-security-check for macOS cross builds on Linux.
After rebasing this PR on top of #20980 getting an error:

Ok. What is the actual error though?

Well, not an error, but changed behavior: make test-security-check fails (this PR on top of the master + #20980), while it passed before (this PR on top of the master).

@fanquake
Copy link
Member Author

Well, not an error, but changed behavior:

I understand. I'm asking is what is the underlying cause of the failure. I assume it's the compiler/linker not accepting some of the newly added flags.

@hebasto
Copy link
Member

hebasto commented May 24, 2021

Well, not an error, but changed behavior:

I understand. I'm asking is what is the underlying cause of the failure. I assume it's the compiler/linker not accepting some of the newly added flags.

From #bitcoin-builds channel on 2021-03-13:

21:23:32 <dongcarl> Oh huh... I'm guessing the test-*-check.py scripts don't expect the CC to be set with an SDK?

fanquake added 3 commits June 10, 2021 10:40
@fanquake
scripts: LIEF 0.11.5
8732f7b
@fanquake
scripts: check minimum required macOS vesion is set
29615ae 
We use a compile flag (-mmacosx-version-min) to set the minimum required
version of macOS needed to run our binaries. This adds a sanity check
that the version is being set as expected.
@fanquake
scripts: check minimum required Windows version is set
c972345 
We use linker flags (-Wl,--major/minor-subsystem-version) to set the
minimum required version of Windows needed to run our binaries. This
adds a sanity check that the version is being set as expected.
@fanquake fanquake force-pushed the new_tests_on_lief branch from f015e1c to 763437b Compare June 10, 2021 03:00
@fanquake
Copy link
Member Author

I've removed the macOS SDK check from test-security-check. I don't think it adds much value, and given we don't control the SDK version being used in the CI, we can't necessarily test for/using the same SDK version we expect in our binaries.

@fanquake
scripts: check macOS SDK version is set
aa80b57 
Clangs Darwin driver should infer the SDK version used during compilation, and
forward that through to the linker. Add a check that this has been done, and the
expected SDK version is set.

Should help prevent issues like bitcoin#21771 in future.
@fanquake fanquake force-pushed the new_tests_on_lief branch from 763437b to aa80b57 Compare June 10, 2021 07:44
hebasto
hebasto approved these changes Jun 17, 2021
View reviewed changes
Copy link
Member

@hebasto hebasto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK aa80b57, tested by breaking tests:

  • macOS changes -- on macOS Big Sur 11.4 (20F71)
  • Windows changes -- on Linux Mint 20.1 (x86_64) with providing CC like
$ CC=x86_64-w64-mingw32-gcc contrib/devtools/test-symbol-check.py TestSymbolChecks.test_PE

@practicalswift
Copy link
Contributor

Concept ACK

@fanquake fanquake merged commit da69d99 into bitcoin:master Jun 18, 2021
@fanquake fanquake deleted the new_tests_on_lief branch June 18, 2021 07:22
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jun 18, 2021
@fanquake
Merge bitcoin#21871: scripts: add checks for minimum required OS vers…
9e71e81 
…ions

aa80b57 scripts: check macOS SDK version is set (fanquake)
c972345 scripts: check minimum required Windows version is set (fanquake)
29615ae scripts: check minimum required macOS vesion is set (fanquake)
8732f7b scripts: LIEF 0.11.5 (fanquake)

Pull request description:

  macOS:
  We use a compile flag ([-mmacosx-version-min=10.14](https://github.com/bitcoin/bitcoin/blob/master/depends/hosts/darwin.mk#L96)) to set the minimum required version of macOS needed to run our binaries. This adds a sanity check that the version is being set as expected.

  Clangs Darwin driver should infer the SDK version used during compilation, and forward that through to the linker. Add a check that this has been done, and the expected SDK version is set. Should help prevent issues like bitcoin#21771 in future.

  Windows:
  We use linker flags ([-Wl,--major/minor-subsystem-version](https://github.com/bitcoin/bitcoin/blob/master/configure.ac#L683)) to set the minimum required version of Windows needed to run our binaries. This adds a sanity check that the version is being set as expected.

  Gitian builds:
  ```bash
  # macOS:
  8b6fcd61d75001c37b2af3fceb5ae09f5d2fe85e97d361f684214bd91c27954a  bitcoin-f015e1c2cac9-osx-unsigned.dmg
  3c1e412bc7f5a7a5d0f78e2cd84b7096831414e1304c1307211aa3e135d89bbf  bitcoin-f015e1c2cac9-osx-unsigned.tar.gz
  50b7b2804e8481f63c69c78e3e8a71c0d811bf2db8895dd6d3edae9c46a738ae  bitcoin-f015e1c2cac9-osx64.tar.gz
  fe6b5c0a550096b76b6727efee30e85b60163a41c83f21868c849fdd9876b675  src/bitcoin-f015e1c2cac9.tar.gz
  8a20f21b20673dfc8c23e22b20ae0839bcaf65bf0e02f62381cdf5e7922936f0  bitcoin-core-osx-22-res.yml

  # Windows:
  b01fcdc2a5673387050d6c6c4f96f1d350976a121155fde3f76c2af309111f9d  bitcoin-f015e1c2cac9-win-unsigned.tar.gz
  b95bdcbef638804030671d2332d58011f8c4ed4c1db87d6ffd211515c32c9d02  bitcoin-f015e1c2cac9-win64-debug.zip
  350bf180252d24a3d40f05e22398fec7bb00e06d812204eb5a421100a8e10638  bitcoin-f015e1c2cac9-win64-setup-unsigned.exe
  2730ddabe246d99913c9a779e97edcadb2d55309933d46f1dffd0d23ecf9aae5  bitcoin-f015e1c2cac9-win64.zip
  fe6b5c0a550096b76b6727efee30e85b60163a41c83f21868c849fdd9876b675  src/bitcoin-f015e1c2cac9.tar.gz
  aa60d7a753e8cb2d4323cfbbf4d964ad3645e74c918cccd66862888f8646d80f  bitcoin-core-win-22-res.yml
  ```

ACKs for top commit:
  hebasto:
    ACK aa80b57, tested by breaking tests:

Tree-SHA512: 10150219910e8131715fbfe20edaa15778387616ef3bfe1a5152c7acd3958fe8f88c74961c3d3641074eb72824680c22764bb1dc01a19e92e946c2d4962a8d2c
gwillen pushed a commit to ElementsProject/elements that referenced this pull request Jun 1, 2022
@apoelstra
Merge da69d99 into merged_master (Bitcoin PR bitcoin/bitcoin#21871)
dcb699c
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hebasto hebasto hebasto approved these changes

Assignees
No one assigned
Labels
Scripts and tools
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fanquake @hebasto @laanwj @practicalswift