[WIP] Alternative approach to allow to running the DMD testsuite on hardened systems #7427
Conversation
... on Linux x86_64 distros where PIC/PIE is enforced. For more details, see: * https://wiki.gentoo.org/wiki/Hardened/Position_Independent_Code_internals * https://fedoraproject.org/wiki/Packaging:Guidelines#PIE * https://wiki.debian.org/Hardening/PIEByDefaultTransition * https://wiki.ubuntu.com/SecurityTeam/PIE * non-PIE linker support removed in Android 5.0: https://source.android.com/security/enhancements/enhancements50 * https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/ We addressed the issues in the `dmd.conf` generated when dmd is build, the `dmd.conf` files we ship in the release packages, and the makefiles of druntime and phobos, but we haven't (yet) fixed the test suite build system. Because of that, on Linux x86_64 distros where PIC is enforced, the dmd test suite (the d_do_test.d test runner, as well as all test cases that require linking) fails to link and as a result is completely unusable. The first commit of this pull-request does the following: * adds a `PIC` variable to `test/Makefile`, which defaults to `1`, on x86_64 * exports a `PIC_FLAG` environment variable, which is set to `-fPIC` when `PIC` is set to `1` * adds `$(PIC_FLAG)` to `d_do_test.d`'s build command-line * appends `$(PIC_FLAG)` to the `REQUIRED_ARGS` variable, which is expanded in each `*.d` test case command-line The second and final commit adds the `$PIC_FLAG` environment variable to the dmd command-line in the shell-driven test cases, where the object files were linked. This was done by trial and error, by amending each failing test case, until I got the whole test suite to pass on my Ubuntu 17.10 system, minus two unrelated test failures: * `runnable/test_cdvecfill.d` - see https://issues.dlang.org/show_bug.cgi?id=18013 * runnable/test17559.d - stack traces don't work properly on my system, but I have yet to investigate the root cause. See also: * dlang#7002 * dlang/druntime#1880 * dlang/druntime#1974 * dlang/phobos#5586 * dlang/phobos#5868
... on Linux x86_64 distros where PIC/PIE is enforced. See the previous commit for more details. This commit adds the `$PIC_FLAG` environment variable to the dmd command-line in the shell-driven test cases, where the object files were linked. This was done by trial and error, by amending each failing test case, until I got the whole test suite to pass (minus to unrelated test failures) on my Ubuntu 17.10 system.
Update test_cdvecfill test suite for -fPIC
|
Thanks for your pull request, @ZombineDev! Bugzilla references
|
|
Alternative to #7420 |
PetarKirov
changed the title
dlang-bot
added
the
Review:WIP
| /* pop rcx */ 0x59, | ||
| /* pop rbp */ 0x5d, | ||
| /* ret */ 0xc3, | ||
| ]), |
There was a problem hiding this comment.
If PIC=0 won't that cause this test to fail if we accept these changes?
There was a problem hiding this comment.
I'm not sure. I just cherry-picked @wilzbach's fix to try to get the test suite to pass on my machine. It seems this will need more work.
(As I also hit 18013, though I hadn't had the time to look into it.)
There was a problem hiding this comment.
I think you may need to keep both tests: This one for -fPIC and the test without these changes for Non-PIC. That is, if you intend to allow both PIC and non-PIC compiles, which appears to be the case, unless I'm misunderstanding.
There was a problem hiding this comment.
How about copy/pasting this file and using version(D_PIC) {} else in the other? This has the advantage that the update script would still work.
|
I'm not satisfied with my PR yet, as in my docker setup I get the following error: Also, on Windows I get the following error: I'm running out of time now, so I'll try to investigate this in the evening. |
Okay, I think we should go step by step here and thus as I first step I cherry-picked your first commit and modified it slightly: #7433 Note that stack traces on Linux are broken in PIE, see e.g. https://issues.dlang.org/show_bug.cgi?id=18068 (a good reason why we should let at least one CI run the test suite with |
|
pros and cons of this vs #7420 ? |
|
@ZombineDev UPDATE: I just realized that we can always add |
|
I'm wondering, however, if we really need to add The drawback, however, is there would be no verification of the test in non-PIC mode, but I'm not sure if that's a problem. |
|
@JinShil I am only propagating the PIC flag to the shell-based tests, because the rest pick it up from the REQUIRED_ARGS variable. An alternative solution would be propagate the REQUIRED_ARGS for the shell-based tests and not treat PIC specifically. |
Ah, right. Sorry, I'm still learning.
That actually seems like the best approach. I'm wondering why it's not done already, as the name implies, it should be required. Can you give it a try? UPDATE: Hold on. I clearly misunderstood this. So it looks like there's a lot of redundancy in the shell script tests. We should try to have one source of truth for compiler args, and not have to add such things to each and every shell script. I'm now leaning back towards #7420. |
|
Ok, so after thinking about this more, I'm thinking #7420 is the way to go. @ZombineDev is there any particular strength this PR has over #7420 that we should consider? |
5 participants
Alternative to #7420.
To reproduce the original problem, simply run:
To verify the changes in this PR, run: