Skip to content

Commit fb85bb2

Browse files
fanquakefanquake
committed
Merge bitcoin/bitcoin#28783: build: remove -bind_at_load usage
3c61c60 build: Add an old hack to remove bind_at_load from libtool. (Cory Fields) 4525760 build: remove -bind_at_load usage (fanquake) Pull request description: This is deprecated on macOS: ```bash ld: warning: -bind_at_load is deprecated on macOS ``` and likely redundant anyways, given the behaviour of dyld3. Unfortunately libtool is still injecting a `-bind_at_load`, because it's version check is broken: ```bash # Don't allow lazy linking, it breaks C++ global constructors # But is supposedly fixed on 10.4 or later (yay!). if test CXX = "$tagname"; then case ${MACOSX_DEPLOYMENT_TARGET-10.0} in 10.[0123]) func_append compile_command " $wl-bind_at_load" func_append finalize_command " $wl-bind_at_load" ;; esac fi ``` so this adds another change to strip them out at the end of configure. Note that anywhere the ld64 warnings are being emitted, we are already not adding this flag to our hardened ldflags, because of `-Wl,-fatal_warnings`. ACKs for top commit: theuni: utACK 3c61c60. hebasto: ACK 3c61c60, tested on macOS Sonoma 14.1.1 (23B81, Apple M1) and Ubuntu 23.10 (cross-compiling for macOS). Also I've verified the actual diff in the `libtool` script. Tree-SHA512: 98e6a095dc2d2409f8ec3b9d462e0db3643d7873d7903a12f8acd664829e7e84e797638556fa42ca8ebc1003f13a38fe9bb8a2a50cecfa991155da818574bf08
2 parents 1fbeeed + 3c61c60 commit fb85bb2

File tree

2 files changed

+15
-5
lines changed

2 files changed

+15
-5
lines changed

configure.ac

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1002,7 +1002,6 @@ dnl "ad_strip" as the symbol for the entry point.
10021002
if test "$TARGET_OS" = "darwin"; then
10031003
AX_CHECK_LINK_FLAG([-Wl,-dead_strip], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip"], [], [$LDFLAG_WERROR])
10041004
AX_CHECK_LINK_FLAG([-Wl,-dead_strip_dylibs], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip_dylibs"], [], [$LDFLAG_WERROR])
1005-
AX_CHECK_LINK_FLAG([-Wl,-bind_at_load], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"], [], [$LDFLAG_WERROR])
10061005
AX_CHECK_LINK_FLAG([-Wl,-fixup_chains], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-fixup_chains"], [], [$LDFLAG_WERROR])
10071006
fi
10081007

@@ -1970,6 +1969,17 @@ case ${OS} in
19701969
;;
19711970
esac
19721971

1972+
dnl An old hack similar to a98356fee to remove hard-coded
1973+
dnl bind_at_load flag from libtool
1974+
case $host in
1975+
*darwin*)
1976+
AC_MSG_RESULT([Removing -Wl,bind_at_load from libtool.])
1977+
sed < libtool > libtool-2 '/bind_at_load/d'
1978+
mv libtool-2 libtool
1979+
chmod 755 libtool
1980+
;;
1981+
esac
1982+
19731983
echo
19741984
echo "Options used to compile and link:"
19751985
echo " external signer = $use_external_signer"

contrib/devtools/test-security-check.py

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -129,11 +129,11 @@ def test_MACHO(self):
129129
(1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
130130
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
131131
(1, executable+': failed PIE CONTROL_FLOW'))
132-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']),
132+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
133133
(1, executable+': failed PIE CONTROL_FLOW'))
134-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
134+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
135135
(1, executable+': failed PIE'))
136-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
136+
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
137137
(0, ''))
138138
else:
139139
# arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks
@@ -143,7 +143,7 @@ def test_MACHO(self):
143143
(1, executable+': failed NOUNDEFS Canary'))
144144
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
145145
(1, executable+': failed NOUNDEFS'))
146-
self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all', '-Wl,-fixup_chains']),
146+
self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
147147
(0, ''))
148148

149149

0 commit comments

Comments
 (0)