Skip to content

feat: [NODE-1566] Build with hermetic cc toolchains #3508

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Bownairo merged 31 commits into from
Mar 27, 2025
Merged

feat: [NODE-1566] Build with hermetic cc toolchains #3508

Bownairo merged 31 commits into from
Mar 27, 2025

Conversation

@Bownairo
Copy link
Contributor

@Bownairo Bownairo commented Jan 17, 2025
edited
Loading

If we upgrade our build container, the dynamic libraries linked to our published binaries upgrade, too. We would like to link against older libraries in order to support more targets, and would like to upgrade our build container to use more modern tools.

In order to decouple the bazel build from our build container, build using hermetic_cc_toolchains pinned to an older libc, and patch up the rough edges.

@github-actions github-actions bot added the feat label Jan 17, 2025
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch 3 times, most recently from 0d20bba to 5b5b249 Compare January 23, 2025 22:01
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch 2 times, most recently from f5bfd00 to b8bf5b9 Compare February 4, 2025 02:08
@Bownairo Bownairo changed the title feat: Build with hermetic cc toolchains feat: [NODE-1566] Build with hermetic cc toolchains Feb 4, 2025
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch 3 times, most recently from d10101c to 2c71eb6 Compare February 10, 2025 19:04
@Bownairo Bownairo added the CI_ALL_BAZEL_TARGETS Runs all bazel targets and uploads them to S3 label Feb 10, 2025
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch from 2c71eb6 to 5a7bebe Compare February 10, 2025 21:21
Bownairo
Bownairo commented Feb 11, 2025
View reviewed changes
Copy link
Contributor Author

@Bownairo Bownairo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The determinism tests are failing due to differences in one of the binaries:
> Binary files A/ic-boundary and B/ic-boundary differ

I still need to take a look. Have any ideas?

I haven't been able to reproduce the diff in ic-boundary, and when I went to inspect the files, they actually were the same. I did find a separate issue in infogetty where sandbox paths were leaking into the binary, but this was fixed by stripping it.

@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch from d6748ad to 5504f28 Compare February 12, 2025 19:47
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch 2 times, most recently from 7624edc to 396609a Compare March 3, 2025 21:26
@Bownairo
Copy link
Contributor Author

Bownairo commented Mar 4, 2025
edited
Loading

Hey @dfinity/product-security! I had run into some trouble with the AFL fuzzers, and came up with these two solutions. Before I pull this out of draft and open this up to the other teams, could you take a look and let me know what you think?

Build AFL fuzzers without hermetic toolchains: eero/hermetic-toolchain...eero/hermetic-toolchain-afl (19166e3)
To instrument with AFL we use the AFL wrappers here. Using the hermetic toolchains makes it so that these variables are not respected, and the binaries are built without instrumentation.

It is a really simple change to avoid using the hermetic toolchain for these targets, but it means the build path for the fuzzing targets diverges.

Patch dependencies to support AFL fuzzers on zig: eero/hermetic-toolchain...eero/hermetic-toolchain-afl-zig (20c1e0e)
If we do want to build with zig (which backs the hermetic toolchains), I had to make a few patches to respect the AFL wrapper variables, and work around link args that zig cc does not support. This also creates another variant of lockfiles to build with fuzzing flags, but not the bundled libfuzzer.

This change is more complicated, but keeps the fuzzers in line with the built binaries. This also makes the fuzzers slower, as the LTO variant is not supported (it seems the required flags are not even on the radar for zig).

edit: Updated links to more stable commits.

@Bownairo Bownairo requested a review from a team March 4, 2025 05:07
@venkkatesh-sekar
Copy link
Member

venkkatesh-sekar commented Mar 4, 2025

Hey @dfinity/product-security! I had run into some trouble with the AFL fuzzers, and came up with these two solutions. Before I pull this out of draft and open this up to the other teams, could you take a look and let me know what you think?

Build AFL fuzzers without hermetic toolchains: eero/hermetic-toolchain...eero/hermetic-toolchain-afl To instrument with AFL we use the AFL wrappers here. Using the hermetic toolchains makes it so that these variables are not respected, and the binaries are built without instrumentation.

It is a really simple change to avoid using the hermetic toolchain for these targets, but it means the build path for the fuzzing targets diverges.

Patch dependencies to support AFL fuzzers on zig: eero/hermetic-toolchain...eero/hermetic-toolchain-afl-zig If we do want to build with zig (which backs the hermetic toolchains), I had to make a few patches to respect the AFL wrapper variables, and work around link args that zig cc does not support. This also creates another variant of lockfiles to build with fuzzing flags, but not the bundled libfuzzer.

This change is more complicated, but keeps the fuzzers in line with the built binaries. This also makes the fuzzers slower, as the LTO variant is not supported (it seems the required flags are not even on the radar for zig).

Thanks @Bownairo for this awesome effort, we can go ahead with option A as it's the simplest one and the build path diverging should have very little effect on the bugs the fuzzers should find itself.

venkkatesh-sekar
venkkatesh-sekar reviewed Mar 4, 2025
View reviewed changes
@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch from 201cdc8 to 95c5f5d Compare March 5, 2025 21:09
@Bownairo
Copy link
Contributor Author

Bownairo commented Mar 5, 2025
edited
Loading

It seems the rustix patches don't apply after the latest repin. #4188 should be the fix?

andrewbattat
andrewbattat approved these changes Mar 6, 2025
View reviewed changes
Copy link
Contributor

@andrewbattat andrewbattat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥳

@Bownairo Bownairo force-pushed the eero/hermetic-toolchain branch 4 times, most recently from 34e9296 to c9a2286 Compare March 7, 2025 02:14
venkkatesh-sekar
venkkatesh-sekar approved these changes Mar 7, 2025
View reviewed changes
nmattia
nmattia reviewed Mar 7, 2025
View reviewed changes
@Bownairo Bownairo mentioned this pull request Mar 25, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Mar 26, 2025
@Bownairo
fix: Pass ic-ref-test directly (#4515)
ed71f86 
In #3508 we change the name of the
underlying `ic-ref-test` binary, but keep the target the same. This
breaks tests that have been depending on the binary name directly.

This change uses the target path to reference the binary, instead.
@Bownairo
Copy link
Contributor Author

Bownairo commented Mar 27, 2025

@mraszyk would you be able to take a look at the other side of #4515?

@mraszyk
Copy link
Contributor

mraszyk commented Mar 27, 2025

@mraszyk would you be able to take a look at the other side of #4515?

What do you mean by "the other side of #4515"?

@Bownairo
Copy link
Contributor Author

Bownairo commented Mar 27, 2025
edited
Loading

@mraszyk would you be able to take a look at the other side of #4515?

What do you mean by "the other side of #4515"?

Ah sorry for being unclear, #4515 set us up to change the binary name in hs/spec_compliance/BUILD.bazel, through hs/spec_compliance/defs.bzl. We wrap these targets in order to transition with disable_hermetic_cc_binary that keeps the haskell build using their current build path, with the host system toolchains.

mraszyk
mraszyk approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@mraszyk mraszyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rubber-stamp as I'm not a bazel expert.

nmattia
nmattia approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@nmattia nmattia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very exciting! 🥳

@Bownairo Bownairo added this pull request to the merge queue Mar 27, 2025
Merged via the queue into master with commit 810ddde Mar 27, 2025
20 checks passed
@Bownairo Bownairo deleted the eero/hermetic-toolchain branch March 27, 2025 12:11
@Bownairo Bownairo restored the eero/hermetic-toolchain branch March 27, 2025 15:46
@Bownairo Bownairo deleted the eero/hermetic-toolchain branch March 27, 2025 15:46
@nmattia nmattia mentioned this pull request Apr 1, 2025
Closed
nmattia added a commit that referenced this pull request Apr 1, 2025
@nmattia
revert: "feat: [NODE-1566] Build with hermetic cc toolchains (#3508)"
e025bf5 
This reverts commit
[810ddde](810ddde).

This new toolchain is causing build performance issues. The root cause
is unclear, see
uber/hermetic_cc_toolchain#215.
github-merge-queue bot pushed a commit that referenced this pull request Apr 2, 2025
@nmattia
revert: "feat: [NODE-1566] Build with hermetic cc toolchains (#3508)" (
6fc00b7 
…#4621)

This reverts commit

[810ddde](810ddde).

This new toolchain is causing build performance issues. The root cause
is unclear, see
uber/hermetic_cc_toolchain#215.

---------

Co-authored-by: IDX GitHub Automation <[email protected]>
sasa-tomic pushed a commit that referenced this pull request Apr 7, 2025
@nmattia @sasa-tomic
revert: "feat: [NODE-1566] Build with hermetic cc toolchains (#3508)" (
6a78ff6 
…#4621)

This reverts commit

[810ddde](810ddde).

This new toolchain is causing build performance issues. The root cause
is unclear, see
uber/hermetic_cc_toolchain#215.

---------

Co-authored-by: IDX GitHub Automation <[email protected]>
@Bownairo Bownairo mentioned this pull request May 6, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request May 8, 2025
@Bownairo @nmattia
feat: [NODE-1566] Build with hermetic cc toolchains (again) (#4848)
2f52f29 
Following #3508 and
#4621

What has changed since last time?
-
dd17358
- Share the zig cache across targets to improve build speed. `zig cc`
builds system components on demand, and the shared cache means these are
only built once.
- 80f68ab +
31d8822 - Strip debug_info, but
preserve symbols, to fix traces. `zig cc` can only strip everything, or
nothing at all. First patch `rules_rust` to disable the default
stripping, then patch `hermetic_cc_toolchain` to strip only
`debug_info`, outside of the main call to `zig cc`.

---------

Co-authored-by: Nicolas Mattia <[email protected]>
Co-authored-by: IDX GitHub Automation <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@venkkatesh-sekar venkkatesh-sekar venkkatesh-sekar approved these changes

@nmattia nmattia nmattia approved these changes

@mraszyk mraszyk mraszyk approved these changes

@andrewbattat andrewbattat andrewbattat approved these changes

Assignees

No one assigned

Labels

CI_ALL_BAZEL_TARGETS Runs all bazel targets and uploads them to S3 feat @idx @node @research

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Bownairo @venkkatesh-sekar @mraszyk @nmattia @andrewbattat