Merge pull request #326 from google/static-linking-linux

On linux, statically link all libraries including GLIBC

Author: rishipal

.github/workflows/build.yml

@@ -39,7 +39,8 @@ jobs:
           disk-cache: ${{ github.workflow }}
           # Share repository cache between workflows.
           repository-cache: true
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           submodules: recursive
           ref: ${{ inputs.release-tag || '' }}
@@ -88,24 +89,58 @@ jobs:
     env:
       NODE_VERSION: '20.x'
       FORCE_COLOR: '1'
+      MUSL_HOME: ${{ github.workspace }}/musl-toolchain
     steps:
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: adopt-hotspot
-          java-version: 21
-          java-package: jdk
-          architecture: x64
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ inputs.release-tag || '' }}
+      - name: Checkout musl
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        with:
+          repository: kraj/musl
+          ref: c47ad25ea3b484e10326f933e927c0bc8cded3da # patched 1.2.5 version
+          path: musl
+          clean: false
+      - name: Checkout zlib
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        with:
+          repository: madler/zlib
+          ref: 04f42ceca40f73e2978b50e93806c2a18c1281fc # v1.2.13
+          path: zlib
+          clean: false
+      - name: Build musl and zlib
+        run: |
+          # See https://www.graalvm.org/latest/reference-manual/native-image/guides/build-static-executables/
+          # We have to build MUSL from source to ensure recent CVEs are patched
+
+          # Build musl from source
+          pushd musl
+          ./configure --prefix=$MUSL_HOME --static
+          sudo make && make install
+          popd
+
+          # Install a symlink for use by native-image
+          ln -s $MUSL_HOME/bin/musl-gcc $MUSL_HOME/bin/x86_64-linux-musl-gcc
+
+          # Extend the system path and confirm that musl is available by printing its version
+          export PATH="$MUSL_HOME/bin:$PATH"
+          echo "$path" >> $GITHUB_PATH
+          x86_64-linux-musl-gcc --version
+
+          # Build zlib with musl from source and install into the MUSL_HOME directory
+          pushd zlib
+          CC=musl-gcc ./configure --prefix=$MUSL_HOME --static
+          make && make install
+          popd
       - name: Use Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # 4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
+      - name: Install GraalVM
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
         with:
-          java-version: 21
+          java-version: 24
           distribution: 'graalvm-community'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
@@ -139,6 +174,7 @@ jobs:
       - name: Build image
         working-directory: packages/google-closure-compiler-linux
         run: |
+          export PATH="$MUSL_HOME/bin:$PATH"
           cp ../google-closure-compiler-java/compiler.jar compiler.jar
           yarn run build
       - name: Tests
@@ -160,23 +196,18 @@ jobs:
       NODE_VERSION: '20.x'
       FORCE_COLOR: '1'
     steps:
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: adopt-hotspot
-          java-version: 21
-          java-package: jdk
-          architecture: x64
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ inputs.release-tag || '' }}
       - name: Use Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # 4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
+      - name: Setup GraalVM
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
         with:
-          java-version: 21
+          java-version: 24
           distribution: 'graalvm-community'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
@@ -229,23 +260,18 @@ jobs:
       NODE_VERSION: '22.x'
       FORCE_COLOR: '1'
     steps:
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: adopt-hotspot
-          java-version: 21
-          java-package: jdk
-          architecture: x64
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ inputs.release-tag || '' }}
       - name: Use Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # 4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
+      - name: Setup GraalVM
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
         with:
-          java-version: 21
+          java-version: 24
           distribution: 'graalvm-community'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
@@ -298,23 +324,18 @@ jobs:
       NODE_VERSION: '22.x'
       FORCE_COLOR: '1'
     steps:
-      - name: Setup Java
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          distribution: adopt-hotspot
-          java-version: 21
-          java-package: jdk
-          architecture: x64
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ inputs.release-tag || '' }}
       - name: Use Node.js ${{ env.NODE_VERSION }}
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # 4.4.0
         with:
           node-version: ${{ env.NODE_VERSION }}
-      - uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
+      - name: Setup GraalVM
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # 1.3.3
         with:
-          java-version: 21
+          java-version: 24
           distribution: 'graalvm-community'
           github-token: ${{ secrets.GITHUB_TOKEN }}
           native-image-job-reports: 'true'
@@ -377,7 +398,8 @@ jobs:
       - build-macos
       - build-windows
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      - name: Checkout repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
           ref: ${{ inputs.release-tag || '' }}
       - name: Use Node.js ${{ env.NODE_VERSION }}

.gitignore

@@ -2,6 +2,7 @@ node_modules
 npm-debug.log
 yarn-error.log
 /lerna-debug.log
+/musl-toolchain
 /packages/google-closure-compiler/contrib/
 /packages/google-closure-compiler/externs/
 /packages/google-closure-compiler-java/compiler.jar
@@ -12,6 +13,7 @@ yarn-error.log
 /packages/google-closure-compiler-macos/compiler.jar
 /packages/google-closure-compiler-macos/compiler
 /packages/google-closure-compiler-windows/compiler.*
-/temp
 /publish-log.txt
+/temp
+/zlib
 .npmrc

build-scripts/graal.js

@@ -34,32 +34,44 @@ process.on('unhandledRejection', error => {
   process.exit(1);
 });
 
-const NATIVE_IMAGE_BUILD_ARGS = [
-  '-H:+UnlockExperimentalVMOptions',
-  '-H:IncludeResourceBundles=org.kohsuke.args4j.Messages',
-  '-H:IncludeResourceBundles=org.kohsuke.args4j.spi.Messages',
-  '-H:IncludeResourceBundles=com.google.javascript.jscomp.parsing.ParserConfig',
-  '-H:+AllowIncompleteClasspath',
-  `-H:ReflectionConfigurationFiles=${path.resolve(__dirname, 'reflection-config.json')}`,
-  '-H:IncludeResources=externs\.zip',
-  '-H:IncludeResources=.*\.typedast',
-  '-H:IncludeResources=com/google/javascript/.*\.js',
-  '-H:IncludeResources=com/google/javascript/.*\.txt',
-  '-H:IncludeResources=lib/.*\.js',
-  '-H:IncludeResources=META-INF/.*\.txt',
-  '-H:+ReportExceptionStackTraces',
-  // '-H:+GenerateEmbeddedResourcesFile', // Available on Graal JDK 24 and newer
-  '--report-unsupported-elements-at-runtime',
-  '--initialize-at-build-time',
-  '--color=always',
-  '-jar',
-  path.resolve(process.cwd(), 'compiler.jar')
-];
+const flagsByPlatformAndArch = new Map([
+  // Statically link libraries when supported. Allows usage on systems
+  // which are missing or have incompatible versions of GLIBC.
+  // Only linux x86 architectures can fully statically link
+  // See https://www.graalvm.org/latest/reference-manual/native-image/guides/build-static-executables/
+  ['linux-x86', ['--static', '--libc=musl']],
+  ['linux-x64', ['--static', '--libc=musl']],
+  ['linux-arm64', ['--static-nolibc']],
+]);
 
-const spawnOpts = {};
-if (process.platform === 'win32') {
-  spawnOpts.shell = true;
-}
+const NATIVE_IMAGE_BUILD_ARGS = ['-H:+UnlockExperimentalVMOptions'].concat(
+  flagsByPlatformAndArch.get(`${process.platform}-${process.arch}`) || [],
+  [
+    '-H:IncludeResourceBundles=org.kohsuke.args4j.Messages',
+    '-H:IncludeResourceBundles=org.kohsuke.args4j.spi.Messages',
+    '-H:IncludeResourceBundles=com.google.javascript.jscomp.parsing.ParserConfig',
+    '-H:+AllowIncompleteClasspath',
+    `-H:ReflectionConfigurationFiles=${path.resolve(__dirname, 'reflection-config.json')}`,
+    '-H:IncludeResources=externs\.zip',
+    '-H:IncludeResources=.*\.typedast',
+    '-H:IncludeResources=com/google/javascript/.*\.js',
+    '-H:IncludeResources=com/google/javascript/.*\.txt',
+    '-H:IncludeResources=lib/.*\.js',
+    '-H:IncludeResources=META-INF/.*\.txt',
+    '-H:+ReportExceptionStackTraces',
+    // '-H:+GenerateEmbeddedResourcesFile',
+    '-J--sun-misc-unsafe-memory-access=allow', // See https://github.com/google/closure-compiler/issues/4229
+    '--initialize-at-build-time',
+    '-march=compatibility',
+    '--color=always',
+    '-jar',
+    path.resolve(process.cwd(), 'compiler.jar'),
+  ],
+);
+
+const spawnOpts = {
+  ...(process.platform === 'win32' ? { shell: true } : {}),
+};
 
 runCommand(`native-image${process.platform === 'win32' ? '.cmd' : ''}`, NATIVE_IMAGE_BUILD_ARGS, spawnOpts)
     .catch(e => {