Skip to content

Run annocheck for libruby.so #11123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Run annocheck for libruby.so #11123

wants to merge 2 commits into from

Conversation

voxik
Copy link
Contributor

@voxik voxik commented Jul 8, 2024

When building with --shared option, most functionality is kept in libruby.so. Therefore also run annocheck for libruby.so. Testing ruby executable is almost pointless.

@voxik
Copy link
Contributor Author

voxik commented Jul 8, 2024

A few thing to consider:

  1. Not sure if the target should not depend also on existence of $(LIBRUBY_SO). IOW if this version would not be better:

    $ git diff
diff --git a/common.mk b/common.mk
index 05145313c6..cfc474ca19 100644
--- a/common.mk
+++ b/common.mk
@@ -1667,8 +1667,8 @@ no-test-bundler-parallel:
 # The annocheck supports ELF format binaries compiled for any OS and for any
 # architecture. It is designed to be independent of the host OS and the
 # architecture. The test-annocheck.sh requires docker or podman.
-test-annocheck: $(PROGRAM)
-       $(tooldir)/test-annocheck.sh $(PROGRAM)
+test-annocheck: $(PROGRAM) $(LIBRUBY_SO)
+       $(tooldir)/test-annocheck.sh $(PROGRAM) $(LIBRUBY_SO)
 
 GEM = up
 sync-default-gems:

  2. Not sure if it would not be good idea to test all *.so files

  3. It could even make sense to test the *.o files, because that would provide more details, should there be some issue.

@voxik voxik force-pushed the annocheck-libruby-so branch 2 times, most recently from 3b319bf to baf9214 Compare July 8, 2024 15:05
@voxik voxik changed the title Run annocheck for libruby.so [WIP] Run annocheck for libruby.so Jul 8, 2024
@voxik voxik force-pushed the annocheck-libruby-so branch 7 times, most recently from 46dc2bf to d706a1a Compare July 8, 2024 18:14
@voxik
Copy link
Contributor Author

voxik commented Jul 9, 2024
edited
Loading

Apparently COPY $FILES /work/ treats ruby libruby.so.3.4.0 env variable as a single file (discussed here. So this won't be as easy as it could.

@voxik voxik force-pushed the annocheck-libruby-so branch 5 times, most recently from fa82c4f to 6daff56 Compare July 9, 2024 10:51
voxik added 2 commits July 9, 2024 14:36
@voxik
Run annocheck for libruby.so
6cf99bf 
When building with `--shared` option, most functionality is kept in
`libruby.so`. Therefore also run annocheck for `libruby.so`. Testing
`ruby` executable is almost pointless.

Use `sed` to expand the `${FILES}` variable, because Docker can't do it:

https://stackoverflow.com/questions/61599384/specify-multiple-files-in-arg-to-copy-in-dockerfile
@voxik
Simplify annocheck Docker file
28280f7 
It is not needed to create dir explicitly, when the destination end by
slash
@voxik voxik force-pushed the annocheck-libruby-so branch from 373c911 to 28280f7 Compare July 9, 2024 12:37
@voxik
Copy link
Contributor Author

voxik commented Jul 9, 2024

Apparently COPY $FILES /work/ treats ruby libruby.so.3.4.0 env variable as a single file (discussed here. So this won't be as easy as it could.

I decided to expand the ${FILES} variable by sed instead.

@voxik voxik changed the title [WIP] Run annocheck for libruby.so Run annocheck for libruby.so Jul 9, 2024
@voxik
Copy link
Contributor Author

voxik commented Jul 10, 2024

Not sure if the build should not be configured with --disable-yjit, because Rust hides possible fortification issues:

Hardened: libruby.so.3.4.0: skip: cf-protection test because mixed Rust and C code - control flow protection is needed but not yet supported by Rust

@voxik
Copy link
Contributor Author

voxik commented Jul 17, 2024

Not sure if the build should not be configured with --disable-yjit, because Rust hides possible fortification issues:

Hardened: libruby.so.3.4.0: skip: cf-protection test because mixed Rust and C code - control flow protection is needed but not yet supported by Rust

And just FTR, this is the Rust tracker:

rust-lang/rust#93754

nobu
nobu reviewed Jul 22, 2024
View reviewed changes
tool/test-annocheck.sh
@@ -27,7 +27,8 @@ else
# volume in container in container on GitHub Actions
# <.github/workflows/compilers.yml>.
TAG="${TAG}-copy"
"${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
sed -r "s/\\$\{FILES\}/${*}/" ${TOOL_DIR}/annocheck/Dockerfile-copy | \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't / as the separator unsafe, as it is also a file separator.

Copy link
Member

@junaruga junaruga Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nobu I would agree with your opinion. the / is unsafe when the ${*} includes the file separator /.

However, I don't think we need to use the sed command. Because this hack just ignores the functionality of the --build-arg=FILES="${*}" as an argument. And I have alternative idea to deal with this limitation in a way to understand the logic easily in my opinion. I will share it soon.

@junaruga junaruga self-requested a review July 23, 2024 13:20
junaruga
junaruga requested changes Jul 23, 2024
View reviewed changes
Copy link
Member

@junaruga junaruga left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For someone who is interested in the annocheck test on CI. The test is executed in the .github/workflows/annocheck.yml calling the make test-annocheck calling tool/test-annocheck.sh.

I tested and debugged this PR on my following branch in my forked repository. The latest commit on the branch is my change proposal for this PR.

https://github.com/junaruga/ruby/tree/wip/v_annocheck-libruby-so-debug

Below is the diff. I think this way is better in terms of understanding the logic easily without using the sed hack making the --build-arg=FILES="${*}" in the docker build command meaningless.

What do you think?

diff --git a/tool/annocheck/Dockerfile-copy b/tool/annocheck/Dockerfile-copy
index 132febc86c..0a79f3a50a 100644
--- a/tool/annocheck/Dockerfile-copy
+++ b/tool/annocheck/Dockerfile-copy
@@ -1,6 +1,6 @@
 FROM docker.io/fedora:latest
-ARG FILES
+ARG IN_DIR

 RUN dnf -y install annobin-annocheck
-COPY ${FILES} /work/
+COPY ${IN_DIR} /work
 WORKDIR /work
diff --git a/tool/test-annocheck.sh b/tool/test-annocheck.sh
index f6a6bd8223..cbe833d97c 100755
--- a/tool/test-annocheck.sh
+++ b/tool/test-annocheck.sh
@@ -15,6 +15,7 @@ set -x
 DOCKER="$(command -v docker || command -v podman)"
 TAG=ruby-fedora-annocheck
 TOOL_DIR=$(dirname "${0}")
+TMP_DIR="tmp/annocheck"
 DOCKER_RUN_VOLUME_OPTS=

 if [ -z "${CI-}" ]; then
@@ -27,8 +28,13 @@ else
   # volume in container in container on GitHub Actions
   # <.github/workflows/compilers.yml>.
   TAG="${TAG}-copy"
-  sed -r "s/\\$\{FILES\}/${*}/" ${TOOL_DIR}/annocheck/Dockerfile-copy | \
-    "${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f - .
+  rm -rf "${TMP_DIR}"
+  mkdir -p "${TMP_DIR}"
+  for file in ${@}; do
+    cp -p "${file}" "${TMP_DIR}"
+  done
+  "${DOCKER}" build --rm -t "${TAG}" --build-arg=IN_DIR="${TMP_DIR}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
+  rm -rf "${TMP_DIR}"
 fi

 "${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"

I confirmed the make test-annocheck passed on GitHub Actions on my forked repository.
https://github.com/junaruga/ruby/actions/runs/10073821672/job/27848650745#step:10:106

common.mk
@@ -1668,7 +1668,7 @@ no-test-bundler-parallel:
# architecture. It is designed to be independent of the host OS and the
# architecture. The test-annocheck.sh requires docker or podman.
test-annocheck: $(PROGRAM)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The $(LIBRUBY_SO) is missed at this line.

tool/test-annocheck.sh
@@ -27,7 +27,8 @@ else
# volume in container in container on GitHub Actions
# <.github/workflows/compilers.yml>.
TAG="${TAG}-copy"
"${DOCKER}" build --rm -t "${TAG}" --build-arg=FILES="${*}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
sed -r "s/\\$\{FILES\}/${*}/" ${TOOL_DIR}/annocheck/Dockerfile-copy | \
Copy link
Member

@junaruga junaruga Jul 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nobu I would agree with your opinion. the / is unsafe when the ${*} includes the file separator /.

However, I don't think we need to use the sed command. Because this hack just ignores the functionality of the --build-arg=FILES="${*}" as an argument. And I have alternative idea to deal with this limitation in a way to understand the logic easily in my opinion. I will share it soon.

@junaruga
Copy link
Member

By the way, below is an article about ${@} vs ${*}.

https://www.baeldung.com/linux/dollar-star-at

In most cases, using $@ or “$@” instead of $* is safer and more flexible when working with command-line arguments because they preserve the original argument structure and make it easier to work with individual arguments in our bash script.

@junaruga junaruga mentioned this pull request Aug 7, 2024
Merged
@junaruga
Copy link
Member

junaruga commented Aug 7, 2024

I did cherry-pick this PR, adding my change, and opened another PR #11324. So, I would close this PR. Thanks for your PR!

@junaruga junaruga closed this Aug 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nobu nobu nobu left review comments

@junaruga junaruga junaruga requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@voxik @junaruga @nobu