strepsirrhini/office-gobmx
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
office-gobmx/bin/check-elf-dynamic-objects
Michael Stahl 0028266e34 configure: default to --with-system-nss on Linux 
NSS is very ABI compatible and part of current LSB 5.0 and so it should
just work to use the one from the system, i'm not aware of a Linux that
doesn't ship it.

There used to be some feature patch in external/nss but this was removed
years ago, now it just contains build fixes.

Problems can occur if a mixture of system and bundled NSS libraries is
loaded, if first an old version .so is loaded and then newer version .so
depends on it but can't find some required symbol.

See for example:
https://www.mail-archive.com/libreoffice@lists.freedesktop.org/msg287043.html

Another issue is that e.g. Fedora ships libnsspem.so in the nss-pem
package, which may cause trouble in ASAN builds, where the internal NSS
is built to call __asan_poison_memory_region but the system
libnss-pem.so doesn't call __asan_unpoison_memory_region so we get:

  ==2568944==ERROR: AddressSanitizer: use-after-poison on address 0x61d0019afab0
  WRITE of size 192 at 0x61d0019afab0 thread T28 (utl::Moderator)
    0 in __interceptor_memset.part.0 (instdir/program/soffice.bin+0x466460)
    1  (/lib64/libnsspem.so+0x15f3d)
    2  (/lib64/libnsspem.so+0x16185)
    3  (/lib64/libnsspem.so+0x8a9b)
    4  (/lib64/libnsspem.so+0xe13b)
    5 in secmod_ModuleInit workdir/UnpackedTarball/nss/nss/lib/pk11wrap/pk11load.c:244:11
    ..
    21 in curl_easy_perform workdir/UnpackedTarball/curl/lib/easy.c:715:10

Also, with system NSS, things like p11-kit integration become
responsibility of the OS.

Change-Id: I50caedd46914dd5d6905c5d32d44a599cd78119e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120388
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
2022-04-29 20:24:58 +02:00

271 lines
9.3 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
#
# This file is part of the LibreOffice project.
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# verify that ELF NEEDED entries are known-good so hopefully builds run on
# lots of different GNU/Linux distributions
set -euo pipefail
PARA=1
check_path="${INSTDIR:-.}"
help()
{
cat << "EOF"
-d <dir> directory to check
-p run unbound parallel checks
-h help
EOF
[ -z "${1:-}" ] && exit 0
}
die()
{
echo "$1"
echo
help 1
exit 1
}
while [ "${1:-}" != "" ]; do
parm=${1%%=*}
arg=${1#*=}
has_arg=
if [ "${1}" != "${parm?}" ] ; then
has_arg=1
else
arg=""
fi
case "${parm}" in
--dir|-d)
if [ "$has_arg" ] ; then
check_path="$arg"
else
shift
check_path="$1"
fi
if [ ! -d "$check_path" ]; then
die "Invalid directory '$check_path'"
fi
;;
-h)
help
;;
-p)
# this sounds counter intuitive but the idea
# is to possibly support -p <n>
# in the meantime: 0 = nolimit and -p 1 would mean
# the current default: serialize
PARA=0
;;
-*)
die "Invalid option $1"
;;
*)
if [ "$DO_NEW" = 1 ] ; then
REPO="$1"
else
die "Invalid argument $1"
fi
;;
esac
shift
done
files=$(find "${check_path}/program" "${check_path}/sdk/bin" -type f)
# all RPATHs should point to ${INSTDIR}/program so that's the files they find
programfiles=$(echo ${files} | grep -o '/program/[^/]* ' | xargs -n 1 basename)
# allowlists should contain only system libraries that have a good reputation
# of maintaining ABI stability
# allow extending the allowlist using the environment variable to be able to work
# on the installer stuff without the need for a baseline setup
globalallowlist="ld-linux-x86-64.so.2 ld-linux.so.2 libc.so.6 libm.so.6 libdl.so.2 libpthread.so.0 librt.so.1 libutil.so.1 libnsl.so.1 libcrypt.so.1 libgcc_s.so.1 libstdc++.so.6 libz.so.1 libfontconfig.so.1 libfreetype.so.6 libxml2.so.2 libxslt.so.1 libexslt.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libssl3.so ${LO_ELFCHECK_ALLOWLIST-}"
x11allowlist="libX11.so.6 libX11-xcb.so.1 libXext.so.6 libSM.so.6 libICE.so.6 libXinerama.so.1 libXrender.so.1 libXrandr.so.2 libcairo.so.2"
openglallowlist="libGL.so.1"
gobjectallowlist="libgobject-2.0.so.0 libglib-2.0.so.0"
gdbusallowlist="libdbus-glib-1.so.2 libdbus-1.so.3 libgmodule-2.0.so.0 libgthread-2.0.so.0 ${gobjectallowlist}"
gioallowlist="libgio-2.0.so.0 ${gdbusallowlist}"
gstreamerallowlist="libgsttag-1.0.so.0 libgstaudio-1.0.so.0 libgstpbutils-1.0.so.0 libgstvideo-1.0.so.0 libgstbase-1.0.so.0 libgstreamer-1.0.so.0 ${gobjectallowlist}"
gtk3allowlist="libgtk-3.so.0 libgdk-3.so.0 libcairo-gobject.so.2 libpangocairo-1.0.so.0 libfribidi.so.0 libatk-1.0.so.0 libcairo.so.2 libpangoft2-1.0.so.0 libpango-1.0.so.0 libfontconfig.so.1 libfreetype.so.6 libgdk_pixbuf-2.0.so.0 libharfbuzz.so.0 ${gioallowlist}"
gtk4allowlist="libgtk-4.so.1 libcairo-gobject.so.2 libpangocairo-1.0.so.0 libatk-1.0.so.0 libcairo.so.2 libpango-1.0.so.0 libgdk_pixbuf-2.0.so.0 libharfbuzz.so.0 libgraphene-1.0.so.0 ${gioallowlist}"
qt5allowlist="libQt5Core.so.5 libQt5Gui.so.5 libQt5Network.so.5 libQt5Widgets.so.5 libQt5X11Extras.so.5 libcairo.so.2 libxcb.so.1 libxcb-icccm.so.4 ${gobjectallowlist}"
kf5allowlist="libKF5ConfigCore.so.5 libKF5CoreAddons.so.5 libKF5I18n.so.5 libKF5KIOCore.so.5 libKF5KIOFileWidgets.so.5 libKF5KIOWidgets.so.5 libKF5WindowSystem.so.5"
avahiallowlist="libavahi-common.so.3 libavahi-client.so.3 ${gdbusallowlist}"
kerberosallowlist="libgssapi_krb5.so.2 libcom_err.so.2 libkrb5.so.3"
dconfallowlist="libdconf.so.1 libgio-2.0.so.0 ${gobjectallowlist}"
check_one_file()
{
local file="$1"
skip=0
allowlist="${globalallowlist}"
case "${file}" in
*/sdk/docs/*)
# skip the majority of files, no ELF binaries here
skip=1
;;
*/_uuid.cpython-*.so)
allowlist="${allowlist} libuuid.so.1"
;;
*/libcairo.so.2)
allowlist="${allowlist} ${x11allowlist} libxcb-shm.so.0 libxcb.so.1 libxcb-render.so.0"
;;
*/libcairocanvaslo.so)
allowlist="${allowlist} libcairo.so.2"
;;
*/libucpgio1lo.so|*/liblosessioninstalllo.so|*/libevoablo.so)
allowlist="${allowlist} ${gioallowlist}"
;;
*/libavmediagst.so)
allowlist="${allowlist} ${gstreamerallowlist}"
;;
*/libavmediagtk.so)
allowlist="${allowlist} ${gtk4allowlist}"
;;
*/libvclplug_kf5lo.so|*/libkf5be1lo.so)
if [ "$ENABLE_KF5" = TRUE ]; then
allowlist="${allowlist} ${qt5allowlist} ${kf5allowlist}"
fi
;;
*/libvclplug_gtk3lo.so|*/updater)
allowlist="${allowlist} ${x11allowlist} ${gtk3allowlist}"
;;
*/libvclplug_gtk4lo.so)
allowlist="${allowlist} ${x11allowlist} ${gtk4allowlist}"
;;
*/libvclplug_qt5lo.so)
if [ "$ENABLE_QT5" = TRUE ]; then
allowlist="${allowlist} ${qt5allowlist}"
fi
;;
*/libvclplug_gtk3_kde5lo.so)
if [ "$ENABLE_GTK3_KDE5" = TRUE ]; then
allowlist="${allowlist} ${x11allowlist} ${gtk3allowlist} ${qt5allowlist} ${kf5allowlist}"
fi
;;
*/lo_kde5filepicker)
if [ "$ENABLE_GTK3_KDE5" = TRUE ]; then
allowlist="${allowlist} ${x11allowlist} ${gtk3allowlist} ${qt5allowlist} \
${kf5allowlist}"
fi
;;
*/libdesktop_detectorlo.so|*/oosplash|*/gengal.bin)
allowlist="${allowlist} ${x11allowlist}"
;;
*/libvclplug_genlo.so|*/libchartcorelo.so|*/libavmediaogl.so|*/libOGLTranslo.so|*/liboglcanvaslo.so)
allowlist="${allowlist} ${x11allowlist} ${openglallowlist}"
;;
*/libvcllo.so)
allowlist="${allowlist} ${x11allowlist} ${openglallowlist} ${gioallowlist} libcups.so.2"
;;
*/libsofficeapp.so)
allowlist="${allowlist} ${x11allowlist} ${openglallowlist} ${gioallowlist} libcups.so.2"
;;
*/liblibreofficekitgtk.so)
allowlist="${allowlist} ${gtk3allowlist}"
;;
*/libsdlo.so)
allowlist="${allowlist} ${avahiallowlist}"
;;
*/libskialo.so)
allowlist="${allowlist} ${openglallowlist} ${x11allowlist}"
;;
*/libofficebean.so)
allowlist="${allowlist} libjawt.so"
;;
*/libpostgresql-sdbc-impllo.so)
allowlist="${allowlist} ${kerberosallowlist}"
;;
*/libconfigmgrlo.so)
if [ "$ENABLE_DCONF" = TRUE ]; then
allowlist="${allowlist} ${dconfallowlist}"
fi
;;
*/libmergedlo.so)
allowlist="${allowlist} ${x11allowlist} ${openglallowlist} ${gioallowlist} ${dconfallowlist} libcups.so.2 libcairo.so.2"
;;
esac
if test "${skip}" = 0 && readelf -d "${file}" &> /dev/null ; then
rpath=$(readelf -d "${file}" | grep '(\(RPATH\|RUNPATH\))' || true)
neededs=$(readelf -d "${file}" | grep '(NEEDED)' | sed -e 's/.*\[\(.*\)\]$/\1/')
neededsinternal=
for needed in ${neededs}
do
if ! echo ${allowlist} | grep -q -w "${needed}" ; then
neededsinternal="${neededsinternal} ${needed}"
if ! echo ${programfiles} | grep -q -w "${needed}" ; then
echo "${file}" has suspicious NEEDED: "${needed}"
status=1
fi
fi
done
if test -z "${rpath}" ; then
case "${file}" in
*/python-core-*/lib/lib-dynload/*)
# python modules don't have RPATH
;;
*/share/extensions/*)
# extension libraries don't have RPATH
;;
*)
# no NEEDED from instdir, no RPATH needed
if test -n "${neededsinternal}" ; then
echo "${file}" has no RPATH
status=1
fi
;;
esac
else
case "$file" in
*/sdk/bin/*)
if echo "${rpath}" | grep -q -v '\[\$ORIGIN/../../program\]$' ; then
echo "${file}" has unexpected RPATH "${rpath}"
status=1
fi
;;
*)
if echo "${rpath}" | grep -q -v '\[\$ORIGIN\]$' ; then
echo "${file}" has unexpected RPATH "${rpath}"
status=1
fi
;;
esac
fi
fi
}
status=0
if [ "$PARA" = "1" ] ; then
for file in ${files}
do
check_one_file $file
done
else
rm -f check_elf.out
for file in ${files}
do
(
check_one_file $file
)>> check_elf.out &
done
wait
if [ -s check_elf.out ] ; then
cat check_elf.out
status=1
fi
rm check_elf.out
fi
exit ${status}
Reference in a new issue View git blame Copy permalink