Open
Bug 1459314
Opened 7 years ago
Updated 5 months ago
NSS is missing every(?) public symbol when -fvisibility=hidden is specified
Categories
(Firefox Build System :: General, enhancement, P3)
Firefox Build System
General
Tracking
(Not tracked)
NEW
People
(Reporter: tjr, Unassigned)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files, 1 obsolete file)
Whole bunch of errors of the form
> 0:07.58 /builds/worker/my-workspace/build/src/clang/bin/ld.lld: error: undefined symbol: NSS_Initialize
> 0:07.58 >>> referenced by mar_sign.c:37 (/builds/worker/my-workspace/build/src/modules/libmar/sign/mar_sign.c:37)
> 0:07.58 >>> lto.tmp:(main)
> 0:07.58 /builds/worker/my-workspace/build/src/clang/bin/ld.lld: error: undefined symbol: PK11_FindCertFromNickname
> 0:07.58 >>> referenced by mar.c:365 (/builds/worker/my-workspace/build/src/modules/libmar/tool/mar.c:365)
> 0:07.58 >>> lto.tmp:(main)
I compared a LTO build with a LTO+CFI build, taking NSS_Initialize as an arbitrary example. Sure enough, it's missing in the CFI build: https://www.diffchecker.com/QhA60FqE
|
Reporter | |
Comment 1•7 years ago
|
||
This does not occur with -fsanitize=cfi-cast-strict but it does occur with -fsanitize=cfi-icall. Neither of these require -fvisibility, so the error apparently does not related to that flag.
Are the undefined symbols always (for lack of knowing the elf term) "dllexport" functions?
|
|
Reporter | |
Comment 3•7 years ago
|
||
No longer a problem. Maybe upgrading clang solved it?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
|
|
Reporter | |
Comment 4•7 years ago
|
||
Nope, spoke to soon. This error comes from cfi-vcall
Example: https://treeherder.mozilla.org/#/jobs?repo=try&revision=260914a4b1b2cc32050fbff8fe9b927e43537165&selectedJob=182636347
Status: RESOLVED → UNCONFIRMED
Ever confirmed: false
Resolution: WORKSFORME → ---
|
|
Reporter | |
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Reporter | |
Comment 5•7 years ago
|
||
This is because the functions that don't get emitted to the DSO need an __attribute__((visibility("default"))) annotation
|
||
Comment 6•7 years ago
|
||
(In reply to Tom Ritter [:tjr] from comment #5)
> This is because the functions that don't get emitted to the DSO need an
> __attribute__((visibility("default"))) annotation
That doesn't sound right.
|
|
Reporter | |
Comment 7•7 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #6)
> (In reply to Tom Ritter [:tjr] from comment #5)
> > This is because the functions that don't get emitted to the DSO need an
> > __attribute__((visibility("default"))) annotation
>
> That doesn't sound right.
Ah... I didn't mention this; but this error occurs when adding -fvisibility=hidden to the build and linking command line tools to nss3 like signmar. Does that sound any better?
|
|
Reporter | |
Updated•7 years ago
|
Flags: needinfo?(mh+mozilla)
|
|
||
Comment 8•7 years ago
|
||
Why are you adding -fvisibility=hidden to the build?
Flags: needinfo?(mh+mozilla)
|
|
Reporter | |
Comment 9•7 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #8)
> Why are you adding -fvisibility=hidden to the build?
Some value of -fvisibility is required for cfi-vcall. fvisibility=hidden is the generally recommended option. https://clang.llvm.org/docs/ControlFlowIntegrity.html
Flags: needinfo?(mh+mozilla)
|
|
||
Comment 10•7 years ago
|
||
Except we set visibility in other ways. Which is why adding -fvisibility=hidden busts NSS. And does nothing useful on the rest on the build.
Flags: needinfo?(mh+mozilla)
|
|
Reporter | |
Updated•7 years ago
|
| Comment hidden (mozreview-request) |
|
|
Reporter | |
Comment 12•7 years ago
|
||
Regardless, fvisibility is a required compiler flag for CFI vcall to compile.
I've attached a horrible patch that adds the attribute to the public NSS functions, and allows a browser with vcall to compile and run. We may need to add the appropriate attribute (as indicated in this patch); but another option may include setting -fvisibility=default for NSS (although I think this will result in no CFI protection there).
|
|
Reporter | |
Comment 13•7 years ago
|
||
|
|
Reporter | |
Updated•7 years ago
|
Attachment #8995662 -
Attachment is obsolete: true
|
|
||
Comment 14•7 years ago
|
||
(In reply to Tom Ritter [:tjr] from comment #9)
> (In reply to Mike Hommey [:glandium] from comment #8)
> > Why are you adding -fvisibility=hidden to the build?
>
> Some value of -fvisibility is required for cfi-vcall. fvisibility=hidden is
> the generally recommended option.
> https://clang.llvm.org/docs/ControlFlowIntegrity.html
I'll have to insist that you don't use -fvisibility=hidden. What the page says is that the build needs to have visibility hidden associated with non public stuff so that CFI can work. That already *is* happening with the normal build. You don't need to pass -fvisibility=hidden to have symbols with hidden visibility in the build.
|
|
Reporter | |
Comment 15•7 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #14)
> (In reply to Tom Ritter [:tjr] from comment #9)
> > (In reply to Mike Hommey [:glandium] from comment #8)
> > > Why are you adding -fvisibility=hidden to the build?
> >
> > Some value of -fvisibility is required for cfi-vcall. fvisibility=hidden is
> > the generally recommended option.
> > https://clang.llvm.org/docs/ControlFlowIntegrity.html
>
> I'll have to insist that you don't use -fvisibility=hidden. What the page
> says is that the build needs to have visibility hidden associated with non
> public stuff so that CFI can work. That already *is* happening with the
> normal build. You don't need to pass -fvisibility=hidden to have symbols
> with hidden visibility in the build.
I will have to figure out what I need to change in the compiler to get it to accept vcall without specifying the compiler parameter.
Right now; the direct milestone for CFI is to get performance numbers on Windows acceptable; so I'll be using this local workaround for the time being until we know for certain we can land CFI at all; at which point cleaning up the ugly messes like this one will be the priority (and blockers for landing).
|
|
||
Comment 16•7 years ago
|
||
That the compiler requires -fvisibility=hidden is even worse on Windows, where it has no meaning: everything is hidden by default, unless __declspec(dllexport).
|
|
Reporter | |
Comment 17•7 years ago
|
||
|
||
Updated•7 years ago
|
Version: Version 3 → 3 Branch
|
|
Reporter | |
Updated•6 years ago
|
Assignee: tom → nobody
Type: defect → enhancement
Priority: -- → P3
Version: 3 Branch → Trunk
|
||
Updated•3 years ago
|
Severity: normal → S3
|
||
Comment 18•2 years ago
|
||
The following patches are waiting for review from an inactive reviewer:
| ID | Title | Author | Reviewer Status |
|---|---|---|---|
| D3041 | Bug 1459314 Add default visibility to a whole bunch of stuff in nss and sqlite to resolve missing symbol errors with cfi-vcall r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
| D3419 | Bug 1459314 Add default visibility to a whole bunch of stuff in nss and sqlite to resolve missing symbol errors with cfi-vcall r=Alex_Gaynor | tjr | Alex_Gaynor: Inactive |
:tjr, could you please find another reviewer or abandon the patch if it is no longer relevant?
For more information, please visit auto_nag documentation.
Flags: needinfo?(tom)
|
|
Reporter | |
Updated•2 years ago
|
Flags: needinfo?(tom)
|
||
Updated•2 years ago
|
Blocks: nss-external
You need to log in
before you can comment on or make changes to this bug.
Description
•