Merge #2798: stdenv and a few other big updates

Stdenv-changing things: - gcc 4.8.2 -> 4.8.3 - long-running grsecurity branch Others: - pkgconfig update - CVE for libtasn1, dbus Conflicts (simple): pkgs/development/compilers/ghc/7.6.3.nix
2014-06-16 10:23:36 +02:00
parent 5e16c9428b 9757785295
commit 1b78ca58bc
52 changed files with 2216 additions and 368 deletions
--- a/pkgs/development/compilers/gcc/4.6/builder.sh
+++ b/pkgs/development/compilers/gcc/4.6/builder.sh
@@ -33,7 +33,7 @@ if test "$noSysDirs" = "1"; then

        # The path to the Glibc binaries such as `crti.o'.
        glibc_libdir="$(cat $NIX_GCC/nix-support/orig-libc)/lib"
-        
+
    else
        # Hack: support impure environments.
        extraFlags="-isystem /usr/include"
@@ -214,7 +214,7 @@ postInstall() {
    # previous gcc.
    rm -rf $out/libexec/gcc/*/*/install-tools
    rm -rf $out/lib/gcc/*/*/install-tools
-    
+
    # More dependencies with the previous gcc or some libs (gccbug stores the build command line)
    rm -rf $out/bin/gccbug
    # Take out the bootstrap-tools from the rpath, as it's not needed at all having $out
@@ -240,6 +240,11 @@ postInstall() {
        fi
    done

+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
    eval "$postInstallGhdl"
 }

--- a/pkgs/development/compilers/gcc/4.6/default.nix
+++ b/pkgs/development/compilers/gcc/4.6/default.nix
@@ -99,7 +99,7 @@ let version = "4.6.3";
        withAbi = if gccAbi != null then " --with-abi=${gccAbi}" else "";
        withFpu = if gccFpu != null then " --with-fpu=${gccFpu}" else "";
        withFloat = if gccFloat != null then " --with-float=${gccFloat}" else "";
-      in 
+      in
        (withArch +
        withCpu +
        withAbi +
--- a/pkgs/development/compilers/gcc/4.8/bug-58800.patch
+++ b/pkgs/development/compilers/gcc/4.8/bug-58800.patch
@@ -1,79 +0,0 @@
-Index: gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h
-===================================================================
--- gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h	(revision 203872)
-+++ gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h	(revision 203873)
-@@ -2279,7 +2279,7 @@
- 				_RandomAccessIterator __last)
-     {
-       _RandomAccessIterator __mid = __first + (__last - __first) / 2;
-      std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2));
-+      std::__move_median_to_first(__first, __first + 1, __mid, __last - 1);
-       return std::__unguarded_partition(__first + 1, __last, *__first);
-     }
- 
-@@ -2291,7 +2291,7 @@
- 				_RandomAccessIterator __last, _Compare __comp)
-     {
-       _RandomAccessIterator __mid = __first + (__last - __first) / 2;
-      std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2),
-+      std::__move_median_to_first(__first, __first + 1, __mid, __last - 1,
- 				  __comp);
-       return std::__unguarded_partition(__first + 1, __last, *__first, __comp);
-     }
-Index: gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc
-===================================================================
--- gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc	(revision 0)
-+++ gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc	(revision 203873)
-@@ -0,0 +1,52 @@
-+// Copyright (C) 2013 Free Software Foundation, Inc.
-+//
-+// This file is part of the GNU ISO C++ Library.  This library is free
-+// software; you can redistribute it and/or modify it under the
-+// terms of the GNU General Public License as published by the
-+// Free Software Foundation; either version 3, or (at your option)
-+// any later version.
-+
-+// This library is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+// GNU General Public License for more details.
-+
-+// You should have received a copy of the GNU General Public License along
-+// with this library; see the file COPYING3.  If not see
-+// <http://www.gnu.org/licenses/>.
-+
-+// 25.3.2 [lib.alg.nth.element]
-+
-+// { dg-options "-std=gnu++11" }
-+
-+#include <algorithm>
-+#include <testsuite_hooks.h>
-+#include <testsuite_iterators.h>
-+
-+using __gnu_test::test_container;
-+using __gnu_test::random_access_iterator_wrapper;
-+
-+typedef test_container<int, random_access_iterator_wrapper> Container;
-+
-+void test01()
-+{
-+  std::vector<int> v = {
-+    207089,
-+    202585,
-+    180067,
-+    157549,
-+    211592,
-+    216096,
-+    207089
-+  };
-+
-+  Container con(v.data(), v.data() + 7);
-+
-+  std::nth_element(con.begin(), con.begin() + 3, con.end());
-+}
-+
-+int main()
-+{
-+  test01();
-+  return 0;
-+}
--- a/pkgs/development/compilers/gcc/4.8/builder.sh
+++ b/pkgs/development/compilers/gcc/4.8/builder.sh
@@ -239,6 +239,11 @@ postInstall() {
        fi
    done

+    # Disable RANDMMAP on grsec, which causes segfaults when using
+    # precompiled headers.
+    # See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
+    paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
+
    eval "$postInstallGhdl"
 }

--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -54,7 +54,7 @@ assert langGo -> langCC;
 with stdenv.lib;
 with builtins;

-let version = "4.8.2";
+let version = "4.8.3";

    # Whether building a cross-compiler for GNU/Hurd.
    crossGNU = cross != null && cross.config == "i586-pc-gnu";
@@ -64,7 +64,7 @@ let version = "4.8.2";
  */
    enableParallelBuilding = !profiledCompiler;

-    patches = [ ./bug-58800.patch ] # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58800
+    patches = []
      ++ optional enableParallelBuilding ./parallel-bconfig.patch
      ++ optional (cross != null) ./libstdc++-target.patch
      # ++ optional noSysDirs ./no-sys-dirs.patch
@@ -212,7 +212,7 @@ stdenv.mkDerivation ({

  src = fetchurl {
    url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2";
-    sha256 = "1j6dwgby4g3p3lz7zkss32ghr45zpdidrg8xvazvn91lqxv25p09";
+    sha256 = "07hg10zs7gnqz58my10ch0zygizqh0z0bz6pv4pgxx45n48lz3ka";
  };

  inherit patches;
--- a/pkgs/development/compilers/ghc/6.10.4.nix
+++ b/pkgs/development/compilers/ghc/6.10.4.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
    "--with-gcc=${stdenv.gcc}/bin/gcc"
  ];

+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
  meta = {
    inherit homepage;
    description = "The Glasgow Haskell Compiler";
--- a/pkgs/development/compilers/ghc/6.12.3.nix
+++ b/pkgs/development/compilers/ghc/6.12.3.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
    "--with-gcc=${stdenv.gcc}/bin/gcc"
  ];

+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
  # required, because otherwise all symbols from HSffi.o are stripped, and
  # that in turn causes GHCi to abort
  stripDebugFlags=["-S" "--keep-file-symbols"];
--- a/pkgs/development/compilers/ghc/7.0.4.nix
+++ b/pkgs/development/compilers/ghc/7.0.4.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
    "--with-gcc=${stdenv.gcc}/bin/gcc"
  ];

+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
  # required, because otherwise all symbols from HSffi.o are stripped, and
  # that in turn causes GHCi to abort
  stripDebugFlags=["-S" "--keep-file-symbols"];
--- a/pkgs/development/compilers/ghc/7.2.2.nix
+++ b/pkgs/development/compilers/ghc/7.2.2.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
    "--with-gcc=${stdenv.gcc}/bin/gcc"
  ];

+  NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
+
  # required, because otherwise all symbols from HSffi.o are stripped, and
  # that in turn causes GHCi to abort
  stripDebugFlags=["-S" "--keep-file-symbols"];
--- a/pkgs/development/compilers/ghc/7.6.3.nix
+++ b/pkgs/development/compilers/ghc/7.6.3.nix
@@ -1,6 +1,13 @@
-{ stdenv, fetchurl, ghc, perl, gmp, ncurses }:
+{ stdenv, fetchurl, ghc, perl, gmp, ncurses, binutils }:

-stdenv.mkDerivation rec {
+let
+  # The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
+  # to the gold linker). It prevents binaries' stacks from being marked as
+  # executable, which fails to run on a grsecurity/PaX kernel.
+  ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
+  cFlags = "-Wa,--noexecstack";
+
+in stdenv.mkDerivation rec {
  version = "7.6.3";

  name = "ghc-${version}";
@@ -12,21 +19,40 @@ stdenv.mkDerivation rec {

  buildInputs = [ ghc perl gmp ncurses ];

-
  buildMK = ''
    libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
    libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for building ghc itself
+    SRC_HC_OPTS += ${ghcFlags}
+    SRC_CC_OPTS += ${cFlags}
  '';

  preConfigure = ''
    echo "${buildMK}" > mk/build.mk
    sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
+
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
+    # Set ghcFlags for binaries that ghc builds
+    sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
+
  '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
    export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
  '';

  configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";

+  postInstall = ''
+    # ghci uses mmap with rwx protection at it implements dynamic
+    # linking on its own. See:
+    # - https://bugs.gentoo.org/show_bug.cgi?id=299709
+    # - https://ghc.haskell.org/trac/ghc/ticket/4244
+    # Therefore, we have to pax-mark the resulting binary.
+    # Haddock also seems to run with ghci, so mark it as well.
+    paxmark m $out/lib/${name}/{ghc,haddock}
+  '';
+
  # required, because otherwise all symbols from HSffi.o are stripped, and
  # that in turn causes GHCi to abort
  stripDebugFlags=["-S" "--keep-file-symbols"];
--- a/pkgs/development/compilers/icedtea/default.nix
+++ b/pkgs/development/compilers/icedtea/default.nix
@@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
    "--disable-downloading"

    "--without-rhino"
-    # Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl"
+    "--with-pax=paxctl"
    "--with-jdk-home=${jdkPath}"
  ];

--- a/pkgs/development/compilers/jdk/jdk7-linux.nix
+++ b/pkgs/development/compilers/jdk/jdk7-linux.nix
@@ -2,6 +2,7 @@
 , stdenv
 , requireFile
 , unzip
+, file
 , xlibs ? null
 , installjdk ? true
 , pluginSupport ? true
@@ -71,10 +72,20 @@ stdenv.mkDerivation rec {
    else
      abort "jdk requires i686-linux or x86_64 linux";

-  buildInputs = if installjce then [ unzip ] else [];
+  nativeBuildInputs = [ file ]
+    ++ stdenv.lib.optional installjce unzip;

  installPhase = ''
    cd ..
+
+    # Set PaX markings
+    exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    for file in $exes; do
+      paxmark m "$file"
+      # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+      ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+    done
+
    if test -z "$installjdk"; then
      mv $sourceRoot/jre $out
    else
--- a/pkgs/development/compilers/llvm/3.3/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.3/llvm.nix
@@ -22,11 +22,20 @@ in stdenv.mkDerivation rec {

  cmakeFlags = with stdenv; [
    "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
    "-DLLVM_ENABLE_FFI=ON"
    "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
    "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa
  ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";

+  postBuild = ''
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
  enableParallelBuilding = true;

  doCheck = true;
--- a/pkgs/development/compilers/llvm/3.4/dragonegg.nix
+++ b/pkgs/development/compilers/llvm/3.4/dragonegg.nix
@@ -1,10 +1,18 @@
-{stdenv, fetch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}:
+{stdenv, fetch, fetchpatch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}:

 stdenv.mkDerivation rec {
  name = "dragonegg-${version}";

  src = fetch "dragonegg" "1733czbvby1ww3xkwcwmm0km0bpwhfyxvf56wb0zv5gksp3kbgrl";

+  patches = [(fetchpatch {
+    url = "https://llvm.org/viewvc/llvm-project/dragonegg/trunk/src/x86/ABIHack.inc"
+      + "?r1=208730&r2=208729&view=patch";
+    sha256 = "1al82gqz90hzjx24p0wls029lw2bgnlgd209kgvxsp82p4z1v1c1";
+    name = "bug-18548.patch";
+  })];
+  patchFlags = "-p2";
+
  # The gcc the plugin will be built for (the same used building dragonegg)
  GCC = "gcc";

--- a/pkgs/development/compilers/llvm/3.4/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.4/llvm.nix
@@ -36,15 +36,25 @@ in stdenv.mkDerivation rec {
    mkdir -p $out/
    ln -sv $PWD/lib $out
  '';
-  postBuild = "rm -fR $out";

  cmakeFlags = with stdenv; [
    "-DCMAKE_BUILD_TYPE=Release"
+    "-DLLVM_BUILD_TESTS=ON"
    "-DLLVM_ENABLE_FFI=ON"
    "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
    "-DCMAKE_CXX_FLAGS=-std=c++11"
  ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";

+  postBuild = ''
+    rm -fR $out
+
+    paxmark m bin/{lli,llvm-rtdyld}
+
+    paxmark m unittests/ExecutionEngine/JIT/JITTests
+    paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
+    paxmark m unittests/Support/SupportTests
+  '';
+
  enableParallelBuilding = true;

  passthru.src = src;
--- a/pkgs/development/compilers/openjdk/bootstrap.nix
+++ b/pkgs/development/compilers/openjdk/bootstrap.nix
@@ -1,4 +1,4 @@
-{ runCommand, glibc, fetchurl }:
+{ stdenv, runCommand, glibc, fetchurl, file }:

 let
  # !!! These should be on nixos.org
@@ -18,4 +18,12 @@ in
 runCommand "openjdk-bootstrap" {} ''
  xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv
  mv openjdk-bootstrap $out
+
+  # Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
+  exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+  for file in $exes; do
+    paxmark m "$file"
+    # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+    ${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
+  done
 ''
--- a/pkgs/development/compilers/openjdk/default.nix
+++ b/pkgs/development/compilers/openjdk/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups
-, which, jdk, nettools, xorg
+, which, jdk, nettools, xorg, file
 , fontconfig, cpio, cacert, perl, setJavaClassPath }:

 let
@@ -19,6 +19,9 @@ let

  build = "43";

+  # On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
+  paxflags = if stdenv.isi686 then "msp" else "m";
+
 in

 stdenv.mkDerivation rec {
@@ -35,7 +38,7 @@ stdenv.mkDerivation rec {
    [ unzip procps ant which zip cpio nettools alsaLib
      xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst
      xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir
-      fontconfig perl
+      fontconfig perl file
    ];

  NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama";
@@ -49,7 +52,7 @@ stdenv.mkDerivation rec {
      openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk
  '';

-  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ];
+  patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ];

  NIX_NO_SELF_RPATH = true;

@@ -72,6 +75,14 @@ stdenv.mkDerivation rec {

  configurePhase = "true";

+  preBuild = ''
+    # We also need to PaX-mark in the middle of the build
+    substituteInPlace hotspot/make/linux/makefiles/launcher.make \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+    substituteInPlace jdk/make/common/Program.gmk  \
+       --replace XXX_PAXFLAGS_XXX ${paxflags}
+  '';
+
  installPhase = ''
    mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk

@@ -98,6 +109,14 @@ stdenv.mkDerivation rec {
    rm -rf $out/lib/openjdk/jre/bin
    ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin

+    # Set PaX markings
+    exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
+    echo "to mark: *$exes*"
+    for file in $exes; do
+      echo "marking *$file*"
+      paxmark ${paxflags} "$file"
+    done
+
    # Remove duplicate binaries.
    for i in $(cd $out/lib/openjdk/bin && echo *); do
      if [ "$i" = java ]; then continue; fi
--- a/pkgs/development/compilers/openjdk/paxctl.patch
+++ b/pkgs/development/compilers/openjdk/paxctl.patch
@@ -0,0 +1,28 @@
+diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make
+index 34bbcd6..41b9332 100644
+--- a/hotspot/make/linux/makefiles/launcher.make
+++ b/hotspot/make/linux/makefiles/launcher.make
+@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE)
+ 	$(QUIETLY) echo Linking launcher...
+ 	$(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK)
+ 	$(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER)
+	paxctl -c $(LAUNCHER)
+	paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER)
+ 	$(QUIETLY) $(LINK_LAUNCHER/POST_HOOK)
+ 
+ $(LAUNCHER): $(LAUNCHER_SCRIPT)
+diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk
+index 091800d..1de8cb4 100644
+--- a/jdk/make/common/Program.gmk
+++ b/jdk/make/common/Program.gmk
+@@ -60,6 +60,10 @@ ACTUAL_PROGRAM      = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME)
+ program_default_rule: all
+ 
+ program: $(ACTUAL_PROGRAM)
+	if [[ "$(PROGRAM)" = "java" ]]; then \
+		paxctl -c $(ACTUAL_PROGRAM); \
+		paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \
+	fi
+ 
+ # Work-around for missing processor specific mapfiles
+ ifndef CROSS_COMPILE_ARCH