diff --git a/builder/cc_builder.rs b/builder/cc_builder.rs --- a/builder/cc_builder.rs +++ b/builder/cc_builder.rs @@ -26,7 +26,7 @@ }; use std::cell::Cell; use std::collections::HashMap; -use std::path::PathBuf; +use std::path::{Path, PathBuf}; #[non_exhaustive] #[derive(PartialEq, Eq)] @@ -681,6 +681,16 @@ } let mut memcmp_compile_args = Vec::from(memcmp_compiler.args()); + // Keep the probe self-contained and avoid invoking external debug tools + // (for example `dsymutil`) that may be missing in hermetic sandboxes. + memcmp_compile_args.retain(|arg| { + let Some(arg_str) = arg.to_str() else { + return true; + }; + !arg_str.starts_with("-g") + }); + memcmp_compile_args.push("-g0".into()); + // This check invokes the compiled executable and hence needs to link // it. CMake handles this via LDFLAGS but `cc` doesn't. In setups with // custom linker setups this could lead to a mismatch between the @@ -692,6 +702,15 @@ } } + if let Some(execroot) = Self::bazel_execroot(self.manifest_dir.as_path()) { + // In Bazel build-script sandboxes, `cc` can pass `bazel-out/...` args + // relative to the execroot while the process runs from elsewhere. + // Normalize those args to absolute paths so this check can still link. + for arg in &mut memcmp_compile_args { + Self::rewrite_bazel_execroot_arg(execroot.as_path(), arg); + } + } + memcmp_compile_args.push( self.manifest_dir .join("aws-lc") @@ -742,6 +761,40 @@ ); let _ = fs::remove_file(exec_path); } + + fn rewrite_bazel_execroot_arg(execroot: &Path, arg: &mut std::ffi::OsString) { + let Some(arg_str) = arg.to_str() else { + return; + }; + + if arg_str.starts_with("bazel-out/") { + *arg = execroot.join(arg_str).into_os_string(); + return; + } + + for flag_prefix in ["-B", "-L"] { + if let Some(path) = arg_str.strip_prefix(flag_prefix) { + if path.starts_with("bazel-out/") { + *arg = format!("{flag_prefix}{}", execroot.join(path).display()).into(); + return; + } + } + } + } + + fn bazel_execroot(path: &Path) -> Option { + let mut prefix = PathBuf::new(); + for component in path.components() { + if component.as_os_str() == "bazel-out" { + return Some(prefix); + } + + prefix.push(component.as_os_str()); + } + + None + } + fn run_compiler_checks(&self, cc_build: &mut cc::Build) { if self.compiler_check("stdalign_check", Vec::<&'static str>::new()) { cc_build.define("AWS_LC_STDALIGN_AVAILABLE", Some("1")); diff --git a/builder/main.rs b/builder/main.rs --- a/builder/main.rs +++ b/builder/main.rs @@ -944,10 +944,12 @@ // iterate over all the include paths and copy them into the final output for path in include_paths { for child in std::fs::read_dir(path).into_iter().flatten().flatten() { - if child.file_type().map_or(false, |t| t.is_file()) { + let child_path = child.path(); + + if child_path.is_file() { std::fs::copy( - child.path(), - include_dir.join(child.path().file_name().unwrap()), + &child_path, + include_dir.join(child_path.file_name().unwrap()), ) .expect("Failed to copy include file during build setup"); continue; @@ -957,7 +959,7 @@ let options = fs_extra::dir::CopyOptions::new() .skip_exist(true) .copy_inside(true); - fs_extra::dir::copy(child.path(), &include_dir, &options) + fs_extra::dir::copy(child_path, &include_dir, &options) .expect("Failed to copy include directory during build setup"); } }