
bintools-wrapper: enable strictflexarrays1 hardening flag by default #473648

Merged
risicle merged 1 commit into NixOS:staging from risicle:ris-strictflexarrays1-default on Feb 11, 2026

Conversation

risicle (Contributor) commented Dec 23, 2025

See #400408 for introduction of this flag.

Have built a lot of packages across nixos x86_64 (including pkgsi686Linux, pkgsStatic, pkgsMusl, pkgsCross.aarch64-multiplatform) & macos 14 x86_64 without stumbling across any new bugs caused by this. I'm not hugely surprised as I did a lot of building at the time of introducing this flag and didn't find any packages with problems against it then.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@risicle risicle added the 6.topic: stdenv Standard environment label Dec 23, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 8.has: documentation This PR adds or changes documentation and removed 6.topic: stdenv Standard environment labels Dec 23, 2025
@RossSmyth RossSmyth removed their request for review December 26, 2025 04:58
@nixpkgs-ci nixpkgs-ci bot requested a review from RossSmyth December 26, 2025 05:14
Eveeifyeve (Member) commented Jan 20, 2026

Looking into this now, about to run nixpkgs-review for the darwin section. The Linux section would have to be done by someone with a much more powerful machine, as my Linux is only via the linux-builder, which only has 4 cores.

Looking at the changes, they seem good; it's more like testing for broken packages. It might be worth seeing what Hydra sees on this PR.

@Eveeifyeve Eveeifyeve added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Jan 20, 2026
risicle (Contributor, Author) commented Jan 20, 2026

Oh, nixpkgs-review isn't really going to work for anything on the staging branch unless you're happy rebuilding the whole of nixpkgs. I stick to building key and known-awkward packages.

Eveeifyeve (Member)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 473648 --package bazel
Commit: 6980bafab2c123b5cec01e61a5e57e313926c977

aarch64-darwin

❌ 1 package failed to build:
  • bazel

Eveeifyeve (Member)

Logs:

⋮
         /nix/store/5x6x6868d3axs34579hcq0j48kf5f77l-sqlite-3.51.2-dev
         /nix/store/ap5p72brfvgd1vk5s9ggrmjsfqj8wx4q-sqlite-3.51.2-bin
         /nix/store/rlc10dp6p1v3jzkhipn7n8lwpnh5jryp-sqlite-3.51.2
       Last 25 log lines:
       >     (procedure "slave_test_file" line 23)
       >     invoked from within
       > "slave_test_file $file"
       >     (procedure "run_tests" line 36)
       >     invoked from within
       > "run_tests veryquick -presql {} -files {/nix/var/nix/builds/nix-24627-3975004287/sqlite-src-…
       >     ("uplevel" body line 1)
       >     invoked from within
       > "uplevel run_tests $name $::testspec($name)"
       >     (procedure "run_test_suite" line 5)
       >     invoked from within
       > "run_test_suite veryquick"
       >     (file "/nix/var/nix/builds/nix-24627-3975004287/sqlite-src-3510200/test/veryquick.test" …
       >     invoked from within
       > "source $argv0"
       >     invoked from within
       > "if {[llength $argv]>=1} {
       > set argv0 [lindex $argv 0]
       > set argv [lrange $argv 1 end]
       > source $argv0
       > } else {
       > set line {}
       > while {![eof stdin]} {
       > if {$line..."
       > make: *** [/nix/var/nix/builds/nix-24627-3975004287/sqlite-src-3510200/main.mk:1852: tcltest…
       For full logs, run:
         nix log /nix/store/jwfb2awjy32lqhmvbh7826wv1k78z0bd-sqlite-3.51.2.drv

Eveeifyeve (Member)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 473648 --package sqlite
Commit: 6980bafab2c123b5cec01e61a5e57e313926c977

aarch64-darwin

❌ 5 packages failed to build:
  • sqlite
  • sqlite.bin (sqlite.bin.bin, sqlite.bin.dev, sqlite.bin.doc, sqlite.bin.man)
  • sqlite.dev (sqlite.dev.bin, sqlite.dev.dev, sqlite.dev.doc, sqlite.dev.man)
  • sqlite.doc (sqlite.doc.bin, sqlite.doc.dev, sqlite.doc.doc, sqlite.doc.man)
  • sqlite.man (sqlite.man.bin, sqlite.man.dev, sqlite.man.doc, sqlite.man.man)

risicle (Contributor, Author) commented Jan 22, 2026

Do you by any chance get the same error on the head of staging? As I say, nixpkgs-review and staging don't mix very well partly because its default mode is to build against a merge-commit, which will change a lot from one build to the next on a busy branch like staging.

mweinelt (Member) commented Feb 9, 2026

Built sqlite just fine on aarch64-darwin on top of yesterday's merge-base between master and staging.

mweinelt (Member) commented Feb 9, 2026

And bazel on aarch64-darwin is also fine. I think this is probably fine to merge.

@github-project-automation github-project-automation bot moved this to In Progress in Stdenv Feb 9, 2026
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Feb 9, 2026
@risicle risicle added this pull request to the merge queue Feb 11, 2026
Merged via the queue into NixOS:staging with commit 9a6599e Feb 11, 2026
42 checks passed
@risicle risicle deleted the ris-strictflexarrays1-default branch February 11, 2026 22:21
@github-project-automation github-project-automation bot moved this from In Progress to Done in Stdenv Feb 11, 2026
RossComputerGuy (Member)

This breaks aarch64-linux:

error: Cannot build '/nix/store/25szfqz836lmypkvmrwa22zsn4xqf3wq-expand-response-params.drv'.
       Reason: builder failed with exit code 1.
       Output paths:
         /nix/store/hd0k8s0c341wxg041g78jhggsic6s1ws-expand-response-params
       Last 9 log lines:
       > Running phase: unpackPhase
       > Running phase: patchPhase
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: configurePhase
       > no configure script, doing nothing
       > Running phase: buildPhase
       > gcc: error: unrecognized command-line option '-fstrict-flex-arrays=1'
       > /nix/store/9l34ijwa4q1wp0nnjbmnnrvgm8cgkn8v-bootstrap-stage1-stdenv-linux/setup: line 1824: pop_var_context: head of shell_variables not a function context
       > /nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.sh: line 1: pop_var_context: head of shell_variables not a function context
       For full logs, run:
         nix log /nix/store/25szfqz836lmypkvmrwa22zsn4xqf3wq-expand-response-params.drv

risicle (Contributor, Author) commented Feb 12, 2026

😕 what changed between when I branched off and merged? Obviously I had tested pkgsExtraHardening numerous times on aarch64-linux since adding strictflexarrays1 to it.

RossComputerGuy (Member)

pkgsExtraHardening.stdenv != stdenv on aarch64-linux. This broke the bootstrap; I believe it was stage 1 or 2. The problem is that the bootstrap for aarch64-linux hasn't been updated in 3 years: it has been using GCC 12, which does not support -fstrict-flex-arrays=1. GCC 13 and newer support it; the fix is to merge #489675, since that bumps the bootstrap to the latest.
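
The breakage above is an old bootstrap compiler rejecting a flag it has never heard of. The following is an added example, not code from nixpkgs or its cc-wrapper: a POSIX shell probe that compiles a trivial translation unit with each candidate hardening flag and drops the ones the compiler named by CC (default cc) rejects, plus a small extractor that pulls the rejected flag out of a log line like the one quoted. The function names, the cc default and the sample log text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not nixpkgs code: gate a hardening flag on compiler support,
# the check that the GCC 12 bootstrap compiler in this thread lacked.

# Constructed sample log, modelled on the aarch64-linux failure quoted above.
SAMPLE_LOG="> Running phase: buildPhase
> gcc: error: unrecognized command-line option '-fstrict-flex-arrays=1'
> make: *** [Makefile:12: all] Error 1"

# Read a build log on stdin and print each flag the compiler reported as
# unrecognized, one per line (GCC's wording; clang says "unknown argument").
unrecognized_flags() {
    sed -n "s/.*unrecognized command-line option '\([^']*\)'.*/\1/p"
}

# Return 0 if the compiler named by $CC (default: cc) accepts flag $1 when
# compiling a trivial translation unit. Any diagnostic on stderr counts as a
# rejection, so a mere "unrecognized option" warning is not treated as support.
flag_supported() {
    _cc="${CC:-cc}"
    if _err=$(printf 'int main(void) { return 0; }\n' \
                | "$_cc" -x c - -c -o /dev/null "$1" 2>&1 >/dev/null) \
       && [ -z "$_err" ]; then
        return 0
    fi
    return 1
}

# Print only those of the given flags that the compiler accepts; report the
# rest on stderr instead of letting them reach the build and abort it.
filter_supported_flags() {
    for _f in "$@"; do
        if flag_supported "$_f"; then
            printf '%s\n' "$_f"
        else
            printf 'skipping %s: not supported by %s\n' "$_f" "${CC:-cc}" >&2
        fi
    done
}

# Stand-alone demonstration: extract the flag from the sample log, then, if a
# compiler is available, see which of three candidate flags it accepts.
printf '%s\n' "$SAMPLE_LOG" | unrecognized_flags
if command -v "${CC:-cc}" >/dev/null 2>&1; then
    filter_supported_flags -O2 -fstrict-flex-arrays=1 -fthis-flag-does-not-exist
fi
```

Run with CC pointed at the bootstrap compiler to see -fstrict-flex-arrays=1 dropped on GCC 12 and kept on GCC 13 or newer; the probe costs one tiny compile per flag and can be cached per compiler store path.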

risicle (Contributor, Author) commented Feb 12, 2026

pkgsExtraHardening does do a full bootstrap though - it's not a cross-build. Am re-checking my assumptions.

RossComputerGuy (Member)

I thought it reuses stages 1 - 4 and then injects a new compiler into stage 5.

risicle (Contributor, Author) commented Feb 12, 2026

Huh ... it at least builds from stage 2.
