Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Compile failure on 16.13.2 & 17.4.0 on RHEL8 #41633

Closed
FireBurn opened this issue Jan 21, 2022 · 19 comments
Closed

Compile failure on 16.13.2 & 17.4.0 on RHEL8 #41633

FireBurn opened this issue Jan 21, 2022 · 19 comments
Labels
build Issues and PRs related to build files or the CI.

Comments

@FireBurn
Copy link

FireBurn commented Jan 21, 2022

Version

16.13.2 & 17.4.0

Platform

RHEL8

Subsystem

No response

What steps will reproduce the bug?

Building nodejs on RHEL8

/usr/bin/ld: /apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/test_crypto_engine/test/fixtures/test_crypto_engine.o: relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [test_crypto_engine.target.mk:125: /apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/libtest_crypto_engine.so] Error 1
make[1]: *** Waiting for unfinished jobs....
ar crsT /apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/tools/icu/libicui18n.a @/apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/tools/icu/libicui18n.a.ar-file-list
ar crsT /apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/tools/icu/libicuucx.a @/apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/tools/icu/libicuucx.a.ar-file-list
ar crsT /apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/deps/openssl/libopenssl.a @/apps/was/jenkins/workspace/Compile_GitLab/node-v17.4.0/out/Release/obj.target/deps/openssl/libopenssl.a.ar-file-list
rm 543516193a908c04f2824127f631a1a630a35199.intermediate
make: *** [Makefile:113: node] Error 2
Build step 'Execute shell' marked build as failure
Finished: FAILURE

This happens with v16.13.2 but doesn't happen with v16.13.0

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No response

What do you see instead?

Compile failure

Additional information

Configured with

export CFLAGS="-O3 -march=haswell -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
export CXXFLAGS=${CFLAGS}
export LDFLAGS="-Wl,-z,now -Wl,-z,relro"

BUILDTYPE=Release ./configure --shared-zlib

gcc version 8.5.0 20210514
GNU ld version 2.30-108.el8_5.1

@mhdawson
Copy link
Member

test_crypto_engine modified in 16.13.1 - #40481

@mhdawson
Copy link
Member

@FireBurn can you see if #40965 is related/fixes the issue you are seeing?

@Mesteery Mesteery added the build Issues and PRs related to build files or the CI. label Jan 22, 2022
@FireBurn
Copy link
Author

That doesn't seem to have worked

+ wget -nv https://nodejs.org/dist/v16.13.2/node-v16.13.2.tar.gz
2022-01-24 10:25:10 URL:https://nodejs.org/dist/v16.13.2/node-v16.13.2.tar.gz [64437444/64437444] -> "node-v16.13.2.tar.gz" [1]
+ tar xf node-v16.13.2.tar.gz
+ cd node-v16.13.2
+ wget https://patch-diff.githubusercontent.com/raw/nodejs/node/pull/40965.patch
--2022-01-24 10:25:11--  https://patch-diff.githubusercontent.com/raw/nodejs/node/pull/40965.patch
Resolving patch-diff.githubusercontent.com (patch-diff.githubusercontent.com)... 140.82.121.3
Connecting to patch-diff.githubusercontent.com (patch-diff.githubusercontent.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Cookie coming from patch-diff.githubusercontent.com attempted to set domain to github.com
Length: unspecified [text/plain]
Saving to: ���40965.patch���

     0K                                                        22.1M=0s

2022-01-24 10:25:12 (22.1 MB/s) - ���40965.patch��� saved [936]

+ patch -p1
patching file node.gyp
Hunk #1 succeeded at 1393 (offset -83 lines).
+ BUILDTYPE=Release
+ ./configure --prefix=/apps/was/gitlab/embedded --shared-zlib
Node.js configure: Found Python 3.6.8...
INFO: configure completed successfully
+ make -j10

...

  cc -o /apps/was/jenkins/workspace/Compile_GitLab/node-v16.13.2/out/Release/obj.target/openssl-cli/deps/openssl/openssl/apps/ca.o ../deps/openssl/openssl/apps/ca.c '-DV8_DEPRECATION_WARNINGS' '-DV8_IMMINENT_DEPRECATION_WARNINGS' '-D_GLIBCXX_USE_CXX11_ABI=1' '-D__STDC_FORMAT_MACROS' '-DOPENSSL_NO_PINSHARED' '-DOPENSSL_THREADS' '-DNDEBUG' '-DOPENSSL_USE_NODELETE' '-DL_ENDIAN' '-DOPENSSL_PIC' '-DOPENSSL_CPUID_OBJ' '-DOPENSSL_IA32_SSE2' '-DOPENSSL_BN_ASM_MONT' '-DOPENSSL_BN_ASM_MONT5' '-DOPENSSL_BN_ASM_GF2m' '-DSHA1_ASM' '-DSHA256_ASM' '-DSHA512_ASM' '-DKECCAK1600_ASM' '-DRC4_ASM' '-DMD5_ASM' '-DAESNI_ASM' '-DVPAES_ASM' '-DGHASH_ASM' '-DECP_NISTZ256_ASM' '-DX25519_ASM' '-DPOLY1305_ASM' '-DOPENSSLDIR="/etc/ssl"' '-DENGINESDIR="/dev/null"' '-DTERMIOS' -I../deps/openssl/openssl -I../deps/openssl/openssl/include -I../deps/openssl/openssl/crypto -I../deps/openssl/openssl/crypto/include -I../deps/openssl/openssl/crypto/modes -I../deps/openssl/openssl/crypto/ec/curve448 -I../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I../deps/openssl/config -I../deps/openssl/config/archs/linux-x86_64/asm/include -I../deps/openssl/openssl/include  -pthread -Wall -Wextra -Wno-unused-parameter -m64 -Wa,--noexecstack -Wall -O3 -pthread -m64 -Wall -O3 -Wno-missing-field-initializers -Wno-old-style-declaration -O3 -fno-omit-frame-pointer  -MMD -MF /apps/was/jenkins/workspace/Compile_GitLab/node-v16.13.2/out/Release/.deps//apps/was/jenkins/workspace/Compile_GitLab/node-v16.13.2/out/Release/obj.target/openssl-cli/deps/openssl/openssl/apps/ca.o.d.raw  -O3 -march=haswell -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 -c
/usr/bin/ld: /apps/was/jenkins/workspace/Compile_GitLab/node-v16.13.2/out/Release/obj.target/test_crypto_engine/test/fixtures/test_crypto_engine.o: relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
make[1]: *** [test_crypto_engine.target.mk:123: /apps/was/jenkins/workspace/Compile_GitLab/node-v16.13.2/out/Release/obj.target/libtest_crypto_engine.so] Error 1
make[1]: *** Waiting for unfinished jobs....
rm 22e33bd4ab16bef6fd40acbd0ca68340c022f767.intermediate
make: *** [Makefile:110: node] Error 2
Build step 'Execute shell' marked build as failure
Finished: FAILURE

@mhdawson
Copy link
Member

With the default configuration on my RHEL8 box it works ok. Trying the options listed above

@mhdawson
Copy link
Member

Added this part of the config BUILDTYPE=Release ./configure --shared-zlib, still built/ran ok for me.

@mhdawson
Copy link
Member

after adding this export LDFLAGS="-Wl,-z,now -Wl,-z,relro" it still seemed to compile build ok for me as well.

@mhdawson
Copy link
Member

Ok adding this export CFLAGS="-O3 -march=haswell -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" recreates"

@mhdawson
Copy link
Member

Ok, so it's specifically this -fPIE

@richardlau
Copy link
Member

There's an old comment from a few years ago about -D_FORTIFY_SOURCE=2: #18671 (comment)

@mhdawson
Copy link
Member

mhdawson commented Jan 26, 2022

I don't think this has anything to do with RHEL8 as I'd expect the same problem to exist on other Linux flavors as well.

The fundamental problem is that a shared object test_crypto_engine.o is compiled. The configuration in node.gyp

node/node.gyp

Line 1496 in 6fc6ba7

'-fPIC',
specifies -fPIC.

However, if -fPIE is set in CFLAGS which applies to all c files which are compiled. This overrides -fPIC and we end up with the error shown.

I don't see a way in gyp to control what CFLAGS applies to. Options like cflags! in the node.gyp file don't seem to have any effect. I believe that is because they would apply to the cflags being built up by gyp not the CFLAGS which are added at the end by the definition for cc in gyp.

I managed to build test_crypto_engine.o by modifying the target in the node.gyp file to look like

 ['(OS=="mac" or (OS=="linux" and target_arch=="x64")) and \
      node_use_openssl=="true"', {
      'targets': [
        {
          'target_name': 'test_crypto_engine',
          'type': 'none',
          'actions': [
            {
              'action_name': 'test_crypto_engine',
              'inputs':[],
              'outputs': [
                '<(PRODUCT_DIR)/test/fixtures/test_crypto_engine.o',
              ],
              'action': [
                'cc',
                '-c',
                '-I',
                'deps/openssl/openssl/include',
                '-fPIC',
                '-Wno-deprecated-declarations',
                'test/fixtures/test_crypto_engine.c',
                '-o',
                '<(PRODUCT_DIR)/test/fixtures/test_crypto_engine.o',
              ],
            },
          ],
        }
      ], # end targets
    }], # end node_use_openssl section

This allowed make node to pass (but would only work for linux not OSX I believe) but trying to run make test resulted in similar failures when the addons where built because they had the same problem with -fPIC being overridden by -fPIE.

Building the shared object for the test as part of make node seems wrong to me and is why we see the failure build node versus in testing it. However, I think the more fundamental issue is that adding -fPIE to the CFLAGS may have worked but only because of the order things were built and it's not a way to build/test with that option.

I think the right way to fix it would be to update so that there is a configure option that would add -fPIE to just the right places.

@mhdawson
Copy link
Member

@RaisinTen what do you think about this comment:

Building the shared object for the test as part of make node seems wrong to me

@FireBurn would adding an option to configure in -fPIE in properly be something you'd be interested in contributing a PR for?

@RaisinTen
Copy link
Contributor

@mhdawson

Building the shared object for the test as part of make node seems wrong to me

Yes, I agree. We should probably build the engine only when make test is run.

@mhdawson
Copy link
Member

@RaisinTen I was also wondering if it might make any sense to move the test to be an addon test. If test_crypto_engine could be built as an add-on then we already have the infra for building a shared object (the addon) and running JavaScript to test with it. I've not looked at the test that uses it to know if that makes any sense though.

@RaisinTen
Copy link
Contributor

@mhdawson yes, that sounds good to me. We already have a very similar setup in https://github.com/nodejs/node/tree/HEAD/test/addons/openssl-client-cert-engine, so we can just copy that test and modify the js file by adding some crypto.setEngine() calls like https://github.com/nodejs/node/blob/HEAD/test/parallel/test-crypto-engine.js.

@RaisinTen
Copy link
Contributor

Unfortunately, https://github.com/nodejs/node/blob/7752eedcc7db586fb0a7c586908d4405c6408325/test/addons/openssl-client-cert-engine/binding.gyp seems to be built on macOS only, so it might need some more modifications to make it work on other platforms. (could be done in a separate PR)

mhdawson added a commit to mhdawson/io.js that referenced this issue Feb 2, 2022
Fixes: nodejs#41633

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>
mhdawson added a commit to mhdawson/io.js that referenced this issue Feb 2, 2022
Fixes: nodejs#41633

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>
@mhdawson
Copy link
Member

mhdawson commented Feb 2, 2022

@RaisinTen PR to move test to an addon #41830

mhdawson added a commit to mhdawson/io.js that referenced this issue Feb 4, 2022
Fixes: nodejs#41633
Fixes: nodejs#40958

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>
@FireBurn
Copy link
Author

FireBurn commented Feb 11, 2022

Is this being backported to 16.x? Still had the same issue building 16.14.0

@mhdawson
Copy link
Member

@FireBurn I just tagged the PR with the lts-watch-v16.x label which I think should prompt releasers to pull it into a 16.x release unless it needs a manual backport.

@richardlau
Copy link
Member

The default policy is for a change to have been in a current release for two weeks before being backported to a LTS release. #41830 hasn't gone into a 17.x release yet, AFAICT.

bengl pushed a commit to bengl/node that referenced this issue Feb 21, 2022
Fixes: nodejs#41633
Fixes: nodejs#40958

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: nodejs#41830
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
bengl pushed a commit to bengl/node that referenced this issue Feb 21, 2022
Fixes: nodejs#41633
Fixes: nodejs#40958

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: nodejs#41830
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
danielleadams pushed a commit to danielleadams/node that referenced this issue Apr 21, 2022
Fixes: nodejs#41633
Fixes: nodejs#40958

- move test-crypto-engine so that dummy engine
  is only built if tests are run

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: nodejs#41830
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants