Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[20.09] chromium, llvm_11: Backport additional patches #102758

merged 13 commits into from Nov 13, 2020


Copy link

@primeos primeos commented Nov 4, 2020

Motivation for this change

I'm trying to keep the differences between 20.09 and nixos-unstable minimal. I didn't backport these patches right away as the last two Chromium updates needed to be merged more quickly for security reasons. A few (two?) Chromium patches are still missing for now.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits
primeos and others added 11 commits Oct 4, 2020
So that it can be accessed via llvmPackages_11.clang-unwrapped.clang-tools-extra_src
(e.g. useful for nix-prefetch-url).

(cherry picked from commit 72cc4d2)

A port of #85925 for LLVM 11 to enable CFI for Chromium.

This is required for features such as `-fsanitize=cfi` that (by default)
load the file `…/resource-root/share/cfi_blacklist.txt`.

(cherry picked from commit 03dd1b3)
(cherry picked from commit 7a30df9)
compiler-rt (and as a result clang) can't be build for i686 (as noticed here: #99984).
The patch adds the required variables and should result in the same behavior as in the nixpkgs-llvm10. It essentially forces to use i386 buildins when using i486, i586 or i686, which are not supported.

Fixes #100392

(cherry picked from commit 6948875)
Chromium 86.0.4240.75 builds fine without this patch. And since
WEBP_MAX_DIMENSION is the same in the system libwebp this patch should
not be required anymore (it was introduced in 06ec2a9, apparently to
fix the build).

(cherry picked from commit 015c5a2)
(cherry picked from commit 5742fcd)
(cherry picked from commit 8e861c0) runs out of memory on i686.

(cherry picked from commit c557c27)
Wanted to do this for a long time to collect important knowledge and
make it easier to pass maintainership.
Only time will tell if this'll be useful or become outdated instead.

(cherry picked from commit b36db49)
The gn version depends on the channel and new gn versions aren't always
backward compatible. Therefore we should also include it in
upstream-info.json (I've scoped it under "deps" as we'll likely have to
add more like this in the future).

(cherry picked from commit d7f5386)
Copy link
Member Author

@primeos primeos commented Nov 11, 2020

This also contains #103294 and should be ready to test now (CI was fine until the timeout).

@Frostman could you test Chromium as usual?

@primeos primeos marked this pull request as ready for review Nov 11, 2020
@primeos primeos requested a review from matthewbauer as a code owner Nov 11, 2020
primeos added 2 commits Nov 10, 2020

This update includes 1 security fix (no CVE).

(cherry picked from commit 841664a)
Backport of #103294.

This update includes 2 security fixes. Google is aware of reports that
exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild.

CVEs: CVE-2020-16013 CVE-2020-16017
(cherry picked from commit b91153f)
Backport of #103595.
@primeos primeos force-pushed the primeos:chromium-backport branch from a9af722 to ded16fc Nov 13, 2020
Copy link
Member Author

@primeos primeos commented Nov 13, 2020

I'll merge this right away due to #103595. CI was fine anyway (up to the timeout at least).

@primeos primeos merged commit caadf99 into NixOS:release-20.09 Nov 13, 2020
1 of 3 checks passed
1 of 3 checks passed
Wait for ofborg This failed status will be cleared when ofborg finishes eval.
grahamcofborg-eval Checking original out paths
Copy link

@Frostman Frostman commented Nov 13, 2020

@primeos I have some problems with my setup - wasn't able to get it to finish state, will try to debug this weekend and hopefully will work fine for the next time.

Copy link
Member Author

@primeos primeos commented Nov 13, 2020

@Frostman ok, no problem, thanks for the update :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

5 participants
You can’t perform that action at this time.