{ stdenv, lib, fetchurl, fetchpatch
# Channel data:
, channel, upstream-info
# Helper functions:
, chromiumVersionAtLeast, versionRange
# Native build inputs:
, ninja, pkg-config
, python3, perl
, which
, llvmPackages
# postPatch:
, pkgsBuildHost
# configurePhase:
, gnChromium
# Build inputs:
, libpng
, bzip2, flac, speex, libopus
, libevent, expat, libjpeg, snappy
, libcap
, xdg-utils, minizip, libwebp
, libusb1, re2
, ffmpeg, libxslt, libxml2
, nasm
, nspr, nss
, util-linux, alsa-lib
, bison, gperf, libkrb5
, glib, gtk3, dbus-glib
, libXScrnSaver, libXcursor, libXtst, libxshmfence, libGLU, libGL
, mesa
, pciutils, protobuf, speechd, libXdamage, at-spi2-core
, pipewire
, libva
, libdrm, wayland, libxkbcommon # Ozone
, curl
, libffi
, libepoxy
# postPatch:
, glibc # gconv + locale
# postFixup:
, vulkan-loader
# Package customization:
, cupsSupport ? true, cups ? null
, proprietaryCodecs ? true
, pulseSupport ? false, libpulseaudio ? null
, ungoogled ? false, ungoogled-chromium
# Optional dependencies:
, libgcrypt ? null # cupsSupport
, systemdSupport ? lib.meta.availableOn stdenv.hostPlatform systemd
, systemd
}:
buildFun:
let
# Python interpreter used at build time (it is listed in nativeBuildInputs),
# extended with the ply, jinja2 and setuptools modules.
python3WithPackages = python3.withPackages (pyPkgs: [
  pyPkgs.ply
  pyPkgs.jinja2
  pyPkgs.setuptools
]);
# clang-format wrapper script from chromium/tools/build, pinned to a single
# commit. Gitiles serves `?format=TEXT` responses base64-encoded, which is why
# postPatch runs this file through `base64 --decode` before installing it as
# buildtools/linux64/clang-format. The sha256 is the hash of the downloaded
# (still encoded) file: if the server ever returns different content for this
# URL, the fetch fails instead of a different script ending up in the build.
clangFormatPython3 =
  let
    rev = "e77882e0dde52c2ccf33c5570929b75b4a2a2522";
  in
  fetchurl {
    url = "https://chromium.googlesource.com/chromium/tools/build/+/${rev}/recipes/recipe_modules/chromium/resources/clang-format?format=TEXT";
    sha256 = "0ic3hn65dimgfhakli1cyf9j3cxcqsf1qib706ihfhmlzxf7256l";
  };
# The additional attributes for creating derivations based on the chromium
# source tree. `buildFun` is the function argument of this file; it is called
# with `base` (the common attribute set defined in this `let` block) and its
# result is consulted for `packageName`/`name` and for extra `gnFlags`.
extraAttrs = buildFun base;
# Fetch one commit of the chromium/chromium GitHub mirror as a patch file.
#   commit  commit id to fetch
#   sha256  expected hash of the fetched patch; a mismatch fails the fetch
#   revert  forwarded to fetchpatch unchanged (defaults to false)
githubPatch = { commit, sha256, revert ? false }:
  let
    patchUrl = "https://github.com/chromium/chromium/commit/${commit}.patch";
  in
  fetchpatch {
    url = patchUrl;
    inherit sha256 revert;
  };
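# Turn a Nix attribute set into the space-separated `key=value` string that
# configurePhase hands to `gn gen --args=...`.
#
# Values are serialized from Nix types into GN types according to this document:
# https://source.chromium.org/gn/gn/+/master:docs/language.md
#   bool   -> true / false
#   int    -> decimal literal
#   string -> quoted and escaped GN string
#   list   -> [a, b, ...] with every element serialized recursively
# Any other type aborts evaluation with an error.
mkGnFlags =
  let
    # Quote a string for GN. `"` and `\` are escaped so the value cannot end
    # the literal early, and `$` so GN does not read it as the start of a
    # variable expansion.
    mkGnString = value: "\"${lib.escape ["\"" "$" "\\"] value}\"";
    sanitize = value:
      if value == true then "true"
      else if value == false then "false"
      else if lib.isList value then "[${lib.concatMapStringsSep ", " sanitize value}]"
      else if lib.isInt value then toString value
      else if lib.isString value then mkGnString value
      # Report the type rather than interpolating the value itself: null,
      # floats, functions and plain attribute sets cannot be coerced to a
      # string, so interpolating them would fail with an unrelated coercion
      # error before this message was ever shown.
      else throw "Unsupported type `${builtins.typeOf value}' for GN value.";
    # NOTE(review): only values are escaped. `key` is emitted verbatim, so
    # attribute names are expected to be plain GN identifiers.
    toFlag = key: value: "${key}=${sanitize value}";
  in attrs: lib.concatStringsSep " " (lib.attrValues (lib.mapAttrs toFlag attrs));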
chromium: use official build settings (#101467)
LLD: https://lld.llvm.org/
When you link a large program on a multicore machine, you can expect that LLD runs more than twice as fast as the GNU gold linker. Your mileage may vary, though.
Link-time optimization (LTO) is supported by default.
Some default settings have been tuned for the 21st century. For example, the stack is marked as non-executable by default to tighten security.
LTO & ThinLTO: https://clang.llvm.org/docs/ThinLTO.html
LTO (Link Time Optimization) achieves better runtime performance through whole-program analysis and cross-module optimization. However, monolithic LTO implements this by merging all input into a single module, which is not scalable in time or memory, and also prevents fast incremental compiles. ThinLTO is a new approach that is designed to scale like a non-LTO build, while retaining most of the performance achievement of full LTO.
PGO: https://llvm.org/docs/HowToBuildWithPGO.html https://blog.chromium.org/2020/08/chrome-just-got-faster-with-profile.html
Allows your compiler to better optimize code for how it actually runs. Users report that applying this to Clang and LLVM can decrease overall compile time by 20%.
Because PGO uses real usage scenarios that match the workflows of Chrome users around the world, the most common tasks get prioritized and made faster. Delivers up to 10% faster page loads.
CFI: https://clang.llvm.org/docs/ControlFlowIntegrity.html https://www.chromium.org/developers/testing/control-flow-integrity
Aborts the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. These schemes have been optimized for performance, allowing developers to enable them in release builds.
By default, a program compiled with CFI will crash with SIGILL if it detects a CFI violation.
Additionally:
Use minizip instead of zlib. Chromium says zlib but actually uses minizip.
Remove old unused workarounds.
Make shell scripts POSIX compliant.
Update documentation URLs.
Prepare for using system libraries.
2020-10-24 10:27:40 +00:00
# Libraries that are taken from Nixpkgs instead of Chromium's bundled copies.
# The names are passed to replace_gn_files.py (`--system-libraries`) in
# configurePhase, and postPatch deletes the matching sources below
# third_party/<name> while keeping the GN/GNI/isolate files:
# https://source.chromium.org/chromium/chromium/src/+/master:build/linux/unbundle/replace_gn_files.py
gnSystemLibraries = [
  # TODO:
  # "ffmpeg"
  # "snappy"
  "flac"
  "libjpeg"
  "libpng"
  "libwebp"
  "libxslt"
  # "opus"
];
# libopus with its `withCustomModes` option switched on; buildInputs uses this
# variant in place of the plain libopus package.
opusWithCustomModes = libopus.override { withCustomModes = true; };
# Build paths and release info.
# The package name comes from the attributes returned by buildFun, falling
# back to `name` when no `packageName` is given.
packageName = extraAttrs.packageName or extraAttrs.name;
buildType = "Release";
buildPath = "out/" + buildType;
# `$out` is deliberately left as a literal shell variable: it is expanded by
# the builder shell at build time, not by Nix.
libExecPath = "$out/libexec/" + packageName;
# ungoogled-chromium at the revision and hash recorded in upstream-info. It
# provides the utils/ scripts, patches and lists that postPatch runs when
# `ungoogled` is enabled.
ungoogler =
  let
    pin = upstream-info.deps.ungoogled-patches;
  in
  ungoogled-chromium {
    rev = pin.rev;
    sha256 = pin.sha256;
  };
base = rec {
# Name and version of the unwrapped derivation; the version is the one
# recorded in upstream-info.
pname = packageName + "-unwrapped";
version = upstream-info.version;
# Re-export the values from the enclosing `let` so that they are part of this
# attribute set.
inherit packageName buildType buildPath;
# Official Chromium release tarball for `version`. The expected hash is the
# one recorded in upstream-info; a tarball that does not match it fails the
# fetch. No signature check is visible in this expression, so the recorded
# hash is the integrity anchor for the source.
src = fetchurl {
  url = "https://commondatastorage.googleapis.com/chromium-browser-official/chromium-${version}.tar.xz";
  sha256 = upstream-info.sha256;
};
# Tools that are executed during the build itself.
nativeBuildInputs = [
  ninja
  pkg-config
  python3WithPackages
  perl
  which
  llvmPackages.bintools
];
# Libraries Chromium is built against. The order is kept as in the original
# list; the optional groups at the end follow the package customization flags.
buildInputs = [
  (libpng.override { apngSupport = false; }) # https://bugs.chromium.org/p/chromium/issues/detail?id=752403
  bzip2
  flac
  speex
  opusWithCustomModes
  libevent
  expat
  libjpeg
  snappy
  libcap
  xdg-utils
  minizip
  libwebp
  libusb1
  re2
  ffmpeg
  libxslt
  libxml2
  nasm
  nspr
  nss
  util-linux
  alsa-lib
  bison
  gperf
  libkrb5
  glib
  gtk3
  dbus-glib
  libXScrnSaver
  libXcursor
  libXtst
  libxshmfence
  libGLU
  libGL
  mesa # required for libgbm
  pciutils
  protobuf
  speechd
  libXdamage
  at-spi2-core
  pipewire
  libva
  libdrm
  wayland
  mesa.drivers
  libxkbcommon
  curl
  libepoxy
  libffi
]
++ lib.optionals systemdSupport [ systemd ]
++ lib.optionals cupsSupport [ libgcrypt cups ]
++ lib.optionals pulseSupport [ libpulseaudio ];
# Patches applied to the unpacked source before postPatch. All three are files
# kept next to this expression (relative paths), so they are reviewed together
# with it rather than fetched and pinned by hash.
patches = [
  # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
  ./patches/no-build-timestamps.patch
  # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
  ./patches/widevine-79.patch
  # Required to fix the build with a more recent wayland-protocols version
  # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
  # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
  # According to the commit that introduced it, this patch is also carried by
  # the Arch Linux package and replaces an earlier workaround that ended in
  # `ld.lld: error: unable to find library -l:libffi_pic.a`; the analysis is
  # in https://github.com/NixOS/nixpkgs/pull/189033.
  ./patches/angle-wayland-include-protocol.patch
];
# Source-tree fixups that run after `patches` have been applied. The script is
# assembled from several string segments; the systemd, aarch64 and ungoogled
# segments are only included when the corresponding condition holds.
#
# What the steps do, as far as this file shows:
#   * drop GN references and compiler flags that do not work with this toolchain;
#   * delete the bundled sources of every library in gnSystemLibraries (files
#     under chromium/ and google/ and the GN/GNI/isolate files are kept);
#   * rewrite hard-coded FHS paths (ALSA, gconv, locale, xdg-utils, libudev,
#     libpci) to Nix store paths;
#   * replace buildtools/linux64/clang-format with the hash-pinned script from
#     clangFormatPython3 and link Nixpkgs' node and java into third_party/.
#
# Points a reviewer should keep in mind:
#   * setuid_sandbox_host.cc is edited to return GetDevelSandboxPath() instead
#     of `sandbox_binary`; per the inline comment the sandbox helper is then
#     located through CHROME_DEVEL_SANDBOX. Whatever launches the browser has
#     to set that variable to a trusted path (presumably the wrapper does; it
#     is not visible in this file).
#   * The chrome_paths.cc `sed` has no address and no `g` flag, so it rewrites
#     the first `/usr` on every line of that file, not only the extension
#     directory mentioned in its comment.
postPatch = ''
  # Workaround/fix for https://bugs.chromium.org/p/chromium/issues/detail?id=1313361:
  substituteInPlace BUILD.gn \
    --replace '"//infra/orchestrator:orchestrator_all",' ""
  # Disable build flags that require LLVM 15:
  substituteInPlace build/config/compiler/BUILD.gn \
    --replace '"-Xclang",' "" \
    --replace '"-no-opaque-pointers",' ""
  # remove unused third-party
  for lib in ${toString gnSystemLibraries}; do
    if [ -d "third_party/$lib" ]; then
      find "third_party/$lib" -type f \
        \! -path "third_party/$lib/chromium/*" \
        \! -path "third_party/$lib/google/*" \
        \! -path "third_party/harfbuzz-ng/utils/hb_scoped.h" \
        \! -regex '.*\.\(gn\|gni\|isolate\)' \
        -delete
    fi
  done

  # Required for patchShebangs (unsupported interpreter directive, basename: invalid option -- '*', etc.):
  substituteInPlace native_client/SConstruct --replace "#! -*- python -*-" ""
  if [ -e third_party/harfbuzz-ng/src/src/update-unicode-tables.make ]; then
    substituteInPlace third_party/harfbuzz-ng/src/src/update-unicode-tables.make \
      --replace "/usr/bin/env -S make -f" "/usr/bin/make -f"
  fi
  chmod -x third_party/webgpu-cts/src/tools/run_deno
  chmod -x third_party/dawn/third_party/webgpu-cts/tools/run_deno

  # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX
  substituteInPlace sandbox/linux/suid/client/setuid_sandbox_host.cc \
    --replace \
      'return sandbox_binary;' \
      'return base::FilePath(GetDevelSandboxPath());'

  substituteInPlace services/audio/audio_sandbox_hook_linux.cc \
    --replace \
      '/usr/share/alsa/' \
      '${alsa-lib}/share/alsa/' \
    --replace \
      '/usr/lib/x86_64-linux-gnu/gconv/' \
      '${glibc}/lib/gconv/' \
    --replace \
      '/usr/share/locale/' \
      '${glibc}/share/locale/'

  sed -i -e 's@"\(#!\)\?.*xdg-@"\1${xdg-utils}/bin/xdg-@' \
    chrome/browser/shell_integration_linux.cc

''
# Load libudev from the systemd package by absolute store path.
+ lib.optionalString systemdSupport ''
  sed -i -e '/lib_loader.*Load/s!"\(libudev\.so\)!"${lib.getLib systemd}/lib/\1!' \
    device/udev_linux/udev?_loader.cc
'' + ''
  sed -i -e '/libpci_loader.*Load/s!"\(libpci\.so\)!"${pciutils}/lib/\1!' \
    gpu/config/gpu_info_collector_linux.cc

  # Allow to put extensions into the system-path.
  sed -i -e 's,/usr,/run/current-system/sw,' chrome/common/chrome_paths.cc

  # We need the fix for https://bugs.chromium.org/p/chromium/issues/detail?id=1254408:
  base64 --decode ${clangFormatPython3} > buildtools/linux64/clang-format

  patchShebangs .
  # Link to our own Node.js and Java (required during the build):
  mkdir -p third_party/node/linux/node-linux-x64/bin
  ln -s "${pkgsBuildHost.nodejs}/bin/node" third_party/node/linux/node-linux-x64/bin/node
  ln -s "${pkgsBuildHost.jre8_headless}/bin/java" third_party/jdk/current/bin/

  # Allow building against system libraries in official builds
  sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' tools/generate_shim_headers/generate_shim_headers.py

''
# The unbundled toolchain has no `aarch64-linux-gnu-` prefixed tools, so the
# prefix is emptied on aarch64.
+ lib.optionalString stdenv.isAarch64 ''
  substituteInPlace build/toolchain/linux/BUILD.gn \
    --replace 'toolprefix = "aarch64-linux-gnu-"' 'toolprefix = ""'
''
# ungoogled-chromium: prune the files named in pruning.list, apply the patch
# set, then run domain substitution.
# NOTE(review): a non-zero exit of prune_binaries.py is tolerated (`|| echo`),
# so an incomplete prune does not stop the build and leaves only "some errors"
# in the log. Confirm that leftover prebuilt files are acceptable or are
# checked elsewhere. The two commands after it have no such fallback.
+ lib.optionalString ungoogled ''
  ${ungoogler}/utils/prune_binaries.py . ${ungoogler}/pruning.list || echo "some errors"
  ${ungoogler}/utils/patches.py . ${ungoogler}/patches
  ${ungoogler}/utils/domain_substitution.py apply -r ${ungoogler}/domain_regex.list -f ${ungoogler}/domain_substitution.list -c ./ungoogled-domsubcache.tar.gz .
'';
# GN arguments for the build, serialized by mkGnFlags into one string.
#
# The attribute sets are merged with `//`, which is right-biased: the
# proprietaryCodecs and pulseSupport groups, then ungoogled-flags.toml (only
# when `ungoogled` is set) and finally `extraAttrs.gnFlags` each override
# whatever was set to their left. A caller can therefore replace any default
# below, including security-relevant ones such as `is_official_build`.
gnFlags = mkGnFlags ({
  # Main build and toolchain settings:
  # Create an official and optimized release build (only official builds
  # should be distributed to users, as non-official builds are intended for
  # development and may not be configured appropriately for production,
  # e.g. unsafe developer builds have developer-friendly features that may
  # weaken or disable security measures like sandboxing or ASLR):
  is_official_build = true;
  disable_fieldtrial_testing_config = true;
  # Build Chromium using the system toolchain (for Linux distributions):
  custom_toolchain = "//build/toolchain/linux/unbundle:default";
  host_toolchain = "//build/toolchain/linux/unbundle:default";
  # Don't build against a sysroot image downloaded from Cloud Storage:
  use_sysroot = false;
  # Because we use a different toolchain / compiler version:
  treat_warnings_as_errors = false;
  # We aren't compiling with Chrome's Clang (would enable Chrome-specific
  # plugins for enforcing coding guidelines, etc.):
  clang_use_chrome_plugins = false;
  # Disable symbols (they would negatively affect the performance of the
  # build since the symbols are large and dealing with them is slow):
  symbol_level = 0;
  blink_symbol_level = 0;

  # Google API key, see: https://www.chromium.org/developers/how-tos/api-keys
  # Note: The API key is for NixOS/nixpkgs use ONLY.
  # For your own distribution, please get your own set of keys.
  # NOTE(review): the value is committed in plain text and passed to the
  # build, so it cannot be treated as a secret; any protection has to come
  # from restrictions configured for the key itself.
  google_api_key = "AIzaSyDGi15Zwl11UNe6Y-5XW_upsfyw31qwZPI";

  # Optional features:
  use_gio = true;
  use_gnome_keyring = false; # Superseded by libsecret
  use_cups = cupsSupport;

  # Feature overrides:
  # Native Client support was deprecated in 2020 and support will end in June 2021:
  enable_nacl = false;
  # Enabling the Widevine component here doesn't affect whether we can
  # redistribute the chromium package; the Widevine component is either
  # added later in the wrapped -wv build or downloaded from Google:
  enable_widevine = true;
  # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture:
  rtc_use_pipewire = true;
  # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
  chrome_pgo_phase = 0;
  clang_base_path = "${llvmPackages.clang}";
  use_qt = false;
  # To fix the build as we don't provide libffi_pic.a
  # (ld.lld: error: unable to find library -l:libffi_pic.a):
  use_system_libffi = true;
} // lib.optionalAttrs proprietaryCodecs {
  # enable support for the H.264 codec
  proprietary_codecs = true;
  enable_hangout_services_extension = true;
  ffmpeg_branding = "Chrome";
} // lib.optionalAttrs pulseSupport {
  use_pulseaudio = true;
  link_pulseaudio = true;
} // lib.optionalAttrs ungoogled (lib.importTOML ./ungoogled-flags.toml)
// (extraAttrs.gnFlags or {}));
# Configure step: runs replace_gn_files.py for the system libraries listed in
# gnSystemLibraries, then generates the Ninja build files in out/Release.
# gnFlags is passed through lib.escapeShellArg, so the shell sees it as a
# single --args value; the gnSystemLibraries names are interpolated unquoted
# and are split into separate arguments by the shell.
# The `gn gen` output is copied to gn-gen-outputs.txt and the build is aborted
# if that file contains the string WARNING.
# NOTE(review): because `gn gen` is piped into `tee`, its own exit status only
# fails the phase when the builder shell runs with pipefail -- confirm.
configurePhase = ''
  runHook preConfigure

  # This is to ensure expansion of $out.
  libExecPath="${libExecPath}"
  ${python3}/bin/python3 build/linux/unbundle/replace_gn_files.py --system-libraries ${toString gnSystemLibraries}
  ${gnChromium}/bin/gn gen --args=${lib.escapeShellArg gnFlags} out/Release | tee gn-gen-outputs.txt

  # Fail if `gn gen` contains a WARNING.
  grep -o WARNING gn-gen-outputs.txt && echo "Found gn WARNING, exiting nix build" && exit 1

  runHook postConfigure
'';
# Don't spam warnings about unknown warning options. This is useful because
# our Clang is always older than Chromium's and the build logs have a size
# of approx. 25 MB without this option (and this saves e.g. 66 %).
# Only the "unknown warning option" diagnostic is silenced here; no other
# warning flag is changed by this attribute.
env.NIX_CFLAGS_COMPILE = "-Wno-unknown-warning-option";
# Build step: one ninja invocation per entry of extraAttrs.buildTargets, each
# followed by rendering the man page template into the build directory.
buildPhase = let
  # ninja only gets -j$NIX_BUILD_CORES; no -l load limit is passed, because a
  # per-build load limit would cap the load of the whole machine when several
  # builds run side by side.
  # The subshell keeps the variables set for installer.include out of the rest
  # of the phase.
  ninjaAndManpage = target: ''
    ninja -C "${buildPath}" -j$NIX_BUILD_CORES "${target}"
    (
      source chrome/installer/linux/common/installer.include
      PACKAGE=$packageName
      MENUNAME="Chromium"
      process_template chrome/app/resources/manpage.1.in "${buildPath}/chrome.1"
    )
  '';
in lib.concatMapStringsSep "\n" ninjaAndManpage (extraAttrs.buildTargets or []);
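# Post-fixup step: prepend the libGL and vulkan-loader library directories to
# the rpath of the main Chromium binary, keeping the rpath it already had.
postFixup = ''
  # Make sure that libGLESv2 and libvulkan are found by dlopen.
  chromiumBinary="$libExecPath/$packageName"
  origRpath="$(patchelf --print-rpath "$chromiumBinary")"
  # Only append ":$origRpath" when it is non-empty: a trailing ":" would leave
  # an empty rpath entry, which the dynamic loader resolves relative to the
  # current working directory.
  patchelf --set-rpath "${lib.makeLibraryPath [ libGL vulkan-loader ]}''${origRpath:+:$origRpath}" "$chromiumBinary"
'';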
# Attributes passed through on the resulting derivation: the update script
# and the gn package that configurePhase invokes.
passthru = {
  chromiumDeps.gn = gnChromium;
  updateScript = ./update.py;
};
};
# Remove some extraAttrs we supplied to the base attributes already.
# `//` lets the right-hand side win, so every remaining attribute in extraAttrs
# replaces the attribute of the same name in base (phases included); passthru
# is the exception and is merged from both sides instead of being replaced.
in stdenv.mkDerivation (base // removeAttrs extraAttrs [
  "name" "gnFlags" "buildTargets"
] // { passthru = base.passthru // (extraAttrs.passthru or {}); })