search

nginxinc / ngx-rust

Rust binding for NGINX
Apache License 2.0
713 stars 59 forks source link

Build error: "_FORTIFY_SOURCE" redefined [-Werror] #80

Closed azoyan closed 3 weeks ago

azoyan commented 1 month ago

Describe the bug Can't build on Ubuntu 24.04 at 85/88: nginx-sys(build)

To Reproduce

git clone https://github.com/nginxinc/ngx-rust
cargo b

I see:

Blocking waiting for file lock on build directory
   Compiling nginx-sys v0.5.0 (/home/i/ngx-rust/nginx-sys)
error: failed to run custom build command for `nginx-sys v0.5.0 (/home/i/ngx-rust/nginx-sys)`

Caused by:
  process didn't exit successfully: `/home/i/ngx-rust/target/debug/build/nginx-sys-6d4e38600c2f20d0/build-script-main` (exit status: 1)
  --- stdout
...
...
 install ./include/openssl/x509err.h -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include/openssl/x509err.h
  install ./include/openssl/x509v3.h -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include/openssl/x509v3.h
  install ./include/openssl/x509v3err.h -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include/openssl/x509v3err.h
  install libcrypto.a -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/lib/libcrypto.a
  install libssl.a -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/lib/libssl.a
  install libcrypto.pc -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/lib/pkgconfig/libcrypto.pc
  install libssl.pc -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/lib/pkgconfig/libssl.pc
  install openssl.pc -> /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/lib/pkgconfig/openssl.pc
  gmake[2]: Leaving directory '/home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1'
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/nginx.o \
    src/core/nginx.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_log.o \
    src/core/ngx_log.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_palloc.o \
    src/core/ngx_palloc.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_array.o \
    src/core/ngx_array.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_list.o \
    src/core/ngx_list.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_hash.o \
    src/core/ngx_hash.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_buf.o \
    src/core/ngx_buf.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_queue.o \
    src/core/ngx_queue.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_output_chain.o \
    src/core/ngx_output_chain.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_string.o \
    src/core/ngx_string.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_parse.o \
    src/core/ngx_parse.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_parse_time.o \
    src/core/ngx_parse_time.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_inet.o \
    src/core/ngx_inet.c
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_file.o \
    src/core/ngx_file.c
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_crc32.o \
    src/core/ngx_crc32.c
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: note: this is the location of the previous definition
  cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC -I src/core -I src/event -I src/event/modules -I src/os/unix -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/pcre2-10.42/src/ -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/openssl-3.2.1/.openssl/include -I /home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/zlib-1.3.1 -I objs \
    -o objs/src/core/ngx_murmurhash.o \
    src/core/ngx_murmurhash.c
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  <command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
  <command-line>: note: this is the location of the previous definition
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:595: objs/src/core/ngx_crc32.o] Error 1
  gmake[1]: *** Waiting for unfinished jobs....
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:518: objs/src/core/ngx_array.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:602: objs/src/core/ngx_murmurhash.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:567: objs/src/core/ngx_parse.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:511: objs/src/core/ngx_palloc.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:553: objs/src/core/ngx_output_chain.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:497: objs/src/core/nginx.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:539: objs/src/core/ngx_buf.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:574: objs/src/core/ngx_parse_time.o] Error 1
  cc1: all warnings being treated as errors
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:546: objs/src/core/ngx_queue.o] Error 1
  gmake[1]: *** [objs/Makefile:560: objs/src/core/ngx_string.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:525: objs/src/core/ngx_list.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:504: objs/src/core/ngx_log.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:581: objs/src/core/ngx_inet.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:532: objs/src/core/ngx_hash.o] Error 1
  cc1: all warnings being treated as errors
  gmake[1]: *** [objs/Makefile:588: objs/src/core/ngx_file.o] Error 1
  gmake[1]: Leaving directory '/home/i/ngx-rust/.cache/src/x86_64-unknown-linux-gnu/nginx-1.24.0'
  gmake: *** [Makefile:13: install] Error 2

  --- stderr
  Error: Custom { kind: Other, error: "command [\"/usr/bin/gmake\", \"-j\", \"16\", \"install\"] exited with code 2" }

Possibly fix I remove this: -Wp,-D_FORTIFY_SOURCE=2 from 

const NGX_LINUX_ADDITIONAL_OPTS: [&str; 3] = [
    "--with-file-aio",
    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC",
    "--with-ld-opt=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie",
];

to 

const NGX_LINUX_ADDITIONAL_OPTS: [&str; 3] = [
    "--with-file-aio",
    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -fPIC",
    "--with-ld-opt=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie",
];

and compilation was success

My environment

Additional context Add any other context about the problem here. Any log files you want to share.

bavshin-f5 commented 1 month ago

A patch in the Ubuntu build of gcc incorrectly checks for a duplicate definition of -D_FORTIFY_SOURCE.

A minimal fix would be

--- a/nginx-sys/build/vendored.rs
+++ b/nginx-sys/build/vendored.rs
@@ -97,7 +97,7 @@ const NGX_BASE_MODULES: [&str; 20] = [
 /// Additional configuration flags to use when building on Linux.
 const NGX_LINUX_ADDITIONAL_OPTS: [&str; 3] = [
     "--with-file-aio",
-    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC",
+    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC",
     "--with-ld-opt=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie",
 ];
 const ENV_VARS_TRIGGERING_RECOMPILE: [&str; 12] = [

but I'd rather drop the flags from the NGX_LINUX_ADDITIONAL_OPTS completely. -g is already set in the auto/cc/*, -fPIC causes a build error on Fedora, and warnings are sufficiently covered by the Nginx repo CI. No practical reason to have the remaining options here.

@dekobon what do you think?

dekobon commented 1 month ago

A patch in the Ubuntu build of gcc incorrectly checks for a duplicate definition of -D_FORTIFY_SOURCE.

A minimal fix would be

--- a/nginx-sys/build/vendored.rs
+++ b/nginx-sys/build/vendored.rs
@@ -97,7 +97,7 @@ const NGX_BASE_MODULES: [&str; 20] = [
 /// Additional configuration flags to use when building on Linux.
 const NGX_LINUX_ADDITIONAL_OPTS: [&str; 3] = [
     "--with-file-aio",
-    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC",
+    "--with-cc-opt=-g -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC",
     "--with-ld-opt=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie",
 ];
 const ENV_VARS_TRIGGERING_RECOMPILE: [&str; 12] = [

but I'd rather drop the flags from the NGX_LINUX_ADDITIONAL_OPTS completely. -g is already set in the auto/cc/*, -fPIC causes a build error on Fedora, and warnings are sufficiently covered by the Nginx repo CI. No practical reason to have the remaining options here.

@dekobon what do you think?

That seems reasonable to me. Would you mind submitting a PR?