-
-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable macOS build #23
Conversation
Hi! This is the friendly automated conda-forge-linting service. I just wanted to let you know that I linted all conda-recipes in your PR ( I do have some suggestions for making it better though... For recipe:
|
Note: building GDB 8.3.1 (from the gdb tarball) succeeds on my machine (10.11). It also builds fine under a conda environment ( However I can reproduce the build failure locally using $ conda build --dirty -m .ci_support/osx_python3.6.____cpython.yaml recipe
[...] # skipping lots of stuff
Configuring in ./gdb
/Applications/Xcode.app/Contents/Developer/usr/bin/make all-recursive
Making all in .
/bin/sh ./libtool --tag=CC --mode=compile x86_64-apple-darwin13.4.0-clang -DHAVE_CONFIG_H -I. -I. -I. -I../bfd -I./../include -I./../bfd -I./../intl -D_FORTIFY_SOURCE=2 -mmacosx-version-min=10.9 -isystem $PREFIX/include -I$PREFIX/include -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -march=core2 -mtune=haswell -mssse3 -ftree-vectorize -fPIC -fPIE -fstack-protector-strong -O2 -pipe -isystem $PREFIX/include -fdebug-prefix-map=$SRC_DIR=/usr/local/src/conda/gdb-8.3.1 -fdebug-prefix-map=$PREFIX=/usr/local/src/conda-prefix -MT dis-buf.lo -MD -MP -MF .deps/dis-buf.Tpo -c -o dis-buf.lo dis-buf.c
[...] # skipping until the first invocation of `CXX`
CXX ada-exp.o
In file included from ada-exp.y:38:
In file included from ./defs.h:28:
In file included from ./common/common-defs.h:77:
In file included from build-gnulib/import/stdlib.h:36:
In file included from /Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590587843385/_build_env/bin/../include/c++/v1/stdlib.h:100:
In file included from build-gnulib/import/math.h:27:
In file included from /Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590587843385/_build_env/bin/../include/c++/v1/math.h:311:
In file included from /Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590587843385/_build_env/bin/../include/c++/v1/type_traits:417:
In file included from /Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590587843385/_build_env/bin/../include/c++/v1/cstddef:37:
./../intl/version:1:1: error: unknown type name 'GNU'
GNU gettext library from gettext-0.12.1
^
./../intl/version:1:12: error: expected ';' after top level declarator
GNU gettext library from gettext-0.12.1 So the problem is that the file A simple fix would be to add a patch that renames this file to |
Update: it appears conda-build does not handle patches that are just renaming a file (created with Renaming the file in build.sh makes the build succeeds. New problem: the code signing does not work in the conda-build environment because the compiler package activation script sets $ cd /Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590596079611/work
$ source build_env_setup.sh
$ env |grep CODESIGN
CODESIGN_ALLOCATE=/Users/Philippe/Logiciels/miniconda3/conda-bld/gdb_1590596079611/_build_env/bin/x86_64-apple-darwin13.4.0-codesign_allocate
|
Build succeeds, but the executable must be signed for the test phase of conda-build to work (since the package is installed to a new location). |
How do you know it is about signing? Test failure suggests it is picking up the wrong (maybe system?) Python.
|
Possibly that's another error.
which is the message I get on my mac when my GDB is not signed. |
Some potentially relevant links: |
Thanks @jakirkham. The up-to-date info is actually in the GDB wiki, which I link to in the PR description: The |
d753745
to
277cf33
Compare
If you are signing this with a certificate in the CI build, how is this going to work in a user environment? |
@isuruf the user will have to run the included script to generate a self-signed certificate and sign the binary. This is what Homebrew does. |
Currently I tried installing the package and using gdb on another mac running 10.13 and it also works well, however when logged into this mac using SSH from my 10.11 machine and invoking gdb, a graphical authentication pop up appears on the 10.13 system. When prefixing gdb with On azure it appears even prefixing with Interestingly, I tried installing and testing the package on Travis CI with this configuration: language: cpp
os: osx
osx_image:
- xcode11.5 # 10.15
- xcode11.3 # 10.14
- xcode10.1 # 10.13
- xcode9.2 # 10.12
- xcode8 # 10.11
install:
# Download miniconda
- "wget https://repo.anaconda.com/miniconda/Miniconda3-latest-MacOSX-x86_64.sh -O ~/miniconda.sh"
# Install miniconda
- "bash ~/miniconda.sh -b -p $HOME/miniconda"
script:
# Create "gdb" conda environment
- "source $HOME/miniconda/bin/activate"
- "conda config --add channels conda-forge"
- "conda config --set channel_priority strict"
- "conda create -y -c phil-blain/label/test -n gdb gdb"
- "conda activate gdb"
# check codesigning
- "security find-certificate -c gdb_codesign"
- "security dump-trust-settings -d"
- "type gdb"
- "gdb --version"
- "codesign -vv $(which gdb)"
- "codesign -d --entitlements - $(which gdb)"
# check GDB
- "echo 'set startup-with-shell off' >> ~/.gdbinit"
- "g++ -g hello.cpp -o hello"
- "sudo gdb -batch -ex r --args hello" and this succeeds on 10.11-10.13 but fails on 10.14 and 10.15. When SSH-ing into the VM (travis debug mode), it works if I prefix gdb with |
A small update: I switched the provider to Travis for macOS, and added this before calling GDB in the if [[ $(uname) == "Darwin" ]]; then
sudo /usr/sbin/DevToolsSecurity -enable
sudo security authorizationdb write system.privilege.taskport allow
fi which seems to help: with this GDB does not hang. The Travis image used by conda-forge is the Next step: Now that GDB does not hang, we can see if we can actually run the test script. Locally on my Mac, I get this: $ gdb --args python testing/process_to_debug.py
GNU gdb (GDB) 8.3.1
# --- >8 ---
Reading symbols from python...
warning: `/tmp/lto.o': can't open to read symbols: No such file or directory.
(No debugging symbols found in python)
(gdb) r
Starting program: /Users/Philippe/Logiciels/miniconda3/envs/gdb/bin/python testing/process_to_debug.py
[New Thread 0x1103 of process 75303]
warning: `/tmp/lto.o': can't open to read symbols: No such file or directory.
Program received signal SIGSEGV, Segmentation fault.
0x00007fff8a68b8ea in ?? () from /usr/lib/system/libsystem_kernel.dylib
(gdb) py-bt
Traceback (most recent call first):
PyCFunction invocation (unable to read func_obj: missing debuginfos?)
(unable to read python frame information) So it seems that some debug information is missing from the Python binary to be able to use the CPython "libpython.py" GDB extension. On Linux, the test works, so I'm guessing the conda-forge |
Seems to be related to the Python build using link time optimization with |
Thanks for bringing up this point about codesigning. Have raised issue ( conda-forge/conda-forge.github.io#1081 ) to discuss how we should handle this in general. |
Good point about the debug symbols on macOS. I think we should skip that test on macOS for now as fixing the Thanks for sticking with this! I know these are quite hairy issues, but it seems like we are quite close here. Looking forward to seeing |
@jakirkham I understand now why GDB complains about |
Does |
Allright so this is what I found out.
The last point means that the final executable keeps a reference to this deleted temporary file (I guess Adding References:
Of course having debug symbols distributed with a conda-forge package would have to be discussed on each package's feedstock. It would mean telling the build system of each package to add the flag For now as said above I'll just add a test with a simple C program. |
@isuruf about LLDB: the conda-forge lldb recipe uses which I guess was done to avoid having to codesign the executable. I haven't been able to use the conda-forge lldb at all. For a simple "hello-world"-type program, I get:
This seems to be related to inability for the lldb executable to connect with the system |
Add support for building GDB on macOS. On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes. The script `recipe/macos-codesign/macos-setup-codesign.sh` sets up this certificate. It is taken from the LLDB repository [1] and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki [2]. This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB. The script `recipe/macos-codesign/macos-codesign-gdb.sh` actually calls 'macos-setup-codesign.sh' and then signs the GDB executable using the just created certificate. A post-link script runs the `recipe/macos-codesign/macos-codesign-gdb.sh` is passwordless sudo is available (in the CI), and if it's not, it writes to $PREFIX/.messages.txt such that users are notified that they need to sign GDB in order to use it, using the provided script. An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script. Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see [3],[4]), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program. We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4') [5]. When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. This is probably due to system security settings that need tweaking (I'm suspecting a graphical authentification popup since that's what I witnessed during local testing). We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decomissioned (by Travis or conda-forge). [1]: https://github.com/llvm/llvm-project/blob/master/lldb/scripts/macos-setup-codesign.sh [2]: https://sourceware.org/gdb/wiki/PermissionsDarwin [3]: conda-forge#23 [4]: conda-forge/python-feedstock#354 [5]: https://docs.travis-ci.com/user/reference/osx/
Hi! This is the friendly automated conda-forge-linting service. I was trying to look for recipes to lint for you, but it appears we have a merge conflict. Please ping the 'conda-forge/core' team (using the @ notation in a comment) if you believe this is a bug. |
Add support for building GDB on macOS. On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes. The script `recipe/macos-codesign/macos-setup-codesign.sh` sets up this certificate. It is taken from the LLDB repository [1] and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki [2]. This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB. The script `recipe/macos-codesign/macos-codesign-gdb.sh` actually calls 'macos-setup-codesign.sh' and then signs the GDB executable using the just created certificate. A post-link script runs the `recipe/macos-codesign/macos-codesign-gdb.sh` is passwordless sudo is available (in the CI), and if it's not, it writes to $PREFIX/.messages.txt such that users are notified that they need to sign GDB in order to use it, using the provided script. An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script. Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see [3],[4]), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program. We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4') [5]. When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. This is probably a manifestation of an intermittent GDB bug [6]. We use the patch provided in the bug report to mitigate the effects of that bug. We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decomissioned (by Travis or conda-forge). [1]: https://github.com/llvm/llvm-project/blob/master/lldb/scripts/macos-setup-codesign.sh [2]: https://sourceware.org/gdb/wiki/PermissionsDarwin [3]: conda-forge#23 [4]: conda-forge/python-feedstock#354 [5]: https://docs.travis-ci.com/user/reference/osx/ [6]: https://sourceware.org/bugzilla/show_bug.cgi?id=24069
Hi! This is the friendly automated conda-forge-linting service. I just wanted to let you know that I linted all conda-recipes in your PR ( |
Add support for building GDB on macOS. On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes. The script `recipe/macos-codesign/macos-setup-codesign.sh` sets up this certificate. It is taken from the LLDB repository [1] and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki [2]. This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB. The script `recipe/macos-codesign/macos-codesign-gdb.sh` actually calls 'macos-setup-codesign.sh' and then signs the GDB executable using the just created certificate. A post-link script runs the `recipe/macos-codesign/macos-codesign-gdb.sh` is passwordless sudo is available (in the CI), and if it's not, it writes to $PREFIX/.messages.txt such that users are notified that they need to sign GDB in order to use it, using the provided script. An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script. Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see [3],[4]), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program. We also re-introduce the Python test on Linux, which was deleted in conda-forge#27. We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4') [5]. When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. This is probably a manifestation of an intermittent GDB bug [6]. We use the patch provided in the bug report to mitigate the effects of that bug. We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decomissioned (by Travis or conda-forge). [1]: https://github.com/llvm/llvm-project/blob/master/lldb/scripts/macos-setup-codesign.sh [2]: https://sourceware.org/gdb/wiki/PermissionsDarwin [3]: conda-forge#23 [4]: conda-forge/python-feedstock#354 [5]: https://docs.travis-ci.com/user/reference/osx/ [6]: https://sourceware.org/bugzilla/show_bug.cgi?id=24069
@isuruf @jakirkham it seems that the build is running both on travis-ci.org (continuous-integration/travis-ci/pr) and travis-ci.com (Travis CI - Pull Request).. is this expected ? |
Add support for building GDB on macOS. On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes. The script `recipe/macos-codesign/macos-setup-codesign.sh` sets up this certificate. It is taken from the LLDB repository [1] and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki [2]. This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB. The script `recipe/macos-codesign/macos-codesign-gdb.sh` actually calls 'macos-setup-codesign.sh' and then signs the GDB executable using the just created certificate. A post-link script runs the `recipe/macos-codesign/macos-codesign-gdb.sh` is passwordless sudo is available (in the CI), and if it's not, it writes to $PREFIX/.messages.txt such that users are notified that they need to sign GDB in order to use it, using the provided script. An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script. Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see [3],[4]), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program. We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4') [5]. When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. This is probably a manifestation of an intermittent GDB bug [6]. We use the patch provided in the bug report to mitigate the effects of that bug. We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decomissioned (by Travis or conda-forge). [1]: https://github.com/llvm/llvm-project/blob/master/lldb/scripts/macos-setup-codesign.sh [2]: https://sourceware.org/gdb/wiki/PermissionsDarwin [3]: conda-forge#23 [4]: conda-forge/python-feedstock#354 [5]: https://docs.travis-ci.com/user/reference/osx/ [6]: https://sourceware.org/bugzilla/show_bug.cgi?id=24069
@gqmelo @marcelotrevisani @isuruf @jakirkham This PR is now ready for review. I've updated the PR description with a detailed description, as well as an example of how it will look for users when installing the package. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with the OSX bits, but in general it looks good to me. Great work!
I just commented on a duplicate flag when running configure
, but I'll leave up to you if you want to remove it now.
Add support for building GDB on macOS. On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes. The script `recipe/macos-codesign/macos-setup-codesign.sh` sets up this certificate. It is taken from the LLDB repository [1] and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki [2]. This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB. The script `recipe/macos-codesign/macos-codesign-gdb.sh` actually calls 'macos-setup-codesign.sh' and then signs the GDB executable using the just created certificate. A post-link script runs the `recipe/macos-codesign/macos-codesign-gdb.sh` is passwordless sudo is available (in the CI), and if it's not, it writes to $PREFIX/.messages.txt such that users are notified that they need to sign GDB in order to use it, using the provided script. An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script. Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see [3],[4]), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program. We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4') [5]. When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. This is probably a manifestation of an intermittent GDB bug [6]. We use the patch provided in the bug report to mitigate the effects of that bug. We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decomissioned (by Travis or conda-forge). [1]: https://github.com/llvm/llvm-project/blob/master/lldb/scripts/macos-setup-codesign.sh [2]: https://sourceware.org/gdb/wiki/PermissionsDarwin [3]: conda-forge#23 [4]: conda-forge/python-feedstock#354 [5]: https://docs.travis-ci.com/user/reference/osx/ [6]: https://sourceware.org/bugzilla/show_bug.cgi?id=24069
Remove the logic for Python 2.7, for which this package is not built anymore.
The GDB tarball contains both GPLv2 and GPLv3 at the root level, but this tarball also contains related libraries needed to build GDB. The code for the debugger itself is in the `gdb/` subdirectory, and this folder contains only the GPLv3 in `COPYING`. Update the license path and use the correct SPDX license identifier.
- Add titles - Show how to avoid being prompted for a password - Warn about https://sourceware.org/bugzilla/show_bug.cgi?id=24069 on Mojave and later - Change recipe/README.md to mention that bug.
…da-forge-pinning 2020.06.24.16.31.11
The package can be tested by downloading from the conda-forge
|
@isuruf @jakirkham I'll merge this in a day or two, if you want to take a look (no worry if you don't have time). |
Checklist
conda-smithy
(Use the phrase@conda-forge-admin, please rerender
in a comment in this PR for automated rerendering)Closes #7
TODO:
post-link
script that writes to$PREFIX/.message.txt
to instruct users to run the code signing script on their machine to be able to use the debugger. (might be better to wait for conda 4.8.4: see Error printing messages inside .messages.txt file for python3.7+ conda/conda#8809)set startup-with-shell off
(https://sourceware.org/gdb/wiki/BuildingOnDarwin#Disable_starting_the_debuggee_.28inferior.29_via_a_shell) to the global gdbinit, or just instruct users to add that to their~/.gdbinit
. The latter might be less user-friendly, but easier if we want this to apply only on macOS. The alternative would be to use--with-system-gdbinit-dir=directory
(https://sourceware.org/gdb/current/onlinedocs/gdb/System_002dwide-configuration.html#System_002dwide-configuration) and have a script for the python stuff and a separate script for macOS that gets added inside aif [[ $(uname) == "Darwin" ]]
block in build.sh.13/06/2020: here is a final description of this PR, now that all tests are passing.
Add support for building GDB on macOS
On macOS, debuggers need to be codesigned with a codesigning certificate located in the System keychain to be able to control other processes.
The script
recipe/macos-codesign/macos-setup-codesign.sh
sets up this certificate. It is taken from the LLDB repository and only slightly modified to use "gdb_codesign" as the certificate name. Using a script seems more robust than the manual method mentioned in the GDB wiki.This script requires 'sudo', so it is run automatically on the CI but not in a user installation. It is copied to the installation prefix so that users can run it after installing GDB.
The script
recipe/macos-codesign/macos-codesign-gdb.sh
actually callsmacos-setup-codesign.sh
and then signs the GDB executable using the just created certificate.A post-link script runs the
recipe/macos-codesign/macos-codesign-gdb.sh
if passwordless sudo is available (in the CI), and if it's not, it writes to$PREFIX/.messages.txt
such that users are notified that they need to sign GDB in order to use it, using the provided script.Note: at the moment, conda mangles multi-line messages in
$PREFIX/.messages.txt
(conda/conda#8809 ). This bug was fixed in conda/conda#9841, which is already merged, and so should appear in conda 4.8.4. Maybe we want to wait for this conda release before merging this ? It would make for a nicer end-user experience, but since this message is also shown upon environment activation (as long as GDB is not codesigned), I think it's ok.The message shown also informs users how to avoid being prompted for a password every login when they start an executable in GDB.
An activate script is also added to make sure that GDB is correctly codesigned upon environment activation. If it's not codesigned, users are instructed to run the provided script (by showing the same message as the post-link script).
Here is a copy of the message users will see when installing (with the fix in conda/conda#9841 applied to conda) :
Since the Python executable from the conda-forge python package does not include debugging symbols on macOS (see 3,4), we skip the test for the GDB "libpython" integration and add a simple "Hello World" C program, just to test that the debugger can actually run a program.
We use Travis CI for the macOS build since the conda-forge Travis macOS image use macOS 10.13 ('xcode9.4'). When tested under Azure and Travis under macOS 10.14 and 10.15, the build phase succeeds but when running the executable in GDB, GDB hangs. Doing manual testing on 10.15.5 I can replicate this behaviour about half the time I
run
an executable in GDB, so it looks like a race condition.This is probably due to an intermittent GDB bug. The bug reporter suggests a patch that makes GDB not hang, but fails to launch the executable instead (again, about half the time it still works correctly). I've added this patch to the recipe and added a mention of that in
$PREFIX/.messages.txt
to inform users to just try again if they hit this bug:We also add a README in the recipe dir to warn maintainers and contributors that it's possible that the automated testing starts failing when the Travis CI macOS 10.13 image is decommissioned (by Travis or conda-forge).