Bug 244661 - [qa] media-libs/mesa-7.2 + hardened - textrels: --- R-X RWX usr/lib/opengl/xorg-x11/lib/libGL.so.1.2
Status: RESOLVED DUPLICATE of bug 240956
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
: High normal (vote)
Assignee: Gentoo X packagers
Reported: 2008-10-27 18:03 UTC by Jisakiel
Modified: 2009-08-27 09:05 UTC
Description Jisakiel 2008-10-27 18:03:50 UTC
Mesa fails to build on my system (hardened gcc 4.2 with overlay) because of textrel when "strict stricter" is enabled on the features. I believe the failure to merge to be independent of the bleeding, unsupported system.


Possibly related to http://bugs.gentoo.org/show_bug.cgi?id=144801 (and with a similar solution). 


Reproducible: Always

Actual Results:  
 * Moving libGL and friends for dynamic switching ...                     [ ok ]
>>> Completed installing mesa-7.2 into /var/tmp/portage/media-libs/mesa-7.2/image/

strip: i686-pc-linux-gnu-strip --strip-unneeded -R .comment
   usr/lib/dri/i915_dri.so
   usr/lib/dri/i810_dri.so
   usr/lib/dri/swrast_dri.so
   usr/lib/dri/i965_dri.so
   usr/lib/libGLU.so.1.3.070200
   usr/lib/opengl/xorg-x11/lib/libGL.so.1.2

 * QA Notice: The following files contain executable stacks
 * Files with executable stacks will not work properly (or at all!)
 * on some architectures/operating systems.  A bug should be filed
 * at http://bugs.gentoo.org/ to make sure the file is fixed.
 * For more information, see http://hardened.gentoo.org/gnu-stack.xml
 * Please include the following list of files in your report:
 * --- R-X RWX usr/lib/opengl/xorg-x11/lib/libGL.so.1.2

 * 
 * ERROR: media-libs/mesa-7.2 failed.
 * Call stack:
 * misc-functions.sh, line 715:  Called install_qa_check
 * misc-functions.sh, line 233:  Called die
 * The specific snippet of code:
 * die "Aborting due to QA concerns: ${die_msg}"
 * The die message:
 * Aborting due to QA concerns:  execstacks
 * 
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/media-libs/mesa-7.2/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-libs/mesa-7.2/temp/environment'.
 * 
!!! post install failed; exiting.

>>> Failed to emerge media-libs/mesa-7.2, Log file:

>>>  '/var/tmp/portage/media-libs/mesa-7.2/temp/build.log'
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-27 18:47:43 UTC
Please post your `emerge --info' too.
Comment 2 Jisakiel 2008-10-27 19:34:26 UTC
As I said, it's a hardened-gcc4-overlay machine, which I understand is fully unsupported. However, as asked:


# emerge --info
WARNING: repository at /usr/portage/local/overlay is missing a repo_name entry
 * Overlay eclasses override eclasses from PORTDIR:
 * 
 *   '/usr/portage/local/layman/xake-toolchain/eclass/flag-o-matic.eclass'
 *   '/usr/portage/local/layman/xake-toolchain/eclass/toolchain.eclass'
 *   '/usr/portage/local/layman/xake-toolchain/eclass/toolchain-binutils.eclass'
 *   '/usr/portage/local/layman/xake-toolchain/eclass/toolchain-funcs.eclass'
 *   '/usr/portage/local/layman/xake-toolchain/eclass/vim.eclass'
 * 
 * It is best to avoid overriding eclasses from PORTDIR because it will
 * trigger invalidation of cached ebuild metadata that is distributed with
 * the portage tree. If you must override eclasses from PORTDIR then you
 * are advised to add FEATURES="metadata-transfer" to /etc/make.conf and to
 * run `emerge --regen` after each time that you run `emerge --sync`. Set
 * PORTAGE_ECLASS_WARNING_ENABLE="0" in /etc/make.conf if you would like to
 * disable this warning.
Portage 2.2_rc12 (hardened/x86/2.6, gcc-4.2.4, glibc-2.6.1-r1, 2.6.25-hardened-r7 i686)
=================================================================
System uname: Linux-2.6.25-hardened-r7-i686-Intel-R-_Pentium-R-_4_CPU_2.66GHz-with-glibc2.4
Timestamp of tree: Mon, 27 Oct 2008 08:16:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.6-r1
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.3.0-r1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r4
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d /usr/share/X11/xkb"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildsyspkg ccache distlocks metadata-transfer parallel-fetch preserve-libs protect-owned sandbox sfperms strict stricter suidctl unmerge-orphans userfetch userpriv usersandbox webrsync-gpg"
GENTOO_MIRRORS="http://ftp.udc.es/gentoo/"
LANG="es_ES.UTF-8"
LC_ALL="es_ES.UTF-8"
LDFLAGS=""
LINGUAS="es en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/xake-toolchain /usr/portage/local/layman/x11 /usr/portage/local/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="16bit X X509 a52 aac acl acpi alsa apache2 applet archive artworkextra avahi bash-completion berkdb big-tables bittorrent bluetooth branding bzip2 c++ cairo calendar cdaudio cdda cddb cdio cdparanoia cdr cgi chroot compress consolekit cpudetection cracklib crypt cscope css ctype cups curl dbus dia disk-partition divx dri dvd dvdnav dvdr dvdread enca encode exif extraengine fam fastbuild fat ffmpeg file-icons flac flash ftp gcj gd gdbm gedit gif git glibc-omitfp glitz glut gnome gnutella gnutls gpg gpm graphviz gs gstreamer gtk gzip hal hardened hash hpn iconv id3 id3tag imagemagick ipv6 j2me jabber java java6 joystick jpeg jpeg2k kdeenablefinal kdehiddenvisibility keyring lame latex libburn libnotify lzma lzo mad math matroska mdnsresponder-compat midi mime mmx mono mouse mozdevelop mozdom mp3 mp4 mpeg mpeg2 mplayer msdav msn musicbrainz mysql nautilus ncurses netpbm network-cron nls nptl nptlonly nsplugin ntfs ogg openal opengl pam parport pcre pdf perl php pic pidgin pixmaps pkcs11 pmount png policykit portaudio posix postscript ppds pulseaudio python qt3 qt4 qtdesigner quicktime quotas rar readline reflection reiserfs restrict samba screen sdl session snmp sockets spell spl sql sqlite sse sse2 ssl startup-notification subversion svg syslog taglib tcpd theora threads tidy tiff tk totem tracker transcode truetype unicode unzip urandom usb userlocales vhosts vim vim-syntax vnc vorbis wxwindows x264 x86 xattr xine xml xorg xulrunner xv xvid xvmc zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 	emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m 	maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file 
authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="es en" USERLAND="GNU" VIDEO_CARDS="dummy fbdev intel vesa vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_


Package merges just fine with FEATURES="-strict -stricter" (just don't know which one does trigger the problem)
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-28 17:36:35 UTC
(In reply to comment #2)
> As I said, it's a hardened-gcc4-overlay machine which I understand fully
> unsupported.

This isn't a support forum, but a bug tracker. If you find a bug, then you file a report here to (hopefully) get it fixed. If you need support, then ask nicely or pay someone to do it, but don't file a bug report. :)

> Package merges just fine with FEATURES="-strict -stricter" (just don't know
> which one does trigger the problem)

Quoting make.conf(5):

 strict Have portage react strongly to conditions that have the potential to
be dangerous (like missing or incorrect digests for ebuilds).

 stricter Have portage react strongly to conditions that may conflict with
system security provisions (for example textrels, executable stack). Read
about the QA_STRICT_* variables in make.conf(5).

As the configuration variable name suggests, these are features, not bugs. The question is not whether setting either stops mesa from building (hint - it was stricter, not strict) but whether you are compromising either stability or security or both when you set FEATURES=-stricter.
Comment 4 Jisakiel 2008-10-29 17:45:04 UTC
Point is: according to the portage message, it IS a mesa bug:

" A bug should be filed
 * at http://bugs.gentoo.org/ to make sure the file is fixed."

Which is what I was trying to do. I'm pretty sure that emerging on another non-hardened machine with "stricter" will fail in the same way, because libgl.so HAS an executable stack.

Other ebuilds with EXECSTACK (such as nvidia-drivers, also related to its own libgl.so, or the related bug I linked) emerge perfectly with FEATURES="stricter" (just tried), because of the QA_EXECSTACK_x86 and QA_EXECSTACK_amd64 on their ebuilds. I tried adding QA_EXECSTACK_x86 to the ebuild but it kept failing though.


Perhaps it should be recategorized to QA, but not closed as invalid (according to that text at least!). It's up to you to ignore this bug though (because that's what it is IMHO).
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-29 18:03:22 UTC
Then the Summary should reflect that.
Comment 6 solar (RETIRED) gentoo-dev 2008-10-29 18:22:07 UTC
Does this bug happen with hardened gcc-3.x while using USE=pic ? 
Please make sure when you file/report bugs you are not intermixing 3rd party overlay code and our tree.
Comment 7 Jisakiel 2008-10-30 07:17:58 UTC
Confirmed with gcc-3.4.6 (USE=pic is present by default on my system, shown with (+  ) on ufed): I get the same error. 

Comment 8 Fredric Johansson 2008-11-14 15:36:27 UTC
This is also an issue with non-hardened gcc but a PaX-enabled hardened kernel, and it causes all libGL-dependent programs to be killed at start. I tried to use the PIC fix guide on the hardened page to find what causes it, but in vain; I couldn't find it. mesa-7.1 has no textrelocs.

emerge --info
Portage 2.2_rc14 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.7-r2, 2.6.27-hardened-r1 i686)
=================================================================
System uname: Linux-2.6.27-hardened-r1-i686-Intel-R-_Pentium-R-_4_CPU_3.00GHz-with-glibc2.0
Timestamp of tree: Fri, 14 Nov 2008 15:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.7-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="sv_SE"
LC_ALL="sv_SE"
LDFLAGS="-Wl,-O1"
LINGUAS="sv en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/desktop-effects /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acpi alsa amr berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups curl dbus directfb dri dts dvb dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac gdbm gif glut gstreamer gtk hal iconv idea isdnlog ithreads java jpeg ldap libnotify mad midi mikmod mmx mng mp3 mpeg mudflap ncurses nls nptl nptlonly ogg openal opengl openmp pam pcre pdf perl pic png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session speex spell spl sse sse2 ssl startup-notification svg svga sysfs tcl tcpd tga theora threads tiff tk truetype unicode usb v4l v4l2 vorbis win32codecs wxwindows x264 x86 xcomposite xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="sv en" USERLAND="GNU" VIDEO_CARDS="fglrx radeon vesa"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Hugo Mildenberger 2008-11-17 09:08:23 UTC
(In reply to comment #8)

See http://bugs.gentoo.org/show_bug.cgi?id=240956. 
Comment 10 PaX Team 2008-11-26 22:00:03 UTC
there're several issues here.

1. the 7.1->7.2 ebuild was changed as:

@@ -148,10 +146,10 @@
        myconf="${myconf} --with-dri-drivers=${DRI_DRIVERS}"

        # Deactivate assembly code for pic build
-       myconf="${myconf} $(use_enable pic asm)"
+       myconf="${myconf} $(use_enable !pic asm)"

        # Sparc assembly code is not working
-       myconf="${myconf} $(use_enable sparc asm)"
+       myconf="${myconf} $(use_enable !sparc asm)"

        myconf="${myconf} --disable-glut"
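
Review bot: both rewritten lines append an asm switch to myconf, so the second one overrides the first. With USE=pic on a non-sparc system, `$(use_enable !pic asm)` yields --disable-asm and `$(use_enable !sparc asm)` then yields --enable-asm; configure normally honours the last occurrence, so assembly stays enabled in the pic build, contrary to the "Deactivate assembly code for pic build" comment. Suggest emitting the switch once, for example `if use pic || use sparc; then myconf="${myconf} --disable-asm"; fi`, and dropping the two use_enable calls.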

that was a rather careless change as you can see it from bug #240956 (with my additional note that the GLX_X86_READONLY_TEXT patch isn't needed to fix it).

2. mesa has been bleeding from several wounds, that all lead back to the fundamental issue of runtime code generation. it used to be missing GNU_STACK marks iirc, but that got fixed, then came runtime patched GL dispatcher stubs, that was solved by emitting a RWE PT_LOAD which of course runs afoul of PaX/MPROTECT and needs MPROTECT removed from all *executables* that link against libGL (good luck hunting those down...), then lately there's runtime generated code for certain transformations (see src/mesa/tnl/).

all in all, the workaround we used to have with USE=pic has little effect nowadays. even if fixed in the ebuild, while the resulting libGL would at least load under PaX/MPROTECT it would fail on the tnl runtime generated code. unless there's a way to turn that off and fall back to interpreted code or whatever it was before, it'll be an uphill battle (not only for PaX users but SELinux folks as well as they can also restrict runtime code generation). any ideas welcome...
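
Added example, not part of the original comment and not Mesa or Portage code: a small audit of the two ELF program-header conditions discussed in this bug, a missing or executable PT_GNU_STACK mark and a PT_LOAD segment that is both writable and executable. The helper names `audit_phdrs` and `make_elf32` are hypothetical, and the two ELF images are constructed inline rather than taken from a real libGL.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W = 1, 2

def audit_phdrs(elf):
    """Report exec-stack and W+X PT_LOAD findings for an ELF image in memory."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    stack_flags, wx_loads = None, []
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        # p_flags is at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_loads.append(i)
    return {
        "gnu_stack_present": stack_flags is not None,
        # An absent mark is reported as executable (the legacy x86 default).
        "exec_stack": stack_flags is None or bool(stack_flags & PF_X),
        "wx_load_segments": wx_loads,
    }

def make_elf32(segments):
    """Build a constructed little-endian ELF32 header plus program headers."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1,
                       0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, flags, 0x1000)
                     for t, flags in segments)
    return ehdr + phdrs

# Constructed samples: (p_type, p_flags) pairs, flags as R=4 W=2 X=1.
UNHARDENED = make_elf32([(PT_LOAD, 5), (PT_LOAD, 7)])            # no stack mark, RWX load
HARDENED = make_elf32([(PT_LOAD, 5), (PT_LOAD, 6), (PT_GNU_STACK, 6)])

if __name__ == "__main__":
    print(audit_phdrs(UNHARDENED))
    print(audit_phdrs(HARDENED))
```

To check a real library, pass the file's bytes, e.g. `audit_phdrs(open(path, "rb").read())`.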
Comment 11 Tomáš Chvátal (RETIRED) gentoo-dev 2009-08-27 09:05:38 UTC

*** This bug has been marked as a duplicate of bug 240956 ***