Package: guix-patches;
Reported by: Ian Eure <ian <at> retrospec.tv>
Date: Tue, 8 Apr 2025 19:58:02 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 77653 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 08 Apr 2025 19:58:02 GMT) Full text and rfc822 format available.Ian Eure <ian <at> retrospec.tv>:guix-patches <at> gnu.org.
(Tue, 08 Apr 2025 19:58:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: guix-patches <at> gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH 0/4] Add WASM toolchain, wasi-libc, and browser WASM sandbox support Date: Tue, 8 Apr 2025 12:57:20 -0700
This patch series adds a Clang variant which can emit WASM; runtime support for WASM binaries; wasi-libc, a libc implementation for WASM programs; and a `wasm-sandboxed' function which creates a WASM sandboxed variant of Firefox-based browsers. In Firefox and Firefox-derived browsers, WASM sandboxing is a security technique which compiles C/C++ libraries into WASM, then translates the WASM back into native code. This allows leveraging the WASM security model to isolate the library from the browser, without needing a separate process to contain it. Please see this blog post for more info: https://hacks.mozilla.org/2020/02/securing-firefox-with-webassembly/ The code is extracted from my personal channel[1], which in turn is based on work done for nonguix's Firefox package. I've been daliy-driving personal variants of LibreWolf since before the package was accepted into Guix, and nonguix's Firefox has been using it even longer. [1]: https://codeberg.org/ieure/atomized-guix/src/branch/main/atomized/packages/wasm.scm [2]: https://gitlab.com/nonguix/nonguix/-/blob/master/nongnu/packages/wasm.scm?ref_type=heads Ian Eure (4): gnu: Add wasi-libc. gnu: Add wasm32-wasi-clang-runtime. gnu: Add wasm32-wasi-clang. gnu: Add wasm-sandboxed. gnu/packages/gnuzilla.scm | 30 +++++++++ gnu/packages/wasm.scm | 135 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 165 insertions(+) create mode 100644 gnu/packages/wasm.scm -- 2.49.0
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 08 Apr 2025 19:59:02 GMT) Full text and rfc822 format available.Message #8 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: 77653 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH 2/4] gnu: Add wasm32-wasi-clang-runtime. Date: Tue, 8 Apr 2025 12:58:27 -0700
* gnu/packages/wasm.scm (wasm32-wasi-clang-runtime): New variable.
Change-Id: Ib0465fdc86086451782d533380a8966cdde6dc1e
---
gnu/packages/wasm.scm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm
index 060e1e420f..53ea31f4a7 100644
--- a/gnu/packages/wasm.scm
+++ b/gnu/packages/wasm.scm
@@ -76,3 +76,33 @@ (define-public wasi-libc
license:bsd-2
;; For wasi-libc and musl-libc.
license:expat))))
+
+(define-public wasm32-wasi-clang-runtime
+ (package (inherit clang-runtime-16)
+ (native-inputs
+ (list clang-16
+ wasi-libc))
+ (inputs (list llvm-16))
+ (arguments
+ (list
+ #:build-type "Release"
+ #:tests? #f
+ ;; Stripping binaries breaks wasm linking, resulting in the following
+ ;; error: "archive has no index; run ranlib to add one".
+ #:strip-binaries? #f
+ #:configure-flags
+ #~(list "-DCMAKE_C_COMPILER=clang"
+ "-DCMAKE_C_COMPILER_TARGET=wasm32-wasi"
+ (string-append
+ "-DCMAKE_SYSROOT=" #$wasi-libc "/wasm32-wasi")
+ (string-append
+ "-DCMAKE_C_FLAGS=-I " #$wasi-libc "/wasm32-wasi/include")
+
+ "-DCOMPILER_RT_OS_DIR=wasi"
+
+ "-DCOMPILER_RT_BAREMETAL_BUILD=On"
+ "-DCOMPILER_RT_DEFAULT_TARGET_ONLY=On"
+
+ ;; WASM only needs libclang_rt.builtins-wasm32.a from
+ ;; compiler-rt.
+ "../source/compiler-rt/lib/builtins")))))
--
2.49.0
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 08 Apr 2025 19:59:03 GMT) Full text and rfc822 format available.Message #11 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: 77653 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH 1/4] gnu: Add wasi-libc. Date: Tue, 8 Apr 2025 12:58:26 -0700
* gnu/packages/wasm.scm (wasi-libc): New variable.
Change-Id: I1aefc4573424e19119d225904b5461b1bea0221e
---
gnu/packages/wasm.scm | 78 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 gnu/packages/wasm.scm
diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm
new file mode 100644
index 0000000000..060e1e420f
--- /dev/null
+++ b/gnu/packages/wasm.scm
@@ -0,0 +1,78 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2022-2023 Pierre Langlois <pierre.langlois <at> gmx.com>
+;;; Copyright © 2023, 2024, 2025 Ian Eure <ian <at> retrospec.tv>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages wasm)
+ #:use-module (gnu packages llvm)
+ #:use-module (guix base32)
+ #:use-module (guix build-system gnu)
+ #:use-module (guix gexp)
+ #:use-module (guix git-download)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (guix packages))
+
+(define-public wasi-libc
+ (package
+ (name "wasi-libc")
+ (version "sdk-20")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/WebAssembly/wasi-libc")
+ (commit (string-append "wasi-" version))
+ (recursive? #t)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "0knm5ch499dksmv1k0kh7356pjd9n1gjn0p3vp9bw57mn478zp8z"))))
+ (build-system gnu-build-system)
+ (native-inputs (list clang-16))
+ (arguments
+ (list #:tests? #f ;No test suite
+ ;; Firefox uses wasm2c to compile WebAssembly to C code, and it
+ ;; does not support the memory.copy opcode.
+ ;; See https://bugzilla.mozilla.org/show_bug.cgi?id=1773200#c4
+ #:make-flags ''("BULK_MEMORY_SOURCES=")
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'configure)
+ (add-before 'build 'set-sysroot-include
+ (lambda _
+ (setenv "C_INCLUDE_PATH"
+ (string-append (getcwd) "/sysroot/include"))))
+ (add-before 'install 'set-install-dir
+ (lambda _
+ (setenv "INSTALL_DIR"
+ (string-append #$output "/wasm32-wasi")))))))
+ (home-page "https://wasi.dev")
+ (synopsis "WASI libc implementation for WebAssembly")
+ (description
+ "WASI Libc is a libc for WebAssembly programs built on top of WASI
+system calls. It provides a wide array of POSIX-compatible C APIs, including
+support for standard I/O, file I/O, filesystem manipulation, memory
+management, time, string, environment variables, program startup, and many
+other APIs.")
+ (license (list
+ ;; For wasi-libc, with LLVM exceptions
+ license:asl2.0
+ ;; For malloc.c.
+ license:cc0
+ ;; For cloudlibc.
+ license:bsd-2
+ ;; For wasi-libc and musl-libc.
+ license:expat))))
--
2.49.0
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 08 Apr 2025 19:59:03 GMT) Full text and rfc822 format available.Message #14 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: 77653 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH 3/4] gnu: Add wasm32-wasi-clang. Date: Tue, 8 Apr 2025 12:58:28 -0700
* gnu/packages/wasm.scm (wasm32-wasi-clang): New variable.
Change-Id: Ibf1df3e93929442a8eed29eea20b2f83b491f3b3
---
gnu/packages/wasm.scm | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm
index 53ea31f4a7..447687d009 100644
--- a/gnu/packages/wasm.scm
+++ b/gnu/packages/wasm.scm
@@ -24,7 +24,8 @@ (define-module (gnu packages wasm)
#:use-module (guix gexp)
#:use-module (guix git-download)
#:use-module ((guix licenses) #:prefix license:)
- #:use-module (guix packages))
+ #:use-module (guix packages)
+ #:use-module (guix utils))
(define-public wasi-libc
(package
@@ -106,3 +107,29 @@ (define-public wasm32-wasi-clang-runtime
;; WASM only needs libclang_rt.builtins-wasm32.a from
;; compiler-rt.
"../source/compiler-rt/lib/builtins")))))
+
+;; Although Clang can be built to support multiple compilation targets, Guix
+;; builds only target the native architecture, so we have to build a build a
+;; new toolchain that to target WASM.
+
+(define clang-from-llvm (@@ (gnu packages llvm) clang-from-llvm))
+(define llvm-monorepo (@@ (gnu packages llvm) llvm-monorepo))
+
+(define-public wasm32-wasi-clang
+ (let ((base (clang-from-llvm llvm-16 wasm32-wasi-clang-runtime)))
+ (package (inherit base)
+ (name "wasm32-wasi-clang")
+ (inputs
+ (modify-inputs (package-inputs base)
+ (prepend wasi-libc)))
+ (arguments
+ (substitute-keyword-arguments (package-arguments base)
+ ((#:configure-flags flags)
+ #~(list "-DCLANG_INCLUDE_TESTS=True"
+ ;; Use a sane default include directory.
+ (string-append "-DC_INCLUDE_DIRS="
+ #$wasi-libc
+ "/wasm32-wasi/include")))
+ ((#:phases phases)
+ `(modify-phases ,phases
+ (delete 'symlink-cfi_ignorelist))))))))
--
2.49.0
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 08 Apr 2025 19:59:04 GMT) Full text and rfc822 format available.Message #17 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: 77653 <at> debbugs.gnu.org Cc: Ian Eure <ian <at> retrospec.tv> Subject: [PATCH 4/4] gnu: Add wasm-sandboxed. Date: Tue, 8 Apr 2025 12:58:29 -0700
* gnu/packages/gnuzilla.scm (wasm-sandboxed): New variable.
Change-Id: I568e6cb9aca43122a06f46fd3a8d9a462754c36a
---
gnu/packages/gnuzilla.scm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index f4a912d8d5..32b2d13de5 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -99,8 +99,38 @@ (define-module (gnu packages gnuzilla)
#:use-module (gnu packages xdisorg)
#:use-module (gnu packages readline)
#:use-module (gnu packages sqlite)
+ #:use-module (gnu packages wasm)
#:autoload (json parser) (json->scm))
+(define-public (wasm-sandboxed orig-package)
+ "Given a Firefox or Firefox-derived package ORIG-PACKAGE, return a
+variant package which enables WASM sandboxing."
+ (package
+ (inherit orig-package)
+ (name (string-append (package-name orig-package) "-wasm-sandboxed"))
+ (arguments
+ (substitute-keyword-arguments (package-arguments orig-package)
+ ((#:configure-flags flags)
+ #~(let ((wasi-sysroot #$(this-package-native-input "wasm32-wasi-clang-toolchain")))
+ (append (delq "--without-wasm-sandboxed-libraries" #$flags)
+ (list
+ (string-append "--with-wasi-sysroot=" wasi-sysroot "/wasm32-wasi")))))
+ ((#:phases phases)
+ #~(modify-phases #$phases
+ (add-before 'configure 'set-wasm-env
+ (lambda* (#:key inputs #:allow-other-keys)
+ (setenv "WASM_CC"
+ (string-append (assoc-ref inputs
+ "wasm32-wasi-clang-toolchain")
+ "/bin/clang"))
+ (setenv "WASM_CXX"
+ (string-append (assoc-ref inputs
+ "wasm32-wasi-clang-toolchain")
+ "/bin/clang++"))))))))
+ (native-inputs
+ (modify-inputs (package-native-inputs orig-package)
+ (append wasm32-wasi-clang-toolchain)))))
+
(define-public mozjs
(package
(name "mozjs")
--
2.49.0
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Wed, 09 Apr 2025 02:56:02 GMT) Full text and rfc822 format available.Message #20 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Z572 <z572 <at> z572.online> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 1/4] gnu: Add wasi-libc. Date: Wed, 09 Apr 2025 10:54:56 +0800
[Message part 1 (text/plain, inline)]
Ian Eure <ian <at> retrospec.tv> writes:
> * gnu/packages/wasm.scm (wasi-libc): New variable.
>
> Change-Id: I1aefc4573424e19119d225904b5461b1bea0221e
> ---
> gnu/packages/wasm.scm | 78 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 78 insertions(+)
> create mode 100644 gnu/packages/wasm.scm
>
> diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm
> new file mode 100644
> index 0000000000..060e1e420f
> --- /dev/null
> +++ b/gnu/packages/wasm.scm
> @@ -0,0 +1,78 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2022-2023 Pierre Langlois <pierre.langlois <at> gmx.com>
> +;;; Copyright © 2023, 2024, 2025 Ian Eure <ian <at> retrospec.tv>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu packages wasm)
> + #:use-module (gnu packages llvm)
> + #:use-module (guix base32)
> + #:use-module (guix build-system gnu)
> + #:use-module (guix gexp)
> + #:use-module (guix git-download)
> + #:use-module ((guix licenses) #:prefix license:)
> + #:use-module (guix packages))
> +
> +(define-public wasi-libc
> + (package
> + (name "wasi-libc")
> + (version "sdk-20")
i think sould "20"
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/WebAssembly/wasi-libc")
> + (commit (string-append "wasi-" version))
"wasi-sdk-"
> + (recursive? #t)))
Why do we need recursive
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "0knm5ch499dksmv1k0kh7356pjd9n1gjn0p3vp9bw57mn478zp8z"))))
> + (build-system gnu-build-system)
> + (native-inputs (list clang-16))
Please add a comment why clang-16 is needed instead of clang.
> + (arguments
> + (list #:tests? #f ;No test suite
> + ;; Firefox uses wasm2c to compile WebAssembly to C code, and it
> + ;; does not support the memory.copy opcode.
> + ;; See https://bugzilla.mozilla.org/show_bug.cgi?id=1773200#c4
> + #:make-flags ''("BULK_MEMORY_SOURCES=")
#~(list "BULK_MEMORY_SOURCES=")
> + #:phases
> + #~(modify-phases %standard-phases
> + (delete 'configure)
> + (add-before 'build 'set-sysroot-include
> + (lambda _
> + (setenv "C_INCLUDE_PATH"
> + (string-append (getcwd) "/sysroot/include"))))
> + (add-before 'install 'set-install-dir
> + (lambda _
> + (setenv "INSTALL_DIR"
> + (string-append #$output "/wasm32-wasi")))))))
> + (home-page "https://wasi.dev")
> + (synopsis "WASI libc implementation for WebAssembly")
> + (description
> + "WASI Libc is a libc for WebAssembly programs built on top of WASI
> +system calls. It provides a wide array of POSIX-compatible C APIs, including
> +support for standard I/O, file I/O, filesystem manipulation, memory
> +management, time, string, environment variables, program startup, and many
> +other APIs.")
> + (license (list
> + ;; For wasi-libc, with LLVM exceptions
> + license:asl2.0
> + ;; For malloc.c.
> + license:cc0
> + ;; For cloudlibc.
> + license:bsd-2
> + ;; For wasi-libc and musl-libc.
> + license:expat))))
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Wed, 09 Apr 2025 02:59:02 GMT) Full text and rfc822 format available.Message #23 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Z572 <z572 <at> z572.online> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 2/4] gnu: Add wasm32-wasi-clang-runtime. Date: Wed, 09 Apr 2025 10:58:05 +0800
[Message part 1 (text/plain, inline)]
Ian Eure <ian <at> retrospec.tv> writes: > * gnu/packages/wasm.scm (wasm32-wasi-clang-runtime): New variable. > > Change-Id: Ib0465fdc86086451782d533380a8966cdde6dc1e > --- > gnu/packages/wasm.scm | 30 ++++++++++++++++++++++++++++++ > 1 file changed, 30 insertions(+) > > diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm > index 060e1e420f..53ea31f4a7 100644 > --- a/gnu/packages/wasm.scm > +++ b/gnu/packages/wasm.scm > @@ -76,3 +76,33 @@ (define-public wasi-libc > license:bsd-2 > ;; For wasi-libc and musl-libc. > license:expat)))) > + > +(define-public wasm32-wasi-clang-runtime > + (package (inherit clang-runtime-16) Please add a line break (package (inherit clang-runtime-16) .... ) > + (native-inputs > + (list clang-16 > + wasi-libc)) Should wasi-libc be placed in inputs? > + (inputs (list llvm-16)) > + (arguments > + (list > + #:build-type "Release" > + #:tests? #f > + ;; Stripping binaries breaks wasm linking, resulting in the following > + ;; error: "archive has no index; run ranlib to add one". > + #:strip-binaries? #f > + #:configure-flags > + #~(list "-DCMAKE_C_COMPILER=clang" > + "-DCMAKE_C_COMPILER_TARGET=wasm32-wasi" > + (string-append > + "-DCMAKE_SYSROOT=" #$wasi-libc "/wasm32-wasi") (this-package-native-input "wasi-libc") > + (string-append > + "-DCMAKE_C_FLAGS=-I " #$wasi-libc "/wasm32-wasi/include") (this-package-native-input "wasi-libc") > + > + "-DCOMPILER_RT_OS_DIR=wasi" > + > + "-DCOMPILER_RT_BAREMETAL_BUILD=On" > + "-DCOMPILER_RT_DEFAULT_TARGET_ONLY=On" > + > + ;; WASM only needs libclang_rt.builtins-wasm32.a from > + ;; compiler-rt. > + "../source/compiler-rt/lib/builtins")))))
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Wed, 09 Apr 2025 03:02:02 GMT) Full text and rfc822 format available.Message #26 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Z572 <z572 <at> z572.online> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 3/4] gnu: Add wasm32-wasi-clang. Date: Wed, 09 Apr 2025 11:01:14 +0800
[Message part 1 (text/plain, inline)]
Ian Eure <ian <at> retrospec.tv> writes: > * gnu/packages/wasm.scm (wasm32-wasi-clang): New variable. > > Change-Id: Ibf1df3e93929442a8eed29eea20b2f83b491f3b3 > --- > gnu/packages/wasm.scm | 29 ++++++++++++++++++++++++++++- > 1 file changed, 28 insertions(+), 1 deletion(-) > > diff --git a/gnu/packages/wasm.scm b/gnu/packages/wasm.scm > index 53ea31f4a7..447687d009 100644 > --- a/gnu/packages/wasm.scm > +++ b/gnu/packages/wasm.scm > @@ -24,7 +24,8 @@ (define-module (gnu packages wasm) > #:use-module (guix gexp) > #:use-module (guix git-download) > #:use-module ((guix licenses) #:prefix license:) > - #:use-module (guix packages)) > + #:use-module (guix packages) > + #:use-module (guix utils)) > > (define-public wasi-libc > (package > @@ -106,3 +107,29 @@ (define-public wasm32-wasi-clang-runtime > ;; WASM only needs libclang_rt.builtins-wasm32.a from > ;; compiler-rt. > "../source/compiler-rt/lib/builtins"))))) > + > +;; Although Clang can be built to support multiple compilation targets, Guix > +;; builds only target the native architecture, so we have to build a build a > +;; new toolchain that to target WASM. > + > +(define clang-from-llvm (@@ (gnu packages llvm) clang-from-llvm)) > +(define llvm-monorepo (@@ (gnu packages llvm) llvm-monorepo)) Will this have any impact on the compilation? Maybe we should export clang-from-llvm and llvm-monorepo from (gnu packages llvm) > + > +(define-public wasm32-wasi-clang > + (let ((base (clang-from-llvm llvm-16 wasm32-wasi-clang-runtime))) > + (package (inherit base) > + (name "wasm32-wasi-clang") > + (inputs > + (modify-inputs (package-inputs base) > + (prepend wasi-libc))) > + (arguments > + (substitute-keyword-arguments (package-arguments base) > + ((#:configure-flags flags) > + #~(list "-DCLANG_INCLUDE_TESTS=True" > + ;; Use a sane default include directory. > + (string-append "-DC_INCLUDE_DIRS=" > + #$wasi-libc (this-package-input "wasi-libc") > + "/wasm32-wasi/include"))) > + ((#:phases phases) > + `(modify-phases ,phases > + (delete 'symlink-cfi_ignorelist)))))))) Please add a comment why symlink-cfi_ignorelist should be deleted
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Wed, 09 Apr 2025 22:09:02 GMT) Full text and rfc822 format available.Message #29 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: Z572 <z572 <at> z572.online> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 2/4] gnu: Add wasm32-wasi-clang-runtime. Date: Wed, 09 Apr 2025 15:08:12 -0700
Z572 <z572 <at> z572.online> writes: > Ian Eure <ian <at> retrospec.tv> writes: > >> + (native-inputs >> + (list clang-16 >> + wasi-libc)) > > Should wasi-libc be placed in inputs? Good question. I think it can be, since it’s WASM bytecode. My only concern is that it might contain an arch-specific store reference, but I dug around in the output and didn’t see anything. So I think this should be fine, but I’ll do a little testing. All your other suggestions look good, I’ll give this a whirl and send a v2. Thanks, -- Ian
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 08:03:02 GMT) Full text and rfc822 format available.Message #32 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 1/4] gnu: Add wasi-libc. Date: Fri, 25 Apr 2025 17:02:15 +0900
Hello,
Ian Eure <ian <at> retrospec.tv> writes:
> * gnu/packages/wasm.scm (wasi-libc): New variable.
[...]
> +(define-public wasi-libc
> + (package
> + (name "wasi-libc")
> + (version "sdk-20")
That's an odd version string. Should we strip 'sdk-' and keep just
'20'?
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/WebAssembly/wasi-libc")
> + (commit (string-append "wasi-" version))
> + (recursive? #t)))
The reason for using recursive? #t should be explained in a comment.
Typically these pull other package sources, which as a policy we'd
rather package separately.
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "0knm5ch499dksmv1k0kh7356pjd9n1gjn0p3vp9bw57mn478zp8z"))))
> + (build-system gnu-build-system)
> + (native-inputs (list clang-16))
> + (arguments
> + (list #:tests? #f ;No test suite
nitpick: no need to punctuate margin comments (standalone comments, yes).
> + ;; Firefox uses wasm2c to compile WebAssembly to C code, and it
> + ;; does not support the memory.copy opcode.
> + ;; See https://bugzilla.mozilla.org/show_bug.cgi?id=1773200#c4
> + #:make-flags ''("BULK_MEMORY_SOURCES=")
> + #:phases
> + #~(modify-phases %standard-phases
> + (delete 'configure)
> + (add-before 'build 'set-sysroot-include
> + (lambda _
> + (setenv "C_INCLUDE_PATH"
> + (string-append (getcwd) "/sysroot/include"))))
> + (add-before 'install 'set-install-dir
> + (lambda _
> + (setenv "INSTALL_DIR"
> + (string-append #$output "/wasm32-wasi")))))))
That's a strange (non-FHSish) place to put the result, no? Should in go
to /lib/wasm32-wasi, perhaps?
> + (home-page "https://wasi.dev")
> + (synopsis "WASI libc implementation for WebAssembly")
> + (description
> + "WASI Libc is a libc for WebAssembly programs built on top of WASI
> +system calls. It provides a wide array of POSIX-compatible C APIs, including
> +support for standard I/O, file I/O, filesystem manipulation, memory
> +management, time, string, environment variables, program startup, and many
> +other APIs.")
Please use 'file system' instead of filesystem, as a GNU convention.
--
Thanks,
Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 08:07:02 GMT) Full text and rfc822 format available.Message #35 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 2/4] gnu: Add wasm32-wasi-clang-runtime. Date: Fri, 25 Apr 2025 17:05:52 +0900
Hi, Ian Eure <ian <at> retrospec.tv> writes: > * gnu/packages/wasm.scm (wasm32-wasi-clang-runtime): New variable. [...] > +(define-public wasm32-wasi-clang-runtime > + (package (inherit clang-runtime-16) This reminds me that this should be documented, but when creating variants (packages issued from the same source but with different build flags, say), you must use package/inherit for the grafts machinery to work correctly. > + (native-inputs > + (list clang-16 > + wasi-libc)) I'd format these on one line, like you did below, since there are less than 5 and it fits. > + (inputs (list llvm-16)) > + (arguments > + (list > + #:build-type "Release" > + #:tests? #f Need an explanatory comment, e.g.: ;no test suite > + ;; Stripping binaries breaks wasm linking, resulting in the following > + ;; error: "archive has no index; run ranlib to add one". > + #:strip-binaries? #f > + #:configure-flags > + #~(list "-DCMAKE_C_COMPILER=clang" > + "-DCMAKE_C_COMPILER_TARGET=wasm32-wasi" > + (string-append > + "-DCMAKE_SYSROOT=" #$wasi-libc "/wasm32-wasi") > + (string-append > + "-DCMAKE_C_FLAGS=-I " #$wasi-libc "/wasm32-wasi/include") As Z572 mentioned, this shouldn't reference the packages directly, to be input-rewrite friendly. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 08:10:02 GMT) Full text and rfc822 format available.Message #38 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 2/4] gnu: Add wasm32-wasi-clang-runtime. Date: Fri, 25 Apr 2025 17:09:42 +0900
Hi, Ian Eure <ian <at> retrospec.tv> writes: [...] > +(define-public wasm32-wasi-clang-runtime > + (package (inherit clang-runtime-16) I forgot the most important bit: inheritance cannot happen between different modules, as it uses direct (non-delayed nor thunked) references to the package objects and would introduce module circular dependencies, which are surprising and not fun to hunt down. See (info "(guix) Cyclic Module Dependencies") for the explanation/guidelines. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 12:53:03 GMT) Full text and rfc822 format available.Message #41 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 3/4] gnu: Add wasm32-wasi-clang. Date: Fri, 25 Apr 2025 21:52:32 +0900
Hi, Ian Eure <ian <at> retrospec.tv> writes: > * gnu/packages/wasm.scm (wasm32-wasi-clang): New variable. > > Change-Id: Ibf1df3e93929442a8eed29eea20b2f83b491f3b3 [...] > --- a/gnu/packages/wasm.scm > +++ b/gnu/packages/wasm.scm > @@ -24,7 +24,8 @@ (define-module (gnu packages wasm) > #:use-module (guix gexp) > #:use-module (guix git-download) > #:use-module ((guix licenses) #:prefix license:) > - #:use-module (guix packages)) > + #:use-module (guix packages) > + #:use-module (guix utils)) > > (define-public wasi-libc > (package > @@ -106,3 +107,29 @@ (define-public wasm32-wasi-clang-runtime > ;; WASM only needs libclang_rt.builtins-wasm32.a from > ;; compiler-rt. > "../source/compiler-rt/lib/builtins"))))) > + > +;; Although Clang can be built to support multiple compilation targets, Guix > +;; builds only target the native architecture, so we have to build a build a > +;; new toolchain that to target WASM. > + > +(define clang-from-llvm (@@ (gnu packages llvm) clang-from-llvm)) > +(define llvm-monorepo (@@ (gnu packages llvm) llvm-monorepo)) > + > +(define-public wasm32-wasi-clang > + (let ((base (clang-from-llvm llvm-16 wasm32-wasi-clang-runtime))) > + (package (inherit base) As explained previously, this should be package/inherit, and this new clang variant should live in the same module as clang in (gnu packages llvm). > + (name "wasm32-wasi-clang") > + (inputs > + (modify-inputs (package-inputs base) > + (prepend wasi-libc))) > + (arguments > + (substitute-keyword-arguments (package-arguments base) > + ((#:configure-flags flags) Since it seems you strictly want to override #:configure-flags rather than extend it, a better choice would be `ensure-keyword-arguments'. > + #~(list "-DCLANG_INCLUDE_TESTS=True" > + ;; Use a sane default include directory. > + (string-append "-DC_INCLUDE_DIRS=" > + #$wasi-libc > + "/wasm32-wasi/include"))) It seems to be /include or /include/wasm32-wasi would be a "saner" default :-). > + ((#:phases phases) > + `(modify-phases ,phases > + (delete 'symlink-cfi_ignorelist)))))))) Why is the above necessary? A comment could help. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 13:02:03 GMT) Full text and rfc822 format available.Message #44 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 4/4] gnu: Add wasm-sandboxed. Date: Fri, 25 Apr 2025 22:01:13 +0900
Hi, Ian Eure <ian <at> retrospec.tv> writes: > * gnu/packages/gnuzilla.scm (wasm-sandboxed): New variable. > > Change-Id: I568e6cb9aca43122a06f46fd3a8d9a462754c36a > --- > gnu/packages/gnuzilla.scm | 30 ++++++++++++++++++++++++++++++ > 1 file changed, 30 insertions(+) > > diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm > index f4a912d8d5..32b2d13de5 100644 > --- a/gnu/packages/gnuzilla.scm > +++ b/gnu/packages/gnuzilla.scm > @@ -99,8 +99,38 @@ (define-module (gnu packages gnuzilla) > #:use-module (gnu packages xdisorg) > #:use-module (gnu packages readline) > #:use-module (gnu packages sqlite) > + #:use-module (gnu packages wasm) > #:autoload (json parser) (json->scm)) > > +(define-public (wasm-sandboxed orig-package) > + "Given a Firefox or Firefox-derived package ORIG-PACKAGE, return a > +variant package which enables WASM sandboxing." > + (package > + (inherit orig-package) If that is going to be called to define top-level packages in some other module, that would also lead to the circular module dependency problem discussed earlier. Perhaps it's best to remain private then. > + (name (string-append (package-name orig-package) "-wasm-sandboxed")) > + (arguments > + (substitute-keyword-arguments (package-arguments orig-package) > + ((#:configure-flags flags) > + #~(let ((wasi-sysroot #$(this-package-native-input "wasm32-wasi-clang-toolchain"))) > + (append (delq "--without-wasm-sandboxed-libraries" #$flags) To compare strings, you want equal?, not eq?, so you should use delete and not delq. > + (list > + (string-append "--with-wasi-sysroot=" wasi-sysroot "/wasm32-wasi"))))) Too wide: our guidelines says maximum width should be 80 columns. > + ((#:phases phases) I find it's often a better practice to put a default value when using `substitute-keyword-arguments', otherwise if there is no #:phases argument in the base package, nothing happens. So something like: ((#:phases phases '%standard-phases) ...) would be more robust. > + #~(modify-phases #$phases > + (add-before 'configure 'set-wasm-env > + (lambda* (#:key inputs #:allow-other-keys) > + (setenv "WASM_CC" > + (string-append (assoc-ref inputs > + "wasm32-wasi-clang-toolchain") > + "/bin/clang")) Instead of assoc-ref, you should use the more modern equivalent #$(this-package-native-input "wasm32-wasi-clang-toolchain"). I'm not sure i we really want this wrapper, which is nice but could lead to even more variants of firefox builds, which are expensive. Perhaps we should just make a decision to enable such support in our current builds, if it doesn't cause performance problems yet (supposedly) helps with security and be done. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 25 Apr 2025 13:03:01 GMT) Full text and rfc822 format available.Message #47 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 0/4] Add WASM toolchain, wasi-libc, and browser WASM sandbox support Date: Fri, 25 Apr 2025 22:02:45 +0900
Hi Ian, Ian Eure <ian <at> retrospec.tv> writes: > This patch series adds a Clang variant which can emit WASM; runtime support for WASM binaries; wasi-libc, a libc implementation for WASM programs; and a `wasm-sandboxed' function which creates a WASM sandboxed variant of Firefox-based browsers. > > In Firefox and Firefox-derived browsers, WASM sandboxing is a security technique which compiles C/C++ libraries into WASM, then translates the WASM back into native code. This allows leveraging the WASM security model to isolate the library from the browser, without needing a separate process to contain it. Please see this blog post for more info: https://hacks.mozilla.org/2020/02/securing-firefox-with-webassembly/ > > The code is extracted from my personal channel[1], which in turn is based on work done for nonguix's Firefox package. I've been daliy-driving personal variants of LibreWolf since before the package was accepted into Guix, and nonguix's Firefox has been using it even longer. > > [1]: https://codeberg.org/ieure/atomized-guix/src/branch/main/atomized/packages/wasm.scm > [2]: https://gitlab.com/nonguix/nonguix/-/blob/master/nongnu/packages/wasm.scm?ref_type=heads > > Ian Eure (4): > gnu: Add wasi-libc. > gnu: Add wasm32-wasi-clang-runtime. > gnu: Add wasm32-wasi-clang. > gnu: Add wasm-sandboxed. Thanks for picking it up! Nice series. I've left a few hopefully useful comments. Could you please prepare a v2 taking them into account? Thank you! -- Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Mon, 28 Apr 2025 01:11:04 GMT) Full text and rfc822 format available.Message #50 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: Z572 <z572 <at> z572.online>, 77653 <at> debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Subject: Re: [bug#77653] [PATCH 0/4] Add WASM toolchain, wasi-libc, and browser WASM sandbox support Date: Sun, 27 Apr 2025 18:10:28 -0700
Hi Maxim, Z572, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: > Hi Ian, > > > Thanks for picking it up! Nice series. I've left a few > hopefully > useful comments. Could you please prepare a v2 taking them into > account? Sorry about the delay on this. I appreciate the feedback and have a v2 in decent shape that incorporates nearly all the feedback from the two of you. Unfortunately, this work is currently blocked due to unclear licensing of the WASI specification, which wasi-libc includes a copy of via Git submodule. There’s an issue open for this, but it was opened in 2019 and still isn’t resolved. Hopefully recent pings on the issue will get it some renewed attention, but I’m not feeling confident about moving this forward at the moment. I’ll go ahead and send a v2 patch anyway, but it’s unpushable until the WASI situation is resolved. Thanks, -- Ian [1]: https://github.com/WebAssembly/WASI/issues/182
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Tue, 29 Apr 2025 01:26:04 GMT) Full text and rfc822 format available.Message #53 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Ian Eure <ian <at> retrospec.tv> Cc: Z572 <z572 <at> z572.online>, 77653 <at> debbugs.gnu.org Subject: Re: [bug#77653] [PATCH 0/4] Add WASM toolchain, wasi-libc, and browser WASM sandbox support Date: Tue, 29 Apr 2025 10:24:45 +0900
Hi, Ian Eure <ian <at> retrospec.tv> writes: > Hi Maxim, Z572, > > Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: > >> Hi Ian, >> >> >> Thanks for picking it up! Nice series. I've left a few hopefully >> useful comments. Could you please prepare a v2 taking them into >> account? > > Sorry about the delay on this. I appreciate the feedback and have a > v2 in decent shape that incorporates nearly all the feedback from the > two of you. > > Unfortunately, this work is currently blocked due to unclear licensing > of the WASI specification, which wasi-libc includes a copy of via Git WASI specification sounds like non-functional data more than code, right? If that's correct, then it shouldn't be an impediment to having this merged in GNU Guix (though of course having this licensing issue fixed upstream would be nice), as the GNU FSDG has an exception for non-functional data, as long as is freely distributable. See the 'Non-functional Data' paragraph, specifically: > It can be included in a free system distribution as long as its > license gives you permission to copy and redistribute, both for > commercial and non-commercial purposes. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77653; Package guix-patches.
(Fri, 02 May 2025 22:49:02 GMT) Full text and rfc822 format available.Message #56 received at 77653 <at> debbugs.gnu.org (full text, mbox):
From: Ian Eure <ian <at> retrospec.tv> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 77653 <at> debbugs.gnu.org, Z572 <z572 <at> z572.online> Subject: Re: [bug#77653] [PATCH 0/4] Add WASM toolchain, wasi-libc, and browser WASM sandbox support Date: Fri, 02 May 2025 15:48:23 -0700
Hi Maxim, Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: > Hi, > > Ian Eure <ian <at> retrospec.tv> writes: > >> Hi Maxim, Z572, >> >> Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: >> >>> Hi Ian, >>> >>> >>> Thanks for picking it up! Nice series. I've left a few >>> hopefully >>> useful comments. Could you please prepare a v2 taking them >>> into >>> account? >> >> Sorry about the delay on this. I appreciate the feedback and >> have a >> v2 in decent shape that incorporates nearly all the feedback >> from the >> two of you. >> >> Unfortunately, this work is currently blocked due to unclear >> licensing >> of the WASI specification, which wasi-libc includes a copy of >> via Git > > WASI specification sounds like non-functional data more than > code, > right? If that's correct, then it shouldn't be an impediment to > having > this merged in GNU Guix (though of course having this licensing > issue > fixed upstream would be nice), as the GNU FSDG has an exception > for > non-functional data, as long as is freely distributable. See > the > 'Non-functional Data' paragraph, specifically: The stuff in the WASI repo is used to generate api.h in wasi-libc[1]. Since it’s already in there, maybe we don’t need to package the WASI repo or fetch the submodule at all. >> It can be included in a free system distribution as long as its >> license gives you permission to copy and redistribute, both for >> commercial and non-commercial purposes. The issue is that it’s unclear whether it has a user license at all. The only licensing information in the project is two sentences saying[2]: Copyright © 2019-2023 the Contributors to the WASI Specification, published by the WebAssembly Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available. The CLA itself covers contributions into the project. While section 12.8 has some language about the terms it can be provided under, a specific license laying out those terms is not provided. It also appears to cover the Specification, which is the final work product, which hasn’t been published yet. Section 5 also allows contributions to be withdrawn up to 45 days after being contributed, which makes it incompatible with the GPL’s "Basic Permissions," which states: All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. I’ll see if wasi-libc builds without the WASI module and go from there. Thanks, -- Ian [1]: https://github.com/WebAssembly/wasi-libc/blob/main/libc-bottom-half/headers/public/wasi/api.h [2]: https://github.com/WebAssembly/WASI/blob/main/LICENSE.md
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.