fix(BUILD): restore -exported_symbols_list for :envoy on Darwin #227
Open
PR #210 (extension-loader) gave the :envoy target an explicit linkopts attribute. Upstream envoy's envoy_cc_binary macro replaces the entire default linkopt set when the caller provides linkopts:

    if not linkopts:
        linkopts = _envoy_linkopts()

A select() is truthy in Starlark, so the default _envoy_linkopts() is skipped whenever a select-based linkopts is provided.

_envoy_linkopts() ends with `+ envoy_select_exported_symbols(["-Wl,-E"])`, which on Apple expands to `-Wl,-exported_symbols_list,exported_symbols_apple.txt`. That file scopes exports to the dynamic-module ABI only (lua, envoyGo, dynamic_module callbacks). Without it, every symbol defaults to globally visible -- tcmalloc's internal Static, ThreadCache, STLPageHeapAllocator, SlowTLS, and TestingPortalImpl data symbols flip from local (d/s in nm) to global (D/S), breaking allocator bookkeeping at runtime and producing SIGSEGV inside tcmalloc::CentralFreeList::ReleaseToSpans during static-destructor cleanup on macOS arm64.

Same fault as ENG-3955 (envoy --version segfault) and ENG-3965 (envoy crash on startup on macOS) -- both report identical fault sites at +68 with NULL deref of [NULL+0x20].

The :envoy.static target (also added in PR #210) is unaffected because it doesn't override linkopts, so it picks up _envoy_linkopts() and its -exported_symbols_list flag. Bisect confirms :envoy.static at the same crash commit (533dfa2) exits 0 on --version.

This change brings :envoy back into parity by adding the dropped flag back. The linker input file (exported_symbols_apple.txt) is already provided unconditionally by envoy_cc_binary via additional_linker_inputs, so the $(location ...) reference resolves without further changes.

Adds a Darwin-only sh_test (tools/check_macos_tcmalloc_symbols.sh) that inspects the built binary with `nm -gU` and fails if any tcmalloc::* symbols leak into the global export set, so this regression cannot silently return.

Refs: ENG-3955, ENG-3965
Coverage Report for CI Build 25137183191

Warning: Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.

Coverage remained the same at 100.0%.

Uncovered Changes: No uncovered changes found.
Coverage Regressions: No coverage regressions found.

💛 - Coveralls
Drop the internal tracking reference from the user-facing message and extend the symbol scan to also flag globally-exported `operator new` and `operator delete` overrides, so the next regression in this class is caught even if the leaked symbols aren't in the `tcmalloc::` namespace.
The previous regex did not match c++filt output like `operator new(unsigned long)` because the next char after `new`/`delete` is `(`. Use `(\[\])?\(` to match `operator new(`, `operator new[](`, `operator delete(`, and `operator delete[](`. Also broaden the failure heading to "allocator symbols" since the check now covers more than tcmalloc:: internals.
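The export check these commit messages describe, sketched as an added example; it is not the PR's `tools/check_macos_tcmalloc_symbols.sh`, whose contents do not appear on this page. It runs over constructed lines in the shape of demangled `nm -gU` output, and the function names, addresses and the symbols containing `example` are assumptions.

```shell
#!/bin/sh
# Added example: flag allocator symbols in demangled `nm -gU ... | c++filt` output.
# All addresses and the *example* symbol names below are constructed.

# tcmalloc:: internals, plus operator new( / new[]( / delete( / delete[](
ALLOC_RE='(tcmalloc::|operator (new|delete)(\[\])?\()'

# Print each offending line read from stdin (nothing when the set is clean).
leaked_allocator_symbols() {
    grep -E "$ALLOC_RE" || true
}

# Return 0 when stdin holds no allocator exports, 1 (with a report) otherwise.
check_exports() {
    leaks=$(leaked_allocator_symbols)
    [ -z "$leaks" ] && return 0
    printf 'FAIL: allocator symbols are globally exported:\n%s\n' "$leaks" >&2
    return 1
}

# Constructed: export set limited to module-ABI style entry points.
sample_clean() {
    cat <<'EOF'
0000000100004000 T example_dynamic_module_callback
0000000100004040 T example_lua_entry
EOF
}

# Constructed: the same set with allocator internals leaked to global scope.
sample_leaky() {
    sample_clean
    cat <<'EOF'
0000000100a00000 S tcmalloc::Static::example_member_
0000000100a00100 T tcmalloc::CentralFreeList::ReleaseToSpans(void*)
0000000100a00200 T operator new(unsigned long)
0000000100a00210 T operator new[](unsigned long)
0000000100a00220 T operator delete(void*)
0000000100a00230 T operator delete[](void*)
EOF
}

for s in sample_clean sample_leaky; do
    if "$s" | check_exports 2>/dev/null; then
        echo "$s: export set clean"
    else
        echo "$s: allocator symbols leaked"
    fi
done
```

Against a real build, the input would be the demangled `nm -gU` listing of the linked binary piped into `check_exports`.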
Summary
Restore Envoy's Darwin exported-symbols list for the `:envoy` target.

The `:envoy` target provides custom `linkopts`, which means Envoy's default `_envoy_linkopts()` are not applied by `envoy_cc_binary`. On macOS those defaults include:

which keeps the executable's public symbol surface limited to the dynamic-module ABI.

Without that flag the Darwin `:envoy` binary exported many internal C++ and allocator symbols. On macOS arm64 this allowed dyld symbol binding/interposition that routed C++ runtime cleanup through Envoy's allocator path, reproducing as a SIGSEGV in `tcmalloc::CentralFreeList::ReleaseToSpans`.

This PR adds the Darwin export-list linkopt back to `:envoy` and adds a macOS regression test that fails if `tcmalloc::` internals or global `operator new`/`operator delete` are exported again.

Why
`envoy_cc_binary` only applies its default link options when `linkopts` is unset:

A `select(...)` value is still a provided `linkopts` value, so the defaults are skipped even when the Darwin branch only needs a small platform-specific override.

The export list file is already provided to the target through Envoy's existing linker inputs, so this change restores the missing Darwin flag without touching the Linux link options.
Validation
Local Darwin arm64 validation against the produced artifact:
- `envoy --version` exits 0
- `envoy --help` exits 0
- `envoy --mode validate` against a representative HTTP-proxy config exits 0.ips crash report produced
- `nm -gU | c++filt` shows no globally-exported `tcmalloc::` or `operator new`/`operator delete` symbols
- `tools/check_macos_tcmalloc_symbols.sh` regression check passes

CI: pending rerun on the latest commit.
Notes
This does not change the Linux link options. Linux still keeps the dynamic-loader flags added for extension loading.
This is separate from broader work to avoid pulling tcmalloc into macOS builds. This PR fixes the Darwin `:envoy` symbol-visibility regression directly.

Drafted with AI assistance.