clone/codex
1
0
Fork 0
mirror of https://github.com/openai/codex.git synced 2026-05-14 00:02:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
xli-codex/generate-python-sdk
codex/patches/v8_bazel_rules.patch
Channing Conger 36460387ec Enable V8 sandboxing for source-built builds (#21146) 
## Summary

This is the first PR in the V8 in-process sandboxing rollout.

It adds the build-system and Rust feature plumbing needed to support
sandboxed V8 builds, then enables sandboxing by default for the
source-built Bazel V8 path that we control directly. It deliberately
keeps the published `rusty_v8` artifact workflows on their current
non-sandboxed contract so this PR can land and ship independently before
we change any released artifacts.

## Rollout plan

- [x] **PR 1: land sandbox plumbing and default source-built Bazel V8 to
sandboxed mode**

- [ ] **PR 2: publish sandbox-enabled release artifacts and add
compatibility validation**
- Produce sandboxed artifact pairs for every released Cargo target that
does not already use the source-built Bazel path.
- Add CI coverage that consumes those sandboxed artifacts and verifies:
    - `codex-v8-poc` reports sandbox enabled
    - `codex-code-mode` builds/tests against the sandboxed path

- [ ] **PR 3: switch release consumers to sandboxed artifacts by
default**
  - Update released artifact selectors/checksums.
- Enable the Rust `v8_enable_sandbox` feature in the default release
path.
- Make the sandboxed artifact family the normal path for published
builds.

- [ ] **PR 4: remove rollout-only compatibility paths**
- Remove the temporary non-sandbox release compatibility config once the
new default has shipped and baked.
  - Keep the invariant tests permanently.
2026-05-05 14:36:37 -07:00

294 lines
10 KiB
Diff
Raw Permalink Blame History

# What: adapt upstream V8 Bazel rules to this workspace's hermetic toolchains
# and externally provided dependencies.
# Scope: Bazel BUILD/defs/BUILD.icu integration only, including dependency
# wiring, generated sources, and visibility; no standalone V8 source patching.
diff --git a/orig/v8-14.6.202.11/bazel/defs.bzl b/mod/v8-14.6.202.11/bazel/defs.bzl
index 9648e4a..88efd41 100644
--- a/orig/v8-14.6.202.11/bazel/defs.bzl
+++ b/mod/v8-14.6.202.11/bazel/defs.bzl
@@ -97,7 +97,7 @@ v8_config = rule(
def _default_args():
return struct(
- deps = [":define_flags", "@libcxx//:libc++"],
+ deps = [":define_flags"],
defines = select({
"@v8//bazel/config:is_windows": [
"UNICODE",
@@ -128,12 +128,6 @@ def _default_args():
],
"//conditions:default": [],
}) + select({
- "@v8//bazel/config:is_clang": [
- "-Wno-invalid-offsetof",
- "-Wno-deprecated-this-capture",
- "-Wno-deprecated-declarations",
- "-std=c++20",
- ],
"@v8//bazel/config:is_gcc": [
"-Wno-extra",
"-Wno-array-bounds",
@@ -155,7 +149,15 @@ def _default_args():
- "@v8//bazel/config:is_windows": [
- "/std:c++20",
- ],
- "//conditions:default": [],
+ "@v8//bazel/config:is_windows": [
+ "-Wno-invalid-offsetof",
+ "-Wno-deprecated-this-capture",
+ "-Wno-deprecated-declarations",
+ "-std=c++20",
+ ],
+ "//conditions:default": [
+ "-Wno-invalid-offsetof",
+ "-Wno-deprecated-this-capture",
+ "-Wno-deprecated-declarations",
+ "-std=c++20",
+ ],
}) + select({
"@v8//bazel/config:is_gcc_fastbuild": [
# Non-debug builds without optimizations fail because
@@ -180,10 +179,10 @@ def _default_args():
"@v8//bazel/config:is_windows": [
- "Winmm.lib",
- "DbgHelp.lib",
- "Advapi32.lib",
+ "-lwinmm",
+ "-ldbghelp",
+ "-ladvapi32",
],
"@v8//bazel/config:is_macos": ["-pthread"],
- "//conditions:default": ["-Wl,--no-as-needed -ldl -latomic -pthread"],
+ "//conditions:default": ["-Wl,--no-as-needed -ldl -pthread"],
}) + select({
":should_add_rdynamic": ["-rdynamic"],
"//conditions:default": [],
diff --git a/orig/v8-14.6.202.11/BUILD.bazel b/mod/v8-14.6.202.11/BUILD.bazel
index 85f31b7..bbc351b 100644
--- a/orig/v8-14.6.202.11/BUILD.bazel
+++ b/mod/v8-14.6.202.11/BUILD.bazel
@@ -148,6 +148,8 @@ v8_flag(name = "v8_enable_trace_maps")
v8_flag(name = "v8_enable_v8_checks")
+v8_flag(name = "v8_enable_sandbox")
+
v8_flag(name = "v8_enable_verify_csa")
v8_flag(name = "v8_enable_verify_heap")
@@ -303,7 +305,7 @@ v8_int(
# If no explicit value for v8_enable_pointer_compression, we set it to 'none'.
v8_string(
name = "v8_enable_pointer_compression",
- default = "none",
+ default = "False",
)
# Default setting for v8_enable_pointer_compression.
@@ -503,6 +505,7 @@ v8_config(
"v8_enable_slow_dchecks": "ENABLE_SLOW_DCHECKS",
"v8_enable_runtime_call_stats": "V8_RUNTIME_CALL_STATS",
"v8_enable_snapshot_native_code_counters": "V8_SNAPSHOT_NATIVE_CODE_COUNTERS",
+ "v8_enable_sandbox": "V8_ENABLE_SANDBOX",
"v8_enable_trace_maps": "V8_TRACE_MAPS",
"v8_enable_turbofan": "V8_ENABLE_TURBOFAN",
"v8_enable_v8_checks": "V8_ENABLE_CHECKS",
@@ -4077,28 +4080,14 @@ filegroup(
}),
)
-v8_library(
- name = "lib_dragonbox",
- srcs = ["third_party/dragonbox/src/include/dragonbox/dragonbox.h"],
- hdrs = [
- "third_party/dragonbox/src/include/dragonbox/dragonbox.h",
- ],
- includes = [
- "third_party/dragonbox/src/include",
- ],
+alias(
+ name = "lib_dragonbox",
+ actual = "@dragonbox//:dragonbox",
)
-v8_library(
- name = "lib_fp16",
- srcs = ["third_party/fp16/src/include/fp16.h"],
- hdrs = [
- "third_party/fp16/src/include/fp16/fp16.h",
- "third_party/fp16/src/include/fp16/bitcasts.h",
- "third_party/fp16/src/include/fp16/macros.h",
- ],
- includes = [
- "third_party/fp16/src/include",
- ],
+alias(
+ name = "lib_fp16",
+ actual = "@fp16//:fp16",
)
filegroup(
@@ -4405,6 +4394,20 @@ genrule(
srcs = [
"include/js_protocol.pdl",
"src/inspector/inspector_protocol_config.json",
+ "third_party/inspector_protocol/code_generator.py",
+ "third_party/inspector_protocol/pdl.py",
+ "third_party/inspector_protocol/lib/Forward_h.template",
+ "third_party/inspector_protocol/lib/Object_cpp.template",
+ "third_party/inspector_protocol/lib/Object_h.template",
+ "third_party/inspector_protocol/lib/Protocol_cpp.template",
+ "third_party/inspector_protocol/lib/ValueConversions_cpp.template",
+ "third_party/inspector_protocol/lib/ValueConversions_h.template",
+ "third_party/inspector_protocol/lib/Values_cpp.template",
+ "third_party/inspector_protocol/lib/Values_h.template",
+ "third_party/inspector_protocol/templates/Exported_h.template",
+ "third_party/inspector_protocol/templates/Imported_h.template",
+ "third_party/inspector_protocol/templates/TypeBuilder_cpp.template",
+ "third_party/inspector_protocol/templates/TypeBuilder_h.template",
],
outs = [
"include/inspector/Debugger.h",
@@ -4426,15 +4429,19 @@ genrule(
"src/inspector/protocol/Schema.cpp",
"src/inspector/protocol/Schema.h",
],
- cmd = "$(location :code_generator) --jinja_dir . \
- --inspector_protocol_dir third_party/inspector_protocol \
+ cmd = "INSPECTOR_PROTOCOL_DIR=$$(dirname $(execpath third_party/inspector_protocol/code_generator.py)); \
+ PYTHONPATH=$$INSPECTOR_PROTOCOL_DIR:external/rules_python++pip+v8_python_deps_311_jinja2/site-packages:external/rules_python++pip+v8_python_deps_311_markupsafe/site-packages:$${PYTHONPATH-} \
+ $(execpath @rules_python//python/bin:python) $(execpath third_party/inspector_protocol/code_generator.py) --jinja_dir . \
+ --inspector_protocol_dir $$INSPECTOR_PROTOCOL_DIR \
--config $(location :src/inspector/inspector_protocol_config.json) \
--config_value protocol.path=$(location :include/js_protocol.pdl) \
+ --config_value crdtp.dir=third_party/inspector_protocol/crdtp \
--output_base $(@D)/src/inspector",
- local = 1,
message = "Generating inspector files",
tools = [
- ":code_generator",
+ "@rules_python//python/bin:python",
+ requirement("jinja2"),
+ requirement("markupsafe"),
],
)
@@ -4448,6 +4455,15 @@ filegroup(
],
)
+cc_library(
+ name = "rusty_v8_internal_headers",
+ hdrs = [
+ "src/libplatform/default-platform.h",
+ ],
+ strip_include_prefix = "",
+ visibility = ["//visibility:public"],
+)
+
filegroup(
name = "d8_files",
srcs = [
@@ -4567,16 +4583,9 @@ cc_library(
],
)
-cc_library(
- name = "simdutf",
- srcs = ["third_party/simdutf/simdutf.cpp"],
- hdrs = ["third_party/simdutf/simdutf.h"],
- copts = select({
- "@v8//bazel/config:is_clang": ["-std=c++20"],
- "@v8//bazel/config:is_gcc": ["-std=gnu++2a"],
- "@v8//bazel/config:is_windows": ["/std:c++20"],
- "//conditions:default": [],
- }),
+alias(
+ name = "simdutf",
+ actual = "@simdutf//:simdutf",
)
v8_library(
@@ -4593,7 +4602,7 @@ v8_library(
copts = ["-Wno-implicit-fallthrough"],
icu_deps = [
":icu/generated_torque_definitions_headers",
- "//external:icu",
+ "@icu//:icu",
],
icu_srcs = [
":generated_regexp_special_case",
@@ -4608,7 +4617,7 @@ v8_library(
],
deps = [
":lib_dragonbox",
- "//third_party/fast_float/src:fast_float",
+ "@fast_float//:fast_float",
":lib_fp16",
":simdutf",
":v8_libbase",
@@ -4664,6 +4673,7 @@ alias(
alias(
name = "core_lib_icu",
actual = "icu/v8",
+ visibility = ["//visibility:public"],
)
v8_library(
@@ -4715,7 +4725,7 @@ v8_binary(
],
deps = [
":v8_libbase",
- "//external:icu",
+ "@icu//:icu",
],
)
diff --git a/orig/v8-14.6.202.11/bazel/BUILD.icu b/mod/v8-14.6.202.11/bazel/BUILD.icu
index 5fda2f4..381386c 100644
--- a/orig/v8-14.6.202.11/bazel/BUILD.icu
+++ b/mod/v8-14.6.202.11/bazel/BUILD.icu
@@ -1,3 +1,5 @@
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
# Copyright 2021 the V8 project authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
@@ -16,10 +18,7 @@ cc_library(
]),
copts = select({
"@platforms//os:windows": [
- "/wd4005", # Macro redefinition.
- "/wd4068", # Unknown pragmas.
- "/wd4267", # Conversion from size_t on 64-bits.
- "/utf-8", # ICU source files are in UTF-8.
+ "-Wno-deprecated-declarations",
],
"//conditions:default": [
"-Wno-deprecated-declarations",
@@ -65,10 +64,7 @@ cc_library(
]),
copts = select({
"@platforms//os:windows": [
- "/wd4005", # Macro redefinition.
- "/wd4068", # Unknown pragmas.
- "/wd4267", # Conversion from size_t on 64-bits.
- "/utf-8", # ICU source files are in UTF-8.
+ "-Wno-deprecated-declarations",
],
"//conditions:default": [
"-Wno-deprecated-declarations",
@@ -93,10 +89,7 @@ cc_library(
]),
copts = select({
"@platforms//os:windows": [
- "/wd4005", # Macro redefinition.
- "/wd4068", # Unknown pragmas.
- "/wd4267", # Conversion from size_t on 64-bits.
- "/utf-8", # ICU source files are in UTF-8.
+ "-Wno-deprecated-declarations",
],
"//conditions:default": [],
}),
Reference in New Issue View Git Blame Copy Permalink