From 962b8f2deb4c6a029e531bcca9fec66486180ecc Mon Sep 17 00:00:00 2001 From: Nicolas Mattia Date: Mon, 8 Jun 2026 15:47:43 +0200 Subject: [PATCH 1/3] feat: bump bazel version to 9.1.1 This bumps our bazel version to the latest available version. Some dependencies had to be bumped for 9.X support, but overall very little changed. --- .bazelversion | 2 +- MODULE.bazel | 37 ++++++++++++++++++++---------------- bazel/conf/.bazelrc.build | 17 +++++++++++++++++ bazel/rules_foreign_cc.patch | 19 +++++++++--------- 4 files changed, 49 insertions(+), 26 deletions(-) diff --git a/.bazelversion b/.bazelversion index df5119ec64e6..44931da2660c 100644 --- a/.bazelversion +++ b/.bazelversion @@ -1 +1 @@ -8.7.0 +9.1.1 diff --git a/MODULE.bazel b/MODULE.bazel index 3b2ee2a464b4..6a73a0655d11 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -11,14 +11,14 @@ register_toolchains("@rules_buf_toolchains//:all") # General Bazel helpers bazel_dep(name = "bazel_skylib", version = "1.8.2") -bazel_dep(name = "aspect_bazel_lib", version = "2.9.0") +bazel_dep(name = "aspect_bazel_lib", version = "2.19.3") bazel_dep(name = "rules_shell", version = "0.6.1") bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2", dev_dependency = True) # CC dependencies (for C libs like miracl-core, etc) -bazel_dep(name = "rules_cc", version = "0.2.16") -bazel_dep(name = "platforms", version = "1.0.0") +bazel_dep(name = "rules_cc", version = "0.2.17") +bazel_dep(name = "platforms", version = "1.1.0") bazel_dep(name = "hermetic_cc_toolchain", version = "4.1.0") single_version_override( module_name = "hermetic_cc_toolchain", @@ -30,31 +30,28 @@ single_version_override( ) # configure/make dependencies -bazel_dep(name = "rules_foreign_cc", version = "0.14.0") +bazel_dep(name = "rules_foreign_cc", version = "0.15.1") register_toolchains( "@rules_foreign_cc//toolchains:preinstalled_pkgconfig_toolchain", "@rules_foreign_cc//toolchains:preinstalled_make_toolchain", ) -# Use HEAD to include this commit which is needed for preinstalled toolchains to work -# https://github.com/bazel-contrib/rules_foreign_cc/commit/d03f7ae79ddda0ad228b17048b9e2dc0efcc8e95 -# # Use a patch to work around determinism issues in make & pkgconfig toolchains # https://github.com/bazel-contrib/rules_foreign_cc/issues/1313 archive_override( module_name = "rules_foreign_cc", - integrity = "sha384-bTtlZejENu+3rnOsCg1nmSZJl54++7nB0zgzWT+jtZJ1QyMRwkV4ieOaeORQTdjY", + integrity = "sha256-MnWXKJE8N2ukWwEWhptxtoscLr+PK897QSIrwHt3PXM=", patch_strip = 1, patches = ["//bazel:rules_foreign_cc.patch"], - strip_prefix = "rules_foreign_cc-77d4483fadbb1b7bcace18ed8e8e87e8791050f6", + strip_prefix = "rules_foreign_cc-0.15.1", type = "tar.gz", - urls = ["https://codeload.github.com/bazelbuild/rules_foreign_cc/tar.gz/77d4483fadbb1b7bcace18ed8e8e87e8791050f6"], + urls = ["https://github.com/bazel-contrib/rules_foreign_cc/releases/download/0.15.1/rules_foreign_cc-0.15.1.tar.gz"], ) # Misc tools -bazel_dep(name = "pigz", version = "2.8") # (parallel) gzip +bazel_dep(name = "pigz", version = "2.8.bcr.1") # (parallel) gzip bazel_dep(name = "zstd", version = "1.5.7.bcr.1") # zstd can change format across versions # Rust @@ -63,7 +60,7 @@ include("//bazel:rust.MODULE.bazel") # Python dependencies -bazel_dep(name = "rules_python", version = "1.4.1") +bazel_dep(name = "rules_python", version = "1.7.0") python_version = "3.12" @@ -82,8 +79,16 @@ use_repo(pip, "python_deps") # toolchains_protoc must be declared before protobuf so its toolchain registration wins bazel_dep(name = "toolchains_protoc", version = "0.6.1") +# protobuf 33+ enforces (via its ProtocAuthenticityCheck) that the prebuilt +# protoc matches the resolved `protobuf` module version (33.4, pulled in by +# rules_cc/rules_go/rules_python/... under Bazel 9). toolchains_protoc 0.6.1 +# (latest) only ships protoc up to v33.0, so we use that and allow the small +# (same-line, 4-patch) version skew via +# `--@protobuf//bazel/toolchains:allow_nonstandard_protoc`, set in +# bazel/conf/.bazelrc.build. Bump this to v33.4 (and drop the flag) once +# toolchains_protoc ships it. protoc = use_extension("@toolchains_protoc//protoc:extensions.bzl", "protoc") -protoc.toolchain(version = "v32.1") +protoc.toolchain(version = "v33.0") use_repo( protoc, "toolchains_protoc_hub", @@ -97,7 +102,7 @@ register_toolchains("@toolchains_protoc_hub//:all") bazel_dep( name = "protobuf", - version = "32.1", + version = "33.4", ) # protobuf linter @@ -105,8 +110,8 @@ bazel_dep(name = "rules_buf", version = "0.5.2") # Go dependencies -bazel_dep(name = "rules_go", version = "0.50.1") -bazel_dep(name = "gazelle", version = "0.38.0") +bazel_dep(name = "rules_go", version = "0.61.1") +bazel_dep(name = "gazelle", version = "0.51.3") go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps") go_deps.from_file(go_mod = "//:go.mod") diff --git a/bazel/conf/.bazelrc.build b/bazel/conf/.bazelrc.build index 79afac787fa0..83800c6f3be7 100644 --- a/bazel/conf/.bazelrc.build +++ b/bazel/conf/.bazelrc.build @@ -9,6 +9,23 @@ common --lockfile_mode=off # See https://github.com/protocolbuffers/protobuf/issues/19558 common --incompatible_enable_proto_toolchain_resolution +# The module graph resolves protobuf to 33.4, but toolchains_protoc only ships a +# prebuilt protoc up to v33.0 (see MODULE.bazel). Allow this small version skew; +# protobuf otherwise fails the build via its ProtocAuthenticityCheck. +build --@protobuf//bazel/toolchains:allow_nonstandard_protoc + +# protobuf 33.4's upb bootstrap tools (protoc-gen-upb*, protoc_minimal, ...) use +# __start_/__stop_ linker-array sections (e.g. linkarr_upb_AllExts). lld (used by +# the hermetic zig toolchain on Linux) garbage-collects these under its default +# --start-stop-gc together with our opt-mode --gc-sections, breaking the link +# with "undefined symbol: __start_linkarr_upb_AllExts". The lld-suggested +# `-z nostart-stop-gc` is rejected by zig's wrapper, so we disable section GC +# instead. Scoped to the exec config (these are build-time `[for tool]` targets, +# so target binaries/canisters keep --gc-sections) and to Linux via +# --enable_platform_specific_config (the macOS system linker rejects this flag). +common --enable_platform_specific_config +build:linux --host_linkopt=-Wl,--no-gc-sections + # Use hermetic JDK # See https://bazel.build/docs/bazel-and-java#hermetic-testing build --java_runtime_version=remotejdk_17 diff --git a/bazel/rules_foreign_cc.patch b/bazel/rules_foreign_cc.patch index a0996c38a11d..fc476f4a6e7b 100644 --- a/bazel/rules_foreign_cc.patch +++ b/bazel/rules_foreign_cc.patch @@ -1,14 +1,15 @@ -# Avoid build logs that create sources of non-determinism +# Avoid build logs that create sources of non-determinism. +# On a successful build we empty the build log (which is declared as an action +# output) since it contains non-deterministic content (absolute paths, +# timestamps). On failure the log is still printed for debugging. diff --git a/foreign_cc/private/framework.bzl b/foreign_cc/private/framework.bzl -index 33129b8..7326107 100644 --- a/foreign_cc/private/framework.bzl +++ b/foreign_cc/private/framework.bzl -@@ -616,7 +616,7 @@ def wrap_outputs(ctx, lib_name, configure_name, script_text, env_prelude, build_ - cleanup_on_success_function = create_function( - ctx, - "cleanup_on_success", -- "rm -rf $$BUILD_TMPDIR$$ $$EXT_BUILD_DEPS$$", -+ "rm -rf $$BUILD_TMPDIR$$ $$EXT_BUILD_DEPS$$ && echo > $$BUILD_LOG$$", +@@ -647,6 +647,7 @@ def wrap_outputs(ctx, lib_name, configure_name, script_text, env_prelude, build_ + "\n".join([ + "##rm_rf## $$BUILD_TMPDIR$$", + "##rm_rf## $$EXT_BUILD_DEPS$$", ++ "echo > $$BUILD_LOG$$", + ]), ) cleanup_on_failure_function = create_function( - ctx, From 5fbcc523fa579e35e475754f722fb4506196e307 Mon Sep 17 00:00:00 2001 From: Nicolas Mattia Date: Tue, 9 Jun 2026 13:35:09 +0200 Subject: [PATCH 2/3] Align versions --- MODULE.bazel | 24 +++++++++++++++--------- bazel/conf/.bazelrc.build | 8 ++------ go.mod | 5 +++-- go.sum | 5 +++++ 4 files changed, 25 insertions(+), 17 deletions(-) diff --git a/MODULE.bazel b/MODULE.bazel index 6a73a0655d11..4c68f015e61a 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -79,14 +79,11 @@ use_repo(pip, "python_deps") # toolchains_protoc must be declared before protobuf so its toolchain registration wins bazel_dep(name = "toolchains_protoc", version = "0.6.1") -# protobuf 33+ enforces (via its ProtocAuthenticityCheck) that the prebuilt -# protoc matches the resolved `protobuf` module version (33.4, pulled in by -# rules_cc/rules_go/rules_python/... under Bazel 9). toolchains_protoc 0.6.1 -# (latest) only ships protoc up to v33.0, so we use that and allow the small -# (same-line, 4-patch) version skew via -# `--@protobuf//bazel/toolchains:allow_nonstandard_protoc`, set in -# bazel/conf/.bazelrc.build. Bump this to v33.4 (and drop the flag) once -# toolchains_protoc ships it. +# Pin protoc to the prebuilt binary toolchains_protoc provides (v33.0, its +# latest) and pin the `protobuf` module to the matching 33.0 below. protobuf 33+ +# enforces (via ProtocAuthenticityCheck) that protoc and the protobuf module +# share the same version, so they are kept in lockstep. +# https://registry.bazel.build/modules/toolchains_protoc protoc = use_extension("@toolchains_protoc//protoc:extensions.bzl", "protoc") protoc.toolchain(version = "v33.0") use_repo( @@ -102,7 +99,16 @@ register_toolchains("@toolchains_protoc_hub//:all") bazel_dep( name = "protobuf", - version = "33.4", + version = "33.0", +) + +# Bazel 9's builtin modules (rules_cc/rules_go/rules_python/...) pull in +# protobuf 33.4, but toolchains_protoc only ships a prebuilt protoc up to v33.0. +# Pin protobuf to 33.0 so it matches the prebuilt protoc and satisfies +# protobuf's ProtocAuthenticityCheck (33.0 and 33.4 are the same release line). +single_version_override( + module_name = "protobuf", + version = "33.0", ) # protobuf linter diff --git a/bazel/conf/.bazelrc.build b/bazel/conf/.bazelrc.build index 83800c6f3be7..11cdfa43a9ca 100644 --- a/bazel/conf/.bazelrc.build +++ b/bazel/conf/.bazelrc.build @@ -7,14 +7,10 @@ common --lockfile_mode=off # Use prebuilt protoc binary via toolchain resolution instead of compiling from C++ source. # See https://github.com/protocolbuffers/protobuf/issues/19558 +# (Removing this still builds, but reverts to compiling protoc/libprotoc from source.) common --incompatible_enable_proto_toolchain_resolution -# The module graph resolves protobuf to 33.4, but toolchains_protoc only ships a -# prebuilt protoc up to v33.0 (see MODULE.bazel). Allow this small version skew; -# protobuf otherwise fails the build via its ProtocAuthenticityCheck. -build --@protobuf//bazel/toolchains:allow_nonstandard_protoc - -# protobuf 33.4's upb bootstrap tools (protoc-gen-upb*, protoc_minimal, ...) use +# protobuf 33's upb bootstrap tools (protoc-gen-upb*, protoc_minimal, ...) use # __start_/__stop_ linker-array sections (e.g. linkarr_upb_AllExts). lld (used by # the hermetic zig toolchain on Linux) garbage-collects these under its default # --start-stop-gc together with our opt-mode --gc-sections, breaking the link diff --git a/go.mod b/go.mod index 07cc5f77e592..cd823cf6ec33 100644 --- a/go.mod +++ b/go.mod @@ -4,10 +4,10 @@ go 1.19 require ( github.com/fatih/color v1.13.0 - github.com/google/go-cmp v0.5.9 + github.com/google/go-cmp v0.6.0 github.com/schollz/closestmatch v2.1.0+incompatible github.com/spf13/cobra v1.6.1 - github.com/stretchr/testify v1.8.1 + github.com/stretchr/testify v1.8.4 ) require ( @@ -17,6 +17,7 @@ require ( github.com/mattn/go-isatty v0.0.14 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/stretchr/objx v0.5.0 // indirect golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index bfec957245fb..6152f270ea65 100644 --- a/go.sum +++ b/go.sum @@ -6,6 +6,8 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= @@ -26,11 +28,14 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= From b2526a80c152a57d2aa269324a07326430bca78a Mon Sep 17 00:00:00 2001 From: Nicolas Mattia Date: Tue, 9 Jun 2026 17:47:51 +0200 Subject: [PATCH 3/3] Fix fuzzer flags --- bazel/fuzz_testing.bzl | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bazel/fuzz_testing.bzl b/bazel/fuzz_testing.bzl index 50d948bd1dd7..c5efd3c528be 100644 --- a/bazel/fuzz_testing.bzl +++ b/bazel/fuzz_testing.bzl @@ -103,6 +103,12 @@ def rust_fuzz_test_binary_afl(name, srcs, rustc_flags = [], crate_features = [], RUSTC_FLAGS_AFL = DEFAULT_RUSTC_FLAGS + [ "-Cllvm-args=-sanitizer-coverage-trace-pc-guard", + # Use afl-clang-lto as the linker driver so that -fsanitize=fuzzer and + # -fsanitize=address are understood. Without this, Bazel's autoconfigured + # system C++ toolchain selects /usr/bin/gcc, which does not support + # -fsanitize=fuzzer (a Clang-only flag). afl-clang-lto is a clang + # wrapper, so it accepts all clang sanitizer flags. + "-Clinker=afl-clang-lto", "-Clink-arg=-fuse-ld=lld", "-Clink-arg=-fsanitize=fuzzer", "-Clink-arg=-fsanitize=address",