From 6b555c3c8fafe312278c26fa10cf4e7a3dacc0b0 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Wed, 13 May 2026 21:49:08 -0700 Subject: [PATCH 01/14] add pdb to builds --- .azure-pipelines/templates/Rust.Build.Job.yml | 9 +++++++++ build.bat | 2 ++ 2 files changed, 11 insertions(+) diff --git a/.azure-pipelines/templates/Rust.Build.Job.yml b/.azure-pipelines/templates/Rust.Build.Job.yml index 909c4ec62..0e61f59b0 100644 --- a/.azure-pipelines/templates/Rust.Build.Job.yml +++ b/.azure-pipelines/templates/Rust.Build.Job.yml @@ -175,6 +175,15 @@ jobs: contents: wslcsdk.dll targetFolder: $(outputDirectory)/$(targetTriple) + # Copy wxc-exec.pdb so consumers can symbolicate crashes (Windows only). + - task: CopyFiles@2 + displayName: Copy wxc-exec.pdb + condition: and(succeeded(), eq('${{ item.os }}', 'windows')) + inputs: + sourceFolder: $(targetTripleDir) + contents: wxc-exec.pdb + targetFolder: $(outputDirectory)/$(targetTriple) + - task: 1ES.PublishPipelineArtifact@1 displayName: Publish inputs: diff --git a/build.bat b/build.bat index 94f438d23..bdcb68351 100644 --- a/build.bat +++ b/build.bat @@ -74,6 +74,8 @@ for %%T in (x86_64-pc-windows-msvc aarch64-pc-windows-msvc) do ( if not exist "sdk\bin\!SDK_ARCH!" mkdir "sdk\bin\!SDK_ARCH!" copy /Y "!BIN_DIR!\wxc-exec.exe" "sdk\bin\!SDK_ARCH!\" >nul echo Copied !SDK_ARCH!\wxc-exec.exe + copy /Y "!BIN_DIR!\wxc-exec.pdb" "sdk\bin\!SDK_ARCH!\" >nul + echo Copied !SDK_ARCH!\wxc-exec.pdb if exist "!BIN_DIR!\wxc-windows-sandbox-guest.exe" ( copy /Y "!BIN_DIR!\wxc-windows-sandbox-guest.exe" "sdk\bin\!SDK_ARCH!\" >nul echo Copied !SDK_ARCH!\wxc-windows-sandbox-guest.exe From de4189f47d6fa7e5354f0e31449fe53240aec411 Mon Sep 17 00:00:00 2001 
From: Branden Bonaby Date: Wed, 13 May 2026 22:28:15 -0700 Subject: [PATCH 02/14] more updates to capture pdb + executables for release page --- .../templates/Package.NpmSdk.Job.yml | 21 +++++++++++++++++++ .azure-pipelines/templates/Rust.Build.Job.yml | 10 ++++----- build.bat | 2 -- src/Cargo.toml | 6 ++++++ 4 files changed, 31 insertions(+), 8 deletions(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index a744ac365..d9ecad0b6 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -42,6 +42,27 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec + # Archive sdk/bin (x64/ + arm64/, executables + wxc_exec.pdb) for upload + # to the GitHub Release page, until we publish to a symbol server. + - task: ArchiveFiles@2 + displayName: Archive mxc-release-binaries.zip + inputs: + rootFolderOrFile: '$(sdkDirectory)/bin' + includeRootFolder: false + archiveType: zip + archiveFile: '$(outputDirectory)/release-binaries/mxc-release-binaries.zip' + replaceExistingArchive: true + + - task: 1ES.PublishPipelineArtifact@1 + displayName: Publish mxc-release-binaries artifact + inputs: + path: '$(outputDirectory)/release-binaries' + artifactName: mxc-release-binaries + + # Strip pdbs before npm pack — symbols ship via mxc-release-binaries.zip. + - script: rm -f $(sdkDirectory)/bin/*/*.pdb + displayName: Strip pdbs from npm package + # Copy .npmrc to the SDK directory so Azure artifacts feed is used for npm install. - task: CopyFiles@2 displayName: Copy .npmrc to SDK diff --git a/.azure-pipelines/templates/Rust.Build.Job.yml b/.azure-pipelines/templates/Rust.Build.Job.yml index 0e61f59b0..42f2e07b4 100644 --- a/.azure-pipelines/templates/Rust.Build.Job.yml +++ b/.azure-pipelines/templates/Rust.Build.Job.yml 
@@ -175,14 +175,12 @@ jobs: contents: wslcsdk.dll targetFolder: $(outputDirectory)/$(targetTriple) - # Copy wxc-exec.pdb so consumers can symbolicate crashes (Windows only). - - task: CopyFiles@2 + # Copy wxc_exec.pdb (rustc names pdbs after the crate, underscored) and + # rename it to wxc-exec.pdb to match the exe. + - powershell: | + Copy-Item -Force "$(targetTripleDir)/wxc_exec.pdb" "$(outputDirectory)/$(targetTriple)/wxc-exec.pdb" displayName: Copy wxc-exec.pdb condition: and(succeeded(), eq('${{ item.os }}', 'windows')) - inputs: - sourceFolder: $(targetTripleDir) - contents: wxc-exec.pdb - targetFolder: $(outputDirectory)/$(targetTriple) - task: 1ES.PublishPipelineArtifact@1 displayName: Publish diff --git a/build.bat b/build.bat index bdcb68351..94f438d23 100644 --- a/build.bat +++ b/build.bat @@ -74,8 +74,6 @@ for %%T in (x86_64-pc-windows-msvc aarch64-pc-windows-msvc) do ( if not exist "sdk\bin\!SDK_ARCH!" mkdir "sdk\bin\!SDK_ARCH!" copy /Y "!BIN_DIR!\wxc-exec.exe" "sdk\bin\!SDK_ARCH!\" >nul echo Copied !SDK_ARCH!\wxc-exec.exe - copy /Y "!BIN_DIR!\wxc-exec.pdb" "sdk\bin\!SDK_ARCH!\" >nul - echo Copied !SDK_ARCH!\wxc-exec.pdb if exist "!BIN_DIR!\wxc-windows-sandbox-guest.exe" ( copy /Y "!BIN_DIR!\wxc-windows-sandbox-guest.exe" "sdk\bin\!SDK_ARCH!\" >nul echo Copied !SDK_ARCH!\wxc-windows-sandbox-guest.exe diff --git a/src/Cargo.toml b/src/Cargo.toml index d1dae477f..f6854d96b 100644 --- a/src/Cargo.toml +++ b/src/Cargo.toml @@ -19,6 +19,12 @@ members = [ ] resolver = "3" +# Full debug info so we can analyse customer crash dumps in WinDbg until we +# publish to a symbol server. +[profile.release] +debug = "full" +split-debuginfo = "packed" + [workspace.package] edition = "2021" From f814e1d3c7dd43e1765bcfac533f1b1a8088f91b Mon Sep 17 00:00:00 2001 
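Review bot: In src/Cargo.toml, `debug = "full"` under `[profile.release]` means each shipped Windows executable carries a debug-directory record naming its PDB, and by default the MSVC linker writes the PDB's full path on the build agent into that record. If agent paths should not appear in released binaries, add `/PDBALTPATH:%_PDB%` to the MSVC link arguments so only the PDB file name is recorded; debuggers still find the PDB through the symbol path. Whether the toolchain in use already rewrites that path is not visible in this diff, so inspect one built exe before relying on either behaviour.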
From: Branden Bonaby Date: Thu, 14 May 2026 06:27:15 -0700 Subject: [PATCH 03/14] capture all pdbs --- .../templates/Package.NpmSdk.Job.yml | 4 ++-- .azure-pipelines/templates/Rust.Build.Job.yml | 16 ++++++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index d9ecad0b6..7ad17c886 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -42,8 +42,8 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec - # Archive sdk/bin (x64/ + arm64/, executables + wxc_exec.pdb) for upload - # to the GitHub Release page, until we publish to a symbol server. + # Archive sdk/bin (x64/ + arm64/, executables + pdbs) for upload to the + # GitHub Release page, until we publish to a symbol server. - task: ArchiveFiles@2 displayName: Archive mxc-release-binaries.zip inputs: diff --git a/.azure-pipelines/templates/Rust.Build.Job.yml b/.azure-pipelines/templates/Rust.Build.Job.yml index 42f2e07b4..4b8849c3f 100644 --- a/.azure-pipelines/templates/Rust.Build.Job.yml +++ b/.azure-pipelines/templates/Rust.Build.Job.yml 
@@ -175,12 +175,16 @@ jobs: contents: wslcsdk.dll targetFolder: $(outputDirectory)/$(targetTriple) - # Copy wxc_exec.pdb (rustc names pdbs after the crate, underscored) and - # rename it to wxc-exec.pdb to match the exe. - - powershell: | - Copy-Item -Force "$(targetTripleDir)/wxc_exec.pdb" "$(outputDirectory)/$(targetTriple)/wxc-exec.pdb" - displayName: Copy wxc-exec.pdb - condition: and(succeeded(), eq('${{ item.os }}', 'windows')) + # Copy all symbol files alongside the binaries: .pdb on Windows (MSVC), + # .dwp on Linux (DWARF package from split-debuginfo = "packed"). + - task: CopyFiles@2 + displayName: Copy symbol files + inputs: + sourceFolder: $(targetTripleDir) + contents: | + *.pdb + *.dwp + targetFolder: $(outputDirectory)/$(targetTriple) - task: 1ES.PublishPipelineArtifact@1 displayName: Publish From e6f6f5cf941353c2f086fa0d2d9e6a905c2e3bd3 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Thu, 14 May 2026 06:41:12 -0700 Subject: [PATCH 04/14] capture all pdbs2 --- .azure-pipelines/templates/Package.NpmSdk.Job.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 7ad17c886..82f0a626c 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -42,8 +42,8 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec - # Archive sdk/bin (x64/ + arm64/, executables + pdbs) for upload to the - # GitHub Release page, until we publish to a symbol server. + # Archive sdk/bin (x64/ + arm64/, executables + symbol files) for upload + # to the GitHub Release page, until we publish to a symbol server. - task: ArchiveFiles@2 displayName: Archive mxc-release-binaries.zip inputs: 
@@ -59,9 +59,9 @@ jobs: path: '$(outputDirectory)/release-binaries' artifactName: mxc-release-binaries - # Strip pdbs before npm pack — symbols ship via mxc-release-binaries.zip. - - script: rm -f $(sdkDirectory)/bin/*/*.pdb - displayName: Strip pdbs from npm package + # Strip symbol files before npm pack — symbols ship via mxc-release-binaries.zip. + - script: rm -f $(sdkDirectory)/bin/*/*.pdb $(sdkDirectory)/bin/*/*.dwp + displayName: Strip symbol files from npm package # Copy .npmrc to the SDK directory so Azure artifacts feed is used for npm install. - task: CopyFiles@2 From 296240107950d595190ec65bb7c96ff8c2280019 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Thu, 14 May 2026 08:09:52 -0700 Subject: [PATCH 05/14] add new template --- .azure-pipelines/1ES.Build.yml | 12 +--- .../templates/Mxc.Binary.Packaging.Job.yml | 59 +++++++++++++++++++ .../templates/Package.NpmSdk.Job.yml | 30 ++++------ 3 files changed, 72 insertions(+), 29 deletions(-) create mode 100644 .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml diff --git a/.azure-pipelines/1ES.Build.yml b/.azure-pipelines/1ES.Build.yml index 883c63977..ca567cc00 100644 --- a/.azure-pipelines/1ES.Build.yml +++ b/.azure-pipelines/1ES.Build.yml @@ -92,18 +92,10 @@ extends: jobs: - template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self parameters: - targets: - - artifact: wxc-binaries-x86_64-pc-windows-msvc - sdkArch: x64 - - artifact: wxc-binaries-aarch64-pc-windows-msvc - sdkArch: arm64 - - artifact: lxc-binaries-x86_64-unknown-linux-gnu - sdkArch: x64 - - artifact: lxc-binaries-aarch64-unknown-linux-gnu - sdkArch: arm64 - ESRPInfo: ${{ parameters.ESRPInfo }} + - template: .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml@self + - stage: SDK_Unit_Tests displayName: 'SDK Unit Tests' dependsOn: [] diff --git a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml new file mode 100644 index 000000000..990f210fc --- /dev/null 
+++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml @@ -0,0 +1,59 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. +# +# Bundles the per-arch build artifacts into a single mxc-release-binaries.zip +# (x64/ + arm64/ folders containing executables and symbol files) for upload +# to the GitHub Release page, until we publish to a symbol server. Runs in +# parallel with the npm SDK packaging job. + +parameters: +- name: targets + type: object + default: + - artifact: wxc-binaries-x86_64-pc-windows-msvc + sdkArch: x64 + - artifact: wxc-binaries-aarch64-pc-windows-msvc + sdkArch: arm64 + - artifact: lxc-binaries-x86_64-unknown-linux-gnu + sdkArch: x64 + - artifact: lxc-binaries-aarch64-unknown-linux-gnu + sdkArch: arm64 + +jobs: +- job: package_mxc_release_binaries + displayName: Package Mxc Release Binaries + pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + variables: + stagingDirectory: $(Build.SourcesDirectory)/release-binaries-staging + outputDirectory: $(Build.SourcesDirectory)/out + artifactName: mxc-release-binaries + + steps: + - checkout: none + + # Download all per-arch artifacts into a flat / layout matching the + # one that ships in the npm package. + - ${{ each target in parameters.targets }}: + - task: DownloadPipelineArtifact@2 + displayName: Download ${{ target.artifact }} + inputs: + artifact: ${{ target.artifact }} + path: $(stagingDirectory)/${{ target.sdkArch }} + + - task: ArchiveFiles@2 + displayName: Archive mxc-release-binaries.zip + inputs: + rootFolderOrFile: '$(stagingDirectory)' + includeRootFolder: false + archiveType: zip + archiveFile: '$(outputDirectory)/release-binaries/mxc-release-binaries.zip' + replaceExistingArchive: true + + - task: 1ES.PublishPipelineArtifact@1 + displayName: Publish mxc-release-binaries artifact + inputs: + path: '$(outputDirectory)/release-binaries' + artifactName: $(artifactName) 
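Review bot: The zip produced by `ArchiveFiles@2` is meant for the GitHub Release page, but the job publishes it with no digest beside it, so a consumer downloading it has nothing to verify it against. A step between the archive and publish steps that writes a SHA-256 file into `$(outputDirectory)/release-binaries` would ship the digest in the same artifact. This template also takes no `ESRPInfo` parameter, unlike the npm job. If code signing happens in that job rather than in the build job, the executables in this zip would be unsigned; the signing steps are outside this diff, so that needs confirming.

```yaml
  # … unchanged: ArchiveFiles@2 step (Archive mxc-release-binaries.zip) …

  - script: |
      set -euo pipefail
      cd "$(outputDirectory)/release-binaries"
      sha256sum mxc-release-binaries.zip > mxc-release-binaries.zip.sha256
    displayName: Write SHA-256 for mxc-release-binaries.zip

  # … unchanged: 1ES.PublishPipelineArtifact@1 step …
```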
diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 82f0a626c..8b6a8b39b 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -4,7 +4,15 @@ parameters: - name: Targets type: object - default: [] # list of { artifact, path, sdkArch } + default: + - artifact: wxc-binaries-x86_64-pc-windows-msvc + sdkArch: x64 + - artifact: wxc-binaries-aarch64-pc-windows-msvc + sdkArch: arm64 + - artifact: lxc-binaries-x86_64-unknown-linux-gnu + sdkArch: x64 + - artifact: lxc-binaries-aarch64-unknown-linux-gnu + sdkArch: arm64 - name: ESRPInfo type: object default: {} @@ -42,24 +50,8 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec - # Archive sdk/bin (x64/ + arm64/, executables + symbol files) for upload - # to the GitHub Release page, until we publish to a symbol server. - - task: ArchiveFiles@2 - displayName: Archive mxc-release-binaries.zip - inputs: - rootFolderOrFile: '$(sdkDirectory)/bin' - includeRootFolder: false - archiveType: zip - archiveFile: '$(outputDirectory)/release-binaries/mxc-release-binaries.zip' - replaceExistingArchive: true - - - task: 1ES.PublishPipelineArtifact@1 - displayName: Publish mxc-release-binaries artifact - inputs: - path: '$(outputDirectory)/release-binaries' - artifactName: mxc-release-binaries - - # Strip symbol files before npm pack — symbols ship via mxc-release-binaries.zip. + # Strip symbol files before npm pack — they ship via the separate + # mxc-release-binaries artifact (see Mxc.Binary.Packaging.Job.yml). - script: rm -f $(sdkDirectory)/bin/*/*.pdb $(sdkDirectory)/bin/*/*.dwp displayName: Strip symbol files from npm package From 45e49bcb4b010ab6229a84e1d483c5a791d28ad0 Mon Sep 17 00:00:00 2001 
From: Branden Bonaby <105318831+bbonaby@users.noreply.github.com> Date: Thu, 14 May 2026 08:24:58 -0700 Subject: [PATCH 06/14] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .azure-pipelines/templates/Package.NpmSdk.Job.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 8b6a8b39b..de4517714 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -2,7 +2,7 @@ # Licensed under the MIT License. parameters: -- name: Targets +- name: targets type: object default: - artifact: wxc-binaries-x86_64-pc-windows-msvc From ce0e10aee47f2d0589b9202364de575b7a8354b7 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Thu, 14 May 2026 09:35:40 -0700 Subject: [PATCH 07/14] update stages display names --- .azure-pipelines/1ES.Build.yml | 6 +++--- .azure-pipelines/templates/Package.NpmSdk.Job.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.azure-pipelines/1ES.Build.yml b/.azure-pipelines/1ES.Build.yml index ca567cc00..3ee3ccad6 100644 --- a/.azure-pipelines/1ES.Build.yml +++ b/.azure-pipelines/1ES.Build.yml @@ -86,8 +86,8 @@ extends: ESRPInfo: ${{ parameters.ESRPInfo }} - - stage: Package_MXC_NPM_SDK - displayName: 'Package Npm Sdk' + - stage: Package_MXC + displayName: 'Package MXC' dependsOn: Build_Binaries jobs: - template: .azure-pipelines/templates/Package.NpmSdk.Job.yml@self @@ -106,7 +106,7 @@ extends: - stage: SDK_Integration_Tests displayName: 'SDK Integration Tests' - dependsOn: Package_MXC_NPM_SDK + dependsOn: Package_MXC jobs: - template: .azure-pipelines/templates/SDK.Integration.Test.Job.yml@self parameters: diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index de4517714..5204a4eac 100644 
--- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -18,8 +18,8 @@ parameters: default: {} jobs: -- job: package_mxc_npm_sdk - displayName: Package Mxc Npm Sdk +- job: package_npm_sdk + displayName: Package Npm Sdk pool: name: Azure-Pipelines-1ESPT-ExDShared image: ubuntu-latest From 211439808c18de978d3a468cef9086192b1f0cc0 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Fri, 15 May 2026 17:01:18 -0700 Subject: [PATCH 08/14] fix left over conflict --- .azure-pipelines/templates/Package.NpmSdk.Job.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 077697803..4c3451a9d 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -50,17 +50,15 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec -<<<<<<< HEAD # Strip symbol files before npm pack — they ship via the separate # mxc-release-binaries artifact (see Mxc.Binary.Packaging.Job.yml). - script: rm -f $(sdkDirectory)/bin/*/*.pdb $(sdkDirectory)/bin/*/*.dwp displayName: Strip symbol files from npm package -======= + - script: | set -euo pipefail find $(sdkDirectory)/bin -name mxc-exec-mac -exec chmod +x {} + displayName: Restore execute permission on mxc-exec-mac ->>>>>>> main # Copy .npmrc to the SDK directory so Azure artifacts feed is used for npm install. - task: CopyFiles@2 From c58fe54abe6188a51f4638cdba59bb97d4212f9b Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Fri, 15 May 2026 19:22:29 -0700 Subject: [PATCH 09/14] attempt to fix binskim errors --- .cargo/config.toml | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/.cargo/config.toml b/.cargo/config.toml index 57314ef69..76426a9cf 100644 --- a/.cargo/config.toml +++ b/.cargo/config.toml 
@@ -1,8 +1,19 @@ -# Use static CRT for Windows targets so vcruntime DLLs don't need to be -# pre-installed on the machine. -[target.x86_64-pc-windows-msvc] -rustflags = ["-C", "target-feature=+crt-static"] - -[target.aarch64-pc-windows-msvc] -rustflags = ["-C", "target-feature=+crt-static"] +# Hardening flags for Windows targets: +# - target-feature=+crt-static — static CRT so vcruntime DLLs aren't needed at runtime +# - control-flow-guard (rustc) + /guard:cf (linker) — Control Flow Guard +# - /DYNAMICBASE — ASLR +# - /CETCOMPAT — Intel CET shadow stack opt-in +# - /LTCG — link-time codegen (pairs best with profile-level lto = "thin"|"fat") +# - -D warnings — make warnings fatal at compile time +[target.'cfg(target_os = "windows")'] +rustflags = [ + "-C", + "control-flow-guard", + "-C", + "target-feature=+crt-static", + "-C", + "link-args=/guard:cf /DYNAMICBASE /CETCOMPAT /LTCG", + "-D", + "warnings", +] From e6b71a3a99c7e5b91d455310214be61fc0d14f57 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Fri, 15 May 2026 19:37:54 -0700 Subject: [PATCH 10/14] attempt to fix binskim errors2 --- .cargo/config.toml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.cargo/config.toml b/.cargo/config.toml index 76426a9cf..e027d8b4a 100644 --- a/.cargo/config.toml +++ b/.cargo/config.toml 
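Review bot: Hardening that lives only in a `[target.….rustflags]` table is dropped without any message whenever `RUSTFLAGS` or `CARGO_ENCODED_RUSTFLAGS` is set in the environment, because Cargo uses the first rustflags source it finds and does not merge them. If a pipeline step or developer shell exports `RUSTFLAGS`, the binaries are built without `control-flow-guard`, `/guard:cf` and `/CETCOMPAT`. The header comment should say so, e.g. `# NOTE: ignored entirely if RUSTFLAGS is set in the environment; do not export RUSTFLAGS in CI`. The same applies to the per-triple tables that PATCH 10/14 replaces this table with.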
@@ -1,12 +1,16 @@ -# Hardening flags for Windows targets: -# - target-feature=+crt-static — static CRT so vcruntime DLLs aren't needed at runtime +# Hardening flags for Windows targets. Most flags apply to both arches; +# /CETCOMPAT is x86/x64 only (Intel Control-flow Enforcement Technology; +# ARM64 uses Pointer Authentication / BTI instead). +# +# Shared flags: # - control-flow-guard (rustc) + /guard:cf (linker) — Control Flow Guard +# - target-feature=+crt-static — static CRT so vcruntime DLLs aren't needed at runtime # - /DYNAMICBASE — ASLR -# - /CETCOMPAT — Intel CET shadow stack opt-in # - /LTCG — link-time codegen (pairs best with profile-level lto = "thin"|"fat") # - -D warnings — make warnings fatal at compile time -[target.'cfg(target_os = "windows")'] + +[target.x86_64-pc-windows-msvc] rustflags = [ "-C", "control-flow-guard", @@ -17,3 +21,15 @@ rustflags = [ "-D", "warnings", ] + +[target.aarch64-pc-windows-msvc] +rustflags = [ + "-C", + "control-flow-guard", + "-C", + "target-feature=+crt-static", + "-C", + "link-args=/guard:cf /DYNAMICBASE /LTCG", + "-D", + "warnings", +] From 9c9407d27adb64e44500095fa2539344330d0c49 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Fri, 15 May 2026 23:48:56 -0700 Subject: [PATCH 11/14] attempt to fix 3 --- .../templates/Mxc.Binary.Packaging.Job.yml | 11 +++++++++++ .azure-pipelines/templates/Rust.Build.Job.yml | 10 +++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml index 990f210fc..23d84c14f 100644 --- a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml +++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml 
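Review bot: The retained comment line for `/LTCG` says it pairs with profile-level `lto`, which reads as if the two were the same mechanism. As far as I can tell, `/LTCG` only acts on objects the MSVC compiler produced with `/GL`, while Cargo's `lto` is performed by LLVM inside rustc, so the flag probably has no effect on the Rust code and is not a hardening measure. I would either drop it from both `link-args` strings or reword the comment to `# - /LTCG — MSVC link-time codegen; no effect on rustc-generated objects, kept for <reason>`. The second hunk of this patch adds the same flag for aarch64.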
@@ -43,6 +43,17 @@ jobs: artifact: ${{ target.artifact }} path: $(stagingDirectory)/${{ target.sdkArch }} + # Flatten symbols/ subdirs back into each arch root. + - pwsh: | + Get-ChildItem -Path "$(stagingDirectory)" -Directory | ForEach-Object { + $symbols = Join-Path $_.FullName 'symbols' + if (Test-Path $symbols) { + Get-ChildItem -Path $symbols -File | Move-Item -Destination $_.FullName -Force -Verbose + Remove-Item -Path $symbols -Force + } + } + displayName: Flatten symbols/ into arch dirs + - task: ArchiveFiles@2 displayName: Archive mxc-release-binaries.zip inputs: diff --git a/.azure-pipelines/templates/Rust.Build.Job.yml b/.azure-pipelines/templates/Rust.Build.Job.yml index 4b8849c3f..796118f12 100644 --- a/.azure-pipelines/templates/Rust.Build.Job.yml +++ b/.azure-pipelines/templates/Rust.Build.Job.yml @@ -175,8 +175,12 @@ jobs: contents: wslcsdk.dll targetFolder: $(outputDirectory)/$(targetTriple) - # Copy all symbol files alongside the binaries: .pdb on Windows (MSVC), - # .dwp on Linux (DWARF package from split-debuginfo = "packed"). + # Copy symbol files into a sibling `symbols/` subdir, NOT alongside the + # binaries. Workaround for BinSkim BA2007: when the pdb is co-located, + # BinSkim reads its S_COMPILE3 records and flags `-wd4146` in the + # statically-linked MS CRT obj files (libucrt.lib internals). We still + # want +crt-static so consumers don't need a vcruntime DLL — separating + # the pdb hides those records from BinSkim without changing the binary. - task: CopyFiles@2 displayName: Copy symbol files inputs: @@ -184,7 +188,7 @@ jobs: contents: | *.pdb *.dwp - targetFolder: $(outputDirectory)/$(targetTriple) + targetFolder: $(outputDirectory)/$(targetTriple)/symbols - task: 1ES.PublishPipelineArtifact@1 displayName: Publish From b073ef773942027dcb3e8ae1fb4d18de25b8546c Mon Sep 17 00:00:00 2001 
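Review bot: Moving the PDBs into `symbols/` in Rust.Build.Job.yml hides them from BinSkim for the project's own code as well as for the static CRT objects the new comment describes. Every rule that needs symbols, not only BA2007, therefore likely stops being evaluated on these binaries. The comment should state that cost. A narrower fix would keep the PDB visible to the scan and suppress or baseline only the BA2007 results that come from the CRT objects. How BinSkim is invoked is not visible in this diff, so whether that is possible in this pipeline needs checking; the second hunk (`targetFolder: $(outputDirectory)/$(targetTriple)/symbols`) is the line that implements the move.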
From: Branden Bonaby Date: Sat, 16 May 2026 08:55:05 -0700 Subject: [PATCH 12/14] don't add symbols to npm package --- .azure-pipelines/templates/Package.NpmSdk.Job.yml | 7 +++---- src/Cargo.toml | 6 +++++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.azure-pipelines/templates/Package.NpmSdk.Job.yml b/.azure-pipelines/templates/Package.NpmSdk.Job.yml index 4c3451a9d..de98cc2f2 100644 --- a/.azure-pipelines/templates/Package.NpmSdk.Job.yml +++ b/.azure-pipelines/templates/Package.NpmSdk.Job.yml @@ -50,10 +50,9 @@ jobs: - script: chmod +x $(sdkDirectory)/bin/*/lxc-exec displayName: Restore execute permission on lxc-exec - # Strip symbol files before npm pack — they ship via the separate - # mxc-release-binaries artifact (see Mxc.Binary.Packaging.Job.yml). - - script: rm -f $(sdkDirectory)/bin/*/*.pdb $(sdkDirectory)/bin/*/*.dwp - displayName: Strip symbol files from npm package + # Drop symbol files from the npm package — symbols ship separately. + - script: rm -rf $(sdkDirectory)/bin/*/symbols + displayName: Strip symbols/ from npm package - script: | set -euo pipefail diff --git a/src/Cargo.toml b/src/Cargo.toml index e89f06fde..745332ea8 100644 --- a/src/Cargo.toml +++ b/src/Cargo.toml @@ -21,10 +21,14 @@ members = [ resolver = "3" # Full debug info so we can analyse customer crash dumps in WinDbg until we -# publish to a symbol server. +# publish to a symbol server. `strip = "debuginfo"` removes embedded debug +# sections from the binary itself (mainly relevant on Linux — Windows pdbs +# are already split by `split-debuginfo = "packed"`). Full debug info still +# ships via the side-by-side .pdb / .dwp files. [profile.release] debug = "full" split-debuginfo = "packed" +strip = "debuginfo" [workspace.package] edition = "2021" From 5e082ca46a0d0591146399ecbf6f03ed204db9cc Mon Sep 17 00:00:00 2001 
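Review bot: The strip step in Package.NpmSdk.Job.yml now removes only `bin/*/symbols`, so a `.pdb` or `.dwp` that ends up next to a binary would be packed into the npm package unnoticed. That could come from an artifact built before the `symbols/` layout or from a later copy step. Keeping the old globs costs nothing: `rm -rf $(sdkDirectory)/bin/*/symbols $(sdkDirectory)/bin/*/*.pdb $(sdkDirectory)/bin/*/*.dwp`. The step's comment could then say that both layouts are covered.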
From: Branden Bonaby Date: Sat, 16 May 2026 09:24:27 -0700 Subject: [PATCH 13/14] account for mac debug --- .azure-pipelines/templates/Mac.Build.Job.yml | 9 +++++++++ .azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml | 2 ++ 2 files changed, 11 insertions(+) diff --git a/.azure-pipelines/templates/Mac.Build.Job.yml b/.azure-pipelines/templates/Mac.Build.Job.yml index 4f009291f..fbb61ca11 100644 --- a/.azure-pipelines/templates/Mac.Build.Job.yml +++ b/.azure-pipelines/templates/Mac.Build.Job.yml @@ -89,6 +89,15 @@ jobs: contents: mxc-exec-mac targetFolder: $(outputDirectory)/$(targetTriple) + # Copy the .dSYM bundle into a sibling `symbols/` subdir, mirroring the + # Windows/Linux pattern (see Rust.Build.Job.yml for the BinSkim rationale). + - task: CopyFiles@2 + displayName: Copy dSYM bundle + inputs: + sourceFolder: $(targetTripleDir) + contents: 'mxc-exec-mac.dSYM/**' + targetFolder: $(outputDirectory)/$(targetTriple)/symbols + - task: 1ES.PublishPipelineArtifact@1 displayName: Publish inputs: diff --git a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml index 23d84c14f..2e46c5d8e 100644 --- a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml +++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml @@ -18,6 +18,8 @@ parameters: sdkArch: x64 - artifact: lxc-binaries-aarch64-unknown-linux-gnu sdkArch: arm64 + - artifact: mxc-binaries-aarch64-apple-darwin + sdkArch: arm64 jobs: - job: package_mxc_release_binaries From f0f96a4ba3d42f2e984996ff818354f3ae3517c0 Mon Sep 17 00:00:00 2001 From: Branden Bonaby Date: Sat, 16 May 2026 09:56:08 -0700 Subject: [PATCH 14/14] account for symbol folder --- .../templates/Mxc.Binary.Packaging.Job.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml index 2e46c5d8e..633fa6b87 100644 
--- a/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml +++ b/.azure-pipelines/templates/Mxc.Binary.Packaging.Job.yml @@ -45,17 +45,6 @@ jobs: artifact: ${{ target.artifact }} path: $(stagingDirectory)/${{ target.sdkArch }} - # Flatten symbols/ subdirs back into each arch root. - - pwsh: | - Get-ChildItem -Path "$(stagingDirectory)" -Directory | ForEach-Object { - $symbols = Join-Path $_.FullName 'symbols' - if (Test-Path $symbols) { - Get-ChildItem -Path $symbols -File | Move-Item -Destination $_.FullName -Force -Verbose - Remove-Item -Path $symbols -Force - } - } - displayName: Flatten symbols/ into arch dirs - - task: ArchiveFiles@2 displayName: Archive mxc-release-binaries.zip inputs: