libva-multiplanar/firefox-fourier/bootstrap.sh
marfrit f91469abe3 Iteration 3 close — F GREEN, A reproduced + diagnosed for iter4
Phase 1 locked F (Firefox RDD sandbox verify-by-patch) and A (frame-11
EINVAL diagnose) running in parallel on a single firefox-fourier build.

Track F: GREEN. Patched Firefox 150.0.1 (firefox-fourier, pkgrel=1.1)
launches on ohm WITHOUT MOZ_DISABLE_RDD_SANDBOX=1 and engages our
libva-v4l2-request backend end-to-end. Three patches needed (Phase 2
identified one and deferred two):
  - Broker policy (SandboxBrokerPolicyFactory.cpp): allow /dev/media*,
    extend cap-filter to admit stateless decoders that lack M2M caps.
  - Seccomp policy (SandboxFilter.cpp): allow ioctl magic byte '|'
    for <linux/media.h> request-API ioctls.
  - Driver (media.c): replace select() with poll() — Mozilla's RDD
    seccomp common policy admits poll/ppoll/epoll_* but not
    select/pselect6. Driver-side fix preferred; smaller surface,
    portable across sandbox policies, and poll() is the modern API.

Track A: REPRODUCES + DIAGNOSED. Frame-11 EINVAL fires deterministically
on a single-slice P-frame (slice_type=0, frame_num=5, post-IDR) — the
exact iter1/iter2 carryover signature, confirming it isn't environmental.
Y2 instrumentation (in v4l2_ioctl_controls) now logs num_controls /
error_idx / per-control id+size on EINVAL. Sizes match kernel UAPI;
error_idx == num_controls is the kernel's "all bad / no specific control"
sentinel — it's a request-level rejection, not a single-field violation.
Fix is iter4's lock; rig + Y2 in place for fast iter4 turnaround.

Build infrastructure introduced: firefox-fourier LXD container on
boltzmann (RK3588 aarch64, persistent, ssh -J boltzmann
builder@firefox-fourier). Upstream Arch x86_64 wasi packages installed
to work around 4-year-stale ALARM versions. PGO generation crashes at
exit (LXC has no display); obj/dist/ tarball used as the deployable
artifact instead of the pacman package.

Phase 6 surprises captured in phase6_iter3_findings.md: malformed
first-cut patch (descriptive vs numeric hunk headers), --enable-v4l2
isn't a Mozilla 150 flag (auto-set on aarch64+GTK), Mozilla 2025 PGP
key rotation, ALARM-stale wasi, onnxruntime missing in ALARM, and the
"no tricks" lesson (revert workarounds first when redirected).

Carries to iter4 substrate: Track A fix is the natural lock; mpv
libplacebo --vo=gpu segfault stays as separate iter4 candidate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-05 12:56:34 +00:00

155 lines
5.9 KiB
Bash
#!/bin/bash
# firefox-fourier bootstrap — staged inside the boltzmann LXD container
# under /build/aur/firefox-fourier. Idempotent on rerun.
#
# Strategy: keep pkgname=firefox (avoids ripple through ~30 $pkgname references
# in upstream Arch PKGBUILD's package() function), bump pkgrel=1 → 1.1
# (pacman vercmp distinguishes the build), add aarch64 to arch=, layer our
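# RDD-sandbox patch into source=() + prepare(). The original plan also added
# --enable-v4l2 to mozconfig, on the premise that upstream Arch does not enable
# it and that without it our patch is no-op'd by #ifdef MOZ_ENABLE_V4L2. Step 5
# below supersedes that: Mozilla 150 has no such flag and defines
# MOZ_ENABLE_V4L2 automatically on aarch64+GTK.
#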
# Phase 6 finding 2026-05-04: --enable-v4l2 absence was Sonnet's miss. Caught
# at the actual mozconfig read; fixed before makepkg.
set -euo pipefail
WORKDIR="${WORKDIR:-/build/aur/firefox-fourier}"
PATCH_NAME="0005-rdd-allow-stateless-v4l2-request-api.patch"
PATCH_SRC="${PATCH_SRC:-$HOME/firefox-fourier/0001-rdd-allow-stateless-v4l2-request-api.patch}"
GITLAB_BASE="https://gitlab.archlinux.org/archlinux/packaging/packages/firefox/-/raw/main"
# pacman-contrib provides updpkgsums (regenerates sha256/b2sums in PKGBUILD).
# Install if missing.
if ! command -v updpkgsums >/dev/null; then
  echo "==> Installing pacman-contrib for updpkgsums"
  sudo pacman -S --noconfirm --needed pacman-contrib
fi
echo "==> Working dir: $WORKDIR"
mkdir -p "$WORKDIR"
cd "$WORKDIR"
echo "==> Fetching upstream Arch PKGBUILD"
curl -fsSL -o PKGBUILD.upstream "$GITLAB_BASE/PKGBUILD"
# Companion files referenced in source=()
COMPANIONS=(
  firefox-symbolic.svg
  firefox.desktop
  org.mozilla.firefox.metainfo.xml
  0001-Install-under-remoting-name.patch
  0002-Bug-2033279-Make-enable-rust-simd-work-with-Rust-1.9.patch
  0003-Patch-glsl-optimizer-to-build-with-glibc-2.43.patch
  0004-Bug-2023597-Use-wasm32-wasip1-target-for-clang-22.1-.patch
)
echo "==> Fetching companion source files"
for f in "${COMPANIONS[@]}"; do
  if [[ ! -f "$f" ]]; then
    echo " -> $f"
    curl -fsSL -o "$f" "$GITLAB_BASE/$f"
  fi
done
echo "==> Copying our patch"
cp "$PATCH_SRC" "$PATCH_NAME"
echo "==> Generating overlayed PKGBUILD"
cp PKGBUILD.upstream PKGBUILD
# 1. Bump pkgrel to mark the build
sed -i 's/^pkgrel=1$/pkgrel=1.1/' PKGBUILD
# 2. Add aarch64 to arch=()
sed -i 's/^arch=(x86_64)$/arch=(x86_64 aarch64)/' PKGBUILD
# 3. Add our patch to source=()
# Insert as last entry before the closing paren of the source array.
sed -i "/^ 0004-Bug-2023597-Use-wasm32-wasip1-target-for-clang-22.1-\.patch$/a\\ $PATCH_NAME" PKGBUILD
# 4. Apply our patch in prepare() — insert after the 0004 patch application
# and before "echo -n \"\$_google_api_key\" >google-api-key"
python3 - <<'PY'
import pathlib
p = pathlib.Path("PKGBUILD")
text = p.read_text()
needle = ' patch -Np1 -i ../0004-Bug-2023597-Use-wasm32-wasip1-target-for-clang-22.1-.patch\n'
apply_line = ' patch -Np1 -i ../0005-rdd-allow-stateless-v4l2-request-api.patch\n'
add = (
    '\n'
    ' # firefox-fourier: V4L2 stateless decoder RDD sandbox allowlist\n'
    ' # (allow /dev/media* + extend cap filter for CAPTURE_MPLANE+OUTPUT_MPLANE)\n'
    + apply_line
)
if apply_line in text:
    # Idempotent: prepare() already applies the 0005 patch. No-op.
    pass
else:
    # Insert the add block right after the 0004 patch application. If the
    # needle is absent the text is left unchanged and the "MISS: prepare"
    # validation below reports it.
    new_text = text.replace(needle, needle + add, 1)
    if new_text != text:
        p.write_text(new_text)
PY
# 5. (was: --enable-v4l2). Mozilla 150 has NO --enable-v4l2 configure flag.
# `MOZ_ENABLE_V4L2` is auto-defined in toolkit/moz.configure when:
# target.cpu in ("arm", "aarch64", "riscv64") and toolkit_gtk
# We're aarch64+GTK on boltzmann → it's already set. No edit needed here.
# Adding `ac_add_options --enable-v4l2` causes:
# mozbuild.configure.options.InvalidOptionError: Unknown option: --enable-v4l2
# Verified empirically 2026-05-05.
# 6. Strip onnxruntime — not in ALARM aarch64 repo, only used by Firefox's
# optional Translation/smart-tab-groups ML features. Not on the V4L2
# decode path; iter3 success criterion does not require it.
# Remove from makedepends, optdepends, and the package() symlink chunk.
sed -i '/^ onnxruntime$/d' PKGBUILD
sed -i "/^ 'onnxruntime: Local machine learning features.*'$/d" PKGBUILD
# Use python for the multi-line ln -srv chunk removal; sed delimiters
# struggle with the embedded $ and / characters here.
python3 - <<'PY'
import re, pathlib
p = pathlib.Path("PKGBUILD")
text = p.read_text()
# Drop the comment + symlink pair; leave the file untouched if it is absent.
new = re.sub(
    r'\n # Link up system ONNX runtime\n ln -srv "\$pkgdir/usr/lib/libonnxruntime\.so" -t "\$appdir"\n',
    '\n', text)
if new != text:
    p.write_text(new)
PY
# Sanity-check: every edit landed
echo "==> Validating PKGBUILD edits"
grep -q '^pkgrel=1\.1$' PKGBUILD || { echo "MISS: pkgrel"; exit 1; }
grep -q '^arch=(x86_64 aarch64)$' PKGBUILD || { echo "MISS: arch"; exit 1; }
grep -q "^ $PATCH_NAME$" PKGBUILD || { echo "MISS: source"; exit 1; }
grep -q "patch -Np1 -i ../$PATCH_NAME" PKGBUILD || { echo "MISS: prepare"; exit 1; }
# Step 5 makes no mozconfig edit, so the flag must be absent: Mozilla 150 rejects it.
! grep -q '^ac_add_options --enable-v4l2$' PKGBUILD || { echo "STALE: --enable-v4l2"; exit 1; }
echo " all 4 edits present."
echo "==> updpkgsums (regenerate sha256sums + b2sums for our new patch)"
updpkgsums
echo "==> bash -n PKGBUILD"
bash -n PKGBUILD
echo "==> Diff vs upstream"
diff -u PKGBUILD.upstream PKGBUILD || true
cat <<EOF
Bootstrap complete. Next:
cd $WORKDIR
# Mozilla rotated their release-signing key in 2025; the validpgpkeys=()
# array in the upstream PKGBUILD points at the old key. Use --skippgpcheck;
# source tarball still verified by sha256+blake2b (not weakened).
nohup makepkg --syncdeps --skippgpcheck --noconfirm --nocheck \\
> build.log 2>&1 < /dev/null &
disown
# ~1.5-2.5h on boltzmann RK3588 (cortex-A76 cluster).
# Watch progress: tail -f build.log
# On finish: ls -la *.pkg.tar.zst
EOF
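
Added example, not part of bootstrap.sh: the script runs updpkgsums, which rewrites the checksum arrays from whatever was downloaded, and then recommends --skippgpcheck on the grounds that the tarball is still covered by sha256+blake2b. One way to confirm that after updpkgsums has run is to check that every digest pinned in PKGBUILD.upstream still appears in the overlay PKGBUILD. The function names and the sample digests are constructed for illustration, and the check assumes PKGBUILD.upstream itself was fetched from a trusted source.

```shell
#!/bin/bash
# Added example (not from bootstrap.sh). All digests below are constructed.

# Print the hex digests of one checksum array, one per line; 'SKIP' is ignored.
sums_of() {  # usage: sums_of <PKGBUILD> <array-name>
  awk -v name="$2" '
    index($0, name "=(") == 1 { inside = 1 }
    inside { print; if (index($0, ")")) exit }
  ' "$1" | grep -oE "'[0-9a-f]+'" | tr -d "'"
}

# Return 0 if every digest pinned upstream is still present in the overlay.
# A missing digest means updpkgsums hashed a file that differs from the one
# the upstream packager pinned, so the download needs a closer look.
check_pinned_sums() {  # usage: check_pinned_sums <upstream> <overlay>
  rc=0
  for arr in sha256sums b2sums; do
    for digest in $(sums_of "$1" "$arr"); do
      if ! sums_of "$2" "$arr" | grep -qxF "$digest"; then
        printf 'CHANGED: %s %.16s... no longer matches upstream pin\n' \
          "$arr" "$digest" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}

# Constructed sample input: a PKGBUILD fragment whose sha256sums are "$@".
write_sample() {  # usage: write_sample <file> <digest>...
  f="$1"; shift
  { echo "sha256sums=("; for d in "$@"; do echo "  '$d'"; done; echo ")"; } > "$f"
}

demo() {
  tmp=$(mktemp -d)
  tarball=$(printf '%064d' 1); patch4=$(printf '%064d' 2); ours=$(printf '%064d' 3)
  write_sample "$tmp/up"   "$tarball" SKIP "$patch4"
  # Overlay after updpkgsums: same pins plus one new digest for our patch.
  write_sample "$tmp/good" "$tarball" SKIP "$patch4" "$ours"
  # Overlay where the tarball digest was regenerated from a different file.
  write_sample "$tmp/bad"  "$(printf '%064d' 9)" SKIP "$patch4" "$ours"
  check_pinned_sums "$tmp/up" "$tmp/good" && echo "good overlay: pins intact"
  check_pinned_sums "$tmp/up" "$tmp/bad"  || echo "bad overlay: pin replaced"
  rm -rf "$tmp"
}
demo
```

In the bootstrap flow this would be called as check_pinned_sums PKGBUILD.upstream PKGBUILD right after updpkgsums, before the diff step.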