perf(build): eager symbol binding (-z,now,-z,relro) for faster init#1273
Draft
duncanista wants to merge 1 commit into
Draft
Conversation
Append -Clink-arg=-Wl,-z,now -Clink-arg=-Wl,-z,relro to the clang-linker RUSTFLAGS in both compile Dockerfiles. Eager (now) binding resolves all dynamic symbols at load time instead of lazily via the PLT, moving resolution stalls off the Lambda INIT path; relro hardens the GOT. This only affects the dynamically-linked glibc layers; it is a no-op on the static musl build.
|
12 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Jira: none yet — add before marking ready.
Overview
Appends two link args to the clang-linker
RUSTFLAGSin both compile Dockerfiles (images/Dockerfile.bottlecap.compileandimages/Dockerfile.bottlecap.alpine.compile):Mechanism. The published layers are dynamically-linked glibc binaries. By default the dynamic linker resolves imported symbols lazily, on first call, via the PLT/GOT — so the first invocation of each external function pays a one-time resolution stall, and many of those stalls land on the cold-start INIT path.
-z nowforces eager binding: every dynamic symbol is resolved at load time, moving that resolution work off the INIT path.-z relrothen marks the GOT read-only after relocation, which is a standard hardening that pairs with full eager binding (full RELRO).Scope. This is a no-op for the static musl build: that binary statically links its dependencies, so there is no lazy PLT resolution of dynamic symbols to eliminate. In the alpine Dockerfile the edited
export RUSTFLAGS=...already lives inside the existingif [ "${PLATFORM}" = "x86_64" ]clang-linker branch, so behavior there is unchanged beyond the added (inert) flags. The flags only have a runtime effect on the dynamically-linked glibc layers.Dockerfile-only change — no Rust source changes.
Testing
RUSTFLAGSstring in both Dockerfiles to confirm the two args are appended cleanly after the existing-lclang_rt.builtins-$(uname -m)flag, preserving the surrounding shell quoting and command substitution.