Codesign w/ debugging entitlement for backtraces on macOS (#7010)

### Motivation:

The new Swift backtracer will only function on macOS if:

1. `SWIFT_BACKTRACE` environment variable has its `enable` option set to
`yes` or `tty`, and

2. The program you are running was signed with the
`com.apple.security.get-task-allow` entitlement.

Xcode automatically signs all local builds with that entitlement by
default; without it the Swift backtracer won't work.

SwiftPM should sign Debug binaries with the entitlement by default. It
should also have an _option_ to sign Release binaries with the
entitlement, noting that they should not be distributed in that state
but that crashes may only manifest in release builds (where the
optimizer is fully enabled).

### Modifications:

Added new `--enable-get-task-allow-entitlement` and
`--disable-get-task-allow-entitlement` CLI flags. Made it enabled by
default for debug builds on macOS. When enabled, applying codesigning
with `com.apple.security.get-task-allow` in
`LLBuildManifestBuilder+Product.swift`.

### Result:

Backtraces work on macOS when built with SwiftPM.

Resolves rdar://112065568.

Author: MaxDesiatov

CHANGELOG.md

@@ -7,6 +7,9 @@ Swift Next
 
   In packages that specify resources using a future tools version, the generated resource bundle accessor will import `Foundation.Bundle` for its own implementation only. _Clients_ of such packages therefore no longer silently import `Foundation`, preventing inadvertent use of Foundation extensions to standard library APIs, which helps to avoid unexpected code size increases.
 
+* [#7010]
+
+  On macOS, `swift build` and `swift run` now produce binaries that allow backtraces in debug builds. Pass `SWIFT_BACKTRACE=enable=yes` environment variable to enable backtraces on such binaries when running them.
 
 Swift 5.9
 -----------

Sources/Build/BuildDescription/ProductBuildDescription.swift

@@ -367,6 +367,10 @@ public final class ProductBuildDescription: SPMBuildCore.ProductBuildDescription
 
         return flags
     }
+
+    func codeSigningArguments(plistPath: AbsolutePath, binaryPath: AbsolutePath) -> [String] {
+        ["codesign", "--force", "--sign", "-", "--entitlements", plistPath.pathString, binaryPath.pathString]
+    }
 }
 
 extension SortedArray where Element == AbsolutePath {

Sources/Build/BuildManifest/LLBuildManifestBuilder+Product.swift

@@ -33,13 +33,19 @@ extension LLBuildManifestBuilder {
             testInputs = []
         }
 
+        // Create a phony node to represent the entire target.
+        let targetName = try buildProduct.product.getLLBuildTargetName(config: self.buildConfig)
+        let output: Node = .virtual(targetName)
+
+        let finalProductNode: Node
         switch buildProduct.product.type {
         case .library(.static):
+            finalProductNode = try .file(buildProduct.binaryPath)
             try self.manifest.addShellCmd(
                 name: cmdName,
                 description: "Archiving \(buildProduct.binaryPath.prettyPath())",
                 inputs: (buildProduct.objects + [buildProduct.linkFileListPath]).map(Node.file),
-                outputs: [.file(buildProduct.binaryPath)],
+                outputs: [finalProductNode],
                 arguments: try buildProduct.archiveArguments()
             )
 
@@ -49,23 +55,55 @@ extension LLBuildManifestBuilder {
                 + [buildProduct.linkFileListPath]
                 + testInputs
 
+            let shouldCodeSign: Bool
+            let linkedBinaryNode: Node
+            let linkedBinaryPath = try buildProduct.binaryPath
+            if case .executable = buildProduct.product.type,
+               buildParameters.targetTriple.isMacOSX,
+               buildParameters.debuggingParameters.shouldEnableDebuggingEntitlement {
+                shouldCodeSign = true
+                linkedBinaryNode = try .file(buildProduct.binaryPath, isMutated: true)
+            } else {
+                shouldCodeSign = false
+                linkedBinaryNode = try .file(buildProduct.binaryPath)
+            }
+
             try self.manifest.addShellCmd(
                 name: cmdName,
                 description: "Linking \(buildProduct.binaryPath.prettyPath())",
                 inputs: inputs.map(Node.file),
-                outputs: [.file(buildProduct.binaryPath)],
+                outputs: [linkedBinaryNode],
                 arguments: try buildProduct.linkArguments()
             )
-        }
 
-        // Create a phony node to represent the entire target.
-        let targetName = try buildProduct.product.getLLBuildTargetName(config: self.buildConfig)
-        let output: Node = .virtual(targetName)
+            if shouldCodeSign {
+                let basename = try buildProduct.binaryPath.basename
+                let plistPath = try buildProduct.binaryPath.parentDirectory
+                    .appending(component: "\(basename)-entitlement.plist")
+                self.manifest.addEntitlementPlistCommand(
+                    entitlement: "com.apple.security.get-task-allow",
+                    outputPath: plistPath
+                )
+
+                let cmdName = try buildProduct.product.getCommandName(config: self.buildConfig)
+                let codeSigningOutput = Node.virtual(targetName + "-CodeSigning")
+                try self.manifest.addShellCmd(
+                    name: "\(cmdName)-entitlements",
+                    description: "Applying debug entitlements to \(buildProduct.binaryPath.prettyPath())",
+                    inputs: [linkedBinaryNode, .file(plistPath)],
+                    outputs: [codeSigningOutput],
+                    arguments: buildProduct.codeSigningArguments(plistPath: plistPath, binaryPath: linkedBinaryPath)
+                )
+                finalProductNode = codeSigningOutput
+            } else {
+                finalProductNode = linkedBinaryNode
+            }
+        }
 
         self.manifest.addNode(output, toTarget: targetName)
-        try self.manifest.addPhonyCmd(
+        self.manifest.addPhonyCmd(
             name: output.name,
-            inputs: [.file(buildProduct.binaryPath)],
+            inputs: [finalProductNode],
             outputs: [output]
         )
 

Sources/Build/BuildManifest/LLBuildManifestBuilder.swift

@@ -22,6 +22,7 @@ import struct TSCBasic.ByteString
 import enum TSCBasic.ProcessEnv
 import func TSCBasic.topologicalSort
 
+/// High-level interface to ``LLBuildManifest`` and ``LLBuildManifestWriter``.
 public class LLBuildManifestBuilder {
     public enum TargetKind {
         case main
@@ -42,7 +43,7 @@ public class LLBuildManifestBuilder {
     public let disableSandboxForPluginCommands: Bool
 
     /// File system reference.
-    let fileSystem: FileSystem
+    let fileSystem: any FileSystem
 
     /// ObservabilityScope with which to emit diagnostics
     public let observabilityScope: ObservabilityScope
@@ -60,7 +61,7 @@ public class LLBuildManifestBuilder {
     public init(
         _ plan: BuildPlan,
         disableSandboxForPluginCommands: Bool = false,
-        fileSystem: FileSystem,
+        fileSystem: any FileSystem,
         observabilityScope: ObservabilityScope
     ) {
         self.plan = plan

Sources/CoreCommands/Options.swift

@@ -477,6 +477,12 @@ public struct BuildOptions: ParsableArguments {
     )
     public var linkTimeOptimizationMode: LinkTimeOptimizationMode?
 
+    @Flag(help: .hidden)
+    public var enableGetTaskAllowEntitlement: Bool = false
+
+    @Flag(help: .hidden)
+    public var disableGetTaskAllowEntitlement: Bool = false
+
     // @Flag works best when there is a default value present
     // if true, false aren't enough and a third state is needed
     // nil should not be the goto. Instead create an enum

Sources/CoreCommands/SwiftTool.swift

@@ -664,6 +664,11 @@ public final class SwiftTool {
         return buildSystem
     }
 
+    static let entitlementsMacOSWarning = """
+    `--disable-get-task-allow-entitlement` and `--disable-get-task-allow-entitlement` only have an effect \
+    when building on macOS.
+    """
+
     private func _buildParams(toolchain: UserToolchain) throws -> BuildParameters {
         let hostTriple = try self.getHostToolchain().targetTriple
         let targetTriple = toolchain.targetTriple
@@ -672,6 +677,12 @@ public final class SwiftTool {
             component: targetTriple.platformBuildPathComponent(buildSystem: options.build.buildSystem)
         )
 
+        if !targetTriple.isMacOSX && (
+            options.build.disableGetTaskAllowEntitlement || options.build.enableGetTaskAllowEntitlement
+        ) {
+            observabilityScope.emit(warning: Self.entitlementsMacOSWarning)
+        }
+
         return try BuildParameters(
             dataPath: dataPath,
             configuration: options.build.configuration,
@@ -685,7 +696,13 @@ public final class SwiftTool {
             sanitizers: options.build.enabledSanitizers,
             indexStoreMode: options.build.indexStoreMode.buildParameter,
             isXcodeBuildSystemEnabled: options.build.buildSystem == .xcode,
-            debugInfoFormat: options.build.debugInfoFormat.buildParameter,
+            debuggingParameters: .init(
+                debugInfoFormat: options.build.debugInfoFormat.buildParameter,
+                targetTriple: targetTriple,
+                shouldEnableDebuggingEntitlement:
+                    (options.build.configuration == .debug && !options.build.disableGetTaskAllowEntitlement) ||
+                    (options.build.enableGetTaskAllowEntitlement && !options.build.disableGetTaskAllowEntitlement)
+            ),
             driverParameters: .init(
                 canRenameEntrypointFunctionName: driverSupport.checkSupportedFrontendFlags(
                     flags: ["entry-point-function-name"],

Sources/SPMBuildCore/BuildParameters/BuildParameters+Debugging.swift

@@ -0,0 +1,74 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the Swift open source project
+//
+// Copyright (c) 2020-2023 Apple Inc. and the Swift project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See http://swift.org/LICENSE.txt for license information
+// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+//
+//===----------------------------------------------------------------------===//
+
+import struct Basics.Triple
+import enum PackageModel.BuildConfiguration
+
+extension BuildParameters {
+    public struct Debugging: Encodable {
+        public init(
+            debugInfoFormat: DebugInfoFormat = .dwarf,
+            targetTriple: Triple,
+            shouldEnableDebuggingEntitlement: Bool
+        ) {
+            self.debugInfoFormat = debugInfoFormat
+
+            // Per rdar://112065568 for backtraces to work on macOS a special entitlement needs to be granted on the final
+            // executable.
+            self.shouldEnableDebuggingEntitlement = targetTriple.isMacOSX && shouldEnableDebuggingEntitlement
+        }
+
+        public var debugInfoFormat: DebugInfoFormat
+        
+        /// Whether the produced executable should be codesigned with the debugging entitlement, enabling enhanced
+        /// backtraces on macOS.
+        public var shouldEnableDebuggingEntitlement: Bool
+    }
+
+    /// Represents the debugging strategy.
+    ///
+    /// Swift binaries requires the swiftmodule files in order for lldb to work.
+    /// On Darwin, linker can directly take the swiftmodule file path using the
+    /// -add_ast_path flag. On other platforms, we convert the swiftmodule into
+    /// an object file using Swift's modulewrap tool.
+    public enum DebuggingStrategy {
+        case swiftAST
+        case modulewrap
+    }
+
+    /// The debugging strategy according to the current build parameters.
+    public var debuggingStrategy: DebuggingStrategy? {
+        guard configuration == .debug else {
+            return nil
+        }
+
+        if targetTriple.isApple() {
+            return .swiftAST
+        }
+        return .modulewrap
+    }
+
+    /// Represents the debug information format.
+    ///
+    /// The debug information format controls the format of the debug information
+    /// that the compiler generates.  Some platforms support debug information
+    // formats other than DWARF.
+    public enum DebugInfoFormat: String, Encodable {
+        /// DWARF debug information format, the default format used by Swift.
+        case dwarf
+        /// CodeView debug information format, used on Windows.
+        case codeview
+        /// No debug information to be emitted.
+        case none
+    }
+
+}

Sources/SPMBuildCore/BuildParameters/BuildParameters.swift

@@ -26,31 +26,6 @@ public struct BuildParameters: Encodable {
         case auto
     }
 
-    /// Represents the debug information format.
-    ///
-    /// The debug information format controls the format of the debug information
-    /// that the compiler generates.  Some platforms support debug information
-    // formats other than DWARF.
-    public enum DebugInfoFormat: String, Encodable {
-        /// DWARF debug information format, the default format used by Swift.
-        case dwarf
-        /// CodeView debug information format, used on Windows.
-        case codeview
-        /// No debug information to be emitted.
-        case none
-    }
-
-    /// Represents the debugging strategy.
-    ///
-    /// Swift binaries requires the swiftmodule files in order for lldb to work.
-    /// On Darwin, linker can directly take the swiftmodule file path using the
-    /// -add_ast_path flag. On other platforms, we convert the swiftmodule into
-    /// an object file using Swift's modulewrap tool.
-    public enum DebuggingStrategy {
-        case swiftAST
-        case modulewrap
-    }
-
     /// The path to the data directory.
     public var dataPath: AbsolutePath
 
@@ -125,10 +100,11 @@ public struct BuildParameters: Encodable {
     /// Whether the Xcode build system is used.
     public var isXcodeBuildSystemEnabled: Bool
 
-    public var debugInfoFormat: DebugInfoFormat
-
     public var shouldSkipBuilding: Bool
 
+    /// Build parameters related to debugging.
+    public var debuggingParameters: Debugging
+
     /// Build parameters related to Swift Driver.
     public var driverParameters: Driver
 
@@ -155,21 +131,25 @@ public struct BuildParameters: Encodable {
         sanitizers: EnabledSanitizers = EnabledSanitizers(),
         indexStoreMode: IndexStoreMode = .auto,
         isXcodeBuildSystemEnabled: Bool = false,
-        debugInfoFormat: DebugInfoFormat = .dwarf,
         shouldSkipBuilding: Bool = false,
+        debuggingParameters: Debugging? = nil,
         driverParameters: Driver = .init(),
         linkingParameters: Linking = .init(),
         outputParameters: Output = .init(),
         testingParameters: Testing? = nil
     ) throws {
         let targetTriple = try targetTriple ?? .getHostTriple(usingSwiftCompiler: toolchain.swiftCompilerPath)
+        self.debuggingParameters = debuggingParameters ?? .init(
+            targetTriple: targetTriple,
+            shouldEnableDebuggingEntitlement: configuration == .debug
+        )
 
         self.dataPath = dataPath
         self.configuration = configuration
         self._toolchain = _Toolchain(toolchain: toolchain)
         self.hostTriple = try hostTriple ?? .getHostTriple(usingSwiftCompiler: toolchain.swiftCompilerPath)
         self.targetTriple = targetTriple
-        switch debugInfoFormat {
+        switch self.debuggingParameters.debugInfoFormat {
         case .dwarf:
             var flags = flags
             // DWARF requires lld as link.exe expects CodeView debug info.
@@ -205,13 +185,11 @@ public struct BuildParameters: Encodable {
         self.sanitizers = sanitizers
         self.indexStoreMode = indexStoreMode
         self.isXcodeBuildSystemEnabled = isXcodeBuildSystemEnabled
-        self.debugInfoFormat = debugInfoFormat
         self.shouldSkipBuilding = shouldSkipBuilding
         self.driverParameters = driverParameters
         self.linkingParameters = linkingParameters
         self.outputParameters = outputParameters
         self.testingParameters = testingParameters ?? .init(configuration: configuration, targetTriple: targetTriple)
-
     }
 
     public func forTriple(_ targetTriple: Triple) throws -> BuildParameters {
@@ -280,19 +258,6 @@ public struct BuildParameters: Encodable {
     public var testOutputPath: AbsolutePath {
         return buildPath.appending(component: "testOutput.txt")
     }
-
-    /// The debugging strategy according to the current build parameters.
-    public var debuggingStrategy: DebuggingStrategy? {
-        guard configuration == .debug else {
-            return nil
-        }
-
-        if targetTriple.isApple() {
-            return .swiftAST
-        }
-        return .modulewrap
-    }
-
     /// Returns the path to the binary of a product for the current build parameters.
     public func binaryPath(for product: ResolvedProduct) throws -> AbsolutePath {
         return try buildPath.appending(binaryRelativePath(for: product))

Sources/SPMBuildCore/CMakeLists.txt

@@ -9,6 +9,7 @@
 add_library(SPMBuildCore
   BinaryTarget+Extensions.swift
   BuildParameters/BuildParameters.swift
+  BuildParameters/BuildParameters+Debugging.swift
   BuildParameters/BuildParameters+Driver.swift
   BuildParameters/BuildParameters+Linking.swift
   BuildParameters/BuildParameters+Output.swift