Add shared dependency verification and fix Docker fontconfig pins#3510
Add shared dependency verification and fix Docker fontconfig pins#3510mattleibow merged 4 commits intomainfrom
Conversation
mattleibow
force-pushed
the
dev/issue-3346-static-crt-angle
branch
from
10cd6e9 to
f321547
Compare
…ation - Add explicit /MT to ANGLE extra_cflags to ensure static CRT linking, preventing potential crashes on Windows machines without VC++ Redistributable - Extract CheckWindowsDependencies() and CheckLinuxDependencies() into scripts/cake/native-shared.cake for reuse across all native builds - Add dependency verification to ANGLE, libSkiaSharp, and libHarfBuzzSharp Windows builds (reject VCRUNTIME/MSVCP dependencies) - Simplify native/winui/build.cake and native/linux/build.cake to delegate to the shared functions CI verified all DLLs pass the dependency check (no VCRUNTIME/MSVCP deps). Fixes #3346 See also: #136 (original static CRT fix for libSkiaSharp)
mattleibow
force-pushed
the
dev/issue-3346-static-crt-angle
branch
from
f321547 to
22beb0e
Compare
There was a problem hiding this comment.
Pull request overview
This PR aims to fix Windows ARM64 publish-time crashes in MAUI apps by ensuring native Windows binaries don’t depend on the VC++ Redistributable, and by adding shared build-time dependency verification across native build scripts.
Changes:
- Introduces shared
CheckWindowsDependencies()/CheckLinuxDependencies()helpers inscripts/cake/native-shared.cake. - Replaces duplicated per-platform dependency checks in Windows/WinUI/Linux native build scripts with the shared helpers.
- Adds Windows dependency verification (rejecting VCRUNTIME/MSVCP) to the WinUI ANGLE build output.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/cake/native-shared.cake | Adds shared Windows (dumpbin) and Linux (readelf + optional GLIBC max) dependency verification helpers. |
| native/winui/build.cake | Switches WinUI native DLL dependency verification to use CheckWindowsDependencies(). |
| native/winui-angle/build.cake | Adds excluded dependency list and runs Windows dependency verification on produced ANGLE DLLs. |
| native/windows/build.cake | Adds Windows dependency verification for libSkiaSharp.dll and libHarfBuzzSharp.dll. |
| native/linux/build.cake | Refactors Linux dependency verification to call CheckLinuxDependencies() and passes verifyGlibcMax through. |
| throw new Exception("Could not find dumpbin.exe, please ensure that --vsinstall is used or the envvar VS_INSTALL is set."); | ||
| } | ||
|
|
||
| RunProcess(dumpbins.First(), $"/dependents {dll}", out var stdoutEnum); |
There was a problem hiding this comment.
RunProcess(dumpbins.First(), $"/dependents {dll}", ...) does not quote the DLL path. If the repo path (or output path) contains spaces, dumpbin will receive a truncated argument and dependency verification will fail. Use a ProcessSettings/argument builder and quote/escape dll when building the arguments.
| RunProcess(dumpbins.First(), $"/dependents {dll}", out var stdoutEnum); | |
| var processSettings = new ProcessSettings | |
| { | |
| Arguments = new ProcessArgumentBuilder() | |
| .Append("/dependents") | |
| .AppendQuoted(dll.FullPath) | |
| }; | |
| RunProcess(dumpbins.First(), processSettings, out var stdoutEnum); |
| if (included.Length > 0) | ||
| Information($"Making sure that there ARE dependencies on: {string.Join(", ", included)}"); | ||
|
|
||
| RunProcess("readelf", $"-dV {so}", out var stdoutEnum); |
There was a problem hiding this comment.
RunProcess("readelf", $"-dV {so}", ...) does not quote the .so path. If the path contains spaces, the command line will be parsed incorrectly and dependency/GLIBC verification will fail. Quote/escape so (preferably via ProcessSettings/argument builder).
| RunProcess("readelf", $"-dV {so}", out var stdoutEnum); | |
| RunProcess("readelf", $"-dV \"{so.FullPath}\"", out var stdoutEnum); |
| } | ||
|
|
||
| //////////////////////////////////////////////////////////////////////////////////////////////////// | ||
| // HELPERS |
There was a problem hiding this comment.
native-shared.cake now has two separate "// HELPERS" section headers (one before dependency verification and another immediately after). This makes the file structure confusing—consider removing one header or renaming sections so each header uniquely describes the block that follows.
| // HELPERS | |
| // BUILD HELPERS |
| EnsureDirectoryExists(outDir); | ||
| CopyFileToDirectory(ANGLE_PATH.CombineWithFilePath($"out/winui{suffix}/{arch}/{target}.dll"), outDir); | ||
| CopyFileToDirectory(ANGLE_PATH.CombineWithFilePath($"out/winui{suffix}/{arch}/{target}.pdb"), outDir); | ||
| CheckWindowsDependencies($"{outDir}/{target}.dll", excluded: VERIFY_EXCLUDED); |
There was a problem hiding this comment.
The ANGLE build args still don’t include the static CRT flag (/MT). With the new CheckWindowsDependencies(..., excluded: { "VCRUNTIME", "MSVCP" }) call, /MD builds will keep depending on VCRUNTIME/MSVCP and this task will fail (and it also doesn’t address the ARM64 publish crash described in the PR). Add /MT (or /MTd for debug, if applicable) to the extra_cflags passed to RunGn for ANGLE.
CI Results (Build #155844)All 62 native build jobs passed ✅ — zero failures. What this PR provesWindows dependency verification works: The new Fontconfig fix works: The loongarch64 Docker builds (previously failing with |
mattleibow
changed the title
libfontconfig1_2.17.1-3_loong64.deb was removed from deb.debian.org when version -4 (Feb 3) and -5 (Feb 9) were published, causing the Docker image build to fail with 'file format not recognized' (curl silently downloaded a 404 HTML page instead of the .deb).
Debian removed fontconfig 2.13.1-2 from deb.debian.org pool. Update each Dockerfile to use the version that matches its Debian release: - Debian 11 (bullseye): 2.13.1-2 → 2.13.1-4.2 - Debian 12 (bookworm): 2.13.1-2 → 2.14.1-4 - Debian 13 (trixie) *: 2.13.1-2 → 2.17.1-5 Debian 10 is unaffected (uses archive.debian.org which retains old packages).
Use the minimum available version on deb.debian.org to avoid pulling in newer fontconfig behavior: - Debian 12/13 wildcard: 2.13.1-4.2 (oldest on deb.debian.org) - Debian 13 loong64: 2.17.1-4 (oldest available for loong64)
mattleibow
changed the title
Summary
Adds build-time verification that native Windows DLLs do not dynamically link against the C runtime, and fixes broken fontconfig version pins in Linux Docker cross-compilation images.
Related to #3346 — ARM64 Windows crash in published MAUI apps when VC++ Redistributable is not installed. CI confirms all Windows native binaries (including ANGLE) are already statically linked — this PR adds verification to prevent regressions.
Changes
1. Shared dependency verification functions (
scripts/cake/native-shared.cake)CheckWindowsDependencies(dll, excluded, included)— usesdumpbin /dependentsto verify Windows DLLsCheckLinuxDependencies(so, excluded, included, maxGlibc)— usesreadelf -dVto verify Linux shared objectsCheckDeps()implementations across build files2. Windows dependency verification coverage
winui-angle)windows)windows)winui)linux)3. Fix Docker fontconfig version pins
Debian removed old fontconfig packages from
deb.debian.org, breaking cross-compilation Docker builds. Updated to the oldest available version for each Debian release:2.13.1-2(404)2.13.1-4.22.13.1-2(404)2.13.1-4.2*2.13.1-2(404)2.13.1-4.22.17.1-3(404)2.17.1-42.13.1-22.15.0-2.3CI Results
All 62 native build jobs pass, including: