epic: dynamic libSystem-linked darwin executables (Apple Silicon rejects static images)

[octalide]

Status (2026-06-28)

Scoped (see the investigation findings comment). The exec gate on Apple Silicon is
PIE, proven on macos-14 — not signing, load commands, or libSystem. Awaiting a
direction call: commit to the PIE work / x86_64-interim / shelve. #1680 aarch64 leg
and #1716 are blocked on this. Not started.

What

macOS on arm64 (Apple Silicon) refuses to exec a non-PIE main executable. Proven
on a macos-14 runner (#1680 / scope investigation): EVERY mach variant — static,
dynamic+libSystem+LC_UNIXTHREAD+raw-svc, +LC_MAIN, +LC_BUILD_VERSION, +LC_UUID,
+MH_PIE flag, +libSystem call — is Killed: 9, both mach-signed and after Apple
codesign -s -. System clang on the same runner: clang -nostdlib raw-svc with
zero dylibs runs (→42); clang -no_pie emits ld: warning: -no_pie ignored for arm64 — the linker forces PIE. mach emits a non-PIE fixed-absolute image (__TEXT at
0xfffff000, empty rebase stream), so the kernel kills it.

What this rules OUT (shrinks the epic): raw svc works → no libSystem syscall
routing; classic LC_DYLD_INFO works → no chained-fixups; a dyld-linked image with
zero dylibs runs → no libSystem dependency. The only missing hard requirement is
genuine PIE.

Goal: emit a position-independent darwin executable so arm64 binaries exec on Apple
Silicon and the compiler self-hosts there.

Sized scope (from the investigation)

• mach (codegen/link) — LARGE. Emit a real PIE Mach-O: MH_PIE + a relocatable
  base/layout, LC_MAIN / LC_BUILD_VERSION / LC_UUID (all prototyped on the scope
  branch), and the dominant cost — a rebase stream (classic LC_DYLD_INFO rebase
  opcodes) for every in-image absolute pointer (globals, vtable fn-pointers, absolute
  data relocs). arm64 TEXT is already PC-relative; the work is in absolute DATA
  pointers and the linker collecting them as rebase records. Route the darwin
  self-host through this writer (no imports ⇒ zero dylibs/stubs/got/bind).
• mach-std (os:darwin) — SMALL. Keep raw svc; only change the darwin arm64 entry
  from the LC_UNIXTHREAD stack convention ([sp]=argc) to the LC_MAIN register
  convention (x0=argc, x1=argv, x2=envp).

Children

• codegen/link(macho): PIE Mach-O executable writer + rebase stream (Apple Silicon arm64 exec) #1722 — mach: PIE Mach-O writer + rebase stream — MH_PIE, relocatable layout,
  LC_MAIN/LC_BUILD_VERSION/LC_UUID, and the rebase-stream emission for absolute
  pointers (linker collects absolute relocs → rebase records). Route the darwin
  self-host through it. (LARGE)
• runtime/darwin: arm64 entry via LC_MAIN register convention (PIE darwin support) mach-std#324 — mach-std: darwin arm64 entry LC_UNIXTHREAD →
  LC_MAIN register convention (keep raw svc). (SMALL)
• infra: CD-authored darwin release build (x86_64 + aarch64, native fixpoint) #1680 (aarch64 leg) — re-enable + validate native fixpoint + exec on macos-14
  once codegen/link(macho): PIE Mach-O executable writer + rebase stream (Apple Silicon arm64 exec) #1722 + mach-std#324 land.

Sequencing

mach PIE writer + mach-std LC_MAIN entry, validated together on a macos-14 runner.
Then #1680 aarch64. The #1717 static-writer header fix already landed (correct for
static x86_64-darwin + freestanding); x86_64-darwin tolerates non-PIE/static and is
unaffected by this epic.

Future follow-ons (enabled, NOT in scope here)

The BaseReloc set #1722 adds to the linker is format-neutral, so once it's proven on
macOS, two OPTIONAL ASLR-hardening follow-ons become small encoder issues consuming the
same set (to be filed against the proven interface, parallelizable with each other):

• ELF PIE (linux ASLR): ET_DYN + R_*_RELATIVE in .rela.dyn. Caveat — mach's
  no-libc static linux binaries also need a self-relocation startup (apply RELATIVE
  relocs before main, since there's no ld.so), so this is more than the encoder.
• PE/COFF ASLR (windows): .reloc base-relocation blocks + DYNAMIC_BASE. Closer
  to pure-encoder.

Neither is forced — linux/windows run fixed-address fine — so both are deferred until
ASLR hardening is wanted. Captured here so the generalization isn't lost.

[octalide]

Investigation (on-Mac) — minimum runnable arm64 darwin image shape

On-Mac experiments on a macos-14 (Apple Silicon) runner via a workflow_dispatch
lane (branch invel/1718-scope, draft PR #1721). Each fixture is a few-instruction
program that exits 42, cross-built for darwin-aarch64, mach self-signed, run on the
Mac; each is also re-signed with Apple codesign -s - and re-run to separate a
signature problem from an image-shape problem.

Exit codes (137 = Killed: 9, SIGKILL at exec before any instruction runs)

fixture	shape	mach-signed	codesign-resigned
exp_static	static (emit_exec, LC_UNIXTHREAD, no dyld)	137	137
exp_raw_B	dyn (emit_dyn_exec) + real libSystem LC_LOAD_DYLIB + LC_UNIXTHREAD + raw svc	137	137
exp_raw_C	dyn + LC_MAIN + raw svc	137	137
exp_raw_E	dyn + LC_MAIN + LC_BUILD_VERSION + raw svc	137	137
exp_raw_G	E + LC_UUID	137	137
exp_raw_P	E + MH_PIE header flag	137	137
exp_raw_F	E + LC_UUID + MH_PIE flag	137	137
exp_libcall_E	dyn + LC_MAIN/LC_BUILD_VERSION + libSystem _exit call (no raw svc)	137	137

System-toolchain references (ground truth on the same runner)

reference	result
clang int main(){return 42;} (PIE, chained fixups)	exits 42
clang -nostdlib raw-svc exit(42), no LC_LOAD_DYLIB at all	exits 42
clang -Wl,-no_fixup_chains → classic LC_DYLD_INFO_ONLY, PIE	exits 42
clang -Wl,-no_pie	ld: warning: -no_pie ignored for arm64* → linker forces PIE

Conclusions

1. A dyld-linked shape is not sufficient. Every mach dynamic variant is Killed: 9,
   with LC_UNIXTHREAD or LC_MAIN, with/without LC_BUILD_VERSION/LC_UUID/the
   MH_PIE flag, and even when the exit is routed through a libSystem import. No
   combination of load-command cosmetics flips mach's image to runnable.
2. Not a signature problem. Apple codesign -s - re-signing still Killed: 9.
3. Raw svc works and libSystem is not required. The clang -nostdlib raw-svc
   binary (zero LC_LOAD_DYLIB) runs. So the darwin runtime can keep raw svc 0x80.
4. Chained fixups are not required. A classic LC_DYLD_INFO_ONLY clang binary runs.
5. PIE is mandatory. The system linker refuses to emit a non-PIE arm64 main
   (-no_pie ignored for arm64*). mach emits a non-PIE, fixed-absolute-address image
   (__TEXT at 0xfffff000, empty rebase stream, absolute addressing) — the shape the
   kernel SIGKILLs.

Minimum runnable shape: a genuine PIE Mach-O (MH_PIE + position-independent
addressing + a rebase stream for in-image absolute pointers) with LC_MAIN,
LC_BUILD_VERSION(macOS), LC_UUID, and LC_LOAD_DYLINKER (/usr/lib/dyld).
classic LC_DYLD_INFO rebase is fine; raw svc stays; no libSystem dependency needed
(dyld-linked with zero dylibs, like clang -nostdlib, runs).

Sized scope

mach (codegen/link) — LARGE. Emit a real PIE dyld image:

• assign segment vaddrs at a relocatable PIE base + set MH_PIE; fix the __PAGEZERO/__TEXT
  layout (today __TEXT is mapped at 0xfffff000, below the base).
• emit LC_MAIN (file-offset entry), LC_BUILD_VERSION, LC_UUID (all prototyped on the branch).
• rebase stream (classic LC_DYLD_INFO rebase opcodes) for every in-image absolute
  pointer — global addresses, vtable function pointers, absolute data relocations. This is
  the dominant cost: the linker must collect intra-image absolute relocations as rebase
  records instead of baking final absolute values. arm64 TEXT refs are already PC-relative
  (adrp/adr/br), so the work is concentrated in absolute data pointers.
• route the darwin self-host through the PIE dyn-exec writer instead of emit_exec. The
  compiler has no external imports, so it can be dyld-linked with zero dylibs (no stubs/
  got/bind needed) — only the rebase stream + load commands.

mach-std (os:darwin) — SMALL. Keep raw svc (no libSystem routing). The only required
change is the entry: PIE mains use LC_MAIN, so the darwin arm64 _start must take the
LC_MAIN register convention (x0=argc, x1=argv, x2=envp) instead of the current
LC_UNIXTHREAD stack convention ([sp]=argc).

Recommendation

The blocker is real; the fix is large but well-bounded and standard ("emit a normal PIE
Mach-O"). Good news vs the epic's worst case: syscalls stay raw (no libSystem wrappers), no
chained fixups, and no libSystem dependency — so the mach-std scope collapses to a tiny
entry change and the cost is the mach-side PIE + rebase infrastructure. Options: (1) commit
to the PIE dyn-exec work (unblocks #1680 aarch64 + #1716); (2) ship x86_64-darwin interim
(tolerates static images) and schedule the PIE work; (3) shelve darwin as cross-compile-only.
Recommend (1) when arm64 self-host is wanted, else (2) to keep darwin moving.

Experiment branch invel/1718-scope / PR #1721 are throwaway (not for merge); cd.yml is
repurposed there only as the dispatch vehicle and the real release cd.yml on dev is untouched.