Absolute CI build paths in release binaries cause GraalVM Native Image build failures (DetectUserDirectoriesInImageHeap) #302
Description
Thank you for making this library!
I am currently embedding JWM into a GraalVM Native Image project. However, the native image compilation fails when using the default security checks because the pre-compiled JWM native libraries (e.g., libjwm_arm64.dylib) contain absolute file paths from the GitHub Actions build runners.
The Problem:
When GraalVM includes the JWM .dylib as a resource in the image heap, its static analyzer scans the byte array and detects the /Users/runner/work/... path. This triggers GraalVM's DetectUserDirectoriesInImageHeap check, resulting in a fatal build error:
Fatal error: com.oracle.graal.pointsto.constraints.UnsupportedFeatureException: Detected a byte[] in the image heap that contains a user directory. This means that file system information from the native image build is persisted and available at image runtime, which is most likely an error.
Disallowed substring with user directory: /Users/runner
Looking at a hex dump of the macOS ARM64 dylib, the absolute paths are clearly visible in the __cstring section (likely generated by __FILE__ macros in assert() or logging statements):
/Users/runner/work/JWM/JWM/macos/cc/LayerGL.mm
/Users/runner/work/JWM/JWM/macos/cc/LayerMetal.mm
The Root Cause:
Because the C++ code is compiled on GitHub Actions without path mapping, the __FILE__ macro resolves to the absolute path of the runner, baking that path permanently into the compiled release binaries.
Suggested Solution:
Could you add the -ffile-prefix-map (or -fmacro-prefix-map) flag to the C++ compiler flags (CXXFLAGS) in your build scripts?
For example, adding something like:
-ffile-prefix-map=$(GITHUB_WORKSPACE)=.
This will instruct the compiler to replace the absolute CI paths with relative paths, making the builds reproducible, keeping the binaries clean, and completely resolving the GraalVM Native Image crash.
Current Workaround:
I am currently working around this by passing -H:-DetectUserDirectoriesInImageHeap to the native-image builder, but it would be great to have the binaries scrubbed of local CI paths so downstream users can keep this GraalVM security check enabled.
Thank you for your time!