bazel/cranelift: make build scripts produce deterministic output

Patch cranelift-codegen and cranelift-assembler-x64 build scripts to
emit relative paths in generated source files instead of absolute
OUT_DIR paths. Without this, sandbox-specific absolute paths leak into
compiled string literals, breaking byte-for-byte reproducibility.

The cranelift-codegen issue is fixed upstream on main by 0694bba38
("Strip prefixes in file names") but not in any released version yet.

Author: travisdowns

MODULE.bazel

@@ -380,6 +380,20 @@ crate.annotation(
     extra_aliased_targets = {"wasmtime_c": "wasmtime_c"},
     gen_build_script = "off",
 )
+
+# CORE-16110: make cranelift build scripts produce deterministic output.
+# The cranelift-codegen patch can be removed after upgrading to a wasmtime
+# version that includes 0694bba38 ("Strip prefixes in file names").
+crate.annotation(
+    crate = "cranelift-codegen",
+    patch_args = ["-p1"],
+    patches = ["//bazel/thirdparty:cranelift-codegen-reproducible.patch"],
+)
+crate.annotation(
+    crate = "cranelift-assembler-x64",
+    patch_args = ["-p1"],
+    patches = ["//bazel/thirdparty:cranelift-assembler-x64-reproducible.patch"],
+)
 use_repo(crate, "crates")
 
 # ====================================

MODULE.bazel.lock

@@ -0,0 +1,46 @@
+--- a/build.rs	2026-04-15 18:44:30.930898497 -0400
++++ b/build.rs	2026-04-15 18:44:46.447314373 -0400
+@@ -2,7 +2,33 @@
+ use std::env;
+ use std::fs::File;
+ use std::io::Write;
+-use std::path::Path;
++use std::path::{Path, PathBuf};
++
++/// Compute a relative path from the current directory to `p` so that
++/// paths embedded in generated code are deterministic across sandbox
++/// instances (e.g. in Bazel builds).
++fn relative_from_cwd(p: &Path) -> PathBuf {
++    let cwd = match std::env::current_dir().and_then(|d| d.canonicalize()) {
++        Ok(d) => d,
++        Err(_) => return p.to_path_buf(),
++    };
++    let abs_p = match p.canonicalize() {
++        Ok(a) => a,
++        Err(_) => return p.to_path_buf(),
++    };
++    let common = cwd.components()
++        .zip(abs_p.components())
++        .take_while(|(a, b)| a == b)
++        .count();
++    let mut rel = PathBuf::new();
++    for _ in 0..(cwd.components().count() - common) {
++        rel.push("..");
++    }
++    for comp in abs_p.components().skip(common) {
++        rel.push(comp);
++    }
++    rel
++}
+ 
+ fn main() {
+     println!("cargo:rerun-if-changed=build.rs");
+@@ -16,7 +42,7 @@
+     let mut vec_of_built_files = File::create(out_dir.join("generated-files.rs")).unwrap();
+     writeln!(vec_of_built_files, "vec![").unwrap();
+     for file in &built_files {
+-        writeln!(vec_of_built_files, "  {:?}.into(),", file.display()).unwrap();
++        writeln!(vec_of_built_files, "  {:?}.into(),", relative_from_cwd(file).display()).unwrap();
+     }
+     writeln!(vec_of_built_files, "]").unwrap();
+ }

bazel/thirdparty/cranelift-assembler-x64-reproducible.patch

@@ -0,0 +1,30 @@
+--- a/build.rs
++++ b/build.rs
+@@ -144,6 +144,27 @@
+ ) -> std::path::PathBuf {
+     if let Ok(suffix) = filename.strip_prefix(&cur_dir) {
+         suffix.to_path_buf()
++    } else if let (Ok(abs_cur), Ok(abs_file)) =
++        (cur_dir.canonicalize(), filename.canonicalize())
++    {
++        // In sandboxed builds (e.g. Bazel), cur_dir and filename may not
++        // share a direct prefix even though they share a common ancestor.
++        // Compute a relative path via "../" to keep generated source
++        // deterministic across different sandbox instances.
++        let common = abs_cur
++            .components()
++            .zip(abs_file.components())
++            .take_while(|(a, b)| a == b)
++            .count();
++        let ups = abs_cur.components().count() - common;
++        let mut rel = std::path::PathBuf::new();
++        for _ in 0..ups {
++            rel.push("..");
++        }
++        for comp in abs_file.components().skip(common) {
++            rel.push(comp);
++        }
++        rel
+     } else {
+         filename.to_path_buf()
+     }