Merge pull request #27879 from obsidiansystems/cc-wrapper-shellcheck

cc-wrapper: Pass shellcheck and other cleanups

9 files changed, 195 insertions, 161 deletions

diff --git a/pkgs/build-support/cc-wrapper/add-flags.sh b/pkgs/build-support/cc-wrapper/add-flags.sh
index 5634c82aa28..1edfe8bfc75 100644
--- a/pkgs/build-support/cc-wrapper/add-flags.sh
+++ b/pkgs/build-support/cc-wrapper/add-flags.sh
@@ -1,28 +1,37 @@
 # `-B@out@/bin' forces cc to use ld-wrapper.sh when calling ld.
 export NIX_CFLAGS_COMPILE="-B@out@/bin/ $NIX_CFLAGS_COMPILE"
 
+# Export and assign separately in order that a failing $(..) will fail
+# the script.
+
 if [ -e @out@/nix-support/libc-cflags ]; then
-    export NIX_CFLAGS_COMPILE="$(cat @out@/nix-support/libc-cflags) $NIX_CFLAGS_COMPILE"
+    export NIX_CFLAGS_COMPILE
+    NIX_CFLAGS_COMPILE="$(< @out@/nix-support/libc-cflags) $NIX_CFLAGS_COMPILE"
 fi
 
 if [ -e @out@/nix-support/cc-cflags ]; then
-    export NIX_CFLAGS_COMPILE="$(cat @out@/nix-support/cc-cflags) $NIX_CFLAGS_COMPILE"
+    export NIX_CFLAGS_COMPILE
+    NIX_CFLAGS_COMPILE="$(< @out@/nix-support/cc-cflags) $NIX_CFLAGS_COMPILE"
 fi
 
 if [ -e @out@/nix-support/gnat-cflags ]; then
-    export NIX_GNATFLAGS_COMPILE="$(cat @out@/nix-support/gnat-cflags) $NIX_GNATFLAGS_COMPILE"
+    export NIX_GNATFLAGS_COMPILE
+    NIX_GNATFLAGS_COMPILE="$(< @out@/nix-support/gnat-cflags) $NIX_GNATFLAGS_COMPILE"
 fi
 
 if [ -e @out@/nix-support/libc-ldflags ]; then
-    export NIX_LDFLAGS+=" $(cat @out@/nix-support/libc-ldflags)"
+    export NIX_LDFLAGS
+    NIX_LDFLAGS+=" $(< @out@/nix-support/libc-ldflags)"
 fi
 
 if [ -e @out@/nix-support/cc-ldflags ]; then
-    export NIX_LDFLAGS+=" $(cat @out@/nix-support/cc-ldflags)"
+    export NIX_LDFLAGS
+    NIX_LDFLAGS+=" $(< @out@/nix-support/cc-ldflags)"
 fi
 
 if [ -e @out@/nix-support/libc-ldflags-before ]; then
-    export NIX_LDFLAGS_BEFORE="$(cat @out@/nix-support/libc-ldflags-before) $NIX_LDFLAGS_BEFORE"
+    export NIX_LDFLAGS_BEFORE
+    NIX_LDFLAGS_BEFORE="$(< @out@/nix-support/libc-ldflags-before) $NIX_LDFLAGS_BEFORE"
 fi
 
 export NIX_CC_WRAPPER_FLAGS_SET=1
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index b98833b3513..c91ff0a9d0b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -1,18 +1,32 @@
 hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
-hardeningFlags+=("${hardeningEnable[@]}")
+# Intentionally word-split in case 'hardeningEnable' is defined in Nix.
+hardeningFlags+=(${hardeningEnable[@]})
 hardeningCFlags=()
 hardeningLDFlags=()
-hardeningDisable=${hardeningDisable:-""}
 
-hardeningDisable+=" @hardening_unsupported_flags@"
+declare -A hardeningDisableMap
 
-if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
+# Intentionally word-split in case 'hardeningDisable' is defined in Nix. The
+# array expansion also prevents undefined variables from causing trouble with
+# `set -u`.
+for flag in ${hardeningDisable[@]} @hardening_unsupported_flags@
+do
+  hardeningDisableMap[$flag]=1
+done
 
-if [[ ! $hardeningDisable =~ "all" ]]; then
-  if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
+if [[ -n "$NIX_DEBUG" ]]; then
+  printf 'HARDENING: disabled flags:' >&2
+  (( "${#hardeningDisableMap[@]}" )) && printf ' %q' "${!hardeningDisableMap[@]}" >&2
+  echo >&2
+fi
+
+if [[ -z "${hardeningDisableMap[all]}" ]]; then
+  if [[ -n "$NIX_DEBUG" ]]; then
+    echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2;
+  fi
   for flag in "${hardeningFlags[@]}"
   do
-    if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
+    if [[ -z "${hardeningDisableMap[$flag]}" ]]; then
       case $flag in
         fortify)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
@@ -20,7 +34,7 @@ if [[ ! $hardeningDisable =~ "all" ]]; then
           ;;
         stackprotector)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
-          hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
+          hardeningCFlags+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
           ;;
         pie)
           if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 99eb63f40ed..96655656607 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -1,7 +1,14 @@
-#! @shell@ -e
+#! @shell@
+set -e -o pipefail
+shopt -s nullglob
+
 path_backup="$PATH"
-if [ -n "@coreutils_bin@" ]; then
-  PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
+
+# That @-vars are substituted separately from bash evaluation makes
+# shellcheck think this, and others like it, are useless conditionals.
+# shellcheck disable=SC2157
+if [[ -n "@coreutils_bin@" && -n "@gnugrep_bin@" ]]; then
+    PATH="@coreutils_bin@/bin:@gnugrep_bin@/bin"
 fi
 
 if [ -n "$NIX_CC_WRAPPER_START_HOOK" ]; then
@@ -19,16 +26,17 @@ source @out@/nix-support/utils.sh
 # For instance, figure out if linker flags should be passed.
 # GCC prints annoying warnings when they are not needed.
 dontLink=0
-getVersion=0
 nonFlagArgs=0
+# shellcheck disable=SC2193
 [[ "@prog@" = *++ ]] && isCpp=1 || isCpp=0
 cppInclude=1
 
 expandResponseParams "$@"
-n=0
-while [ $n -lt ${#params[*]} ]; do
+declare -i n=0
+nParams=${#params[@]}
+while [ "$n" -lt "$nParams" ]; do
     p=${params[n]}
-    p2=${params[$((n+1))]}
+    p2=${params[n+1]}
     if [ "$p" = -c ]; then
         dontLink=1
     elif [ "$p" = -S ]; then
@@ -55,10 +63,10 @@ while [ $n -lt ${#params[*]} ]; do
         nonFlagArgs=1
     elif [ "$p" = -m32 ]; then
         if [ -e @out@/nix-support/dynamic-linker-m32 ]; then
-            NIX_LDFLAGS+=" -dynamic-linker $(cat @out@/nix-support/dynamic-linker-m32)"
+            NIX_LDFLAGS+=" -dynamic-linker $(< @out@/nix-support/dynamic-linker-m32)"
         fi
     fi
-    n=$((n + 1))
+    n+=1
 done
 
 # If we pass a flag like -Wl, then gcc will call the linker unless it
@@ -71,26 +79,27 @@ if [ "$nonFlagArgs" = 0 ]; then
 fi
 
 # Optionally filter out paths not refering to the store.
-if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
+if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
     rest=()
-    n=0
-    while [ $n -lt ${#params[*]} ]; do
+    nParams=${#params[@]}
+    declare -i n=0
+    while [ "$n" -lt "$nParams" ]; do
         p=${params[n]}
-        p2=${params[$((n+1))]}
+        p2=${params[n+1]}
         if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
-            skip $p
+            skip "${p:2}"
         elif [ "$p" = -L ] && badPath "$p2"; then
-            n=$((n + 1)); skip $p2
+            n+=1; skip "$p2"
         elif [ "${p:0:3}" = -I/ ] && badPath "${p:2}"; then
-            skip $p
+            skip "${p:2}"
         elif [ "$p" = -I ] && badPath "$p2"; then
-            n=$((n + 1)); skip $p2
+            n+=1; skip "$p2"
         elif [ "$p" = -isystem ] && badPath "$p2"; then
-            n=$((n + 1)); skip $p2
+            n+=1; skip "$p2"
         else
             rest+=("$p")
         fi
-        n=$((n + 1))
+        n+=1
     done
     params=("${rest[@]}")
 fi
@@ -99,11 +108,11 @@ fi
 # Clear march/mtune=native -- they bring impurity.
 if [ "$NIX_ENFORCE_NO_NATIVE" = 1 ]; then
     rest=()
-    for i in "${params[@]}"; do
-        if [[ "$i" = -m*=native ]]; then
-            skip $i
+    for p in "${params[@]}"; do
+        if [[ "$p" = -m*=native ]]; then
+            skip "$p"
         else
-            rest+=("$i")
+            rest+=("$p")
         fi
     done
     params=("${rest[@]}")
@@ -116,23 +125,22 @@ if [[ "$isCpp" = 1 ]]; then
     NIX_CFLAGS_LINK+=" $NIX_CXXSTDLIB_LINK"
 fi
 
-LD=@ldPath@/ld
 source @out@/nix-support/add-hardening.sh
 
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
+extraAfter=($NIX_CFLAGS_COMPILE "${hardeningCFlags[@]}")
 extraBefore=()
 
 if [ "$dontLink" != 1 ]; then
 
     # Add the flags that should only be passed to the compiler when
     # linking.
-    extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
+    extraAfter+=($NIX_CFLAGS_LINK "${hardeningLDFlags[@]}")
 
     # Add the flags that should be passed to the linker (and prevent
     # `ld-wrapper' from adding NIX_LDFLAGS again).
     for i in $NIX_LDFLAGS_BEFORE; do
-        extraBefore=(${extraBefore[@]} "-Wl,$i")
+        extraBefore+=("-Wl,$i")
     done
     for i in $NIX_LDFLAGS; do
         if [ "${i:0:3}" = -L/ ]; then
@@ -155,18 +163,12 @@ fi
 
 # Optionally print debug info.
 if [ -n "$NIX_DEBUG" ]; then
-  echo "original flags to @prog@:" >&2
-  for i in "${params[@]}"; do
-      echo "  $i" >&2
-  done
-  echo "extraBefore flags to @prog@:" >&2
-  for i in ${extraBefore[@]}; do
-      echo "  $i" >&2
-  done
-  echo "extraAfter flags to @prog@:" >&2
-  for i in ${extraAfter[@]}; do
-      echo "  $i" >&2
-  done
+    echo "extra flags before to @prog@:" >&2
+    printf "  %q\n" "${extraBefore[@]}"  >&2
+    echo "original flags to @prog@:" >&2
+    printf "  %q\n" "${params[@]}" >&2
+    echo "extra flags after to @prog@:" >&2
+    printf "  %q\n" "${extraAfter[@]}" >&2
 fi
 
 if [ -n "$NIX_CC_WRAPPER_EXEC_HOOK" ]; then
@@ -174,4 +176,4 @@ if [ -n "$NIX_CC_WRAPPER_EXEC_HOOK" ]; then
 fi
 
 PATH="$path_backup"
-exec @prog@ ${extraBefore[@]} "${params[@]}" "${extraAfter[@]}"
+exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
index 0d74527dd8a..dd97a07bd19 100644
--- a/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/gnat-wrapper.sh
@@ -1,7 +1,13 @@
-#! @shell@ -e
+#! @shell@
+set -e -o pipefail
+shopt -s nullglob
+
 path_backup="$PATH"
+
+# phase separation makes this look useless
+# shellcheck disable=SC2157
 if [ -n "@coreutils_bin@" ]; then
-  PATH="@coreutils_bin@/bin"
+    PATH="@coreutils_bin@/bin"
 fi
 
 if [ -n "$NIX_GNAT_WRAPPER_START_HOOK" ]; then
@@ -18,7 +24,6 @@ source @out@/nix-support/utils.sh
 # Figure out if linker flags should be passed.  GCC prints annoying
 # warnings when they are not needed.
 dontLink=0
-getVersion=0
 nonFlagArgs=0
 
 for i in "$@"; do
@@ -30,7 +35,7 @@ for i in "$@"; do
         nonFlagArgs=1
     elif [ "$i" = -m32 ]; then
         if [ -e @out@/nix-support/dynamic-linker-m32 ]; then
-            NIX_LDFLAGS="$NIX_LDFLAGS -dynamic-linker $(cat @out@/nix-support/dynamic-linker-m32)"
+            NIX_LDFLAGS+=" -dynamic-linker $(< @out@/nix-support/dynamic-linker-m32)"
         fi
     fi
 done
@@ -47,24 +52,20 @@ fi
 
 # Optionally filter out paths not refering to the store.
 params=("$@")
-if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
+if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE" ]]; then
     rest=()
-    n=0
-    while [ $n -lt ${#params[*]} ]; do
-        p=${params[n]}
-        p2=${params[$((n+1))]}
+    for p in "${params[@]}"; do
         if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
-            skip $p
+            skip "${p:2}"
         elif [ "${p:0:3}" = -I/ ] && badPath "${p:2}"; then
-            skip $p
+            skip "${p:2}"
         elif [ "${p:0:4}" = -aI/ ] && badPath "${p:3}"; then
-            skip $p
+            skip "${p:2}"
         elif [ "${p:0:4}" = -aO/ ] && badPath "${p:3}"; then
-            skip $p
+            skip "${p:2}"
         else
             rest+=("$p")
         fi
-        n=$((n + 1))
     done
     params=("${rest[@]}")
 fi
@@ -73,11 +74,11 @@ fi
 # Clear march/mtune=native -- they bring impurity.
 if [ "$NIX_ENFORCE_NO_NATIVE" = 1 ]; then
     rest=()
-    for i in "${params[@]}"; do
-        if [[ "$i" = -m*=native ]]; then
-            skip $i
+    for p in "${params[@]}"; do
+        if [[ "$p" = -m*=native ]]; then
+            skip "$p"
         else
-            rest+=("$i")
+            rest+=("$p")
         fi
     done
     params=("${rest[@]}")
@@ -88,30 +89,34 @@ fi
 extraAfter=($NIX_GNATFLAGS_COMPILE)
 extraBefore=()
 
-if [ "`basename $0`x" = "gnatmakex" ]; then
-  extraBefore=("--GNATBIND=@out@/bin/gnatbind --GNATLINK=@out@/bin/gnatlink ")
+if [ "$(basename "$0")x" = "gnatmakex" ]; then
+  extraBefore=("--GNATBIND=@out@/bin/gnatbind" "--GNATLINK=@out@/bin/gnatlink ")
 fi
 
-# Add the flags that should be passed to the linker (and prevent
-# `ld-wrapper' from adding NIX_LDFLAGS again).
-#for i in $NIX_LDFLAGS_BEFORE; do
-#    extraBefore=(${extraBefore[@]} "-largs $i")
-#done
+#if [ "$dontLink" != 1 ]; then
+#    # Add the flags that should be passed to the linker (and prevent
+#    # `ld-wrapper' from adding NIX_LDFLAGS again).
+#    for i in $NIX_LDFLAGS_BEFORE; do
+#        extraBefore+=("-largs" "$i")
+#    done
+#    for i in $NIX_LDFLAGS; do
+#        if [ "${i:0:3}" = -L/ ]; then
+#            extraAfter+=("$i")
+#        else
+#            extraAfter+=("-largs" "$i")
+#        fi
+#    done
+#    export NIX_LDFLAGS_SET=1
+#fi
 
 # Optionally print debug info.
 if [ -n "$NIX_DEBUG" ]; then
-  echo "original flags to @prog@:" >&2
-  for i in "${params[@]}"; do
-      echo "  $i" >&2
-  done
-  echo "extraBefore flags to @prog@:" >&2
-  for i in ${extraBefore[@]}; do
-      echo "  $i" >&2
-  done
-  echo "extraAfter flags to @prog@:" >&2
-  for i in ${extraAfter[@]}; do
-      echo "  $i" >&2
-  done
+    echo "extra flags before to @prog@:" >&2
+    printf "  %q\n" "${extraBefore[@]}"  >&2
+    echo "original flags to @prog@:" >&2
+    printf "  %q\n" "${params[@]}" >&2
+    echo "extra flags after to @prog@:" >&2
+    printf "  %q\n" "${extraAfter[@]}" >&2
 fi
 
 if [ -n "$NIX_GNAT_WRAPPER_EXEC_HOOK" ]; then
@@ -119,4 +124,4 @@ if [ -n "$NIX_GNAT_WRAPPER_EXEC_HOOK" ]; then
 fi
 
 PATH="$path_backup"
-exec @prog@ ${extraBefore[@]} "${params[@]}" ${extraAfter[@]}
+exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh b/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
index c9958dbbb41..3c1a805c3fa 100644
--- a/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/gnatlink-wrapper.sh
@@ -1,33 +1,37 @@
-#! @shell@ -e
+#! @shell@
+set -e -o pipefail
+shopt -s nullglob
 
 # Add the flags for the GNAT compiler proper.
-extraAfter="--GCC=@out@/bin/gcc"
+extraAfter=("--GCC=@out@/bin/gcc")
 extraBefore=()
 
-# Add the flags that should be passed to the linker (and prevent
-# `ld-wrapper' from adding NIX_LDFLAGS again).
+## Add the flags that should be passed to the linker (and prevent
+## `ld-wrapper' from adding NIX_LDFLAGS again).
 #for i in $NIX_LDFLAGS_BEFORE; do
-#    extraBefore=(${extraBefore[@]} "-largs $i")
+#    extraBefore+=("-largs" "$i")
 #done
+#for i in $NIX_LDFLAGS; do
+#    if [ "${i:0:3}" = -L/ ]; then
+#        extraAfter+=("$i")
+#    else
+#        extraAfter+=("-largs" "$i")
+#    fi
+#done
+#export NIX_LDFLAGS_SET=1
 
 # Optionally print debug info.
 if [ -n "$NIX_DEBUG" ]; then
-  echo "original flags to @prog@:" >&2
-  for i in "$@"; do
-      echo "  $i" >&2
-  done
-  echo "extraBefore flags to @prog@:" >&2
-  for i in ${extraBefore[@]}; do
-      echo "  $i" >&2
-  done
-  echo "extraAfter flags to @prog@:" >&2
-  for i in ${extraAfter[@]}; do
-      echo "  $i" >&2
-  done
+    echo "extra flags before to @prog@:" >&2
+    printf "  %q\n" "${extraBefore[@]}"  >&2
+    echo "original flags to @prog@:" >&2
+    printf "  %q\n" "$@" >&2
+    echo "extra flags after to @prog@:" >&2
+    printf "  %q\n" "${extraAfter[@]}" >&2
 fi
 
 if [ -n "$NIX_GNAT_WRAPPER_EXEC_HOOK" ]; then
     source "$NIX_GNAT_WRAPPER_EXEC_HOOK"
 fi
 
-exec @prog@ ${extraBefore[@]} "$@" ${extraAfter[@]}
+exec @prog@ "${extraBefore[@]}" "$@" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh
index 263ea5408e9..72c999ff8bc 100755
--- a/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-solaris-wrapper.sh
@@ -1,40 +1,25 @@
 #!@shell@
+set -eu -o pipefail
+shopt -s nullglob
 
-set -e
-set -u
-
+declare -a args=("$@")
 # I've also tried adding -z direct and -z lazyload, but it gave too many problems with C++ exceptions :'(
 # Also made sure libgcc would not be lazy-loaded, as suggested here: https://www.illumos.org/issues/2534#note-3
 #   but still no success.
-cmd="@ld@ -z ignore"
-
-args=("$@");
+declare -a argsBefore=(-z ignore) argsAfter=()
 
 # This loop makes sure all -L arguments are before -l arguments, or ld may complain it cannot find a library.
 # GNU binutils does not have this problem:
 #   http://stackoverflow.com/questions/5817269/does-the-order-of-l-and-l-options-in-the-gnu-linker-matter
-i=0;
-while [[ $i -lt $# ]]; do
+while (( $# )); do
     case "${args[$i]}" in
-        -L)  cmd="$cmd ${args[$i]} ${args[($i+1)]}"; i=($i+1); ;;
-        -L*) cmd="$cmd ${args[$i]}" ;;
-        *)   ;;
+        -L)   argsBefore+=("$1" "$2"); shift ;;
+        -L?*) argsBefore+=("$1") ;;
+        *)    argsAfter+=("$1") ;;
     esac
-    i=($i+1);
-done
-
-i=0;
-while [[ $i -lt $# ]]; do
-    case "${args[$i]}" in
-        -L)  i=($i+1); ;;
-        -L*) ;;
-        *)   cmd="$cmd ${args[$i]}" ;;
-    esac
-    i=($i+1);
+    shift
 done
 
 # Trace:
 set -x
-exec $cmd
-
-exit 0
+exec "@ld@" "${argsBefore[@]}" "${argsAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
index 72c0be304ac..6ee66b0e3f2 100644
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -1,8 +1,13 @@
-#! @shell@ -e
+#! @shell@
+set -e -o pipefail
 shopt -s nullglob
+
 path_backup="$PATH"
+
+# phase separation makes this look useless
+# shellcheck disable=SC2157
 if [ -n "@coreutils_bin@" ]; then
-  PATH="@coreutils_bin@/bin"
+    PATH="@coreutils_bin@/bin"
 fi
 
 if [ -n "$NIX_LD_WRAPPER_START_HOOK" ]; then
@@ -18,14 +23,14 @@ source @out@/nix-support/utils.sh
 
 # Optionally filter out paths not refering to the store.
 expandResponseParams "$@"
-if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
-        -a \( -z "$NIX_IGNORE_LD_THROUGH_GCC" -o -z "$NIX_LDFLAGS_SET" \) ]; then
+if [[ "$NIX_ENFORCE_PURITY" = 1 && -n "$NIX_STORE"
+        && ( -z "$NIX_IGNORE_LD_THROUGH_GCC" || -z "$NIX_LDFLAGS_SET" ) ]]; then
     rest=()
     nParams=${#params[@]}
     declare -i n=0
-    while [ $n -lt $nParams ]; do
+    while [ "$n" -lt "$nParams" ]; do
         p=${params[n]}
-        p2=${params[$((n+1))]}
+        p2=${params[n+1]}
         if [ "${p:0:3}" = -L/ ] && badPath "${p:2}"; then
             skip "${p:2}"
         elif [ "$p" = -L ] && badPath "$p2"; then
@@ -49,18 +54,17 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
     params=("${rest[@]}")
 fi
 
-LD=@prog@
 source @out@/nix-support/add-hardening.sh
 
-extra=("${hardeningLDFlags[@]}")
+extraAfter=("${hardeningLDFlags[@]}")
 extraBefore=()
 
 if [ -z "$NIX_LDFLAGS_SET" ]; then
-    extra+=($NIX_LDFLAGS)
+    extraAfter+=($NIX_LDFLAGS)
     extraBefore+=($NIX_LDFLAGS_BEFORE)
 fi
 
-extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
+extraAfter+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
 
 declare -a libDirs
 declare -A libs
@@ -69,7 +73,7 @@ relocatable=
 # Find all -L... switches for rpath, and relocatable flags for build id.
 if [ "$NIX_DONT_SET_RPATH" != 1 ] || [ "$NIX_SET_BUILD_ID" = 1 ]; then
     prev=
-    for p in "${params[@]}" "${extra[@]}"; do
+    for p in "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"; do
         case "$prev" in
             -L)
                 libDirs+=("$p")
@@ -127,7 +131,7 @@ if [ "$NIX_DONT_SET_RPATH" != 1 ]; then
                 libs["$file"]=
                 if [ ! "${rpaths[$dir]}" ]; then
                     rpaths["$dir"]=1
-                    extra+=(-rpath "$dir")
+                    extraAfter+=(-rpath "$dir")
                 fi
             fi
         done
@@ -138,16 +142,18 @@ fi
 # Only add --build-id if this is a final link. FIXME: should build gcc
 # with --enable-linker-build-id instead?
 if [ "$NIX_SET_BUILD_ID" = 1 ] && [ ! "$relocatable" ]; then
-    extra+=(--build-id)
+    extraAfter+=(--build-id)
 fi
 
 
 # Optionally print debug info.
 if [ -n "$NIX_DEBUG" ]; then
+    echo "extra flags before to @prog@:" >&2
+    printf "  %q\n" "${extraBefore[@]}"  >&2
     echo "original flags to @prog@:" >&2
     printf "  %q\n" "${params[@]}" >&2
-    echo "extra flags to @prog@:" >&2
-    printf "  %q\n" "${extraBefore[@]}" "${extra[@]}" >&2
+    echo "extra flags after to @prog@:" >&2
+    printf "  %q\n" "${extraAfter[@]}" >&2
 fi
 
 if [ -n "$NIX_LD_WRAPPER_EXEC_HOOK" ]; then
@@ -155,4 +161,4 @@ if [ -n "$NIX_LD_WRAPPER_EXEC_HOOK" ]; then
 fi
 
 PATH="$path_backup"
-exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extra[@]}"
+exec @prog@ "${extraBefore[@]}" "${params[@]}" "${extraAfter[@]}"
diff --git a/pkgs/build-support/cc-wrapper/setup-hook.sh b/pkgs/build-support/cc-wrapper/setup-hook.sh
index 104b82425f2..2bf507ce8df 100644
--- a/pkgs/build-support/cc-wrapper/setup-hook.sh
+++ b/pkgs/build-support/cc-wrapper/setup-hook.sh
@@ -1,45 +1,50 @@
 addCVars () {
-    if [ -d $1/include ]; then
+    if [[ -d "$1/include" ]]; then
         export NIX_CFLAGS_COMPILE+=" ${ccIncludeFlag:--isystem} $1/include"
     fi
 
-    if [ -d $1/lib64 -a ! -L $1/lib64 ]; then
+    if [[ -d "$1/lib64" && ! -L "$1/lib64" ]]; then
         export NIX_LDFLAGS+=" -L$1/lib64"
     fi
 
-    if [ -d $1/lib ]; then
+    if [[ -d "$1/lib" ]]; then
         export NIX_LDFLAGS+=" -L$1/lib"
     fi
 
-    if test -d $1/Library/Frameworks; then
-        export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -F$1/Library/Frameworks"
+    if [[ -d "$1/Library/Frameworks" ]]; then
+        export NIX_CFLAGS_COMPILE+=" -F$1/Library/Frameworks"
     fi
 }
 
 envHooks+=(addCVars)
 
-# Note: these come *after* $out in the PATH (see setup.sh).
+# Note 1: these come *after* $out in the PATH (see setup.sh).
+# Note 2: phase separation makes this look useless to shellcheck.
 
+# shellcheck disable=SC2157
 if [ -n "@cc@" ]; then
     addToSearchPath _PATH @cc@/bin
 fi
 
+# shellcheck disable=SC2157
 if [ -n "@binutils_bin@" ]; then
     addToSearchPath _PATH @binutils_bin@/bin
 fi
 
+# shellcheck disable=SC2157
 if [ -n "@libc_bin@" ]; then
     addToSearchPath _PATH @libc_bin@/bin
 fi
 
+# shellcheck disable=SC2157
 if [ -n "@coreutils_bin@" ]; then
     addToSearchPath _PATH @coreutils_bin@/bin
 fi
 
-if [ -z "$crossConfig" ]; then
-  ENV_PREFIX=""
+if [ -z "${crossConfig:-}" ]; then
+    ENV_PREFIX=""
 else
-  ENV_PREFIX="BUILD_"
+    ENV_PREFIX="BUILD_"
 fi
 
 export NIX_${ENV_PREFIX}CC=@out@
diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
index 87e48da9c8d..267044b2c4f 100644
--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ b/pkgs/build-support/cc-wrapper/utils.sh
@@ -24,11 +24,15 @@ badPath() {
 }
 
 expandResponseParams() {
-    params=("$@")
+    declare -g params=("$@")
     local arg
     for arg in "$@"; do
         if [[ "$arg" == @* ]]; then
+            # phase separation makes this look useless
+            # shellcheck disable=SC2157
             if [ -n "@expandResponseParams@" ]; then
+                # params is used by caller
+                #shellcheck disable=SC2034
                 readarray -d '' params < <("@expandResponseParams@" "$@")
                 return 0
             else