Bumping toolchains #2037
nicolasnoble commented Jun 17, 2026
- binutils to 2.46.1
- gcc to 16.1.0
- gdb to 17.2
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
Bumps the MIPS cross-toolchain versions across all platform artifacts: GCC from 15.2.0 to 16.1.0, binutils from 2.45 to 2.46.1, and GDB from 16.3 to 17.2. Updates Linux shell scripts, macOS Homebrew formulas, Windows Dockerfiles, the VSCode extension (version 0.4.1), and documentation.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/mips/psyqo/GETTING_STARTED.md`:
- Around line 111-118: The description lines for the build options (Release,
Debug, SmallDebug, and LTO) are not properly indented in the Markdown list. Each
explanation text that follows a build option line needs to be indented with
additional spaces to be recognized as part of the list item rather than separate
paragraphs. Indent all the descriptive text lines following each build option to
align them properly with the list structure.
In `@tools/linux-mips/spawn-compiler.sh`:
- Line 21: The PREFIX variable expansion in the configure command is unquoted,
which can cause word splitting and globbing issues when the path contains
spaces. Quote the PREFIX variable by changing $PREFIX to "$PREFIX" in the
configure command invocation on line 21 and also apply the same fix to line 34
where PREFIX is used elsewhere to ensure the path is treated as a single
argument regardless of spaces or special characters.
- Around line 16-30: The script downloads binutils-2.46.1.tar.gz and
gcc-16.1.0.tar.gz from external mirrors without verifying checksums or
signatures before extraction, creating a supply chain security risk. For each
tarball download loop (both binutils and gcc sections), after the wget command
succeeds and before the corresponding tar xvfz extraction command, add steps to
download the checksum file (sha256 or sha512) from the same mirror URL, verify
the downloaded tarball against that checksum using sha256sum or sha512sum, and
only proceed with the tar extraction if the checksum verification passes. If
verification fails, the script should exit with an error rather than continuing.
In `@tools/win32-gdb/Dockerfile`:
- Line 48: The GDB source download in the RUN command uses Invoke-WebRequest
without validating the integrity of the downloaded archive. Add SHA256 checksum
validation between the Invoke-WebRequest download step and the archive
extraction steps. Retrieve the official GNU GDB SHA256 checksum for version
17.2, then add a PowerShell command to compute the hash of the downloaded file
at C:\Windows\Temp\gdb-17.2.tar.xz and compare it against the official checksum,
failing the build if the checksums do not match before proceeding with the 7-Zip
extraction.
In `@tools/win32-mips/Dockerfile`:
- Around line 48-49: The Dockerfile downloads BINUTILS and GCC from remote
mirrors without verifying their integrity, creating a supply-chain security
risk. Add SHA256 checksum ARG variables for BINUTILS and GCC alongside their URL
definitions, then add verification steps after each download using the sha256sum
command to validate that the downloaded tarballs match the published checksums
before extracting them. Apply the same SHA256 verification approach to the 7zip
download as well to ensure consistency across all remote binary downloads.
📒 Files selected for processing (12)
- README.md
- src/mips/psyqo/GETTING_STARTED.md
- tools/linux-mips/spawn-compiler.sh
- tools/macos-mips/mipsel-none-elf-binutils.rb
- tools/macos-mips/mipsel-none-elf-gcc.rb
- tools/vscode-extension/README.md
- tools/vscode-extension/package.json
- tools/vscode-extension/scripts/mipsel-none-elf-binutils.rb
- tools/vscode-extension/scripts/mipsel-none-elf-gcc.rb
- tools/vscode-extension/tools.js
- tools/win32-gdb/Dockerfile
- tools/win32-mips/Dockerfile
| for url in https://ftpmirror.gnu.org/gnu/binutils/binutils-2.46.1.tar.gz https://mirrors.kernel.org/gnu/binutils/binutils-2.46.1.tar.gz ; do | ||
| wget --max-redirect=2 --timeout=60 --continue --trust-server-names $url && break | ||
| done | ||
| tar xvfz binutils-2.45.tar.gz | ||
| cd binutils-2.45 | ||
| tar xvfz binutils-2.46.1.tar.gz | ||
| cd binutils-2.46.1 | ||
| ./configure --target=mipsel-none-elf --disable-multilib --disable-nls --disable-werror --prefix=$PREFIX | ||
| make | ||
| make install-strip | ||
| cd .. | ||
|
|
||
| for url in https://ftpmirror.gnu.org/gnu/gcc/gcc-15.2.0/gcc-15.2.0.tar.gz https://mirrors.kernel.org/gnu/gcc/gcc-15.2.0/gcc-15.2.0.tar.gz ; do | ||
| for url in https://ftpmirror.gnu.org/gnu/gcc/gcc-16.1.0/gcc-16.1.0.tar.gz https://mirrors.kernel.org/gnu/gcc/gcc-16.1.0/gcc-16.1.0.tar.gz ; do | ||
| wget --max-redirect=2 --timeout=60 --continue --trust-server-names $url && break | ||
| done | ||
| tar xvfz gcc-15.2.0.tar.gz | ||
| cd gcc-15.2.0 | ||
| tar xvfz gcc-16.1.0.tar.gz | ||
| cd gcc-16.1.0 |
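Review bot: `--trust-server-names` on both `wget` lines lets the final redirect target choose the local file name, while the lines after each `done` assume a fixed one (`tar xvfz binutils-2.46.1.tar.gz`, `tar xvfz gcc-16.1.0.tar.gz`). Since ftpmirror.gnu.org answers with a redirect to a mirror, I would drop `--trust-server-names` so the name comes from the requested URL, and quote `"$url"`. That also gives a known path on which to check a pinned digest between `done` and `tar`, and a place to stop if neither mirror delivered the file, because as written the loop falls through to `tar` either way.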
🧩 Analysis chain
🏁 Script executed:
cat -n tools/linux-mips/spawn-compiler.sh
Repository: grumpycoders/pcsx-redux
Length of output: 2151
Add checksum verification before extracting downloaded tarballs.
The script downloads binutils and GCC archives from external mirrors and immediately extracts them without validating checksums or signatures. This leaves the toolchain build vulnerable to mirror compromise or in-transit tampering, introducing a supply chain attack vector into the compiler toolchain itself.
🧰 Tools
🪛 Shellcheck (0.11.0)
[info] 21-21: Double quote to prevent globbing and word splitting.
(SC2086)
| cd binutils-2.45 | ||
| tar xvfz binutils-2.46.1.tar.gz | ||
| cd binutils-2.46.1 | ||
| ./configure --target=mipsel-none-elf --disable-multilib --disable-nls --disable-werror --prefix=$PREFIX |
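Review bot: the release number is spelled out separately in `tar xvfz binutils-2.46.1.tar.gz` and `cd binutils-2.46.1`, and again in the two download URLs, so every bump has to touch four places per package and a missed one only shows up at build time. A single variable at the top of the script (for instance `BINUTILS_VERSION=2.46.1`, the name is only a suggestion) used for the URL, the archive name and the directory would reduce the next bump to one line per package.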
Quote PREFIX expansions in configure arguments.
Unquoted PREFIX can trigger word splitting/globbing and break the configure invocation when install paths contain spaces.
Proposed fix
-./configure --target=mipsel-none-elf --disable-multilib --disable-nls --disable-werror --prefix=$PREFIX
+./configure --target=mipsel-none-elf --disable-multilib --disable-nls --disable-werror --prefix="$PREFIX"
-../configure --target=mipsel-none-elf --without-isl --disable-nls --disable-threads --disable-shared --disable-libssp --disable-libstdcxx-pch --disable-libgomp --disable-werror --without-headers --disable-hosted-libstdcxx --with-as=$PREFIX/bin/mipsel-none-elf-as --with-ld=$PREFIX/bin/mipsel-none-elf-ld --enable-languages=c,c++ --prefix=$PREFIX
+../configure --target=mipsel-none-elf --without-isl --disable-nls --disable-threads --disable-shared --disable-libssp --disable-libstdcxx-pch --disable-libgomp --disable-werror --without-headers --disable-hosted-libstdcxx --with-as="$PREFIX/bin/mipsel-none-elf-as" --with-ld="$PREFIX/bin/mipsel-none-elf-ld" --enable-languages=c,c++ --prefix="$PREFIX"Also applies to: 34-34
🧰 Tools
🪛 Shellcheck (0.11.0)
[info] 21-21: Double quote to prevent globbing and word splitting.
(SC2086)
Source: Linters/SAST tools
| RUN C:\msys64\usr\bin\bash.exe -l -c 'pacman -Scc --noconfirm' | ||
|
|
||
| ARG GDB=https://ftpmirror.gnu.org/gnu/gdb/gdb-16.3.tar.xz | ||
| ARG GDB=https://ftpmirror.gnu.org/gnu/gdb/gdb-17.2.tar.xz |
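Review bot: the new `ARG GDB=` line changes only the URL, while the RUN step quoted further down this page writes and unpacks fixed names (`C:\Windows\Temp\gdb-17.2.tar.xz`, `gdb-17.2.tar`), so the version lives in several places and a `--build-arg GDB=` override would store another release under the 17.2 name. I would carry the version in its own ARG and put the expected digest in a second ARG beside the URL, so the values are reviewed and bumped together.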
🧩 Analysis chain
🏁 Script executed:
cat -n tools/win32-gdb/Dockerfile | sed -n '40,60p'
Repository: grumpycoders/pcsx-redux
Length of output: 2073
🏁 Script executed:
wc -l tools/win32-gdb/Dockerfile
Repository: grumpycoders/pcsx-redux
Length of output: 97
🏁 Script executed:
rg -i "checksum|sha|signature|gpg|verify|hash" tools/win32-gdb/Dockerfile
Repository: grumpycoders/pcsx-redux
Length of output: 885
Add checksum validation for GDB source download.
Line 51 downloads GDB using Invoke-WebRequest without verifying the downloaded archive's integrity. GNU provides SHA256 checksums for GDB releases; add validation to ensure the downloaded source hasn't been tampered with before extraction.
Lines 50-54 showing the download and extraction
RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; `
Invoke-WebRequest $env:GDB -OutFile "C:\Windows\Temp\gdb-17.2.tar.xz"; `
Start-Process -FilePath "C:\7-Zip\7z.exe" -ArgumentList e, "C:\Windows\Temp\gdb-17.2.tar.xz", `-oC:\Windows\Temp\ -NoNewWindow -PassThru -Wait; `
Start-Process -FilePath "C:\7-Zip\7z.exe" -ArgumentList x, "C:\Windows\Temp\gdb-17.2.tar", `-oC:\ -NoNewWindow -PassThru -Wait; `
Remove-Item @('C:\Windows\Temp\*', 'C:\Users\*\Appdata\Local\Temp\*') -Force -Recurse;
| ARG BINUTILS=https://ftpmirror.gnu.org/gnu/binutils/binutils-2.46.1.tar.xz | ||
| ARG GCC=https://ftpmirror.gnu.org/gnu/gcc/gcc-16.1.0/gcc-16.1.0.tar.xz |
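Review bot: these two `ARG` lines fetch the `.tar.xz` archives, while `tools/linux-mips/spawn-compiler.sh` fetches `.tar.gz` for the same releases, so a pinned digest has to be recorded per archive, not per version. When adding digest ARGs next to `BINUTILS` and `GCC` (names such as `BINUTILS_SHA256` are only a suggestion), check each value's length first: a SHA-256 digest is 64 hexadecimal characters, and the binutils value quoted later in this thread is 128 characters long, which is the length of a 512-bit digest, so it would never match `sha256sum` output.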
🧩 Analysis chain
🏁 Script executed:
cat -n tools/win32-mips/Dockerfile
Repository: grumpycoders/pcsx-redux
Length of output: 7040
🏁 Script executed:
find tools/win32-mips -type f \( -name "*.sha256" -o -name "*.sha1" -o -name "*.md5" -o -name "*checksum*" -o -name "*signature*" \) 2>/dev/null
Repository: grumpycoders/pcsx-redux
Length of output: 49
🏁 Script executed:
rg -i "sha256|gpg|verify|checksum" tools/win32-mips/ --type dockerfile
Repository: grumpycoders/pcsx-redux
Length of output: 102
🏁 Script executed:
# Check if there are any checksums or signature files elsewhere in the repo
find . -type f \( -name "*binutils*" -o -name "*gcc*" \) \( -name "*.sha256" -o -name "*.sig" -o -name "*.asc" -o -name "*checksum*" \) 2>/dev/null | head -20
Repository: grumpycoders/pcsx-redux
Length of output: 49
🏁 Script executed:
# Verify GNU binutils and GCC provide checksums publicly
web_search
GNU binutils 2.46.1 SHA256 checksum
Repository: grumpycoders/pcsx-redux
Length of output: 160
🏁 Script executed:
web_search
GNU GCC 16.1.0 SHA256 checksum verification
Repository: grumpycoders/pcsx-redux
Length of output: 160
🌐 Web query:
GNU binutils 2.46.1 checksum SHA256
💡 Result:
The GNU Binutils 2.46.1 release was announced on June 8, 2026 [1]. While official GNU release archives typically include associated checksum files, the specific SHA256 checksum for the binutils-2.46.1.tar.xz source tarball is as follows, as recorded in trusted package management repositories: SHA256: a5a0578281d6315a43437ccf7636b3b91185c2706f1582b22af6973f55a86f5b4bc7eb03aa9ceaec547070152c08c982bc40ee9ce07679f2e3bb49e050bae76c [2] For security verification, GNU Binutils releases are signed with GPG keys [1]. Users are encouraged to verify the integrity of downloaded tarballs using the corresponding .sig signature files provided alongside the releases at the official GNU and Sourceware mirrors [1][3]. Official download locations for the 2.46.1 release include: - https://ftp.gnu.org/gnu/binutils/ - https://sourceware.org/pub/binutils/releases/ [1][4]
Citations:
- 1: https://sourceware.org/pipermail/binutils/2026-June/149568.html
- 2: https://archives-cdn-origin.gentoo.org/gentoo-commits/1780965989.9029fd8fd7478c6597eedb2740b2ec046ed907cb.sam@gentoo/t/
- 3: https://boileri.nic.funet.fi/index/gnu/RELEASE/binutils/
- 4: https://sourceware.org/pub/binutils/releases/?C=N%3BO%3DD
🌐 Web query:
GNU GCC 16.1.0 checksum SHA256 verification
💡 Result:
The GNU Compiler Collection (GCC) version 16.1.0 was released on April 30, 2026 [1][2][3]. The official GCC project distribution site at sourceware.org does not provide a single file explicitly named "sha256.sum" for GCC 16.1.0 [4][5]. However, the SHA256 checksum for the source distribution file gcc-16.1.0.tar.xz is verified by trusted community archives and package managers to be: 50efb4d94c3397aff3b0d61a5abd748b4dd31d9d3f2ab7be05b171d36a510f79 [6][7] To verify your downloaded source files, it is recommended to use the official GPG signatures (.sig files) provided in the release directory alongside the source tarballs [4][5], as these provide cryptographic assurance of authenticity from the GCC release managers. You can verify the signature using the public keys listed on the official GNU GCC website.
Citations:
- 1: https://gcc.gnu.org/releases.html
- 2: https://gcc.gnu.org/gcc-16/
- 3: https://gcc.gnu.org/pipermail/gcc-announce/2026/000190.html
- 4: https://sourceware.org/pub/gcc/releases/gcc-16.1.0/
- 5: https://www.mirrorservice.org/sites/sourceware.org/pub/gcc/releases/gcc-16.1.0/
- 6: https://www.freshports.org/lang/gcc16/
- 7: https://fossies.org/linux/misc/gcc-16.1.0.tar.xz/index_tp.html
Add SHA256 verification for BINUTILS and GCC downloads.
The Dockerfile downloads remote tarballs without integrity verification. GNU Binutils 2.46.1 and GCC 16.1.0 provide published SHA256 checksums and GPG signatures on official mirrors (sourceware.org, ftp.gnu.org), but this build does not validate them. This creates a supply-chain risk if the mirror or network connection is compromised.
Applies to lines 51-54 (BINUTILS) and 57-60 (GCC). Also line 9 (7zip).
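The review comments above ask for an integrity check between download and extraction, in `spawn-compiler.sh` and in both Dockerfiles. A fail-closed version of that check for the shell script follows, as an added example that is not code from this PR or from pcsx-redux; `verify_sha256`, `extract_verified` and `demo` are hypothetical names, and the archive is built locally so the block runs offline:

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from pcsx-redux.

# verify_sha256 FILE HEX: succeed only if FILE exists and matches the pinned digest.
verify_sha256() {
    file=$1 expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters. Reject anything else,
    # e.g. a 128-character 512-bit digest recorded under the wrong name.
    case $expected in
        *[!0-9a-fA-F]*) echo "pinned digest is not hex" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pinned digest is not 64 chars" >&2; return 3; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    # Read via stdin so odd file names cannot alter sha256sum's output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "sha256 mismatch: $file" >&2; return 1; }
}

# extract_verified ARCHIVE HEX DESTDIR: nothing is unpacked unless the check passes.
extract_verified() {
    verify_sha256 "$1" "$2" || return $?
    mkdir -p "$3" && tar xzf "$1" -C "$3"
}

# Constructed offline demo: a tiny tarball stands in for the downloaded release.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" && echo 'int main(void){return 0;}' > "$work/src/hello.c"
    tar czf "$work/pkg.tar.gz" -C "$work" src
    # In a real build this value is committed next to the URL, not computed here.
    pinned=$(sha256sum < "$work/pkg.tar.gz" | cut -d' ' -f1)
    good=0; extract_verified "$work/pkg.tar.gz" "$pinned" "$work/ok" || good=$?
    printf 'x' >> "$work/pkg.tar.gz"   # simulate a modified archive
    bad=0; extract_verified "$work/pkg.tar.gz" "$pinned" "$work/bad" 2>/dev/null || bad=$?
    long=0; extract_verified "$work/pkg.tar.gz" "$pinned$pinned" "$work/bad" 2>/dev/null || long=$?
    [ -e "$work/bad" ] && unpacked=yes || unpacked=no
    rm -rf "$work"
    echo "intact=$good modified=$bad wrong_length=$long unpacked_unverified=$unpacked"
}

demo
```

A digest committed to the repository only protects the build if the value itself came from a source checked against the GNU `.sig` files, which the search results quoted above also recommend.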