-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to deal with breaking changes on platform ? [BSDs related] #570
Comments
Unfortunately I don't really know how we'd handle this, I just figured that platforms wouldn't do this. If this happens a lot we'll just need to document what's wrong and stop adding new bindings, it'll be up to crates to implement version compatibility. |
I think it isn't just a "version compatibility" issue. My purpose isn't to have a compatibility layer for missing/removed functions or types. The problem is OpenBSD triple is versioned, meaning that API/ABI of one version could be different from another version. I checked some others system (running
I also checked in LLVM source tree: the OS version is a part of the triple definition. Maybe a concept is missing in Rust ? If I don't think it is a problem only on OpenBSD. Any OS using OS-Version could be hitted. OpenBSD exposes it because we heavy use the ability to not be API/ABI compatible (it is a way to be able remove old stuff that deserve security). |
Yeah there's no concept of a versioned target in rustc right now, and we're unfortunately not really capable of doing so right now. Our only recourse is basically to take the subset which currently works across all revisions, put that in libc, and then otherwise let downstream crates bind versions that change over time. |
I hope you are kidding: you are asking to remove So I am looking to extend Target to include os-version information in the target specification. |
Well, I'm not really kidding. If we feel we must fix this then we currently have no choice but to not add the bindings. If we don't want to do that then the fix must go elsewhere. I don't know the best way to fix this, just spitballing. |
This isn't just a problem for OpenBSD. FreeBSD 12, when it comes out, will change a number of important types, like Would it be possible to generate bindings dynamically at build time? When writing Ruby bindings, I've always preferred that approach to FFI. If not, then I think libc needs a way to distinguish between OS versions, just as it currently distinguishes between OSes. |
I would personally be afraid of generating bindings at compile time. It just pushes the problem to consumers without giving them tools to deal with it. I do think that this sounds like this needs a way for libc to distinguish between OS versions, but Rust currently has no tool for doing so really. |
The problem just got worse. Linux 4.11, released today, added a new system call: |
@asomers that's not quite true though, we can add bindings at any time. Rust supports Linux 2.6.18+ and there are a huge number of syscalls bound in libc not present in 2.6.18. It's up to crate authors to pick and choose apis for platform compatibility appropriately. |
@alexcrichton I guess I was wrong about how libc's CI tests worked. Are you saying that libc's tests do not flag symbols defined in FFI but not present in the system's headers? If that's true, then a Rust program trying to use Would you consider dynamically generating the bindings for select functions, even if most functions have static bindings? Right now, I don't see any way at all for consumers to deal with the versioning problem. |
No, to be clear:
Programs using I would like to avoid dynamically generating the bindings, as that's typically not the actual solution to this problem. It makes cross compilation (even just across OS versions) much more difficult |
Cross-compilation could be solved by overriding the build script's platform detection. For example, on FreeBSD there's basically only one symbol that a build script would need to detect: But it sounds like you might have something else in mind when you say it's "not the actual solution to this problem". Do you? What is the "actual solution", @alexcrichton ? |
To me the "actual solution" is precisely what we're doing right now. We list a bunch of symbols and authors need to be vigilant about which ones they use. This does not solve the use case of OpenBSD, however, if there are ABI breaking changes. We may need more than one solution but to me there are too many downsides to dynamically generating an API on Linux at least. |
Not only does it not solve OpenBSD's use case; it doesn't solve the use case where operating systems make changes that don't break the ABI. Both FreeBSD and Linux occasionally change syscalls and provide backwards compatible syscalls with the old signature and syscall number but a new name. For example, FreeBSD 8's "compat7.shmctl" syscall is identical to FreeBSD 7's "shmctl". Similarly, operating systems make changes to system libraries and provide backwards compatibility by bumping the SHLIB version and providing the old libraries as optional packages. Currently libc handles neither of these cases. Either the libc binding tracks the new function's signature, which breaks Rust programs at runtime on older versions, or the libc binding stays with the old signature, which breaks Rust programs at runtime on newer versions. It's simply not possible for the current libc to compile correctly on multiple versions of an operating system. Your previously suggested solution is to simply remove a binding whenever the OS changes it. But that would break any crates that use the binding, violate semver, and still result in runtime failures for crates that use the old libc but were built on a new OS. You suggest that libc's consumers should be responsible for versioning issues, but I don't think that's possible. Let's take Alternatively, libc could assume that all operating systems provide backwards but not forwards compatibility (sorry OpenBSD). Then it could pick a minimum supported version, and always link against that version's shared libraries, Currently Cargo doesn't provide a mechanism to specify an exact shared library version to link against, but that could be added. This would fix all of the runtime failures, but at substantial cost: dependent crates would lack access to new OS features, and both developers and users would have to install the compat library packages. Not only would new features that change APIs be unavailable, but the shared library lock would mean that entirely new functions would be unavailable as well, unlike the current situation where using newly added functions will generate link failures when building on an old OS. In either case, developers will likely fork libc to update their favorite bindings, resulting in a Balkanization of libc and dependent crates that don't support older OS versions. I understand that cross-compilation is a really cool feature, but I fear that you're underestimating the severity of this problem. Have you looked into how embedded cross development toolchains work? AFAIK the host system requires full headers for the target. Maybe Rust needs to do the same. |
@asomers if you've got a proposal of what to do I'd recommend writing up an RFC, with so many dependencies changes such as what I think you're proposing can't be taken lightly. |
@alexcrichton I pushed a WIP branch on my github repository. I hope code will be more explicity than my explaination about what I called having support for OS version. Tree is at https://github.com/semarie/rust/tree/target-os-version . Please note my code isn't working for now. Basically, it is:
It would be possible to do have conditionnal code against OS version (OpenBSD 6.1 or OpenBSD 6.0), in the same way we have conditionnal code against OS name (OpenBSD or FreeBSD). |
Good work @semarie. BTW, I've been studying ELF symbol versioning and I think it would be possible to fix libc without modifying Rust itself. Basically, libc would need to grow a bunch of feature flags like "freebsd11+", "freebsd10+", etc, meaning "build code that will work on FreeBSD 11 or greater" and "build code that will work on FreeBSD 10 or greater". Of course, those flags could be conditionalized so they won't appear on other platforms. Then, for every symbol that differs between FreeBSD versions, libc will bind a different version depending on which feature flags are set. The Also, I've found several functions in glibc with multiple versions. Linux is not immune from this problem. |
@asomers OpenBSD uses ELF on all platforms. but using ELF symbol versioning doesn't help for breaking changes if the OS doesn't use symbol versioning. |
@semarie I'd personally probably reocmmend writing an RFC before sending that as a PR, I'm sure many others would have comments as well! |
This has hit me too - in particular, with changes in Mac OS X major versions. However, a good solution probably isn't to use a version number in the target triple, as there's a distinction to be drawn between libc version and OS version; they do not necessarily go in lockstep. A classic example might be changes to Linux's uapi headers, which don't yet line up with changes in musl, say. This problem is a general one: changes in third party (usually C) library APIs that are incompatible. It needs a good solution within Rust. It's a problem that's heavily compounded by set ups that use dynamic libraries (something I've come to see as more trouble than they're worth for secure or robust systems outside of the desktop. In practice, it's a far too difficult for most sysadmins to assess whether a security fix to a dynamic library affects more than on running program, and so they just go for the nuclear option of a reboot). Using (Semantic version does absolutely nothing to solve this; in fact, semantic versioning is a deeply broken concept that's become popular recently. In practice, either a version is compatible or it isn't; semantic versioning is just the upstream's author's assessment. One man's inconsequential security version or minor change is another's nightmare. In practice, with large system set ups and deployments, I always encourage dev teams to think of only two kinds of version: likely-to-be-compatible security fix, and incompatible. Everything incompatible needs to go through the full test cycle before deployment. Security fixes can bypass that if urgent; risk vs reward and all that). |
Er, is the Though it seems there's a more general problem to be solved here. |
Related: rust-lang/rust#42681
|
I don't quite understand how Rust initially missed out on OS and ABI versioning quite so badly - deciding to assuming that structures and types are immutable over time or removing key structures from libc altogether. Nonetheless, Rust can conditionally compile based on configuration values, what is stopping this? |
@mattmacy my understanding of the problem is:
|
The assumption that by targetting FreeBSD 11 libc is usable on FreeBSD 12 is incorrect. Consider There is probably a subset of the FreeBSD 11 and 12 API surface that works correctly on both platforms, but FreeBSD 11 is not it. |
https://svnweb.freebsd.org/base?view=revision&revision=303495 Even if some Rust code attempted to use its return value, I still don't think that would qualify as UB, because of the FFI interface. UB would only come into play if the compiler knew that there was no initialized return value. However, in this case the compiler believes that the return value is initialized, and believes that it exists where the C calling convention says that it should be. On amd64, that means that libc's |
I think that the original proposal of @semarie here (#570 (comment)) is the best solution to this problem. IIUC, essentially there would not be a I'm not sure if this is what @alexcrichton had in mind here (#570 (comment)) when they said that this cannot be supported right now, but AFAICT this should "just work" without any changes to the compiler. It probably wouldn't even require an RFC. If somebody wanted to go the RFC route, then maybe a |
@gnzlbg @semarie's proposal would work well for OpenBSD, but at great cost to the Rust ecosystem. Adding target_os's for every version of FreeBSD and NetBSD would have even more cost. And it wouldn't solve the problem for rare and proprietary OSes. This is why I proposed an alternate solution at https://internals.rust-lang.org/t/pre-rfc-global-source-replacement-in-cargo-for-os-bindings/9383 . In a nutshell:
|
@asomers I remember your proposal and I think it is interesting as well. From my point of view, your proposal and @semarie 's both solve problems in the same domain, but they have quite different goals and constraints on the solution, which is what results in two very different approaches, both having different trade-offs, to the point that we actually could do both since they appear to me to be compatible with each other. Maybe it would be worth it to have a mini-RFC here first about what goals and constraints do we have, and once we are on the same page about that, reconsider both solutions, and try to come up with something that satisfies them all. |
Hmm, looks like you've decided to check it in libc's Lines 19 to 23 in d5a599e
but only for testing right now. If you just do |
@myfreeweb the current system is for private use within libc only. This allow us to implement FreeBSD12 APIs, keep track of the backwards incompatible changes, and enables testing whatever system we choose to use to support this. |
Yes. And I'm saying this can easily be turned into the actual solution that won't be just for private use!
|
OpenBSD doesn’t bump Rust versions in stable branches of the ports tree, so one needs to use OpenBSD-CURRENT if one wants a recent Rust on that platform. This solution also does not work for cross-compilation. For the open-source OSs, one option would be to run bindgen on |
It is by design: stable port tree receive only security updates. But nothing prevent a user to build recent rust release on OpenBSD stable. |
Understandable. That said, this prevents products that depend on the latest stable Rust (such as Firefox) from getting security updates. Also, security vulnerabilities occasionally do appear in Rust itself. |
This RFC proposes a good solution: rust-lang/rfcs#3036 . |
@asomers How would that work exactly? Have code inside the |
Exactly. Then consumers can set the min_libc_version in their own .cargo/config files. |
I open an issue on libc because it is here the problems will start to show up. Depending the solution or the way to deal with, modifications could occurs in rustc repository too.
At OpenBSD, we don't care about breaking API/ABI between releases. Once a release is done, the API/ABI is stable, but there is no guarantee that it will be compatible with the next release.
Currently, in the upcoming 6.2 version of OpenBSD (6.1-current), there is a breaking change that will affect libc : si_addr should be of type void *, not char * (caddr_t). Here the current definition in libc.
Under OpenBSD, we deal with ABI under LLVM by using a triple like:
amd64-unknown-openbsd6.1
. For Rust, instead we use an unversioned platform, resulting all OpenBSD versions to define the same ABI (which isn't properly right).Do you think it possible to switch from
*-unknown-openbsd
to*-unknown-openbsd6.0
,*-unknown-openbsd6.1
, ... without having to duplicate all code in libc for each target ? and without having to add a new target in rustc for each OpenBSD release ?Any others ideas on the way to deal with it ?
The text was updated successfully, but these errors were encountered: