Fix rustc sysroot in systems using CAS

[rcvalle]

Change filesearch::get_or_default_sysroot() to check if sysroot is found using env::args().next() if rustc in argv[0] is a symlink; otherwise, or if it is not found, use env::current_exe() to imply sysroot. This makes the rustc binary able to locate Rust libraries in systems using content-addressable storage (CAS).

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @eddyb (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[jyn514]

r? @Mark-Simulacrum

[jyn514]

@rcvalle what is content-addressable storage? Do you mean like a nix store or something?

[Mark-Simulacrum]

I don't think I can effectively review this patch without more information -- switching away from current_exe feels like the wrong approach though. If it was a "true" content-addressable storage system I would expect paths to be largely meaningless, so the popping that is still present wouldn't work really either...?

[rcvalle]

@rcvalle what is content-addressable storage? Do you mean like a nix store or something?

Content-addressable storage (CAS) is a method of storing information so it can be retrieved based on its content (usually using a hashing function appropriate for CAS) instead of its location. (Git itself is an userspace CAS filesystem.)

[rcvalle]

I don't think I can effectively review this patch without more information -- switching away from current_exe feels like the wrong approach though. If it was a "true" content-addressable storage system I would expect paths to be largely meaningless, so the popping that is still present wouldn't work really either...?

Sorry, I should have provided more information. We use CAS in our build systems with symlink forests to replicate the locations files originally belong. However, since both env::current_exe() and fs::canonicalize() follow symlinks/canonicalize the components of the path, the symlinks were being followed to the CAS locations, making the rustc binary unable to locate its distributed libraries.

[Mark-Simulacrum]

Hm, ok. I'm not sure I'm willing to land this change -- it seems like there are cases where that canonicalization would be necessary. Generally the sysroot discovery is a bit ad-hoc in rustc and not super well polished. I think my suggestion would be that we try both - it looks like perhaps the sysroot_candidates function can be extended to also visit the non-canonicalized path. I'm not actually quite sure why we don't use that function to discover the sysroot in librustc_session (cc @bjorn3 since you modified the sysroot code recently), but instead just call the current_exe-based function.

[bjorn3]

If I run rustc a.rs, env::args().next() would return rustc, right? In that case it will look for the sysroot in ../, which is unlikely to be the real sysroot location.

However, since it can be set to an arbitrary value, fs::get_or_default_sysroot() and its return value should not be relied on for security-related decisions.

Rustc runs with the same permissions as the user. I personally don't see how security is relevant here. It can only be invoked by the user. Also the sysroot is most of the time only used to load the files the crate will link against. Only with -Zcodegen-backend can it dynamically link against a dylib in the sysroot.

[bjorn3]

sysroot_candidates calls get_or_default_sysroot. The former also searches relative to the rustc_driver dylib for custom drivers, while the later only searches relative to the main executable. sysroot_candidates was necessary when cg_llvm was a hotpluggable codegen backend. Otherwise custom drivers wouldn't find the llvm codegen backend.

[rcvalle]

If I run rustc a.rs, env::args().next() would return rustc, right? In that case it will look for the sysroot in ../, which is unlikely to be the real sysroot location.

Indeed. We could perhaps check if sysroot is found using env::args().next(), and if it's not found, use env::current_exe(). What do you think?

However, since it can be set to an arbitrary value, fs::get_or_default_sysroot() and its return value should not be relied on for security-related decisions.

Rustc runs with the same permissions as the user. I personally don't see how security is relevant here. It can only be invoked by the user. Also the sysroot is most of the time only used to load the files the crate will link against. Only with -Zcodegen-backend can it dynamically link against a dylib in the sysroot.

It may be relevant in a multiuser or remote system, where the rustc binary may be executed by a different user with different privileges.

[rcvalle]

@bjorn3 @Mark-Simulacrum I've amended my commit to check if sysroot is found using env::args().next(), and if it's not found, use env::current_exe() instead. What do you think?

[rcvalle]

@rustbot modify labels: +S-waiting-on-review -S-waiting-on-author

[Mark-Simulacrum]

This last sentence seems misleading, as it applies just as much to from_current_exe. I would perhaps expect to see it on the get_or_default_sysroot function itself.

[rcvalle]

Done. (I improved the changes a bit and fixed the comments.)

[Mark-Simulacrum]

I am still concerned about this change. It seems like it could easily lead to confusion if there are (by accident or intentionally) different sysroots at argv0 and current_exe. That said, it does seem like the problem you're running into is a real one - I just am not sure this is the right solution. Can you say more about how other compilers or programs that need more than one file deal with this in your system? I think overall I just don't have enough expertise to weigh in here. cc @rust-lang/compiler - maybe someone can chime in if they have experience or thoughts here.

[wesleywiser]

Perhaps we should consider adding a flag that would allow specifying the sysroot path instead?

[jyn514]

@wesleywiser there's already a --sysroot flag:

$ rustc --help -v | grep sysroot
        --print [crate-name|file-names|sysroot|target-libdir|cfg|target-list|target-cpus|target-features|relocation-models|code-models|tls-models|target-spec-json|native-static-libs]
        --sysroot PATH  Override the system root

[wesleywiser]

Thanks @jyn514! GitHub hid this comment which has the motivation for the change.

[bors]

⌛ Testing commit 3f679fe with merge 9a61ec508e22d4488fa01c424e3bd85bb7d02027...

[rust-log-analyzer]

A job failed! Check out the build log: (web) (plain)

Click to see the possible cause of the failure (guessed by this bot)

[bors]

💔 Test failed - checks-actions

[rcvalle]

Thank you @nagisa, @Mark-Simulacrum, @jyn514, @bjorn3, and others for your time on this! Much appreciated.

[rcvalle]

@bors retry

[bors]

@rcvalle: 🔑 Insufficient privileges: not in try users

[jyn514]

@bors retry

[bors]

⌛ Testing commit 3f679fe with merge 16b8057...

[bors]

☀️ Test successful - checks-actions
Approved by: nagisa
Pushing 16b8057 to master...