cmd/link: lock down future uses of linkname #67401
Comments
gopherbot
added
the
compiler/runtime
|
Change https://go.dev/cl/585820 mentions this issue: |
|
I think
However key differences:
As a downstream of quic-go I clearly understood the situation, the worst was the need to wait a couple of days for In the case of
instead of creating a compile time error they could have stubbed their API by forwarding calls to What I actually propose:Continue to allow the Pull kind of //go:build go1.23.4 && !go1.23.5 && !go1.24To know if a file is properly locked down, the toolchain can evaluate the build tags with the next future release and it MUST fail to be allowed. That means if a file pass the current version but not the next one, then Pull linknames from the std would be allowed. There is a downside to this approach which is that if there is no change required between two releases you still need a different file per version with the same implementation, to satisfy this constraint. Maybe parsing the build tags would be better. I am not sure if |
I completely disagree. Quic-go's use of linkname caused all manner of problems for us release after release too, because anyone using quic-go couldn't update to a new Go version until quic-go did. |
|
Change https://go.dev/cl/585916 mentions this issue: |
|
Change https://go.dev/cl/585915 mentions this issue: |
This comment has been minimized.
This comment has been minimized.
|
We can't fix what we don't know about.
We're open to any reports from closed-source packages. It would be particularly useful to hear about these when the release candidate comes out so they can make the .0 release. |
This comment has been minimized.
This comment has been minimized.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
Misuse is undesirable, disabling is even worse, you want to change you maintain that package (go-json), that doesn't solve it? |
|
I would like to say that //go:linkname is very useful for certain types of low level programming such as Ebitengine , etc. While I agree the situation with goccy/go-json is bad, we should look at how it is being used in detail and think of alternatives for the legitimate uses. |
|
@bjorndm should't
|
|
In C, static symbols are not accessible outside of the compilation unit, full stop. There is no way to pull a static symbol from a C library. A number of other languages have similar strict visibility rules. They are very successful languages and are widely used. This suggests that a lot programs can be written and things can go very well without a mechanism to break into a library's internal details. I don't think Go is fundamentally different. Ideally we could also have strict visibility rules. I would think Go unexported symbols are meant to be similar to C static symbols. In fact, that is what gccgo does. Unfortunately for the gc toolchain it is not the case today. But we can get closer to it. And as we care a lot about compatibility, we'll keep the existing code continue to build in Go 1.23 (Step 2 in the plan). And we have a linker flag to disable the restriction (e.g. for experiments; as far as I know, the C linker doesn't seem to have such an option). Also, I think the authors of the code should have a way to decide which symbols are visible externally and which are not. |
|
Purego which is a dependency of Oto, Beep, and Ebitengine as well as others doesn't just pull symbols it also pushes since it reimplements Another potential solution for us is to prebuild Of course, if the Go team wanted to port |
Push linknames are still allowed. If they are currently pushed from
This might be a possible option, but I think we need to understand the rationales better. The |
No, Purego pushes the same symbols that
Indeed, |
|
Thanks.
I don't think there is any plan to break the use case of Purego's pushes. If we do anything to restrict push-only ones, they will be equally applied to the ones runtime/cgo pushing to runtime. So we'll need to fix those first (I think many of them are already in handshake form, but it is possible we missed some). And that should make Purego work as well. |
dmitshur
added
the
NeedsInvestigation
|
Change https://go.dev/cl/586259 mentions this issue: |
|
Change https://go.dev/cl/586137 mentions this issue: |
And I understand that, but if you recognize the need then why be ok with this change? |
|
Just to be clear, I think the |
If you are the only one who are using the code
Because someone decides to use your code as a dependency and someone else decides to use new code as their dependency and so on until we have big project relying on
Once again
Thats why I'm fine with |
For
The same thing would happen if something else breaks. They downgrade or submit an issue. It's literally the same scenario that happens today without
See above
See above I understand your reasoning and argument here, seriously I do. But this change honestly makes more mess than it fixes (and will break more than fix!). Can we do better, sure! But doesn't seem the best route. IMO: To fix the spirit of this issue, disabling external linking using |
|
This has already been said, but the problem is not that people write packages that use The problem is that people write packages that use When these cases happen, the Go team has two bad choices. 1) retain internal details indefinitely, slowing down or even stopping development of the Go standard library. 2) break thousands of Go packages that currently work just fine. Preventing new uses of If you want to argue against this change, please argue against what I am writing here. If you don't publish your package, use the command line argument. If you do publish your package, either don't use Yes, you can make your package run faster in some cases by using Thanks. |
|
I apoligize if I was off topic here.
Fair point.
I'd argue no one here wants 1 and 2 would happen even if the change wasn't made and a breaking internals change was made. (IMO: When I do use
Alright. Well, Its tough, but I agree that it makes life harder for the Go team and on the other side I agree that removing this mechanic may stifle innovation or features in some packages. Since we already change the behavior of Go due to the I'm not 100% sure how hard it would be to implement the linker code, but this would be an idea to make everyone happy. |
|
Thanks for the suggestion. As you say, security fixes are a problem with that kind of approach. We don't want people who indirectly depend on a package using |
This is exactly why so many companies are still on Java 1.7 (Spring Framework is one of biggest culprits here but there are others). If this isn't explicit for the end user from the start, most of the corporate users will simply go "fine, whatever, we will just stick to the old Go version" after their project no longer compiles with latest Go. The price of upgrading will be simply too high. And this stucks. |
|
@DmitriyMV I don't see another method that would easily resolve this for both "sides".
As much as I understand your frustration with this, this is not always the case. Outliers? sure. If there isn't an available upgrade then maybe they'll have to stay at the old version or implement the import manually, not much you can do. For example, I have a project that's stuck on go1.10 as it has to support WinXp, sometimes you have to make it work, so it's already happening anyway. |
|
I noticed that your focus on We all know that for projects like the Golang standard library, adding any public API requires long-term consideration, and it may take several years to be implemented after being marked as
I know you might say that simply passing The existence of third-party libraries is an organic supplement to the standard library. We cannot expect the standard library to realize all the functions that users need. Locking the standard library, or to be precise, locking the runtime, can indeed reduce the cost of maintaining compatibility, but it will also greatly reduce the discoverable functionality of a language. The progress of a language is jointly promoted by the official and third-party library developers. I don't think it is conducive to the future development of the language to rudely lock the third-party libraries out. It is impossible to pursue absolute compatibility. For example, the new version of Golang will give up support for outdated operating systems (such as Windows7/Server2012), will give up outdated and insecure TLS cipher suites, and modify some original behaviors (for example, rlimit mentioned earlier). These seemingly minor changes make upgrading the Golang version without any testing just a good fantasy. So I don't think upgrading the version of third-party dependent libraries while upgrading the Golang version is a question of On the other hand, I still think that setting the default value of I have a premature proposal here. We can require those who use |
|
A guilty pyroscope-go/godeltaprof is included in https://swtch.com/tmp/linkname100.html and relies on linking to the following functions And the last one was renamed in main branch already and differs from 1.22 (cc @felixge ) 1.22: A question to go maintainers: can I submit a PR to |
|
@wwqgtxx Thanks for the note. These kinds of decisions always involve weighing costs and benefits. I think we view the costs and benefits differently. You mention netpoll, so I'll note that I don't yet find that example convincing. The runtime netpoll code is designed to work closely with the os and net packages. We've changed it several times to make the os and net packages more flexible and more efficient. If linkname were used by widely used packages, future development would be seriously restricted. On the other hand, anybody can call the Alternatively, it's possible to use So I think we already have all the building blocks required for a third-party package to efficiently poll descriptors. |
@ianlancetaylor Please read my earlier comment. The building blocks are not there for Windows. |
|
Is it possible add a test, checking the |
|
Change https://go.dev/cl/588695 mentions this issue: |
|
Hi @korniltsev
It looks like the 4 functions you asked about might already be covered in CL https://go.dev/cl/587598, with some possible follow-up in https://go.dev/cl/587756. Note that those are still active (not yet submitted), including it looks like there might be an open question related to Regarding the This is just based on a quick look, so sorry if any of this is off base, but that might give you at least some starting points to dig further if needed. |
As far as I understand, it seems Ian was suggesting two options for Windows:
Are you saying both options do not work for Windows for your use case? Regardless of the linkname discussion here, it probably is worthwhile to raise an issue with the specifics in the hopes of identifying a future improvement (or perhaps workaround) that does not rely on a linkname. |
|
I'm pretty strongly in favor of this. I love to write crazy stuff that pokes around in stdlib, but I know that it is definitionally unportable and can and will fail in the future, and I shouldn't be relying on it. This problem isn't unique to Go, it's been a thing for C programmers for about 50 years now. And I'm pretty solidly on the side of "actually, you should not do this, and if you do, you should not complain it it fails, and you should especially not do it in code you're publishing with intent that other people can rely on it", because the alternative is to wreck the implementation's ability to improve over time. If it's not exported, it's not part of the interface, and if you rely on it anyway, that sounds like a you problem. I know it's frustrating, I know you can do really cool things against a specific implementation sometimes, but... if you're making this a problem for the implementors, they're gonna protect themselves, and they're right to do so. |
They may have a right to, and that's fine, but removing something that allows users to be flexible with the language is a terrible idea.
Not always true, if you maintain the libs that use it.
That's a bad thought to have when you have to do things that are not directly exposed to you. There are many times I've had to write code well beyond what was in the standard library. But I've also never had How would you suggest fixes to those? |
|
@iDigitalFlame My impression is, that the points you are raised are already well known and taken into account by @rsc and @ianlancetaylor. That is, I don't have the impression that there is a mismatch of available information, it's "just" that the tradeoffs are made differently. You are fundamentally correct, that people sometimes feel the need to reach into unexported APIs. You are fundamentally correct, that they won't be able to after this change. And you are fundamentally correct that those people will then either have to solve their problem differently, choose to not solve the problem, or use a different language. As harsh as that may sound, I think that is fine. If the goals of Go as a language are incompatible with the goals of some developers, it is fine for those developers to use a different language.
I think it's become pretty clear recently, that it is unsustainable for the ecosystem and for the individuals involved in it, to create the expectation that open source software is professionally and promptly maintained. Open source dependency graphs are large and it's socially untenable, to "just do good engineering" on all of it. Again, there is a tradeoff here. And part of the goals of Go as a language are to not depend on things being necessarily well-maintained. Go modules where, in part, explicitly designed to allow for situations where you just can't rely on people to apply fixes in a timely manner, while still keeping the ecosystem as a whole largely running. Personally, as someone who mostly tries to just write boring Go code, I would very much love if what the Gophers slack calls |
For #67401. Change-Id: I015408a3f437c1733d97160ef2fb5da6d4efcc5c Reviewed-on: https://go-review.googlesource.com/c/go/+/587598 Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Russ Cox <rsc@golang.org>
A bad merge syncing before the submit of CL 587220 dropped these. (I forgot to write the file out.) For #67401. Change-Id: I6f2ba69f388907f3d24eeef55c80cbb2cf51f580 Reviewed-on: https://go-review.googlesource.com/c/go/+/587755 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Marten Seemann <martenseemann@gmail.com>
golang#67401 documents the removal of the ability to perform "Pull" linknames of standard library internals starting in Go1.23. This commit adds go:linkname to aeskeysched since github.com/parquet-go/parquet-go relies on this and would not build on amd systems with this new version of Go (see: https://github.com/parquet-go/parquet-go/blob/d0d9efaa7ab89610ae7228a4105975176de2d0b8/hashprobe/aeshash/aeshash_amd64.s#L10)
and others
Overuse of //go:linkname to reach into Go standard library internals (especially runtime internals) means that when we do change the standard library internals in ways that should not matter, we can end up breaking packages that are depended on by a large swath of the Go ecosystem. For example, https://go.dev/cl/583756 broke github.com/goccy/go-json because it turns out that package copied most of the runtime's internal type API. Now we can't change anything in that list, despite that being an ostensibly internal package, without breaking goccy/go-json. And goccy is used by many packages, including Kubernetes.
This situation is unsustainable. Internals are internal for a reason. We can't keep Go programs working when they create explicit dependencies on details that we have kept internal. But we also care a lot about compatibility: we don't want to break Go programs either. The obvious conclusion is that we have to stop Go programs from being able to create these dependencies on internal details in the first place.
This issue tracks work to prevent new //go:linkname-based dependencies and contain existing ones.
Right now, if package A has a symbol and package B wants to refer to it with //go:linkname, there are three patterns:
(Push) Package A uses a //go:linkname to rename one of its own symbols to B.foo, and then B declares
func foo()without a body. In this form, A clearly intends for B to use foo, although the compiler cannot quite tell what's going on in B and warns about foo not having a body unless you create an empty dummy.s file.(Pull) Package A defines foo without any annotation, and package B uses //go:linkname to access A.foo. In this form, A may not intend for B to use foo at all. That's a serious problem: when A renames foo and/or changes its type signature, B breaks, and A may never even have heard of B.
(Handshake) Package A defines foo with a //go:linkname and package B defines foo also with a //go:linkname, and the two agree on the name (either A.foo or B.foo). This is the ideal form, and it avoids the dummy.s workaround that is needed in the Push case.
The ideal goal state is a world where all //go:linkname usage must be in the Handshake form: both sides must agree to use linkname for a given symbol in order for it to succeed. This will mean that arbitrary packages cannot create new dependencies on runtime internals. At the same time, we realize that the current world is not this ideal world, and we don't want to break all existing uses.
Our plan is as follows.
Introduce a new -checklinkname=1 flag to cmd/link that requires the Handshake form for symbols in the standard library. That flag is already landed in at tip, but it is not the default.
Survey all existing open-source Go packages to find standard library symbols that are being //go:linkname'd (behind our backs!) using the Pull pattern. Add the necessary //go:linkname annotations to the standard library to keep those working, documenting why each exists. The explicit //go:linkname lines and documentation will help avoid accidental breakage in future refactoring. We have done a preliminary survey, but we haven't yet added all the necessary //go:linkname lines.
Make -checklinkname=1 the default for Go 1.23. If this breaks anything, users can use -ldflags=-checklinkname=0 to get unbroken, and we hope they will also file reports letting us know what we missed.
As we get reports of additional breakage we missed, add more //go:linkname annotations to the standard library.
At the completion of that plan, we won't be in the ideal world, but we will have accomplished two important things:
We won't have broken anything.
We will have stopped new damage from accumulating: there will be no more new references to runtime internals introduced. In particular, new internals we added during the Go 1.23 cycle, like coro and weak pointers, cannot be linknamed, now or ever. And anything that wasn't linknamed yet won't grow new linknames in the future.
Note that anyone who wants to experiment can always build with -ldflags=-checklinkname=0 and linkname whatever they like. That's fine. We like experimenting too. But the fact that the code won't build without special flags should help prevent code that digs into internal details from becoming a core dependency in the Go ecosystem that we end up having to maintain forever.
Note also that for now, //go:linkname can still be used in Pull mode to get at internals of non-standard library packages. We'd like to change that eventually too, insisting on Handshakes everywhere. For now, we are starting with the standard library. If all goes well, we'll circle back and try to devise a plan for the rest of the ecosystem.
The text was updated successfully, but these errors were encountered: