@winterqt
Member

By default, Rust binaries include debug information (e.g. for the panic handler) that specifies source file paths. On sandboxed Linux, this isn't much of an issue since the build will always be in /build, but on any other platform (including sandboxed macOS), this will result in potential impurities (e.g. when using --keep-failed or building multiple derivations with the same name concurrently).

Luckily, rustc provides an option to remap path prefixes when writing this debug info, in the form of --remap-path-prefix. This allows the replacement of any path prefix that would be written to the binary. This change sets this to $NIX_BUILD_TOP, falling back to a noop if there is no $NIX_BUILD_TOP during build (as cases where it's unset, like devshells, don't really benefit from purity).

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added the 6.topic: rust General-purpose programming language emphasizing performance, type safety, and concurrency. label Apr 24, 2025
@nix-owners nix-owners bot requested review from figsoda and zowoq April 24, 2025 00:55
@winterqt winterqt requested a review from alyssais April 24, 2025 00:55
@github-actions github-actions bot added 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. labels Apr 24, 2025
@winterqt winterqt force-pushed the push-nqsmrqvtpsxm branch from bd0632f to 6ed48c9 Compare April 24, 2025 01:05
@winterqt winterqt requested a review from lilyball April 24, 2025 01:05
Member

@lilyball lilyball left a comment

I haven't looked at these hooks before but this certainly looks like it'll work. I suppose we can assume that $NIX_BUILD_TOP will never contain a path that has a " embedded in it?

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Apr 24, 2025
@winterqt winterqt force-pushed the push-nqsmrqvtpsxm branch from 6ed48c9 to 7d29171 Compare April 24, 2025 23:57
@winterqt winterqt requested a review from alyssais April 24, 2025 23:58
@winterqt winterqt force-pushed the push-nqsmrqvtpsxm branch from 7d29171 to 82a3626 Compare May 6, 2025 06:42
@winterqt
Member Author

winterqt commented May 6, 2025

I realized I also need to add this to rustc itself -- I have a diff, but want to test, and don't have the time to run it now.

@winterqt winterqt marked this pull request as draft May 6, 2025 06:56
@winterqt
Member Author

winterqt commented May 8, 2025

Ideally, we'd wait for rust-lang/rust#140778 to be fixed before landing this, as without it, rustc source paths get embedded in the resulting binaries.

@winterqt winterqt marked this pull request as ready for review May 9, 2025 21:26
@winterqt winterqt requested review from alyssais and lilyball May 9, 2025 21:27
@nix-owners nix-owners bot requested review from Mic92 and tjni May 9, 2025 21:28
@winterqt winterqt added the 6.topic: reproducible builds Run nix-build twice and get the same result. label May 10, 2025
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label May 17, 2025
@winterqt
Member Author

Something interesting between the setup hook commit and the rustc commit:

[nix-shell:~/src/nixpkgs]$ strings result-2/bin/rg | rg "alloc\/"
/private/tmp/nix-build-rustc-1.89.0.drv-1/rustc-1.89.0-src/library/alloc/src/string.rs
/private/tmp/nix-build-rustc-1.89.0.drv-1/rustc-1.89.0-src/library/alloc/src/slice.rs
/private/tmp/nix-build-rustc-1.89.0.drv-1/rustc-1.89.0-src/library/alloc/src/collections/btree/node.rs
/private/tmp/nix-build-rustc-1.89.0.drv-1/rustc-1.89.0-src/library/alloc/src/collections/btree/map/entry.rs
[nix-shell:~/src/nixpkgs]$ strings result/bin/.cargo-wrapped | rg "alloc\/"
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/collections/btree/map/entry.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/collections/btree/node.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/string.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/raw_vec/mod.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/borrow.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/string.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/slice.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/vec/spec_from_iter_nested.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/vec/mod.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/vec/in_place_collect.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/slice.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/slice.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/sync.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/slice.rs
/rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/alloc/src/string.rs

Where's that /rustc/.../... path coming from?!
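
The `strings ... | rg` check in the comment above, and the build-directory leak the pull request description is about, can be automated. The following is an added example, not part of the pull request or of nixpkgs: it labels every embedded `.rs` path by prefix and counts those still under the real build directory. The function names and the sample blob are constructed for illustration; `/build` is the remap target shown in the `@BUILD_TOP@=/build` mapping on this page.

```bash
#!/usr/bin/env bash
# Added example: label the Rust source paths embedded in a binary by prefix.

# Print every absolute *.rs path found in file $1, deduplicated.
# grep -a reads the binary as text; -o prints only the matching path.
embedded_rs_paths() {
  LC_ALL=C grep -a -o -E '/[A-Za-z0-9_.+/-]+\.rs' "$1" | LC_ALL=C sort -u
}

# Print "<label> <path>" for each embedded path in file $1.
#   remapped  under the fixed /build prefix (stable across machines)
#   leak      under the real build directory $2 (varies per build)
#   rustc     under /rustc/<hash>/
#   other     anything else
classify_paths() {
  build_top=${2%/}
  [ -n "$build_top" ] || { echo "build directory required" >&2; return 2; }
  embedded_rs_paths "$1" | while IFS= read -r p; do
    case $p in
      /build/*)       echo "remapped $p" ;;
      "$build_top"/*) echo "leak $p" ;;
      /rustc/*)       echo "rustc $p" ;;
      *)              echo "other $p" ;;
    esac
  done
}

# Number of distinct paths that still point into the build directory $2.
count_leaks() {
  classify_paths "$1" "$2" | grep -c '^leak ' || true
}

# Constructed sample: NUL-separated paths standing in for a binary's
# string data (not taken from a real build).
make_sample() {
  printf '%s\0' \
    '/private/tmp/nix-build-demo.drv-1/src/main.rs' \
    '/build/demo/src/lib.rs' \
    '/rustc/0000000000000000000000000000000000000000/library/alloc/src/string.rs' \
    '/private/tmp/nix-build-demo.drv-1/src/main.rs' > "$1"
}

blob=$(mktemp)
make_sample "$blob"
classify_paths "$blob" /private/tmp/nix-build-demo.drv-1
echo "leaks: $(count_leaks "$blob" /private/tmp/nix-build-demo.drv-1)"
rm -f "$blob"
```

A non-zero leak count for a build output means the binary's contents depend on where it was built, which is the impurity `--remap-path-prefix` is meant to remove.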

github-actions[bot]

This comment was marked as resolved.

We can reproduce the intended behavior with a useful use of `cat`. ;)
…binaries

By default, Rust binaries include debug information (e.g. for the panic
handler) that specifies source file paths. On sandboxed Linux, this isn't
much of an issue since the build will always be in `/build`, but on any
other platform (including sandboxed macOS), this will result in potential
impurities (e.g. when using `--keep-failed` or building multiple derivations
with the same name concurrently).

Luckily, rustc provides an option to remap path prefixes when writing
this debug info, in the form of `--remap-path-prefix`. This allows
the replacement of any path prefix that would be written to the binary.
This change sets this to `$NIX_BUILD_TOP`, falling back to a noop if
there is no `$NIX_BUILD_TOP` during build (as cases where it's unset, like
devshells, don't really benefit from purity).

See previous commit for more info -- we just need to set the same option
here, as the rustc derivation doesn't use `cargoSetupHook`.

@github-actions github-actions bot dismissed their stale review September 17, 2025 03:42

All good now, thank you!

@winterqt winterqt requested a review from alyssais September 17, 2025 03:44
@nixpkgs-ci nixpkgs-ci bot added 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. and removed 2.status: merge conflict This PR has merge conflicts with the target branch 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. labels Sep 17, 2025
[
''"--remap-path-prefix"''
''"@BUILD_TOP@=/build"''
]
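
Review bot: in the second list element, whatever replaces `@BUILD_TOP@` lands inside literal double quotes (`''"@BUILD_TOP@=/build"''`), so a build directory containing a `"` would end the quoted value early and produce a malformed flag. Either escape the value where the placeholder is substituted, or note next to this list that the build path is assumed to contain no double quotes. The remap target `/build` is also a bare literal here; naming it once and reusing it would keep any repeated copies of this list from drifting apart.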
Member

Could we put this in build.rustflags and avoid having to repeat it?

@winterqt
Member Author

@winterqt winterqt closed this Sep 21, 2025
@winterqt winterqt deleted the push-nqsmrqvtpsxm branch September 21, 2025 20:24

Labels

6.topic: reproducible builds Run nix-build twice and get the same result. 6.topic: rust General-purpose programming language emphasizing performance, type safety, and concurrency. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 1 This PR was reviewed and approved by one person.


4 participants