Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

formula_cellar_checks: check for cpuid instruction when needed #11644

Merged
merged 3 commits into from Jul 6, 2021
Merged

formula_cellar_checks: check for cpuid instruction when needed #11644

merged 3 commits into from Jul 6, 2021

Conversation

carlocab
Copy link
Member

@carlocab carlocab commented Jul 3, 2021
edited

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This implements the second audit discussed in #11608.

I've only done this on macOS for now, since I make use of Keg#mach_o_files, but I wanted to get feedback on the approach here before doing something more generic.

@BrewTestBot
Copy link
Member

Review period will end on 2021-07-06 at 00:00:00 UTC.

@BrewTestBot BrewTestBot added the waiting for feedback Merging is blocked until sufficient time has passed for review label Jul 3, 2021
@carlocab carlocab force-pushed the cpuid-check branch 5 times, most recently from 987a3bc to 9ddf5c3 Compare July 3, 2021 21:19
Rylan12
Rylan12 approved these changes Jul 4, 2021
View reviewed changes
Copy link
Member

@Rylan12 Rylan12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me. I saw some discussion of an allowlist for this in #11608, is that still the plan?

Library/Homebrew/formula_cellar_checks.rb Outdated Show resolved Hide resolved
@carlocab
Copy link
Member Author

carlocab commented Jul 4, 2021

Makes sense to me. I saw some discussion of an allowlist for this in #11608, is that still the plan?

The allowlist was implemented in #11637.

MikeMcQuaid
MikeMcQuaid reviewed Jul 5, 2021
View reviewed changes
Library/Homebrew/formula_cellar_checks.rb
return unless Hardware::CPU.intel?

# macOS `objdump` is a bit slow, so we prioritise llvm's `llvm-objdump` (~5.7x faster)
# or binutils' `objdump` (~1.8x faster) if they are installed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do these times include the installation time of llvm or binutils? Even if so: I'm not sure it's worth installing binutils just for this rare edge-case (but could be convinced otherwise) given the potential to mess with builds.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They do not include installation time -- this is the time difference reported from running hyperfine on [llvm-]objdump -d libopenblas.dylib.

I'm fine with returning an audit failure if there is no objdump on the system -- our macOS runners have it, and I believe our Linux runners do as well.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth benchmarking the installation time as part of the "faster" times. Otherwise it's not a great comparison.

I'm fine with returning an audit failure if there is no objdump on the system -- our macOS runners have it, and I believe our Linux runners do as well.

🆒.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth benchmarking the installation time as part of the "faster" times.

I think benchmarking this would be important if we were installing something in this audit, but we no longer are. I agree that it would be a useful benchmark to have, though -- especially if we end up considering installing something for this audit down the road.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@carlocab Fine with me 👍🏻

Library/Homebrew/formula_cellar_checks.rb Outdated Show resolved Hide resolved
Library/Homebrew/formula_cellar_checks.rb Outdated Show resolved Hide resolved
@carlocab
Incorporate suggestions from feedback
63aa192 
1. Never install `binutils`. Instead, report an audit failure.
2. Tighten instruction check with a stricter matching strategy.
@carlocab
Copy link
Member Author

carlocab commented Jul 5, 2021
edited

I've skipped installing binutils and instead opted to report an audit failure when no suitable objdump is found.

I've also tightened the match for cpuid instruction to minimise false positives. (e.g. a binary executable called cpuid would pass the original audit, but would fail the updated one if it doesn't actually contain a cpuid instruction)

Rylan12
Rylan12 reviewed Jul 5, 2021
View reviewed changes
Library/Homebrew/formula_cellar_checks.rb Outdated Show resolved Hide resolved
Library/Homebrew/formula_cellar_checks.rb Outdated Show resolved Hide resolved
@carlocab @Rylan12
Apply suggestions from code review
5ed4430 
Co-authored-by: Rylan Polster <rslpolster@gmail.com>
Rylan12
Rylan12 approved these changes Jul 5, 2021
View reviewed changes
Copy link
Member

@Rylan12 Rylan12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. Thanks, @carlocab!

@BrewTestBot BrewTestBot removed the waiting for feedback Merging is blocked until sufficient time has passed for review label Jul 6, 2021
@BrewTestBot
Copy link
Member

Review period ended.

MikeMcQuaid
MikeMcQuaid approved these changes Jul 6, 2021
View reviewed changes
Library/Homebrew/formula_cellar_checks.rb
return unless Hardware::CPU.intel?

# macOS `objdump` is a bit slow, so we prioritise llvm's `llvm-objdump` (~5.7x faster)
# or binutils' `objdump` (~1.8x faster) if they are installed.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's worth benchmarking the installation time as part of the "faster" times. Otherwise it's not a great comparison.

I'm fine with returning an audit failure if there is no objdump on the system -- our macOS runners have it, and I believe our Linux runners do as well.

🆒.

@carlocab carlocab merged commit 10edae9 into Homebrew:master Jul 6, 2021
@carlocab carlocab deleted the cpuid-check branch July 6, 2021 13:29
@MikeMcQuaid
Copy link
Member

Nice work @carlocab!

@github-actions github-actions bot added the outdated PR was locked due to age label Aug 7, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 7, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

@BrewTestBot BrewTestBot BrewTestBot approved these changes

@Rylan12 Rylan12 Rylan12 approved these changes

Assignees
No one assigned
Labels
outdated PR was locked due to age
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@carlocab @BrewTestBot @MikeMcQuaid @Rylan12