Bootstrappability should be a must #197
Comments
|
Are the ideas applicable to rustc's own bootstrap, and are the appropriate issues open upstream? |
|
Clang also relies on LLVM, so why should Rust be different? |
|
LLVM and GCC can bootstrap each other using relatively old versions of the other as far as I know. Older versions of GCC can be bootstrapped using a small C compiler like tinyc in just a few steps. Rustc can only be bootstrapped using the previous version of rustc, requiring each step in between the rustc version used for bootstrapping and the rustc you want to compiled. Mrustc recently got support for bootstrapping rust 1.39.0 reducing the amount of steps necessary for bootstrapping: https://old.reddit.com/r/rust/comments/mjxbaz/mrustc_upgrade_rustc_1390/ There is also the gccrs project aiming to make a rust frontend for GCC. |
|
Can we have some reasons from the 8 people who think that bootstrappability is dispensable? I stand with those who think that a solid foundation is indispensable, and that further compromission of the Linux kernel will only accelerate its growing crashiness. |
|
I don't understand what bootstrappability has to with trust and reproducibility. C is an old and simple language, that is not changing very much. I'm happy that we have something like mrustc, but for some (maybe long) time it will be just a rustc bootstrapper, not a fully-fledged Rust compiler |
The most basic argument to reply with here is Thompson's turing award lecture "Trusting trust". Here's a PoC of it on rustc (although it works on any compiler, as it's a theoretical attack): P.S. I believe the discussion you're starting about features, complexity and instability should also happen. (in another thread) |
|
I give a thumb down because I don't agree with "mrustc apparently only works on backdoored x86 platforms". Making claim about the entire x86 ISA is crazy to me. First, x86 is not a specific implementation. There are many companies producing x86 chips (Intel, AMD, VIA, etc) for ages. You can certainly get a chip without Intel ME or AMD PSP and use that. If you cannot trust any of these companies, you certainly cannot trust ARM or MIPS, and all cannot even trust on open source CPU because you can make claims like EDA tools or FPGAs are controlled by an untrusted company. Secondly, even if we assume that there is a trustworthy platform and it is not x86, you can still use GCC to cross-compile mrustc to x86, and use QEMU to run it. Saying mrustc is not worthy because it only supports x86 is just nonsense. So yeah, I vote down because you CAN bootstrap rust compiler without any binary. The bootstrapping chain is certainly long and it took a while from mrustc to the latest rustc, but it is not difficult. There are distributions that are already bootstrapping rustc without pre-built binary. |
|
nbdd0121, thanks for specifying! Indeed I do not know of backdoors in the x86_64 ISA itself as of yet, although I do know of backdoors in many of the faster real-world implementations of that ISA. And to be complete, I do not know of any proof of absence of any backdoor in either the x86_64 ISA, or in any real-world implementation of it. Ignorance is just ignorance, it is not reassurance in itself. (if we're going down that rabbit hole: irrefutable statements cannot be disproven any more than they can be proven, so we're back to square one) However, the present issue is not possibility but feasibility/tractability:
The people in support of this issue believe it's a major concern that the bootstrap will:
In summary: the motivation of opening this issue is to ask for a high guarantee level that bootstrapping will not only be theoretically possible, but also feasible by individuals in the real world without prohibitive requirements. And if I had to set a bound on the goal here, although I'm not a fan of comparisons, the process complexity and required computational resources of the bootstrap of Rust should remain in the order of magnitude of that of the bootstrap of a C (or, fine, a C++) compiler. |
|
Once you get a version of rustc, you are not tied to a specific ISA. You can do cross-compilation after that. While I agree that a easier bootstrapping path is desirable, I don't see it as a must and certainly it shouldn't block progress of using Rust in projects like Linux. Memory bugs are a more imminent threat in my opinion. And it is not like people aren't trying to make bootstrapping easier. Projects like mrustc and gcc-rs can certainly help in this direction. If someone is particular concerning about bootstrapping time they can help to improve mrustc so it supports a newer Rust version or a different ISA. |
Not really, you still need to compile LLVM |
I attempted to do so almost a year ago, failed to get a usable rustc, and my partial improvements went ignored by mrustc's maintainer. |
Compiling a working rustc that can bootstrap itself using rustc_codegen_cranelift is possible (I have a CI job for this), but is awfully slow due to a lack of optimizations, I am not sure the cg_clif version matching the latest rustc version supported by mrustc can bootstrap rustc and only x86_64 is supported at the moment. Cross-compiling LLVM shouldn't be much harder than cross-compiling arbitrary programs using rustc I think as rustc needs a compiler toolchain for the target anyway to provide a linker. Once you have the compiler toolchain for the target (linker and C++ compiler) the build system of rustc automatically builds LLVM for the target unless you explicitly point it to an existing LLVM installation. |
|
Closing since it is not a technical issue (please use the mailing list for discussions like this). |
We got issue as follows: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:389! invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 9 PID: 131 Comm: kworker/9:1 Not tainted 5.17.0-862.14.0.6.x86_64-00001-g23f87daf7d74-dirty #197 Workqueue: events flush_stashed_error_work RIP: 0010:start_this_handle+0x41c/0x1160 RSP: 0018:ffff888106b47c20 EFLAGS: 00010202 RAX: ffffed10251b8400 RBX: ffff888128dc204c RCX: ffffffffb52972ac RDX: 0000000000000200 RSI: 0000000000000004 RDI: ffff888128dc2050 RBP: 0000000000000039 R08: 0000000000000001 R09: ffffed10251b840a R10: ffff888128dc204f R11: ffffed10251b8409 R12: ffff888116d78000 R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888128dc2000 FS: 0000000000000000(0000) GS:ffff88839d680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000001620068 CR3: 0000000376c0e000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> jbd2__journal_start+0x38a/0x790 jbd2_journal_start+0x19/0x20 flush_stashed_error_work+0x110/0x2b3 process_one_work+0x688/0x1080 worker_thread+0x8b/0xc50 kthread+0x26f/0x310 ret_from_fork+0x22/0x30 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- Above issue may happen as follows: umount read procfs error_work ext4_put_super flush_work(&sbi->s_error_work); ext4_mb_seq_groups_show ext4_mb_load_buddy_gfp ext4_mb_init_group ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_validate_block_bitmap ext4_error ext4_handle_error schedule_work(&EXT4_SB(sb)->s_error_work); ext4_unregister_sysfs(sb); jbd2_journal_destroy(sbi->s_journal); journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; flush_stashed_error_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT); To solve this issue, we call 'ext4_unregister_sysfs() before flushing s_error_work in ext4_put_super(). Signed-off-by: Ye Bin <[email protected]> Reviewed-by: Jan Kara <[email protected]> Reviewed-by: Ritesh Harjani <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Theodore Ts'o <[email protected]>
Fix invalid access to pgdat during hot-remove operation: ndctl users reported a GPF when trying to destroy a namespace: $ ndctl destroy-namespace all -r all -f Segmentation fault dmesg: Oops: general protection fault, probably for non-canonical address 0xdffffc0000005650: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: probably user-memory-access in range [0x000000000002b280-0x000000000002b287] CPU: 26 UID: 0 PID: 1868 Comm: ndctl Not tainted 6.11.0-rc1 #1 Hardware name: Dell Inc. PowerEdge R640/08HT8T, BIOS 2.20.1 09/13/2023 RIP: 0010:mod_node_page_state+0x2a/0x110 cxl-test users report a GPF when trying to unload the test module: $ modrpobe -r cxl-test dmesg BUG: unable to handle page fault for address: 0000000000004200 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 UID: 0 PID: 1076 Comm: modprobe Tainted: G O N 6.11.0-rc1 #197 Tainted: [O]=OOT_MODULE, [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/15 RIP: 0010:mod_node_page_state+0x6/0x90 Currently, when memory is hot-plugged or hot-removed the accounting is done based on the assumption that memmap is allocated from the same node as the hot-plugged/hot-removed memory, which is not always the case. In addition, there are challenges with keeping the node id of the memory that is being remove to the time when memmap accounting is actually performed: since this is done after remove_pfn_range_from_zone(), and also after remove_memory_block_devices(). Meaning that we cannot use pgdat nor walking though memblocks to get the nid. Given all of that, account the memmap overhead system wide instead. For this we are going to be using global atomic counters, but given that memmap size is rarely modified, and normally is only modified either during early boot when there is only one CPU, or under a hotplug global mutex lock, therefore there is no need for per-cpu optimizations. Also, while we are here rename nr_memmap to nr_memmap_pages, and nr_memmap_boot to nr_memmap_boot_pages to be self explanatory that the units are in page count. [[email protected]: address a few nits from David Hildenbrand] Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Fixes: 15995a3 ("mm: report per-page metadata information") Signed-off-by: Pasha Tatashin <[email protected]> Reported-by: Yi Zhang <[email protected]> Closes: https://lore.kernel.org/linux-cxl/CAHj4cs9Ax1=CoJkgBGP_+sNu6-6=6v=_L-ZBZY0bVLD3wUWZQg@mail.gmail.com Reported-by: Alison Schofield <[email protected]> Closes: https://lore.kernel.org/linux-mm/Zq0tPd2h6alFz8XF@aschofie-mobl2/#t Tested-by: Dan Williams <[email protected]> Tested-by: Alison Schofield <[email protected]> Acked-by: David Hildenbrand <[email protected]> Acked-by: David Rientjes <[email protected]> Tested-by: Yi Zhang <[email protected]> Cc: Domenico Cerasuolo <[email protected]> Cc: Fan Ni <[email protected]> Cc: Joel Granados <[email protected]> Cc: Johannes Weiner <[email protected]> Cc: Li Zhijian <[email protected]> Cc: Matthew Wilcox (Oracle) <[email protected]> Cc: Mike Rapoport <[email protected]> Cc: Muchun Song <[email protected]> Cc: Nhat Pham <[email protected]> Cc: Sourav Panda <[email protected]> Cc: Vlastimil Babka <[email protected]> Cc: Yosry Ahmed <[email protected]> Signed-off-by: Andrew Morton <[email protected]>
Until it's possible to bootstrap a Rust compiler without ANY third-party binaries, Rust shouldn't be used in something as essential as Linux.
Today, it doesn't seem possible (mrustc apparently only works on backdoored x86 platforms). If possible, it is certainly unreasonably difficult.
The text was updated successfully, but these errors were encountered: