Cargo.lock package order is unstable across different cargo versions #9334
Comments
|
Thanks for the report! Can you clarify a bit, though, to help reproduce this? I am unable to get Cargo to nondeterministically generate a particular lock file, the ordering of crates in a lock file is always stable given a singular version of Cargo. What I do see, however, is that stable cargo and nightly cargo are producing the different orderings. Is that the behavior you're seeing as well? Or are you seeing the same Cargo produce different versions of a lock file? |
I think you're right, I was confused because:
It would be great to have an explicit, deterministic order across cargo versions. But perhaps it's not such a priority if the order only changes between releases, and only for a few crates. |
teor2345
changed the title
|
Ok thanks for the info! This is definitely a bug in Cargo and something we strive to not have happen. This is caught up in the larger change for switching the defaults for git dependencies to the HEAD branch instead of a hardcoded The PR at fault here is #9133. The change there is that I'm unfortunately not sure what to do about this change. If we caught this soon after landing I'd say we should revert and fix this before re-landing, but this change has been out for long enough that I don't think it's as feasible to revert any more. At best all I can think of is to hopefully learn from this and ensure that this doesn't happen again in Cargo :( |
To be fair, this situation should be rare - it was actually a bug in our dependencies where we changed one crate in our workspace, rather than patching them all.
I think a revert would just create a bunch of new ordering issues. And I can understand switching to derived Thinking about this a bit more... How can you make sure the ordering doesn't change in future?
It's really tricky, we had a similar issue recently where we left a new field out of a manual It's probably not worth the effort to write a big test harness for these kinds of low-impact, low-probability bugs. But maybe a crater run with a diff would help detect future issues like this? (You might already do that!) |
|
Discussion at today's Cargo meeting concluded that we should:
This will mean that if projects have switched to using the beta/nightly lock file format they'll need to switch back (sorry about that!) but hopefully the transition period won't be too large. I've tried to add at least a small test to catch changes to this in the future as well. |
[beta] Revert #9133, moving to git HEAD dependencies by default This PR reverts #9133 on the beta branch. The reason for this is that I would like to take some more time to investigate fixing #9352 and #9334. I think those should be relatively easy to fix but I would prefer to not be too rushed with the next release happening soon. We realized today in the cargo meeting that this revert is likely to not have a ton of impact. For any projects using the v3 lock file format they'll continue to use it successfully. For projects on stable still using v2 they remain unaffected. This will ideally simply give some more time to fix these issues on nightly.
Fix disagreement about lockfile ordering on stable/nightly This commit fixes an issue where the order of packages serialized into a lock file differs on stable vs nightly. This is due to a bug introduced in #9133 where a manual `Ord` implementation was replaced with a `#[derive]`'d one. This was an unintended consequence of #9133 and means that the same lock file produced by two different versions of Cargo only differs in what order items are serialized. With #9133 being reverted soon on the current beta channel this is intended to be the nightly fix for #9334. This will hopefully mean that those projects which don't build with beta/nightly will remain unaffected, and those affected on beta/nightly will need to switch to the new nightly ordering when it's published (which matches the current stable). The reverted beta will match this ordering as well. Closes #9334
This commit restores the hash value of the crates.io `SourceId` to what it was before rust-lang#9384. In rust-lang#9384 the enum variants of `SourceKind` were reordered which accidentally changed the hash value of the `SourceId` for crates.io. A change here means that users with a new version of Cargo will have to redownload the index and all crates, which is something that we strive to avoid forcing. In changing this, though, it required a manual implementation of `Ord` to still contain the actual fix from rust-lang#9384 which is to sort `SourceKind` differently from how it's defined. I was curious as to why this was necessary since it wasn't ever necessary in the past and this led to an odd spelunking which turned up some interesting information. Turns out Rust 1.47 and after had a breaking change where Cargo would sort dependencies differently. This means that rust-lang#9334 *could* have been opened up much earlier, but it never was. We ironically only saw an issue when we fixed this regression (although we didn't realize we were fixing a regression). This means that we are now permanently codifying the regression in Cargo.
Restore crates.io's `SourceId` hash value to before This commit restores the hash value of the crates.io `SourceId` to what it was before #9384. In #9384 the enum variants of `SourceKind` were reordered which accidentally changed the hash value of the `SourceId` for crates.io. A change here means that users with a new version of Cargo will have to redownload the index and all crates, which is something that we strive to avoid forcing. In changing this, though, it required a manual implementation of `Ord` to still contain the actual fix from #9384 which is to sort `SourceKind` differently from how it's defined. I was curious as to why this was necessary since it wasn't ever necessary in the past and this led to an odd spelunking which turned up some interesting information. Turns out Rust 1.47 and after had a breaking change where Cargo would sort dependencies differently. This means that #9334 *could* have been opened up much earlier, but it never was. We ironically only saw an issue when we fixed this regression (although we didn't realize we were fixing a regression). This means that we are now permanently codifying the regression in Cargo.
Problem
When a lockfile contains multiple entries with the same package name and version, but different sources, the order of these packages in the lockfile changes between builds. (Even though the dependencies are exactly the same.)
Since our project commits the lockfile to git, these redundant changes produce commit noise, checkout conflicts, and merge conflicts.
Steps
Stable to nightly:
Nightly to stable:
Building on a different version changes the lockfile, even though there haven't been any dependency changes.
Note:
cargojust needs to do dependency resolution, so acargo checkshould work just as well as a build.Possible Solution(s)
Notes
Output of
cargo version:The text was updated successfully, but these errors were encountered: