rustc: Stop passing --allow-undefined on wasm targets

[alexcrichton]

View all comments

This commit updates how the linker is invoked on WebAssembly targets (all of them) to avoid passing the --allow-undefined flag to the linker. Historically, if I remember this correctly, when wasm-ld was first integrated this was practically required because at the time it was otherwise impossible to import a function from the host into a wasm binary. Or, at least, I'm pretty sure that was why this was added.

At the time, as the documentation around this option indicates, it was known that this was going to be a hazard. This doesn't match behavior on native, for example, and can easily paper over what should be a linker error with some sort of other obscure runtime error. An example is that this program currently compiles and links, it just prints null:

unsafe extern "C" {
    static nonexistent: u8;
}

fn main() {
    println!("{:?}", &raw const nonexistent);
}

This can easily lead to mistakes like rust-lang/libc#4880 and defer what should be a compile-time link error to weird or unusual behavior at link time. Additionally, in the intervening time since wasm-ld was first introduced here, lots has changed and notably this program works as expected:

#[link(wasm_import_module = "host")]
unsafe extern "C" {
    fn foo();
}

fn main() {
    unsafe {
        foo();
    }
}

This continues to compile without error and the final wasm binary indeed has an imported function from the host. This program:

unsafe extern "C" {
    fn foo();
}

fn main() {
    unsafe {
        foo();
    }
}

this currently compiles successfully and emits an import from the env module. After this change, however, this will fail to compile with a link error stating that the foo symbol is not defined.

[rustbot]

These commits modify compiler targets.
(See the Target Tier Policy.)

[rustbot]

r? @jackh726

rustbot has assigned @jackh726.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[alexcrichton]

I'll clarify that process-wise I'm not exactly sure how to approach this. This is highly likely to break projects in practice but I don't know how to evaluate the quantity or breadth of breakage. If it's possible to do a wasm crater run or something like that I'd be happy to triage the results and/or send PRs to upstream projects.

In the meantime though I wanted to get this on the radar as I should have done this ~years ago and it's long overdue that this change is made for wasm (my fault)

[Mark-Simulacrum]

It should be possible to run Crater with a custom target (https://github.com/rust-lang/crater/blob/master/docs/bot-usage.md#specifying-toolchains). I'll kick off a try job with the right artifacts (I think) at least. I'm not sure how much that will actually be helpful though in terms of what % of crates are actually supposed to build and do build for wasm32.

One thought is that we could possibly phase this in for at least the wasi targets with the next preview (p4?) assuming that is coming down the line, or in theory with an edition of the leaf crate, but neither feel like amazing options.

One other thought is that we could maybe FCW lint if we run the linker without --allow-undefined and if that fails re-run again with it, and if that works then emit a lint? Not sure how reliable the failure is.

@bors try jobs=dist-x86_64-linux,dist-various-*

[rust-bors]

☀️ Try build successful (CI)
Build commit: 23647e6 (23647e694de8d0904848ad068b2e0ec2dd098c37, parent: f5209000832c9d3bc29c91f4daef4ca9f28dc797)

[alexcrichton]

Oh nice! I'll attempt that here and see how it goes...

@craterbot run start=master#f5209000832c9d3bc29c91f4daef4ca9f28dc797+target=wasm32-wasip1 end=try#23647e694de8d0904848ad068b2e0ec2dd098c37+target=wasm32-wasip1 mode=build-only

One thought is that we could possibly phase this in for at least the wasi targets with the next preview ...

One other thought is that we could maybe FCW lint if we run the linker without --allow-undefined and if that fails re-run again with it, and if that works then emit a lint?

Agreed! I figure we can await the crater results and see if that provides a good signal of which path to take here, as I don't feel I have a great gut feeling myself here.

[craterbot]

👌 Experiment pr-149868 created and queued.
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🚧 Experiment pr-149868 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🎉 Experiment pr-149868 is completed!
📊 4983 regressed and 0 fixed (757534 total)
📊 1158 spurious results on the retry-regressed-list.txt, consider a retry¹ if this is a significant amount.
📰 Open the summary report.

⚠️ If you notice any spurious failure please add them to the denylist!
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

Footnotes

1. re-run the experiment with crates=https://crater-reports.s3.amazonaws.com/pr-149868/retry-regressed-list.txt ↩

[alexcrichton]

Ok going through some of the failures there. First thing I'm seing is that Crater's dependency analysis won't work for this change because the build failure will always be at the end with some sort of linked artifact as opposed to when the dependency is compiled itself. For example with this report there are undefined symbols in the cosmwasm_std crate but the error log is for https://github.com/DKing2132/counter.

The next thing I'm seeing is that Crater isn't actually configured for wasm cross-compilation in the sense that if a crate compiles C code that will have worked before by accident. Both before/after Crater is compiling C code with the native cc compiler (I believe) which means that the wasm linker just skips the non-wasm-object files and rejects them. Previously this ended up in a successfully linked executable (but with more symbol dependencies) where after it's now a proper link error (due to the symbols not being defined). An example is this crate where the build script in question uses the cc crate which should do the right thing for wasm so long as a wasm compiler is configured (which, as expected, it isn't)

With these combined I think unfortunately that the Crater report is too noisy to draw any information from. The real "regression" here in a sense is the risk of someone using extern "C" { fn foo(); } as the ability to generate (import "env" "foo" (func)) in a wasm binary where that'll need to be annotated with #[link(wasm_import_module = "env")] now instead.

@Mark-Simulacrum is there perhaps historical precedence for approaching a crater report like this? Maybe not wasm-specific but one where it's a possibly-breaking change but crater isn't able to effectively diagnose the breadth/scale of the possible breakage.

[Mark-Simulacrum]

Hm, I'm not sure. If there's something we can get the compiler to dump to it's output (e.g., externs without a wasm import module annotation?) we can do analysis of that offline via the tarballs crater produces which contain all the output files (both for regressed and non-regressed crates).

In your example, how did "env" end up in the import with allow-undefined? Or does it end up as some kind of star module import?

[alexcrichton]

Would it be possible to install wasi-sdk on the crater image that tests are built in? That'd probably be the best way to reduce the noise here because it would at least get properly configured scenarios back-to-working instead of accidentally looking like regressions.

The specific regression this PR might introduce is that, today, this code:

unsafe extern "C" {
    fn foo();
}

fn main() {
    unsafe {
        foo();
    }
}

introduces, in the final wasm binary, (import "env" "foo" (func)). This can either (a) be a mistake that foo should have been defined in C or something like that, or (b) it could be intentional and the location this binary is embedded handles this during instantiation. In the case of (a) the crate probably never built on wasm before anyway since it would be unusable due to users not knowing how to fulfill this symbol. In the case of (b), however, after this PR it would be required to add #[link(wasm_import_module = "env")] to the declaration.

In your example, how did "env" end up in the import with allow-undefined?

What's hapening here on crater is that crates have the definition above, unsafe extern "C" { fn foo(); } and this is referring to some auxiliary code built in build.rs. The intention is to link to C, but on crater there's no wasi-sdk configured so the C code is compiled with the host native compiler. During linking the object files are ignored (with warnings). This means that the C symbol foo is undefined, so with --allow-undefined, before this PR, that ends up emitting a wasm binary with the "env" export.

[Mark-Simulacrum]

Would it be possible to install wasi-sdk on the crater image that tests are built in?

Probably. Crater uses the same images as docs.rs I believe, so that's a PR to https://github.com/rust-lang/crates-build-env.

after this PR it would be required to add #[link(wasm_import_module = "env")] to the declaration.

It seems like the alternative (without requiring source modification to unblock) is for users to pass something like RUSTFLAGS=-Clink-arg=-Wl,--allow-undefined? Does that seem plausible? I think that might be a fairly reasonable bar if we document that in the compat notes for whatever release this ends up in...

Are there 'popular' wasm projects we could check against to see if their dependency trees have any of the implicit import business?

the "env" export.

I think perhaps my question wasn't clear, but I'm wondering why this is "env" and not (say) "environment". I searched in https://webassembly.github.io/spec/core/search.html?q=%22env%22 for "env" but I don't see anything there that looks relevant... is it just the default in lld?

[alexcrichton]

Oh nice! If I send a PR to that repo, and it gets merged, would a rerun in crater automatically pick that up? Or, if we're ok with release notes, should I perhaps do this in parallel to landing this change?

And, yes, fixing the issue would be a RUSTFLAGS away, and I would definitely be happy to write up information on that for release notes. For popular projects I'm not actually sure. For example wasm-bindgen wouldn't work if something unexpectedly imported from "env" (JS wouldn't be able to instantaite), and anything WASI related also wouldn't be able to instantiate. Given that I'm mostly worried about niche things we're not aware of, so I don't know what projects would be off the top of my head.

I don't see anything there that looks relevant... is it just the default in lld?

Oh sorry for misunderstanding! Yes, this is just an LLD default. Without anything else specified it uses "env". I believe that's inherited from the Emscripten days.

[Manishearth]

Hmm, ICU4X was using undefined symbols on wasm32-unknown-unknown so that we can hook things into the importObject parameter of instantiate()

See: https://github.com/rust-diplomat/diplomat/blob/main/runtime/src/wasm_glue.rs#L48

This breaks that; I'm still investigating and plan to produce a reduced testcase but as far as I can tell this is exactly the use case for --allow-undefined: being able to have unlinked symbols that get linked in by WebAssembly.instantiate().

[alexcrichton]

@Manishearth does the workaround listed here, to use #[link(wasm_import_module = "env")], work for your use case?

[Manishearth]

Ah, somehow I misread that entirely. Thanks!

[EvanCarroll]

I found breakage from this, currently suspecting https://github.com/WorldSEnder/wasm-split-prototype but filed bug in Leptos here leptos-rs/cargo-leptos#642

[WorldSEnder]

@alexcrichton Requiring #[wasm_import_module] seems reasonable. Is it documented somewhere that only extern "C" ABI is supported by it? I'm trying to find out why we couldn't annotate extern "Rust" (or any other for that matter, such as "C-unwind") blocks in the same way.

[alexcrichton]

For extern "Rust", my impression is that it's basically UB to use that. There's no definition of the Rust ABI and nor is there likely to ever be (as far as I know). That means that you likely do not want that ABI. That it doesn't work with extern "Rust" is not necessarily intentional but I also wouldn't consider that something to fix.

For extern "C-unwind" can you share the code that doesn't work? Locally using C-unwind with wasm_import_module works for me.

[WorldSEnder]

@alexcrichton for the wasm-split case, I would think that extern "Rust" would be fine. An exported function is used as an alias for an imported function with the same signature. Since they are both in the same binary and build artifact, I would think that the ABI is stable enough. None of the usual arguments like "could depend on build flags, compiler version, time of day" would apply. Correct me I'm wrong though.

Can confirm that "C-unwind" seems to work as expected now on newest nightly. At least surface level, I'm going to have to play a bit more with actually configuring panic=unwind now that we have wasm 3.0

[alexcrichton]

Oh! No yeah that's a good point, I naively assumed that all imports are satisfied by JS/the host but you're right that another wasm module could be used. For that I think it's "just a bug" that extern "Rust" isn't supported, although I'm not sure where in the compiler that would live. Could you open a dedicated issue for this?