geiger-rs / cargo-geiger

Detects usage of unsafe Rust in a Rust crate and its dependencies.
https://crates.io/crates/cargo-geiger

Panic when adding 'tempfile' dependency #493

Closed mbuesch closed 11 months ago

mbuesch commented 11 months ago

cargo-geiger crashes if I add the 'tempfile' dependency to a project:

$ RUST_BACKTRACE=1 cargo geiger -v
thread 'main' panicked at /.../.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-0.69.1/src/cargo/core/package.rs:708:9:
assertion failed: self.pending_ids.insert(id)
stack backtrace:
   0: rust_begin_unwind
             at /rustc/a28077b28a02b92985b3a3faecf92813155f1ea1/library/std/src/panicking.rs:597:5
   1: core::panicking::panic_fmt
             at /rustc/a28077b28a02b92985b3a3faecf92813155f1ea1/library/core/src/panicking.rs:72:14
   2: core::panicking::panic
             at /rustc/a28077b28a02b92985b3a3faecf92813155f1ea1/library/core/src/panicking.rs:127:5
   3: cargo::core::package::Downloads::start
   4: cargo::core::package::PackageSet::get_many
   5: cargo::ops::cargo_clean::clean
   6: cargo_geiger::scan::rs_file::resolve_rs_file_deps
   7: cargo_geiger::scan::default::scan
   8: cargo_geiger::scan::default::table::scan_to_table
   9: cargo_geiger::scan::default::scan_unsafe
  10: cargo_geiger::scan::scan
  11: cargo_geiger::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

How to reproduce?

cargo new geigertest
cd geigertest
cargo add tempfile
# tempfile v3.8.1
cargo geiger
# crash

Versions

$ cargo geiger --version
cargo-geiger 0.11.6
$ rustc --version
rustc 1.74.1 (a28077b28 2023-12-04)
$ cargo --version
cargo 1.74.1 (ecb9851af 2023-10-18)

pinkforest commented 11 months ago

Please build & install v0.11.7 using --locked from git:

cargo install --profile release --locked --git https://github.com/geiger-rs/cargo-geiger cargo-geiger

Or use one of the pre-built binaries https://github.com/geiger-rs/cargo-geiger/releases/tag/cargo-geiger%40v0.11.7

I cannot replicate this problem by using --locked and / or 0.11.7

install

$ cargo install --profile release --locked --git https://github.com/geiger-rs/cargo-geiger cargo-geiger
    Updating git repository `https://github.com/geiger-rs/cargo-geiger`

runtime

$ cargo geiger --version
cargo-geiger 0.11.7
$ cargo new geigertest
     Created binary (application) `geigertest` package
$ cd geigertest
$ cargo add tempfile
    Updating crates.io index
      Adding tempfile v3.8.1 to dependencies.
             Features:
             - nightly
    Updating crates.io index
$ cargo geiger
     Removed 0 files
   Compiling rustix v0.38.28
    Checking bitflags v2.4.1
...
    Finished dev [unoptimized + debuginfo] target(s) in 1.15s
    Scanning done

Metric output format: x/y
    x = unsafe code used by the build
    y = total unsafe code found in the crate

Symbols:
    🔒  = No `unsafe` usage found, declares #![forbid(unsafe_code)]
    ❓  = No `unsafe` usage found, missing #![forbid(unsafe_code)]
    ☒️   = `unsafe` usage found

Functions  Expressions  Impls  Traits  Methods  Dependency

0/0        0/0          0/0    0/0     0/0      ❓ geigertest 0.1.0
0/0        0/46         0/0    0/0     0/0      ❓ └── tempfile 3.8.1
0/0        0/0          0/0    0/0     0/0      ❓     ├── cfg-if 1.0.0
0/0        0/0          0/0    0/0     0/0      🔒     ├── fastrand 2.0.1
38/381     696/7079     5/8    1/1     15/35    ☒️      └── rustix 0.38.28
0/0        0/0          0/0    0/0     0/0      ❓         ├── bitflags 2.4.1
0/0        0/103        0/0    0/0     0/0      ❓         ├── errno 0.3.8
0/90       0/582        0/2    0/0     0/63     ❓         │   └── libc 0.2.151
0/90       0/582        0/2    0/0     0/63     ❓         ├── libc 0.2.151
10/10      188/4427     0/0    0/0     2/236    ☒️          └── linux-raw-sys 0.4.12

48/481     884/12237    5/10   1/1     17/334

$ 

I tried several cargo runtimes and didn't replicate it on any of the platforms I have available.

This problem occurred in installs not using --locked, relating to some unlocked dependency used at build time that is incompatible with newer cargo runtimes - thus build logs are needed to see what is going on.
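
An added example, not cargo-geiger's own code: it parses the report table printed above (the x/y cells, the 🔒/❓ symbol column and the tree glyphs) and lists the dependencies from which the build actually compiles `unsafe` code, i.e. any x > 0. The sample table is the one from the run in this thread; the header and totals lines are skipped by the parser.

```rust
// Added example (not cargo-geiger code): parse its report table and list crates whose x > 0.
#[derive(Debug, Clone, PartialEq)]
pub struct Metric { pub used: u32, pub total: u32 }   // one x/y cell
#[derive(Debug, Clone, PartialEq)]
pub struct CrateRow {
    pub name: String,
    pub version: String,
    pub forbids_unsafe: bool,   // 🔒 symbol: crate declares #![forbid(unsafe_code)]
    pub metrics: [Metric; 5],   // functions, expressions, impls, traits, methods
}
fn parse_metric(s: &str) -> Option<Metric> {
    let (x, y) = s.split_once('/')?;
    Some(Metric { used: x.parse().ok()?, total: y.parse().ok()? })
}
/// One table row -> CrateRow; header, legend, blank and totals lines yield None.
pub fn parse_row(line: &str) -> Option<CrateRow> {
    let tok: Vec<&str> = line.split_whitespace().collect();
    if tok.len() < 8 { return None; }   // 5 metrics + symbol + name + version at least
    let m: Vec<Metric> = tok[..5].iter().map(|t| parse_metric(t)).collect::<Option<_>>()?;
    Some(CrateRow {
        name: tok[tok.len() - 2].to_string(),   // tree glyphs sit between symbol and name
        version: tok[tok.len() - 1].to_string(),
        forbids_unsafe: tok[5] == "🔒",
        metrics: m.try_into().ok()?,
    })
}
pub fn parse_report(text: &str) -> Vec<CrateRow> {
    text.lines().filter_map(parse_row).collect()
}
/// Crates from which the build actually compiles `unsafe` (any x > 0), in tree order.
pub fn unsafe_used_in_build(rows: &[CrateRow]) -> Vec<String> {
    rows.iter().filter(|r| r.metrics.iter().any(|m| m.used > 0)).map(|r| r.name.clone()).collect()
}
/// Sample input: the table from the `cargo geiger` run shown in this thread.
pub const SAMPLE: &str = "\
Functions  Expressions  Impls  Traits  Methods  Dependency
0/0        0/0          0/0    0/0     0/0      ❓ geigertest 0.1.0
0/0        0/46         0/0    0/0     0/0      ❓ └── tempfile 3.8.1
0/0        0/0          0/0    0/0     0/0      ❓     ├── cfg-if 1.0.0
0/0        0/0          0/0    0/0     0/0      🔒     ├── fastrand 2.0.1
38/381     696/7079     5/8    1/1     15/35    ☒️      └── rustix 0.38.28
0/0        0/0          0/0    0/0     0/0      ❓         ├── bitflags 2.4.1
0/0        0/103        0/0    0/0     0/0      ❓         ├── errno 0.3.8
0/90       0/582        0/2    0/0     0/63     ❓         │   └── libc 0.2.151
0/90       0/582        0/2    0/0     0/63     ❓         ├── libc 0.2.151
10/10      188/4427     0/0    0/0     2/236    ☒️          └── linux-raw-sys 0.4.12
48/481     884/12237    5/10   1/1     17/334";
fn main() {
    for name in unsafe_used_in_build(&parse_report(SAMPLE)) { println!("unsafe compiled from {name}"); }
}
```

For the sample above it reports rustix and linux-raw-sys, the two crates whose unsafe code the build actually uses, while libc and errno only contain unsafe that this build does not reach.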

mbuesch commented 11 months ago

I cannot replicate this problem by using --locked and / or 0.11.7

Ok, well I installed the latest version from crates.io. I was not aware that the version from crates.io is outdated.

pinkforest commented 11 months ago

The current crates.io version is fine, but you need to use --locked, as there was some transient build dep change that broke the runtime in newer cargo runtimes - as we use cargo both as a library as well as at binary runtime, which complicates things.

I just want to test with the newest version from git, which has not been published to crates.io yet but is about to be.

mbuesch commented 11 months ago

I just want to test in the newest version from git which has not been published yet

Yes, with git it doesn't crash.

pinkforest commented 11 months ago

Thanks for confirming - Closing as resolved - Will publish to crates.io the documentation fix to use --locked soon.