]> git.proxmox.com Git - rustc.git/blob - src/tools/tidy/src/deps.rs
projects / rustc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
New upstream version 1.61.0+dfsg1
[rustc.git] / src / tools / tidy / src / deps.rs
1 //! Checks the licenses of third-party dependencies.
2
3 use cargo_metadata::{Metadata, Package, PackageId, Resolve};
4 use std::collections::{BTreeSet, HashSet};
5 use std::path::Path;
6
7 /// These are licenses that are allowed for all crates, including the runtime,
8 /// rustc, tools, etc.
9 const LICENSES: &[&str] = &[
10 "MIT/Apache-2.0",
11 "MIT / Apache-2.0",
12 "Apache-2.0/MIT",
13 "Apache-2.0 / MIT",
14 "MIT OR Apache-2.0",
15 "Apache-2.0 OR MIT",
16 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
17 "MIT",
18 "ISC",
19 "Unlicense/MIT",
20 "Unlicense OR MIT",
21 "0BSD OR MIT OR Apache-2.0", // adler license
22 "Zlib OR Apache-2.0 OR MIT", // tinyvec
23 ];
24
25 /// These are exceptions to Rust's permissive licensing policy, and
26 /// should be considered bugs. Exceptions are only allowed in Rust
27 /// tooling. It is _crucial_ that no exception crates be dependencies
28 /// of the Rust runtime (std/test).
29 const EXCEPTIONS: &[(&str, &str)] = &[
30 ("mdbook", "MPL-2.0"), // mdbook
31 ("openssl", "Apache-2.0"), // cargo, mdbook
32 ("colored", "MPL-2.0"), // rustfmt
33 ("ordslice", "Apache-2.0"), // rls
34 ("ryu", "Apache-2.0 OR BSL-1.0"), // rls/cargo/... (because of serde)
35 ("bytesize", "Apache-2.0"), // cargo
36 ("im-rc", "MPL-2.0+"), // cargo
37 ("sized-chunks", "MPL-2.0+"), // cargo via im-rc
38 ("bitmaps", "MPL-2.0+"), // cargo via im-rc
39 ("instant", "BSD-3-Clause"), // rustc_driver/tracing-subscriber/parking_lot
40 ("snap", "BSD-3-Clause"), // rustc
41 // FIXME: this dependency violates the documentation comment above:
42 ("fortanix-sgx-abi", "MPL-2.0"), // libstd but only for `sgx` target
43 ];
44
45 const EXCEPTIONS_CRANELIFT: &[(&str, &str)] = &[
46 ("cranelift-bforest", "Apache-2.0 WITH LLVM-exception"),
47 ("cranelift-codegen", "Apache-2.0 WITH LLVM-exception"),
48 ("cranelift-codegen-meta", "Apache-2.0 WITH LLVM-exception"),
49 ("cranelift-codegen-shared", "Apache-2.0 WITH LLVM-exception"),
50 ("cranelift-entity", "Apache-2.0 WITH LLVM-exception"),
51 ("cranelift-frontend", "Apache-2.0 WITH LLVM-exception"),
52 ("cranelift-jit", "Apache-2.0 WITH LLVM-exception"),
53 ("cranelift-module", "Apache-2.0 WITH LLVM-exception"),
54 ("cranelift-native", "Apache-2.0 WITH LLVM-exception"),
55 ("cranelift-object", "Apache-2.0 WITH LLVM-exception"),
56 ("mach", "BSD-2-Clause"),
57 ("regalloc", "Apache-2.0 WITH LLVM-exception"),
58 ("target-lexicon", "Apache-2.0 WITH LLVM-exception"),
59 ];
60
61 /// These are the root crates that are part of the runtime. The licenses for
62 /// these and all their dependencies *must not* be in the exception list.
63 const RUNTIME_CRATES: &[&str] = &["std", "core", "alloc", "test", "panic_abort", "panic_unwind"];
64
65 /// Crates whose dependencies must be explicitly permitted.
66 const RESTRICTED_DEPENDENCY_CRATES: &[&str] = &["rustc_driver", "rustc_codegen_llvm"];
67
68 /// Crates rustc is allowed to depend on. Avoid adding to the list if possible.
69 ///
70 /// This list is here to provide a speed-bump to adding a new dependency to
71 /// rustc. Please check with the compiler team before adding an entry.
72 const PERMITTED_DEPENDENCIES: &[&str] = &[
73 "addr2line",
74 "adler",
75 "ahash",
76 "aho-corasick",
77 "annotate-snippets",
78 "ansi_term",
79 "arrayvec",
80 "atty",
81 "autocfg",
82 "bitflags",
83 "block-buffer",
84 "block-padding",
85 "byte-tools",
86 "byteorder",
87 "cc",
88 "cfg-if",
89 "chalk-derive",
90 "chalk-engine",
91 "chalk-ir",
92 "chalk-solve",
93 "chrono",
94 "cmake",
95 "compiler_builtins",
96 "cpufeatures",
97 "crc32fast",
98 "crossbeam-deque",
99 "crossbeam-epoch",
100 "crossbeam-utils",
101 "crypto-common",
102 "cstr",
103 "datafrog",
104 "difference",
105 "digest",
106 "dlmalloc",
107 "either",
108 "ena",
109 "env_logger",
110 "expect-test",
111 "fake-simd",
112 "fallible-iterator", // dependency of `thorin`
113 "filetime",
114 "fixedbitset",
115 "flate2",
116 "fortanix-sgx-abi",
117 "generic-array",
118 "getopts",
119 "getrandom",
120 "gimli",
121 "gsgdt",
122 "hashbrown",
123 "hermit-abi",
124 "humantime",
125 "if_chain",
126 "indexmap",
127 "instant",
128 "itertools",
129 "itoa",
130 "jobserver",
131 "lazy_static",
132 "libc",
133 "libloading",
134 "libz-sys",
135 "lock_api",
136 "log",
137 "matchers",
138 "md-5",
139 "measureme",
140 "memchr",
141 "memmap2",
142 "memoffset",
143 "miniz_oxide",
144 "num-integer",
145 "num-traits",
146 "num_cpus",
147 "object",
148 "odht",
149 "once_cell",
150 "opaque-debug",
151 "parking_lot",
152 "parking_lot_core",
153 "pathdiff",
154 "perf-event-open-sys",
155 "petgraph",
156 "pin-project-lite",
157 "pkg-config",
158 "polonius-engine",
159 "ppv-lite86",
160 "proc-macro2",
161 "psm",
162 "punycode",
163 "quick-error",
164 "quote",
165 "rand",
166 "rand_chacha",
167 "rand_core",
168 "rand_hc",
169 "rand_pcg",
170 "rand_xorshift",
171 "rand_xoshiro",
172 "redox_syscall",
173 "regex",
174 "regex-automata",
175 "regex-syntax",
176 "remove_dir_all",
177 "rls-data",
178 "rls-span",
179 "rustc-demangle",
180 "rustc-hash",
181 "rustc-rayon",
182 "rustc-rayon-core",
183 "rustc_version",
184 "ryu",
185 "scoped-tls",
186 "scopeguard",
187 "semver",
188 "serde",
189 "serde_derive",
190 "serde_json",
191 "sha-1",
192 "sha2",
193 "sharded-slab",
194 "smallvec",
195 "snap",
196 "stable_deref_trait",
197 "stacker",
198 "syn",
199 "synstructure",
200 "tempfile",
201 "termcolor",
202 "termize",
203 "thorin-dwp",
204 "thread_local",
205 "time",
206 "tinyvec",
207 "tracing",
208 "tracing-attributes",
209 "tracing-core",
210 "tracing-log",
211 "tracing-subscriber",
212 "tracing-tree",
213 "typenum",
214 "unic-char-property",
215 "unic-char-range",
216 "unic-common",
217 "unic-emoji-char",
218 "unic-ucd-version",
219 "unicode-normalization",
220 "unicode-script",
221 "unicode-security",
222 "unicode-width",
223 "unicode-xid",
224 "vcpkg",
225 "version_check",
226 "wasi",
227 "winapi",
228 "winapi-i686-pc-windows-gnu",
229 "winapi-util",
230 "winapi-x86_64-pc-windows-gnu",
231 // this is a false-positive: it's only used by rustfmt, but because it's enabled through a feature, tidy thinks it's used by rustc as well.
232 "yansi-term",
233 ];
234
235 const PERMITTED_CRANELIFT_DEPENDENCIES: &[&str] = &[
236 "anyhow",
237 "ar",
238 "autocfg",
239 "bitflags",
240 "cfg-if",
241 "cranelift-bforest",
242 "cranelift-codegen",
243 "cranelift-codegen-meta",
244 "cranelift-codegen-shared",
245 "cranelift-entity",
246 "cranelift-frontend",
247 "cranelift-jit",
248 "cranelift-module",
249 "cranelift-native",
250 "cranelift-object",
251 "crc32fast",
252 "gimli",
253 "hashbrown",
254 "indexmap",
255 "libc",
256 "libloading",
257 "log",
258 "mach",
259 "memchr",
260 "object",
261 "once_cell",
262 "regalloc",
263 "region",
264 "rustc-hash",
265 "smallvec",
266 "target-lexicon",
267 "winapi",
268 "winapi-i686-pc-windows-gnu",
269 "winapi-x86_64-pc-windows-gnu",
270 ];
271
272 const FORBIDDEN_TO_HAVE_DUPLICATES: &[&str] = &[
273 // These two crates take quite a long time to build, so don't allow two versions of them
274 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
275 // under control.
276 "cargo",
277 ];
278
279 /// Dependency checks.
280 ///
281 /// `root` is path to the directory with the root `Cargo.toml` (for the workspace). `cargo` is path
282 /// to the cargo executable.
283 pub fn check(root: &Path, cargo: &Path, bad: &mut bool) {
284 let mut cmd = cargo_metadata::MetadataCommand::new();
285 cmd.cargo_path(cargo)
286 .manifest_path(root.join("Cargo.toml"))
287 .features(cargo_metadata::CargoOpt::AllFeatures);
288 let metadata = t!(cmd.exec());
289 let runtime_ids = compute_runtime_crates(&metadata);
290 check_exceptions(&metadata, EXCEPTIONS, runtime_ids, bad);
291 check_dependencies(&metadata, PERMITTED_DEPENDENCIES, RESTRICTED_DEPENDENCY_CRATES, bad);
292 check_crate_duplicate(&metadata, FORBIDDEN_TO_HAVE_DUPLICATES, bad);
293 check_rustfix(&metadata, bad);
294
295 // Check rustc_codegen_cranelift independently as it has it's own workspace.
296 let mut cmd = cargo_metadata::MetadataCommand::new();
297 cmd.cargo_path(cargo)
298 .manifest_path(root.join("compiler/rustc_codegen_cranelift/Cargo.toml"))
299 .features(cargo_metadata::CargoOpt::AllFeatures);
300 let metadata = t!(cmd.exec());
301 let runtime_ids = HashSet::new();
302 check_exceptions(&metadata, EXCEPTIONS_CRANELIFT, runtime_ids, bad);
303 check_dependencies(
304 &metadata,
305 PERMITTED_CRANELIFT_DEPENDENCIES,
306 &["rustc_codegen_cranelift"],
307 bad,
308 );
309 check_crate_duplicate(&metadata, &[], bad);
310 }
311
312 /// Check that all licenses are in the valid list in `LICENSES`.
313 ///
314 /// Packages listed in `EXCEPTIONS` are allowed for tools.
315 fn check_exceptions(
316 metadata: &Metadata,
317 exceptions: &[(&str, &str)],
318 runtime_ids: HashSet<&PackageId>,
319 bad: &mut bool,
320 ) {
321 // Validate the EXCEPTIONS list hasn't changed.
322 for (name, license) in exceptions {
323 // Check that the package actually exists.
324 if !metadata.packages.iter().any(|p| p.name == *name) {
325 tidy_error!(
326 bad,
327 "could not find exception package `{}`\n\
328 Remove from EXCEPTIONS list if it is no longer used.",
329 name
330 );
331 }
332 // Check that the license hasn't changed.
333 for pkg in metadata.packages.iter().filter(|p| p.name == *name) {
334 match &pkg.license {
335 None => {
336 tidy_error!(
337 bad,
338 "dependency exception `{}` does not declare a license expression",
339 pkg.id
340 );
341 }
342 Some(pkg_license) => {
343 if pkg_license.as_str() != *license {
344 println!("dependency exception `{name}` license has changed");
345 println!(" previously `{license}` now `{pkg_license}`");
346 println!(" update EXCEPTIONS for the new license");
347 *bad = true;
348 }
349 }
350 }
351 }
352 }
353
354 let exception_names: Vec<_> = exceptions.iter().map(|(name, _license)| *name).collect();
355
356 // Check if any package does not have a valid license.
357 for pkg in &metadata.packages {
358 if pkg.source.is_none() {
359 // No need to check local packages.
360 continue;
361 }
362 if !runtime_ids.contains(&pkg.id) && exception_names.contains(&pkg.name.as_str()) {
363 continue;
364 }
365 let license = match &pkg.license {
366 Some(license) => license,
367 None => {
368 tidy_error!(bad, "dependency `{}` does not define a license expression", pkg.id);
369 continue;
370 }
371 };
372 if !LICENSES.contains(&license.as_str()) {
373 if pkg.name == "fortanix-sgx-abi" {
374 // This is a specific exception because SGX is considered
375 // "third party". See
376 // https://github.com/rust-lang/rust/issues/62620 for more. In
377 // general, these should never be added.
378 continue;
379 }
380 tidy_error!(bad, "invalid license `{}` in `{}`", license, pkg.id);
381 }
382 }
383 }
384
385 /// Checks the dependency of `RESTRICTED_DEPENDENCY_CRATES` at the given path. Changes `bad` to
386 /// `true` if a check failed.
387 ///
388 /// Specifically, this checks that the dependencies are on the `PERMITTED_DEPENDENCIES`.
389 fn check_dependencies(
390 metadata: &Metadata,
391 permitted_dependencies: &[&'static str],
392 restricted_dependency_crates: &[&'static str],
393 bad: &mut bool,
394 ) {
395 // Check that the PERMITTED_DEPENDENCIES does not have unused entries.
396 for name in permitted_dependencies {
397 if !metadata.packages.iter().any(|p| p.name == *name) {
398 tidy_error!(
399 bad,
400 "could not find allowed package `{}`\n\
401 Remove from PERMITTED_DEPENDENCIES list if it is no longer used.",
402 name
403 );
404 }
405 }
406 // Get the list in a convenient form.
407 let permitted_dependencies: HashSet<_> = permitted_dependencies.iter().cloned().collect();
408
409 // Check dependencies.
410 let mut visited = BTreeSet::new();
411 let mut unapproved = BTreeSet::new();
412 for &krate in restricted_dependency_crates.iter() {
413 let pkg = pkg_from_name(metadata, krate);
414 let mut bad =
415 check_crate_dependencies(&permitted_dependencies, metadata, &mut visited, pkg);
416 unapproved.append(&mut bad);
417 }
418
419 if !unapproved.is_empty() {
420 tidy_error!(bad, "Dependencies not explicitly permitted:");
421 for dep in unapproved {
422 println!("* {dep}");
423 }
424 }
425 }
426
427 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
428 /// the list of permitted dependencies. Returns a list of disallowed dependencies.
429 fn check_crate_dependencies<'a>(
430 permitted_dependencies: &'a HashSet<&'static str>,
431 metadata: &'a Metadata,
432 visited: &mut BTreeSet<&'a PackageId>,
433 krate: &'a Package,
434 ) -> BTreeSet<&'a PackageId> {
435 // This will contain bad deps.
436 let mut unapproved = BTreeSet::new();
437
438 // Check if we have already visited this crate.
439 if visited.contains(&krate.id) {
440 return unapproved;
441 }
442
443 visited.insert(&krate.id);
444
445 // If this path is in-tree, we don't require it to be explicitly permitted.
446 if krate.source.is_some() {
447 // If this dependency is not on `PERMITTED_DEPENDENCIES`, add to bad set.
448 if !permitted_dependencies.contains(krate.name.as_str()) {
449 unapproved.insert(&krate.id);
450 }
451 }
452
453 // Do a DFS in the crate graph.
454 let to_check = deps_of(metadata, &krate.id);
455
456 for dep in to_check {
457 let mut bad = check_crate_dependencies(permitted_dependencies, metadata, visited, dep);
458 unapproved.append(&mut bad);
459 }
460
461 unapproved
462 }
463
464 /// Prevents multiple versions of some expensive crates.
465 fn check_crate_duplicate(
466 metadata: &Metadata,
467 forbidden_to_have_duplicates: &[&str],
468 bad: &mut bool,
469 ) {
470 for &name in forbidden_to_have_duplicates {
471 let matches: Vec<_> = metadata.packages.iter().filter(|pkg| pkg.name == name).collect();
472 match matches.len() {
473 0 => {
474 tidy_error!(
475 bad,
476 "crate `{}` is missing, update `check_crate_duplicate` \
477 if it is no longer used",
478 name
479 );
480 }
481 1 => {}
482 _ => {
483 tidy_error!(
484 bad,
485 "crate `{}` is duplicated in `Cargo.lock`, \
486 it is too expensive to build multiple times, \
487 so make sure only one version appears across all dependencies",
488 name
489 );
490 for pkg in matches {
491 println!(" * {}", pkg.id);
492 }
493 }
494 }
495 }
496 }
497
498 /// Returns a list of dependencies for the given package.
499 fn deps_of<'a>(metadata: &'a Metadata, pkg_id: &'a PackageId) -> Vec<&'a Package> {
500 let resolve = metadata.resolve.as_ref().unwrap();
501 let node = resolve
502 .nodes
503 .iter()
504 .find(|n| &n.id == pkg_id)
505 .unwrap_or_else(|| panic!("could not find `{pkg_id}` in resolve"));
506 node.deps
507 .iter()
508 .map(|dep| {
509 metadata.packages.iter().find(|pkg| pkg.id == dep.pkg).unwrap_or_else(|| {
510 panic!("could not find dep `{}` for pkg `{}` in resolve", dep.pkg, pkg_id)
511 })
512 })
513 .collect()
514 }
515
516 /// Finds a package with the given name.
517 fn pkg_from_name<'a>(metadata: &'a Metadata, name: &'static str) -> &'a Package {
518 let mut i = metadata.packages.iter().filter(|p| p.name == name);
519 let result =
520 i.next().unwrap_or_else(|| panic!("could not find package `{name}` in package list"));
521 assert!(i.next().is_none(), "more than one package found for `{name}`");
522 result
523 }
524
525 /// Finds all the packages that are in the rust runtime.
526 fn compute_runtime_crates<'a>(metadata: &'a Metadata) -> HashSet<&'a PackageId> {
527 let resolve = metadata.resolve.as_ref().unwrap();
528 let mut result = HashSet::new();
529 for name in RUNTIME_CRATES {
530 let id = &pkg_from_name(metadata, name).id;
531 normal_deps_of_r(resolve, id, &mut result);
532 }
533 result
534 }
535
536 /// Recursively find all normal dependencies.
537 fn normal_deps_of_r<'a>(
538 resolve: &'a Resolve,
539 pkg_id: &'a PackageId,
540 result: &mut HashSet<&'a PackageId>,
541 ) {
542 if !result.insert(pkg_id) {
543 return;
544 }
545 let node = resolve
546 .nodes
547 .iter()
548 .find(|n| &n.id == pkg_id)
549 .unwrap_or_else(|| panic!("could not find `{pkg_id}` in resolve"));
550 for dep in &node.deps {
551 normal_deps_of_r(resolve, &dep.pkg, result);
552 }
553 }
554
555 fn check_rustfix(metadata: &Metadata, bad: &mut bool) {
556 let cargo = pkg_from_name(metadata, "cargo");
557 let compiletest = pkg_from_name(metadata, "compiletest");
558 let cargo_deps = deps_of(metadata, &cargo.id);
559 let compiletest_deps = deps_of(metadata, &compiletest.id);
560 let cargo_rustfix = cargo_deps.iter().find(|p| p.name == "rustfix").unwrap();
561 let compiletest_rustfix = compiletest_deps.iter().find(|p| p.name == "rustfix").unwrap();
562 if cargo_rustfix.version != compiletest_rustfix.version {
563 tidy_error!(
564 bad,
565 "cargo's rustfix version {} does not match compiletest's rustfix version {}\n\
566 rustfix should be kept in sync, update the cargo side first, and then update \
567 compiletest along with cargo.",
568 cargo_rustfix.version,
569 compiletest_rustfix.version
570 );
571 }
572 }
backport for Debian buster