cargo-rbmt 0.2.0

Maintainer tools for rust-bitcoin projects
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590

// SPDX-License-Identifier: MIT AND Apache-2.0

use std::collections::{BTreeMap, BTreeSet, HashSet};
use std::fs;
use std::path::Path;

use xshell::Shell;

use crate::environment::{
    get_workspace_packages, get_workspace_root, CmdExt, Package, PackageManifest, ProgressGuard,
};
use crate::lock::LockFile;
use crate::toolchain::{prepare_toolchain, Toolchain};

/// Lint-specific configuration, read from `[package.metadata.rbmt.lint]` in `Cargo.toml`.
#[derive(Debug, serde::Deserialize, Default)]
#[serde(default)]
struct LintConfig {
    /// List of crate names that are allowed to have duplicate versions.
    allowed_duplicates: Vec<String>,
}

impl LintConfig {
    /// Load lint configuration from `[package.metadata.rbmt.lint]` in the package's `Cargo.toml`.
    fn load(package_dir: &Path) -> Result<Self, Box<dyn std::error::Error>> {
        #[derive(serde::Deserialize, Default)]
        struct RbmtTable {
            #[serde(default)]
            lint: LintConfig,
        }

        let path = package_dir.join("Cargo.toml");
        if !path.exists() {
            return Ok(Self::default());
        }
        let contents = std::fs::read_to_string(&path)?;
        Ok(toml::from_str::<PackageManifest<RbmtTable>>(&contents)?.package.metadata.rbmt.lint)
    }
}

/// Run the lint task.
pub fn run(
    sh: &Shell,
    lockfile: LockFile,
    packages: &[String],
) -> Result<(), Box<dyn std::error::Error>> {
    let packages = get_workspace_packages(sh, packages)?;
    let _lockfile_guard = lockfile.activate(sh)?;
    let _progress = ProgressGuard::new();
    prepare_toolchain(sh, Toolchain::Nightly)?;
    rbmt_eprintln!("Running lint task...");

    lint_workspace(sh)?;
    lint_packages(sh, &packages)?;
    check_duplicate_deps(sh, &packages)?;
    check_cross_package_duplicate_deps(sh)?;
    check_clippy_toml_msrv(sh, &packages)?;

    rbmt_eprintln!("Lint task completed successfully");
    Ok(())
}

/// Lint the workspace with clippy.
fn lint_workspace(sh: &Shell) -> Result<(), Box<dyn std::error::Error>> {
    rbmt_eprintln!("Linting workspace...");

    // Run clippy on workspace with all features.
    rbmt_cmd!(sh, "cargo --locked clippy --workspace --all-targets --all-features --keep-going")
        .args(&["--", "-D", "warnings"])
        .run_verbose()?;

    // Run clippy on workspace without features.
    rbmt_cmd!(sh, "cargo --locked clippy --workspace --all-targets --keep-going")
        .args(&["--", "-D", "warnings"])
        .run_verbose()?;

    Ok(())
}

/// Run extra package-specific lints.
///
/// # Why run at the package level?
///
/// When running `cargo clippy --workspace --no-default-features`, cargo resolves
/// features across the entire workspace, which can enable features through dependencies
/// even when a package's own default features are disabled. Running clippy on each package
/// individually ensures that each package truly compiles and passes lints with only its
/// explicitly enabled features.
fn lint_packages(sh: &Shell, packages: &[Package]) -> Result<(), Box<dyn std::error::Error>> {
    rbmt_eprintln!("Running package-specific lints...");

    let package_names: Vec<_> = packages.iter().map(|p| p.name.as_str()).collect();
    rbmt_eprintln!("Found crates: {}", package_names.join(", "));

    for package in packages {
        // Returns a RAII guard which reverts the working directory to the old value when dropped.
        let _old_dir = sh.push_dir(&package.dir);

        // Run clippy without default features.
        rbmt_cmd!(sh, "cargo --locked clippy --all-targets --no-default-features --keep-going")
            .args(&["--", "-D", "warnings"])
            .run_verbose()?;
    }

    Ok(())
}

/// Check for duplicate dependencies.
///
/// The goal is to catch cases where a package's transitive dependency tree contains two versions
/// of the same crate (e.g. `bitcoin_hashes v0.13.0` and `bitcoin_hashes v0.14.0` both present). This
/// can happen when a package directly depends on a crate at one version while a transitive
/// dependency pulls in a different version. Downstream users inheriting this package will end up
/// with both versions in their build, which can cause confusing type incompatibility errors across
/// crate boundaries and unnecessarily bloat compile times and binary size.
///
/// Dev dependencies are excluded from this check because they are not part of the published
/// crate graph and cannot cause problems for downstream consumers.
///
/// # Why run at the package level?
///
/// Running per-package allows each package to maintain its own whitelist of allowed duplicates
/// via `rbmt.toml`, since some duplicates may be unavoidable for a given package but not others.
fn check_duplicate_deps(
    sh: &Shell,
    packages: &[Package],
) -> Result<(), Box<dyn std::error::Error>> {
    rbmt_eprintln!("Checking for duplicate dependencies...");

    let mut found_duplicates = false;

    for package in packages {
        let config = LintConfig::load(&package.dir)?;

        // Returns a RAII guard which reverts the working directory to the old value when dropped.
        let _old_dir = sh.push_dir(&package.dir);

        // Run cargo tree to find duplicates for this package, exclude dev dependencies
        // since they are not exposed to downstream consumers.
        let output = rbmt_cmd!(
            sh,
            "cargo --locked tree --target=all --all-features --duplicates --edges no-dev --prefix depth"
        )
        .ignore_status()
        .read()?;

        let tree = DuplicateTree::parse(
            &output,
            &[package.name.as_str()].into(),
            &config.allowed_duplicates,
        );
        if !tree.duplicates().is_empty() {
            found_duplicates = true;
            println!("{}", output);
            println!("Error: Found duplicate dependencies in package '{}'!", package.name);
            for (name, versions) in tree.duplicates() {
                for version in versions.keys() {
                    eprintln!("  {} {}", name, version);
                }
            }
        }
    }

    if found_duplicates {
        return Err("Dependency tree contains duplicates".into());
    }

    rbmt_eprintln!("No duplicate dependencies found");
    Ok(())
}

/// Check for duplicate dependencies that span multiple workspace members.
///
/// This is a supplementary check to [`check_duplicate_deps`]. Attemps to catch the case where two
/// workspace members depend on different versions of the same crate. For example, if pkg1
/// depends on `bitcoin_hashes 0.13` and pkg2 depends on `bitcoin_hashes 0.14`, each package's
/// individual tree is clean but a downstream consumer of both packages will end up with both
/// versions in their build. Skipped entirely for single-package workspaces since it cannot find
/// anything the per-package check didn't already catch.
///
/// Dev dependencies are excluded from this check because they are not part of the published
/// crate graph and cannot cause problems for downstream consumers.
///
/// This check is not considered as essential as [`check_duplicate_deps`]. A duplicate dependency
/// in a single package has a much higher chance of causing downstream issues than one across
/// packages since it may not be an issue depending on what versions of the packages downstream
/// users are using. This functionality could probably also be accomplished just with
/// [`check_duplicate_deps`] if a workspace contains a facade package which re-exports all
/// the other packages of the workspace.
fn check_cross_package_duplicate_deps(sh: &Shell) -> Result<(), Box<dyn std::error::Error>> {
    let package_info = get_workspace_packages(sh, &[])?;

    // No point running a workspace-level check for a single package.
    if package_info.len() <= 1 {
        return Ok(());
    }

    rbmt_eprintln!("Checking for cross-package duplicate dependencies...");

    let package_names: HashSet<&str> = package_info.iter().map(|pkg| pkg.name.as_str()).collect();
    let output = rbmt_cmd!(
        sh,
        "cargo --locked tree --target=all --all-features --duplicates --edges no-dev --prefix depth"
    )
    .ignore_status()
    .read()?;

    let tree = DuplicateTree::parse(&output, &package_names, &[]);
    let cross_package_dupes = tree.cross_package_duplicates();
    // Currently logging a warning instead of hard failure until we gain confidence in the check.
    if !cross_package_dupes.is_empty() {
        println!("Warning: found duplicate dependencies spanning multiple workspace members.");
        println!("         These may cause duplicates in consumers that depend on multiple packages from this workspace.");
        for (crate_name, versions) in &cross_package_dupes {
            for (version, members) in *versions {
                let members: Vec<&str> = members.iter().map(String::as_str).collect();
                println!("  {} {}: {}", crate_name, version, members.join(", "));
            }
        }
        println!("Consider aligning dependency versions across workspace members.");
    }

    rbmt_eprintln!("No cross-package duplicate dependencies found");
    Ok(())
}

/// A dependency from `cargo tree --duplicates --prefix depth` output.
struct Dependency {
    /// Depth-0 lines are the duplicate crates themselves; all lines beneath them (at any
    /// depth) trace the paths by which that version is included.
    depth: u32,
    /// Name of the crate.
    name: String,
    /// Version of the crate.
    version: String,
}

impl Dependency {
    /// Lines have the form `<depth><name> <version>[ ...]`.
    ///
    /// ```text
    /// 0bitcoin_hashes v0.13.0
    /// 3bip324 v0.10.0 (/home/user/bip324/protocol)
    /// 1bitcoin_hashes v0.16.0 (https://github.com/rust-bitcoin/rust-bitcoin?rev=abc#abc) (*)
    /// ```
    ///
    /// ## Returns
    ///
    /// `None` for lines that don't start with a depth integer like blank lines
    /// or section headers (e.g. `[dev-dependencies]`).
    fn parse(line: &str) -> Option<Self> {
        let depth_digits = line.chars().take_while(char::is_ascii_digit).count();
        let depth: u32 = line[..depth_digits].parse().ok()?;
        let rest = &line[depth_digits..];

        let mut tokens = rest.split_whitespace();
        let name = tokens.next()?.to_string();
        let version = tokens.next()?.to_string();

        Some(Self { depth, name, version })
    }
}

/// Maps each duplicate crate name to the list of versions found, where each version records which
/// workspace members are responsible for pulling it in (at any depth in the inverted tree).
struct DuplicateTree {
    /// ```text
    /// "hex-conservative" -> {
    ///     "v0.2.0" -> {"pkg1"},
    ///     "v0.3.0" -> {"pkg2", "pkg3"},
    /// }
    /// ```
    inner: BTreeMap<String, BTreeMap<String, BTreeSet<String>>>,
}

impl DuplicateTree {
    /// Parse the raw output of `cargo tree --duplicates --prefix depth`.
    fn parse(output: &str, member_packages: &HashSet<&str>, allowed_duplicates: &[String]) -> Self {
        let mut inner: BTreeMap<String, BTreeMap<String, BTreeSet<String>>> = BTreeMap::new();
        // Current duplicate version being parsed.
        let mut current_duplicate: Option<(String, String)> = None;

        for line in output.lines() {
            let Some(dep) = Dependency::parse(line) else { continue };

            if dep.depth == 0 {
                // Skip crates that are explicitly allowed to have duplicate versions.
                if allowed_duplicates.iter().any(|a| a == &dep.name) {
                    current_duplicate = None;
                    continue;
                }
                // Start of a new version block. Ensure a slot exists for this (name, version).
                inner.entry(dep.name.clone()).or_default().entry(dep.version.clone()).or_default();
                current_duplicate = Some((dep.name, dep.version));
            } else if let Some((ref name, ref version)) = current_duplicate {
                // Any line beneath depth-0 traces the path by which this version is included.
                // Check whether its crate name is a workspace member.
                if member_packages.contains(dep.name.as_str()) {
                    if let Some(members) =
                        inner.get_mut(name).and_then(|versions| versions.get_mut(version))
                    {
                        members.insert(dep.name.clone());
                    }
                }
            }
        }

        Self { inner }
    }

    /// All duplicate crates found in the tree.
    fn duplicates(&self) -> &BTreeMap<String, BTreeMap<String, BTreeSet<String>>> { &self.inner }

    /// Returns cross-package duplicates, crates with different versions pulled in by
    /// different workspace members.
    ///
    /// For example, this is a cross-package duplicate, `pkg1` and `pkg2` each own a different
    /// version, so no per-package fix exists.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1"},
    ///     "v0.2.0" -> {"pkg2"},
    /// }
    /// ```
    ///
    /// This is *not* a cross-package duplicate, `pkg1` appears in both version blocks, so it
    /// alone is responsible and the per-package check will catch it.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1"},
    ///     "v0.2.0" -> {"pkg1"},
    /// }
    /// ```
    ///
    /// This is also not a cross-package duplicate, since both will get caught at the per-package check.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1", "pkg2"},
    ///     "v0.2.0" -> {"pkg1", "pkg2"},
    /// }
    /// ```
    ///
    /// This is a cross-package duplicate since `pkg3` pulls in a whole new version.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1", "pkg2"},
    ///     "v0.2.0" -> {"pkg1", "pkg2"},
    ///     "v0.3.0" -> {"pkg3"},
    /// }
    /// ```
    ///
    /// Here is a doozy though. Is this a cross package duplicate? It is reported as *no*, not a duplicate.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1", "pkg2", "pkg3"},
    ///     "v0.2.0" -> {"pkg1"},
    /// }
    /// ```
    ///
    /// And this? Also reported as *no* since it is hard to detect and maybe the first step is to deal with `pkg1`
    /// which is caught by the per-package check.
    ///
    /// ```text
    /// "foo" -> {
    ///     "v0.1.0" -> {"pkg1", "pkg2", "pkg3"},
    ///     "v0.2.0" -> {"pkg1", "pkg2"},
    ///     "v0.3.0" -> {"pkg1", "pkg3"}
    /// }
    /// ```
    ///
    ///
    /// ## Returns
    ///
    /// A map from crate name to its versions and the members responsible for each. The map is
    /// empty if no cross-package duplicates were found. For example, given the first example
    /// above the return value would be:
    ///
    /// ```text
    /// { "foo" -> { "v0.1.0" -> {"pkg1"}, "v0.2.0" -> {"pkg2"} } }
    /// ```
    fn cross_package_duplicates(&self) -> BTreeMap<&str, &BTreeMap<String, BTreeSet<String>>> {
        self.inner
            .iter()
            // Filter out per-package duplicates.
            .filter(|(_, versions)| {
                // Cross-package if no single member appears in every version block.
                !versions
                    .values()
                    .flat_map(|members| members.iter())
                    .any(|m| versions.values().all(|s| s.contains(m)))
            })
            .map(|(crate_name, versions)| (crate_name.as_str(), versions))
            .collect()
    }
}

/// Check for deprecated clippy.toml MSRV settings.
///
/// The bitcoin ecosystem has moved to Rust 1.74+ and should use Cargo.toml
/// package.rust-version instead of clippy.toml msrv settings.
fn check_clippy_toml_msrv(
    sh: &Shell,
    packages: &[Package],
) -> Result<(), Box<dyn std::error::Error>> {
    const CLIPPY_CONFIG_FILES: &[&str] = &["clippy.toml", ".clippy.toml"];

    rbmt_eprintln!("Checking for deprecated clippy.toml MSRV settings...");

    let mut clippy_files = Vec::new();

    // Check workspace root.
    let workspace_root = get_workspace_root(sh)?;
    for filename in CLIPPY_CONFIG_FILES {
        let path = workspace_root.join(filename);
        if path.exists() {
            clippy_files.push(path);
        }
    }

    // Check each package.
    for package in packages {
        for filename in CLIPPY_CONFIG_FILES {
            let path = package.dir.join(filename);
            if path.exists() {
                clippy_files.push(path);
            }
        }
    }

    // Check each clippy file for the msrv setting.
    let mut problematic_files = Vec::new();
    for path in clippy_files {
        let contents = fs::read_to_string(&path)?;
        let config: toml::Value = toml::from_str(&contents)?;

        if config.get("msrv").is_some() {
            problematic_files.push(path.display().to_string());
        }
    }

    if !problematic_files.is_empty() {
        println!(
            "\nError: Found MSRV in clippy.toml, use Cargo.toml package.rust-version instead:"
        );
        for file in &problematic_files {
            println!("  {}", file);
        }
        return Err("MSRV should be specified in Cargo.toml, not clippy.toml".into());
    }

    rbmt_eprintln!("No deprecated clippy.toml MSRV settings found");
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn cross_package_duplicate() {
        // pkg1 and pkg2 each pull in different versions of bitcoin_hashes directly.
        // hex-conservative is pulled in transitively via bitcoin_hashes, but pkg1
        // and pkg2 appear beneath each hex-conservative version block too, so
        // it is also reported as a cross-package duplicate.
        let output = "\
0bitcoin_hashes v0.13.0
1pkg1 v0.1.0

0bitcoin_hashes v0.14.1
1pkg2 v0.1.0

0hex-conservative v0.1.2
1bitcoin_hashes v0.13.0 (*)
2pkg1 v0.1.0

0hex-conservative v0.2.2
1bitcoin_hashes v0.14.1 (*)
2pkg2 v0.1.0
";
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &[]);
        let dupes = tree.cross_package_duplicates();
        assert!(dupes.contains_key("bitcoin_hashes"));
        assert!(dupes.contains_key("hex-conservative"));
        assert!(dupes["bitcoin_hashes"].contains_key("v0.13.0"));
        assert!(dupes["bitcoin_hashes"].contains_key("v0.14.1"));
        assert!(dupes["hex-conservative"].contains_key("v0.1.2"));
        assert!(dupes["hex-conservative"].contains_key("v0.2.2"));
    }

    #[test]
    fn cross_package_transitive_duplicates() {
        let output = "\
0hex-conservative v0.1.2
1some-lib v1.0.0
2pkg1 v0.1.0

0hex-conservative v0.2.2
1some-lib v2.0.0
2pkg2 v0.1.0
";
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &[]);
        let dupes = tree.cross_package_duplicates();
        assert!(dupes.contains_key("hex-conservative"));
        assert!(dupes["hex-conservative"].contains_key("v0.1.2"));
        assert!(dupes["hex-conservative"].contains_key("v0.2.2"));
    }

    #[test]
    fn cross_package_single_package_not_reported() {
        let output = "\
0foo v0.1.0
1pkg1 v0.1.0

0foo v0.2.0
1pkg1 v0.1.0
";
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &[]);
        assert!(tree.cross_package_duplicates().is_empty());
    }

    #[test]
    fn cross_package_dedupe_output() {
        let output = "\
0bitcoin_hashes v0.13.0
1pkg1 v0.1.0

0bitcoin_hashes v0.14.1
1pkg2 v0.1.0

0bitcoin_hashes v0.13.0
1pkg1 v0.1.0

0bitcoin_hashes v0.14.1
1pkg2 v0.1.0
";
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &[]);
        let dupes = tree.cross_package_duplicates();
        assert_eq!(dupes.len(), 1);
        assert_eq!(dupes["bitcoin_hashes"]["v0.13.0"], BTreeSet::from(["pkg1".to_string()]));
        assert_eq!(dupes["bitcoin_hashes"]["v0.14.1"], BTreeSet::from(["pkg2".to_string()]));
    }

    #[test]
    fn cross_package_shared_packages_across_all_dupes() {
        let output = "\
0foo v0.1.0
1pkg1 v0.1.0
1pkg2 v0.1.0

0foo v0.2.0
1pkg1 v0.1.0
1pkg2 v0.1.0
";
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &[]);
        assert!(tree.cross_package_duplicates().is_empty());
    }

    #[test]
    fn cross_package_empty_output_no_dupes() {
        let tree = DuplicateTree::parse("", &["pkg1", "pkg2", "pkg3"].into(), &[]);
        assert!(tree.cross_package_duplicates().is_empty());
    }

    #[test]
    fn allowed_duplicates_not_reported() {
        let output = "\
0bitcoin_hashes v0.13.0
1pkg1 v0.1.0

0bitcoin_hashes v0.14.1
1pkg2 v0.1.0

0hex-conservative v0.1.2
1pkg1 v0.1.0

0hex-conservative v0.2.2
1pkg2 v0.1.0
";
        let allowed = vec!["bitcoin_hashes".to_string()];
        let tree = DuplicateTree::parse(output, &["pkg1", "pkg2", "pkg3"].into(), &allowed);
        let dupes = tree.duplicates();
        assert!(!dupes.contains_key("bitcoin_hashes"), "allowed duplicate should be filtered");
        assert!(dupes.contains_key("hex-conservative"), "non-allowed duplicate should be reported");
    }
}