Make the bootstrap process repeatable

[dra27]

This PR makes a series of changes to the build for the ultimate goal of having make bootstrap produce the exact same images in boot/ocamlc and boot/ocamllex regardless of OS and architecture.

This can be seen working in precheck#675. Each worker has successfully bootstrapped (search for "fixpoint reached" in the logs) and then executes git status and "nothing to commit, working tree clean" can be seen in the log.

With this PR, it becomes possible to adapt the GitHub Actions tests to test bootstrap commits automatically (we already test all commits touching configure.ac - this is the same idea) and so remove the need for core developers to repeat bootstraps by external contributors. Of course, we should continue to check during review that a bootstrap is actually needed.

The basic changes required are:

• Restrict the bootstrap to the default configuration of the runtime, so bootstrapping is not permitted if the compiler is configured with --disable-flat-float-array.
• In order to be cross-platform, the boot compiler must never call the C compiler. We already don't, but I added Config.in_boot_compiler to ensure that boot/ocamlc gives a proper error if any attempt is made to utilise shared libraries or to compile C files (the build, naturally, already does not do this).
• When bootstrapping, an alternate utils/config.ml is generated with fixed values for the entire configuration.

This gets us virtually the entire way. The last two changes are optional, but increase the portability of this.

• The CRCs of interfaces vary depending on whether the source .mli file has LF or CRLF line-endings. One day I'd like to finish sorting that out (Allowing displaying multi-line backtrace locations in the same way as errors #10111, etc.), but there is a much simpler solution for the boot images. They don't need the bytecode CRCS section as they don't do any dynamic code loading. So we save a small amount of space in the boot images by stripping the CRCS section alongside the DBUG section and, with that change, make bootstrap works on Windows, regardless of source file formatting.
• The last change is the only externally visible part, because it adds a new flag to Marshal. Big-endian architectures marshal floats in big-endian format (ARM's hybrid format is always marshalled little-endian). If we add a flag to force writing little-endian doubles, then s390x and ppc64 can also do the bootstrap in a repeatable way. In enabling this in the bytecode compiler, I've turned it on unconditionally, inasmuch as trying to write identical bytecode on all systems seems a worthy objective.

The last part almost certainly wants splitting off to another PR, but I'm curious for feedback at this stage - especially before embarking on any changes to CI.

[gasche]

Generally I like the idea, and most of the changes proposed sound fine.

I don't have an opinion on the changes to float marshalling strategy. But: do we really need to marshal floats as part of the bootstrap? (I assume that this would come from float constants in the sources of boot/ocamlc, but do we really need those?) Could we instead forbid float constants when in_boot_compiler and fix the assumedly-small places where floats are currently used?

[dra27]

I don't think we can prohibit floats - for example, the constant 0.0 gets emitted as a result of this line in stdlib/camlinternalFormat.ml:

ocaml/stdlib/camlinternalFormat.ml

Line 1479 in 0a9b6b8

| FP_infinite -> if x < 0.0 then "neg_infinity" else "infinity"

and 1. and .0 this get emitted by this line pulled in by ocamllex from the merciless use of Bool.compare:

ocaml/stdlib/bool.ml

Line 24 in 0a9b6b8

let to_float = function false -> 0. | true -> 1.

Just in case my description made it sound grander, the new flag to Marshal doesn't add any "new" code to extern, it just adds more control to the decisions taken with floats. extern already had the ability to "canonicalize" all floats as little-endian, it just by default doesn't do that on big-endian systems.

The other perfectly reasonable option would be either to actually prohibit bootstrapping on big-endian systems, just altering the first commit to reject the attempt or to accept that, a bit like regenerating configure with the wrong version of autoconf, if you happen to have an IBM mainframe (or a very old Power Mac G5) as your development machine, then you'll need to do your bootstrap commits somewhere else 🙂

[nojb]

Just for the sake of argument: why not always encode floats in little-endian mode? Are there any downsides to it (apart from making past marshalled floats incompatible with the new version)?

[xavierleroy]

Just for the sake of argument: why not always encode floats in little-endian mode? Are there any downsides to it

Marshalling and unmarshalling of floats and esp. float arrays will be slower on big-endian machines, but:

• probably not by much;
• the only big-endian architecture that still matters for OCaml is Z Systems.

The current implementation is designed so that no endianness change is needed in the common case where the same architecture marshals then unmarshals FP numbers. Maybe it's too clever for its own good.

[dra27]

It also wouldn’t break incompatibility - there’d be no reason to remove the code for un-marshalling big-endian floats in intern.

[dra27]

Given that no one’s throwing hands up in horror at the initial parts (common config + stripping CRCS), shall I split this, so that this PR gives repeatable bootstrapping on non-big-endian systems and then move the marshal part to a separate PR? If Xavier (as extern’s main author) is happy for the simplification, I’d be happy to open the PR as being the complete removal of big-endian extern-ing. IIRC we either benchmarked or subsequently found some Marshal-sensitive workloads as part of the removal of the blue colour, so those could be reused to check how bad the impact is on Z?

[dra27]

Or, or course, just remove the Marshal stuff and block big-endian bootstrapping, but I don’t think anyone’s spoken up for that approach yet!

[gasche]

I think your proposed PR split makes a lot of sense.

[dra27]

Marshalling part removed, to be followed up separately.

[shindere]

Why does the bootstrap procedure need to be disabled when either flat-float-array or force-safe-string are disabled?

[shindere]

Two other questions:

Do we really want that boot/ocamlc has a way to know it is different
from another compiler? It makes me a bit nervous to make this compiler
"special".

Why did you have to change the SUBST mechanism? This complication
of the interface between the configuration and build system worries me a
bit, too.

[dra27]

Why does the bootstrap procedure need to be disabled when either flat-float-array or force-safe-string are disabled?

The disallowed options are those which would affect the generation of utils/config.ml (the safe-string is because I originally wrote this on the 4.x branch).

If you configure with --disable-flat-float-array then Config.flat_float_array should be false, but the bootstrap will ignore it and have Config.flat_float_array = true (otherwise utils/config.cmo would be different, and we lose the reproducibility).

Bootstrapping from a system which doesn't have flat float array doesn't fail per se, because the bytecode compiler doesn't containing any float array constants, but it does require a double-bootstrap (the first one will fail to reach a fix-point because of the configuration mismatch) - i.e. the first bootstrap systematically fails.

Two other questions:

Do we really want that boot/ocamlc has a way to know it is different from another compiler? It makes me a bit nervous to make this compiler "special".

We don't have to - it's used solely to display better error messages if the boot compiler were to be accidentally used to do something it must never do (today, the boot compiler must never be used to compile C files, but we nearly did that by mistake with caml-tex (remembering the conversation starting at #10366 (comment)). I agree it would be very worrying for that knowledge to be used for actual compilation/build decisions.

Originally, I added Config.in_boot_compiler to be sure for myself that the build system definitely wasn't using any of the values which I was setting to <boot compiler> but it also seemed worth keeping it in place to stop any risk of generating a command line beginning <boot compiler> -c foo.c etc.!

Why did you have to change the SUBST mechanism? This complication of the interface between the configuration and build system worries me a bit, too.

It doesn't have to be - the main thing is that I needed was a way of getting a consistent utils/config.ml. The alternative would be to have a static utils/config.boot.ml and select between that and the utils/Makefile-generated one? I don't mind - I think adapting SUBST was simply the solution which first occurred to me on the train when I wrote it last November :)

[dra27]

@shindere - I've pushed an alternate implementation in 4827373 which doesn't alter the generation in utils/Makefile. For that to work, I've done three things:

• The "code" which has ended up in utils/config.mlp is now in utils/config.common.ml
• The fixed values used for the boot compiler are statically declared in utils/config.boot.ml
• Both versions are built always in utils/config.boot.cmo and utils/config.main.cmo - this means that if you add a new constant to to config.mli and config.mlp but forget to add it to config.boot.ml then the very next build fails, rather than the next make bootstrap

It's slightly more invasive done that way, but equally the explicit nature of the boot compiler's configuration is also clearer.

[shindere]

Many thanks, David! Will try to discuss this with @damiendoligez.

[damiendoligez]

A few things look wrong to me. I'll also comment on the in_boot_compiler thing.

[damiendoligez]

Suggested change

	let c_compiler = "<boot compiler>"
	let c_compiler = "/ The bootstrap compiler shall not call the C compiler."

[dra27]

Is this just to improve the display in ocamlc -config?

[dra27]

(oh, seen comments in the wrong order - I follow now)

[damiendoligez]

This looks like a mistake. If your aim is perfectly reproducible builds, then certainly we should replace cmpbyt with plain old cmp. Also, stripdebug shouldn't be used to do two unrelated things (stripping debug info and moving/copying files around).

It's a code smell (admittedly not introduced by this PR) that cmpbyt and stripdebug have to be kept in sync when only one of them is really needed.

[dra27]

It's not a mistake - at the point of the comparison the image that's just been built has both DBUG and CRCS sections but the image in boot/ will have neither.

I can refactor the build to use "stripdebug" (possibly with a rename) to the image just built and remove skip_section here - cmpbyt, already existing, has the benefit of displaying slightly more information than cmp when the file actually differs.

[dra27]

Also, stripdebug shouldn't be used to do two unrelated things (stripping debug info and moving/copying files around).

That's what the comment in tools/Makefile precisely says it's for (although I quickly find #340 (comment) from the when it was added)

[damiendoligez]

We don't have to - it's used solely to display better error messages if the boot compiler were to be accidentally used to do something it must never do (today, the boot compiler must never be used to compile C files, but we nearly did that by mistake with caml-tex (remembering the conversation starting at #10366 (comment)). I agree it would be very worrying for that knowledge to be used for actual compilation/build decisions.

You're laying traps for the future, and you're peppering the compiler with patches that are only relevant to misuses of the bootstrap compiler. I don't think this is a good trade-off. IMO it would be better to do away with in_boot_compiler and fatal_in_boot_compiler and carefully design the configuration constants to make sure:

1. that they won't be executed as commands by the shell
2. that they contain a useful-enough error message

I've given an example above with c_compiler. I suggest getting rid of the '<' and '>' that could be misinterpreted by a shell and starting with / (i.e. shash-space) so that, even after tokenization, they can't be executable commands in any circumstance.
The error messages won't be displayed as nicely, but frankly I don't think it's worth adding tests to the compiler just to get nicer error messages when making the exotic mistake of compiling ordinary programs with the bootstrap compiler. That's not something ordinary users are ever likely to do.

[shindere]

Aboout cmpbyt in general, and independently of this PR, what about having a command-line option to specify sections to ignore?

[dra27]

Thanks for the review, @damiendoligez! I have reverted the peppering ("season to taste") - it was not for users, but for core devs... this error in CI (which with the sentinel Config.ext_dll = ".so_" now occurs everywhere rather than the more confusing Windows-only failure that actually happened in AppVeyor in #10366):

../boot/ocamlrun ../boot/ocamlc -nostdlib -I ../boot -g -use-prims ../runtime/primitives -I .. -nostdlib -I ../stdlib -I ../utils -I ../parsing -I ../typing -I ../bytecomp -I ../middle_end -I ../middle_end/closure -I ../middle_end/flambda -I ../middle_end/flambda/base_types -I ../driver -I ../toplevel -I ../file_formats -I ../lambda -I ../otherlibs/str -I ../otherlibs/unix -linkall -o caml-tex -no-alias-deps ../compilerlibs/ocamlcommon.cma ../compilerlibs/ocamlbytecomp.cma ../compilerlibs/ocamltoplevel.cma ../otherlibs/str/str.cma ../otherlibs/unix/unix.cma caml_tex.ml
File "caml_tex.ml", line 1:
Error: I/O error: dllcamlstr.so_: No such file or directory

is less clear/explicit than this error:

../boot/ocamlrun ../boot/ocamlc -nostdlib -I ../boot -g -use-prims ../runtime/primitives -I .. -nostdlib -I ../stdlib -I ../utils -I ../parsing -I ../typing -I ../bytecomp -I ../middle_end -I ../middle_end/closure -I ../middle_end/flambda -I ../middle_end/flambda/base_types -I ../driver -I ../toplevel -I ../file_formats -I ../lambda -I ../otherlibs/str -I ../otherlibs/unix -linkall -o caml-tex -no-alias-deps ../compilerlibs/ocamlcommon.cma ../compilerlibs/ocamlbytecomp.cma ../compilerlibs/ocamltoplevel.cma ../otherlibs/str/str.cma ../otherlibs/unix/unix.cma caml_tex.ml
>> Fatal error: Cannot load DLLs with the boot compiler
Fatal error: exception Misc.Fatal_error

[dra27]

12127c6 removes the special cases from cmpbyt and alters the end of the bootstrap cycle to strip the two artefacts which are in the tree. It's tempting (and cleaner) to get the rules for ocamlc$(EXE) and lex/ocamllex$(EXE) to do the stripping themselves, based on whether we're in the bootstrap cycle or not (given that everything has to be rebuilt at the end) but that gets fiddly quite quickly (in particular, tools/stripdebug isn't guaranteed to be useable at this point if you're in an actual bootstrap). At which point, it starts to be tempting to have options in ocamlc itself to do the stripping at which point this initially simple change balloons out of control......

The version I've done so far removes the logical duplication between tools/stripdebug.ml and tools/cmpbyt.ml and also makes the latter optional (because we could just use cmp), so it seems at least a partial win.

[dra27]

OK, last bit for this evening - this PR now makes no changes to cmpbyt. AppVeyor is revealing that I should have thought harder before trying to trick the compiler into compiling config.boot.ml with config.boot.mli. It was working in the other runs because config.mli is compiled just beforehand - the test for whether the foo.mli is compiled in Typemod uses the module, not the extension-stripped filename. I'll fix that tomorrow and then this should be green again...

[shindere]

Will you please write a note here when you are happy with the code, David?

[dra27]

The version just pushed should pass CI - I tidied up the recent commit history (the switch away from altering SUBST now starts at af06337)

[damiendoligez]

Thanks for the review, @damiendoligez! I have reverted the peppering ("season to taste") - it was not for users, but for core devs... this error in CI (which with the sentinel Config.ext_dll = ".so_" now occurs everywhere rather than the more confusing Windows-only failure that actually happened in AppVeyor in #10366):

../boot/ocamlrun ../boot/ocamlc -nostdlib -I ../boot -g -use-prims ../runtime/primitives -I .. -nostdlib -I ../stdlib -I ../utils -I ../parsing -I ../typing -I ../bytecomp -I ../middle_end -I ../middle_end/closure -I ../middle_end/flambda -I ../middle_end/flambda/base_types -I ../driver -I ../toplevel -I ../file_formats -I ../lambda -I ../otherlibs/str -I ../otherlibs/unix -linkall -o caml-tex -no-alias-deps ../compilerlibs/ocamlcommon.cma ../compilerlibs/ocamlbytecomp.cma ../compilerlibs/ocamltoplevel.cma ../otherlibs/str/str.cma ../otherlibs/unix/unix.cma caml_tex.ml
File "caml_tex.ml", line 1:
Error: I/O error: dllcamlstr.so_: No such file or directory

My suggestion was to set Config.ext_dll = ".so_The boostrap compiler cannot load DLLs" so you still get your nice error message displayed, admittedly in a slightly non-standard format.

[dra27]

Ah, that makes sense! I've updated the extensions with that and tidied the history so that there's only a single bootstrap. I'd quite like to keep the interim commits rather than squashing (as they encode different, but working, approaches), if that's OK.

The discussion in #11182 and the non-trivial bootstraps that entails provide a lovely testcase for automated repeatability, which I'd quite like to get on and add, therefore!

I've pushed a Changes entry - is there a consensus to merge this PR? Incidentally, I've described this as "repeatable" in the title, but that's actually the final objective - this PR of course makes the bootstrap reproducible - repeatability comes in the next PR where we test that each bootstrap artefact can be reproduced from the previous boot artefact.

[shindere]

Will review next week, unless it got merged at that time. I guess the PR is best reviewed globally, rather than commit by commit?

[damiendoligez]

Looks good to me modulo one small change.

[damiendoligez]

We don't use the ml* wildcard anywhere else in the makefiles, probably for good reason (it looks dangerous to me at least).

Suggested change

	rm -f utils/config.ml utils/config_boot.ml* utils/config_main.ml* \
	rm -f utils/config.ml \
	utils/config_boot.ml utils/config_boot.mli \
	utils/config_main.ml utils/config_main.mli \

[dra27]

That’s a very good point, thanks!

[dra27]

And it's now pushed

[shindere]

I must say, this PR makes me a bit nervous in that it makes the build of the compiler a bit more complex than it already is, it feels. In particular, as mentionned earlier, the idea would be to get rid of all the `SUBST` machinery and have `utils/config.ml` produced by `configure` rather than by make. Is it really necessary to make the ubild more complex with regard to the expected result? Is it worth it? Thinking out loud: would it make sense to have a special configure mode to enable building the bootstrap compiler?

[dra27]

I must say, this PR makes me a bit nervous in that it makes the build of the compiler a bit more complex than it already is, it feels. In particular, as mentionned earlier, the idea would be to get rid of all the SUBST machinery and have utils/config.ml produced by configure rather than by make.

This PR now no longer touches that at all - a future PR can start generating utils/config.main.ml in configure and then all that’s left is a cp for the main build and a cat of two static files for the bootstrap.

Is it really necessary to make the ubild more complex with regard to the expected result? Is it worth it?

I will be heretically honest - I don’t care about reproducible builds that much, but I do care about the second class contributor process we have where we have to have a core dev repeat bootstraps and manually merge them, because we can’t trust the process as it is now. So I think that the small bit of complexity to build boot/ocamlc with a fixed Config module is worth it, yes. Making this part of the build truly reproducible is an added bonus.

Thinking out loud: would it make sense to have a special configure mode to enable building the bootstrap compiler?

Bootstrapping is a development activity, though - you make changes on an already coldstart’d tree, bring the new system to stability and then use the coldstart’d compiler and the new one to do the bootstrap - reconfiguring to do that seems strange?

An alternate dance could be to have a way in ocamlc to link ocamlcommon.cma but override its Config module with a different one (gcc does this with .a files IIRC). However, adding new features to the compiler to facilitate this seems more complicated :)

[shindere]

Do you attempt to cleanup the history even more, or to leave it that way? Just asking. In .gitignore, the line `/utils/config_*.ml*` has been added twice. Also, sorry if you already explained, but, why do `--disable-flat-float-array` and ` --disable-force-safe-string` prevent from bootstrapping? Is it because that cwould introduce changes in the format of `.cmi` files and make the artifacts of the two compilers incompatible? If that's the case, isn't it true that any suchmodification which would create incompatibilities will also have to be tested? David Allsopp (2022/04/21 05:03 -0700):

@dra27 commented on this pull request. > @@ -115,7 +124,8 @@ configure: configure.ac aclocal.m4 build-aux/ocaml_version.m4 tools/autogen .PHONY: partialclean partialclean:: - rm -f utils/config.ml utils/domainstate.ml utils/domainstate.mli + rm -f utils/config.ml utils/config_boot.ml* utils/config_main.ml* \ That’s a very good point, thanks!

Could the definition of `IN_COREBOOT_CYCLE` be moved to `Makefile.build_config.in` ? Also, I think we might already have discussed this in other places, but while reviewing hits PR I am wondering again. Why do we insist onmaking our Makefile rules depend on the configuration files and sometimes on the Makefiles themselves? To me this looks overkill and, I have to say, slightly insane. In `utils/config.common.ml`: As this is a new file, I think its header should refer to the persoon who created it, with proper affiliation (Tarides, I guess). "Portions of the Config module common to the both the boot and main": spurious "the". Same remark on the header of `utils/config.fixed.ml`.

[dra27]

Do you attempt to cleanup the history even more, or to leave it that way? Just asking.

The history's as I'd like it, yes :)

In .gitignore, the line /utils/config_*.ml* has been added twice.

Oops - I've deleted the duplicate on the last rebase.

Also, sorry if you already explained, but, why do --disable-flat-float-array and --disable-force-safe-string prevent from bootstrapping? Is it because that cwould introduce changes in the format of .cmi files and make the artifacts of the two compilers incompatible? If that's the case, isn't it true that any suchmodification which would create incompatibilities will also have to be tested?

I removed the safe-string part - there was nothing wrong with it, but it was left-over from when this was based on pre-5.x trunk. If you've configured with --disable-flat-float-array then the setting would contradict the let flat_float_array = true in utils/config.fixed.ml and you'd build a compiler which was lying about itself and which also would have a different binary representation, yes. Nothing needs testing, though. Any future configuration option which affects the bytecode compiler would just get added - the indicator that this needs doing is adding a new fixed value to utils/config.fixed.ml (in passing, flambda, afl and so forth do not matter because they don't affect the bytecode compiler).

Could the definition of IN_COREBOOT_CYCLE be moved to Makefile.build_config.in ?

It's not part of the build configuration, though, surely Makefile.common is the correct place? I expect virtually every line of the .in files to include things configure is substituting.

Also, I think we might already have discussed this in other places, but while reviewing hits PR I am wondering again. Why do we insist onmaking our Makefile rules depend on the configuration files and sometimes on the Makefiles themselves? To me this looks overkill and, I have to say, slightly insane.

The processing of those files directly depends on the recipe in utils/Makefile - if the files don't depend on it, then when working on it (as here), you have to touch the files every time to trigger rebuilds! I grant that having everything depend on the Makefiles would be pretty insane, but developing this PR itself would have been a pain without it (given the iterations)!

In utils/config.common.ml: As this is a new file, I think its header should refer to the persoon who created it, with proper affiliation (Tarides, I guess). "Portions of the Config module common to the both the boot and main": spurious "the". Same remark on the header of utils/config.fixed.ml.

There's nothing of mine in utils/config.common.ml - all I've done is move existing text around. Changing the header feels like plagiarism :) I've claimed the profound constants in utils/config.fixed.ml as mine :)

[shindere]

Many thanks for your explanations, @dra27! I think I'd prefer a dedicated module rather than embedding even further on the SUBST road, which I hope we can leave one day to rely entirely on configure, rather than having two places where substitutions are done, one of which is not that obvious to read. I think it would also be nice to hear @damiendoligez's opinion on this PR. All in all, if the in_boot_compiler machinery is "just" to get more readable messages, I wonder whether it's really worth the introduced complexity, no matter how it is dealt with.