preserve the stage directory across installs of the same package for incremental make

[cosmicexplorer]

Problem: enabling incremental make across different versions of a package

This thought was inspired by this tweet about a surprising (to me) security implication of wiping staging directories by default in alpine linux's abuild build system: https://twitter.com/RichFelker/status/1435659133223587843?s=20. In particular, when the alpine maintainers needed to rebuild firefox in response to a zero-day, they had run up against the inherent time pressure of rebuilding a very large codebase like firefox from scratch. The tweet proposes the following workflow for security-sensitive projects with a large attack surface that take a long time to rebuild:

1. retain the stage and associated build output from the prior version of the software.
2. apply the patch to fix the zero-day to the prior stage.
3. reuse the output from the prior build to take advantage of timestamp-based make.

Application to Spack

There are two points compared/contrasted to spack that I can immediately spot from the above scenario:

• In OS-specific build systems like abuild, packages usually have a single totally-ordered version lineage, so obtaining the "patch to fix the zero-day" is often relatively easy to calculate and occasionally may be provided directly by the upstream maintainer when a new source tarball is created.
  • While spack itself does not enforce a single monolithic version lineage for each package, some spack users or sites using spack may follow that protocol unofficially. This means that the patch from one install of some package to the next one (when it is upgraded) may be relatively small, and incremental rebuilds from a preserved stage directory after applying the small patch may therefore be significantly faster than a clean rebuild.
• Since spack (largely) builds on the local machine instead of pulling down binary packages from a remote server, we have the ability to retain additional data from the build process (which alpine linux would typically only be able to do on their build servers).
  • The abuild build system and aports repository allow users to build packages from source, but this isn't done in most cases (I only do this for a few packages like the kernel on my alpine install). Similarly for spack, many sites use spack buildcache create to avoid their users having to rebuild common packages from scratch each time.

Alternative Approaches

1. spack dev-build allows maintaining an external stage of a specific package, while setting the version to allow it to be used as part of a larger spack build. This can be used with spack stage -p <PATH> to retrieve the appropriate source checkout.
   • However, this doesn't work for more than one package at a time, requires spack to be executed within that stage directory, and isn't intended to be used to produce output in the spack install db (and can't be consumed by spack install).
2. spack install --keep-stage (similarly to abuild's -k flag) will retain the stage directory after a successful installation of a package.
   • However, this isn't retained across separate versions of a package, or even the same version of a package if the hash differs.

Missed opportunity: maintaining an untouched stage directory

Many/most of the underlying build systems that the codebases spack packages use to build themselves (specifically make and things that produce Makefiles) rely on timestamps to calculate what to rebuild (this is also true of abuild). While some build systems such as pants and bazel rely on recursively checksumming directory contents to know what to rebuild, those tools do not understand Makefiles or ./configure scripts, and require forking such packages in order to insert their own build setup, which then quickly diverges from upstream and imposes a significant maintenance burden. While I proposed partially adopting their model in #20407 for some cases, it remains difficult to see how to incrementally introduce the benefits of those tools into any of the packages that spack supports.

Therefore, to avoid an immense continuing effort to rewrite the build processes of upstream packages, spack often relies on timestamps to calculate what to rebuild. This actually works great in the case of spack dev-build or spack build-env, enabling package developers to use spack to pull in any dependencies, then iterate via editing and incrementally rebuilding, without doing a whole fresh build repeatedly. However, as per above, spack dev-build doesn't plug into spack install, and spack currently can't reuse the same stage directory for a new version of a previously-built package. This means that:

1. building a new version of a package to insert into a spack buildcache requires a fresh rebuild (similarly to the situation in the linked tweet at the top).
2. installing any version of a package that's not reachable from a spack buildcache requires a fresh rebuild.

As in the linked tweet at the top, (1) may widen the time range that spack users in a specific site are exposed to a zero-day, although this isn't really an issue since spack install will just build from source if a package version isn't available from a buildcache. However, (2) means users trying out any version of a package that's not already built get to wait a long time to do so, and maybe more significantly, users doing a spack dev-build of a previously-built package still have to wait for a clean rebuild before being able to do their work. This is especially tragic if their site e.g. reserves beefy machines for building LLVM from source, but not for individual spack users (as with alpine linux and abuild/apk install). To make the point stark, none of these issues arise when people build everything from source by hand without spack, which to me implies there is an opportunity here to solve a more general problem than the one mentioned in the linked tweet.

Proposal: specify a persistent staging directory for a package to reuse across builds

1. Specify which packages should have their stage directory persisted with spack install --persist-stage=package1,package2,....
   • We may decide to make this into a config option instead.
2. For those packages, move the stage directory to the install prefix after installation instead of deleting it, and make a note of its location in ~/.spack/caches/persisted-stages/<checksum>.json.
   • A maximum of one persisted stage is retained per package to avoid unbounded disk usage, so just a single json file is retained in the cache directory, renaming the file whenever its contents change.
3. Make spack buildcache create --propagate-persisted-stages --persist-stage=package1,package2,... retain the stage directory in the install prefix for the specified packages, preserving the files' modification times.
4. Allow spack install --persist-stage=package1,package2,... to look for a persisted stage directory in a buildcache or install db for the specified packages (after looking in ~/.spack/caches/persisted-stages/<checksum>.json for those packages).
   • If a persisted stage is found, calculate the diff between spack stage of the new package vs the persisted stage (diffing over just the files that exist in the new package's stage), apply the diff, then build within the persisted stage directory.
     • If the persisted stage is located in a spack buildcache, then it is extracted to a temporary directory for the duration of the install, before the temporary directory is moved to the install prefix as in (2).
   • If a persisted stage is not found, perform (2) for that package, creating a persisted stage for it and noting that in ~/.spack/caches/persisted-stages/<checksum>.json.

[cosmicexplorer]

I'm seeing that spack develop -h is described as "add a spec to an environment's dev-build information", but I'm not seeing the term dev-build in the docs or tutorial on environments. I'm seeing that cmd/develop.py refers to env.dev_specs, but it's not clear to me where dev_specs is documented.

Regardless, the intent of this idea isn't to put the onus on a specific spack user running spack install to create an environment of dev builds that they have to maintain themselves, but rather to make use of prior builds to speed up creation of a dev-build environment, or similarly to speed up any spack install command. It therefore seems to be complementary to and non-overlapping with spack develop. I'll review environment.py further to make sure about this.

[cosmicexplorer]

Ok, seems like spack develop is documented incorrectly and has nothing to do with spack dev-build, is that correct? Running spack develop m4 and spack develop gnupg seem to just modify the environment yaml e.g.

spack:
  specs:
    - gnupg@2.3.1
  view: true
  develop:
    gnupg:
      spec: gnupg@2.3.1
    m4:
      spec: m4@1.4.19
  config:
    debug: true

And does not appear to perform the kind of package build from the current directory that spack dev-build does.

[cosmicexplorer]

I totally didn't think of this at first, but I'm now wondering whether this approach may be extensible to perform ABI diffing with libabigail after the fact as I believe @vsoch was working on a while ago. This is prompted by a further tweet from the same developer (regarding the idea of patching a change from within a persisted stage and rebuilding with incremental make): https://twitter.com/richfelker/status/1435689078587105280?s=21

I think it's desirable because you can reproducibly see that no changes occurred except the security fix (and you can even generate a binary patch to that effect with fancy enough tooling).

I can't immediately see how to directly use the concept of binary diffs in spack as I'm not incredibly familiar with the usage of binary diffing in general, but it may become useful if an OS package manager like alpine's wanted to delegate to spack to provide a build environment. But I'm aware that's not a very strong use case. I mostly wanted to raise the idea of binary diffing from this second tweet since that secondary idea would be more easily enabled by the main proposal in this discussion, in my eyes.

One vague vague idea: I am aware that we have a lot of tooling in spack to modify e.g. rpaths to make shared libraries relocatable, and that we can use libabigail to get semantic ABI information from the output of a build. One extension to the proposal I made in this discussion (using the idea from this second tweet) might be to try to improve the ability of libabigail to perform meaningful ABI diffs from successive package builds by retaining the build output with debug symbols in a subdirectory of the install tree in a buildcache, while continuing to strip debug symbols and/or cut out unwanted libraries to reduce the size of the binary package that spack users actually install from the buildcache during normal usage. Just spitballing.

[vsoch]

@cosmicexplorer I don't see the full big picture, but if you are excited about an idea I'll try to give detail that could help you out (and I'll understand better along the way)! Right now we have the ability to run libabigail as an analyzer, meaning that it will dump out xml corpora for an installed package of interest. There are some details for how to do that here: https://spack.readthedocs.io/en/latest/analyze.html. Once you have those exports, at least if you are using libabigail (there are other ways to represent ABI we are exploring) you can use abidiff to look for (at least ABI relevant) changes. Here are the docs for that -> https://sourceware.org/libabigail/manual/abidiff.html. It could be possible, if you want this integrated more into spack, to have some kind of spack extension that adds running this as a hook, always after a new install, and then running some set of comparisons to save output somewhere. I think minimally you could make a custom install command (using a spack extension https://spack.readthedocs.io/en/latest/extensions.html) that would basically mimic the install command, but add this extra logic to use the analyzer.

Also if you are interested in maintaining debug symbols, see this nice hack: https://spack.readthedocs.io/en/latest/developer_guide.html#developer-environment. Spack does make it very easy to strip things to be smaller (e.g., strip in the spack.yaml to define a containerize setup.

My main issue with libabigail is that it only outputs xml, lol. I did not ever learn to drink that semantic web koolaid 😆

[cosmicexplorer]

omg I love xml!!! or at least I love xpath lol

Once you have those exports, at least if you are using libabigail (there are other ways to represent ABI we are exploring) you can use abidiff to look for (at least ABI relevant) changes. Here are the docs for that -> https://sourceware.org/libabigail/manual/abidiff.html.

It looks like (quite reasonably) that libabigail is unlikely to be able to make use of build output like object files, and that the build output that matters (e.g. generated header files) is going to be available in the install prefix anyway so that other packages can build against it! So that's probably the end of that idea, outside of (maybe not very) exotic circumstances like LTO where object files may contain a lot more info than the resulting binary (although debug symbols are likely to still remain, which looks to be all that libabigail needs).

...HOWEVER! For the higher-level goal of checking combinatorial package compatibility, I think that this discussion's proposal (to persist a stage directory somewhere and make rebuilds of the same package faster) could be used to make the process of building packages in a million different combinations much faster (by adding --persist-stage=package1,package2,... to the spack install command line for all of the packages to be installed). We could also introduce a shorthand --persist-stage=<all> to use this technique to re-use prior build output for every package to be installed, where possible.

I'm not sure how far along the combinatorial package compatibility work is yet, but I do think this proposal would be a really principled and robust way to make rebuilding the same package(s) in a row many times faster, which seems to be relevant for any scenario that involves building a ton of packages repeatedly that aren't likely to be cached (for example, in spack's own CI when a spack package is being edited). Please let me know if I can make that more clear since I think it is possible this technique could speed up many different spack use cases by a significant amount (any situation where the precise DAG hash to be installed isn't cached, but another version of the package is available from a buildcache).

I think minimally you could make a custom install command (using a spack extension https://spack.readthedocs.io/en/latest/extensions.html) that would basically mimic the install command, but add this extra logic to use the analyzer.

This is AWESOME to read about!! I really liked this feature of pants and used it frequently in my work to support the Twitter monorepo build process.

Spack does make it very easy to strip things to be smaller (e.g., strip in the spack.yaml to define a containerize setup.

COOL!! This sounds like a good precedent for the prospect of making the --persist-stage option into a config variable -- I was worried that that would be something that would need to go in a spec.yaml and I didn't want to start breaking the dag_hash for something like this.

[vsoch]

Another area of entry for this "persist stage" idea for a protected/isolated build could be to write something of the same family as the gitlab CI (spack ci) command. E.g., I was able to take the core functionality and generate a Snakefile for a different workload manager. I think Scott was interested in the idea and has plans to refactor generating the DAG for more general use, see #25611 for details (or follow to keep up to date).

[cosmicexplorer]

ooooooooh that's wonderful! Thank you for the tip!