releng: better dynamic library verification #10691

Open: iliana wants to merge 2 commits into main from iliana/verify-libraries

iliana (Collaborator) commented Jun 30, 2026

Closes #7149.

Prior to this change we ran the verify-libraries xtask on release binaries. This appeared like an optimal choice at the time, but I realized that we were no longer testing that debug binaries required only expected dynamic libraries (which ended up regressing for a bit), and because of the differences in how omicron-package and the verify-libraries xtask compiled the software we weren't even testing the actual binaries we shipped. More details in #7149.

This adds two new tasks to releng, host-libraries and recovery-libraries, which run the verify-libraries check on all the binaries produced by omicron-package. The verify-libraries releng task now compiles and checks debug binaries after all of the cargo build tasks needed for the repo are done.

When approaching this I initially was going to move cargo xtask verify-libraries back to the build-and-test job, because I was annoyed that local runs of cargo xtask releng were running a lengthy check I didn't care about. However, that would have added about 6-8 minutes to the runtime of that test (the bins can't be built at the same time as the tests, otherwise the bins end up being linked against test-only libraries that pull in dynamic libraries we explicitly don't want). The whole reason it was moved to this task in the first place is because it was basically "free": the second half-ish of the releng process is building OS images, which is mostly network/disk IO and barely uses any CPU. So instead of moving it I added an off-by-default option to enable this check, and added it to the Buildomat job definition.

iliana requested a review from papertigers June 30, 2026 05:23

iliana (Collaborator, Author) commented Jun 30, 2026

After looking through all my old PRs/branches I pieced together why I wanted to move verify-libraries back to build-and-test: I had intended to save a bunch of time in releng using the then-new --only option to omicron-package (#7150).

I still want to propose this change as-is, to fix #7149, and then figure out if we should kick cargo xtask verify-libraries out of this Buildomat job later.

papertigers (Contributor) left a comment

It took me a bit to fully follow what was happening here since I have never looked at the releng job system before. Just so I follow completely, this is always checking the recovery and host libraries but only verifying debug if --verify-debug-libraries is passed?

Otherwise this looks good to me, thanks for doing this work.

Development

Successfully merging this pull request may close these issues.

problems with current use of cargo xtask verify-libraries
