@jerrysxie How would you like to proceed wrt cargo-vet?
Record first-party cargo-vet audits for all 55 previously unvetted crates, reviewed manually via the cargo-vet auditor agent. Each entry certifies safe-to-deploy or safe-to-run criteria as required by the dependency graph. Also add the bytecode-alliance import source and refresh imports.lock. cargo vet now reports "Vetting Succeeded (95 fully audited)". Assisted-by: GitHub Copilot:claude-opus-4.8
I pushed an update with the audits.
Pull request overview
Summary of changes
This PR replaces the existing embedded Rust template with the “Call Graph Analyzer (CGA)” toolchain, including a rustc-driver (cga-driver) and a cargo cga subcommand for checking/extracting callgraphs from post-monomorphization MIR. It adds a substantial UI test suite (including cargo-based UI tests) to validate panic detection, blacklist handling, and edge cases like dyn traits, drops, fn-ptr casts, and async. It also updates CI, toolchain pinning, and supply-chain metadata (cargo-vet imports/audits, cargo-deny config). Overall, the change is a large downstream merge that effectively repurposes the repository into a compiler-adjacent analysis tool with tests and automation to support it.
Step-by-step review guide (grouped by concept)
- Project repurpose + toolchain assumptions: The crate is renamed to `cga`, moved to edition 2024, and now includes binaries `cargo-cga` and `cga-driver`. `rust-toolchain.toml` pins a specific nightly and adds rustc-dev components/targets; this is central to building/running a rustc-driver reliably.
- Driver + analysis pipeline (rustc_private): `bin/cga-driver.rs` hooks into `collect_and_partition_mono_items` to run a post-mono MIR traversal, build a callgraph, emit lints, and optionally export per-crate callgraphs (joined by the cargo subcommand). `cga_analysis` contains the core traversal (`post_mono.rs`), root collection (forked monomorphize logic), panic classification, dyn-trait/vtable expansion, and lint emission.
- Cargo UX (`cargo cga`): `cga_cargo` implements CLI parsing (clap) and shells out to `cargo +<nightly-date> -Z build-std check` with the driver set as `RUSTC`. For extract/test modes, it captures `cga-emit:` lines, merges multiple callgraph JSONs, and optionally writes DOT.
- Testing strategy: `tests/compile-test.rs` integrates `ui_test` for both `tests/ui` and `tests/ui-cargo`, supports bless workflows, and normalizes output. The UI fixtures cover multiple panic sources and trace-dedup behavior.
- Automation & supply-chain: CI workflow is simplified into a single “check” job plus `cargo-deny` and `cargo-machete`. `supply-chain/` is expanded with imports and a large set of cargo-vet audits.
Potential issues
| # | Severity | File | Description | Code |
|---|---|---|---|---|
| 1 | Medium | cga_analysis/src/diagnostics/mod.rs:341-343 | Async-specific “leaf” notes are attached to the first trace element, but the trace is constructed entrypoint→…→leaf and then reversed for display; this misplaces async panic notes. | `if let Some(leaf) = data.trace.first() { ... }` |
| 2 | Medium | cga_cargo/src/command.rs:20 | RUSTUP_TOOLCHAIN is assumed to always include a suffix after the nightly date; common rustup values like nightly-YYYY-MM-DD will fail the regex and panic. | `Regex::new("^(nightly-...)-.+")` |
| 3 | Medium | cga_cargo/src/callgraph.rs:12-16 | DOT name truncation slices by byte offset and can panic on valid Unicode identifiers (non-UTF8 boundary). | `&node.name[0..NAME_MAX_LEN]` |
| 4 | Medium | build.rs:2-6 | Unconditionally injecting GNU ld-style rpath linker args is non-portable (notably breaks Windows/MSVC) and unwraps provide poor diagnostics; should be gated + use expect messages. | `cargo:rustc-link-arg=-Wl,-rpath=...` |
Reviewed changes
Copilot reviewed 74 out of 81 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/ui/simple.stderr | Adds UI stderr baseline for a simple panic lint trace/dedup case. |
| tests/ui/simple.rs | Adds simple UI test source for panic detection and trace dedup. |
| tests/ui/large_std_process.stderr | Adds UI stderr baseline covering large backtrace/path counts. |
| tests/ui/large_std_process.rs | Adds UI test for panics in std::process::Command construction/drop. |
| tests/ui/fn_ptr.stderr | Adds UI stderr baseline for fn-ptr cast conservatism. |
| tests/ui/fn_ptr.rs | Adds UI test for fn-pointer casts producing conservative diagnostics. |
| tests/ui/extern_c.stderr | Adds UI stderr baseline for exported C entrypoints. |
| tests/ui/extern_c.rs | Adds UI test for exported extern "C" entrypoints vs uncalled functions. |
| tests/ui/dyn_trait.stderr | Adds UI stderr baseline for dyn-trait/vtable conservative expansion. |
| tests/ui/dyn_trait.rs | Adds UI test for dyn object ambiguity across multiple impls. |
| tests/ui/drop.stderr | Adds UI stderr baseline for panics originating from Drop. |
| tests/ui/drop.rs | Adds UI test for panic in Drop implementation. |
| tests/ui/cycle.stderr | Adds UI stderr baseline for recursion/reachability expansion robustness. |
| tests/ui/cycle.rs | Adds UI test for recursion without infinite expansion plus a panic site. |
| tests/ui/async.stderr | Adds UI stderr baseline for implicit async panic + explicit panic sites. |
| tests/ui/async.rs | Adds UI test covering async “poll after Ready” implicit panic handling. |
| tests/ui/assert_mir.stderr | Adds UI stderr baseline for MIR terminator asserts. |
| tests/ui/assert_mir.rs | Adds UI test for implicit MIR assert classification. |
| tests/ui/assert_macro.stderr | Adds UI stderr baseline for assert! macro expansion classification. |
| tests/ui/assert_macro.rs | Adds UI test for assert! macro and tool-lint registration. |
| tests/ui-cargo/fail-simple/src/main.rs | Adds cargo-based UI fixture crate that triggers multiple lint errors. |
| tests/ui-cargo/fail-simple/Cargo.toml | Adds manifest for cargo-based UI fixture crate. |
| tests/ui-cargo/fail-simple/Cargo.stderr | Adds expected stderr output for cargo-based UI fixture crate. |
| tests/ui-cargo/fail-simple/Cargo.lock | Adds lockfile for cargo-based UI fixture crate. |
| tests/ui-cargo/fail-embedded/target-triple | Adds target triple file for embedded cargo-based UI fixture. |
| tests/ui-cargo/fail-embedded/src/main.rs | Adds embedded/no_std cargo UI fixture using Embassy stack. |
| tests/ui-cargo/fail-embedded/cga.toml | Adds CGA config fixture controlling allow_async_panic/allow_assert. |
| tests/ui-cargo/fail-embedded/Cargo.toml | Adds manifest for embedded cargo-based UI fixture crate. |
| tests/ui-cargo/fail-embedded/Cargo.stderr | Adds expected stderr output for embedded cargo-based UI fixture. |
| tests/ui-cargo/fail-embedded/.cargo/config.toml | Adds per-fixture cargo config (target + runner) for embedded tests. |
| tests/ui-cargo/fail-blacklist/src/main.rs | Adds cargo-based UI fixture for blacklist lint behavior. |
| tests/ui-cargo/fail-blacklist/cga.toml | Adds blacklist configuration fixture. |
| tests/ui-cargo/fail-blacklist/Cargo.toml | Adds manifest for blacklist fixture crate. |
| tests/ui-cargo/fail-blacklist/Cargo.stderr | Adds expected stderr output for blacklist fixture crate. |
| tests/ui-cargo/fail-blacklist/Cargo.lock | Adds lockfile for blacklist fixture crate. |
| tests/compile-test.rs | Introduces the ui_test harness wiring for ui and ui-cargo tests. |
| supply-chain/config.toml | Adds cargo-vet import for bytecodealliance audits feed. |
| supply-chain/audits.toml | Replaces/expands audits list with many crate audit entries. |
| src/main.rs | Removes embedded template binary entrypoint. |
| src/baremetal/mod.rs | Removes baremetal panic handler module from template. |
| rust-toolchain.toml | Pins nightly toolchain and adds required components/targets. |
| README.md | Replaces template README with CGA documentation and usage examples. |
| LICENSE | Normalizes/adjusts trailing newline/formatting in license text. |
| deny.toml | Updates cargo-deny config (ignored advisories/licenses/org git allowlist). |
| cga_test_deps/src/lib.rs | Adds helper crate for UI test dependency builds. |
| cga_test_deps/Cargo.toml | Adds manifest/workspace isolation for UI test dependency crate. |
| cga_data/src/lib.rs | Adds data crate module exports (callgraph + cmd). |
| cga_data/src/cmd.rs | Adds serialized driver input/config schema (lint rules/options). |
| cga_data/src/callgraph.rs | Adds callgraph export data model and merge logic. |
| cga_data/Cargo.toml | Adds manifest for data crate (serde derive). |
| cga_cargo/src/lib.rs | Adds cargo cga entrypoint and argument normalization for subcommand use. |
| cga_cargo/src/command.rs | Adds cargo invocation/extract/check/test orchestration and output merging. |
| cga_cargo/src/callgraph.rs | Adds DOT emitter for exported callgraphs. |
| cga_cargo/src/args/mod.rs | Adds clap CLI structure for check, extract, and internal test. |
| cga_cargo/src/args/cargo.rs | Adds supported Cargo arg forwarding surface for CGA commands. |
| cga_cargo/Cargo.toml | Adds manifest for cargo-subcommand crate and deps. |
| cga_analysis/src/post_mono.rs | Adds post-mono MIR traversal building callgraph edges from MIR uses. |
| cga_analysis/src/panics.rs | Adds panic classification logic (panic impls, asserts, async panic). |
| cga_analysis/src/monomorphize.rs | Adds forked root collection logic with extern/export-name handling. |
| cga_analysis/src/lib.rs | Adds core analysis types, tool lints, and path canonicalization helpers. |
| cga_analysis/src/errors.rs | Adds diagnostic type(s) used for fatal configuration/tooling errors. |
| cga_analysis/src/dyn_object.rs | Adds dyn-trait implementor expansion for vtable call conservatism. |
| cga_analysis/src/diagnostics/rules.rs | Adds whitelist/blacklist rule matching over paths/crate/span. |
| cga_analysis/src/diagnostics/mod.rs | Adds boundary/leaf selection, trace building, and lint emission formatting. |
| cga_analysis/src/callgraph/mod.rs | Adds internal callgraph representation, edge registration, and filtering. |
| cga_analysis/src/callgraph/data.rs | Adds export adapter from internal callgraph to data crate schema. |
| cga_analysis/src/callgraph/bigraph.rs | Adds bidirectional graph utilities for boundaries/traces/path counting. |
| cga_analysis/Cargo.toml | Adds manifest for analysis crate and supporting deps. |
| Cargo.toml | Repurposes root crate to CGA, adds binaries, deps, and test harness config. |
| Cargo.lock | Updates lockfile for the new workspace/dependency set. |
| build.rs | Adds build script that sets linker rpath for sysroot runtime libs. |
| bin/cga-driver.rs | Adds rustc-driver binary that runs analysis/lints and exports callgraphs. |
| bin/cargo-cga.rs | Adds cargo subcommand binary entrypoint delegating to cga_cargo. |
| .vscode/settings.json | Updates rust-analyzer settings for rustc source discovery. |
| .gitignore | Updates ignore rules for new tool outputs and nested targets/locks. |
| .github/workflows/nostd.yml | Removes no-std workflow from the previous embedded template. |
| .github/workflows/check.yml | Replaces prior Rust CI matrix with simplified build/fmt/clippy/test + deny/machete. |
| .gitattributes | Adds consistent EOL handling for UI test stderr/stdout fixtures. |
| .cargo/config.toml | Adds cargo aliases for uitest/uibless workflows. |
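An added example, not code from this PR or the CGA project, showing defensive versions of the two `cga_cargo` spots the review flags as issues 2 and 3: reading the nightly channel from `RUSTUP_TOOLCHAIN` whether or not a host-triple suffix follows the date, and truncating a DOT node name without slicing inside a multi-byte character. The function names, the `NAME_MAX_LEN` value and the sample names are assumptions.

```rust
// Hypothetical helpers (not the PR's own functions); std only, no regex crate.

/// Return the `nightly-YYYY-MM-DD` channel prefix of a RUSTUP_TOOLCHAIN value.
/// Accepts both the bare form and one with a host-triple suffix, e.g.
/// `nightly-2024-05-01-x86_64-unknown-linux-gnu`; anything else yields None
/// instead of panicking.
pub fn nightly_channel(toolchain: &str) -> Option<&str> {
    let rest = toolchain.strip_prefix("nightly-")?;
    // The date is exactly 10 ASCII bytes: YYYY-MM-DD.
    let date = rest.get(..10)?;
    let well_formed = date.bytes().enumerate().all(|(i, b)| {
        if i == 4 || i == 7 { b == b'-' } else { b.is_ascii_digit() }
    });
    if !well_formed {
        return None;
    }
    // Whatever follows must be empty or a `-<host-triple>` suffix.
    match rest.get(10..) {
        Some("") => {}
        Some(suffix) if suffix.starts_with('-') && suffix.len() > 1 => {}
        _ => return None,
    }
    Some(&toolchain[..("nightly-".len() + 10)])
}

/// Truncate a DOT node name to at most `max_len` bytes, backing up to the
/// nearest char boundary so the slice never panics on non-ASCII identifiers.
pub fn truncate_dot_name(name: &str, max_len: usize) -> &str {
    if name.len() <= max_len {
        return name;
    }
    let mut end = max_len;
    while !name.is_char_boundary(end) {
        end -= 1;
    }
    &name[..end]
}

fn main() {
    // Constructed sample values: a bare nightly, a suffixed one, and a non-nightly.
    for tc in ["nightly-2024-05-01", "nightly-2024-05-01-x86_64-unknown-linux-gnu", "stable"] {
        println!("{tc:?} -> {:?}", nightly_channel(tc));
    }
    // Constructed name containing a two-byte UTF-8 character ('ó').
    println!("{:?}", truncate_dot_name("crate::módulo::fn", 9));
}
```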
@jerrysxie feedback has been processed
Note that the Cargo vet PR comment workflow fails (silently)
Yeah, that CI workflow has a permission problem on private repos. We can ignore it for now.
@Wassasin Any objection to making this repo public now?
@jerrysxie no objection! Feel free to make it public
This pull request significantly rebrands and restructures the project, transforming it from an embedded Rust template into the "Call Graph Analyzer (CGA)" tool. The changes include major updates to project metadata, documentation, CI workflows, and development tooling. The new configuration supports CGA as a Rust call graph analysis tool, introduces new binaries, updates continuous integration, and improves developer experience.
Key changes:
Project Rebranding and Metadata
- Renamed `embedded-rust-template` to `cga`, updated the description, repository, authors, keywords, categories, and set up new binaries (`cargo-cga`, `cga-driver`) in `Cargo.toml`. Added relevant dependencies and configuration for development and testing.
- Replaced `README.md` to document CGA's purpose, usage, alternatives, examples, and development notes, replacing all template and embedded content.
CI/CD and Tooling Updates
- Updated `.github/workflows/check.yml` to simplify and modernize CI: consolidated jobs, updated actions, removed target-specific and no-std checks, and improved dependency management.
- Removed `.github/workflows/nostd.yml`, eliminating no-std CI checks, reflecting the project's new focus.
- Updated `.github/workflows/cargo-vet.yml` to use `cargo-vet` version 0.10.2.
Developer Experience
- Added `.cargo/config.toml` with helpful cargo aliases for test workflows (`bless`, `uitest`, `uibless`).
- Added `.gitattributes` to enforce LF line endings for `.stderr` and `.stdout` files.
- Updated `.vscode/settings.json` to only specify `rust-analyzer.rustc.source`, removing target and formatting settings.
Source and Binary Additions
- Added `bin/cargo-cga.rs` as the entry point for the new cargo subcommand, delegating to `cga_cargo::main()`.
These changes collectively establish CGA as a standalone Rust call graph analysis tool, with improved documentation, streamlined CI, and enhanced developer tooling.