feat(resolver): -Zdirect-minimal-versions

[epage]

This is an alternative to -Zminimal-versions as discussed in #5657.

Problems with -Zminimal-versions includes

• Requires the root most dependencies to verify it and we then percolate that up the stack. This requires a massive level of cooperation to accomplish and so far there have been mixed results with it to the point that cargo's unstable
  documentation discourages its use.
• Users expect cargo check -Zminimal-versions to force resolving to minimal but it doesn't as the default maximal resolve is compatible and requires cargo update -Zminimal-versions
• Different compatible versions might be selected, breaking interop between crates, changing feature unification, and breaking -sys crates without bad links

-Zdirect-minimal-versions instead only applies this rule to your
direct dependencies, allowing anyone in the stack to immediately adopt
it, independent of everyone else.

Special notes

• Living up to the name and the existing design, this ignores yanked
  crates. This makes sense for ^1.1 version requirements but might
  look weird for ^1.1.1 version requirements as it could select
  1.1.2.
• This will error if an indirect dependency requires a newer version.
  Your version requirement will need to capture what you use and all
  of you dependencies. An alternative design would have tried to merge
  the result of minimum versions for direct dependencies and maximum
  versions for indirect dependencies. This would have been complex and
  led to weird corner cases, making it harder to predict. I also suspect
  the value gained would be relatively low as you can't verify that
  version requirement in any other way.
  • This also means discrepancies between dependencies and dev-dependencies are errors
  • The error could be improved to call out that this was from minimal
    versions but I felt getting this out now and starting to collect
    feedback was more important.

One advantage of this approach over -Zminimal-versions is that it removes most of the problems that cargo-minimal-versions tried to workaround.

As for the implementation, this might not be the most elegant solution but it works and we can always iterate and improve on it in the future.

• We keep the state as a bool throughout but compensate for that by explicitly creating a variable to abstract away constants
• The name changes depending on the context, from direct_minimal_version when dealing with the unstable flag to first_minimal_version when the concept of "direct" is lost to first_version when we split off the ordering concept into a separate variable
• Packages that respect direct_minimal_versions are determined by whether they are the top-level summaries that get past into resolve

What does this PR try to resolve?

The primary use case is verifying version requirements to avoid depending on something newer than might be available in a dependent

For this to help the MSRV use case, the crate author must directly depend on all indirect dependencies where their latest release has too new of an MSRV but at least they can do so with the ^ operator, rather than < and breaking the ecosystem.

How should we test and review this PR?

The first two commits add tests using -Zminimal-versions. The commit that adds -Zdirect-minimal-versions updates the tests, highlighting the differences in behavior.

Additional information

Potential areas of conversation for stablization

• Flag name
• Handling of yanked (pick first non-yanked, pick yanked, error)
• Quality of error message
• Should the package have a "memory" of this flag being set by writing it to the lockfile?

Potential future work

• Stablize this
• Remove -Zminimal-versions
• Update cargo publishs --verify step to use this.
  • The challenge is this won't be using the packaged Cargo.lock which probably should also be verified.

[rustbot]

r? @weihanglo

(rustbot has picked a reviewer for you, use r? to override)

[epage]

CI will be blocked until rust-lang/rust#107688 lands in nightly.

#11679 (comment)

Should we decouple nightly from the other test jobs so we can at least see the rest of CI status or maybe even allow merging regardless of nightly failures?

[Eh2406]

So if I understand the functionality right you are passing around a flag that means "for this dependency only provide 1 candidate". Then we make sure to pass that as "true" for direct dependencies and "false" for indirect dependencies. Did I understand that correctly?

On a different topic, thank you for adding tests! If you've already written/added the tests for -Zminimal-versions then let's keep them as long as we have that flag.

Similarly there are some tests for -Zminimal-versions in crates/resolver-tests a unit test and a proptest. I would love to see this new functionality added to the proptests. We should think about what properties the new functionality has.

[epage]

So if I understand the functionality right you are passing around a flag that means "for this dependency only provide 1 candidate". Then we make sure to pass that as "true" for direct dependencies and "false" for indirect dependencies. Did I understand that correctly?

Yes, that is correct. It effectively gives us a = semver operator without the complexity of rewriting a version requirement for this.

[Eh2406]

One of the resolver's chronic problems is having a large number of knobs and state that need to be kept synchronized, with little in the code to teach the connections.
I wonder if there is some structure we could put this bool in help make it clear when it needs to be set and what the implications are. (Of course it would be hypocritical of me to block this PR on organizing the code better than I managed.)

Naively it sounds like "this dependency requirement should only ever give one candidate" should live in a Dependency. Can you try that?

[epage]

One of the resolver's chronic problems is having a large number of knobs and state that need to be kept synchronized, with little in the code to teach the connections. I wonder if there is some structure we could put this bool in help make it clear when it needs to be set and what the implications are. (Of course it would be hypocritical of me to block this PR on organizing the code better than I managed.)

Naively it sounds like "this dependency requirement should only ever give one candidate" should live in a Dependency. Can you try that?

I lean towards gathering more information before generalizing this. We have -Zminimal-versions and now -Zdirect-minimal-versions with how they customize the resolver. We will hopefully soon have "my system depends on a single rustc version" for the cargo install MSRV experience and "build with the lowest common denominator"' with the "xargo check MSRV experience. I feel like seeing how each of these systems interact would help provide insight into what would work well for generalizing this while now it feels a little speculative. I could see prototyping the MSRV behavior to lean what is needed but cleaning this up before merging it.

Thoughts?

[Eh2406]

I agree that we are in a prototyping phase. I think the semantics of this new flag are reasonable as a next thing to try. All I'm wondering about is where is the best place to shoehorn in this extra bool. This PR currently passes it around as an argument, and it doesn't look too bad. I would like to see some experimentation adding it to Dependency. Dependency::Inner gets a match_only_one flag. Dependency gets a with_match_only_one(&self, bool) -> Self and a is_match_only_one(&self) -> bool.

[bors]

☔ The latest upstream changes (presumably #11646) made this pull request unmergeable. Please resolve the merge conflicts.

[epage]

@Eh2406 as discussed, I've kept the current approach as its more surgical (Dependencies has a lot more impact) and the proptest cases (I think I got them all)

[Eh2406]

This looks good as a first PR for the feature.

I'd like to register two things that need to be dealt with before stabilization:

• When we know we've got the semantics correct, we must experiment with other abstractions. Only having tried alternatives would I be willing to stabilize passing around this argument.
• We need better error messages. Specifically versions that meet the requirements ^1.1 are: 1.1.0 needs to explain why 1.2.0 does not match. Of course, not a blocker on initial experimentation.

[Eh2406]

Trying to think whether we need to add first_minimal_version to the cache key. I think we do, as it's perfectly reasonable to have a transitive and a non-transitive Dependency but where this query returns different results.

But either adding it to the cash key or adding a comment explaining why it's not needed would be appreciated.

[epage]

I went with your other comment about parent.is_none() though I hesitate about that because that is knowledge outside of the resolver.

[Eh2406]

There are 2 caches here. self.registry_cache has parent in is cache key. Thank you for adding a comment.

But self.registry_cache appears to me not to keep track of the fact that the result of query may differ depending on the value of first_minimal_version. If I've missed something please add a comment.

[epage]

self.registry_cache is now tracking the first_minimal_version

[weihanglo]

Hand this over to Jacob
r? @Eh2406

[Eh2406]

On a larger note... We have many levels of caching going on in the resolver. It is not clear to me that they still all pull their weight. When each one was added it was a significant performance when. But now resolver speed is not the significant bottleneck it used to be so absolute performance is less critical. Especially as I now consider the cost of code complexity as higher than I used to. But in order to decide we would need an objective and repeatable measure of the performance cost. The resolver needs an isolated benchmark.

cc https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/Benchmarking.20without.20lockfile

[Eh2406]

@bors r+

[bors]

📌 Commit 1d153f1 has been approved by Eh2406

It is now in the queue for this repository.

[bors]

⌛ Testing commit 1d153f1 with merge 80f1a5d...

[bors]

☀️ Test successful - checks-actions
Approved by: Eh2406
Pushing 80f1a5d to master...