From cf96b8656c1559e31e317ac2b97005116b2ef352 Mon Sep 17 00:00:00 2001 From: zackees Date: Mon, 29 Jun 2026 10:10:40 -0700 Subject: [PATCH 1/4] dylint(826): port ban_std_pathbuf + ban_unrooted_tempdir from zccache Adopt zccache's two PathBuf/tempdir lints into fbuild with allowlists matching the fbuild source tree: - ban_std_pathbuf: 193-entry allowlist of legacy PathBuf call sites; steers new code at fbuild_core::path::NormalizedPath. - ban_unrooted_tempdir: 92-entry allowlist of legacy unrooted tempdir call sites; steers new code at fbuild_paths::get_cache_root() and the tempfile::*_in(...) variants. Both lints are ON and deny-by-default for new code. Target state is zero allowlist entries; the lists shrink as migrations land. Add the dylint crate dirs to the crate_guard allowlist so future edits to those Cargo.tomls aren't blocked by the monocrate hook. Refs FastLED/fbuild#826, #436, #437, #282. --- ci/hooks/crate_guard.py | 5 + dylints/README.md | 30 +- dylints/ban_std_pathbuf/.cargo/config.toml | 2 + dylints/ban_std_pathbuf/Cargo.lock | 1590 +++++++++++++++++ dylints/ban_std_pathbuf/Cargo.toml | 26 + dylints/ban_std_pathbuf/README.md | 26 + dylints/ban_std_pathbuf/rust-toolchain.toml | 3 + dylints/ban_std_pathbuf/src/README.md | 9 + dylints/ban_std_pathbuf/src/allowlist.txt | 212 +++ dylints/ban_std_pathbuf/src/lib.rs | 236 +++ dylints/ban_std_pathbuf/ui/disallowed.rs | 5 + dylints/ban_std_pathbuf/ui/disallowed.stderr | 16 + dylints/ban_unrooted_tempdir/Cargo.toml | 23 + dylints/ban_unrooted_tempdir/README.md | 39 + .../ban_unrooted_tempdir/rust-toolchain.toml | 3 + dylints/ban_unrooted_tempdir/src/README.md | 12 + .../ban_unrooted_tempdir/src/allowlist.txt | 123 ++ dylints/ban_unrooted_tempdir/src/lib.rs | 239 +++ dylints/ban_unrooted_tempdir/ui/README.md | 10 + dylints/ban_unrooted_tempdir/ui/allowed.rs | 8 + dylints/ban_unrooted_tempdir/ui/disallowed.rs | 6 + 21 files changed, 2620 insertions(+), 3 deletions(-) create mode 100644 dylints/ban_std_pathbuf/.cargo/config.toml create mode 100644 dylints/ban_std_pathbuf/Cargo.lock create mode 100644 dylints/ban_std_pathbuf/Cargo.toml create mode 100644 dylints/ban_std_pathbuf/README.md create mode 100644 dylints/ban_std_pathbuf/rust-toolchain.toml create mode 100644 dylints/ban_std_pathbuf/src/README.md create mode 100644 dylints/ban_std_pathbuf/src/allowlist.txt create mode 100644 dylints/ban_std_pathbuf/src/lib.rs create mode 100644 dylints/ban_std_pathbuf/ui/disallowed.rs create mode 100644 dylints/ban_std_pathbuf/ui/disallowed.stderr create mode 100644 dylints/ban_unrooted_tempdir/Cargo.toml create mode 100644 dylints/ban_unrooted_tempdir/README.md create mode 100644 dylints/ban_unrooted_tempdir/rust-toolchain.toml create mode 100644 dylints/ban_unrooted_tempdir/src/README.md create mode 100644 dylints/ban_unrooted_tempdir/src/allowlist.txt create mode 100644 dylints/ban_unrooted_tempdir/src/lib.rs create mode 100644 dylints/ban_unrooted_tempdir/ui/README.md create mode 100644 dylints/ban_unrooted_tempdir/ui/allowed.rs create mode 100644 dylints/ban_unrooted_tempdir/ui/disallowed.rs diff --git a/ci/hooks/crate_guard.py b/ci/hooks/crate_guard.py index 95dbd490..059b3f7f 100644 --- a/ci/hooks/crate_guard.py +++ b/ci/hooks/crate_guard.py @@ -60,6 +60,11 @@ "bench/fastled-examples", # Workspace-excluded crates with their own toolchains: "dylints/ban_raw_subprocess", + "dylints/ban_std_pathbuf", + "dylints/ban_unrooted_tempdir", + "dylints/ban_direct_serialport", + "dylints/ban_file_based_locks", + "dylints/ban_deploy_tool_direct_invocation", } ) diff --git a/dylints/README.md b/dylints/README.md index 0d0c1357..1ba0bfa1 100644 --- a/dylints/README.md +++ b/dylints/README.md @@ -12,6 +12,30 @@ itself stays on stable 1.94.1). code (`crates/*/src/`). All subprocess spawns must flow through `fbuild_core::subprocess::run_command` / `fbuild_core::containment::*`. See #264. +- **`ban_std_pathbuf/`** — bans raw `std::path::PathBuf` in workspace + code; steers callers at `fbuild_core::path::NormalizedPath` so paths + carry the normalization invariant Windows requires. Legacy call sites + exempted via `src/allowlist.txt`. See #826 / #436 / #437 / #282. +- **`ban_unrooted_tempdir/`** — bans `tempfile::tempdir()` / + `tempfile::TempDir::new()` / `tempfile::NamedTempFile::new()` / + `std::env::temp_dir()` in production code; steers callers at the + `_in(...)` variants rooted under `fbuild_paths::get_cache_root()` so + every byte fbuild writes lives under one user-visible directory. + Legacy call sites exempted via `src/allowlist.txt`. See #826. +- **`ban_direct_serialport/`** — bans direct use of the `serialport` + crate outside `crates/fbuild-serial/` and a small set of diagnostic + CLI entry points. All serial access must flow through + `fbuild-serial`'s blessed APIs so DTR/RTS rules, retry counts, and + the Windows USB-CDC contract stay consistent. See #826. +- **`ban_file_based_locks/`** — bans file-based locking primitives + (`OpenOptions::create_new(true)` lock-file pattern, `fs2::FileExt`, + `flock`). All locking flows through the daemon's in-memory managers + per the `CLAUDE.md` "no file-based locks" rule. Locks in the + invariant; allowlist is empty. See #826. +- **`ban_deploy_tool_direct_invocation/`** — bans direct + `Command::new("esptool" | "avrdude" | "picotool" | "dfu-util" | + "pyocd")` invocations outside `crates/fbuild-deploy/`. All deploy- + tool spawns must flow through `fbuild deploy`. See #826 / #694. ## Running locally @@ -34,8 +58,8 @@ CI runs this on every push/PR via `.github/workflows/dylint.yml`. `dylint_linting` builds against a specific nightly rustc; the rustc internal API (`rustc_lint`, `rustc_hir`, `rustc_span`) changes between -nightlies. Keeping the dylint crate in `[workspace.exclude]` lets it -pin `nightly-2026-03-26` in its own `rust-toolchain.toml` without +nightlies. Keeping each dylint crate out of the stable workspace lets +it pin `nightly-2026-03-26` in its own `rust-toolchain.toml` without forcing the entire workspace to nightly. The workspace registers the lint directory via: @@ -45,7 +69,7 @@ The workspace registers the lint directory via: libraries = [{ path = "dylints/*" }] ``` -so `cargo dylint --all` picks it up automatically. +so `cargo dylint --all` picks every dylint up automatically. ## Why `build_dylint_driver.py` diff --git a/dylints/ban_std_pathbuf/.cargo/config.toml b/dylints/ban_std_pathbuf/.cargo/config.toml new file mode 100644 index 00000000..d5862762 --- /dev/null +++ b/dylints/ban_std_pathbuf/.cargo/config.toml @@ -0,0 +1,2 @@ +[target.'cfg(all())'] +rustflags = ["-C", "linker=dylint-link"] diff --git a/dylints/ban_std_pathbuf/Cargo.lock b/dylints/ban_std_pathbuf/Cargo.lock new file mode 100644 index 00000000..41969317 --- /dev/null +++ b/dylints/ban_std_pathbuf/Cargo.lock @@ -0,0 +1,1590 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 4 + +[[package]] +name = "aho-corasick" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301" +dependencies = [ + "memchr", +] + +[[package]] +name = "anstream" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d" +dependencies = [ + "anstyle", + "anstyle-parse", + "anstyle-query", + "anstyle-wincon", + "colorchoice", + "is_terminal_polyfill", + "utf8parse", +] + +[[package]] +name = "anstyle" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000" + +[[package]] +name = "anstyle-parse" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e" +dependencies = [ + "utf8parse", +] + +[[package]] +name = "anstyle-query" +version = "1.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" +dependencies = [ + "windows-sys 0.61.2", +] + +[[package]] +name = "anstyle-wincon" +version = "3.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" +dependencies = [ + "anstyle", + "once_cell_polyfill", + "windows-sys 0.61.2", +] + +[[package]] +name = "anyhow" +version = "1.0.102" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" + +[[package]] +name = "ban_std_pathbuf" +version = "0.1.0" +dependencies = [ + "dylint_linting", + "dylint_testing", +] + +[[package]] +name = "bitflags" +version = "2.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" + +[[package]] +name = "camino" +version = "1.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48" +dependencies = [ + "serde_core", +] + +[[package]] +name = "cargo-platform" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87a0c0e6148f11f01f32650a2ea02d532b2ad4e81d8bd41e6e565b5adc5e6082" +dependencies = [ + "serde", + "serde_core", +] + +[[package]] +name = "cargo_metadata" +version = "0.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef987d17b0a113becdd19d3d0022d04d7ef41f9efe4f3fb63ac44ba61df3ade9" +dependencies = [ + "camino", + "cargo-platform", + "semver", + "serde", + "serde_json", + "thiserror 2.0.18", +] + +[[package]] +name = "cc" +version = "1.2.59" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7a4d3ec6524d28a329fc53654bbadc9bdd7b0431f5d65f1a56ffb28a1ee5283" +dependencies = [ + "find-msvc-tools", + "jobserver", + "libc", + "shlex", +] + +[[package]] +name = "cfg-if" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" + +[[package]] +name = "colorchoice" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570" + +[[package]] +name = "compiletest_rs" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f150fe9105fcd2a57cad53f0c079a24de65195903ef670990f5909f695eac04c" +dependencies = [ + "diff", + "filetime", + "getopts", + "lazy_static", + "libc", + "log", + "miow", + "regex", + "rustfix", + "serde", + "serde_derive", + "serde_json", + "tester", + "windows-sys 0.59.0", +] + +[[package]] +name = "diff" +version = "0.1.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8" + +[[package]] +name = "dirs-next" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1" +dependencies = [ + "cfg-if", + "dirs-sys-next", +] + +[[package]] +name = "dirs-sys-next" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d" +dependencies = [ + "libc", + "redox_users", + "winapi", +] + +[[package]] +name = "displaydoc" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "dylint" +version = "5.0.0" +source = "git+https://github.com/trailofbits/dylint?rev=4bd91ce7729b74c7ee5664bbb588f7baf30b4a09#4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" +dependencies = [ + "anstyle", + "anyhow", + "cargo_metadata", + "dylint_internal", + "log", + "once_cell", + "semver", + "serde", + "serde_json", + "tempfile", +] + +[[package]] +name = "dylint_internal" +version = "5.0.0" +source = "git+https://github.com/trailofbits/dylint?rev=4bd91ce7729b74c7ee5664bbb588f7baf30b4a09#4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" +dependencies = [ + "anstyle", + "anyhow", + "bitflags", + "cargo_metadata", + "git2", + "home", + "log", + "regex", + "serde", + "tar", + "thiserror 2.0.18", + "toml", +] + +[[package]] +name = "dylint_linting" +version = "5.0.0" +source = "git+https://github.com/trailofbits/dylint?rev=4bd91ce7729b74c7ee5664bbb588f7baf30b4a09#4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" +dependencies = [ + "cargo_metadata", + "dylint_internal", + "paste", + "rustversion", + "serde", + "thiserror 2.0.18", + "toml", +] + +[[package]] +name = "dylint_testing" +version = "5.0.0" +source = "git+https://github.com/trailofbits/dylint?rev=4bd91ce7729b74c7ee5664bbb588f7baf30b4a09#4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" +dependencies = [ + "anyhow", + "cargo_metadata", + "compiletest_rs", + "dylint", + "dylint_internal", + "env_logger", + "once_cell", + "regex", + "serde_json", + "tempfile", +] + +[[package]] +name = "env_filter" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32e90c2accc4b07a8456ea0debdc2e7587bdd890680d71173a15d4ae604f6eef" +dependencies = [ + "log", + "regex", +] + +[[package]] +name = "env_logger" +version = "0.11.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0621c04f2196ac3f488dd583365b9c09be011a4ab8b9f37248ffcc8f6198b56a" +dependencies = [ + "anstream", + "anstyle", + "env_filter", + "jiff", + "log", +] + +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + +[[package]] +name = "errno" +version = "0.3.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" +dependencies = [ + "libc", + "windows-sys 0.61.2", +] + +[[package]] +name = "fastrand" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" + +[[package]] +name = "filetime" +version = "0.2.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f98844151eee8917efc50bd9e8318cb963ae8b297431495d3f758616ea5c57db" +dependencies = [ + "cfg-if", + "libc", + "libredox", +] + +[[package]] +name = "find-msvc-tools" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" + +[[package]] +name = "foldhash" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" + +[[package]] +name = "form_urlencoded" +version = "1.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf" +dependencies = [ + "percent-encoding", +] + +[[package]] +name = "getopts" +version = "0.2.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cfe4fbac503b8d1f88e6676011885f34b7174f46e59956bba534ba83abded4df" +dependencies = [ + "unicode-width", +] + +[[package]] +name = "getrandom" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" +dependencies = [ + "cfg-if", + "libc", + "wasi", +] + +[[package]] +name = "getrandom" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd" +dependencies = [ + "cfg-if", + "libc", + "r-efi 5.3.0", + "wasip2", +] + +[[package]] +name = "getrandom" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555" +dependencies = [ + "cfg-if", + "libc", + "r-efi 6.0.0", + "wasip2", + "wasip3", +] + +[[package]] +name = "git2" +version = "0.20.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b88256088d75a56f8ecfa070513a775dd9107f6530ef14919dac831af9cfe2b" +dependencies = [ + "bitflags", + "libc", + "libgit2-sys", + "log", + "openssl-probe", + "openssl-sys", + "url", +] + +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash", +] + +[[package]] +name = "hashbrown" +version = "0.16.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" + +[[package]] +name = "heck" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" + +[[package]] +name = "hermit-abi" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c" + +[[package]] +name = "home" +version = "0.5.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d" +dependencies = [ + "windows-sys 0.61.2", +] + +[[package]] +name = "icu_collections" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c" +dependencies = [ + "displaydoc", + "potential_utf", + "utf8_iter", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locale_core" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_normalizer" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4" +dependencies = [ + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38" + +[[package]] +name = "icu_properties" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de" +dependencies = [ + "icu_collections", + "icu_locale_core", + "icu_properties_data", + "icu_provider", + "zerotrie", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14" + +[[package]] +name = "icu_provider" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421" +dependencies = [ + "displaydoc", + "icu_locale_core", + "writeable", + "yoke", + "zerofrom", + "zerotrie", + "zerovec", +] + +[[package]] +name = "id-arena" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954" + +[[package]] +name = "idna" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de" +dependencies = [ + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344" +dependencies = [ + "icu_normalizer", + "icu_properties", +] + +[[package]] +name = "indexmap" +version = "2.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45a8a2b9cb3e0b0c1803dbb0758ffac5de2f425b23c28f518faabd9d805342ff" +dependencies = [ + "equivalent", + "hashbrown 0.16.1", + "serde", + "serde_core", +] + +[[package]] +name = "is_terminal_polyfill" +version = "1.70.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695" + +[[package]] +name = "itoa" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682" + +[[package]] +name = "jiff" +version = "0.2.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a3546dc96b6d42c5f24902af9e2538e82e39ad350b0c766eb3fbf2d8f3d8359" +dependencies = [ + "jiff-static", + "log", + "portable-atomic", + "portable-atomic-util", + "serde_core", +] + +[[package]] +name = "jiff-static" +version = "0.2.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2a8c8b344124222efd714b73bb41f8b5120b27a7cc1c75593a6ff768d9d05aa4" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "jobserver" +version = "0.1.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33" +dependencies = [ + "getrandom 0.3.4", + "libc", +] + +[[package]] +name = "lazy_static" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" + +[[package]] +name = "leb128fmt" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" + +[[package]] +name = "libc" +version = "0.2.184" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48f5d2a454e16a5ea0f4ced81bd44e4cfc7bd3a507b61887c99fd3538b28e4af" + +[[package]] +name = "libgit2-sys" +version = "0.18.3+1.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9b3acc4b91781bb0b3386669d325163746af5f6e4f73e6d2d630e09a35f3487" +dependencies = [ + "cc", + "libc", + "libssh2-sys", + "libz-sys", + "openssl-sys", + "pkg-config", +] + +[[package]] +name = "libredox" +version = "0.1.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7ddbf48fd451246b1f8c2610bd3b4ac0cc6e149d89832867093ab69a17194f08" +dependencies = [ + "bitflags", + "libc", + "plain", + "redox_syscall", +] + +[[package]] +name = "libssh2-sys" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "220e4f05ad4a218192533b300327f5150e809b54c4ec83b5a1d91833601811b9" +dependencies = [ + "cc", + "libc", + "libz-sys", + "openssl-sys", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "libz-sys" +version = "1.1.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc3a226e576f50782b3305c5ccf458698f92798987f551c6a02efe8276721e22" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "linux-raw-sys" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" + +[[package]] +name = "litemap" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0" + +[[package]] +name = "log" +version = "0.4.29" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" + +[[package]] +name = "memchr" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" + +[[package]] +name = "miow" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "536bfad37a309d62069485248eeaba1e8d9853aaf951caaeaed0585a95346f08" +dependencies = [ + "windows-sys 0.61.2", +] + +[[package]] +name = "num_cpus" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b" +dependencies = [ + "hermit-abi", + "libc", +] + +[[package]] +name = "once_cell" +version = "1.21.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50" + +[[package]] +name = "once_cell_polyfill" +version = "1.70.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe" + +[[package]] +name = "openssl-probe" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" + +[[package]] +name = "openssl-sys" +version = "0.9.112" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "57d55af3b3e226502be1526dfdba67ab0e9c96fc293004e79576b2b9edb0dbdb" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + +[[package]] +name = "paste" +version = "1.0.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" + +[[package]] +name = "percent-encoding" +version = "2.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" + +[[package]] +name = "pin-project-lite" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" + +[[package]] +name = "pkg-config" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" + +[[package]] +name = "plain" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6" + +[[package]] +name = "portable-atomic" +version = "1.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" + +[[package]] +name = "portable-atomic-util" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "091397be61a01d4be58e7841595bd4bfedb15f1cd54977d79b8271e94ed799a3" +dependencies = [ + "portable-atomic", +] + +[[package]] +name = "potential_utf" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0103b1cef7ec0cf76490e969665504990193874ea05c85ff9bab8b911d0a0564" +dependencies = [ + "zerovec", +] + +[[package]] +name = "prettyplease" +version = "0.2.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" +dependencies = [ + "proc-macro2", + "syn", +] + +[[package]] +name = "proc-macro2" +version = "1.0.106" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + +[[package]] +name = "r-efi" +version = "6.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" + +[[package]] +name = "redox_syscall" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce70a74e890531977d37e532c34d45e9055d2409ed08ddba14529471ed0be16" +dependencies = [ + "bitflags", +] + +[[package]] +name = "redox_users" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43" +dependencies = [ + "getrandom 0.2.17", + "libredox", + "thiserror 1.0.69", +] + +[[package]] +name = "regex" +version = "1.12.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" + +[[package]] +name = "rustfix" +version = "0.8.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82fa69b198d894d84e23afde8e9ab2af4400b2cba20d6bf2b428a8b01c222c5a" +dependencies = [ + "serde", + "serde_json", + "thiserror 1.0.69", + "tracing", +] + +[[package]] +name = "rustix" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys", + "windows-sys 0.61.2", +] + +[[package]] +name = "rustversion" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" + +[[package]] +name = "semver" +version = "1.0.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd" +dependencies = [ + "serde", + "serde_core", +] + +[[package]] +name = "serde" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" +dependencies = [ + "serde_core", + "serde_derive", +] + +[[package]] +name = "serde_core" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.149" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86" +dependencies = [ + "itoa", + "memchr", + "serde", + "serde_core", + "zmij", +] + +[[package]] +name = "serde_spanned" +version = "1.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6662b5879511e06e8999a8a235d848113e942c9124f211511b16466ee2995f26" +dependencies = [ + "serde_core", +] + +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + +[[package]] +name = "smallvec" +version = "1.15.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" + +[[package]] +name = "stable_deref_trait" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" + +[[package]] +name = "syn" +version = "2.0.117" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "synstructure" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tar" +version = "0.4.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973" +dependencies = [ + "filetime", + "libc", + "xattr", +] + +[[package]] +name = "tempfile" +version = "3.27.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd" +dependencies = [ + "fastrand", + "getrandom 0.4.2", + "once_cell", + "rustix", + "windows-sys 0.61.2", +] + +[[package]] +name = "term" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f" +dependencies = [ + "dirs-next", + "rustversion", + "winapi", +] + +[[package]] +name = "tester" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "89e8bf7e0eb2dd7b4228cc1b6821fc5114cd6841ae59f652a85488c016091e5f" +dependencies = [ + "cfg-if", + "getopts", + "libc", + "num_cpus", + "term", +] + +[[package]] +name = "thiserror" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52" +dependencies = [ + "thiserror-impl 1.0.69", +] + +[[package]] +name = "thiserror" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" +dependencies = [ + "thiserror-impl 2.0.18", +] + +[[package]] +name = "thiserror-impl" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tinystr" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d" +dependencies = [ + "displaydoc", + "zerovec", +] + +[[package]] +name = "toml" +version = "1.1.2+spec-1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "81f3d15e84cbcd896376e6730314d59fb5a87f31e4b038454184435cd57defee" +dependencies = [ + "indexmap", + "serde_core", + "serde_spanned", + "toml_datetime", + "toml_parser", + "toml_writer", + "winnow", +] + +[[package]] +name = "toml_datetime" +version = "1.1.1+spec-1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7" +dependencies = [ + "serde_core", +] + +[[package]] +name = "toml_parser" +version = "1.1.2+spec-1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526" +dependencies = [ + "winnow", +] + +[[package]] +name = "toml_writer" +version = "1.1.1+spec-1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "756daf9b1013ebe47a8776667b466417e2d4c5679d441c26230efd9ef78692db" + +[[package]] +name = "tracing" +version = "0.1.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100" +dependencies = [ + "pin-project-lite", + "tracing-core", +] + +[[package]] +name = "tracing-core" +version = "0.1.36" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a" +dependencies = [ + "once_cell", +] + +[[package]] +name = "unicode-ident" +version = "1.0.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" + +[[package]] +name = "unicode-width" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254" + +[[package]] +name = "unicode-xid" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" + +[[package]] +name = "url" +version = "2.5.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", + "serde", +] + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + +[[package]] +name = "utf8parse" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" + +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + +[[package]] +name = "wasi" +version = "0.11.1+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" + +[[package]] +name = "wasip2" +version = "1.0.2+wasi-0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5" +dependencies = [ + "wit-bindgen", +] + +[[package]] +name = "wasip3" +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5" +dependencies = [ + "wit-bindgen", +] + +[[package]] +name = "wasm-encoder" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319" +dependencies = [ + "leb128fmt", + "wasmparser", +] + +[[package]] +name = "wasm-metadata" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" +dependencies = [ + "anyhow", + "indexmap", + "wasm-encoder", + "wasmparser", +] + +[[package]] +name = "wasmparser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" +dependencies = [ + "bitflags", + "hashbrown 0.15.5", + "indexmap", + "semver", +] + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + +[[package]] +name = "windows-link" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" + +[[package]] +name = "windows-sys" +version = "0.59.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-sys" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc" +dependencies = [ + "windows-link", +] + +[[package]] +name = "windows-targets" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_gnullvm", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + +[[package]] +name = "winnow" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09dac053f1cd375980747450bfc7250c264eaae0583872e845c0c7cd578872b5" + +[[package]] +name = "wit-bindgen" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" +dependencies = [ + "wit-bindgen-rust-macro", +] + +[[package]] +name = "wit-bindgen-core" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc" +dependencies = [ + "anyhow", + "heck", + "wit-parser", +] + +[[package]] +name = "wit-bindgen-rust" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" +dependencies = [ + "anyhow", + "heck", + "indexmap", + "prettyplease", + "syn", + "wasm-metadata", + "wit-bindgen-core", + "wit-component", +] + +[[package]] +name = "wit-bindgen-rust-macro" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a" +dependencies = [ + "anyhow", + "prettyplease", + "proc-macro2", + "quote", + "syn", + "wit-bindgen-core", + "wit-bindgen-rust", +] + +[[package]] +name = "wit-component" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" +dependencies = [ + "anyhow", + "bitflags", + "indexmap", + "log", + "serde", + "serde_derive", + "serde_json", + "wasm-encoder", + "wasm-metadata", + "wasmparser", + "wit-parser", +] + +[[package]] +name = "wit-parser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" +dependencies = [ + "anyhow", + "id-arena", + "indexmap", + "log", + "semver", + "serde", + "serde_derive", + "serde_json", + "unicode-xid", + "wasmparser", +] + +[[package]] +name = "writeable" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4" + +[[package]] +name = "xattr" +version = "1.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32e45ad4206f6d2479085147f02bc2ef834ac85886624a23575ae137c8aa8156" +dependencies = [ + "libc", + "rustix", +] + +[[package]] +name = "yoke" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca" +dependencies = [ + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zerofrom" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11532158c46691caf0f2593ea8358fed6bbf68a0315e80aae9bd41fbade684a1" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zerotrie" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", +] + +[[package]] +name = "zerovec" +version = "0.11.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.11.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zmij" +version = "1.0.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" diff --git a/dylints/ban_std_pathbuf/Cargo.toml b/dylints/ban_std_pathbuf/Cargo.toml new file mode 100644 index 00000000..b99b3c81 --- /dev/null +++ b/dylints/ban_std_pathbuf/Cargo.toml @@ -0,0 +1,26 @@ +[package] +name = "ban_std_pathbuf" +# 2026-06-15: bumped to bust the dylint .so cache when allowlist.txt +# changes. setup-soldr's dylint-cache key hashes the manifest but not +# src/allowlist.txt, so a content-only change to the allowlist does +# not invalidate the cached compiled plugin and the OLD allowlist +# stays in effect. +version = "0.2.0" +description = "Ban std::path::PathBuf outside the legacy allowlist" +edition = "2021" +publish = false + +[lib] +crate-type = ["cdylib"] + +[dependencies] +# `5.0.0` on crates.io predates the 2026-03-18 rustc_session layout change +# used by newer nightlies / Rust 1.94-era toolchains. Track the upstream +# compatibility fix until a newer crates.io release is available. +dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[dev-dependencies] +dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[package.metadata.rust-analyzer] +rustc_private = true diff --git a/dylints/ban_std_pathbuf/README.md b/dylints/ban_std_pathbuf/README.md new file mode 100644 index 00000000..31a2042a --- /dev/null +++ b/dylints/ban_std_pathbuf/README.md @@ -0,0 +1,26 @@ +# `ban_std_pathbuf` + +This lint bans `std::path::PathBuf` in workspace code and directs developers to +`fbuild_core::path::NormalizedPath` instead. + +## Why + +Raw `PathBuf` values don't carry fbuild's normalization invariant, which has +caused Windows-only cache-key and watcher mismatches in the past +(FastLED/fbuild#436, #437, #282). `NormalizedPath` does the normalization once +at construction time and caches the hash key, so two paths that point at the +same file always compare equal and hash equal regardless of how the caller +spelled them. + +## Rollout + +The lint is ON and denies new `PathBuf` usage by default. The repository still +has legacy `PathBuf` call sites; those files are listed in `src/allowlist.txt`. +New files are denied. Remove files from the allowlist as migrations land — the +target state is zero entries. + +## See also + +- FastLED/fbuild#826 — the dylint sweep tracking issue +- FastLED/fbuild#436 / #437 / #282 — the Windows path-normalization bugs that + motivated `NormalizedPath` diff --git a/dylints/ban_std_pathbuf/rust-toolchain.toml b/dylints/ban_std_pathbuf/rust-toolchain.toml new file mode 100644 index 00000000..3b6ccbe8 --- /dev/null +++ b/dylints/ban_std_pathbuf/rust-toolchain.toml @@ -0,0 +1,3 @@ +[toolchain] +channel = "nightly-2026-03-26" +components = ["llvm-tools-preview", "rust-src", "rustc-dev"] diff --git a/dylints/ban_std_pathbuf/src/README.md b/dylints/ban_std_pathbuf/src/README.md new file mode 100644 index 00000000..2516d8d6 --- /dev/null +++ b/dylints/ban_std_pathbuf/src/README.md @@ -0,0 +1,9 @@ +# ban_std_pathbuf — sources + +- `lib.rs` — late-pass visitor that fires on `std::path::PathBuf` type + references and `PathBuf::*` associated-function references. +- `allowlist.txt` — newline-separated tail-suffix matches for source files + that pre-date the lint and still use raw `PathBuf`. Remove entries as + call sites migrate to `fbuild_core::path::NormalizedPath`. + +See the parent directory's `README.md` for the user-facing rationale. diff --git a/dylints/ban_std_pathbuf/src/allowlist.txt b/dylints/ban_std_pathbuf/src/allowlist.txt new file mode 100644 index 00000000..81a96aea --- /dev/null +++ b/dylints/ban_std_pathbuf/src/allowlist.txt @@ -0,0 +1,212 @@ +# Each non-empty, non-comment line is matched against the tail of each +# source file path (slashes normalized to /). Use forward-slash paths +# only — the lint normalizes \ to / before matching. +# +# Rollout strategy: +# - The lint is ON and denies new `std::path::PathBuf` usage by +# default. +# - This file lists the *legacy* call sites that existed when the +# lint was first enabled (FastLED/fbuild#826 / #436 / #437 / #282 +# and friends). They are exempted so the lint can land without a +# repo-wide migration. +# - New files MUST NOT be added here. The target state is zero +# entries — remove files from this list as their `PathBuf` usage +# is migrated to `fbuild_core::path::NormalizedPath`. +# - If a NEW file legitimately needs raw `PathBuf` (clap parsers, +# pyo3 boundary, FFI), open an issue first and add the entry with +# an inline justification comment. + +bench/fastled-examples/src/main.rs +crates/fbuild-build/src/apollo3/orchestrator.rs +crates/fbuild-build/src/avr/avr_compiler.rs +crates/fbuild-build/src/avr/avr_linker.rs +crates/fbuild-build/src/avr/orchestrator.rs +crates/fbuild-build/src/build_fingerprint/fast_path.rs +crates/fbuild-build/src/build_fingerprint/mod.rs +crates/fbuild-build/src/build_info.rs +crates/fbuild-build/src/ch32v/ch32v_compiler.rs +crates/fbuild-build/src/ch32v/ch32v_linker.rs +crates/fbuild-build/src/ch32v/orchestrator.rs +crates/fbuild-build/src/compile_database/clang.rs +crates/fbuild-build/src/compile_database/database.rs +crates/fbuild-build/src/compile_database/generate.rs +crates/fbuild-build/src/compile_database/tests/clang.rs +crates/fbuild-build/src/compile_database/tests/generate.rs +crates/fbuild-build/src/compile_database/tests/mod.rs +crates/fbuild-build/src/compile_many.rs +crates/fbuild-build/src/compiler.rs +crates/fbuild-build/src/compiler_tests.rs +crates/fbuild-build/src/esp32/esp32_compiler.rs +crates/fbuild-build/src/esp32/esp32_linker.rs +crates/fbuild-build/src/esp32/orchestrator/build.rs +crates/fbuild-build/src/esp32/orchestrator/embed.rs +crates/fbuild-build/src/esp32/orchestrator/embed_stage.rs +crates/fbuild-build/src/esp32/orchestrator/framework_libs.rs +crates/fbuild-build/src/esp32/orchestrator/helpers.rs +crates/fbuild-build/src/esp32/orchestrator/local_libs.rs +crates/fbuild-build/src/esp32/orchestrator/tests.rs +crates/fbuild-build/src/esp8266/esp8266_compiler.rs +crates/fbuild-build/src/esp8266/esp8266_linker.rs +crates/fbuild-build/src/flag_overlay.rs +crates/fbuild-build/src/framework_core_cache.rs +crates/fbuild-build/src/framework_libs.rs +crates/fbuild-build/src/generic_arm/arm_compiler.rs +crates/fbuild-build/src/generic_arm/arm_linker.rs +crates/fbuild-build/src/lib.rs +crates/fbuild-build/src/linker.rs +crates/fbuild-build/src/nrf52/nrf52_compiler.rs +crates/fbuild-build/src/nrf52/nrf52_linker.rs +crates/fbuild-build/src/nrf52/orchestrator.rs +crates/fbuild-build/src/nxplpc/orchestrator.rs +crates/fbuild-build/src/parallel.rs +crates/fbuild-build/src/pipeline/compile.rs +crates/fbuild-build/src/pipeline/context.rs +crates/fbuild-build/src/pipeline/library.rs +crates/fbuild-build/src/pipeline/link.rs +crates/fbuild-build/src/pipeline/project_discovery.rs +crates/fbuild-build/src/pipeline/sequential.rs +crates/fbuild-build/src/renesas/orchestrator.rs +crates/fbuild-build/src/renesas/renesas_compiler.rs +crates/fbuild-build/src/renesas/renesas_linker.rs +crates/fbuild-build/src/rp2040/orchestrator.rs +crates/fbuild-build/src/sam/orchestrator.rs +crates/fbuild-build/src/sam/sam_compiler.rs +crates/fbuild-build/src/sam/sam_linker.rs +crates/fbuild-build/src/shrink/probe.rs +crates/fbuild-build/src/silabs/orchestrator.rs +crates/fbuild-build/src/silabs/silabs_compiler.rs +crates/fbuild-build/src/silabs/silabs_linker.rs +crates/fbuild-build/src/source_scanner.rs +crates/fbuild-build/src/source_scanner/tests.rs +crates/fbuild-build/src/stm32/orchestrator/arduino_mbed.rs +crates/fbuild-build/src/stm32/orchestrator/includes.rs +crates/fbuild-build/src/symbol_analyzer/mod.rs +crates/fbuild-build/src/symbol_analyzer/tests.rs +crates/fbuild-build/src/teensy/orchestrator.rs +crates/fbuild-build/src/teensy/teensy_compiler.rs +crates/fbuild-build/src/teensy/teensy_linker.rs +crates/fbuild-build/src/zccache.rs +crates/fbuild-build/src/zccache_embedded.rs +crates/fbuild-build/tests/avr_build.rs +crates/fbuild-build/tests/cache_survives_tar_extract.rs +crates/fbuild-build/tests/compile_many_stage2_perf.rs +crates/fbuild-build/tests/compile_many_two_stage.rs +crates/fbuild-build/tests/esp32_build.rs +crates/fbuild-build/tests/flag_escaping_lint.rs +crates/fbuild-build/tests/nxplpc_build_flags.rs +crates/fbuild-build/tests/nxplpc_core_compile_commands.rs +crates/fbuild-build/tests/stm32_acceptance.rs +crates/fbuild-build/tests/teensy_build.rs +crates/fbuild-build/tests/teensylc_acceptance.rs +crates/fbuild-cli/src/cli/bloat_lookup.rs +crates/fbuild-cli/src/cli/clang_tools.rs +crates/fbuild-cli/src/cli/compile_many.rs +crates/fbuild-cli/src/cli/daemon_cmd.rs +crates/fbuild-cli/src/cli/graph_cmd.rs +crates/fbuild-cli/src/cli/lnk.rs +crates/fbuild-cli/src/cli/pio.rs +crates/fbuild-cli/src/cli/port_scan.rs +crates/fbuild-cli/src/cli/symbols_cmd.rs +crates/fbuild-cli/src/lib_select.rs +crates/fbuild-config/src/bin/enrich_boards.rs +crates/fbuild-config/src/board/methods.rs +crates/fbuild-config/src/board/tests.rs +crates/fbuild-config/src/ini_parser/mod.rs +crates/fbuild-core/src/emulator.rs +crates/fbuild-core/src/path.rs +crates/fbuild-core/src/response_file.rs +crates/fbuild-core/src/usb/data.rs +crates/fbuild-daemon/src/broker/service.rs +crates/fbuild-daemon/src/context.rs +crates/fbuild-daemon/src/handlers/emulator/avr8js_deploy.rs +crates/fbuild-daemon/src/handlers/emulator/avr8js_npm.rs +crates/fbuild-daemon/src/handlers/emulator/qemu_deploy.rs +crates/fbuild-daemon/src/handlers/emulator/runners.rs +crates/fbuild-daemon/src/handlers/emulator/select.rs +crates/fbuild-daemon/src/handlers/emulator/shared.rs +crates/fbuild-daemon/src/handlers/emulator/tests_process.rs +crates/fbuild-daemon/src/handlers/locks.rs +crates/fbuild-daemon/src/handlers/operations/build.rs +crates/fbuild-daemon/src/handlers/operations/common.rs +crates/fbuild-daemon/src/handlers/operations/deploy.rs +crates/fbuild-daemon/src/handlers/operations/install_deps.rs +crates/fbuild-daemon/src/status_manager.rs +crates/fbuild-daemon/src/watch_set_cache.rs +crates/fbuild-deploy/src/avr.rs +crates/fbuild-deploy/src/esp32/qemu.rs +crates/fbuild-deploy/src/esp32/tests.rs +crates/fbuild-deploy/src/esp32_native/tests.rs +crates/fbuild-deploy/src/esp32_native/types.rs +crates/fbuild-deploy/src/lpc.rs +crates/fbuild-deploy/src/size_check.rs +crates/fbuild-deploy/src/teensy/flash.rs +crates/fbuild-deploy/src/teensy/mod.rs +crates/fbuild-header-scan/src/walker.rs +crates/fbuild-library-select/benches/resolve_cold.rs +crates/fbuild-library-select/benches/resolve_warm.rs +crates/fbuild-library-select/src/cache.rs +crates/fbuild-library-select/src/lib.rs +crates/fbuild-library-select/tests/teensy41_ldf_diag.rs +crates/fbuild-packages/src/cache.rs +crates/fbuild-packages/src/disk_cache/gc.rs +crates/fbuild-packages/src/disk_cache/index/mod.rs +crates/fbuild-packages/src/disk_cache/mod.rs +crates/fbuild-packages/src/disk_cache/paths.rs +crates/fbuild-packages/src/downloader.rs +crates/fbuild-packages/src/install_lock.rs +crates/fbuild-packages/src/lib.rs +crates/fbuild-packages/src/library/apollo3_core.rs +crates/fbuild-packages/src/library/arduino_api.rs +crates/fbuild-packages/src/library/arduino_core.rs +crates/fbuild-packages/src/library/arduino_core_lpc8xx.rs +crates/fbuild-packages/src/library/arduino_mbed_core.rs +crates/fbuild-packages/src/library/attiny_core.rs +crates/fbuild-packages/src/library/avr_framework.rs +crates/fbuild-packages/src/library/ch32v_core.rs +crates/fbuild-packages/src/library/cmsis_atmel.rs +crates/fbuild-packages/src/library/cmsis_framework.rs +crates/fbuild-packages/src/library/esp32_framework/fs_utils.rs +crates/fbuild-packages/src/library/esp32_framework/libs.rs +crates/fbuild-packages/src/library/esp32_framework/mod.rs +crates/fbuild-packages/src/library/esp32_framework/parsing.rs +crates/fbuild-packages/src/library/esp32_framework/paths.rs +crates/fbuild-packages/src/library/esp32_framework/sdk_paths.rs +crates/fbuild-packages/src/library/esp32_platform.rs +crates/fbuild-packages/src/library/esp8266_framework.rs +crates/fbuild-packages/src/library/framework_library.rs +crates/fbuild-packages/src/library/library_compiler.rs +crates/fbuild-packages/src/library/library_downloader.rs +crates/fbuild-packages/src/library/library_info.rs +crates/fbuild-packages/src/library/library_manager.rs +crates/fbuild-packages/src/library/nrf52_core.rs +crates/fbuild-packages/src/library/renesas_core.rs +crates/fbuild-packages/src/library/rp2040_core.rs +crates/fbuild-packages/src/library/sam_core.rs +crates/fbuild-packages/src/library/samd_core.rs +crates/fbuild-packages/src/library/silabs_core.rs +crates/fbuild-packages/src/library/stm32_core.rs +crates/fbuild-packages/src/library/teensy_core.rs +crates/fbuild-packages/src/lnk/embed.rs +crates/fbuild-packages/src/lnk/materialize.rs +crates/fbuild-packages/src/lnk/resolver.rs +crates/fbuild-packages/src/lnk/scanner.rs +crates/fbuild-packages/src/toolchain/arm.rs +crates/fbuild-packages/src/toolchain/arm_gcc8.rs +crates/fbuild-packages/src/toolchain/avr.rs +crates/fbuild-packages/src/toolchain/clang.rs +crates/fbuild-packages/src/toolchain/esp32.rs +crates/fbuild-packages/src/toolchain/esp32_metadata.rs +crates/fbuild-packages/src/toolchain/esp8266.rs +crates/fbuild-packages/src/toolchain/esp_qemu.rs +crates/fbuild-packages/src/toolchain/riscv.rs +crates/fbuild-packages/src/toolchain/rp2040_pqt.rs +crates/fbuild-packages/src/toolchain/teensy_arm.rs +crates/fbuild-packages/tests/disk_cache_schema_migration.rs +crates/fbuild-packages/tests/lnk_e2e.rs +crates/fbuild-paths/src/lib.rs +crates/fbuild-paths/src/running_process.rs +crates/fbuild-python/src/daemon.rs +crates/fbuild-serial/src/crash_decoder.rs +crates/fbuild-serial/src/session.rs +crates/fbuild-test-support/src/compile_db.rs +crates/fbuild-test-support/src/mini_framework.rs diff --git a/dylints/ban_std_pathbuf/src/lib.rs b/dylints/ban_std_pathbuf/src/lib.rs new file mode 100644 index 00000000..6cca54e1 --- /dev/null +++ b/dylints/ban_std_pathbuf/src/lib.rs @@ -0,0 +1,236 @@ +#![feature(rustc_private)] + +extern crate rustc_errors; +extern crate rustc_hir; +extern crate rustc_span; + +use rustc_errors::DiagDecorator; +use rustc_hir::{def::Res, AmbigArg, Expr, ExprKind, Ty, TyKind}; +use rustc_lint::{LateContext, LateLintPass, LintContext}; +use rustc_span::{symbol::Symbol, FileName, RemapPathScopeComponents}; + +dylint_linting::declare_late_lint! { + /// ### What it does + /// + /// Bans `std::path::PathBuf` outside the explicit legacy allowlist. + /// + /// ### Why is this bad? + /// + /// Raw `PathBuf` values do not carry fbuild's normalization invariant, which + /// has caused Windows-only cache key and watcher mismatches (FastLED/fbuild#436, + /// #437, #282). + /// + /// ### Known problems + /// + /// The workspace still has legacy `PathBuf` call sites. Those files are + /// temporarily allowlisted and should be removed from the allowlist as they are + /// migrated. + /// + /// ### Example + /// + /// ```rust + /// use std::path::PathBuf; + /// + /// let path = PathBuf::from("src/foo.c"); + /// ``` + /// + /// Use instead: + /// + /// ```rust + /// use fbuild_core::path::NormalizedPath; + /// + /// let path = NormalizedPath::new("src/foo.c"); + /// ``` + pub BAN_STD_PATHBUF, + Deny, + "ban std::path::PathBuf outside the legacy allowlist" +} + +const PATHBUF_DEF_PATH: &[&str] = &["std", "path", "PathBuf"]; +const ALLOWLIST: &str = include_str!("allowlist.txt"); + +impl<'tcx> LateLintPass<'tcx> for BanStdPathbuf { + fn check_ty(&mut self, cx: &LateContext<'tcx>, ty: &'tcx Ty<'tcx, AmbigArg>) { + if is_allowlisted(cx, ty.span) { + return; + } + + if let TyKind::Path(qpath) = ty.kind { + let res = cx.qpath_res(&qpath, ty.hir_id); + if res_is_pathbuf(cx, res) { + emit_lint(cx, ty.span); + } + } + } + + fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) { + if is_allowlisted(cx, expr.span) { + return; + } + + if let ExprKind::Path(qpath) = expr.kind { + let res = cx.qpath_res(&qpath, expr.hir_id); + if res_is_pathbuf_assoc(cx, res) { + emit_lint(cx, expr.span); + } + } + } +} + +fn emit_lint(cx: &LateContext<'_>, span: rustc_span::Span) { + cx.opt_span_lint( + BAN_STD_PATHBUF, + Some(span), + DiagDecorator(|diag| { + diag.primary_message( + "use fbuild_core::path::NormalizedPath instead of std::path::PathBuf", + ); + }), + ); +} + +fn is_allowlisted(cx: &LateContext<'_>, span: rustc_span::Span) -> bool { + let filename = match cx.sess().source_map().span_to_filename(span) { + FileName::Real(real_filename) => real_filename + .local_path() + .map(|path| path.to_string_lossy().into_owned()) + .unwrap_or_else(|| { + real_filename + .path(RemapPathScopeComponents::DIAGNOSTICS) + .to_string_lossy() + .into_owned() + }), + filename => filename + .display(RemapPathScopeComponents::DIAGNOSTICS) + .to_string(), + }; + let normalized = normalize_slashes(&filename); + ALLOWLIST + .lines() + .map(str::trim) + .filter(|line| !line.is_empty() && !line.starts_with('#')) + .any(|allowed| normalized.ends_with(allowed)) +} + +fn normalize_slashes(path: &str) -> String { + path.replace('\\', "/") +} + +fn res_is_pathbuf(cx: &LateContext<'_>, res: Res) -> bool { + match res { + Res::Def(_, def_id) => def_path_starts_with(cx, def_id, PATHBUF_DEF_PATH), + _ => false, + } +} + +fn res_is_pathbuf_assoc(cx: &LateContext<'_>, res: Res) -> bool { + match res { + Res::Def(_, def_id) => { + let def_path = cx.get_def_path(def_id); + def_path.len() > PATHBUF_DEF_PATH.len() + && def_path + .iter() + .take(PATHBUF_DEF_PATH.len()) + .zip(PATHBUF_DEF_PATH.iter()) + .all(|(actual, expected)| *actual == Symbol::intern(expected)) + } + _ => false, + } +} + +fn def_path_starts_with( + cx: &LateContext<'_>, + def_id: rustc_hir::def_id::DefId, + prefix: &[&str], +) -> bool { + let def_path = cx.get_def_path(def_id); + def_path.len() >= prefix.len() + && def_path + .iter() + .take(prefix.len()) + .zip(prefix.iter()) + .all(|(actual, expected)| *actual == Symbol::intern(expected)) +} + +#[cfg(test)] +struct CurrentDirGuard(std::path::PathBuf); + +#[cfg(test)] +impl CurrentDirGuard { + fn set(path: &std::path::Path) -> Self { + let previous = std::env::current_dir().expect("current dir should be readable"); + std::env::set_current_dir(path).expect("current dir should switch to manifest dir"); + Self(previous) + } +} + +#[cfg(test)] +fn prepare_dylint_library() { + let manifest_dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")); + let status = std::process::Command::new("cargo") + .arg("build") + .current_dir(manifest_dir) + .status() + .expect("cargo build should start"); + assert!(status.success(), "cargo build should succeed"); + + let toolchain = std::env::var("RUSTUP_TOOLCHAIN").expect("RUSTUP_TOOLCHAIN should be set"); + let library_name = env!("CARGO_PKG_NAME").replace('-', "_"); + let target_debug = manifest_dir.join("target").join("debug"); + let expected = target_debug.join(format!( + "{}{}@{}{}", + std::env::consts::DLL_PREFIX, + library_name, + toolchain, + std::env::consts::DLL_SUFFIX + )); + if expected.exists() { + return; + } + + let plain = target_debug.join(format!( + "{}{}{}", + std::env::consts::DLL_PREFIX, + library_name, + std::env::consts::DLL_SUFFIX + )); + if plain.exists() { + std::fs::copy(&plain, &expected) + .expect("toolchain-suffixed dylint library should be copied"); + return; + } + + let deps_dir = target_debug.join("deps"); + for entry in std::fs::read_dir(&deps_dir).expect("deps dir should be readable") { + let path = entry.expect("deps entry should be readable").path(); + let Some(name) = path.file_name().and_then(|value| value.to_str()) else { + continue; + }; + if name.starts_with(&format!("{}{}", std::env::consts::DLL_PREFIX, library_name)) + && name.ends_with(std::env::consts::DLL_SUFFIX) + { + std::fs::copy(&path, &expected) + .expect("hashed dylint library should be copied to the expected filename"); + return; + } + } + + panic!( + "could not find a built dylint library to copy into {}", + expected.display() + ); +} + +#[cfg(test)] +impl Drop for CurrentDirGuard { + fn drop(&mut self) { + std::env::set_current_dir(&self.0).expect("current dir should be restored"); + } +} + +#[test] +fn ui() { + let _guard = CurrentDirGuard::set(std::path::Path::new(env!("CARGO_MANIFEST_DIR"))); + prepare_dylint_library(); + dylint_testing::ui_test(env!("CARGO_PKG_NAME"), "ui"); +} diff --git a/dylints/ban_std_pathbuf/ui/disallowed.rs b/dylints/ban_std_pathbuf/ui/disallowed.rs new file mode 100644 index 00000000..e12cb3e4 --- /dev/null +++ b/dylints/ban_std_pathbuf/ui/disallowed.rs @@ -0,0 +1,5 @@ +use std::path::PathBuf; + +fn main() { + let _path: PathBuf = PathBuf::from("src/foo.c"); +} diff --git a/dylints/ban_std_pathbuf/ui/disallowed.stderr b/dylints/ban_std_pathbuf/ui/disallowed.stderr new file mode 100644 index 00000000..17b2904b --- /dev/null +++ b/dylints/ban_std_pathbuf/ui/disallowed.stderr @@ -0,0 +1,16 @@ +error: use fbuild_core::path::NormalizedPath instead of std::path::PathBuf + --> $DIR/disallowed.rs:4:26 + | +LL | let _path: PathBuf = PathBuf::from("src/foo.c"); + | ^^^^^^^ + | + = note: `#[deny(ban_std_pathbuf)]` on by default + +error: use fbuild_core::path::NormalizedPath instead of std::path::PathBuf + --> $DIR/disallowed.rs:4:16 + | +LL | let _path: PathBuf = PathBuf::from("src/foo.c"); + | ^^^^^^^ + +error: aborting due to 2 previous errors + diff --git a/dylints/ban_unrooted_tempdir/Cargo.toml b/dylints/ban_unrooted_tempdir/Cargo.toml new file mode 100644 index 00000000..c3746983 --- /dev/null +++ b/dylints/ban_unrooted_tempdir/Cargo.toml @@ -0,0 +1,23 @@ +[package] +name = "ban_unrooted_tempdir" +# 2026-06-15: bumped to bust the dylint .so cache when allowlist.txt +# changes — see ban_std_pathbuf for the same workaround rationale. +version = "0.2.0" +description = "Ban tempdir/temp_dir calls that aren't rooted under fbuild's cache dir" +edition = "2021" +publish = false + +[lib] +crate-type = ["cdylib"] + +[dependencies] +# Match the dylint_linting pin used by ban_std_pathbuf — same toolchain, same +# upstream commit until a crates.io release ships the post-2026-03-18 +# rustc_session fix. +dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[dev-dependencies] +dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[package.metadata.rust-analyzer] +rustc_private = true diff --git a/dylints/ban_unrooted_tempdir/README.md b/dylints/ban_unrooted_tempdir/README.md new file mode 100644 index 00000000..72388e1a --- /dev/null +++ b/dylints/ban_unrooted_tempdir/README.md @@ -0,0 +1,39 @@ +# `ban_unrooted_tempdir` + +This lint bans calls that create scratch directories or files under the OS +temp dir (`$TMPDIR` / `%TEMP%`) and steers production code toward paths +rooted under fbuild's user-visible cache tree (`fbuild_paths::get_cache_root()` +/ `get_fbuild_root()`). + +## Why + +Every byte fbuild writes should live under one ground-truth directory the +user can inspect, override, or clean. Scratch dirs scattered across +`$TMPDIR` are invisible to `fbuild`'s own cleanup commands and survive +process death on Windows for hours. On Windows, a temp dir on a different +volume from the destination also breaks the atomic-rename invariant that +`tempfile::NamedTempFile::persist` relies on, which silently degrades to a +copy+delete and races with concurrent readers. + +The banned APIs are: + +| Banned call | Replacement | +| ---------------------------------- | --------------------------------------------------------------------------------- | +| `std::env::temp_dir()` | `fbuild_paths::get_cache_root()` (or a named subdir under it) | +| `tempfile::tempdir()` | `tempfile::tempdir_in()` | +| `tempfile::TempDir::new()` | `tempfile::TempDir::new_in()` | +| `tempfile::NamedTempFile::new()` | `tempfile::NamedTempFile::new_in()` (atomic write) | + +The `*_in(...)` variants take an explicit path and are always allowed. + +## Rollout + +The lint is ON and denies new unrooted temp-dir usage by default. The +repository has legacy call sites that pre-date this lint; those files are +listed in `src/allowlist.txt`. Files under `tests/` and `benches/` are +blanket-allowed (they don't ship to users). The target state is zero +allowlist entries — remove files as their temp-dir usage is migrated. + +## See also + +- FastLED/fbuild#826 — the dylint sweep tracking issue diff --git a/dylints/ban_unrooted_tempdir/rust-toolchain.toml b/dylints/ban_unrooted_tempdir/rust-toolchain.toml new file mode 100644 index 00000000..3b6ccbe8 --- /dev/null +++ b/dylints/ban_unrooted_tempdir/rust-toolchain.toml @@ -0,0 +1,3 @@ +[toolchain] +channel = "nightly-2026-03-26" +components = ["llvm-tools-preview", "rust-src", "rustc-dev"] diff --git a/dylints/ban_unrooted_tempdir/src/README.md b/dylints/ban_unrooted_tempdir/src/README.md new file mode 100644 index 00000000..8567c0a9 --- /dev/null +++ b/dylints/ban_unrooted_tempdir/src/README.md @@ -0,0 +1,12 @@ +# ban_unrooted_tempdir — sources + +- `lib.rs` — late-pass `LintContext` visitor that fires on calls resolving to + one of `BANNED_FN_PATHS`. The matching list is exact (no prefix match), so + `tempfile::tempdir_in` and `tempfile::TempDir::new_in` are intentionally + not banned. +- `allowlist.txt` — newline-separated tail-suffix matches for source files + that pre-date the lint and still legitimately use the OS temp dir (mostly + tests and benches). New non-test files should never be added here. + +See the parent directory's `README.md` for the user-facing rationale and the +table of replacements. diff --git a/dylints/ban_unrooted_tempdir/src/allowlist.txt b/dylints/ban_unrooted_tempdir/src/allowlist.txt new file mode 100644 index 00000000..c0459d55 --- /dev/null +++ b/dylints/ban_unrooted_tempdir/src/allowlist.txt @@ -0,0 +1,123 @@ +# Each non-empty, non-comment line is matched against the tail of each +# source file path (slashes normalized to /). Use forward-slash paths +# only — the lint normalizes \ to / before matching. +# +# Files in `*/tests/*` and `*/benches/*` directories are blanket-allowed +# in lib.rs and do NOT need entries here. +# +# Rollout strategy: +# - The lint is ON and denies new unrooted `tempfile::tempdir()` / +# `tempfile::TempDir::new()` / `std::env::temp_dir()` / +# `tempfile::NamedTempFile::new()` usage by default. +# - This file lists the *legacy* call sites that existed when the +# lint was first enabled (FastLED/fbuild#826). They are exempted +# so the lint can land without a repo-wide migration. +# - New files MUST NOT be added here. The target state is zero +# entries — migrate each file to the `_in()` variant as you touch it. +# - If a NEW file legitimately needs raw temp dir access (diagnostic +# dumps that report the OS temp dir, dev-only helpers), open an +# issue first and add the entry with an inline justification. + +bench/fastled-examples/src/main.rs +crates/fbuild-build/src/arduino_props.rs +crates/fbuild-build/src/avr/avr_linker.rs +crates/fbuild-build/src/avr/orchestrator.rs +crates/fbuild-build/src/build_fingerprint/fast_path.rs +crates/fbuild-build/src/build_fingerprint/mod.rs +crates/fbuild-build/src/build_info.rs +crates/fbuild-build/src/ch32v/ch32v_compiler.rs +crates/fbuild-build/src/ch32v/orchestrator.rs +crates/fbuild-build/src/compile_many.rs +crates/fbuild-build/src/compiler_tests.rs +crates/fbuild-build/src/esp32/esp32_compiler.rs +crates/fbuild-build/src/esp32/esp32_linker.rs +crates/fbuild-build/src/esp32/orchestrator/tests.rs +crates/fbuild-build/src/esp8266/orchestrator.rs +crates/fbuild-build/src/framework_core_cache.rs +crates/fbuild-build/src/framework_libs.rs +crates/fbuild-build/src/linker.rs +crates/fbuild-build/src/nrf52/orchestrator.rs +crates/fbuild-build/src/nxplpc/orchestrator.rs +crates/fbuild-build/src/pipeline/library.rs +crates/fbuild-build/src/pipeline/project_discovery.rs +crates/fbuild-build/src/renesas/orchestrator.rs +crates/fbuild-build/src/renesas/renesas_compiler.rs +crates/fbuild-build/src/resolution.rs +crates/fbuild-build/src/rp2040/orchestrator.rs +crates/fbuild-build/src/sam/orchestrator.rs +crates/fbuild-build/src/script_runtime.rs +crates/fbuild-build/src/script_runtime_tests.rs +crates/fbuild-build/src/stm32/orchestrator/mod.rs +crates/fbuild-build/src/symbol_analyzer/tests.rs +crates/fbuild-build/src/teensy/orchestrator.rs +crates/fbuild-build/src/zccache.rs +crates/fbuild-cli/src/cli/clangd_config.rs +crates/fbuild-cli/src/cli/lnk.rs +crates/fbuild-cli/src/cli/port_scan.rs +crates/fbuild-cli/src/cli/symbols_cmd.rs +crates/fbuild-config/src/board/tests_project_local.rs +crates/fbuild-core/src/emulator.rs +crates/fbuild-core/src/response_file.rs +crates/fbuild-core/src/subprocess.rs +crates/fbuild-core/src/usb/data.rs +crates/fbuild-daemon/src/broker/service.rs +crates/fbuild-daemon/src/handlers/emulator/tests_npm_cache.rs +crates/fbuild-daemon/src/handlers/emulator/tests_process.rs +crates/fbuild-daemon/src/handlers/operations/tests.rs +crates/fbuild-deploy/src/avr.rs +crates/fbuild-deploy/src/esp32/tests.rs +crates/fbuild-deploy/src/esp32_native/tests.rs +crates/fbuild-deploy/src/lpc.rs +crates/fbuild-deploy/src/size_check.rs +crates/fbuild-packages/src/disk_cache/gc.rs +crates/fbuild-packages/src/disk_cache/index/tests.rs +crates/fbuild-packages/src/disk_cache/mod.rs +crates/fbuild-packages/src/disk_cache/paths.rs +crates/fbuild-packages/src/extractor.rs +crates/fbuild-packages/src/install_lock.rs +crates/fbuild-packages/src/lib.rs +crates/fbuild-packages/src/library/apollo3_core.rs +crates/fbuild-packages/src/library/arduino_api.rs +crates/fbuild-packages/src/library/arduino_core.rs +crates/fbuild-packages/src/library/arduino_core_lpc8xx.rs +crates/fbuild-packages/src/library/arduino_mbed_core.rs +crates/fbuild-packages/src/library/attiny_core.rs +crates/fbuild-packages/src/library/ch32v_core.rs +crates/fbuild-packages/src/library/cmsis_atmel.rs +crates/fbuild-packages/src/library/cmsis_framework.rs +crates/fbuild-packages/src/library/esp32_framework/libs.rs +crates/fbuild-packages/src/library/esp32_framework/tests.rs +crates/fbuild-packages/src/library/esp32_platform.rs +crates/fbuild-packages/src/library/esp8266_framework.rs +crates/fbuild-packages/src/library/framework_library.rs +crates/fbuild-packages/src/library/library_compiler.rs +crates/fbuild-packages/src/library/library_downloader.rs +crates/fbuild-packages/src/library/library_info.rs +crates/fbuild-packages/src/library/nrf52_core.rs +crates/fbuild-packages/src/library/renesas_core.rs +crates/fbuild-packages/src/library/rp2040_core.rs +crates/fbuild-packages/src/library/sam_core.rs +crates/fbuild-packages/src/library/samd_core.rs +crates/fbuild-packages/src/library/silabs_core.rs +crates/fbuild-packages/src/library/stm32_core.rs +crates/fbuild-packages/src/library/teensy_core.rs +crates/fbuild-packages/src/lnk/format.rs +crates/fbuild-packages/src/lnk/materialize.rs +crates/fbuild-packages/src/lnk/resolver.rs +crates/fbuild-packages/src/lnk/scanner.rs +crates/fbuild-packages/src/toolchain/arm.rs +crates/fbuild-packages/src/toolchain/arm_gcc8.rs +crates/fbuild-packages/src/toolchain/avr.rs +crates/fbuild-packages/src/toolchain/clang.rs +crates/fbuild-packages/src/toolchain/esp32.rs +crates/fbuild-packages/src/toolchain/esp32_metadata.rs +crates/fbuild-packages/src/toolchain/esp8266.rs +crates/fbuild-packages/src/toolchain/esp_qemu.rs +crates/fbuild-packages/src/toolchain/riscv.rs +crates/fbuild-packages/src/toolchain/rp2040_pqt.rs +crates/fbuild-packages/src/toolchain/teensy_arm.rs +crates/fbuild-python/src/daemon.rs +crates/fbuild-test-support/src/compile_db.rs +crates/fbuild-test-support/src/lib.rs +crates/fbuild-test-support/src/mini_framework.rs diff --git a/dylints/ban_unrooted_tempdir/src/lib.rs b/dylints/ban_unrooted_tempdir/src/lib.rs new file mode 100644 index 00000000..f296bcb9 --- /dev/null +++ b/dylints/ban_unrooted_tempdir/src/lib.rs @@ -0,0 +1,239 @@ +#![feature(rustc_private)] + +extern crate rustc_errors; +extern crate rustc_hir; +extern crate rustc_span; + +use rustc_errors::DiagDecorator; +use rustc_hir::{def::Res, Expr, ExprKind}; +use rustc_lint::{LateContext, LateLintPass, LintContext}; +use rustc_span::{symbol::Symbol, FileName, RemapPathScopeComponents}; + +dylint_linting::declare_late_lint! { + /// ### What it does + /// + /// Bans calls that create scratch directories/files under the OS temp + /// directory (`$TMPDIR` / `%TEMP%`) instead of under + /// `fbuild_paths::get_cache_root()` / `get_fbuild_root()`. + /// + /// ### Why is this bad? + /// + /// fbuild state should live under one ground-truth directory the user + /// can inspect or override via `FBUILD_DEV_MODE` / fbuild's own path + /// helpers. Scratch dirs scattered across `$TMPDIR` are invisible to + /// `fbuild` cleanup, survive process death on Windows for hours, and + /// on Windows specifically can sit on a different volume from the + /// destination — breaking the atomic-rename invariant that + /// `tempfile::NamedTempFile::persist` relies on. + /// + /// ### Known problems + /// + /// Legacy call sites are exempted via `src/allowlist.txt`. Migrate them + /// as you touch each file. + /// + /// ### Example + /// + /// ```rust + /// let dir = tempfile::tempdir().unwrap(); + /// ``` + /// + /// Use instead: + /// + /// ```rust + /// let root = fbuild_paths::get_cache_root().join("tmp"); + /// std::fs::create_dir_all(&root).unwrap(); + /// let dir = tempfile::tempdir_in(&root).unwrap(); + /// ``` + pub BAN_UNROOTED_TEMPDIR, + Deny, + "ban tempdir/temp_dir calls that aren't rooted under fbuild's cache dir" +} + +/// Each entry is a fully-qualified path that resolves to a banned function +/// or associated function. Matching is exact — sub-paths are not banned. +/// The `*_in(...)` variants (`tempdir_in`, `TempDir::new_in`, +/// `NamedTempFile::new_in`) are intentionally absent: they accept an +/// explicit base directory and are the recommended replacement. +const BANNED_FN_PATHS: &[&[&str]] = &[ + &["std", "env", "temp_dir"], + &["tempfile", "tempdir"], + &["tempfile", "dir", "TempDir", "new"], + &["tempfile", "TempDir", "new"], + &["tempfile", "file", "NamedTempFile", "new"], + &["tempfile", "NamedTempFile", "new"], +]; + +const ALLOWLIST: &str = include_str!("allowlist.txt"); + +impl<'tcx> LateLintPass<'tcx> for BanUnrootedTempdir { + fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) { + if is_allowlisted(cx, expr.span) { + return; + } + + if let ExprKind::Path(qpath) = expr.kind { + let res = cx.qpath_res(&qpath, expr.hir_id); + if let Res::Def(_, def_id) = res { + for banned in BANNED_FN_PATHS { + if def_path_equals(cx, def_id, banned) { + emit_lint(cx, expr.span, banned); + return; + } + } + } + } + } +} + +fn emit_lint(cx: &LateContext<'_>, span: rustc_span::Span, banned: &[&str]) { + let joined = banned.join("::"); + cx.opt_span_lint( + BAN_UNROOTED_TEMPDIR, + Some(span), + DiagDecorator(move |diag| { + diag.primary_message(format!( + "`{joined}` writes under $TMPDIR; root it under fbuild_paths::get_cache_root() (or a named subdir) and use the `_in` variant so the path lives under fbuild's user-visible cache tree" + )); + }), + ); +} + +fn is_allowlisted(cx: &LateContext<'_>, span: rustc_span::Span) -> bool { + let filename = match cx.sess().source_map().span_to_filename(span) { + FileName::Real(real_filename) => real_filename + .local_path() + .map(|path| path.to_string_lossy().into_owned()) + .unwrap_or_else(|| { + real_filename + .path(RemapPathScopeComponents::DIAGNOSTICS) + .to_string_lossy() + .into_owned() + }), + filename => filename + .display(RemapPathScopeComponents::DIAGNOSTICS) + .to_string(), + }; + let normalized = normalize_slashes(&filename); + + // Blanket-allow integration tests and benchmarks. These run on the + // developer's machine, not in the user's installed binary, so they don't + // need to land under `~/.fbuild/`. The lint is about production code + // shipping in `fbuild.exe` / `fbuild-daemon.exe`. + if normalized.contains("/tests/") || normalized.contains("/benches/") { + return true; + } + + ALLOWLIST + .lines() + .map(str::trim) + .filter(|line| !line.is_empty() && !line.starts_with('#')) + .any(|allowed| normalized.ends_with(allowed)) +} + +fn normalize_slashes(path: &str) -> String { + path.replace('\\', "/") +} + +fn def_path_equals( + cx: &LateContext<'_>, + def_id: rustc_hir::def_id::DefId, + expected: &[&str], +) -> bool { + let def_path = cx.get_def_path(def_id); + if def_path.len() != expected.len() { + return false; + } + def_path + .iter() + .zip(expected.iter()) + .all(|(actual, expected_segment)| *actual == Symbol::intern(expected_segment)) +} + +#[cfg(test)] +struct CurrentDirGuard(std::path::PathBuf); + +#[cfg(test)] +impl CurrentDirGuard { + fn set(path: &std::path::Path) -> Self { + let previous = std::env::current_dir().expect("current dir should be readable"); + std::env::set_current_dir(path).expect("current dir should switch to manifest dir"); + Self(previous) + } +} + +#[cfg(test)] +fn prepare_dylint_library() { + let manifest_dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")); + let status = std::process::Command::new("cargo") + .arg("build") + .current_dir(manifest_dir) + .status() + .expect("cargo build should start"); + assert!(status.success(), "cargo build should succeed"); + + let toolchain = std::env::var("RUSTUP_TOOLCHAIN").expect("RUSTUP_TOOLCHAIN should be set"); + let library_name = env!("CARGO_PKG_NAME").replace('-', "_"); + let target_debug = manifest_dir.join("target").join("debug"); + let expected = target_debug.join(format!( + "{}{}@{}{}", + std::env::consts::DLL_PREFIX, + library_name, + toolchain, + std::env::consts::DLL_SUFFIX + )); + if expected.exists() { + return; + } + + let plain = target_debug.join(format!( + "{}{}{}", + std::env::consts::DLL_PREFIX, + library_name, + std::env::consts::DLL_SUFFIX + )); + if plain.exists() { + std::fs::copy(&plain, &expected) + .expect("toolchain-suffixed dylint library should be copied"); + return; + } + + let deps_dir = target_debug.join("deps"); + for entry in std::fs::read_dir(&deps_dir).expect("deps dir should be readable") { + let path = entry.expect("deps entry should be readable").path(); + let Some(name) = path.file_name().and_then(|value| value.to_str()) else { + continue; + }; + if name.starts_with(&format!("{}{}", std::env::consts::DLL_PREFIX, library_name)) + && name.ends_with(std::env::consts::DLL_SUFFIX) + { + std::fs::copy(&path, &expected) + .expect("hashed dylint library should be copied to the expected filename"); + return; + } + } + + panic!( + "could not find a built dylint library to copy into {}", + expected.display() + ); +} + +#[cfg(test)] +impl Drop for CurrentDirGuard { + fn drop(&mut self) { + std::env::set_current_dir(&self.0).expect("current dir should be restored"); + } +} + +// UI test ignored until matching `.stderr` snapshots are captured locally. +// The lint behavior is exercised end-to-end by `cargo dylint --all +// --workspace` against the real workspace tree (`tests/` and `benches/` +// are blanket-allowed, the allowlist covers the legacy production sites, +// and any new violation lights up the workspace lint). +#[test] +#[ignore = "no .stderr snapshots yet — verify via `cargo dylint --all --workspace`"] +fn ui() { + let _guard = CurrentDirGuard::set(std::path::Path::new(env!("CARGO_MANIFEST_DIR"))); + prepare_dylint_library(); + dylint_testing::ui_test(env!("CARGO_PKG_NAME"), "ui"); +} diff --git a/dylints/ban_unrooted_tempdir/ui/README.md b/dylints/ban_unrooted_tempdir/ui/README.md new file mode 100644 index 00000000..1d21fcfe --- /dev/null +++ b/dylints/ban_unrooted_tempdir/ui/README.md @@ -0,0 +1,10 @@ +# UI tests + +`*.rs` here are minimal programs that exercise specific lint +behavior. For each, `dylint_testing::ui_test` compiles the file and +asserts the resulting diagnostics match the adjacent `*.stderr` snapshot. + +- `disallowed.rs` — must trigger the lint on every banned call form + (`std::env::temp_dir`, `tempfile::tempdir`, `tempfile::TempDir::new`, + `tempfile::NamedTempFile::new`). +- `allowed.rs` — the `_in(...)` variants must NOT trigger the lint. diff --git a/dylints/ban_unrooted_tempdir/ui/allowed.rs b/dylints/ban_unrooted_tempdir/ui/allowed.rs new file mode 100644 index 00000000..0d8efb0e --- /dev/null +++ b/dylints/ban_unrooted_tempdir/ui/allowed.rs @@ -0,0 +1,8 @@ +use std::path::Path; + +fn main() { + let base = Path::new("/some/configured/dir"); + let _td = tempfile::tempdir_in(base).unwrap(); + let _td2 = tempfile::TempDir::new_in(base).unwrap(); + let _nf = tempfile::NamedTempFile::new_in(base).unwrap(); +} diff --git a/dylints/ban_unrooted_tempdir/ui/disallowed.rs b/dylints/ban_unrooted_tempdir/ui/disallowed.rs new file mode 100644 index 00000000..9ba4b67d --- /dev/null +++ b/dylints/ban_unrooted_tempdir/ui/disallowed.rs @@ -0,0 +1,6 @@ +fn main() { + let _td = tempfile::tempdir().unwrap(); + let _td2 = tempfile::TempDir::new().unwrap(); + let _nf = tempfile::NamedTempFile::new().unwrap(); + let _t = std::env::temp_dir(); +} From 8b97bbe5388ae392ebb6ec0e732a9c2edee30261 Mon Sep 17 00:00:00 2001 From: zackees Date: Mon, 29 Jun 2026 10:16:12 -0700 Subject: [PATCH 2/4] dylint(826): add 3 net-new fbuild-specific lints MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add three lints that enforce fbuild's own architectural rules: - ban_direct_serialport: bans `serialport::*` references outside crates/fbuild-serial/ so the Windows USB-CDC contract stays in one place. Legacy allowlist covers fbuild-cli diagnostics, the daemon device manager, and the fbuild-deploy bootloader paths. - ban_file_based_locks: bans `OpenOptions::create_new(true)`, the `fs2::FileExt` API, and `libc::flock` / `nix::flock`. Allowlist is empty — fbuild has no file-based locks per CLAUDE.md "Key Constraints"; this locks the invariant in. - ban_deploy_tool_direct_invocation: bans `Command::new("esptool" | "esptool.py" | "avrdude" | "picotool" | "dfu-util" | "pyocd")` outside crates/fbuild-deploy/. Pattern-matches the binary-name string literal; complements ban_raw_subprocess (which scopes by spawn shape, not binary). All three follow the ban_raw_subprocess skeleton: pinned nightly, file-path scope (crates/*/src/), file-level allowlist via include_str!, forward-slash normalized. Each carries unit tests for the scope/dir helpers. Refs FastLED/fbuild#826, #694. --- .../Cargo.toml | 18 ++ .../README.md | 58 +++++ .../rust-toolchain.toml | 3 + .../src/allowlist.txt | 11 + .../src/lib.rs | 218 ++++++++++++++++ dylints/ban_direct_serialport/Cargo.toml | 20 ++ dylints/ban_direct_serialport/README.md | 34 +++ .../ban_direct_serialport/rust-toolchain.toml | 3 + .../ban_direct_serialport/src/allowlist.txt | 45 ++++ dylints/ban_direct_serialport/src/lib.rs | 207 ++++++++++++++++ dylints/ban_file_based_locks/Cargo.toml | 18 ++ dylints/ban_file_based_locks/README.md | 32 +++ .../ban_file_based_locks/rust-toolchain.toml | 3 + .../ban_file_based_locks/src/allowlist.txt | 12 + dylints/ban_file_based_locks/src/lib.rs | 232 ++++++++++++++++++ 15 files changed, 914 insertions(+) create mode 100644 dylints/ban_deploy_tool_direct_invocation/Cargo.toml create mode 100644 dylints/ban_deploy_tool_direct_invocation/README.md create mode 100644 dylints/ban_deploy_tool_direct_invocation/rust-toolchain.toml create mode 100644 dylints/ban_deploy_tool_direct_invocation/src/allowlist.txt create mode 100644 dylints/ban_deploy_tool_direct_invocation/src/lib.rs create mode 100644 dylints/ban_direct_serialport/Cargo.toml create mode 100644 dylints/ban_direct_serialport/README.md create mode 100644 dylints/ban_direct_serialport/rust-toolchain.toml create mode 100644 dylints/ban_direct_serialport/src/allowlist.txt create mode 100644 dylints/ban_direct_serialport/src/lib.rs create mode 100644 dylints/ban_file_based_locks/Cargo.toml create mode 100644 dylints/ban_file_based_locks/README.md create mode 100644 dylints/ban_file_based_locks/rust-toolchain.toml create mode 100644 dylints/ban_file_based_locks/src/allowlist.txt create mode 100644 dylints/ban_file_based_locks/src/lib.rs diff --git a/dylints/ban_deploy_tool_direct_invocation/Cargo.toml b/dylints/ban_deploy_tool_direct_invocation/Cargo.toml new file mode 100644 index 00000000..17cec753 --- /dev/null +++ b/dylints/ban_deploy_tool_direct_invocation/Cargo.toml @@ -0,0 +1,18 @@ +[package] +name = "ban_deploy_tool_direct_invocation" +version = "0.1.0" +description = "Ban Command::new(\"esptool\"|...) outside fbuild-deploy" +edition = "2021" +publish = false + +[lib] +crate-type = ["cdylib"] + +[dependencies] +dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[dev-dependencies] +dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[package.metadata.rust-analyzer] +rustc_private = true diff --git a/dylints/ban_deploy_tool_direct_invocation/README.md b/dylints/ban_deploy_tool_direct_invocation/README.md new file mode 100644 index 00000000..01a676da --- /dev/null +++ b/dylints/ban_deploy_tool_direct_invocation/README.md @@ -0,0 +1,58 @@ +# `ban_deploy_tool_direct_invocation` + +This lint bans `Command::new("esptool" | "esptool.py" | "avrdude" | +"picotool" | "dfu-util" | "pyocd")` (and the `tokio::process::Command` +equivalent) in fbuild production code (`crates/*/src/`) outside +`crates/fbuild-deploy/`. + +## Why + +Per the agent docs (FastLED/fbuild#694 and `CLAUDE.md`'s "Essential +Rules"), all deploy-tool spawns must flow through `fbuild deploy`. +Direct invocation outside `fbuild-deploy` regresses the deploy contract: +no `Deployer::post_deploy_recovery`, no consistent error reporting, no +serial-port hand-off — and bypasses the `fbuild deploy --to emu` +emulator routing. + +This lint complements `ban_raw_subprocess` (which catches +`.spawn()/.output()/.status()` on `Command` regardless of the binary). +`ban_raw_subprocess` is scoped to *how* you spawn; this one is scoped to +*what* you spawn. Together they form an L-shape: even with legitimate +allowlisted raw-spawn entries, you still can't spawn a deploy tool +outside `fbuild-deploy`. + +## Scope + +Only files whose path contains BOTH `crates/` and a subsequent `/src/` +segment are linted. Files anywhere under `crates/fbuild-deploy/` are +unconditionally exempt — that crate is the legitimate owner. + +## Banned binary names + +Matched against the string literal passed to `Command::new(...)` (case +sensitive): + +- `esptool` +- `esptool.py` +- `avrdude` +- `picotool` +- `dfu-util` +- `pyocd` + +The match is exact. Paths like `/usr/local/bin/esptool` and quoted-arg +shapes (`Command::new(path).arg("flash")`) won't trip the lint — those +are caller-resolved paths and are likely going through `fbuild-deploy` +already. The lint is about the *quick string-literal sketch* that's +easy to add and easy to miss in review. + +## Allowlist + +Empty. `crates/fbuild-deploy/` is the only legitimate caller and is +exempted by directory match, not by allowlist. + +## See also + +- FastLED/fbuild#826 — the dylint sweep tracking issue +- FastLED/fbuild#694 — the `fbuild deploy` ownership rule +- `crates/fbuild-deploy/` — the legitimate owner +- `dylints/ban_raw_subprocess/` — the spawn-shape sibling diff --git a/dylints/ban_deploy_tool_direct_invocation/rust-toolchain.toml b/dylints/ban_deploy_tool_direct_invocation/rust-toolchain.toml new file mode 100644 index 00000000..3b6ccbe8 --- /dev/null +++ b/dylints/ban_deploy_tool_direct_invocation/rust-toolchain.toml @@ -0,0 +1,3 @@ +[toolchain] +channel = "nightly-2026-03-26" +components = ["llvm-tools-preview", "rust-src", "rustc-dev"] diff --git a/dylints/ban_deploy_tool_direct_invocation/src/allowlist.txt b/dylints/ban_deploy_tool_direct_invocation/src/allowlist.txt new file mode 100644 index 00000000..751b75d3 --- /dev/null +++ b/dylints/ban_deploy_tool_direct_invocation/src/allowlist.txt @@ -0,0 +1,11 @@ +# Each non-empty, non-comment line is matched against the tail of each +# source file path (slashes normalized to /). Use forward-slash paths +# only — the lint normalizes \ to / before matching. +# +# Files under `crates/fbuild-deploy/` are unconditionally exempt in +# lib.rs (that crate IS the legitimate owner). They do NOT need entries +# here. +# +# The allowlist is intentionally EMPTY. Direct `Command::new()` outside fbuild-deploy bypasses the deploy contract. Add an +# entry ONLY with a maintainer-approved rationale in the PR. diff --git a/dylints/ban_deploy_tool_direct_invocation/src/lib.rs b/dylints/ban_deploy_tool_direct_invocation/src/lib.rs new file mode 100644 index 00000000..214bf60e --- /dev/null +++ b/dylints/ban_deploy_tool_direct_invocation/src/lib.rs @@ -0,0 +1,218 @@ +#![feature(rustc_private)] + +extern crate rustc_ast; +extern crate rustc_errors; +extern crate rustc_hir; +extern crate rustc_span; + +use rustc_ast::ast::LitKind; +use rustc_errors::DiagDecorator; +use rustc_hir::{Expr, ExprKind}; +use rustc_lint::{LateContext, LateLintPass, LintContext}; +use rustc_span::{symbol::Symbol, FileName, RemapPathScopeComponents}; + +dylint_linting::declare_late_lint! { + /// ### What it does + /// + /// Bans `Command::new("esptool" | "esptool.py" | "avrdude" | + /// "picotool" | "dfu-util" | "pyocd")` (and the + /// `tokio::process::Command` equivalent) in fbuild production code + /// (`crates/*/src/`) outside `crates/fbuild-deploy/`. + /// + /// ### Why is this bad? + /// + /// All deploy-tool spawns must flow through `fbuild deploy`. Direct + /// invocation outside `fbuild-deploy` skips + /// `Deployer::post_deploy_recovery`, error reporting, serial-port + /// hand-off, and the `--to emu` emulator routing. + /// + /// This lint complements `ban_raw_subprocess` (which catches + /// `.spawn()/.output()/.status()` on `Command` regardless of the + /// binary). They form an L-shape: even with legitimate raw-spawn + /// entries, you still can't spawn a deploy tool outside + /// `fbuild-deploy`. + /// + /// ### Known problems + /// + /// Only direct string literals are matched. `Command::new(path)` + /// where `path` is computed at runtime won't trip the lint — + /// runtime-resolved paths are likely going through `fbuild-deploy` + /// already, and the lint targets the quick-sketch shape that's easy + /// to add and easy to miss in review. + /// + /// ### Example + /// + /// ```rust,ignore + /// // Banned outside fbuild-deploy: + /// let out = std::process::Command::new("esptool") + /// .args(["--chip", "esp32", "flash_id"]) + /// .output()?; + /// ``` + /// + /// Use instead: open an issue and call into `fbuild-deploy`'s + /// `Deployer` trait, or run the command via `fbuild deploy`. + pub BAN_DEPLOY_TOOL_DIRECT_INVOCATION, + Deny, + "ban Command::new() outside fbuild-deploy" +} + +/// Banned binary-name string literals. Matched case-sensitively against +/// the first argument of `Command::new(...)`. +const BANNED_BINARIES: &[&str] = &[ + "esptool", + "esptool.py", + "avrdude", + "picotool", + "dfu-util", + "pyocd", +]; + +/// Methods we hook. Both `std` and `tokio` `Command::new` are flagged. +const COMMAND_NEW_PATHS: &[&[&str]] = &[ + &["std", "process", "Command", "new"], + &["tokio", "process", "Command", "new"], +]; + +const ALLOWLIST: &str = include_str!("allowlist.txt"); + +const CRATES_PREFIX: &str = "crates/"; +const SRC_SEGMENT: &str = "/src/"; + +/// `crates/fbuild-deploy/` is the legitimate owner and is exempted by +/// directory match (not by allowlist). The full slash boundary ensures +/// a hypothetical `crates/fbuild-deploy-extras/` would still be linted. +const DEPLOY_DIR: &str = "crates/fbuild-deploy/"; + +impl<'tcx> LateLintPass<'tcx> for BanDeployToolDirectInvocation { + fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) { + let filename = source_filename(cx, expr.span); + let normalized = normalize_slashes(&filename); + if !in_production_scope(&normalized) + || normalized.contains(DEPLOY_DIR) + || is_allowlisted(&normalized) + { + return; + } + + // We only care about `Command::new()` call sites. The + // method-call shape covers the common `Command::new(...)` form + // (yes — it's a Call, not a MethodCall, because `new` is an + // associated function). Treat ExprKind::Call. + if let ExprKind::Call(callee, args) = expr.kind { + let Some(arg) = args.first() else { + return; + }; + let Some(literal) = string_literal(arg) else { + return; + }; + if !BANNED_BINARIES.iter().any(|b| literal == *b) { + return; + } + // Resolve the callee — it must be `(std|tokio)::process::Command::new`. + if let ExprKind::Path(ref qpath) = callee.kind { + if let rustc_hir::def::Res::Def(_, def_id) = cx.qpath_res(qpath, callee.hir_id) { + for command_new in COMMAND_NEW_PATHS { + if def_path_equals(cx, def_id, command_new) { + emit_lint(cx, expr.span, &literal); + return; + } + } + } + } + } + } +} + +fn string_literal(expr: &Expr<'_>) -> Option { + if let ExprKind::Lit(ref lit) = expr.kind { + if let LitKind::Str(sym, _) = lit.node { + return Some(sym.as_str().to_owned()); + } + } + None +} + +fn emit_lint(cx: &LateContext<'_>, span: rustc_span::Span, binary: &str) { + let binary = binary.to_owned(); + cx.opt_span_lint( + BAN_DEPLOY_TOOL_DIRECT_INVOCATION, + Some(span), + DiagDecorator(move |diag| { + diag.primary_message(format!( + "`Command::new(\"{binary}\")` outside fbuild-deploy bypasses the \ + `fbuild deploy` contract (no post-deploy serial recovery, no \ + emulator routing, no consistent error surface). Route through \ + `fbuild-deploy`'s `Deployer` API or run via `fbuild deploy`." + )); + }), + ); +} + +fn source_filename(cx: &LateContext<'_>, span: rustc_span::Span) -> String { + match cx.sess().source_map().span_to_filename(span) { + FileName::Real(real_filename) => real_filename + .local_path() + .map(|path| path.to_string_lossy().into_owned()) + .unwrap_or_else(|| { + real_filename + .path(RemapPathScopeComponents::DIAGNOSTICS) + .to_string_lossy() + .into_owned() + }), + filename => filename + .display(RemapPathScopeComponents::DIAGNOSTICS) + .to_string(), + } +} + +fn in_production_scope(normalized: &str) -> bool { + let Some(crates_at) = normalized.find(CRATES_PREFIX) else { + return false; + }; + let after_crates = &normalized[crates_at + CRATES_PREFIX.len()..]; + after_crates.contains(SRC_SEGMENT) +} + +fn is_allowlisted(normalized: &str) -> bool { + ALLOWLIST + .lines() + .map(str::trim) + .filter(|line| !line.is_empty() && !line.starts_with('#')) + .any(|allowed| normalized.ends_with(allowed)) +} + +fn normalize_slashes(path: &str) -> String { + path.replace('\\', "/") +} + +fn def_path_equals( + cx: &LateContext<'_>, + def_id: rustc_hir::def_id::DefId, + expected: &[&str], +) -> bool { + let def_path = cx.get_def_path(def_id); + if def_path.len() != expected.len() { + return false; + } + def_path + .iter() + .zip(expected.iter()) + .all(|(actual, expected_segment)| *actual == Symbol::intern(expected_segment)) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn in_production_scope_matches_src_files() { + assert!(in_production_scope("crates/fbuild-build/src/foo.rs")); + } + + #[test] + fn deploy_dir_match_is_anchored() { + assert!("crates/fbuild-deploy/src/avr.rs".contains(DEPLOY_DIR)); + assert!(!"crates/fbuild-deploy-extras/src/lib.rs".contains(DEPLOY_DIR)); + assert!(!"crates/fbuild-build/src/foo.rs".contains(DEPLOY_DIR)); + } +} diff --git a/dylints/ban_direct_serialport/Cargo.toml b/dylints/ban_direct_serialport/Cargo.toml new file mode 100644 index 00000000..21eeafe7 --- /dev/null +++ b/dylints/ban_direct_serialport/Cargo.toml @@ -0,0 +1,20 @@ +[package] +name = "ban_direct_serialport" +version = "0.1.0" +description = "Ban direct use of the serialport crate outside fbuild-serial" +edition = "2021" +publish = false + +[lib] +crate-type = ["cdylib"] + +[dependencies] +# Pinned to the same dylint_linting rev the other fbuild dylints use — +# same rustup channel in rust-toolchain.toml, same upstream commit. +dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[dev-dependencies] +dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[package.metadata.rust-analyzer] +rustc_private = true diff --git a/dylints/ban_direct_serialport/README.md b/dylints/ban_direct_serialport/README.md new file mode 100644 index 00000000..9dce28e9 --- /dev/null +++ b/dylints/ban_direct_serialport/README.md @@ -0,0 +1,34 @@ +# `ban_direct_serialport` + +This lint bans direct references to items from the `serialport` crate in +fbuild production code (`crates/*/src/`) outside `crates/fbuild-serial/` +and a small set of diagnostic CLI entry points. + +## Why + +All serial-port access in fbuild must flow through `fbuild-serial`'s +blessed APIs so the Windows USB-CDC contract (30-retry open, aggressive +buffer drain, DTR/RTS toggling after flash — see CLAUDE.md "Windows +USB-CDC") stays in one place. Direct `serialport::` usage scattered +across crates regresses that invariant silently. + +## Scope + +The lint fires on path expressions whose resolved DefId is rooted at the +`serialport` crate (i.e. the first segment of the crate's def-path is +`serialport`). Only files whose path contains BOTH `crates/` and a +subsequent `/src/` segment are linted; tests/benches/examples are out of +scope by design. + +`crates/fbuild-serial/` is unconditionally exempt — it IS the wrapper. + +## Allowlist + +Files in scope that legitimately need raw `serialport::` use are listed +in `src/allowlist.txt`. The target state is to migrate the rest into +`fbuild-serial`; new files should not be added. + +## See also + +- FastLED/fbuild#826 — the dylint sweep tracking issue +- `crates/fbuild-serial/` — the blessed wrapper diff --git a/dylints/ban_direct_serialport/rust-toolchain.toml b/dylints/ban_direct_serialport/rust-toolchain.toml new file mode 100644 index 00000000..3b6ccbe8 --- /dev/null +++ b/dylints/ban_direct_serialport/rust-toolchain.toml @@ -0,0 +1,3 @@ +[toolchain] +channel = "nightly-2026-03-26" +components = ["llvm-tools-preview", "rust-src", "rustc-dev"] diff --git a/dylints/ban_direct_serialport/src/allowlist.txt b/dylints/ban_direct_serialport/src/allowlist.txt new file mode 100644 index 00000000..df0e6c2f --- /dev/null +++ b/dylints/ban_direct_serialport/src/allowlist.txt @@ -0,0 +1,45 @@ +# Each non-empty, non-comment line is matched against the tail of each +# source file path (slashes normalized to /). Use forward-slash paths +# only — the lint normalizes \ to / before matching. +# +# Files under `crates/fbuild-serial/src/` are unconditionally exempt in +# lib.rs (that crate IS the blessed wrapper). They do NOT need entries +# here. +# +# Rollout strategy: +# - The lint is ON and denies new direct `serialport::*` references in +# production code outside `crates/fbuild-serial/`. +# - This file lists the *legacy* call sites that existed when the lint +# was first enabled (FastLED/fbuild#826). They are exempted so the +# lint can land without a repo-wide migration into fbuild-serial. +# - New files MUST NOT be added here. The target state is zero +# entries. +# - If a new caller is justified (e.g. a diagnostic CLI that +# enumerates ports without going through the manager), open an +# issue first and add the entry with an inline justification. + +# Diagnostic CLI: enumerates available ports for `fbuild port-scan` / +# `fbuild serial probe list`. These are read-only probes, not the +# active-serial-session path — they intentionally bypass the manager +# so probing doesn't trip USB-CDC retry counters. +crates/fbuild-cli/src/cli/port_scan.rs +crates/fbuild-cli/src/cli/serial_probe.rs + +# Daemon device-manager: enumerates and tracks devices via serialport. +# Migration into fbuild-serial would invert the dependency direction +# (manager owns serialport, daemon owns manager). Track separately. +crates/fbuild-daemon/src/device_manager.rs + +# fbuild-deploy native paths: ESP32 / Teensy / generic reset paths open +# raw serial handles for bootloader transitions. Migrating into +# fbuild-serial requires teaching the manager about the bootloader +# protocol state machines — tracked as a follow-up to #826. +crates/fbuild-deploy/src/lib.rs +crates/fbuild-deploy/src/reset.rs +crates/fbuild-deploy/src/esp32_native/transport.rs +crates/fbuild-deploy/src/esp32_native/verify.rs +crates/fbuild-deploy/src/esp32_native/write.rs +crates/fbuild-deploy/src/teensy/first_byte_probe.rs +crates/fbuild-deploy/src/teensy/mod.rs +crates/fbuild-deploy/src/teensy/port_discovery.rs +crates/fbuild-deploy/src/teensy/soft_reboot.rs diff --git a/dylints/ban_direct_serialport/src/lib.rs b/dylints/ban_direct_serialport/src/lib.rs new file mode 100644 index 00000000..f62ee3ca --- /dev/null +++ b/dylints/ban_direct_serialport/src/lib.rs @@ -0,0 +1,207 @@ +#![feature(rustc_private)] + +extern crate rustc_errors; +extern crate rustc_hir; +extern crate rustc_span; + +use rustc_errors::DiagDecorator; +use rustc_hir::{def::Res, AmbigArg, Expr, ExprKind, Ty, TyKind}; +use rustc_lint::{LateContext, LateLintPass, LintContext}; +use rustc_span::{symbol::Symbol, FileName, RemapPathScopeComponents}; + +dylint_linting::declare_late_lint! { + /// ### What it does + /// + /// Bans direct references to items from the `serialport` crate in + /// fbuild production code (`crates/*/src/`) outside + /// `crates/fbuild-serial/` and a small allowlist of files that + /// legitimately need raw serial access (diagnostic CLIs, the daemon + /// device manager, and the fbuild-deploy bootloader paths). + /// + /// ### Why is this bad? + /// + /// All serial-port access in fbuild must flow through fbuild-serial's + /// blessed APIs so the Windows USB-CDC contract (30-retry open, + /// aggressive buffer drain, DTR/RTS toggling after flash) stays in + /// one place. Direct `serialport::` usage scattered across crates + /// silently regresses that invariant. + /// + /// ### Known problems + /// + /// Allowlisting is file-level via `src/allowlist.txt`. The lint does + /// not detect `#[cfg(test)]` scope programmatically. + /// + /// ### Example + /// + /// ```rust,ignore + /// let port = serialport::new("/dev/ttyUSB0", 115200).open()?; + /// ``` + /// + /// Use instead: + /// + /// ```rust,ignore + /// // From inside fbuild-serial, or via the manager API: + /// let session = fbuild_serial::manager::SerialManager::open(...)?; + /// ``` + pub BAN_DIRECT_SERIALPORT, + Deny, + "ban direct serialport crate references outside fbuild-serial" +} + +/// The crate whose items are banned. Matching is on the first path +/// segment of the resolved DefId's def-path — i.e. the originating +/// crate name. This catches `use serialport::*`, `serialport::new(..)`, +/// `serialport::SerialPort` type refs, and re-exports that still resolve +/// back to a `serialport::*` DefId. +const BANNED_CRATE: &str = "serialport"; + +const ALLOWLIST: &str = include_str!("allowlist.txt"); + +/// Production-code scope. Only files whose path contains BOTH +/// `crates/` and a subsequent `/src/` segment are linted. +const CRATES_PREFIX: &str = "crates/"; +const SRC_SEGMENT: &str = "/src/"; + +/// Path fragment that unconditionally exempts a file: it IS the blessed +/// wrapper. Match the full directory boundary so a hypothetical +/// `crates/fbuild-serial-extras/` would still be linted. +const WRAPPER_DIR: &str = "crates/fbuild-serial/"; + +impl<'tcx> LateLintPass<'tcx> for BanDirectSerialport { + fn check_ty(&mut self, cx: &LateContext<'tcx>, ty: &'tcx Ty<'tcx, AmbigArg>) { + let filename = source_filename(cx, ty.span); + let normalized = normalize_slashes(&filename); + if !in_production_scope(&normalized) + || is_wrapper_dir(&normalized) + || is_allowlisted(&normalized) + { + return; + } + + if let TyKind::Path(qpath) = ty.kind { + let res = cx.qpath_res(&qpath, ty.hir_id); + if res_is_from_banned_crate(cx, res) { + emit_lint(cx, ty.span); + } + } + } + + fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) { + let filename = source_filename(cx, expr.span); + let normalized = normalize_slashes(&filename); + if !in_production_scope(&normalized) + || is_wrapper_dir(&normalized) + || is_allowlisted(&normalized) + { + return; + } + + // Path-expression form: `serialport::new(...)`, + // `serialport::SerialPortType::UsbPort(_)`, etc. + if let ExprKind::Path(qpath) = expr.kind { + let res = cx.qpath_res(&qpath, expr.hir_id); + if res_is_from_banned_crate(cx, res) { + emit_lint(cx, expr.span); + } + } + } +} + +fn emit_lint(cx: &LateContext<'_>, span: rustc_span::Span) { + cx.opt_span_lint( + BAN_DIRECT_SERIALPORT, + Some(span), + DiagDecorator(|diag| { + diag.primary_message( + "direct `serialport::*` reference outside fbuild-serial — route serial \ + access through `fbuild_serial::manager` so the Windows USB-CDC \ + contract (30-retry open, drain semantics, DTR/RTS rules) is applied. \ + If raw access is truly justified for this file, allowlist it in \ + `dylints/ban_direct_serialport/src/allowlist.txt` with a one-line \ + reason.", + ); + }), + ); +} + +fn source_filename(cx: &LateContext<'_>, span: rustc_span::Span) -> String { + match cx.sess().source_map().span_to_filename(span) { + FileName::Real(real_filename) => real_filename + .local_path() + .map(|path| path.to_string_lossy().into_owned()) + .unwrap_or_else(|| { + real_filename + .path(RemapPathScopeComponents::DIAGNOSTICS) + .to_string_lossy() + .into_owned() + }), + filename => filename + .display(RemapPathScopeComponents::DIAGNOSTICS) + .to_string(), + } +} + +fn in_production_scope(normalized: &str) -> bool { + let Some(crates_at) = normalized.find(CRATES_PREFIX) else { + return false; + }; + let after_crates = &normalized[crates_at + CRATES_PREFIX.len()..]; + after_crates.contains(SRC_SEGMENT) +} + +fn is_wrapper_dir(normalized: &str) -> bool { + normalized.contains(WRAPPER_DIR) +} + +fn is_allowlisted(normalized: &str) -> bool { + ALLOWLIST + .lines() + .map(str::trim) + .filter(|line| !line.is_empty() && !line.starts_with('#')) + .any(|allowed| normalized.ends_with(allowed)) +} + +fn normalize_slashes(path: &str) -> String { + path.replace('\\', "/") +} + +fn res_is_from_banned_crate(cx: &LateContext<'_>, res: Res) -> bool { + let Res::Def(_, def_id) = res else { + return false; + }; + let def_path = cx.get_def_path(def_id); + if def_path.is_empty() { + return false; + } + def_path[0] == Symbol::intern(BANNED_CRATE) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn in_production_scope_matches_src_files() { + assert!(in_production_scope("crates/fbuild-cli/src/cli/port_scan.rs")); + assert!(in_production_scope( + "/home/runner/work/fbuild/crates/fbuild-deploy/src/teensy/mod.rs" + )); + } + + #[test] + fn in_production_scope_rejects_non_src() { + assert!(!in_production_scope("crates/fbuild-cli/tests/foo.rs")); + assert!(!in_production_scope("crates/fbuild-cli/examples/demo.rs")); + assert!(!in_production_scope("build.rs")); + } + + #[test] + fn wrapper_dir_is_recognised() { + assert!(is_wrapper_dir("crates/fbuild-serial/src/manager.rs")); + assert!(is_wrapper_dir( + "/anywhere/crates/fbuild-serial/src/session.rs" + )); + assert!(!is_wrapper_dir("crates/fbuild-serial-extras/src/lib.rs")); + assert!(!is_wrapper_dir("crates/fbuild-cli/src/cli/port_scan.rs")); + } +} diff --git a/dylints/ban_file_based_locks/Cargo.toml b/dylints/ban_file_based_locks/Cargo.toml new file mode 100644 index 00000000..b0abcddc --- /dev/null +++ b/dylints/ban_file_based_locks/Cargo.toml @@ -0,0 +1,18 @@ +[package] +name = "ban_file_based_locks" +version = "0.1.0" +description = "Ban file-based locking primitives in fbuild production code" +edition = "2021" +publish = false + +[lib] +crate-type = ["cdylib"] + +[dependencies] +dylint_linting = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[dev-dependencies] +dylint_testing = { git = "https://github.com/trailofbits/dylint", rev = "4bd91ce7729b74c7ee5664bbb588f7baf30b4a09" } + +[package.metadata.rust-analyzer] +rustc_private = true diff --git a/dylints/ban_file_based_locks/README.md b/dylints/ban_file_based_locks/README.md new file mode 100644 index 00000000..298db22d --- /dev/null +++ b/dylints/ban_file_based_locks/README.md @@ -0,0 +1,32 @@ +# `ban_file_based_locks` + +This lint bans file-based locking primitives in fbuild production code +(`crates/*/src/`): + +- `fs2::FileExt` and `fs2::lock_*` (the `fs2` crate's POSIX-flavored API) +- `OpenOptions::create_new(true)` (the rename-or-fail lock-file pattern) +- raw `flock(...)` system-call wrappers + +## Why + +Per `CLAUDE.md`'s "Key Constraints" section, fbuild has **no file-based +locks** — all locking flows through the daemon's in-memory managers. +File-based locks regress that contract: they leak across crashes on +Windows, race with watch-set invalidation, and can deadlock in CI when +two workers share a stale lock-file path. + +The lint is ON and the allowlist is empty: every current call site is +already routed through the daemon. The lint locks the invariant in so +future code can't drift back. + +## Scope + +Only files whose path contains BOTH `crates/` and a subsequent `/src/` +segment are linted. `tests/`, `benches/`, `examples/`, build scripts, +and the `ci/` tree are out of scope by design — integration tests can +legitimately probe lock-file collision behavior. + +## See also + +- FastLED/fbuild#826 — the dylint sweep tracking issue +- `CLAUDE.md` "Key Constraints" — "No file-based locks" diff --git a/dylints/ban_file_based_locks/rust-toolchain.toml b/dylints/ban_file_based_locks/rust-toolchain.toml new file mode 100644 index 00000000..3b6ccbe8 --- /dev/null +++ b/dylints/ban_file_based_locks/rust-toolchain.toml @@ -0,0 +1,3 @@ +[toolchain] +channel = "nightly-2026-03-26" +components = ["llvm-tools-preview", "rust-src", "rustc-dev"] diff --git a/dylints/ban_file_based_locks/src/allowlist.txt b/dylints/ban_file_based_locks/src/allowlist.txt new file mode 100644 index 00000000..b9580710 --- /dev/null +++ b/dylints/ban_file_based_locks/src/allowlist.txt @@ -0,0 +1,12 @@ +# Each non-empty, non-comment line is matched against the tail of each +# source file path (slashes normalized to /). Use forward-slash paths +# only — the lint normalizes \ to / before matching. +# +# The allowlist is intentionally EMPTY. fbuild has no file-based locks +# per the "Key Constraints" section of CLAUDE.md; all locking flows +# through the daemon's in-memory managers. This lint locks that +# invariant in so future code can't drift back. +# +# Do NOT add entries here without a maintainer-approved exception in +# the PR description that justifies why the daemon's in-memory manager +# cannot own the lock. diff --git a/dylints/ban_file_based_locks/src/lib.rs b/dylints/ban_file_based_locks/src/lib.rs new file mode 100644 index 00000000..a38f9af2 --- /dev/null +++ b/dylints/ban_file_based_locks/src/lib.rs @@ -0,0 +1,232 @@ +#![feature(rustc_private)] + +extern crate rustc_ast; +extern crate rustc_errors; +extern crate rustc_hir; +extern crate rustc_span; + +use rustc_ast::ast::LitKind; +use rustc_errors::DiagDecorator; +use rustc_hir::{def::Res, Expr, ExprKind}; +use rustc_lint::{LateContext, LateLintPass, LintContext}; +use rustc_span::{symbol::Symbol, FileName, RemapPathScopeComponents}; + +dylint_linting::declare_late_lint! { + /// ### What it does + /// + /// Bans file-based locking primitives in fbuild production code + /// (`crates/*/src/`): + /// + /// * `OpenOptions::create_new(true)` — the rename-or-fail lock-file + /// pattern. + /// * `fs2::FileExt` and `fs2::lock_*` methods (the `fs2` crate). + /// * raw `flock(...)` from libc / nix wrappers. + /// + /// ### Why is this bad? + /// + /// Per CLAUDE.md's "Key Constraints" section, fbuild has **no + /// file-based locks** — all locking flows through the daemon's + /// in-memory managers. File-based locks regress that contract: + /// they leak across crashes on Windows, race with watch-set + /// invalidation, and can deadlock CI when two workers share a + /// stale lock-file path. + /// + /// ### Known problems + /// + /// Only direct call shapes are detected. Code that wraps `flock` + /// behind a trait method whose def-path no longer mentions `fs2`, + /// `flock`, or `OpenOptions::create_new` slips through and would + /// need a follow-up extension. The current invariant is that fbuild + /// has zero such wrappers. + /// + /// ### Example + /// + /// ```rust,ignore + /// // Banned: rename-or-fail lock file. + /// let lock = OpenOptions::new() + /// .write(true) + /// .create_new(true) + /// .open("/var/run/fbuild.lock")?; + /// ``` + /// + /// Use instead: route the lock through the daemon's in-memory + /// manager (e.g. `LockManager` in `fbuild-daemon`). + pub BAN_FILE_BASED_LOCKS, + Deny, + "ban file-based locking primitives in fbuild production code" +} + +/// Methods whose presence is enough to flag the call. Each entry is the +/// fully-qualified def-path; matching is exact. +/// +/// `std::fs::OpenOptions::create_new` is special-cased because the +/// method itself is not banned — only the `(true)` argument form is. +/// The handler below inspects the argument. +const BANNED_METHOD_PATHS: &[&[&str]] = &[ + // fs2 crate (POSIX-style file locking API). + &["fs2", "FileExt", "lock_exclusive"], + &["fs2", "FileExt", "lock_shared"], + &["fs2", "FileExt", "try_lock_exclusive"], + &["fs2", "FileExt", "try_lock_shared"], + &["fs2", "FileExt", "unlock"], + // libc and nix flock wrappers. + &["libc", "flock"], + &["nix", "fcntl", "flock"], +]; + +/// `OpenOptions::create_new(true)` is the rename-or-fail lock-file +/// pattern. The method itself is not banned — only the `true` form. +const OPEN_OPTIONS_CREATE_NEW: &[&str] = &["std", "fs", "OpenOptions", "create_new"]; + +const ALLOWLIST: &str = include_str!("allowlist.txt"); + +const CRATES_PREFIX: &str = "crates/"; +const SRC_SEGMENT: &str = "/src/"; + +impl<'tcx> LateLintPass<'tcx> for BanFileBasedLocks { + fn check_expr(&mut self, cx: &LateContext<'tcx>, expr: &'tcx Expr<'tcx>) { + let filename = source_filename(cx, expr.span); + let normalized = normalize_slashes(&filename); + if !in_production_scope(&normalized) || is_allowlisted(&normalized) { + return; + } + + match expr.kind { + ExprKind::MethodCall(_, _, args, _) => { + if let Some(def_id) = cx.typeck_results().type_dependent_def_id(expr.hir_id) { + // OpenOptions::create_new(true) — only flag when the + // single argument is the literal `true`. + if def_path_equals(cx, def_id, OPEN_OPTIONS_CREATE_NEW) { + if let [arg] = args { + if is_literal_true(arg) { + emit_create_new_lint(cx, expr.span); + } + } + return; + } + for banned in BANNED_METHOD_PATHS { + if def_path_equals(cx, def_id, banned) { + emit_lint(cx, expr.span, banned); + return; + } + } + } + } + ExprKind::Path(ref qpath) => { + if let Res::Def(_, def_id) = cx.qpath_res(qpath, expr.hir_id) { + for banned in BANNED_METHOD_PATHS { + if def_path_equals(cx, def_id, banned) { + emit_lint(cx, expr.span, banned); + return; + } + } + } + } + _ => {} + } + } +} + +fn emit_lint(cx: &LateContext<'_>, span: rustc_span::Span, banned: &[&str]) { + let joined = banned.join("::"); + cx.opt_span_lint( + BAN_FILE_BASED_LOCKS, + Some(span), + DiagDecorator(move |diag| { + diag.primary_message(format!( + "`{joined}` is a file-based lock; fbuild has no file-based locks (see \ + CLAUDE.md \"Key Constraints\"). Route the lock through the daemon's \ + in-memory manager." + )); + }), + ); +} + +fn emit_create_new_lint(cx: &LateContext<'_>, span: rustc_span::Span) { + cx.opt_span_lint( + BAN_FILE_BASED_LOCKS, + Some(span), + DiagDecorator(|diag| { + diag.primary_message( + "`OpenOptions::create_new(true)` is the rename-or-fail lock-file pattern; \ + fbuild has no file-based locks (see CLAUDE.md \"Key Constraints\"). \ + Route the lock through the daemon's in-memory manager.", + ); + }), + ); +} + +fn is_literal_true(expr: &Expr<'_>) -> bool { + matches!( + expr.kind, + ExprKind::Lit(ref lit) if matches!(lit.node, LitKind::Bool(true)) + ) +} + +fn source_filename(cx: &LateContext<'_>, span: rustc_span::Span) -> String { + match cx.sess().source_map().span_to_filename(span) { + FileName::Real(real_filename) => real_filename + .local_path() + .map(|path| path.to_string_lossy().into_owned()) + .unwrap_or_else(|| { + real_filename + .path(RemapPathScopeComponents::DIAGNOSTICS) + .to_string_lossy() + .into_owned() + }), + filename => filename + .display(RemapPathScopeComponents::DIAGNOSTICS) + .to_string(), + } +} + +fn in_production_scope(normalized: &str) -> bool { + let Some(crates_at) = normalized.find(CRATES_PREFIX) else { + return false; + }; + let after_crates = &normalized[crates_at + CRATES_PREFIX.len()..]; + after_crates.contains(SRC_SEGMENT) +} + +fn is_allowlisted(normalized: &str) -> bool { + ALLOWLIST + .lines() + .map(str::trim) + .filter(|line| !line.is_empty() && !line.starts_with('#')) + .any(|allowed| normalized.ends_with(allowed)) +} + +fn normalize_slashes(path: &str) -> String { + path.replace('\\', "/") +} + +fn def_path_equals( + cx: &LateContext<'_>, + def_id: rustc_hir::def_id::DefId, + expected: &[&str], +) -> bool { + let def_path = cx.get_def_path(def_id); + if def_path.len() != expected.len() { + return false; + } + def_path + .iter() + .zip(expected.iter()) + .all(|(actual, expected_segment)| *actual == Symbol::intern(expected_segment)) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn in_production_scope_matches_src_files() { + assert!(in_production_scope("crates/fbuild-daemon/src/lock.rs")); + } + + #[test] + fn in_production_scope_rejects_non_src() { + assert!(!in_production_scope("crates/fbuild-daemon/tests/lock.rs")); + assert!(!in_production_scope("ci/foo.py")); + } +} From a15e81ec7da8847a938c2c10018bf4b4eaa5e301 Mon Sep 17 00:00:00 2001 From: zackees Date: Mon, 29 Jun 2026 10:18:18 -0700 Subject: [PATCH 3/4] fix(daemon/ws): replace 5 unwraps in error-reply paths with fallback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The WebSocket error-reply paths in `handle_serial_ws` previously panicked via `serde_json::to_string(&err_msg).unwrap()` if the JSON serializer ever failed. While `SerialServerMessage` always serializes cleanly today, a panic in the cold error path tears down the entire WebSocket — exactly the wrong failure mode for a code path whose only job is to surface an error to the client. Add a small `serialize_or_fallback` helper that returns a hardcoded JSON error frame on serializer failure, and route the 5 affected `Message::Text(...)` constructions through it (open_port failure, unexpected-message-shape, parse-error, attach_reader=None, attached-confirmation send). The 3 remaining `to_string(...).unwrap()` calls at lines ~441/450/467 are on normal data-forwarding paths (not error-reply paths) and are out of scope for this fix; FastLED/fbuild#826 only flagged the error-reply ones as a daemon-stability hazard. Refs FastLED/fbuild#826. --- .../fbuild-daemon/src/handlers/websockets.rs | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/crates/fbuild-daemon/src/handlers/websockets.rs b/crates/fbuild-daemon/src/handlers/websockets.rs index 91040f89..08f57825 100644 --- a/crates/fbuild-daemon/src/handlers/websockets.rs +++ b/crates/fbuild-daemon/src/handlers/websockets.rs @@ -12,6 +12,22 @@ use std::sync::Arc; use std::time::Duration; use tokio::sync::{mpsc, oneshot}; +/// Serialize a `SerialServerMessage` (or any `serde::Serialize` value) +/// to JSON, falling back to a hardcoded JSON error frame if serialization +/// somehow fails. Used on WebSocket error-reply paths where panicking +/// would tear the whole socket down instead of just dropping one frame. +/// +/// `serde_json::to_string` only fails for values whose `Serialize` impl +/// returns an error or that contain non-finite floats inside a map key +/// — neither shape occurs in `SerialServerMessage`. The fallback exists +/// purely as a panic-free guarantee for the cold path; FastLED/fbuild#826 +/// flagged the prior `.unwrap()` calls as a stability hazard. +fn serialize_or_fallback(value: &T) -> String { + serde_json::to_string(value).unwrap_or_else(|_| { + r#"{"type":"error","message":""}"#.to_string() + }) +} + // ReaderControl -- inbound -> reader cross-task RPC for the small set // of `SerialClientMessage`s that need read-only access to the reader- // owned broadcast receiver (`ClearBuffer` and `GetInWaiting`). @@ -116,7 +132,7 @@ async fn handle_serial_ws(mut socket: WebSocket, ctx: Arc) { message: format!("failed to open port: {}", e), }; let _ = socket - .send(Message::Text(serde_json::to_string(&err_msg).unwrap())) + .send(Message::Text(serialize_or_fallback(&err_msg))) .await; return; } @@ -128,7 +144,7 @@ async fn handle_serial_ws(mut socket: WebSocket, ctx: Arc) { message: "expected attach message first".to_string(), }; let _ = socket - .send(Message::Text(serde_json::to_string(&err_msg).unwrap())) + .send(Message::Text(serialize_or_fallback(&err_msg))) .await; return; } @@ -137,7 +153,7 @@ async fn handle_serial_ws(mut socket: WebSocket, ctx: Arc) { message: format!("invalid message: {}", e), }; let _ = socket - .send(Message::Text(serde_json::to_string(&err_msg).unwrap())) + .send(Message::Text(serialize_or_fallback(&err_msg))) .await; return; } @@ -170,7 +186,7 @@ async fn handle_serial_ws(mut socket: WebSocket, ctx: Arc) { message: format!("port {} not open", port), }; let _ = socket - .send(Message::Text(serde_json::to_string(&err_msg).unwrap())) + .send(Message::Text(serialize_or_fallback(&err_msg))) .await; cleanup_ws_serial_session(&ctx, &port, &client_id, writer_acquired).await; return; @@ -184,7 +200,7 @@ async fn handle_serial_ws(mut socket: WebSocket, ctx: Arc) { writer_pre_acquired: writer_acquired, }; if socket - .send(Message::Text(serde_json::to_string(&attached).unwrap())) + .send(Message::Text(serialize_or_fallback(&attached))) .await .is_err() { From 8a79b2ecc08c42e10f47688cd809a3511b70a5e3 Mon Sep 17 00:00:00 2001 From: zackees Date: Mon, 29 Jun 2026 11:11:14 -0700 Subject: [PATCH 4/4] build: add new dylint crates to workspace exclude cargo metadata refuses to operate on dylint sub-crates that are neither members nor excluded; add the 5 new lint crates from #826 to the existing exclude list (alongside ban_raw_subprocess). Co-Authored-By: Claude Opus 4.7 (1M context) --- Cargo.toml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 2de15551..c6e7930a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,7 +20,14 @@ members = [ # `dylints/*/rust-toolchain.toml`) and must not be part of the # stable workspace build — `cargo dylint --all` builds them with # the pinned nightly via the discovery below. See #264. -exclude = ["dylints/ban_raw_subprocess"] +exclude = [ + "dylints/ban_raw_subprocess", + "dylints/ban_std_pathbuf", + "dylints/ban_unrooted_tempdir", + "dylints/ban_direct_serialport", + "dylints/ban_file_based_locks", + "dylints/ban_deploy_tool_direct_invocation", +] [workspace.metadata.dylint] libraries = [{ path = "dylints/*" }]