2 research outputs found
Dependency Solving Is Still Hard, but We Are Getting Better at It
Dependency solving is a hard (NP-complete) problem in all non-trivial component models due to either mutually incompatible versions of the same packages or explicitly declared package conflicts. As such, software upgrade planning needs to rely on highly specialized dependency solvers, lest falling into pitfalls such as incompleteness - a combination of package versions that satisfy dependency constraints does exist, but the package manager is unable to find it. In this paper we look back at proposals from dependency solving research dating back a few years. Specifically, we review the idea of treating dependency solving as a separate concern in package manager implementations, relying on generic dependency solvers based on tried and tested techniques such as SAT solving, PBO, MILP, etc. By conducting a census of dependency solving capabilities in state-of-the-art package managers we conclude that some proposals are starting to take off (e.g., SAT-based dependency solving) while - with few exceptions - others have not (e.g., outsourcing dependency solving to reusable components). We reflect on why that has been the case and look at novel challenges for dependency solving that have emerged since.Software Engineerin
Demystifying Compiler Unstable Feature Usage and Impacts in the Rust Ecosystem
Rust programming language is gaining popularity rapidly in building reliable
and secure systems due to its security guarantees and outstanding performance.
To provide extra functionalities, the Rust compiler introduces Rust unstable
features (RUF) to extend compiler functionality, syntax, and standard library
support. However, these features are unstable and may get removed, introducing
compilation failures to dependent packages. Even worse, their impacts propagate
through transitive dependencies, causing large-scale failures in the whole
ecosystem. Although RUF is widely used in Rust, previous research has primarily
concentrated on Rust code safety, with the usage and impacts of RUF from the
Rust compiler remaining unexplored. Therefore, we aim to bridge this gap by
systematically analyzing the RUF usage and impacts in the Rust ecosystem. We
propose novel techniques for extracting RUF precisely, and to assess its impact
on the entire ecosystem quantitatively, we accurately resolve package
dependencies. We have analyzed the whole Rust ecosystem with 590K package
versions and 140M transitive dependencies. Our study shows that the Rust
ecosystem uses 1000 different RUF, and at most 44% of package versions are
affected by RUF, causing compiling failures for at most 12%. To mitigate wide
RUF impacts, we further design and implement a RUF-compilation-failure recovery
tool that can recover up to 90% of the failure. We believe our techniques,
findings, and tools can help to stabilize the Rust compiler, ultimately
enhancing the security and reliability of the Rust ecosystem.Comment: Published in ICSE'2024 Conference:
https://conf.researchr.org/details/icse-2024/icse-2024-research-track/6/Demystifying-Compiler-Unstable-Feature-Usage-and-Impacts-in-the-Rust-Ecosystem.
Project webiste: https://sites.google.com/view/ruf-study/home. Released
Source Code Zonodo: https://zenodo.org/records/828937