Skip to content

Fix unresolved ${out_dir} token in dep env files#4124

Open
basvandijk wants to merge 1 commit into
bazelbuild:mainfrom
basvandijk:fix-dep-env-out-dir-redaction
Open

Fix unresolved ${out_dir} token in dep env files#4124
basvandijk wants to merge 1 commit into
bazelbuild:mainfrom
basvandijk:fix-dep-env-out-dir-redaction

Conversation

@basvandijk

Copy link
Copy Markdown

The bug

Since the OUT_DIR sanitization work (#4050 / #4011, first released in 0.71.x), outputs_to_dep_env redacts the producer's out_dir to the generic ${out_dir} substitution token, the same way outputs_to_env does.

That redaction is only correct for _bs.env files, which are consumed by the target that directly owns the build script (where process_wrapper's --out-dir resolves the token to the right directory). Dep env (DEP_*) files, however, are consumed by downstream crates' build scripts: their runner only substitutes ${pwd}, and their own out_dir points to a different directory. The token is therefore left unresolved, or would resolve to the wrong directory.

Real-world failure: libssh2-sys's build script fails to find zlib.h because libz-sys's DEP_Z_INCLUDE contains a literal ${out_dir} path component. Found while upgrading rules_rust to 0.71.3 in dfinity/ic (see dfinity/ic#10632, where this fix is currently carried as a patch).

The fix

Only substitute the exec root in dep env files and keep the real out_dir path. That path is valid for consumers: the producer's out_dir is a declared input of downstream build script actions.

Tests

  • Unit test out_dir_in_dep_env_value_is_not_redacted_to_substitution_token in cargo/private/cargo_build_script_runner/lib.rs.
  • End-to-end regression test //cargo/tests/dep_env:build_read_out_dir mirroring the libz-sys → libssh2-sys scenario: a producer build script advertises cargo:include=$OUT_DIR/include and the consumer build script asserts DEP_Z_INCLUDE points at an existing directory. Fails without the fix, passes with it.

Assisted-by: GitHub Copilot

`outputs_to_dep_env` redacted the producer's out_dir to the generic
`${out_dir}` substitution token, the same way `outputs_to_env` does.
But dep env (`DEP_*`) files are consumed by *downstream* crates' build
scripts, whose runner only substitutes `${pwd}` and whose own out_dir
points to a different directory, so the token was left unresolved (or
would resolve to the wrong directory). For example, libssh2-sys failed
to find zlib.h from libz-sys's DEP_Z_INCLUDE.

Only substitute the exec root in dep env files and keep the real
out_dir path, which is a declared input of downstream build script
actions.

Assisted-by: GitHub Copilot
@basvandijk basvandijk marked this pull request as ready for review July 2, 2026 13:54
@UebelAndre UebelAndre self-requested a review July 2, 2026 14:06
@basvandijk basvandijk marked this pull request as draft July 2, 2026 14:32
@basvandijk

basvandijk commented Jul 2, 2026

Copy link
Copy Markdown
Author

Converting to draft since I see some tests failing on dfinity/ic#10632 which are likely due to this. Will have to debug this further ...

EDIT: False alarm. The bug was caused by something else and fixed in dfinity/ic@082d8ae.

@basvandijk basvandijk marked this pull request as ready for review July 2, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant