
ruff binary varies from ASLR

Open bmwiedemann opened this issue 1 year ago • 2 comments

While working on reproducible builds for openSUSE, I found that our python-ruff package varies from Address-Space-Layout-Randomization (ASLR).

I reproduced this with both 0.5.0 and 0.4.10.

It is a variation that happens with low entropy - maybe just 1 bit, so occasionally, two identical ruff binaries are produced.

I uploaded two 0.5.0 binaries and a diff into http://rb.zq1.de/other/python-ruff/ - maybe something related to rust/llvm.

bmwiedemann Jul 03 '24 12:07

Scanning through the diff, it seems that most (all?) are related to the libCST dependency.

Maybe a non-determinism in their macro?

MichaReiser Jul 03 '24 12:07

grep ^- ruff-strings-diff.txt | grep -vi libcst also shows

-anon.ea5251168591221b31fa999991ef59a1.39.llvm.6396498261944353430
-_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$3fmt17hb6d27bec17dc24a4E.llvm.1673184941240675199

bmwiedemann Jul 03 '24 12:07
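
The filtering in the comment above, taken one step further as an added example (not code from the thread or from the ruff project): it masks the `.llvm.<digits>` suffix and the `17h...E` hash seen in the two quoted symbols, pairs removed and added lines that differ only there, and lists what is left over. The diff text is constructed for illustration (only the two non-libcst `-` symbol lines come from the thread), and treating those suffixes as build-varying is an assumption.

```python
import re
from collections import Counter

# Patterns taken from the two symbols quoted in the thread; treating them as
# build-varying is an assumption of this example.
LLVM_SUFFIX = re.compile(r"\.llvm\.\d+")
RUST_HASH = re.compile(r"17h[0-9a-f]{16}E")

# Constructed sample: every "+" line and the last two "-" lines are made up.
SAMPLE_DIFF = """\
--- a/ruff.strings
+++ b/ruff.strings
@@ -1,5 +1,4 @@
 some unchanged string
-anon.ea5251168591221b31fa999991ef59a1.39.llvm.6396498261944353430
+anon.ea5251168591221b31fa999991ef59a1.39.llvm.1111111111111111111
-_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$3fmt17hb6d27bec17dc24a4E.llvm.1673184941240675199
+_ZN60_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$3fmt17hb6d27bec17dc24a4E.llvm.2222222222222222222
-libcst_constructed_symbol.llvm.3333333333333333333
+libcst_constructed_symbol.llvm.4444444444444444444
-constructed_symbol_only_in_build_a
"""

def normalize(sym):
    """Mask the suffixes so two builds' spellings of one symbol compare equal."""
    sym = LLVM_SUFFIX.sub(".llvm.<N>", sym)
    return RUST_HASH.sub("17h<HASH>E", sym)

def triage(diff_text, skip="libcst"):
    """Split a unified diff of `strings` output into suffix-only pairs and residue."""
    removed, added = Counter(), Counter()
    for line in diff_text.splitlines():
        # Skip file headers, hunk headers and context lines. A removed string
        # that itself starts with "-- " would be mistaken for a header.
        if line.startswith(("--- ", "+++ ")) or line[:1] not in ("+", "-"):
            continue
        body = line[1:]
        if skip in body.lower():  # same filter as `grep -vi libcst`
            continue
        (removed if line[0] == "-" else added)[normalize(body)] += 1
    paired = removed & added  # multiset intersection: equal once masked
    return {
        "suffix_only": sorted(paired.elements()),
        "only_in_a": sorted((removed - paired).elements()),
        "only_in_b": sorted((added - paired).elements()),
    }

if __name__ == "__main__":
    for bucket, symbols in triage(SAMPLE_DIFF).items():
        print(bucket, len(symbols), *symbols, sep="\n  ")
```

Anything reported under only_in_a or only_in_b differs by more than a masked suffix and is where to look next.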

There is indeed an issue with rust/llvm LTO in libCST https://github.com/Instagram/LibCST/pull/1213 - but not sure if this is the only issue here.

bmwiedemann Jan 07 '25 06:01