trofi - All posts

sequoia pgp

2026-02-14T00:00:00Z

TL;DR

If you are a PGP newbie (like me) then consider reading sq user documentation book! It gave me an idea of how to use the sq tool and how PGP concepts map to it. The book also has a “Background” section that I missed so much to get a better grasp of PGP model.

Story mode

I created my first PGP key in 2008:

$ gpg --list-public-keys slyich@gmail.com
pub   dsa1024/0x71A1EE76611FF3AA 2008-10-18 [SC] [revoked: 2018-07-04]
      9929AD151B96AF651958D35871A1EE76611FF3AA
uid                   [ revoked] Sergei Trofimovich 
uid                   [ revoked] Sergei Trofimovich 
uid                   [ revoked] Sergei Trofimovich 
uid                   [ revoked] Sergei Trofimovich 
uid                   [ revoked] Sergei Trofimovich 
uid                   [ revoked] Sergei Trofimovich 

pub   rsa4096/0x44FE231F3F3926E4 2018-07-03 [SC] [expires: 2027-08-18]
      62197C11C7C25A61C448E95644FE231F3F3926E4
uid                   [ultimate] Sergei Trofimovich 
sub   rsa4096/0xBA6C2FC245B4DF2C 2018-07-03 [E] [expires: 2027-08-18]
sub   rsa4096/0xED5E45E06F2AC293 2018-07-03 [S] [expires: 2027-08-18]

You could tell I had no idea how to use it then even by looking at the key! No subkeys, long list of attached identities some of which were stale, I revoked DSA-1024 key years after algorithm was officially declared weak.

Looking back into the mail history I suspect I started using PGP after Mikhail’s suggestion. Mikhail always introduced me to the new fancy things he recently found. Be it SoftICE, Gmail beta, XMPP, Wave, GitHub and infinite list of other things I already forgot.

Fast forward into 2018 Gentoo updated GLEP 63 and started requiring all the devs to have an RSA key, use keys with expiration dates and discourage DSA key usage. This made my 2008 key invalid. I had to generate a new key and picked RSA-4096. I either did not follow an equivalent of modern guide or it did not exist at the time. As a result I got very slow commit signing experience :)

Even 10 years after I started using PGP I had almost no mental model of what a key vs a subkey is. How both relate to private key (or keys?). How does Web of Trust work. How to make sure you don’t export to much to the keyservers. Why editing the expiration date does not change the key itself. All I read at the time was The GNU Privacy Handbook from 1999. From what I understand it was not updated since.

I used gnupg for key management and occasional file decryption. Email clients had a decent PGP UI integration to be easily usable. But many non-tech users were confused to see signature attaches and tried to download and unpack it. I stopped using email signing by default.

I felt that gnupg as a tool was not very user friendly: it has a ton of options and interactive questions that I have no idea how to answer confidently.

Recent Fedora and GPG 2.5 LWN article from 2026 tricked me into looking at Sequoia PGP. Having heard a bit of LibrePGP vs OpenPGP story it made me wonder: would sq tool allow me to get a bit better mental model of basic PGP concepts and ability to introspect keys and messages?

Trying out `sq`

I read sq user documentation and I strongly recommend reading it to get both the idea of PGP basics and sq specifics on how to do trivial things!

Here is what sq has to say about my (private) PGP keys:

$ sq key list
 - Backend softkeys has no keys.

 - 62197C11C7C25A61C448E95644FE231F3F3926E4
   - user IDs:
     - Sergei Trofimovich  (authenticated)
     - Sergei Trofimovich  (UNAUTHENTICATED) revoked
   - created 2018-07-03 08:06:04 UTC
   - will expire 2027-08-18T20:45:35Z
   - usable for signing and decryption
   - @gpg-agent/default: available, locked

   - B6E7C10B37726D7DF059BFE7BA6C2FC245B4DF2C
     - created 2018-07-03 08:06:04 UTC
     - will expire 2027-08-18T20:45:44Z
     - usable for signing and decryption
     - @gpg-agent/default: available, locked
   - FA0D7526A27870BE3842498DED5E45E06F2AC293
     - created 2018-07-03 19:19:15 UTC
     - will expire 2027-08-18T20:46:23Z
     - usable for signing and decryption
     - @gpg-agent/default: available, locked

 - 9929AD151B96AF651958D35871A1EE76611FF3AA
   - user IDs:
     - Sergei Trofimovich  (UNAUTHENTICATED)
     - Sergei Trofimovich  (UNAUTHENTICATED)
     - Sergei Trofimovich  (UNAUTHENTICATED)
     - Sergei Trofimovich  (UNAUTHENTICATED)
     - Sergei Trofimovich  (UNAUTHENTICATED)
     - Sergei Trofimovich  (UNAUTHENTICATED)
   - created 2008-10-18 10:28:05 UTC
   - revoked on 2018-07-04 19:35:27 UTC, Key is superseded: Migrated to new more secure key 62197C11C7C25A61C448E95644FE231F3F3926E4
   - not valid: Policy rejected asymmetric algorithm: DSA1024 is not considered secure since 2014-02-01T00:00:00Z
   - usable for signing
   - @gpg-agent/default: available, locked

   - BD21D77765C9B8A655EAC11B8F20BA89A99E563C
     - created 2008-10-18 10:28:05 UTC
     - usable for decryption
     - @gpg-agent/default: available, locked

This command shown me outright which identities I revoked in my current key and they were wrong! (I fixed it since). If nothing else that was a nice side-effect of trying sq.

I find this verbose output slightly more readable at least as a first-time user. It shows a bit more detail on advertised algorithms in the keys, violated security policies for outdated algorithms.

Other random bits

sq network search allows for a key lookup and gets keys into the cache without any explicit assignment of trustworthiness to them.

sq pki link add and sq pki authenticate allow for a lighter-weight way of tracking the key authenticity locally without the need to export your relation to other IDs.

I’ll not spend too much time here, but the book mentions nice things like implementation bits of WKD and DANE to support PGP infrastructure.

Introspection: `sq introspect` and `sq dump`

sq inspect is a nice tool to explore the PGP keys and PGP messages.

Encrypting the message:

$ sq encrypt --signer-email=slyich@gmail.com --for-email slyich@gmail.com foo --output foo.pgp
Composing a message...

 - encrypted for Sergei Trofimovich  (authenticated)
   - using 62197C11C7C25A61C448E95644FE231F3F3926E4

 - signed by Sergei Trofimovich  (authenticated)
   - using 62197C11C7C25A61C448E95644FE231F3F3926E4

Exploring the content:

$ sq inspect foo.pgp
foo.pgp: Encrypted OpenPGP Message.

      Recipient: BA6C2FC245B4DF2C
        Associated certificate:
          62197C11C7C25A61C448E95644FE231F3F3926E4
          Sergei Trofimovich  (authenticated)

I think the equivalent gpg command is gpg --list-packets:

$ gpg --list-packets foo.pgp
gpg: encrypted with rsa4096 key, ID 0xBA6C2FC245B4DF2C, created 2018-07-03
      "Sergei Trofimovich "



gpg: using "0xED5E45E06F2AC293" as default secret key for signing
# off=0 ctb=c1 tag=1 hlen=3 plen=523 new-ctb
:pubkey enc packet: version 3, algo 1, keyid BA6C2FC245B4DF2C
        data: [4088 bits]
# off=526 ctb=d2 tag=18 hlen=3 plen=729 new-ctb
:encrypted data packet:
        length: 729
        mdc_method: 2
# off=548 ctb=c4 tag=4 hlen=2 plen=13 new-ctb
:onepass_sig packet: keyid 44FE231F3F3926E4
        version 3, sigclass 0x00, digest 10, pubkey 1, last=1
# off=563 ctb=cb tag=11 hlen=2 plen=10 new-ctb
:literal data packet:
        mode b (62), created 0, name="",
        raw data: 4 bytes
# off=575 ctb=c2 tag=2 hlen=3 plen=658 new-ctb
:signature packet: algo 1, keyid 44FE231F3F3926E4
        version 4, created 1771059670, md5len 0, sigclass 0x00
        digest algo 10, begin of digest f2 08
        critical hashed subpkt 2 len 4 (sig created 2026-02-14)
        hashed subpkt 16 len 8 (issuer key ID 44FE231F3F3926E4)
        hashed subpkt 20 len 70 (notation: salt@notations.sequoia-pgp.org=[not human readable])
        hashed subpkt 33 len 21 (issuer fpr v4 62197C11C7C25A61C448E95644FE231F3F3926E4)
        hashed subpkt 35 len 21 (?)
        data: [4096 bits]

It’s a lot more verbose than sq inspect (that’s nice!). But is it obvious what algorithm was used to encrypt the message? One probably needs to know algorithm numbers like algo 1 or digest algo 10.

An sq equivalent would be sq packet invocation:

$ sq packet dump foo.pgp
Public-Key Encrypted Session Key Packet, new CTB, 523 bytes
    Version: 3
    Recipient: BA6C2FC245B4DF2C
    Pk algo: RSA

Sym. Encrypted and Integrity Protected Data Packet, new CTB, 729 bytes
│   Version: 1
│   Session key: 477E1CA59418C21B6D95AB78B129EED8A53888447159D1660232F3EE03E151B9
│   Symmetric algo: AES-256
│   Decryption successful
│
├── One-Pass Signature Packet, new CTB, 13 bytes
│       Version: 3
│       Type: Binary
│       Pk algo: RSA
│       Hash algo: SHA512
│       Issuer: 44FE231F3F3926E4
│       Last: true
│
├── Literal Data Packet, new CTB, 10 bytes
│       Format: Binary data
│       Content: "foo\n"
│
├── Signature Packet, new CTB, 658 bytes
│       Version: 4
│       Type: Binary
│       Pk algo: RSA
│       Hash algo: SHA512
│       Hashed area:
│         Signature creation time: 2026-02-14 09:01:10 UTC (critical)
│         Issuer: 44FE231F3F3926E4
│           Sergei Trofimovich  (authenticated)
│         Notation: salt@notations.sequoia-pgp.org
│           00000000  25 33 44 74 e7 b8 1a 28  1c b1 56 bd f0 02 4e 02
│           00000010  26 fe dd 1f c8 8c ab 11  9d 18 f3 7b bd 39 0c ad
│         Issuer Fingerprint: 62197C11C7C25A61C448E95644FE231F3F3926E4
│           Sergei Trofimovich  (authenticated)
│         Intended Recipient: 62197C11C7C25A61C448E95644FE231F3F3926E4
│       Digest prefix: F208
│       Level: 0 (signature over data)
│
└── Modification Detection Code Packet, new CTB, 20 bytes
        Digest: 1A14AA0FFDCB56E6BD64E005BA088EF591344F8D
        Computed digest: 1A14AA0FFDCB56E6BD64E005BA088EF591344F8D
        Valid: true

Here it’s slightly more obvious that session key was encrypted with RSA, data was encrypted with AES-256 and was signed with SHA-512.

sq key export (private) and sq cert export (public) are a nice complement to sq inspect and sq packet dump to get the idea what’s in the keys.

Parting words

I found sq UI quite usable to rekindle some PGP interest in me. I even managed to fix messed up list of revoked identities on the current key.

I don’t use anything advanced like smart cards to store keys or detached offline certification key and I suspect sq has some limitations there. But at least now I do understand what those things are and how they are useful!

Have fun!

nixpkgs and repology changes

2026-01-25T00:00:00Z

Tl;DR: `nixpkgs` changed the way it exports data to `repology` and many packages need fixing

In nixpkgs/451424 nixpkgs changed substantially how it exports data about available packages. As a result some packages like flare stopped being reported to repology.org correctly. Luckily the fix is to usually use pname / version instead of direct name. Example fix for flare package:

--- a/pkgs/by-name/fl/flare/package.nix
+++ b/pkgs/by-name/fl/flare/package.nix
@@ -6,7 +6,8 @@
 }:

 buildEnv {
-  name = "flare-1.14";
+  pname = "flare";
+  version = "1.14";

   paths = [
     (callPackage ./engine.nix { })

The bug

I happen to maintain nix-olde program. It’s a tool to show you what outdated packages your system has installed. The tool is hacky: both in a way how it looks up what you have installed in the system and in how it maps that information to repology.org database. It errs on the side to not print possibly wrong or missing information.

A few days ago I casually ran nix-olde against my system and got very odd outputs, like:

        repology r:clock "0.7.4" | nixpkgs {"0.8.4"} {"haskellPackages.clock"}
        repology r:digest "0.6.39" | nixpkgs {"0.0.2.1"} {"haskellPackages.digest"}
        repology r:hedgehog "0.2" | nixpkgs {"1.5"} {"haskellPackages.hedgehog"}
        repology r:mmap "0.6-23" | nixpkgs {"0.5.9"} {"haskellPackages.mmap"}
        repology r:warp "0.2.3" | nixpkgs {"3.4.9"} {"haskellPackages.warp"}
        repology r:yaml "2.3.12" | nixpkgs {"0.11.11.2"} {"haskellPackages.yaml"}

Here nix-olde says that it compared R language packages against Haskell language packages and was unhappy about version mismatch. That looked very wrong. Turns out that repology.org changed the way it reports nixpkgs packages for nixpkgs_unstable repository. Before the change repology reported the following package descriptions:

"python:networkx": [
  {
    "repo": "nixpkgs_unstable",
    "srcname": "python310Packages.networkx",
    "visiblenamename": "python3.10-networkx",
    "version": "2.8.6",
    "status": "outdated",
  },
]

After the change it started producing the following output:

"python:networkx": [
  {
    "repo": "nixpkgs_unstable",
    "srcname": "python310Packages.networkx",
    "visiblename": "networkx",
    "version": "2.8.6",
    "status": "outdated",
  },
]

nix-olde used to rely on visiblename: it was conveniently not too specific (did not contain a version) and yet was specific enough to contain package ecosystem prefix. But now visiblename omits ecosystem entirely. This caused all the problematic reports. I fixed it with this commit.

How does `nixpkgs` export data to repology?

repology.org is configured to fetch package lists from nixpkgs here:

- name: nix_unstable
  type: repository
  desc: nixpkgs unstable
  statsgroup: nix
  family: nix
  ruleset: [nix, nix_name]
  color: '7eb2dd'
  minpackages: 120000
  default_maintainer: fallback-mnt-nix@repology
  sources:
    - name: packages-unstable.json
      fetcher:
        class: FileFetcher
        url: https://channels.nixos.org/nixos-unstable/packages.json.br
      parser:
        class: NixJsonParser
        use_pname: true

Note that it was changed very recently to enable use_pname.

nixpkgs on its side generates packages.json.br with an equivalent of this:

NIX_STATE_DIR=$TMPDIR NIX_PATH= nix-instantiate --eval --raw --expr "import $src/pkgs/top-level/packages-info.nix {}" | sed "s|$src/||g" | jq -c > packages.json
brotli -9 < packages.json > packages.json.br

Note that this also changed recently. Before the change the code used to use nix-env:

(
  echo -n '{"version":2,"packages":'
  NIX_STATE_DIR=$TMPDIR NIX_PATH= nix-env -f $src -qa --meta --json --show-trace --arg config 'import ${./packages-config.nix}'
  echo -n '}'
) | sed "s|$src/||g" | jq -c > packages.json
brotli -9 < packages.json > packages.json.br

Is there a difference introduced?

Why does it matter? Conveniently currently only nixpkgs_unstable has the change. Previous releases like nixos-25.11 still use the previous mechanism. Let’s compare the outputs of python3Packages.networkx:

$ curl -L https://channels.nixos.org/nixos-unstable/packages.json.br > unstable-packages.json.br

$ brotli -d  25.11-packages.json.br

$ brotli -d <25.11-packages.json.br | jq '.packages."python313Packages.networkx"|[.name, .pname, .version]'
[
  "python3.13-networkx-3.5",
  "python3.13-networkx",
  "3.5"
]

Here we see that pname changed from python3.13-networkx to networkx. For this package it’s a reasonable change. Let’s look at flare instead:

$ brotli -d


Here the change effectively broke both package name and version reporting
in unstable. As a result flare-rpg is missing an unstable entry on
repology:
nixpkgs stable 23.11	flare	1.14
nixpkgs stable 24.05	flare	1.14
nixpkgs stable 24.11	flare	1.14
nixpkgs stable 25.05	flare	1.14
nixpkgs stable 25.11	flare	1.14
Normally unstable entry looks like
this:
nixpkgs stable 23.11	re2c	3.1
nixpkgs stable 24.05	re2c	3.1
nixpkgs stable 24.11	re2c	3.1
nixpkgs stable 25.05	re2c	4.1
nixpkgs stable 25.11	re2c	4.3.1
nixpkgs unstable	re2c	4.4
Why does it happen?
Before the nixpkgs/451424
change the split from "flare-1.14" down to "flare" "1.14" was done
by nix-env -qa itself! It does not have any advanced heuristics. I
noticed it before when I just started on nix-olde.
For example in
nix/7540 nix splits
"font-adobe-75dpi-1.0.3" in an unexpected way:
$ nix-env -f. -qa --json | fgrep -A9  xorg.fontadobe75dpi
  "xorg.fontadobe75dpi": {
    "name": "font-adobe-75dpi-1.0.3",
    "outputName": "out",
    "outputs": {
      "out": null
    },
    "pname": "font-adobe",
    "system": "x86_64-linux",
    "version": "75dpi-1.0.3"
  },
It’s "font-adobe" "75dpi-1.0.3". But it should have been
"font-adobe-75dpi" "1.0.3" instead!
Normally all 3 name / pname / version come directly from the attributes
of a package:
$ nix repl -f ''

nix-repl> with re2c; [ name pname version ]
[
  "re2c-4.4"
  "re2c"
  "4.4"
]
For some packages not all of them are defined:
nix-repl> with flare; [ name pname version ]
[
  "flare-1.14"
  «error: undefined variable 'pname'»
  «error: undefined variable 'version'»
]
The fix is usually simple: instead of defining name directly use
pname / version split. For example:
--- a/pkgs/by-name/fl/flare/package.nix
+++ b/pkgs/by-name/fl/flare/package.nix
@@ -6,7 +6,8 @@
 }:

 buildEnv {
-  name = "flare-1.14";
+  pname = "flare";
+  version = "1.14";

   paths = [
     (callPackage ./engine.nix { })
How does repology handle such packages?
Does repology do anything special about these "version": "" cases?
repology-updater/repology/parsers/parsers/nix.py handles versions
somewhere here.
It already has to work around cases of wrong version splits:
    for verprefix in ['100dpi', '75dpi']:
        if packagedata['version'].startswith(verprefix):
            pkg.log('dropping "{}", "{}" does not belong to version'.format(packagedata['name'], verprefix), severity=Logger.ERROR)
            skip = True
            break
Otherwise, "version" is extracted
as is:
    pname = packagedata['pname']
    version = packagedata['version']
    # This is temporary solution (see #854) which overrides pname and version with ones
    # (ambigiously) parsed from name. That's what nix currently does (instead of exposing
    # explicitly set pname and version), and we do the same instead of using pname/version
    # provided by them to avoid unexpected change in data when/if they change their logic
    # As soon as they do and changed data is verified, this block may be removed
    match = re.match('(.+?)-([0-9].*)$', packagedata['name'])
    if match is None:
        pkg.log('cannot parse name "{}"'.format(packagedata['name']), severity=Logger.ERROR)
        continue
    elif not self._use_pname:
        pname = match.group(1)
        version = match.group(2)
Thus, _use_pname (enabled in nixpkgs_unstable) effectively disables name version
heuristics.
Are there any more affected packages?
I wondered now many more packages in packages.json that do have
version in pname with a version specified, but lack name form:
$ brotli -d 

Here I filtered only pname that seemingly look like a version. I probably
missed a few complicated cases. But it’s a good first pass. Here are
package examples:
$ brotli -d 

At least flare is in the list. I think most of these require a similar
fix.
Parting words
nixpkgs now exposes slight less mangled data to repology.org for version
comparison. Unfortunately nixpkgs itself is not fully switched to
pname / version everywhere. And thus a small set of data is now lost.
It should be easy to find and to restore those with a fix similar to
flare.
Have fun!



zellij terminal emulator
2025-12-28T00:00:00Z
my tmux setup
I use tmux by default for all my terminal sessions since around 2016
(almost 10 years!): on most days I switch from local desktop keyboard to
a laptop and back to run/debug stuff on my desktop. I usually have 4
sessions: various builders, development session, chat session and
various one-off investigations.
I have a moderate ~/.tmux.conf:
set -ga terminal-overrides ',xterm*:smcup@:rmcup@'

set -sg escape-time 0

set -g mouse on
bind -T root WheelUpPane   if-shell -F -t = "#{alternate_on}" "send-keys -M" "select-pane -t =; copy-mode -e; send-keys -M"
bind -T root WheelDownPane if-shell -F -t = "#{alternate_on}" "send-keys -M" "select-pane -t =; send-keys -M"

set -g @scroll-speed-num-lines-per-scroll 3

# override default
set -g status-right-length 60 # was 40
set -g status-right '#h, %Y-%m-%d %H:%M' # was something like '"#h", #S'

# Start windows and panes at 1, not 0
set -g base-index 1
setw -g pane-base-index 1

# defatul is ~2000
set-option -g history-limit 10000

# Allow title update from within tmux apps
set-option -g set-titles on

# Host-specific overrides
if-shell "[ -e ~/.tmux.conf.local ]" "source-file ~/.tmux.conf.local"

# Extend default variable list of:
#   "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY"
set-option -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY   WAYLAND_DISPLAY SWAYSOCK I3SOCK"

# Join current window into a previous one. Should act as inverse of Ctrl-b !
bind-key j "join-pane -s !"
While a bit wordy it’s not a big or complicated setup. And it already
contains a few hacks like set -sg escape-time 0 to make ESC button
act more responsive. Without it switching modes in vim-like editors
has a perceptible delay. I had to press ESC twice to get something out
of vim instantly.
a tmux hickup
A month ago I casually sshed on my desktop and was not able to access
any of my running tmux sessions:
$ tmux a
open terminal failed: not a terminal
$ tmux
open terminal failed: not a terminal
This happened because tmux updated from 3.5a version to 3.6 and
changed its protocol implementation between server (still ran 3.5a)
and the client (updated to 3.6). The workaround was trivial: run 3.5
client for a while until the machine get scheduled for a reboot.
I debugged it a bit and find out it was an intentional change. I filed
tmux issue #4711 to improve
the error message on tmux side.
From what I understand at least on linux the change that caused the
protocol change was entirely in tmux source code base (around
compat/imsg.h / compat/imsg.c files imported from OpenBSD).
tmux author decided not to improve the error message.
zellij
This event prompted me to wonder what are the other terminal
multiplexers out there.
I tried zellij and am using it for the past month. It’s not a drop-in
replacement for tmux but it gets very close for my use cases. I
collected a few niceties and a few snags below I encountered while using
it.
nice: zellij retains many Ctrl-b tmux-style keys as is
Default zellij configuration is usable as is for a tmux user:
Ctrl-b c opens a new pane (as expected), Ctrl-b , renames a tab and
so on. That makes it very easy to try zellij without any exploration
of config file format.
snag: some keybindings interfere with other applications
zellij uses a few escape-style initial sequences, not just
tmux-style Ctrl-b, but also Ctrl-p (panes), Ctrl-n (resizes),
Ctrl-h (moves), Ctrl-o (session operations) and a bunch of Alt-
ones.
Sometimes these escapes interfere with rich applications like mc,
vifm, vim or helix editors.
On the bright side many of them are very convenient, like Alt-n /
Alt-f to get a short-lived pane.
Status bar always makes it clear that you got into one of zellij
modes. But I had to disable quite a few Ctrl- and Alt--based key
bindings in favor of deeper nested Ctrl-b ones in tmux style.
nice: Ctrl-g to disable all the zellij bindings
Given the above zellij has a nice Ctrl-g kill-switch to turn all
bindings off (except Ctrl-g itself).
nice: scrollback buffer editing
When in the scrollback scrolling mode (Ctrl-b [ intmux) I sometimes
want to save part of the log (or all the contents) into a file. In zellij
it’s right there at e key: it opens default editor with full contents.
nice: fast scrolling on copy/paste from the scrollback
Very occasionally I want to copy 100-200 lines of a scrollback and paste
it into the browser. I usually use the mouse and in tmux it was very
slow for me. I did not always succeed on a ChromeOS terminal.
nice: modern features
I noticed that many features like link uderscores and tooltip pop-ups
work inzellij without any configuration just like they work in a host
terminal. tmux does not advertise some of them.
snag: CPU / RAM usage is high
zellij can use quite a bit of CPU (and RAM) if the program pipes
out a lot of text. For example cat -v /dev/zero command will use
135% CPU on my system with quite a bit of RAM usage (I Ctrl-Ced
at 15GiB).
It’s not as bad on more typical multiline workloads.
There is an existing report
to get it slightly better.
snag: a banner in the status line
zellij keeps its verbatim name in status bar as an advertisement bit.
Which takes away 10 bytes from the status bar
(the report).
In theory it’s a one-liner change. But patching it out is not very
convenient as zellij implements plugins as wasm binaries and ships
the status bar as precompiled .wasm file. I did not manage to rebuild
it locally yet.
snag: no tmux-style mouse drag support
I liked how tmux allows you to resize panes just by dragging them.
zellij did not implement it yet (the report).
Ctrl-n and arrow keys would have to do for now.
snag: no environment variable clobber support
tmux has a nice variable clobbering feature when DISPLAY,
SSH_AUTH_SOCK and a few other variables are updated with variable
values of the most recent attached client. As a result ssh-agent,
X11 sessions and other things Just Work in newly opened panes.
zellij does not have the feature yet
(the report’
snag: no support for editing keys in tab editor
In tmux when renaming a tab you can use things like Ctrl-w to delete
existing word. zellij dumps a [119;5u escape.
parting words
When I started using zellij I got a lot more than I expected:

friendly UI that tells you what modes are there and which one is active
nice and short configuration file format
modern terminal features support (URL underscores, tooltips)
mostly compatible with tmux key bindings
intuitive text selection in the scrollback

But it has quite a few snags as well:

banner in the status line
no environment variable clobber support
default config needs some tweaking to be more usable:

disable hello pop-up (show_startup_tips false)
disable key bindings that clash with helix editor
disable pane frames by default (pane_frames false)
disable session serialization (session_serialization false)


So far zellij is a nice alternative to tmux for me.
Have fun!


AoC of 2025
2025-12-17T00:00:00Z
This time I managed to finish all AoC challenges within a week of
problems being published.
My solutions: https://github.com/trofi/AoC/tree/main/2025.
First 9 problems I managed to do in a day they were published. But the
10th one was tough.
As usual I tried to solve the problems within 24 hours of publish
time and get the source code under 4K. I used rust again. I did not
use any external crates.
This time I also attempted to handle errors in a more graceful way to
avoid .unwrap() / .expect("") calls. I found a few nice patterns
like collecting into Result>:
$ evcxr

>> #[derive(Debug)] struct E{}

>> [Ok(1),Ok(3),Ok(5)].into_iter().collect::, E>>()
Ok([1, 3, 5])
Or reducing Result values:
>> [Ok(1),Ok(3),Ok(5)].into_iter().sum::>()
Ok(9)
I felt I did a bit too much .map_err() conversions to capture more into
error context. I also relied on Debug instances instead of Display
as I allowed main() to return by error type outside main(). There
probably are better mechanisms to achieve the same. But otherwise error
propagation is quite pleasant in rust.
Funniest problems
No pencil-and-paper problems this time. All required a program to write.
I did solve a few examples from Day 10 by hand to explore it a bit
better. A few of the problems had very interesting problem statement:

Day 8: Playground is a nice
concise definition of a large input graph.
Day 10: Factory tricked me
into searching for a brute force solution. After failing that I managed
to see a nice system of equations and a function to minimize.
I did not solve the minimization part nicely, but I liked the equation
solver.

It felt like first few problems had very gnarly corner cases to handle.
I was afraid the problem complexity will really go up. But it was just
about right for me.
Have fun!


Zero Hydra Failures towards 25.11 NixOS release
2025-11-03T00:00:00Z
It is November again! The usual plan is to have a NixOS-.25.11 release
on 30th (full schedule).
Yesterday the schedule got to
ZHF phase where no
major changes are accepted to master branch and the focus is on fixing
build failures
It’s a good time to fix easy build failures or remove long broken
packages. https://github.com/NixOS/nixpkgs/issues/457852 contains
detailed step-by-step to identify interesting packages.
This year nixpkgs has especially large list of failures to sort out.
It feels like most build failures are either cmake-4 or qt-6.10
related.
an example package fix
Let’s try to fix a single package for ZHF. I’ll pick the
diskscan. It’s build log
is typical of cmake-4 failure:
...
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

  Update the VERSION argument  value.  Or, use the ... syntax
  to tell CMake that the project requires at least  but has been updated
  to work with policies introduced by  or earlier.

  Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
I know little to nothing about cmake. But this failure is the result
of cmake dropping support for pre-cmake-3.5 behavior. Chances are
upstream already fixed the problem and we can use the patch as is.
Let’s find the source repository by inspecting the package’s definition:
$ EDITOR=cat nix edit -f '' diskscan
{
  lib,
  stdenv,
  fetchFromGitHub,
  cmake,
  ncurses,
  zlib,
}:

stdenv.mkDerivation rec {
  pname = "diskscan";
  version = "0.21";

  src = fetchFromGitHub {
    owner = "baruch";
    repo = "diskscan";
    rev = version;
    sha256 = "sha256-2y1ncPg9OKxqImBN5O5kXrTsuwZ/Cg/8exS7lWyZY1c=";
  };

  buildInputs = [
    ncurses
    zlib
  ];

  nativeBuildInputs = [ cmake ];

  meta = with lib; {
    homepage = "https://github.com/baruch/diskscan";
    description = "Scan HDD/SSD for failed and near failed sectors";
    platforms = with platforms; linux;
    maintainers = with maintainers; [ peterhoeg ];
    license = licenses.gpl3;
    mainProgram = "diskscan";
  };
}
Easy! https://github.com/baruch/diskscan displayed nothing related to
cmake-4 fix. Let’s write one! Trying to reproduce the failure locally
against upstream master branch:
$ git clone https://github.com/baruch/diskscan
$ cd diskscan

$ nix build --impure --expr 'with import  {}; diskscan.overrideAttrs (oa: { src = builtins.fetchGit ./.; })' -L
...
diskscan> CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
diskscan>   Compatibility with CMake < 3.5 has been removed from CMake.
Yay! Same failure! For this particular case the fix is trivial:
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.0.2)
+cmake_minimum_required(VERSION 3.10)
 project(diskscan
         VERSION 0.19)

Testing the fix:
$ nix build --impure --expr 'with import  {}; diskscan.overrideAttrs (oa: { src = builtins.fetchGit ./.; })' -L
warning: Git tree '/tmp/diskscan' is dirty
# done!

$ find result/
result/
result/bin
result/bin/diskscan
result/share
result/share/man
result/share/man/man1
result/share/man/man1/diskscan.1.gz
You can run the result and see if it does what’s expected. I proposed
this trivial fix upstream as PR#77.
Now we can use that to craft the nixpkgs fix! Let’s check if the bug
is still there:
$ git clone https://github.com/NixOS/nixpkgs
$ cd nixpkgs

$ nix build -f. diskscan -L
...
diskscan> CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
diskscan>   Compatibility with CMake < 3.5 has been removed from CMake.
Still there. Crafting the patch against nixpkgs:
--- a/pkgs/by-name/di/diskscan/package.nix
+++ b/pkgs/by-name/di/diskscan/package.nix
@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   cmake,
   ncurses,
   zlib,
@@ -18,6 +19,16 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-2y1ncPg9OKxqImBN5O5kXrTsuwZ/Cg/8exS7lWyZY1c=";
   };

+  patches = [
+    # cmake-4 support:
+    #   https://github.com/baruch/diskscan/pull/77
+    (fetchpatch {
+      name = "cmake-4.patch";
+      url = "https://github.com/baruch/diskscan/commit/6e342469dcab32be7a33109a4d394141d5c905b5.patch?full_index=1";
+      hash = "sha256-05ctYPmGWTJRUc4aN35fvb0ITwIZlQdIweH7tSQ0RjA=";
+    })
+  ];
+
   buildInputs = [
     ncurses
     zlib
And testing the build:
$ nix build -f. diskscan -L
...

$ find result/
result/
result/bin
result/bin/diskscan
result/share
result/share/man
result/share/man/man1
result/share/man/man1/diskscan.1.gz
All good! Proposed the fix as
PR#458258.
parting words
If you are thinking to contribute to nixpkgs and never did ZHF is a
good time to start!
cmake-4 set of failures has it’s own seemingly infinite list of
failures waiting to be
fixed just like the example above.
Have fun!


AoC of 2024
2025-11-01T00:00:00Z
Almost a year later I finally finished AoC 2024:
https://adventofcode.com/2024.
My solutions: https://github.com/trofi/AoC/tree/main/2024.
Similar to last year I managed to solve most of problem within a day of
them being published with a single exception of
problem 21. That one took me
most of 2025 :)
As usual problems were appearing once a day at 5AM from Dec 1 to Dec 25.
Nowadays I get up at 6 AM. Sometimes I had a chance to at least read the
problem descriptions in the morning and try to solve in the evening.
My personal goal was to solve the problems within 24 hours of publish
time and get the source code under 4K. I failed it in a few problems.
Again, I used rust. I tried not to use external crates but I started
using cargo and workspaces to make rust-analyzer and cargo run
to Just Work in the source directory. I enabled cargo very late once
I got stuck on problem 21.
Funniest problems
Most of the problems felt slightly easier than last year’s ones (where
I did not get past problem 21).
Again, there are no miracles in the solutions I did. If they ran in a
few seconds time I did not do much to tune them. But some of them
required a pencil and paper style solution. Those were great!
Here is my list of fun problems I remembered:

Day 3: Mull It Over:
slightly unusual problem where I had the chance to use
re2c lexer generator.
Day 12: Garden Groups:
while being one of the typical graph traversal problems I liked
how part 2 could be solved entirely with primitives built from part 1.
Day 17: Chronospatial Computer:
an opportunity to write a CPU emulator! I could not resist. Part 2
required me a bit of pencil and paper.
Day 20: Race Condition:
it’s a nice form of finding shortest path in the maze with a warp
twist.
Day 21: Keypad Conundrum:
a simple “control the robot with a keypad” problem. Part 2 has a great
twist.
Day 24: Crossed Wires:
part 2is a deceptively simple problem description that I found easier
to solve by staring into graphviz output.

Looks like this year we had even more graph traversal problems. Quick
grep for visited says it is 8.
Have fun!


profiling binutils linkers in nixpkgs
2025-10-11T00:00:00Z
background
I’ve been using binutils-2.45 against local nixpkgs checkout for a
while to weed out minor problems in other packages. So far I encountered
my old friend
guile over-stripping issue.
GNU gold linker was
deprecated
in binutils upstream as it does not have developer
power behind it. While bfd linker (the default) gets maintenance
attention. binutils-2.45 intentionally does not have gold source
distributed with it to nudge users off gold.
To fix rare nixpkgs package build failures that rely on ld.gold I
trivially replaced all the links to ld.bfd locally and built my system.
No major problems found.
an ld.gold removal obstacle
In a recent discussion thread
the question was raised if/how nixpkgs could switch to gold-less
binutils. One of the interesting points of the thread is that ld.bfd
is occasionally ~3x times slower than ld.gold
on files that already take multiple seconds to link with ld.gold.
For me it was quite a surprise as ld.bfd does
get speedup improvements
time to time. Thus, I suspected it should be some kind of a serious bug
on ld.bfd side.
I wondered if I could reproduce such a big performance
drop and if I could find a low hanging fix. Or at least report a bug to
binutils upstream.
I used the same pandoc nixpkgs package to do the linker testing. It’s
a nice example as it builds only 4 small haskell source files and
links in a huge amount of static haskell libraries. A perfect linker
load test. Preparing the baseline:
# pulling in already built package into cache
$ nix build --no-link -f. pandoc
# pulling in all the build dependencies into cache
$ nix build --no-link -f. pandoc --rebuild

# timing the build:
$ time nix build --no-link -f. pandoc --rebuild
error: derivation '/nix/store/az6dbzm341jc7n4sw7w0ifspxgsm4093-pandoc-cli-3.7.0.2.drv' may not be deterministic: output '/nix/store/znmj21k8nrqc3hcax6yfy446g8bgk7z3-pandoc-cli-3.7.0.2' differs

real    0m12,850s
user    0m0,719s
sys     0m0,105s
Do not mind that determinism error. I got about 13 seconds of the
package build time. Seems to match the original timing. Then I tried
ld.bfd by passing extra --ghc-option=-optl-fuse-ld=bfd option to
./Setup configure:
$ time nix build --impure --expr 'with import  {};
    pandoc.overrideAttrs (oa: {
        configureFlags = oa.configureFlags ++ ["--ghc-option=-optl-fuse-ld=bfd"];})'
...
real    0m37,391s
user    0m0,691s
sys     0m0,120s
37 seconds! At least 3x slowdown. I was glad to see such a simple
reproducer.
linker performance profiles
I dropped into a development shell to explore individual ld commands:
$ nix develop --impure --expr 'with import  {};
    pandoc.overrideAttrs (oa: {
        configureFlags = oa.configureFlags ++ ["--ghc-option=-optl-fuse-ld=bfd" ];})'
$$ genericBuild
...
[4 of 4] Linking dist/build/pandoc/pandoc
^C

$$ # ready for interactive exploration
I ran the ./Setup build -v to extract exact ghc --make ... invocation:
$$ ./Setup build -v
...
Linking...
Running: <>-ghc-9.10.3/bin/ghc --make -fbuilding-cabal-package -O -split-sections -static -outputdir dist/build/pandoc/pandoc-tmp -odir dist/build/pandoc/pandoc-tmp ...
And ran ld.bfd under perf:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... '-optl-fuse-ld=bfd' -fforce-recomp
Then I built the flamegraph picture:
$ perf script > out.perf
$ perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded
$ perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > bfd.svg

You can click on the pictures and explore it interactively.
Does it look fine to you? Anything odd?
We already see a tiny hint: _bfd_elf_gc_mark() takes suspiciously large
amount of space on the picture.
Let’s build the same picture for gold using -optl-fuse-ld=gold option:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... '-optl-fuse-ld=gold' -fforce-recomp
$ perf script > out.perf
$ perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded
$ perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > gold.svg

The profile looks more balanced. The staircase around sorting looks
peculiar. Most of the time is spent
on section sorting in gold::Output_section::sort_attached_input_sections.
It’s also a great hint: how many sections should there be so that sorting
alone would take 25% of the link time?
section count
Where do these numerous sections come from?
nixpkgs enables -split-sections
by default on linux which uses ghc -fsplit-sections.
Those are very close in spirit to gcc -ffunction-sections
feature. Both place each function in a separate ELF section assuming
that the user will use -Wl,--gc-sections linker option to
garbage-collect unreferenced sections in the final executable to make
binaries smaller.
So how many sections do you normally expect per object file?
In C (with -ffunction-sections) I would expect section count to
be close to function count in the source
file. Some optimization passes duplicate (clone) or inline functions,
but the expansion should not be too large (famous last words). Hopefully
not 100x, but closer to 1.5x maybe? C++ might be trickier to
reason about.
In haskell it’s a lot more complicated: lazy evaluation model creates
numerous smaller functions out of one source function, cross-module
aggressive inlining brings in many expressions.
Here is an example of a one liner compilation and it’s section count:
-- # cat Main.hs
main = print "hello"
Quiz question: how many sections do you expect to see for this source
file after ghc -c Main.hs?
Building and checking unsplit form first:
$ ghc -c Main.hs -fforce-recomp

$ size Main.o
   text    data     bss     dec     hex filename
    378     304       0     682     2aa Main.o

$ readelf -SW Main.o
There are 13 section headers, starting at offset 0xb50:

Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        0000000000000000 000040 00013a 00  AX  0   0  8
  [ 2] .rela.text        RELA            0000000000000000 000708 0001c8 18   I 10   1  8
  [ 3] .data             PROGBITS        0000000000000000 000180 000130 00  WA  0   0  8
  [ 4] .rela.data        RELA            0000000000000000 0008d0 000210 18   I 10   3  8
  [ 5] .bss              NOBITS          0000000000000000 0002b0 000000 00  WA  0   0  1
  [ 6] .rodata.str       PROGBITS        0000000000000000 0002b0 000010 01 AMS  0   0  1
  [ 7] .note.GNU-stack   PROGBITS        0000000000000000 0002c0 000000 00      0   0  1
  [ 8] .comment          PROGBITS        0000000000000000 0002c0 00000c 01  MS  0   0  1
  [ 9] .note.gnu.property NOTE            0000000000000000 0002d0 000030 00   A  0   0  8
  [10] .symtab           SYMTAB          0000000000000000 000300 000228 18     11   5  8
  [11] .strtab           STRTAB          0000000000000000 000528 0001dd 00      0   0  1
  [12] .shstrtab         STRTAB          0000000000000000 000ae0 00006e 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  D (mbind), l (large), p (processor specific)
378 bytes of code, 12 sections. 6 of them are relevant: .text, .rela.text,
.data, .rela.data, .rodata.str. All very close to a typical C program.
Now let’s throw in -fsplit-sections.
Quiz question: guess how many more sections there will be? 0? 1? 10? 100? 1000?
$ ghc -c Main.hs -fforce-recomp -fsplit-sections

$ size Main.o
   text    data     bss     dec     hex filename
    365     304       0     669     29d Main.o

$ readelf -SW Main.o
There are 39 section headers, starting at offset 0xd90:

Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        0000000000000000 000040 000000 00  AX  0   0  1
  [ 2] .data             PROGBITS        0000000000000000 000040 000000 00  WA  0   0  1
  [ 3] .bss              NOBITS          0000000000000000 000040 000000 00  WA  0   0  1
  [ 4] .rodata.str..LrKs_bytes PROGBITS        0000000000000000 000040 000005 01 AMS  0   0  1
  [ 5] .rodata.str..LrKq_bytes PROGBITS        0000000000000000 000045 000005 01 AMS  0   0  1
  [ 6] .rodata.str.cKA_str PROGBITS        0000000000000000 00004a 000006 01 AMS  0   0  1
  [ 7] .data..LsKw_closure PROGBITS        0000000000000000 000050 000028 00  WA  0   0  8
  [ 8] .rela.data..LsKw_closure RELA            0000000000000000 0007c8 000030 18   I 36   7  8
  [ 9] .data..LuKL_srt   PROGBITS        0000000000000000 000078 000020 00  WA  0   0  8
  [10] .rela.data..LuKL_srt RELA            0000000000000000 0007f8 000048 18   I 36   9  8
  [11] .text..LsKu_info  PROGBITS        0000000000000000 000098 000062 00  AX  0   0  8
  [12] .rela.text..LsKu_info RELA            0000000000000000 000840 000090 18   I 36  11  8
  [13] .data..LsKu_closure PROGBITS        0000000000000000 000100 000020 00  WA  0   0  8
  [14] .rela.data..LsKu_closure RELA            0000000000000000 0008d0 000018 18   I 36  13  8
  [15] .data..LuL2_srt   PROGBITS        0000000000000000 000120 000028 00  WA  0   0  8
  [16] .rela.data..LuL2_srt RELA            0000000000000000 0008e8 000060 18   I 36  15  8
  [17] .text.Main_main_info PROGBITS        0000000000000000 000148 000069 00  AX  0   0  8
  [18] .rela.text.Main_main_info RELA            0000000000000000 000948 0000a8 18   I 36  17  8
  [19] .data.Main_main_closure PROGBITS        0000000000000000 0001b8 000020 00  WA  0   0  8
  [20] .rela.data.Main_main_closure RELA            0000000000000000 0009f0 000018 18   I 36  19  8
  [21] .data..LuLj_srt   PROGBITS        0000000000000000 0001d8 000020 00  WA  0   0  8
  [22] .rela.data..LuLj_srt RELA            0000000000000000 000a08 000048 18   I 36  21  8
  [23] .text.ZCMain_main_info PROGBITS        0000000000000000 0001f8 000062 00  AX  0   0  8
  [24] .rela.text.ZCMain_main_info RELA            0000000000000000 000a50 000090 18   I 36  23  8
  [25] .data.ZCMain_main_closure PROGBITS        0000000000000000 000260 000020 00  WA  0   0  8
  [26] .rela.data.ZCMain_main_closure RELA            0000000000000000 000ae0 000018 18   I 36  25  8
  [27] .data..LrKr_closure PROGBITS        0000000000000000 000280 000010 00  WA  0   0  8
  [28] .rela.data..LrKr_closure RELA            0000000000000000 000af8 000030 18   I 36  27  8
  [29] .data..LrKt_closure PROGBITS        0000000000000000 000290 000010 00  WA  0   0  8
  [30] .rela.data..LrKt_closure RELA            0000000000000000 000b28 000030 18   I 36  29  8
  [31] .data.Main_zdtrModule_closure PROGBITS        0000000000000000 0002a0 000020 00  WA  0   0  8
  [32] .rela.data.Main_zdtrModule_closure RELA            0000000000000000 000b58 000048 18   I 36  31  8
  [33] .note.GNU-stack   PROGBITS        0000000000000000 0002c0 000000 00      0   0  1
  [34] .comment          PROGBITS        0000000000000000 0002c0 00000c 01  MS  0   0  1
  [35] .note.gnu.property NOTE            0000000000000000 0002d0 000030 00   A  0   0  8
  [36] .symtab           SYMTAB          0000000000000000 000300 0002e8 18     37  13  8
  [37] .strtab           STRTAB          0000000000000000 0005e8 0001dd 00      0   0  1
  [38] .shstrtab         STRTAB          0000000000000000 000ba0 0001ea 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  D (mbind), l (large), p (processor specific)
38 sections! If we ignore 6 irrelevant sections it’s 32 relevant sections
compared to 6 relevant sections before.
Our actual main top-level function itself is hiding in .*Main_main.*
sections. You will notices a lot of them. And on top of that whatever ghc
managed to “float-out” outside the function.
This is unoptimized code. If we throw in -O2 we will get this:
$ ghc -c Main.hs -fforce-recomp -fsplit-sections -O2

$ size Main.o
   text    data     bss     dec     hex filename
    306     304       0     610     262 Main.o

$ readelf -SW Main.o
There are 45 section headers, starting at offset 0x10d0:

Section Headers:
  [Nr] Name              Type            Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            0000000000000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        0000000000000000 000040 000000 00  AX  0   0  1
  [ 2] .data             PROGBITS        0000000000000000 000040 000000 00  WA  0   0  1
  [ 3] .bss              NOBITS          0000000000000000 000040 000000 00  WA  0   0  1
  [ 4] .rodata.str.Main_zdtrModule2_bytes PROGBITS        0000000000000000 000040 000005 01 AMS  0   0  1
  [ 5] .rodata.str.Main_zdtrModule4_bytes PROGBITS        0000000000000000 000045 000005 01 AMS  0   0  1
  [ 6] .rodata.str.Main_main5_bytes PROGBITS        0000000000000000 00004a 000006 01 AMS  0   0  1
  [ 7] .data.Main_main4_closure PROGBITS        0000000000000000 000050 000028 00  WA  0   0  8
  [ 8] .rela.data.Main_main4_closure RELA            0000000000000000 000a60 000030 18   I 42   7  8
  [ 9] .data..Lu1AB_srt  PROGBITS        0000000000000000 000078 000020 00  WA  0   0  8
  [10] .rela.data..Lu1AB_srt RELA            0000000000000000 000a90 000048 18   I 42   9  8
  [11] .text.Main_main3_info PROGBITS        0000000000000000 000098 000062 00  AX  0   0  8
  [12] .rela.text.Main_main3_info RELA            0000000000000000 000ad8 000090 18   I 42  11  8
  [13] .data.Main_main3_closure PROGBITS        0000000000000000 000100 000020 00  WA  0   0  8
  [14] .rela.data.Main_main3_closure RELA            0000000000000000 000b68 000018 18   I 42  13  8
  [15] .data.Main_main2_closure PROGBITS        0000000000000000 000120 000020 00  WA  0   0  8
  [16] .rela.data.Main_main2_closure RELA            0000000000000000 000b80 000048 18   I 42  15  8
  [17] .text.Main_main1_info PROGBITS        0000000000000000 000140 000032 00  AX  0   0  8
  [18] .rela.text.Main_main1_info RELA            0000000000000000 000bc8 000060 18   I 42  17  8
  [19] .data.Main_main1_closure PROGBITS        0000000000000000 000178 000028 00  WA  0   0  8
  [20] .rela.data.Main_main1_closure RELA            0000000000000000 000c28 000060 18   I 42  19  8
  [21] .text.Main_main_info PROGBITS        0000000000000000 0001a0 00001d 00  AX  0   0  8
  [22] .rela.text.Main_main_info RELA            0000000000000000 000c88 000030 18   I 42  21  8
  [23] .data.Main_main_closure PROGBITS        0000000000000000 0001c0 000010 00  WA  0   0  8
  [24] .rela.data.Main_main_closure RELA            0000000000000000 000cb8 000018 18   I 42  23  8
  [25] .text.Main_main6_info PROGBITS        0000000000000000 0001d0 000024 00  AX  0   0  8
  [26] .rela.text.Main_main6_info RELA            0000000000000000 000cd0 000030 18   I 42  25  8
  [27] .data.Main_main6_closure PROGBITS        0000000000000000 0001f8 000020 00  WA  0   0  8
  [28] .rela.data.Main_main6_closure RELA            0000000000000000 000d00 000048 18   I 42  27  8
  [29] .text.ZCMain_main_info PROGBITS        0000000000000000 000218 00001d 00  AX  0   0  8
  [30] .rela.text.ZCMain_main_info RELA            0000000000000000 000d48 000030 18   I 42  29  8
  [31] .data.ZCMain_main_closure PROGBITS        0000000000000000 000238 000010 00  WA  0   0  8
  [32] .rela.data.ZCMain_main_closure RELA            0000000000000000 000d78 000018 18   I 42  31  8
  [33] .data.Main_zdtrModule3_closure PROGBITS        0000000000000000 000248 000010 00  WA  0   0  8
  [34] .rela.data.Main_zdtrModule3_closure RELA            0000000000000000 000d90 000030 18   I 42  33  8
  [35] .data.Main_zdtrModule1_closure PROGBITS        0000000000000000 000258 000010 00  WA  0   0  8
  [36] .rela.data.Main_zdtrModule1_closure RELA            0000000000000000 000dc0 000030 18   I 42  35  8
  [37] .data.Main_zdtrModule_closure PROGBITS        0000000000000000 000268 000020 00  WA  0   0  8
  [38] .rela.data.Main_zdtrModule_closure RELA            0000000000000000 000df0 000048 18   I 42  37  8
  [39] .note.GNU-stack   PROGBITS        0000000000000000 000288 000000 00      0   0  1
  [40] .comment          PROGBITS        0000000000000000 000288 00000c 01  MS  0   0  1
  [41] .note.gnu.property NOTE            0000000000000000 000298 000030 00   A  0   0  8
  [42] .symtab           SYMTAB          0000000000000000 0002c8 000378 18     43   2  8
  [43] .strtab           STRTAB          0000000000000000 000640 00041a 00      0   0  1
  [44] .shstrtab         STRTAB          0000000000000000 000e38 000295 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  D (mbind), l (large), p (processor specific)
44 sections! A Lot.
Back to our pandoc binary. It just calls into libHSpandoc.a library
(nixpkgs uses static linking for haskell bits today). Linker would
have to wade through all it’s sections to pick only used things.
Quiz question: guess how many sections does pandoc library have?
100? 1000? 10000? A million? What is your guess?
Let’s count! On my system pandoc library happens to hide at
<>-pandoc-3.7.0.2/lib/ghc-9.10.3/lib/x86_64-linux-ghc-9.10.3-2870/pandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs/libHSpandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs.a.
I’ll just use that ugly path.
# dumping section count per individual object file in the archive:
$ readelf -h <>-pandoc-3.7.0.2/lib/ghc-9.10.3/lib/x86_64-linux-ghc-9.10.3-2870/pandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs/libHSpandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs.a |
    grep 'Number of section'
  Number of section headers:         18
  ...
  Number of section headers:         26207
  Number of section headers:         16755
  ...
  Number of section headers:         8898
  ..
  Number of section headers:         1047
  Number of section headers:         1324
  ...
  Number of section headers:         687
  Number of section headers:         228

# summing up all section counts:
$ readelf -h <>-pandoc-3.7.0.2/lib/ghc-9.10.3/lib/x86_64-linux-ghc-9.10.3-2870/pandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs/libHSpandoc-3.7.0.2-Af80LA3Iq30D5LRTMZUszs.a |
    grep 'Number of section' | awk '{ size += $5 } END { print size }'
494450
494 thousands sections! Almost half a million sections. And it’s just
one (largest) of many pandoc dependencies. That’s why ld.gold takes
a considerable amount of time to just sort through all these sections.
performance hog clues
ld.bfd has even harder time getting through such a big list of sections.
But why exactly? The names
of _bfd_elf_gc_mark / _bfd_elf_gc_mark_reloc functions in the profiles
hint that they track unreferenced sections.
To trigger section garbage collection
ghc uses -Wl,--gc-sections
linker option.
Note that ghc only enables garbage collection for GNU ld (I think
both ld.gold and ld.bfd count as GNU). lld and mold
both support -Wl,--gc-sections option as well.
If we look at the implementation
of _bfd_elf_gc_mark we see a suspicious
list traversal
and some recursive descend:
bool
_bfd_elf_gc_mark_reloc (struct bfd_link_info *info,
                        asection *sec,
                        elf_gc_mark_hook_fn gc_mark_hook,
                        struct elf_reloc_cookie *cookie)
{
  asection *rsec;
  bool start_stop = false;

  rsec = _bfd_elf_gc_mark_rsec (info, sec, gc_mark_hook, cookie, &start_stop);
  while (rsec != NULL)
    {
      if (!rsec->gc_mark)
        {
          if (bfd_get_flavour (rsec->owner) != bfd_target_elf_flavour
              || (rsec->owner->flags & DYNAMIC) != 0)
            rsec->gc_mark = 1;
          else if (!_bfd_elf_gc_mark (info, rsec, gc_mark_hook))
            return false;
        }
      if (!start_stop)
        break;
      rsec = bfd_get_next_section_by_name (rsec->owner, rsec);
    }
  return true;
}
If we do such marking for each section it probably has quadratic complexity.
But maybe not. To get something simpler to explore I tried to craft a
trivial example of 1 million sections:
$ for (( i=0; i<1000000; i++ )); do printf "int var_$i __attribute__ ((section (\".data.$i\"))) = { $i };\n"; done > main.c; printf "int main() {}" >> main.c; gcc -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd; echo "gold:"; time gcc main.o -o main -fuse-ld=gold
bfd:

real    0m6,123s
user    0m5,384s
sys     0m0,701s
gold:

real    0m1,107s
user    0m0,844s
sys     0m0,242s
This test generates the following boilerplate code:
// $ head -n 5 main.c
int var_0 __attribute__ ((section (".data.0"))) = { 0 };
int var_1 __attribute__ ((section (".data.1"))) = { 1 };
int var_2 __attribute__ ((section (".data.2"))) = { 2 };
int var_3 __attribute__ ((section (".data.3"))) = { 3 };
int var_4 __attribute__ ((section (".data.4"))) = { 4 };
// ...
// $ tail -n 5 main.c
int var_999996 __attribute__ ((section (".data.999996"))) = { 999996 };
int var_999997 __attribute__ ((section (".data.999997"))) = { 999997 };
int var_999998 __attribute__ ((section (".data.999998"))) = { 999998 };
int var_999999 __attribute__ ((section (".data.999999"))) = { 999999 };
int main() {}
We are seeing 6x time difference between linkers. Could it be our case?
Let’s check with perf if we hit the same hot paths as in pandoc case:
$ perf record -g gcc main.o -o main -fuse-ld=bfd
$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > try1.svg

The profile looks not too bad: no large .*_gc_.* bits seen anywhere.
Not exactly our problem then. Let’s try to add more references across
sections to see if we start seeing the symbol traversals:
$ printf "int var_0 __attribute__ ((section (\".data.0\"))) = { $i };\n" > main.c; for (( i=1; i<1000000; i++ )); do printf "void * var_$i __attribute__ ((section (\".data.$i\"))) = { &var_$((i-1)) };\n"; done >> main.c; printf "int main() { return (long)var_99999; }" >> main.c; gcc -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections -Wl,--no-as-needed; echo "gold:"; time gcc main.o -o main -fuse-ld=gold -Wl,--gc-sections -Wl,--no-as-needed
gcc: internal compiler error: Segmentation fault signal terminated program cc1
Please submit a full bug report, with preprocessed source (by using -freport-bug).
See  for instructions.
Whoops, crashed gcc. Filed PR122198.
It’s a stack overflow. Throwing more stack at the problem with ulimit -s unlimited:
$ printf "int var_0 __attribute__ ((section (\".data.0\"))) = { $i };\n" > main.c; for (( i=1; i<1000000; i++ )); do printf "void * var_$i __attribute__ ((section (\".data.$i\"))) = { &var_$((i-1)) };\n"; done >> main.c; printf "int main() { return (long)var_99999; }" >> main.c; gcc -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections -Wl,--no-as-needed; echo "gold:"; time gcc main.o -o main -fuse-ld=gold -Wl,--gc-sections -Wl,--no-as-needed
bfd:

real    0m5.296s
user    0m4.572s
sys     0m0.714s
gold:

real    0m1.172s
user    0m0.874s
sys     0m0.295s
This test generates slightly different form:
// $ head -n 5 main.c
int var_0 __attribute__ ((section (".data.0"))) = { 1000000 };
void * var_1 __attribute__ ((section (".data.1"))) = { &var_0 };
void * var_2 __attribute__ ((section (".data.2"))) = { &var_1 };
void * var_3 __attribute__ ((section (".data.3"))) = { &var_2 };
void * var_4 __attribute__ ((section (".data.4"))) = { &var_3 };
// ...
// $ tail -n 5 main.c
void * var_999996 __attribute__ ((section (".data.999996"))) = { &var_999995 };
void * var_999997 __attribute__ ((section (".data.999997"))) = { &var_999996 };
void * var_999998 __attribute__ ((section (".data.999998"))) = { &var_999997 };
void * var_999999 __attribute__ ((section (".data.999999"))) = { &var_999998 };
int main() { return (long)var_99999; }
The main difference compared to the previous attempt is that sections are used
and can’t be removed by section garbage collector. Is this profile closer to
pandoc case? Looking at the trace:
$ perf record -g gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections -Wl,--no-as-needed
$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > try2.svg

It’s not too close to pandoc case, but the huge vertical thing on the
left is a good sign that we at least start hitting the gc traversal
code. Now we need to increase its presence somehow.
Perhaps it’s more symbols per section? I tried to simulate code
references instead of data references and see what happens:
$ printf "int f_0() __attribute__ ((section (\".text.0\"))); int f_0() { return 0; };\n" > main.c; for (( i=1; i<20000; i++ )); do printf "int f_$i() __attribute__ ((section (\".text.$i\"))); int f_$i() { return f_$((i-1))(); };\n"; done >> main.c; printf "int main() { return f_19999(); }" >> main.c; gcc -O0 -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections -Wl,--no-as-needed; echo "gold:"; time gcc main.o -o main -fuse-ld=gold -Wl,--gc-sections -Wl,--no-as-needed
bfd:

real    0m5,627s
user    0m2,567s
sys     0m3,047s
gold:

real    0m0,053s
user    0m0,041s
sys     0m0,012s
How the test generates this file:
// $ head -n 5 main.c
int f_0() __attribute__ ((section (".text.0"))); int f_0() { return 0; };
int f_1() __attribute__ ((section (".text.1"))); int f_1() { return f_0(); };
int f_2() __attribute__ ((section (".text.2"))); int f_2() { return f_1(); };
int f_3() __attribute__ ((section (".text.3"))); int f_3() { return f_2(); };
int f_4() __attribute__ ((section (".text.4"))); int f_4() { return f_3(); };
// ..
// $ tail -n 5 main.c
int f_19996() __attribute__ ((section (".text.19996"))); int f_19996() { return f_19995(); };
int f_19997() __attribute__ ((section (".text.19997"))); int f_19997() { return f_19996(); };
int f_19998() __attribute__ ((section (".text.19998"))); int f_19998() { return f_19997(); };
int f_19999() __attribute__ ((section (".text.19999"))); int f_19999() { return f_19998(); };
int main() { return f_19999(); }
That time difference is more interesting! Note that ld.gold spends just
50ms on the input while ld.bfd does something for 5 seconds!
Getting the profile:
$ perf record -g gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections -Wl,--no-as-needed
$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > try3.svg

At last! We managed to hit exactly the _bfd_elf_gc_mark ().
The final input file object file is not too large:
$ ls -lh main.o
-rw-r--r-- 1 slyfox users 5.7M Oct  8 20:58 main.o
I filed PR33530 upstream bug report
hoping that fix will not be too complicated and started writing this
blog post.
testing the patch
My plan was to figure out more details about binutils gc in this post
and try to fix it. Alas even before I got to it H.J. already prepared
the fix!
Synthetic test shown great results:
$ printf "int f_0() __attribute__ ((section (\".text.0\"))); int f_0() { return 0; };\n" > main.c; for (( i=1; i<20000; i++ )); do printf "int f_$i() __attribute__ ((section (\".text.$i\"))); int f_$i() { return f_$((i-1))(); };\n"; done >> main.c; printf "int main() { return f_19999(); }" >> main.c; gcc -O0 -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections
bfd:

real    0m0,119s
user    0m0,080s
sys     0m0,038s
120ms compared to the previous 5s is a 40x speedup. It’s still
twice as slow as 50ms for ld.gold, but the absolute time is way
harder to notice. I tried to find a new degradation point by adding more
functions:
# 100K sections:
$ printf "int f_0() __attribute__ ((section (\".text.0\"))); int f_0() { return 0; };\n" > main.c; for (( i=1; i<100000; i++ )); do printf "int f_$i() __attribute__ ((section (\".text.$i\"))); int f_$i() { return f_$((i-1))(); };\n"; done >> main.c; printf "int main() { return f_99999(); }" >> main.c; gcc -O0 -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections
bfd:

real    0m0.628s
user    0m0.472s
sys     0m0.154s

# 1M sections:
$ printf "int f_0() __attribute__ ((section (\".text.0\"))); int f_0() { return 0; };\n" > main.c; for (( i=1; i<1000000; i++ )); do printf "int f_$i() __attribute__ ((section (\".text.$i\"))); int f_$i() { return f_$((i-1))(); };\n"; done >> main.c; printf "int main() { return f_999999(); }" >> main.c; gcc -O0 -c main.c -o main.o; echo "bfd:"; time gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections
bfd:

real    0m8.697s
user    0m6.956s
sys     0m1.726s

$ size main.o
   text    data     bss     dec     hex filename
43000115              0       0 43000115        2902133 main.o
8s on a file with 1M sections sounds quite fast! Let’s see where
ld.bfd spends its time now:
$ perf record -g gcc main.o -o main -fuse-ld=bfd -Wl,--gc-sections
$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > fixed.svg

Once again the profile looks more balanced now. Yay! How about real
pandoc?
$ time nix build --no-link -f. pandoc --rebuild

real    0m17,013s
user    0m0,672s
sys     0m0,123s
17s is a bit slower than 13s of ld.gold, but not as bad as it used
to be. And it’s profile:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... '-optl-fuse-ld=bfd' -fforce-recomp

$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > fixed-pandoc.svg

bonus: other linkers
Both ld.gold and ld.lld are quite fast at handling synthetic tests now,
But both still spend a few seconds on pandoc. How about other linkers?
Let’s add lld and mold to the mix. I’ll measure
ghc --make '-optl-fuse-ld=$linker' -fforce-recomp execution time:
# without the fix
$ time <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=bfd -fforce-recomp
real    0m30.589s user    0m24.576s sys     0m6.447s

# with the fix
$ time <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=bfd -fforce-recomp
real    0m8.676s user    0m6.484s sys     0m2.584s

$ time <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=gold -fforce-recomp
real    0m5.929s user    0m5.543s sys     0m0.829s

$ time <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=lld -fforce-recomp
real    0m1.413s user    0m1.754s sys     0m1.509s

$ time <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=mold -fforce-recomp
real    0m1.209s user    0m0.424s sys     0m0.215s
Note: we do measure not just liker time, but also ghc code generation
time. Actual link time does not take as much. Same values in tables:



linker
real (sec)
user (sec)
sys (sec)




ld.bfd (orig)
30.6
24.6
6.4


ld.bdf (fixed)
8.7
6.5
2.6


ld.gold
5.9
5.5
0.8


lld
1.4
1.8
1.5


mold
1.2
0.4
0.2



lld and mold link times are impressive! They are 6x-7x times faster
than fixed version of ld.bfd. Let’s look at their profiles to see what
they spend their time on. lld goes first:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=lld -fforce-recomp

$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > lld-pandoc.svg

The only things that stick out in this profile are malloc() (about 20%
of the time?) and memmove() calls (about 6% of the time). Otherwise,
we see about equal time spent on reading (linkerDriver part on the right),
relocation processing (RelocationScanner in the middle) and writing
(HashTableSection::writeTo slightly to the left).
I wonder if memory management were to be optimized for lld, would it be
as fast as mold on this input? And now mold profile:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=mold -fforce-recomp

$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > mold-pandoc.svg

The profile is not very readable as we mainly see the tbb threading
dispatch of chunks of work to do. If I scroll around I see
things like scan_abs_relocations, apply_reloc_alloc, resolve_symbols,
split_contents, scan_relocations. It looks like half the time
is spent on the management of parallelism. Playing a bit with the
mold parameters I noticed that -Wl,--threads=4 is the maximum thread
count where I get any speed improvements for parallelism. Anything above
will clutter CPU usage profile with sched_yield “busy” wait threads.
To get the idea where actual CPU is spent it might be more interesting to
look at single-threaded profile using -optl-Wl,--no-threads:
$ perf record -g <>-ghc-9.10.3/bin/ghc --make ... pandoc ... -optl-fuse-ld=mold -optl-Wl,--no-threads -fforce-recomp

$ perf script > out.perf && perl ~/dev/git/FlameGraph/stackcollapse-perf.pl out.perf > out.folded && perl ~/dev/git/FlameGraph/flamegraph.pl out.folded > mold-no-threads.svg

I’ll leave the interpretation of the picture to the reader.
parting words
ld.gold is about to be removed from binutils.
In -fsplit-sections mode ghc code generator produces huge amount of
sections per ELF file which manages to strain both ld.bfd and
ld.gold linkers. ghc should probably be fixed to produce one section
per strongly connected component of functions that refer one another.
libHSpandoc consists of almost half a million ELF sections. Average
section size for which is about 250 bytes.
ld.bfd while being slower than ld.gold still has simple performance
bugs in obscure scenarios. Just like today’s
PR33530 example.
binutils upstream was very fast to come up with a possible fix to test.
Even fixed ld.bfd is still quite a bit slower on synthetic test with
huge sections compared to ld.gold. But at least it’s not exponentially
worse.
lld and mold are still way faster than either ld.bfd or ld.gold.
About 6-7 times on pandoc test. ld.bfd still has a lot of room for
improvement :)
Have fun!


gcc-16 devirtualization changes
2025-09-27T00:00:00Z
A quiz
Let’s start from a quiz: is this single file program a valid c++
program? Will it always build and run?
void d_impl(void); /* has no definition at all! */

struct B { virtual void f(void) {} };

struct D : public B { virtual void f(void) { d_impl(); } };

void do_f(struct B* o) { o->f(); }

int main(void) { return 0; }
Running gcc
It feels like this whole program is just an obfuscated version of
int main(){} and thus should Just Work, right? And gcc-15 would agree:
$ g++-15 a.cc -o a -fopt-info -O2
$ ./a
But with gcc-16 it fails to link:
$ g++-16 a.cc -o a -fopt-info -O2
a.cc:11:30: optimized: speculatively devirtualizing call in void do_f(B*)/3 to virtual void B::f()/1
a.cc:11:30: optimized: speculatively devirtualizing call in void do_f(B*)/3 to virtual void D::f()/2
a.cc:11:30: optimized: devirtualized call in void do_f(B*)/3 to 2 targets
a.cc:11:30: optimized:  Inlined virtual void B::f()/10 into void do_f(B*)/3 which now has time 12.400000 and size 11, net change of -2.
a.cc:11:30: optimized:  Inlined virtual void D::f()/11 into void do_f(B*)/3 which now has time 12.160000 and size 10, net change of -1.

ld: /tmp/nix-shell.QW52Fh/ccNR2yWI.o: in function `do_f(B*)':
a.cc:(.text+0x29): undefined reference to `d_impl()'
ld: /tmp/nix-shell.QW52Fh/ccNR2yWI.o: in function `D::f()':
a.cc:(.text._ZN1D1fEv[_ZN1D1fEv]+0x1): undefined reference to `d_impl()'
collect2: error: ld returned 1 exit status
Note: it fails to find an implementation of void d_impl(void); function.
devirtualization mechanics
Why did gcc not notice missing reference before?
-fopt-info gives us a hint that gcc “devirtualized” virtual call
of void do_f(struct B* o) { o->f(); } into non-virtual calls and got
extra references into the code.
-fdump-tree-all can show us the result after these transformations:
$ g++ a.cc -o a -fopt-info -O2 -fdump-tree-all
...

# I removed a bit of unrelated detail manually
$ cat a.cc.273t.optimized

void B::f (struct B * const this) { return; }

void D::f (struct D * const this) { d_impl (); }

void do_f (struct B * o)
{
  int (*) () * _1;
  int (*) () _2;
  void * PROF_6;
  void * PROF_8;

  _1 = o_4(D)->_vptr.B;
  _2 = *_1;
  PROF_6 = [obj_type_ref] OBJ_TYPE_REF(_2;(struct B)o_4(D)->0B);
  if (PROF_6 == D::f) {
    d_impl (); [tail call]
    return;
  }

  PROF_8 = [obj_type_ref] OBJ_TYPE_REF(_2;(struct B)o_4(D)->0B);
  if (PROF_8 == B::f)
    return;

  OBJ_TYPE_REF(_2;(struct B)o_4(D)->0B) (o_4(D)); [tail call]
}

int main () { return 0; }
Here gcc-16 expanded void do_f(struct B* o) { o->f(); } against
unknown o->f() call into a few known types: o->B::f() and
o->D::f() calls by checking the function addresses via vtable. This
allowed gcc to inline B::f() and D::f(). Pseudocode of the result:
// before
void do_f(struct B* o) { o->f(); }

// after
void do_f(struct B* o) {

  if (o->f == D::f) {
    // inlined D::f()
    d_impl(); // our new reference!
    return;
  }

  if (o->f == B::f) {
    // inlined B::f()
    return;
  }

  // other types
  o->f();
}
gcc-15 did not use to do this kind of transformations. It’s a recent
change added in the commit Add --param max-devirt-targets.
This extended existing devirtualization optimization to consider not
just one possible devirtualization target (before the patch), but at most
3.
Fixes and workarounds
Now we can even work the original example around and build it:
$ g++ a.cc -o a -fopt-info -O2 --param=max-devirt-targets=1
$ ./a
Is the above a completely hypothetical scenario? Why would you have such
code lying around? Well, I initially noticed it on
cmake build failure.
There ./bootstrap script failed to build initial cmake on
gcc-16. ./bootstrap code uses only a subset of cmake source code,
but it had a few #include that do refer to the code that does not
get compiled/linked in ./bootstrap. The devirtualization change exposed
it. The fix
was to #ifdef out the code that has no chance to execute on ./bootstrap.
To transfer it back to our example the fix is similar to the following:
void d_impl(void); /* has no definition at all! */

struct B { virtual void f(void) {} };

#if 0
struct D : public B { virtual void f(void) { d_impl(); } };
#endif

void do_f(struct B* o) { o->f(); }

int main(void) { return 0; }
$ g++ a.cc -o a -fopt-info -O2
a.cc:9:30: optimized: speculatively devirtualizing call in void do_f(B*)/2 to virtual void B::f()/1
a.cc:9:30: optimized:  Inlined virtual void B::f()/6 into void do_f(B*)/2 which now has time 7.200000 and size 9, net change of -2.

$ ./a
All good now!
Parting words
The initial example was not quite correct and caused link failures when
devirtualization kicked in. Including headers to the unlinked code does
not always work.
Devirtualization does sometimes bloat the code a bit with references that
have no chance to execute in real programs. Profile-guided optimizations
help a lot to avoid generation of completely dead code by getting better
estimates of observed behavior.
cmake is fixed
and can now be built with gcc-16!
Have fun!


nix-build in tmpfs
2025-08-22T00:00:00Z
I build a lot of nix packages locally. Until nix-2.30 release
nix-build command triggered builds in /tmp directory by default.
As it’s not a tmpfs by default I used to enable
boot.tmp.useTmpfs = true; to force all of /tmp into tmpfs to get
slightly faster builds.
In nix-2.30 nix switched
its default build directory to /nix/var/nix/builds:
... `build-dir` no longer defaults to `$TMPDIR` ...
This made my builds slow again. It’s especially noticeable when a few
huge tarballs start unpacking on disk in parallel. Here is my new
workaround to get that directory to tmpfs as well:
# cat /etc/nixos/tmpfs.nix
{ lib, ... }:
{
  systemd.mounts = [{
    wantedBy = [ "nix-daemon.service" ];
    what = "tmpfs";
    where = "/nix/var/nix/builds";
    type = "tmpfs";
    mountConfig.Options = lib.concatStringsSep "," [
      "mode=0755"
      "strictatime"
      "rw"
      "nosuid"
      "nodev"
      "size=100G" # WARNING: you might want to change this value
    ];
  }];
}
It creates a systemd mount unit and makes it a pre-requisite of
nix-daemon and mounts just before nix-daemon start.
Have fun!


four years on NixOS
2025-08-20T00:00:00Z
It’s another yearly instance of my NixOS journey
(2024 instance). I meant to
write it around 25.05 but completely forgot!
system maintenance
As usual I don’t remember what I did to my system over the past year,
so I’m at the git log for /etc/nixos as it contains all the changes:

follow hardware.opengl -> hardware.graphics rename
follow hardware.opengl.driSupport{,32Bit} removal
follow rename of gnome.adwaita-icon-theme
follow hardware.pulseaudio -> services.pulseaudio rename
follow okular -> kdePackages.okular rename
drop deprecated i18n.supportedLocales
follow networking.wireless.iwd.settings.General -> networking.wireless.iwd.settings.DriverQuirks rename
follow services.postfix.config -> services.postfix.settings.main rename
fix services.postfix.settings.main.mynetworks type (changed from string to array)

It is quite a bit more of renames than last year. I think locale changes
actually broke my locales at runtime and I had to figure out what to
change to get them back.
I did not have major package build failures that required any local
changes.
This time I had the following non-trivial problems in upstream packages:

duperemove would hang up on NoCOW files: https://github.com/markfasheh/duperemove/pull/376.
I had to bisect the regression and fix it upstream. It was easy as I
am somewhat familiar with duperemove implementation.
nix started stripping too much in gcc-14 warning logs: https://github.com/NixOS/nix/pull/13109.
It came up after nixpkgs switched to gcc-14. Took some time to figure
out what is so special about gcc warnings. Ended up being quite easy.
perf stated to hang up on my system: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c21986d33d6beb269a35b38dcb8adaa5bd228527.
It came up after I ran system-wide profiler to see what wine does to
use 100% CPU on an ancient game. THe fix was trivial once looked at.
I don’t remember what changed to expose the hangups. Maybe I just never
did it before? Ended up being easy as well.
mpv started failing GPU rendering due to libplacebo / shaderc
incompatibility: https://code.videolan.org/videolan/libplacebo/-/issues/335.
Most arcane bug of all: had to bisect the whole system to find the
package first, then had to bisect down to the commit. Upstream eventually
fixed it. But if nixpkgs had up-to-date shaderc we would not stumble
on this bug. The only non-trivial bug from the whole list.

Community support
I still feel that NixOS community is a welcoming place for newcomers,
experimenters and people who do grunt maintenance work. NixOS community
now had elected their first Steering Committee who can help resolving
high-level conflicts.
Some of the amusing things I did over the past year:

nix language non-determinism in sort built-in
stdenv fix to handle root directories that start with dash (-): https://github.com/NixOS/nixpkgs/pull/317106.
diffoscope-269 release was a great stress test for nixpkgs bash code :)
Found and fixed ~50 more eval failures in nixpkgs found by the hack.
This hack was also the trigger that exposed sort non-determinism above.
Fixed nixpkgs isMachO helper: https://github.com/NixOS/nixpkgs/pull/432097.
Reading 4 bytes from the file in pure bash. How hard could it be?

Just like last year I managed to get about 800 commits into nixpkgs
this year.
I stopped reading any Matrix channels completely and only skim through
discourse and read github notifications.
Home server experience
I did not have to adapt anything for the past year. Things still Just Work.
Local experiments
I switched to helix editor
and to chromium browser. Both were quite
smooth transitions.
I continued gcc testing. This year it was gcc-15 branch. nixpkgs
still manages to serve as a reasonable vehicle to
find bugs. Just like last year I
found about 50 compiler bugs. Did not manage to fix any myself.
Parting words
NixOS still works for me.
Give NixOS a go if you did not yet :)


nix and guix for Gentoo in 2025
2025-08-19T00:00:00Z
Two years have passed since the last issue
of ::nix-guix overlay updates.
The overlay still ships latest nix-2.30.2 and guix-1.4.0
packages. One notable addition is lix-2.93.3!
Our list of contributors over past 2 years is:
dependabot[bot]
G-Src
Jiajie Chen
Kris Scott
Sergei Trofimovich
Vincent de Phily
There are no major user-visible changes. But a few things to note are:

sys-apps/lix was added to the family of nix-like package managers
sys-apps/guix is not masked any more as guile-3 was unmasked in
::gentoo!
old pre-meson version of nix are dropped
sys-apps/nix does not enable fallback if user namespaces fail to
initialize. This should guard users from accidentally building
non-hermetic packages (they are very likely to break on Gentoo for
various reasons)
added USE=allocate-build-users to sys-apps/nix to use fully dynamic
user builders (instead of requiring acc-user/ set of static users)
sys-apps/guix ebuild was ported to guile-single.eclass

Have fun!


sort by key in coreutils
2025-05-08T00:00:00Z
This post is about sort tool from GNU coreutils. Until today I
foolishly thought that to sort a file by a second (and just second
column) you just need to use sort -k2 option.
Indeed, that does seem to work for a simple case:
$ printf "1 2\n2 1\n"
1 2
2 1
$ printf "1 2\n2 1\n" | sort -k2
2 1
1 2
But today I attempted a slightly more complicated sort by sorting commit
history:
abcd foo: commit z
bcde bar: commit a
cdef foo: commit y
defg bar: commit b
I wanted to sort these by the foo: / bar: component while preserving
the order of commit within the component. I want this outcome:
bcde bar: commit a
defg bar: commit b
abcd foo: commit z
cdef foo: commit y
How do you achieve that? My naive attempt was to use sort -k2 --stable:
$ sort -k2 --stable 

Note how foo: commits were unexpectedly reordered.
Quick quiz: why did excessive reorder happen? How to fix it?
The answer
sort --help has an answer by describing what -k2 key selection
actually does. But --debug option is even better at illustrating what
is being compared. Let’s use that:
$ LANG=C sort -k2 --stable --debug 

The ______________ underscore shows the actual compared key: it’s not
just foo: or bar:. It’s the whole line that starts at the
whitespace right before foo: and bar:. The fix is to tweak the selector:
$ LANG=C sort -k2,2 --stable --debug 

or with -b if leading spaces look confusing:
$ LANG=C sort -k2,2 --stable --debug -b 

This way the sorting works as expected:
$ LANG=C sort -k2,2 --stable -b 

parting words
sort -k is tricky: it’s not a field number but a field range. --debug
option is great at showing used sorting key (or keys of --stable is not
used).
Have fun!


Zero Hydra Failures towards 25.05 NixOS release
2025-05-01T00:00:00Z
It’s May 1 and that means NixOS-25.05 is almost
there. Today the
release entered ZHF phase
(Zero Hydra Failures) where the main focus
is to squash as many build failures as possible before the release.
It’s a good time to fix easy build failures or remove long broken
packages. https://github.com/NixOS/nixpkgs/issues/390768 contains
detailed step-by-step to identify interesting packages.
an example package fix
I usually try to fix at least one package during ZHF. This time I
picked hheretic. The
failure does not look too cryptic:
...
checking for OpenGL support... no
configure: error: *** OpenGL not found!
To get a bit more detail I usually use nix develop:
$ nix develop -f. hheretic
$$ genericBuild
checking for OpenGL support... no
configure: error: *** OpenGL not found!
...
Running phase: buildPhase
no Makefile or custom buildPhase, doing nothing
...
Here I ran genericBuild to start a build process similar to what a
nix build -f. hheretic would do.
I got expected error (and a bit of extra stuff). Now I can peek at
config.log to check why OpenGL was not detected:
$ cat config.log
...
configure:5413: checking for OpenGL support
configure:5429: gcc -o conftest  -Wall -O2 -ffast-math -fomit-frame-pointer   conftest.c -lm  -Lno -lGL -lGLU >&5
conftest.c:30:10: fatal error: GL/gl.h: No such file or directory
   30 | #include 
      |          ^~~~~~~~~
compilation terminated.
The compiler does not see GL/gl.h header: a missing dependency. The
first thing I tried was this patch:
--- a/pkgs/by-name/hh/hheretic/package.nix
+++ b/pkgs/by-name/hh/hheretic/package.nix
@@ -4,6 +4,8 @@
   fetchFromGitHub,
   SDL,
   SDL_mixer,
+  libGL,
+  libGLU,
   autoreconfHook,
   gitUpdater,
 }:
@@ -27,6 +29,8 @@ stdenv.mkDerivation (finalAttrs: {
   buildInputs = [
     SDL
     SDL_mixer
+    libGL
+    libGLU
   ];

   strictDeps = true;
Running nix build -f. hheretic against it makes the package build
successfully. The change is proposed as a
PR#403458 now.
As a bonus let’s figure out when the package broke. In the
history tab
we can see that:

https://hydra.nixos.org/build/292311010 was the last successful build
https://hydra.nixos.org/build/293013734 was the first failing build

Both links have Inputs tab where we can extract nixpkgs commits that
correspond to the build. That is enough for bisection:
$ git clone https://github.com/NixOS/nixpkgs
$ cd nixpkgs/
$ git bisect start 81b934af6399c868c693a945415bd59771f41718 316f79657ec153b51bee287fb1fb016b104af9ef
    Bisecting: 2949 revisions left to test after this (roughly 12 steps)
    [8490862820028f5c371ac0a7fde471990ff6ad80] evcc: 0.200.9 -> 0.201.0 (#390530)
$ git bisect run nix build -f. hheretic
running 'nix' 'build' '-f.' 'hheretic'
Bisecting: 1476 revisions left to test after this (roughly 11 steps)
...
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e24f567a68111784e81cdda85e3784dd977f2ef8] Merge master into staging-next
running 'nix' 'build' '-f.' 'hheretic'
e47403cf2a2c76ae218bbf519c538b0ed419fa5f is the first bad commit
commit e47403cf2a2c76ae218bbf519c538b0ed419fa5f
Date:   Tue Mar 11 09:41:21 2025 +0100

    SDL: point alias to SDL_compat

 pkgs/top-level/all-packages.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
bisect found first bad commit
Looking at https://github.com/NixOS/nixpkgs/commit/e47403cf2a2c76ae218bbf519c538b0ed419fa5f
the GitHub UI says it corresponds to
PR#389106.
Added
the comment
there to get attention of relevant authors.
parting words
ZHF event is a good way to contribute to nixpkgs. If you never did
but were waiting for an occasion it’s a good one to try!
Have fun!


To chromium
2025-04-20T00:00:00Z
Tl;DR
I switched from firefox to chromium as a primary web browser on my
desktop.
On firefox
I was a happy firefox user since the 1.5 release. Internet says it was
released in 2005. This made a 20-year run for me. The web changed so
much since then. Adobe Flash went away and web 2.0 javascript-heavy
applications took its place. At some point I had to start using content
filtering extensions to be able to browse the web.
firefox was able to keep up with the times most of the time. It felt
like at some point UI became too sluggish. Subjectively quantum 2017
release made it snappy again.
Fast forward to 2025 firefox mostly meets my needs, but there are a
few performance warts I don’t know how to deal with:

Some of web-based instance messengers are very slow in firefox: when
I switch to the tab it freezes the whole of firefox for a few
seconds (it happens every time I switch to a tab, not just for the
first time).
Branch selection (drop-down menu) at pull request creation time on
github is visibly slow on repositories with many branches (200+
in nixpkgs).
firefox start up time on mostly empty user profiles on HDDs are very
slow: about tens of seconds.

Over past few years I have encountered a few widespread bugs in firefox:

100% CPU usage on HTTP3: https://bugzilla.mozilla.org/show_bug.cgi?id=1749914
tab crashes due to LLVM bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1741454

On chrome
I already used chrome at work for about 10 years. And 3 years ago I
started using chrome on a chromebook laptop for some of personal
things. But for a personal desktop my strong preference prefer is not to
use proprietary software.
With a recent shift to AI and advertising at Mozilla I wondered what are
the alternatives to firefox there are if I should give chromium a
proper try.
On chromium
After about 2 months using chromium I should say that it is very
pleasant to use. Subjectively fonts look a bit better in chromium and
most performance hiccups I encountered in firefox disappeared (but a
new one appeared, mentioned below).
Helper pages like chrome://about, chrome://flags and chrome://gpu
are a reasonable substitute for firefox about:config.
I also discovered a few bugs/warts/known-issues as well:

wayland backend is not enabled by default and needs either a flag
like --enable-features=UseOzonePlatform --ozone-platform=wayland or
an option selected at
chrome://flags > Preferred Ozone platform > Wayland.
While it’s a one-off setup it feels like wayland might not be the
primary target for linux desktops.
pdf viewer is quite a bit slower than in firefox. 350-paged doc
make chromium visibly struggle to scroll around, might be a known
https://issues.chromium.org/issues/345117890.
I have to fall back to local viewers for larger docs.
UPDATE: installing pdf.js
ended up being even better solution.
chromium syncs on disk somewhat frequently. There is a 15-years old
https://issues.chromium.org/issues/41198599 that mentions it’s all
the actions user does are synced on disk time to time. I don’t think
it’s a real problem for modern SSDs, but still it feel quite wasteful.
sway sometimes crashes completely when I visit certain utility
provider sites with a message like:
00:00:25.696 [sway/sway_text_node.c:110] cairo_image_surface_create failed: invalid value (typically too big) for the size of the input (surface, pattern, etc.)
00:00:25.696 [sway/sway_text_node.c:110] cairo_image_surface_create failed: invalid value (typically too big) for the size of the input (surface, pattern, etc.)
sway: render/pass.c:23: wlr_render_pass_add_texture: Assertion `box->x >= 0 && box->y >= 0 && box->x + box->width <= options->texture->width && box->y + box->height <= options->texture->height' failed.
There is a bunch of open bugs with related error messages. I looks
like those are usually sway or wlroots robustness bugs. chromium
is probably also at fault here trying to create surfaces of
unreasonable dimensions.
Installing sway and wlroots from git master fixed all crashes
for me.

Have fun!


gcc-15 bugs, pile 2
2025-04-19T00:00:00Z
8 more months have passed since my previous
pile report. gcc-15 was
branched off
from master and will receive only regression fixes. master is called
gcc-16 now.
It’s a good time to look at the compiler bugs I encountered.
summary
I got about 30 of those:

rtl-optimization/116516: ICE on
linux-6.10 due to inability to handle some address calculation
expressions.
middle-end/116516: ICE on
libvpx-1.14.1 due to a vectorizer bug that tried to access outside
array boundary.
middle-end/116814: ICE on
libjack2-1.9.22 due to gcc inability to generate code for
saturated subtraction
tree-optimization/116817: ICE on
libajantv2-16.2 gcc vectorizer broke on a loop invariant
libstdc++/116857: mingw32 build
failure, was exposed after re-enabling most warnings on gcc headers.
c++/116880: co_await use-after-free
on nix-2.24.8 code. A gcc bug in coroutine lifetime management.
c++/116911: qt5.qtbase build
failure due to gcc regression in assigning external linkage to local
variables.
bootstrap/117039: -Werror= libcpp
gcc build failure due to format string problems.
c++/117114: -Woverloaded-virtual
false positives due to a gcc in how it tracks methods in case of
multiple inheritance.
middle-end/117141: duplicate pattern
definitions for subtraction-with-saturation primitive. A build warning.
c/117177: wrong code on global arrays
used by python-3.12.7 and others. gcc generated invalid bytes that
represent the array.
c/117190: ICE on linux-6.11.3,
another case of gcc inability to generate static const arrays
similar to the previous entry.
target/117194: wrong code on
highway-1.2.0 in vectorizer code. gcc used incorrect order of
operands in ANDN primitive.
libstdc++/117220: stl_iterator and
clang incompatibility: gcc allows slightly different mix of
[[..]] and __attribute((..)) style of attributes ordering than
clang.
lto/117288: lto ICE on wolfssl,
constant arrays are not handled by gcc. This time in LTO bytecode.
tree-optimization/117306: -O3
vectorizer ICE on netpbm-11.8.0 of certain bool calculation patterns.
middle-end/117378: waybar ICE on
c++ due to a gcc bug in expansion of ternary operators.
rtl-optimization/117476: wrong code
on grep and libgcrypt in a code that handles zero-extension.
middle-end/117496: infinite recursion
on cdrkit due to a | b pattern generating still foldable result.
bootstrap/117843: fortran bootstrap
build failure (-Werror). A missing enum entry handling.
c++/117980: ICE on nix-2.25.2 where
gcc transformation broke the type of underlying expression.
c++/118124: ICE on nss, c++
constant arrays were not handled in initializer_list<...>.
preprocessor/118168: slow mypy
compilation on -Wmisleading-indentation. gcc parsed the whole file
multiple times to resolve locations.
tree-optimization/118205: libdeflate
wrong code, fails libtiff tests due to a gcc bug in handling
certain form of PHI modes.
tree-optimization/118409: gas is
compiled incorrectly due to gcc bug in handling xor on sub-byte
bit fields.
c++/118856: mesonlsp-4.3.7 ICE
and wrong code due to too early temporary destruction for arrays.
c++/119138: mingw32 bootstrap
failure due to a gcc regression in attribute tracking for pointers.
middle-end/119226: vifm-0.14 ICE on
strcspn() due to a bad folding recently added to gcc just for this
function.
analyzer/119278: gnutls -fanalyzer
ICE due to lack of handling of a new type for static const arrays.
target/119428: e2fsprogs-1.47.2
wrong code on bit reset due to a wrong btr pattern.
c++/119428: lix ICE on coroutine
code where coroutine types and values cause gcc to fail to handle
more complicated (but allowed by standard) cases.

fun bugs
e2fsprogs bug
The e2fsprogs bug was an interesting
case of wrong code. This was enough to trigger it:
// $ cat bug.c
__attribute__((noipa, optimize(1)))
void bug_o1(unsigned int nr, void * addr)
{
        unsigned char   *ADDR = (unsigned char *) addr;

        ADDR += nr >> 3;
        *ADDR &= (unsigned char) ~(1 << (nr & 0x07));
}

__attribute__((noipa, optimize(2)))
void bug_o2(unsigned int nr, void * addr)
{
        unsigned char   *ADDR = (unsigned char *) addr;

        ADDR += nr >> 3;
        *ADDR &= (unsigned char) ~(1 << (nr & 0x07));
}

int main() {
  void * bmo1 = __builtin_malloc(1024);
  void * bmo2 = __builtin_malloc(1024);
  for (unsigned bno = 0; bno < 1024 * 8; ++bno) {
    __builtin_memset(bmo1, 0xff, 1024);
    __builtin_memset(bmo2, 0xff, 1024);
    bug_o1(bno, bmo1);
    bug_o2(bno, bmo2);
    if (__builtin_memcmp(bmo1, bmo2, 1024) != 0)
      __builtin_trap();
  }
}
Crashing as:
$ gcc bug.c -o bug -O0 && ./bug
Illegal instruction (core dumped)
The gcc fix
amends mask calculation as:
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -18168,7 +18168,8 @@
  [(set (match_dup 4) (match_dup 1))
   (set (match_dup 0)
        (any_rotate:SWI (match_dup 4)
-		       (subreg:QI (match_dup 2) 0)))]
+		       (subreg:QI
+			 (and:SI (match_dup 2) (match_dup 3)) 0)))]
  "operands[4] = gen_reg_rtx (mode);")
 
 (define_insn_and_split "*3_mask_1"
@@ -18202,7 +18203,8 @@
   == GET_MODE_BITSIZE (mode) - 1"
  [(set (match_dup 4) (match_dup 1))
   (set (match_dup 0)
-       (any_rotate:SWI (match_dup 4) (match_dup 2)))]
+       (any_rotate:SWI (match_dup 4)
+		       (and:QI (match_dup 2) (match_dup 3))))]
  "operands[4] = gen_reg_rtx (mode);")
 
 (define_insn_and_split "*3_add"
Here gcc incorrectly compiled bug_o2() into a single btr
instruction. gcc assumed btr performs a typical 8-bit mask on
register operand like other instructions do. But in case of btr it’s
a 3/4/5-bit mask (for 8/16/32-bit offsets).
mesonlsp bug
The mesonlsp bug was also interesting.
There seemingly trivial code:
// $ cat bug.cpp
#include 
#include 

int main(){
  for (const auto &vec : std::vector>{
           {"aaa"},
       }) {
  }
}
crashed at runtime:
# ok
$ g++ bug.cpp -o bug -fsanitize=address
$ ./bug

# bad:
$ g++ bug.cpp -o bug -fsanitize=address -std=c++23
$ ./bug

=================================================================
==3828042==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ba90dbe0040 at pc 0x000000404279 bp 0x7ffd9db5c110 sp 0x7ffd9db5c108
READ of size 8 at 0x7ba90dbe0040 thread T0
    #0 0x000000404278 in std::__cxx11::basic_string, std::allocator >::_M_data() const (bug+0x404278)
...

0x7ba90dbe0040 is located 0 bytes inside of 32-byte region [0x7ba90dbe0040,0x7ba90dbe0060)
freed by thread T0 here:
    #0 0x7f790f1180c8 in operator delete(void*, unsigned long) (/<>/gcc-15.0.1-lib/lib/libasan.so.8+0x1180c8)
    #1 0x000000406a4b in std::__new_allocator, std::allocator > >::deallocate(std::__cxx11::basic_string, std::allocator >*, unsigned long) (bug+0x406a4b)
...

previously allocated by thread T0 here:
    #0 0x7f790f1171a8 in operator new(unsigned long) (/<>/gcc-15.0.1-lib/lib/libasan.so.8+0x1171a8)
    #1 0x000000404c9f in std::__new_allocator, std::allocator > >::allocate(unsigned long, void const*) (bug+0x404c9f)
...

SUMMARY: AddressSanitizer: heap-use-after-free (bug+0x404278) in std::__cxx11::basic_string, std::allocator >::_M_data() const
Shadow bytes around the buggy address:
  0x7ba90dbdfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ba90dbdfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ba90dbdfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ba90dbdff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ba90dbdff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ba90dbe0000: fa fa 00 00 00 fa fa fa[fd]fd fd fd fa fa fd fd
  0x7ba90dbe0080: fd fa fa fa fd fd fd fd fa fa fa fa fa fa fa fa
  0x7ba90dbe0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ba90dbe0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ba90dbe0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7ba90dbe0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3828042==ABORTING
It’s a use-after-free bug. Caused by the gcc bugs in temporary
variables lifetime tracking. The gcc fixes
(one,
two)
are not very small, thus I’ll not post them here.
histograms
As usual what are the subsystems we found the bugs in?

c++: 8
middle-end: 6
tree-optimization: 4
bootstrap: 2
c: 2
libstdc++: 2
lto: 2
rtl-optimization: 2
target: 2
analyzer: 1
preprocessor: 1

Surprisingly this time c++ is at the top of the list. It feels like
coroutine related bugs pushed the needle. Otherwise, middle-end and
tree-optimization that follow are expected.
parting words
Of the bugs above it looks like I reported only 18 of those while 13
were already reported by others.
Optimized handling of global constant arrays (#embed-style code) caused
numerous bugs in various subsystems from compiler crashes to wrong code.
The most disruptive change probably is the switch to
c23.
Past month was very quiet from gcc bugs view. gcc-15 is in a good
shape to be released.
Have fun!


Trying out helix editor
2025-02-15T00:00:00Z
This is another February story about text editors similar to the
vim one. You might want to
ignore this one as well :)
Tl;DR
helix is a nice program: I switched to it from vim as a default text
editor. If you never heard of helix editor and are vim or nvim
user I suggest you to look at it. hx --tutor is short and yet
it covers a few cool things. https://helix-editor.com/ has a nice
asciinema intro and shows expected look and feel.
Background
I am a happy 2 years old vim user with a simple
~/.vimrc config.
Strong vim features for me are:

startup speed
UI speed
basic spell checking
syntax highlighting for many languages
tab/space whitespace highlighting
configurable color scheme (ideally a blue one)
emacs-style page scrolling and line editing when in insert mode

I still manage to use vim without any external plugins.
The weak vim points for me are:

vim-specific configuration language (I don’t know how to read anything
beyond trivial set assignments)
vim-specific regex language extensions (:h /magic)
lack of language server protocol support (LSP) support without
external plugins
defaults keep compatibility with old versions of vim which sometimes
don’t make sense to me as a new user
it’s written in an ancient form of C which is known to trigger some
ubiquitous safety checks and have to disable them like
-D_FORTIFY_SOURCE=1 hack
“backwards” model of many actions in normal mode

To expand a bit on “backwards” model here is a simple example: in vim
the key sequence df< will delete (d) everything from current
position to < symbol inclusive. But you will not see what exactly
vim is about to delete until you press <. Would be nice to see what
f< selects first and only then press d with more confidence. As a
result I rarely use such shortcuts despite them being very convenient
for a common editing use case. vim’s very own vf command sequence
is a lot more intuitive to what I would expect, but that requires switch
to a visual mode (prefixed v).

A fun problem
From time to time I use vim to write markdown files (such as this
blog post). I like pasting code snippets here and there for better
illustration. Once day I idly wondered if vim could be taught to
support syntax highlighting of the code snippets within the markdown
files:
# Would it not be magic if it just worked?

An example `c` snippet within `markdown`:

```c
// What's up here with the highlight?
int like_this_one(long long);
```
vim does not do any special highlighting in a c block.
Many days later I encountered a mastodon thread that mentioned vim
proposal to use TextMate grammar
Issue#9087. It discussed
various options of different highlighter engines, their pros, cons, and
what vim should use longer term.
Tree-sitter was
specifically mentioned multiple times there as The Solution to all
the highlighting problems an editor could have. It’s a long discussion
with many branches.
From there I learned about (and started using) a few tree-sitter based
programs, like bat,
difftastic and
helix.
helix editor was mentioned as one of tree-sitter users. I heard
about helix before from my friend. At the time I just started my vim
journey and I did not give helix a serious try.
But this time I felt I was able to compare both.
My setup
I got helix up and running to the state I could use it by default in
2 short evenings. After that I did a few incremental tweaks. My whole
configuration right now is one page long:
# $ cat config.toml
[editor]
auto-pairs = false
bufferline = "always"
rulers = [73]
true-color = true # TMUX term does not always agree

[editor.statusline]
# added "file-type", "position-percentage"
right = ["file-type", "diagnostics", "selections", "register", "position", "position-percentage", "file-encoding"]

[editor.whitespace.render]
space = "all"
tab = "all"
nbsp = "all"
nnbsp = "all"

[editor.whitespace.characters]
tab = ">"
tabpad = "-"

[keys.insert]
C-c = "normal_mode"
C-up = ["scroll_up", "move_visual_line_up"]
C-down = ["scroll_down", "move_visual_line_down"]

[keys.normal]
C-c = "normal_mode"
C-up = ["scroll_up", "move_visual_line_up"]
C-down = ["scroll_down", "move_visual_line_down"]
ins = ["insert_mode"]

[keys.select]
C-c = "normal_mode"
C-up = ["scroll_up", "move_visual_line_up"]
C-down = ["scroll_down", "move_visual_line_down"]
On top of that I enabled a few language servers not configured in
helix by default:
# $ cat languages.toml

# spell checker
[language-server.harper-ls]
command = "harper-ls"
args = ["--stdio"]

[[language]]
name = "markdown"
language-servers = ["marksman", "harper-ls"]
auto-format = false

[language-server.rust-analyzer.config]
check.command = "clippy"
Niceties
I was surprised to discover how much helix already provides without
much extra configuration:

24-bit colors in the terminal emulator (I use alacritty most of the
time and I appreciate finer grained colors)
a ton of pre-configure LSP servers: hx --health reports 273 lines
helpful pop-ups when prefix keys are pressed, like , :, or
m
tree-sitter-based syntax highlighting makes highlighting more
consistent across languages

toml configuration language
I grew to like toml compared to other custom .ini-like formats.
Custom configurations are sometimes not general enough. For example in
nix.conf config there is no way (to my knowledge) to add a trailing
whitespace to:
bash-prompt-suffix = dev>
toml on the other hand, is more predictable in this regard. It is quite
common and expressive enough to encode simple arrays and strings with
any contents.
I’m a bit afraid of the configurations that are programming languages.
It’s not too bad for me when they are general-purpose languages with
good error messages, well understood semantics, and present
introspection for available options and helpers.
Color themes can be set in RGB
Using full RGB range to define color elements is great. helix comes
with a nice dark default theme suitable for long editing sessions.
The only caveat of a default theme is that some colors are not unique
for cases where it matters. For example, to work around a bug in default
theme I needed to pick a different color for secondary selection:
# $ cat themes/sf.toml
inherits = "default"

# workaround https://github.com/helix-editor/helix/issues/12601
"ui.selection" = { bg = "#540020" }
"ui.selection.primary" = { bg = "#540099" }
Using RGB is so much better than picking a pre-defined color. I did
not know I need it until I tried :)
Selection and multi-selection feels intuitive
helix does show what navigation commands select before I about to do
an action. An example would be vim df" sequence compared to
helix f"d sequence. Before pressing d I am more confident what
it is about to delete.
After using helix for a while I am actually more comfortable using
vim f / t (and similar) navigation commands because I understand
better what they actually do.
Multi-selection is also very natural: you create a bunch of cursors
based on you search (s command) in your selection (or by extending a
column with C command) and start modifying text interactively at each
active cursor at the same time. In multi-selection mode it’s more
natural to use navigation commands like f, t and w to do bulk
edits. In vim I used to use arrow keys more and did not see much use
for more complex navigation commands. But now once I’m used to then I’m
using them in vim as well.
IDE experience is unexpectedly good
The LSPs provide you a navigation, hints, symbol search and so much
more. It’s so easy to explore new and existing projects for various
cross-references. Before jumping into the target you can look at the bit
of context in preview and it might be enough for a thing you are
looking for!
Even in this post s (symbol lookup) provides a Table Of
Contents output with a preview.
For development projects f provides you a file picker with a
fuzzy search. Now I have to rely a lot less on mashing  in the
shell to get to a file I want to edit. I even installed fzf to emulate
similar fuzzy search experience when I need it in bash to pass a file
to other programs.
To make clangd to work (a C or C++ LSP) one needs
a compile_commands.json file. meson-based projects just create it
unconditionally, cmake-based projects do it after
-DCMAKE_EXPORT_COMPILE_COMMANDS=YES option is enabled and for
autotools-based projects there is a
bear hack to wrap make and
extract the commands after the build.
bear is not able to handle projects like gcc where local gcc is
used to compile most of the code. But smaller ones work good enough.
https://github.com/helix-editor/helix/wiki/Language-Server-Configurations
has tips for many more language servers.
Snags
Over past month of helix use as a default editor I encountered a few
limitations I had to work around or just accept the limitation.
Trailing whitespace highlighting (minor)
Whitespace highlighting is a bit blunt: I would prefer spaces to be
highlighted only in trailing context while highlighting tabs everywhere.
https://github.com/helix-editor/helix/issues/2719.
But it’s not a big deal. I need to be careful to copy text into clipboard
buffer not with a mouse selection but via y
Spell checking (minor)
I was surprised to see that helix does not yet have spell checking
integration and was afraid I could not use it as I make huge amount of
typos and rely on aspell so much. The integration is tracked by
https://github.com/helix-editor/helix/issues/11660.
But luckily there are a few language servers that do implement spell
checking. I’m using harper as:
[language-server.harper-ls]
command = "harper-ls"
args = ["--stdio"]
It works reasonably well for English but does not support anything else.
Having an LSP based on something like aspell would be nice.
Default theme colors (minor)
helix tutorial has section that demonstrates primary and secondary
selections via ( and ) navigation. But the colors of both selection
types are identical in the default theme. That was very confusing. The
issue is 2.5 years old:
https://github.com/helix-editor/helix/issues/12601.
Luckily the workaround is trivial: you can modify default theme just
for selection distinct colors:
inherits = "default"

"ui.selection" = { bg = "#540020" }
"ui.selection.primary" = { bg = "#540099" }
Saving last cursor position in the file
I like the save/restore of the file cursor in edited file. It was a
default vim setting. helix does not have an equivalent yet:
https://github.com/helix-editor/helix/issues/1133
Buffer search only highlights current search, not all
In vim I was using set hlsearch option to highlight (and keep
highlighted) all the occurrences that match the search. Not just the
current one. helix is yet to implement it:
https://github.com/helix-editor/helix/issues/1733.
Generic autocomplete
I like autocompletion of arbitrary words in a text file.
So far helix only ever does LSP autocompletion.
https://github.com/helix-editor/helix/issues/1063 tracks the addition
of a simple keyword-based completer.
Parting words
helix feels like a good modern vim successor for my use cases. It’s
extensive use of RGB colors and unicode characters gives a look and
feel of a program beyond a terminal application. A ton of pre-configured
LSPs makes it a nice lightweight code navigator on par with IDE
experience.
Have fun!


Another Nix Expression Language non-determinism example
2024-12-26T00:00:00Z
Today I found another source of non-determinism in nix expression language.
This time it’s a
builtins.sort primitive!
How do you break sort?
Compared to the
previous non-determinism instance
this case of non-determinism breaking sort is not as arcane.
a working sort example
Before triggering the problematic condition let’s look at a working sort:
$ nix repl
nix-repl> builtins.sort builtins.lessThan [ 4 3 2 1 ]
[
  1
  2
  3
  4
]

nix-repl> builtins.sort (a: b: a < b) [ 4 3 2 1 ]
[
  1
  2
  3
  4
]
All nice and good: we pass the comparison predicate and get some result
back. In the first case we are passing a builtin comparator. In the
second case we write a lambda that implements <. Nothing fancy.
Normally sort function expects a bunch of properties from the passed
predicate, like
“strict weak ordering”
to return something that looks sorted.
suspicious sort call
But what happens if we pass a predicate that does not satisfy that
property? On vanilla nix that would be:
nix-repl> builtins.sort (a: b: true) [ 4 3 1 2 ]
[ 2 1 3 4 ]
The result is not sensible, but at least it did not crash. All good?
Quiz question: Is this returned order guaranteed to be the same across nix implementations
on different platforms?
triggering the non-determinism
Today I tried to build nix package with gcc STL
debugging enabled.
In theory it’s simple: you pass -D_GLIBCXX_DEBUG via
CXXFLAGS and you get your debugging for free.
I was chasing an unrelated nix memory corruption bug and did just that.
I hoped for a simple case like the past PR#8825.
To my surprise nixpkgs evaluation started triggering libstdc++
assertions. For the above “suspicious sort” example the execution was:
$ nix eval --expr 'builtins.sort (a: b: true) [ 4 3 2 1 ]

/nix/store/L89IQC7AM6I60Y8VK507ZWRZXF0WCD3V-gcc-14-20241116/include/c++/14-20241116/bits/stl_algo.h:5027:
In function:
    void std::stable_sort(_RAIter, _RAIter, _Compare) [with _RAIter =
    nix::Value**; _Compare = nix::prim_sort(EvalState&, PosIdx, Value**,
    Value&)::]

Error: comparison doesn't meet irreflexive requirements, assert(!(a < a)).

Objects involved in the operation:
    instance "functor" @ 0x7ffd7d2fdb00 {
      type = nix::prim_sort(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&)::{lambda(nix::Value*, nix::Value*)#1};
    }
    iterator::value_type "ordered type"  {
      type = nix::Value*;
    }
Aborted (core dumped)
Uh-oh. A crash where there was none before. Note how libstdc++ tells us
that our comparator is not expected to return true for a < a.
builtins.sort implementation
Looking at the nix implementation around the crash it reveals that
nix uses std::stable_sort to implement builtins.sort
(link) with no predicate validation:
static void prim_sort(EvalState & state, const PosIdx pos, Value * * args, Value & v)
{
    state.forceList(*args[1], pos, "while evaluating the second argument passed to builtins.sort");

    auto len = args[1]->listSize();
    if (len == 0) {
        v = *args[1];
        return;
    }

    state.forceFunction(*args[0], pos, "while evaluating the first argument passed to builtins.sort");

    auto list = state.buildList(len);
    for (const auto & [n, v] : enumerate(list))
        state.forceValue(*(v = args[1]->listElems()[n]), pos);

    auto comparator = [&](Value * a, Value * b) {
        /* Optimization: if the comparator is lessThan, bypass
           callFunction. */
        if (args[0]->isPrimOp()) {
            auto ptr = args[0]->primOp()->fun.target();
            if (ptr && *ptr == prim_lessThan)
                return CompareValues(state, noPos, "while evaluating the ordering function passed to builtins.sort")(a, b);
        }

        Value * vs[] = {a, b};
        Value vBool;
        state.callFunction(*args[0], vs, vBool, noPos);
        return state.forceBool(vBool, pos, "while evaluating the return value of the sorting function passed to builtins.sort");
    };

    /* FIXME: std::sort can segfault if the comparator is not a strict
       weak ordering. What to do? std::stable_sort() seems more
       resilient, but no guarantees... */
    std::stable_sort(list.begin(), list.end(), comparator);

    v.mkList(list);
}
Here comparator() calls user-supplied function written in
nix expression language directly (if we ignore a performance special
case) into std::stable_sort(). The comment suggests that std::sort()
was already crashing here.
This means that today builtins.sort semantics are following c++
std::stable_sort() along with it’s undefined behaviors and
instability for non-conformant comparator() predicate.
tracking down bad predicates
nixpkgs is a vast codebase. It’s quite hard to figure out which part
of nix expression language code triggers this condition from a C++
stack trace. I added the following hack into local nix to convert
those violations into nix-level exceptions:
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -3633,6 +3633,24 @@ static void prim_sort(EvalState & state, const PosIdx pos, Value * * args, Value
                 return CompareValues(state, noPos, "while evaluating the ordering function passed to builtins.sort")(a, b);
         }

+        /* Validate basic ordering requirements for comparator: */
+        {
+            Value * vs[] = {a, a};
+            Value vBool;
+            state.callFunction(*args[0], vs, vBool, noPos);
+            bool br = state.forceBool(vBool, pos, "while evaluating the return value of the sorting function passed to builtins.sort");
+            if (br)
+                state.error("!(a < a) assert failed").atPos(pos).debugThrow();
+        }
+        {
+            Value * vs[] = {b, b};
+            Value vBool;
+            state.callFunction(*args[0], vs, vBool, noPos);
+            bool br = state.forceBool(vBool, pos, "while evaluating the return value of the sorting function passed to builtins.sort");
+            if (br)
+                state.error("!(b < b) assert failed").atPos(pos).debugThrow();
+        }
+
         Value * vs[] = {a, b};
         Value vBool;
         state.callFunction(*args[0], vs, vBool, noPos);
Here before calling the compare(a,b) against two different list
elements we are making sure that compare(a,a) and compare(b,b) does
not return true.
And now the error is a bit less intimidating:
nix-repl> builtins.sort (a: b: true) [ 4 3 2 1 ]
error:
       … while calling the 'sort' builtin
         at «string»:1:1:
            1| builtins.sort (a: b: true) [ 4 3 2 1 ]
             | ^

       error: !(a < a) assert failed
On a nixpkgs input the evaluation now fails as:
$ nix-instantiate -A colmapWithCuda --show-trace
error:
       … while calling a functor (an attribute set with a '__functor' attribute)
         at pkgs/top-level/all-packages.nix:5843:20:
         5842|   colmap = libsForQt5.callPackage ../applications/science/misc/colmap { inherit (config) cudaSupport; };
         5843|   colmapWithCuda = colmap.override { cudaSupport = true; };
             |                    ^
         5844|
...
         at pkgs/development/cuda-modules/generic-builders/multiplex.nix:88:17:
           87|   # perSystemReleases :: List Package
           88|   allReleases = lib.pipe releaseSets [
             |                 ^
           89|     (lib.attrValues)
This points us at
cuda-modules/generic-builders/multiplex.nix:
  preferable =
    p1: p2: (isSupported p2 -> isSupported p1) && (strings.versionAtLeast p1.version p2.version);

  # ...

  newest = builtins.head (builtins.sort preferable allReleases);
Can you quickly say if preferable satisfies lessThan requirements?
left >= right is generally problematic for sorts:
nix-repl> builtins.sort (a: b: a >= b) [ 4 3 3 1 ]
error:
       … while calling the 'sort' builtin
         at «string»:1:1:
            1| builtins.sort (a: b: a >= b) [ 4 3 3 1 ]
             | ^

       error: !(a < a) assert failed
To make the comparator stricter it should contain strict inequality,
like b < a or !(a >= b):
nix-repl> builtins.sort (a: b: b < a) [ 4 3 3 1 ]
[
  4
  3
  3
  1
]

nix-repl> builtins.sort (a: b: !(b >= a)) [ 4 3 3 1 ]
[
  4
  3
  3
  1
]
I proposed a seemingly trivial change as PR#368366:
--- a/pkgs/development/cuda-modules/generic-builders/multiplex.nix
+++ b/pkgs/development/cuda-modules/generic-builders/multiplex.nix
@@ -81,7 +81,7 @@ let
   redistArch = flags.getRedistArch hostPlatform.system;

   preferable =
-    p1: p2: (isSupported p2 -> isSupported p1) && (strings.versionAtLeast p1.version p2.version);
+    p1: p2: (isSupported p2 -> isSupported p1) && (strings.versionOlder p2.version p1.version);

   # All the supported packages we can build for our platform.
   # perSystemReleases :: List Package

I’m not sure it’s correct.
cuda-modules is not the only sort lessThan property violation. Next
failure is a stan package:
$ nix build --no-link -f. cmdstan --show-trace
...
       … while calling the 'sort' builtin
         at pkgs/build-support/coq/meta-fetch/default.nix:115:55:
          114|     if (isString x && match "^/.*" x == null) then
          115|       findFirst (v: versions.majorMinor v == x) null (sort versionAtLeast (attrNames release))
             |                                                       ^
          116|     else

       error: !(a < a) assert failed
Here you can already see that the pattern is suspiciously similar:
sort versionAtLeast probably does not do what it’s expected to do.
Proposed a similar fix as PR#368429.
Other packages affected:

mathematica: PR#368433

More stuff to fix!
Parting words
nix expression language used in nix package manager is of
minimalistic kind: it does not have much syntax sugar
hoping to reach high performance and predictability of the evaluation.
And it it manages to surprise me time and time again where I have to
debug both nix expression language and it’s underlying c++
implementation.
Sorting is tricky if you allow a user-supplied sorting predicate.
nixpkgs has a few more sorting predicate violations that needs to be
fixed. I found at least cuda,
coq and
mathematica.
Examples found after the first version of the post was published:
- coqPackages_8_20 used sort (<=)
Have fun!


Rebasing past reformats
2024-12-12T00:00:00Z
TL;DR
Did you ever have to deal with a huge list of conflicts on rebase caused
by automatic reformatting of an upstream codebase?
If you got into a similar situation you might be able to automatically
recreate your changes with git filter-branch --tree-filter and a
git commit --allow-empty trick.
story mode
I have local fork of staging branch of
nixpkgs git repository to do
various tests against experimental upstream packages (like gcc from
master branch) or experimental nix features (like ca-derivations).
I have about 350 patches in the fork. I sync this forked branch about
daily against the upstream nixpkgs/staging. Most of the time
git pull --rebase is enough and no conflicts are there. Once a month
there is one or two files to tweak. Not a big deal.
A few days ago nixpkgs landed a partial source code reformatting
patch as PR#322537. It
automatically re-indents ~21000 .nix files in the repository with a
nixfmt tool. My git pull --rebase generated conflicts on first few
patches against my branch. I aborted it with git rebase --abort.
I would not be able to manually solve such a huge list of commits and I
wondered if I could somehow regenerate my patches against the indented
source.
In theory rebasing past such change should be a mechanical operation: I
have the source tree before the patch and after the patch. All I need to
do is to autoformat both before and after trees and then diff
them.
I managed to do it with help of git commit --allow-empty and
git filter-branch --tree-filter.
actual commands
Here is the step-by-step I did to rebase my local staging branch past
the source reformatting
667d42c00d566e091e6b9a19b365099315d0e611 commit
to avoid conflicts:

Create an empty commit (to absorb initial formatting later):
$ git commit --allow-empty -m "EMPTY commit: will absorb relevant formatting changes"
Move the last empty commit in the patch queue to the beginning of
the patch queue:
$ git rebase -i --keep-base
In the edit menu move the
"EMPTY commit: will absorb relevant formatting changes" entry from
last line of the list to the first line.
Get files in the branch affected by the formatting change:
The formatting change is 667d42c00d566e091e6b9a19b365099315d0e611.
$ FORMATTED_FILES=$(git diff --name-only \
    667d42c00d566e091e6b9a19b365099315d0e611^..667d42c00d566e091e6b9a19b365099315d0e611 \
    -- $(git diff --name-only origin/staging...staging) | tr $'\n' ' ')
This will populate FORMATTED_FILES shell variable with affected
files.
Reformat the $FORMATTED_FILES files:
$ FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch \
  --tree-filter "nixfmt $FORMATTED_FILES" -- $(git merge-base origin/staging staging)..
...
Rewrite 6fc0a951e9b7a7e3f80628ca0a6c4c9f54fd2dd6 (56/327) (65 seconds passed, remaining 314 predicted)
...
Rewrite c20df82da66da6521f355af508bfedc047cffa64 (326/326) (1183 seconds passed, remaining 0 predicted)
Ref 'refs/heads/staging' was rewritten
This command will populate our empty commit with reformatting changes
and rebase the rest of commits against it without manual intervention.
Rebase past the formatting as usual:
$ git rebase -i
Here git rebase -i will tell you that the first commit became empty.
You can either skip or commit an empty one. I skipped it with
git rebase --skip.

Done!
Once I executed the above I got just one trivial conflict unrelated to
reformatting.
parting words
git filter-branch --tree-filter is a great tool to mangle the
repository! But before using it make sure you back you local tree: it’s
very easy to get it to “destroy” all your work (git reflog will still
be able to save your past commits).
It took git filter-branch --tree-filter about 5 minutes to rebase
326 commits that touch ~200 files. My understanding is that most time
is spent on nixfmt utility itself and not on git operations.
nixfmt is not very fast: it takes about a minute to reformat the whole
of nixpkgs (~300MB of .nix files).
nixpkgs plans for reformat event more sources in future. I will likely
be using this tip a few more times.
Have fun!


C union initialization and gcc-15
2024-12-01T00:00:00Z
a contrived example
Let’s start from a quiz. What do you think will this program print:
#include 

__attribute__((noipa)) static void use_stack(void) {
    volatile int foo[] = { 0x40, 0x41, 0x42, 0x43, };
}

__attribute__((noipa)) static int do_it(void) {
    // use 'volatile' to inhibit constant propagation
    volatile union {
        int dummy;
        struct { int fs[4]; } s;
    } v = { 0 };
    return v.s.fs[3];
}

int main(void) {
    use_stack();
    int r = do_it();
    printf("v.s:\n");
    printf("  .fs[3] = %#08x\n", r);
}
The program initializes v union with { 0 }. Which should be an
equivalent of v.dummy = 0;. Then the program accesses v.s.fs[3].
That element does not overlap in memory with v.dummy. What should it
do?
One of the possible answers is: v.s.fs[3] is a garbage value.
Let’s try to run it on gcc-14:
$ gcc-14 a.c -o a -O2 && ./a
v.s:
  .fs[3] = 00000000
The value is all zeros. Is it a coincidence? valgrind does not
complain either. Let’s have a peek at the disassembly dump:
; $ objdump --no-addresses --no-show-raw-insn -d a
:
        movdqa 0xea8(%rip),%xmm0 ; load the constant from memory
        movaps %xmm0,-0x18(%rsp) ; store the constant on stack
        ret
        xchg   %ax,%ax

:
        pxor   %xmm0,%xmm0       ; zero-initialize 16 bytes
        movaps %xmm0,-0x18(%rsp) ; store all 16 bytes of zeros on stack
        mov    -0xc(%rsp),%eax   ; read 32-bits of zeros (part of 16-byte
                                 ; zeroing one line above)
        ret
gcc-14 implements v = { 0 }; as a 128-bit (16-byte)
zero initialization of sizeof(v) via
pxor %xmm0,%xmm0; movaps %xmm0,-0x18(%rsp).
How about gcc-15?
$ gcc a.c -o a -O2 && ./a
v.s:
  .fs[3] = 0x000043
Whoops. That is clearly uninitialized value left after use_stack()
execution. valigrind is also not happy about it:
$ valgrind --quiet --track-origins=yes ./a
v.s:
Use of uninitialised value of size 8
   at 0x48B954A: _itoa_word (in ...-glibc-2.40-36/lib/libc.so.6)
   by 0x48C43EB: __printf_buffer (in ...-glibc-2.40-36/lib/libc.so.6)
   by 0x48C6300: __vfprintf_internal (in ...-glibc-2.40-36/lib/libc.so.6)
   by 0x48BA71E: printf (in ...-glibc-2.40-36/lib/libc.so.6)
   by 0x401074: main (a.c:20)
 Uninitialised value was created by a stack allocation
   at 0x401190: do_it (a.c:12)
Disassembly:
; $ objdump --no-addresses --no-show-raw-insn -d a
:
        movabs $0x4100000040,%rax ; load 64-bit part 1
        movabs $0x4300000042,%rdx ; load 64-bit part 2
        mov    %rax,-0x18(%rsp)   ; store part 1 on stack
        mov    %rdx,-0x10(%rsp)   ; store part 2 on stack
        ret
        nop

:
        movl   $0x0,-0x18(%rsp)   ; zero-initialize first 32 bits of a union
        mov    -0xc(%rsp),%eax    ; read uninitialized 32-bit value at 12-byte
                                  ; offset from a union start
        ret
gcc-15 implements v = { 0 } as a single 32-bit store as if it was
v.dummy = 0; and leaves the rest of the union intact.
Is it a bug?
gcc-15 intentionally changed the zeroing behavior to do less in
PR116416 with
this commit
to generate more optimal code.
Fun fact: the patch also adds a -fzero-init-padding-bits=unions
option to enable the old behavior.
the real bug
The above example might sound theoretical, but I extracted it from an
mbedtls test suite failure. After a recent gcc-15 update the tests
are now failing as:
The following tests FAILED:
        91 - psa_crypto-suite (Failed)
       113 - psa_crypto_storage_format.v0-suite (Failed)
I initially thought it’s a compiler bug related to arithmetic. But
exploring the failing test I found the following pattern:
// at tests/src/psa_exercise_key.c:
  psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;

// library/psa_crypto.c:

  if (operation.hash_ctx.id != 0) { return error; }
  //...

// include/psa/crypto_struct.h:
  #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }

// include/psa/crypto.h:
  typedef struct psa_mac_operation_s psa_mac_operation_t;

// include/psa/crypto_struct.h:
  struct psa_mac_operation_s {
    unsigned int id;
    uint8_t mac_size;
    unsigned int is_sign : 1;
    psa_driver_mac_context_t ctx;
  };

// include/psa/crypto_driver_contexts_composites.h:
  typedef union {
    unsigned dummy; /* Make sure this union is always non-empty */
    mbedtls_psa_mac_operation_t mbedtls_ctx;
  } psa_driver_mac_context_t;

// include/psa/crypto_builtin_composites.h:
  typedef struct {
    psa_algorithm_t alg;
    union {
        unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
        mbedtls_psa_hmac_operation_t hmac;
        mbedtls_cipher_context_t cmac;
    } ctx;
  } mbedtls_psa_mac_operation_t;

// include/psa/crypto_builtin_composites.h
  typedef struct {
    /** The HMAC algorithm in use */
    psa_algorithm_t alg;
    /** The hash context. */
    struct psa_hash_operation_s hash_ctx;
    /** The HMAC part of the context. */
    uint8_t opad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
  } mbedtls_psa_hmac_operation_t;

// include/psa/crypto_types.h
  typedef uint32_t psa_algorithm_t;

// include/psa/crypto_struct.h
  struct psa_hash_operation_s {
    /** Unique ID indicating which driver got assigned to do the
     * operation. Since driver contexts are driver-specific, swapping
     * drivers halfway through the operation is not supported.
     * ID values are auto-generated in psa_driver_wrappers.h.
     * ID value zero means the context is not valid or not assigned to
     * any driver (i.e. the driver context is not active, in use). */
    unsigned int id;
    psa_driver_hash_context_t ctx;
  };
It’s quite a bit of indirection, but if we compress it into a single
struct definition and remove irrelevant bits we will get something
like that:
  struct {
    unsigned int id; // initialized below
    uint8_t mac_size; // initialized below
    unsigned int is_sign : 1; // initialized below
    union {
      unsigned dummy; // initialized below
      struct {
        uint32_t alg; // initialized below, alias of `dummy`

        // anything below is NOT initialized

        union {
          unsigned dummy;
          struct {
              uint32_t alg;
              struct {
                  unsigned int id; // <- we are about to use this field
                  psa_driver_hash_context_t ctx;
              } hash_ctx;
              uint8_t opad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
          } hmac;
          // ..
       } mbedtls_ctx;
    } ctx;
  } operation = {
    0, // id
    0, // mac_size
    0, // is_sign
    { 0 } // ctx.dummy
  };

  if (operation.hash_ctx.id != 0) { return error; }
valgrind complains about the use of an uninitialized value as:
$ valgrind --track-origins=yes --trace-children=yes --num-callers=50 --track-fds=yes --leak-check=full --show-reachable=yes --malloc-fill=0xE1 --free-fill=0xF1 tests/test_suite_psa_crypto
...
==2758824== Conditional jump or move depends on uninitialised value(s)
==2758824==    at 0x483C6B: psa_hash_setup (psa_crypto.c:2298)
==2758824==    by 0x490ADA: psa_hmac_setup_internal (psa_crypto_mac.c:90)
==2758824==    by 0x490ADA: psa_mac_setup (psa_crypto_mac.c:299)
==2758824==    by 0x48412C: psa_driver_wrapper_mac_sign_setup (psa_crypto_driver_wrappers.h:2297)
==2758824==    by 0x48412C: psa_mac_setup (psa_crypto.c:2619)
==2758824==    by 0x4083BC: test_mac_key_policy (test_suite_psa_crypto.function:2192)
==2758824==    by 0x408877: test_mac_key_policy_wrapper (test_suite_psa_crypto.function:2264)
==2758824==    by 0x429F4E: dispatch_test (main_test.function:170)
==2758824==    by 0x42A813: execute_tests (host_test.function:676)
==2758824==    by 0x40247A: main (main_test.function:263)
==2758824==  Uninitialised value was created by a stack allocation
==2758824==    at 0x40822C: test_mac_key_policy (test_suite_psa_crypto.function:2167)
Unfortunately I don’t think there is a simple fix for that (apart from
enabling new -fzero-init-padding-bits=unions compiler flag if it’s
supported.
I filed the issue upstream as
Issue #9814 hoping to
get some guidance.
parting words
gcc-15 will be more efficient at handling partial union initialization.
It will likely be at expense of exposing real code bugs like the
mbedtls one to the
users. It’s a bit scary to discover it in security library first.
At least valgrind is able to detect trivial cases of uninitialized
use of partially initialized unions.
gcc-15 also provides -fzero-init-padding-bits=unions to flip the old
behavior back on. This will allow nailing down bugs using a single
compiler version instead of comparing to gcc-14.
I suspect gcc historically zero-initialized the whole enums to be
closer to incomplete struct initialization
rule.
But now it causes performance problems if the union branches are
different in size.
I suspect we’ll see a few more projects affected by this change.
Have fun!


ski 1.5.0 is out
2024-11-23T00:00:00Z
TL;DR: ski-1.5.0 is
available for download!
It is primarily a maintenance release that completely removes motif and
gtk backends, fixes building against C23 toolchains and adds a small
-initramfs option to supply separate initramfs file to be used along
with emulated kernel.
1.4.0 announcement has a few hints
on how to run it.
Have fun!


gcc-15 switched to C23
2024-11-17T00:00:00Z
Tl;DR
In November gcc
merged
the switch from C17 (-std=gnu17) to C23 (-std=c23) language
standard used by default for C code.
This will cause quite a few build failures in projects written in
C. A few example fixes:

libffi: optional
va_start parameter.
ncompress:
void foo() changed the meaning to void foo(void).
ell
bool, true and false are new keywords. And specifically false
is not equals to 0 or NULL.

more words
C23 has a few high-visibility breaking changes compared to C17.
bool, true, and false are unconditionally defined now
true and false are now predefined constants (instead of being a
part of  macros and typedefs). Thus, code like below does
not compile any more:
enum { false = 0; }
typedef int bool;
Error messages:
$ printf 'enum { false = 0 };' | gcc -std=c17 -c -x c -
$ printf 'enum { false = 0 };' | gcc -c -x c -
:1:8: error: expected identifier before 'false'

$ printf 'typedef int bool;' | gcc -std=c17 -c -x c -
$ printf 'typedef int bool;' | gcc -c -x c -
:1:13: error: two or more data types in declaration specifiers
:1:1: warning: useless type name in empty declaration
The fix is usually to use  or avoid name collisions.
Example affected project is linux.
partially defined int (*)() function prototypes are just int (*)(void) now
This one is trickier to fix when intentionally used. C happened to
allow the following code:
// $ cat a.c
typedef void (*PF)();

static int f0(void)  { return 42; }
static int f1(int a) { return 42 + a; }

int main() {
    PF pf;

    // 0-argument function pointer
    pf = f0;
    pf();

    // 1-argument function pointer
    pf = f1;
    pf(42);

    // 3-argument function pointer: an odd one, but happens to work
    pf(42,42,42);
}
But not any more:
$ gcc -std=c17 -c a.c
$ gcc -c a.c
a.c: In function 'main':
a.c:15:8: error: assignment to 'PF' {aka 'int (*)(void)'} from incompatible pointer type 'int (*)(int)' [-Wincompatible-pointer-types]
   15 |     pf = f1;
      |        ^
a.c:16:5: error: too many arguments to function 'pf'
   16 |     pf(42);
      |     ^~
a.c:19:5: error: too many arguments to function 'pf'
   19 |     pf(42,42,42);
      |     ^~
This hack is used at least in ski, ghc and ncompress. But more
frequently it’s use is an accident (ell, iwd, bash and a few others).
parting words
Quick quiz: the above changes look like they tickle some very obscure
case. How many packages are affected on a typical desktop system? What
would be your guess? 1? 5? 100? 1000?
So far on my system (~2000 installed packages) I observed the failures
of the following projects:

linux
speechd
vde2
sane-backends
timidity
neovim
bluez
samba
weechat
iwd
protobuf
netpbm
mariadb-connector-c
liblqr1
sqlite-odbc-driver
python:typed-ast
python2
perl:XS-Parse-Keyword
pgpdump
ell
SDL-1
ruby-3.1
dnsmasq
ghc
gnupg
ghostscript
procmail
jq
libsndfile
ppp
time
postfix
mcpp
xmlrpc-c
unifdef
hotdoc
mypy
rustc
xorg:libXt
rsync
oniguruma
ltrace
sudo
lsof
lv
dbus-glib
argyllcms
valgrind
postgresql-14
gdb
git
ncompress
w3m
freeglut
xcur2png
vifm
p11-kit
cyrus-sasl
xvidcore
guile
editline
e2fsprogs
gsm
libconfig
db
libtirpc
nghttp2
libkrb5
libgpg-error
cpio
sharutils
gpm
expect
ncurses
yasm
texinfo-6.7
gettext
unzip
gdbm
m4
binutils
ed
gmp
bash

That’s more than 80 packages, or about 4% of all the packages I have
installed.
Looks like gcc-15 will be a disruptive release (just like gcc-14)
that will require quite a few projects to adapt to new requirements
(either by fixing code or by slapping -std=gnu17 as a requirement).
Most of the build failures above are not yet fixed upstream. These can be
good first contribution fixes if you are thinking of making one.
Have fun!


Zero Hydra Failures towards 24.11 NixOS release
2024-11-04T00:00:00Z
ZHF (or Zero Hydra Failures) is the time when most build failures are
squashed before final NixOS-24.11 release
(see full release schedule).
To follow the tradition let’s fix one bug for ZHF.
I picked xorg.libAppleWM build
failure. It’s not a very popular package.
The failure looks trivial:
make[2]: Entering directory '/build/libapplewm-be972ebc3a97292e7d2b2350eff55ae12df99a42/src'
  CC       applewm.lo
gcc: error: unrecognized command-line option '-iframeworkwithsysroot'
The build was happening for x86_64-linux target. While this package
is MacOS-specific: it uses Darwin APIs and links to its libraries
directly. No reason to try to build it on x86_64-linux.
The fix is to constrain the package to darwin targets (the default
platforms for xorg packages is unix):
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -171,6 +171,9 @@ self: super:
   libAppleWM = super.libAppleWM.overrideAttrs (attrs: {
     nativeBuildInputs = attrs.nativeBuildInputs ++ [ autoreconfHook ];
     buildInputs =  attrs.buildInputs ++ [ xorg.utilmacros ];
+    meta = attrs.meta // {
+      platforms = lib.platforms.darwin;
+    };
   });

   libXau = super.libXau.overrideAttrs (attrs: {
This fix is now known as
PR#353618.
Parting words
I picked very lazy example of a broken package.
https://github.com/NixOS/nixpkgs/issues/352882 contains more links and
hints on how to find and fix known failures.
As usual contributing towards ZHF is very easy. Give it a try!
Have fun!


xmms2 0.9.4 is out
2024-10-07T00:00:00Z
Tl;DR: xmms2-0.9.4 is out and you can get it at
https://github.com/xmms2/xmms2-devel/releases/tag/0.9.4!
xmms2 is still a music player
daemon with various plugins to support stream decoding and
transformation. See
older announcement on how to
get started with xmms2.
Highlights
It’s a small maintenance release. The only notable change is support for
ffmpeg-7 as a build dependency.
Have fun!


gcc-15 bugs, pile 1
2024-08-25T00:00:00Z
About 4 months have passed since gcc-14.1.0 release. Around the same
time gcc-15 development has started and a few major changes were
merged into the master development branch.
summary
This time I waited to collect about 20 bug reports I encountered:

c++/114933: mcfgthread-1.6.1
type check failure. Ended up being mcfgthread bug caused by stronger
gcc checks.
tree-optimization/114872: sagemath
SIGSEGVed due to broken assumptions around setjmp() / longjmp().
Not a gccbug either.
target/115115: highway-1.0.7 test
suite expected too specific _mm_cvttps_epi32() semantics. A gcc-12
regression!
target/115146: highway-1.0.7 test
suite exposed gcc-15 bug in vectoring bswap16()-like code.
tree-optimization/115227: libepoxy,
p11-kit and doxygen can’t fit in RAM of 32-bit gcc due to memory
leak in value range propagation subsystem.
target/115397: numpy ICE for -m32:
gcc code generator generated a constant pool memory reference and
crashed in instruction selection.
c++/115403: highway build failure
due to wrong scope handling of #pragma GCC target by gcc.
tree-optimization/115602:
liblapack-3.12.0 ICE in slp pass. gcc generated a self-reference
cycle after applying code sub-expression elimination.
bootstrap/115655: gcc bootstrap
failure on -Werror=unused-function.
libstdc++/115797: gcc failed to
compile extern "C" { #include  } code.  was fixed
to survive such imports.
middle-end/115863: wrong code on
zlib when handling saturated logic. A bug in truncation handling.
rtl-optimization/115916: wrong code on
highway. Bad arithmetic shift ubsan-related fix in gcc’s own code.
middle-end/115961: wrong code on llvm,
bad bit field truncation handling for sub-byte bitfield sizes. Saturated
truncation arithmetics handling was applied too broadly.
tree-optimization/115991: ICE on
linux-6.10. Caused by too broad acceptance of sub-register use in an
instruction. ENded up selecting invalid instructions.
rtl-optimization/116037: python3
hang up due to an -fext-dce bug.
rtl-optimization/116200: crash during
gcc bootstrap, wrong code on libgcrypt. A bug in RTL constant pool
handling.
rtl-optimization/116353: ICE on
glibc-2.39. Another RTL bug where gcc instruction selector was
presented with invalid value reference.
middle-end/116411: ICE on
readline-8.2p13. Conditional operation was incorrectly optimized for
some of built-in functions used in branches.
tree-optimization/116412: ICE on
openblas-0.3.28. Similar to the above: conditional operation was
incorrectly optimized for complex types.

fun bug
The zlib bug is probably the most
unusual one. Due to a typo in newly introduced set of optimizations
gcc managed to convert a > b ? b : a type of expressions into an
equivalent of b > a ? b : a. But it only does it for b = INT_MAX
type of arguments (case of saturation).
As a result it only broke zlib test suite as it specifically tests for
out of range access to cause SIGSEGV. For well-behaved inputs it never
caused any problems. The gcc fix
was trivial:
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -9990,7 +9990,7 @@
   rtx sat = force_reg (DImode, GEN_INT (GET_MODE_MASK (mode)));
   rtx dst;

-  emit_insn (gen_cmpdi_1 (op1, sat));
+  emit_insn (gen_cmpdi_1 (sat, op1));

   if (TARGET_CMOVE)
     {
@@ -10026,7 +10026,7 @@
   rtx sat = force_reg (SImode, GEN_INT (GET_MODE_MASK (mode)));
   rtx dst;

-  emit_insn (gen_cmpsi_1 (op1, sat));
+  emit_insn (gen_cmpsi_1 (sat, op1));

   if (TARGET_CMOVE)
     {
@@ -10062,7 +10062,7 @@
   rtx sat = force_reg (HImode, GEN_INT (GET_MODE_MASK (QImode)));
   rtx dst;

-  emit_insn (gen_cmphi_1 (op1, sat));
+  emit_insn (gen_cmphi_1 (sat, op1));

   if (TARGET_CMOVE)
     {
We swap argument order to restore original intent.
histograms
Where did most gcc bugs come from?

tree-optimization: 4
rtl-optimization: 4
middle-end: 3
target: 3
c++: 1
bootstrap: 1
libstdc++: 1

As usual tree-optimization is at the top of subsystem causing troubles.
But this time rtl-optimization got close to it as well.
highway managed to yield us 4 new bugs while llvm got us just one
new bug.
parting words
gcc-15 got a few very nice optimizations (and bugs) related to
saturated truncation, zero/sign-extension elimination, constant folding
in RTL.
I saw at least 5 bugs related to wrong code generation (I’m also
slowly reducing another one in the background). middl-end ones
were easy to reduce and explore, RTL ones were very elusive.
The most disruptive change is probably a removal of #include 
from one of libstdc++ headers. That requires quite a few upstream
fixes to add missing headers (cppdap,
woff2,
graphite,
glslang,
widelands,
wesnoth and many others).
Have fun!


gcc-15 template checking improvements
2024-07-22T00:00:00Z
Tl;DR
On 18 Jul gcc
merged
extended correctness checks for template functions. This will cause some
incorrect unused code to fail to compile. Consider fixing or deleting
the code. I saw at least two projects affected by it:

aspell
mjpegtools

more words
c++ is a complex language with a type system that does static checking.
Most of the time checking the type correctness is easy by both human and
the compiler. But sometimes it’s less trivial. Namespaces and function
arguments can bring various declarations into the scope. Template code
splits a single definition point into two: template definition point
and template instantiation.
Let’s look at a simple example:
template  struct S {
    int foo(void) { return bar(); }
};

int bar() { return 42; }

int main() {
    S v;
    return v.foo();
}
This fails to build on all recent gcc as:
$ g++ -c a.cc
a.cc: In member function 'int S::foo()':
a.cc:2:28: error: there are no arguments to 'bar' that depend on a
  template parameter, so a declaration of 'bar' must be available [-fpermissive]
    2 |     int foo(void) { return bar(); }
      |                            ^~~
a.cc:2:28: note: (if you use '-fpermissive', G++ will accept your code,
  but allowing the use of an undeclared name is deprecated)
gcc really wants bar to be visible at the template instantiation
time. But what is we don’t call foo at all?
template  struct S {
    int foo(void) { return bar(); }
};

int main() {}
Still fails the same:
$ g++ -c a.cc
a.cc: In member function 'int S::foo()':
a.cc:2:28: error: there are no arguments to 'bar' that depend on a
  template parameter, so a declaration of 'bar' must be available [-fpermissive]
    2 |     int foo(void) { return bar(); }
      |                            ^~~
a.cc:2:28: note: (if you use '-fpermissive', G++ will accept your code,
  but allowing the use of an undeclared name is deprecated)
That is neat: even if you never try to instantiate a function gcc
still tries to do basic checks on it.
But what if we call foo() via this pointer explicitly?
template  struct S {
    int foo(void) { return this->bar(); }
};

int main() {}
Is it valid c++?
gcc-14 says it’s fine:
$ g++-14 -c a.cc

Is there a way to somehow make bar() available via this? Maybe, via
inheritance? Apparently, no. gcc-15 now flags the code above as
unconditionally invalid:
$ g++-15 -c a.cc
a.cc: In member function 'int S::foo()':
a.cc:2:34: error: 'struct S' has no member named 'bar'
    2 |     int foo(void) { return this->bar(); }
      |                                  ^~~
To get it to work you need something like a
CRTP
pattern:
// Assume Derived::bar() will be provided.
template  struct S {
    int foo(void) { return static_cast(this)->bar(); }
};

int main() {}
Interestingly the above problem pops up time to time in real projects in
template code that was not tried after refactors. One such example is an
aspell bug:
  template
  void VectorHashTable::recalc_size() {
    size_ = 0;
    for (iterator i = begin(); i != this->e; ++i, ++this->_size);
  }
gcc-14 built it just fine. gcc-15 started rejecting the build as:
In file included from modules/speller/default/readonly_ws.cpp:51:
modules/speller/default/vector_hash-t.hpp:
  In member function 'void aspeller::VectorHashTable::recalc_size()':
modules/speller/default/vector_hash-t.hpp:186:43:
  error: 'class aspeller::VectorHashTable' has no member named 'e'
  186 |     for (iterator i = begin(); i != this->e; ++i, ++this->_size);
      |                                           ^
modules/speller/default/vector_hash-t.hpp:186:59:
  error: 'class aspeller::VectorHashTable' has no member named '_size'; did you mean 'size'?
  186 |     for (iterator i = begin(); i != this->e; ++i, ++this->_size);
      |                                                           ^~~~~
      |                                                           size
VectorHashTable does not contain _size field, but it does contain
size_ (used just a line before). e field is not a thing either.
The change is simple:
--- a/modules/speller/default/vector_hash-t.hpp
+++ b/modules/speller/default/vector_hash-t.hpp
@@ -183,7 +183,7 @@ namespace aspeller {
   template
   void VectorHashTable::recalc_size() {
     size_ = 0;
-    for (iterator i = begin(); i != this->e; ++i, ++this->_size);
+    for (iterator i = begin(), e = end(); i != e; ++i, ++size_);
   }

 }
Or you could also delete the function if it was broken like that for a
while.
Another example is mjpegtools bug:
// The commented-out method prototypes are methods to be implemented by
// subclasses.  Not all methods have to be implemented, depending on
// whether it's appropriate for the subclass, but that may impact how
// widely the subclass may be used.
template 
class Region2D
{
  public:
    // ...

    template 
    void UnionDebug (Status_t &a_reStatus,
        REGION_O &a_rOther, REGION_TEMP &a_rTemp);

    // bool DoesContainPoint (INDEX a_tnY, INDEX a_tnX);

    // ...
}

template 
template 
void
Region2D::UnionDebug (Status_t &a_reStatus, INDEX a_tnY,
    INDEX a_tnXStart, INDEX a_tnXEnd, REGION_TEMP &a_rTemp)
{
    // ...
            if (!((rHere.m_tnY == a_tnY
                && (tnX >= a_tnXStart && tnX < a_tnXEnd))
            || this->DoesContainPoint (rHere.m_tnY, tnX)))
                goto error;
    // ...
}
Here mjpegtools assumes that DoesContainPoint should come from
derived type. But modern c++ just does allow it to be defined like that:
In file included from SetRegion2D.hh:12,
                 from MotionSearcher.hh:15,
                 from newdenoise.cc:19:
Region2D.hh: In member function 'void Region2D::UnionDebug(Status_t&, INDEX, INDEX, INDEX, REGION_TEMP&)':
Region2D.hh:439:34: error: 'class Region2D' has no member named 'DoesContainPoint'
  439 |                         || this->DoesContainPoint (rHere.m_tnY, tnX)))
      |                                  ^~~~~~~~~~~~~~~~
The fix just deleted these
unusable functions. An alternative fix would need to look closer to a
CRTP tweak in our contrived example. But it’s a bit more invasive change.
parting words
gcc-15 will reject more invalid unusable c++ code in uninstantiated
templates. The simplest code change might be to just delete broken code.
More involved fix would require some knowledge of the codebase to fix
the declaration lookups (or to fix obvious typos).
Have fun!


seekwatcher 0.15
2024-07-07T00:00:00Z
seekwatcher-0.15 is here!
seekwatcher is a tool to visualize access to the block device.
It’s been 2.5 years since seekwatcher-0.14 release.
The only change is the switch from mencoder to ffmpeg tool. While at
it default codec is switched from MPEG2 to H264.
As usual here is the program’s result ran against btrfs scrub on my
device:
$ seekwatcher -t scrub.trace -p 'echo 3 > /proc/sys/vm/drop_caches; sync; btrfs scrub start -B /' -d /dev/nvme1n1p2
$ seekwatcher -t scrub.trace -o scrub.mpeg --movie
$ seekwatcher -t scrub.trace -o scrub.png
Outputs:

image (127K)
video (926K)

H264 makes video size comparable to the image report size.
Have fun!


blog tweaks
2024-07-06T00:00:00Z
Tl;DR
A few changes happened to this blog in the past few weeks:

RSS feed and web pages no longer embed svg images into 
and include them via .
This fixes RSS readers like miniflux but might break others. At
least now there should be an icon in place of a missing picture
instead of just stripped tags.
As a small bonus RSS feed should not be as large to download.
RSS feed now includes source code snippets without syntax
highlighting.
I never included css style into rss feed. highlighting-kate uses
various tags and decorates them with links heavily. This change fixes
source code rendering in liferea.
RSS feed now embeds https:// self-links instead of http://
(except for a few recent entries to avoid breaking reading history).

More words
I started this blog in 2010. In 2013 I moved it to
hakyll static site generator. The
initial version was just
88 lines of haskell code.
I did not know much about hakyll back then and I kept it that way for
about 10 years: it just worked for me. The only thing I missed were
tag-based RSS feeds and article breakdown per tag. It prevented the
blog from being added to thematic RSS aggregators like
Planet Gentoo. But it was not a big deal.
I though I would add it “soon” and never did.
The only “non-trivial” tweaks I did were
dot support
and gunplot support.
Fast forward to 2024 a few weeks ago I boasted to my friend how cool my
new gnuplot embeddings are. To what the response was “What pictures?”.
Apparently miniflux does not like  tags embedded into 
and strips them away leaving only bits of </code> tags that almost
looks like original <code>graphviz</code> input :)</p>
<p>That meant my cool hack with <code>svg</code> embedding did not quite work for
<code>RSS</code> feed. I moved all the embeddings into separate <code>.svg</code> files with
<a href="https://github.com/trofi/trofi.github.io.gen/commit/12812bab87ce4bdff91227527d543ee3ac2161a9">this change</a>.</p>
<p>It’s not a big change, but it does violate some <code>hakyll</code> assumptions.
Apparently <code>hakyll</code> can output only one destination file for a source
file. For example, <code>foo.md</code> can only produce <code>foo.html</code> and not <code>foo.html</code>
plus indefinite amount of pictures. There is a
<a href="https://jaspervdj.be/hakyll/tutorials/06-versions.html">version support</a>
in <code>hakyll</code>, but it assumes that we know number of outputs upfront. It’s
not really usable for cases like <code>N</code> unknown outputs from an input. To
work it around I’m writing all the auxiliary files without the <code>hakyll</code>
dependency tracker knowledge. I do it by defining <code>Writable</code> instance:</p>
<pre class="haskell"><code>data PWI = PWI {
    pandoc :: H.Item String
  , inlines :: [(String, H.Item DBL.ByteString)]
} deriving (GG.Generic)

deriving instance DB.Binary PWI

instance H.Writable PWI where
    write path item = do
        -- emit page itself:
        let PWI pand inls = H.itemBody item
        H.write path pand
        -- emit inlines nearby:
        CM.forM_ inls $ \(fp, contents) -> do
            H.makeDirectories fp
            H.write fp contents</code></pre>
<p>Here <code>inlines</code> is the list of pairs of filenames and their contents to
write on disk and <code>pandoc</code> is the primary content one would normally
write as <code>H.Item String</code>.</p>
<p>While at it, I disabled syntax highlighting in <code>RSS</code> feed as <code>liferea</code>
rendered highlighted source as an unreadable mess. And <code>miniflux</code> just
stripped out all the links and styles. <a href="https://github.com/trofi/trofi.github.io.gen/commit/1dc9d5a9d6b54db928f3fdaef1c0dcb4b6d567df">The change</a>
is somewhat long, but it’s gist is a single extra <code>writerHighlightStyle</code>
option passed to <code>pandoc</code> render:</p>
<pre class="haskell"><code>pandocRSSWriterOptions :: TPO.WriterOptions
pandocRSSWriterOptions = pandocWriterOptions{
    -- disable highlighting
    TPO.writerHighlightStyle = Nothing
}</code></pre>
<p>The last thing I changed was to switch from <code>http://</code> links to
<code>https://</code> links by default. In theory it’s a
<a href="https://github.com/trofi/trofi.github.io.gen/commit/cfc80bb575c1b131225c43c1fed47ff639540bd9">one-character change</a>.
In practice that would break unread history for all <code>RSS</code> users. I worked
it around by restoring <code>http://</code> root link for current <code>RSS</code> entries
with <a href="https://github.com/trofi/trofi.github.io.gen/commit/6b1883a1b23f6965314bfd2b55cb3e9e6a42ec16">metadata change</a>.</p>
<p>That way all new posts should contain <code>https://</code> root links and all
site-local links should automatically become <code>https://</code> links.</p>
<p>Still no tag support. Maybe later.</p>
<p>Have fun!</p>
</article>
<article>
<h1>probabilities are hard</h1>
<p>2024-06-23T00:00:00Z</p>
<h2 id="make---shuffle-background"><code>make --shuffle</code> background</h2>
<p><a href="https://trofi.github.io/posts/238-new-make-shuffle-mode.html">A while ago</a> I added <code>--shuffle</code>
mode to <code>GNU make</code> to shake out missing dependencies in build rules of
<code>make</code>-based build systems. It managed to find
<a href="https://trofi.github.io/posts/249-an-update-on-make-shuffle.html">a few bugs</a> since.</p>
<h2 id="the-shuffling-algorithm">the shuffling algorithm</h2>
<p>The core function of <code>--shuffle</code> is to generate one random permutation
of prerequisites for a target. I did not try to implement anything
special. I searched for “random shuffle” and got
<a href="https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle">Fisher–Yates shuffle</a>
link from <code>wikipedia</code>, skimmed the page and came up with this algorithm:</p>
<pre class="c"><code>/* Shuffle array elements using RAND().  */
static void
random_shuffle_array (void **a, size_t len)
{
  size_t i;
  for (i = 0; i < len; i++)
    {
      void *t;

      /* Pick random element and swap. */
      unsigned int j = rand () % len;
      if (i == j)
        continue;

      /* Swap. */
      t = a[i];
      a[i] = a[j];
      a[j] = t;
    }
}</code></pre>
<p>The diagram of a single step looks this way:</p>

<p>The implementation looked so natural: we attempt to shuffle each element
with another element chosen randomly using equal probability (assuming
<code>rand () % len</code> is unbiased). At least it seemed to produce random
results.</p>
<p><strong>Quiz question</strong>: do you see the bug in this implementation?</p>
<p>This version was shipped in <code>make-4.4.1</code>.
I ran <code>make</code> from <code>git</code> against <code>nixpkgs</code> and discovered a ton of
parallelism bugs. I could not be happier than that. I never got to
actual testing the quality of permutation probabilities.</p>
<h2 id="bias-in-initial-implementation">bias in initial implementation</h2>
<p>Artem Klimov had a closer look at it and discovered a bug in the
algorithm above! The algorithm has a common implementation error for
Fisher–Yates
<a href="https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Implementation_errors">documented</a>
on the very page I looked at before /o\. Artem demonstrated problems of
permutation quality on the following trivial <code>Makefile</code>:</p>
<pre class="makefile"><code>all: test1 test2 test3 test4 test5 test6 test7 test8;

test%:
	mkdir -p tests
	echo $@ > tests/$@

test8:
	# no mkdir
	echo 'override' > tests/$@</code></pre>
<p>This test was supposed to fail <code>12.5%</code> of the time in <code>--shuffle</code> mode:
only when <code>test8</code> is scheduled as the first to execute. Alas the test
when ran over thousands runs failed with <code>10.1%</code> probability. That is
<code>2%</code> too low.</p>
<p>Artem also provided a fixed version of the shuffle implementation:</p>
<pre class="c"><code>static void
random_shuffle_array (void **a, size_t len)
{
  size_t i;
  for (i = len - 1; i >= 1; i--)
    {
      void *t;

      /* Pick random element and swap. */
      unsigned int j = make_rand () % (i + 1);

      /* Swap. */
      t = a[i];
      a[i] = a[j];
      a[j] = t;
    }
}</code></pre>
<p>The diagram of a single step looks this way:</p>

<p>Note how this version makes sure that shuffled indices (“gray” color)
never gets considered for future shuffle iterations.</p>
<p>At least for me it’s more obvious to see why this algorithm does not
introduce any biases. But then again I did not suspect problems in the
previous one either. I realized I don’t have a good intuition on why the
initial algorithm manages to produce biases. Where does bias come from
if we pick the target element with equal probability from all the
elements available?</p>
<h1 id="a-simple-test">a simple test</h1>
<p>To get the idea how the bias looks like I wrote a tiny program:</p>
<pre class="c"><code>// $ cat a.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define LEN 3
static int a[LEN];

static void random_shuffle_array (void) {
  for (size_t i = 0; i < LEN; i++) {
      unsigned int j = rand () % LEN;
      int t = a[i]; a[i] = a[j]; a[j] = t;
    }
}

static void random_shuffle_array_fixed (void) {
  for (size_t i = LEN - 1; i >= 1; i--) {
      unsigned int j = rand () % (i + 1);
      int t = a[i]; a[i] = a[j]; a[j] = t;
    }
}

static void do_test(const char * name, void(*shuffler)(void)) {
    size_t hist[LEN][LEN];
    memset(hist, 0, sizeof(hist));

    size_t niters = 10000000;

    printf("%s shuffle probability over %zu iterations:\n", name, niters);
    for (size_t iter = 0; iter < niters; ++iter) {
        // Initialize array `a` with { `0`,  ..., `LEN - 1` }.
        for (size_t i = 0; i < LEN; ++i) a[i] = i;
        shuffler ();
        for (size_t i = 0; i < LEN; ++i) hist[i][a[i]] += 1;
    }

    int prec_digits = 3; /* 0.??? */
    int cell_width = 3 + prec_digits; /* " 0.???" */

    printf("%*s  ", cell_width, "");
    for (size_t j = 0; j < LEN; ++j)
        printf("%*zu", cell_width, j);
    puts("");

    for (size_t i = 0; i < LEN; ++i) {
        printf("%*zu |", cell_width, i);
        for (size_t j = 0; j < LEN; ++j)
            printf(" %.*f", prec_digits, (double)(hist[i][j]) / (double)(niters));
        puts("");
    }
}

int main() {
    srand(time(NULL));
    do_test("broken", &random_shuffle_array);
    puts("");
    do_test("fixed", &random_shuffle_array_fixed);
}</code></pre>
<p>Here the program implement both current (broken) and new (fixed) shuffle
implementations. The histogram is collected over 10 million runs.
Then it prints a probability of each element to be found at a location.
We shuffle an array of <code>LEN = 3</code> elements: <code>{ 0, 1, 2, }</code>.
Here is the output of the program:</p>
<pre><code>$ gcc a.c -o a -O2 -Wall && ./a
broken shuffle probability over 10000000 iterations:
             0     1     2
     0 | 0.333 0.370 0.296
     1 | 0.333 0.297 0.370
     2 | 0.334 0.333 0.333

fixed shuffle probability over 10000000 iterations:
             0     1     2
     0 | 0.333 0.333 0.334
     1 | 0.333 0.334 0.333
     2 | 0.333 0.333 0.333</code></pre>
<p>Here the program tells us that:</p>
<ul>
<li>broken version of the shuffle moves element <code>0</code> to <code>1</code> position <code>37%</code> of the time</li>
<li>broken version moves element <code>0</code> to <code>2</code> position <code>29.6%</code> of the time</li>
<li>fixed version is much closed to uniform distribution and has roughly
<code>33.3%</code> <code>0->1</code> and <code>0->2</code> probabilities</li>
</ul>
<p>The same data above in plots:</p>

<h2 id="a-bit-of-arithmetic">a bit of arithmetic</h2>
<p>To get a bit better understanding of the bias let’s get exact probability
value for each element move for 3-element array.</p>
<h3 id="broken-version">broken version</h3>
<p>To recap the implementation we are looking at here is:</p>
<pre class="c"><code>void random_shuffle_array (void) {
  for (size_t i = 0; i < LEN; i++) {
      unsigned int j = rand () % LEN;
      int t = a[i]; a[i] = a[j]; a[j] = t;
    }
}</code></pre>
<p>Let’s start from broken shuffle with <code>1/(N+1)</code> shuffle probability.</p>
<p>Our initial array state is <code>{ 0, 1, 2, }</code> with probability <code>1/1</code>
(or <code>100%</code>) for each already assigned value:</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>1/1</code></li>
<li>value <code>1</code>: <code>0/1</code></li>
<li>value <code>2</code>: <code>0/1</code></li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>0/1</code></li>
<li>value <code>1</code>: <code>1/1</code></li>
<li>value <code>2</code>: <code>0/1</code></li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>0/1</code></li>
<li>value <code>1</code>: <code>0/1</code></li>
<li>value <code>2</code>: <code>1/1</code></li>
</ul></li>
</ul>
<p>On each iteration <code>i</code> we perform the actions below:</p>
<ul>
<li>at <code>i</code> position: <code>1/3</code> probability of swapping any of the possible elements</li>
<li>at non-<code>i</code> positions: <code>2/3</code> probability of keeping and old element (and <code>1/3</code>
probability of absorbing value at <code>i</code> position mentioned in the previous bullet)</li>
</ul>
<p>Thus after first shuffle step at <code>i=0</code> our probability state will be:</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>1.0</code>)</li>
<li>value <code>1</code>: <code>1/3</code> (was <code>0.0</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>0.0</code>)</li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>0.0</code>)</li>
<li>value <code>1</code>: <code>2/3</code> (was <code>1.0</code>)</li>
<li>value <code>2</code>: <code>0/3</code> (was <code>0.0</code>)</li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>0.0</code>)</li>
<li>value <code>1</code>: <code>0/3</code> (was <code>0.0</code>)</li>
<li>value <code>2</code>: <code>2/3</code> (was <code>1.0</code>)</li>
</ul></li>
</ul>
<p>So far so good: element <code>0</code> has even probability among all 3 elements,
and elements <code>1</code> and <code>2</code> decreased their initial probabilities from <code>1/1</code>
down to <code>2/3</code>.</p>
<p>Let’s trace through next <code>i=1</code> step. After that the updated state will be:</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>3/9</code> (was <code>1/3</code>)</li>
<li>value <code>1</code>: <code>4/9</code> (was <code>1/3</code>)</li>
<li>value <code>2</code>: <code>2/9</code> (was <code>1/3</code>)</li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>3/9</code> (was <code>1/3</code>)</li>
<li>value <code>1</code>: <code>3/9</code> (was <code>2/3</code>)</li>
<li>value <code>2</code>: <code>3/9</code> (was <code>0/3</code>)</li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>3/9</code> (was <code>1/3</code>)</li>
<li>value <code>1</code>: <code>2/9</code> (was <code>0/3</code>)</li>
<li>value <code>2</code>: <code>4/9</code> (was <code>2/3</code>)</li>
</ul></li>
</ul>
<p>Again, magically current (<code>i=1</code>) element got perfect balance. Zero
probabilities are gone by now.</p>
<p>Final <code>i=2</code> step yields this:</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>9/27</code> (was <code>3/9</code>)</li>
<li>value <code>1</code>: <code>10/27</code> (was <code>4/9</code>)</li>
<li>value <code>2</code>: <code>8/27</code> (was <code>2/9</code>)</li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>9/27</code> (was <code>3/9</code>)</li>
<li>value <code>1</code>: <code>8/27</code> (was <code>3/9</code>)</li>
<li>value <code>2</code>: <code>10/27</code> (was <code>3/9</code>)</li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>9/27</code> (was <code>3/9</code>)</li>
<li>value <code>1</code>: <code>9/27</code> (was <code>2/9</code>)</li>
<li>value <code>2</code>: <code>9/27</code> (was <code>4/9</code>)</li>
</ul></li>
</ul>
<p>The same state sequence in diagrams:</p>

<p>Note that final probabilities differ slightly: <code>8/27</code>, <code>9/27</code> and <code>10/27</code>
are probabilities where all should have been <code>9/27</code> (or <code>1/3</code>). This
matches observed values above!</p>
<p>The bias comes from the fact that each shuffle step affects probabilities
of all cells, not just immediately picked cells for a particular shuffle.
That was very hard to grasp for me just by glancing at the algorithm!</p>
<h3 id="fixed-version">Fixed version</h3>
<p>To recap the implementation we are looking at here is:</p>
<pre class="c"><code>void random_shuffle_array_fixed (void) {
  for (size_t i = LEN - 1; i >= 1; i--) {
      unsigned int j = rand () % (i + 1);
      int t = a[i]; a[i] = a[j]; a[j] = t;
    }
}</code></pre>
<p>Now let’s look at a shuffle with <code>1/(i+1)</code> probability.
Our initial state is the same <code>{ 0, 1, 2, }</code> with probabilities <code>1/1</code>:</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>1/1</code></li>
<li>value <code>1</code>: <code>0/1</code></li>
<li>value <code>2</code>: <code>0/1</code></li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>0/1</code></li>
<li>value <code>1</code>: <code>1/1</code></li>
<li>value <code>2</code>: <code>0/1</code></li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>0/1</code></li>
<li>value <code>1</code>: <code>0/1</code></li>
<li>value <code>2</code>: <code>1/1</code></li>
</ul></li>
</ul>
<p>As the algorithm iterated over the array backwards we start from <code>i=2</code>
(<code>N=3</code>).</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>2/3</code> (was <code>1/1</code>)</li>
<li>value <code>1</code>: <code>0/3</code> (was <code>0/1</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>0/1</code>)</li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>0/3</code> (was <code>0/1</code>)</li>
<li>value <code>1</code>: <code>2/3</code> (was <code>1/1</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>0/1</code>)</li>
</ul></li>
<li>probability at index <code>2</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>0/1</code>)</li>
<li>value <code>1</code>: <code>1/3</code> (was <code>0/1</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>1/1</code>)</li>
</ul></li>
</ul>
<p>As expected the probabilities are the mirror image of the first step of
the broken implementation.</p>
<p>The next step though is a bit different: <code>i=1</code> (<code>N=2</code>). It effectively
averages probabilities at index <code>0</code> and index <code>1</code>.</p>
<ul>
<li>probability at index <code>0</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>2/3</code>)</li>
<li>value <code>1</code>: <code>1/3</code> (was <code>0/3</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>1/3</code>)</li>
</ul></li>
<li>probability at index <code>1</code>:
<ul>
<li>value <code>0</code>: <code>1/3</code> (was <code>0/3</code>)</li>
<li>value <code>1</code>: <code>1/3</code> (was <code>2/3</code>)</li>
<li>value <code>2</code>: <code>1/3</code> (was <code>1/3</code>)</li>
</ul></li>
<li>probability at index <code>2</code> (unchanged):
<ul>
<li>value <code>0</code>: <code>1/3</code></li>
<li>value <code>1</code>: <code>1/3</code></li>
<li>value <code>2</code>: <code>1/3</code></li>
</ul></li>
</ul>
<p>Or the same in diagrams:</p>

<p>The series are a lot simpler than the broken version: on each step
handled element always ends up with identical expected probabilities.
Its so much simpler!</p>
<h2 id="element-bonus">30-element bonus</h2>
<p>Let’s look at the probability table for an array of 30-elements. The
only change I did for the program above is to change <code>LEN</code> from <code>3</code> to
<code>30</code>:</p>

<p>This plot shows a curious <code>i == j</code> cut off line where probability changes
drastically:</p>
<ul>
<li><code>15->15</code> (or any <code>i->i</code>) shuffle probability is lowest and is about <code>2.8%</code></li>
<li><code>15->16</code> (or any <code>i->i+1</code>) shuffle probability is highest and is about <code>4.0%</code></li>
</ul>
<h2 id="make---shuffle-bias-fix"><code>make --shuffle</code> bias fix</h2>
<p>I posted Artem’s fix upstream for inclusion as
<a href="https://mail.gnu.org/archive/html/bug-make/2024-06/msg00008.html">this email</a>:</p>
<pre class="diff"><code>--- a/src/shuffle.c
+++ b/src/shuffle.c
@@ -104,12 +104,16 @@ static void
 random_shuffle_array (void **a, size_t len)
 {
   size_t i;
-  for (i = 0; i < len; i++)
+
+  if (len <= 1)
+    return;
+
+  for (i = len - 1; i >= 1; i--)
     {
       void *t;

       /* Pick random element and swap. */
-      unsigned int j = make_rand () % len;
+      unsigned int j = make_rand () % (i + 1);
       if (i == j)
         continue;
</code></pre>
<h2 id="parting-words">parting words</h2>
<p>Artem Klimov found, fixed and explained the bias in <code>make --shuffle</code>
implementation. Thank you, Artem!</p>
<p>Probabilities are hard! I managed to get wrong seemingly very simple
algorithm. The bias is not too bad: <code>make --shuffle</code> is still able to
produce all possible permutations of the targets. But some of them are
slightly less frequent than the others.</p>
<p>The bias has a curious structure:</p>
<ul>
<li>least likely permutations candidate is <code>i->i</code> “identity” shuffle</li>
<li>most likely permutation candidate is <code>i->i+1</code> “right shift” shuffle</li>
</ul>
<p>At least the initial implementation was not completely broken and still
was able to generate all permutations.</p>
<p>With luck <a href="https://mail.gnu.org/archive/html/bug-make/2024-06/msg00008.html">the fix</a>
will be accepted upstream and we will get more fair <code>--shuffle</code> mode.</p>
<p>Have fun!</p>
</article>
<article>
<h1>inline gnuplot</h1>
<p>2024-06-22T00:00:00Z</p>
<p>Time to time I find myself needing to plot histograms and approximations
in occasional posts.
Similar to <a href="https://trofi.github.io/posts/300-inline-graphviz-dot-in-hakyll.html">inline <code>graphviz</code></a>
support today I added <code>gnuplot</code> <code>svg</code> inlining support into this blog.
The trivial example looks this way:</p>

<p>The above is generated using the following <code>.md</code> snippet:</p>
<pre><code>```{render=gnuplot}
plot [-pi:pi] sin(x)
```</code></pre>
<p><code>hakyll</code> <a href="https://github.com/trofi/trofi.github.io.gen/commit/4fb830628c6923873c0b21b2ac444a73d4d47cee">integration</a>
is also straightforward:</p>
<pre class="haskell"><code>inlineGnuplot :: TP.Block -> Compiler TP.Block
inlineGnuplot cb@(TP.CodeBlock (id, classes, namevals) contents)
  | ("render", "gnuplot") `elem` namevals
  = TP.RawBlock (TP.Format "html") . DT.pack <$> (
      unixFilter "gnuplot"
          [ "--default-settings"
          , "-e", "set terminal svg"
          , "-"]
          (DT.unpack contents))
inlineGnuplot x = return x</code></pre>
<p>Here we call <code>gnuplot --default-settings -e "set terminal svg" -</code> and
pass our script over <code>stdin</code>. Easy!
For those who wonder what <code>gnuplot</code> is capable of have a look at
<a href="http://www.gnuplot.info/demo_svg_4.6/"><code>gnuplot.info</code> demo page</a>.
As a bonus here is the time chart of my commits into <code>nixpkgs</code>:</p>

<p>Have fun!</p>
</article>
<article>
<h1>gcc simd intrinsics bug</h1>
<p>2024-06-16T00:00:00Z</p>
<p><code>highway</code> keeps yielding very interesting <code>gcc</code> bugs. Some of them are
so obscure that I don’t even understand <code>gcc</code> developers’ comments on
where the bug lies: in <code>highway</code> or on <code>gcc</code>. In this post I’ll explore
<a href="https://gcc.gnu.org/PR115161"><code>PR115161</code></a> report here as an example of
how <code>gcc</code> handles <code>simd</code> intrinsics.</p>
<h2 id="simplest-xmm-intrinsics-example">simplest <code>xmm</code> intrinsics example</h2>
<p>Let’s start from an example based on another closely related bug:</p>
<pre class="c"><code>#include <emmintrin.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

int main(void) {
    const __m128i  iv = _mm_set1_epi32(0x4f000000); // 1
    const __m128   fv = _mm_castsi128_ps(iv);       // 2
    const __m128i riv = _mm_cvttps_epi32(fv);       // 3

    uint32_t r[4];
    memcpy(r, &riv, sizeof(r));
    printf("%#08x %#08x %#08x %#08x\n", r[0], r[1], r[2], r[3]);
}</code></pre>
<p>The above example implements a vectored form of <code>(int)2147483648.0</code>
conversion using following steps:</p>
<ol type="1">
<li>Place 4 identical 32-bit integer <code>0x4f000000</code> values into 128-bit
<code>iv</code> variable (likely an <code>xmm</code> register).</li>
<li>Bit cast <code>4 x 0x4f00000</code> into <code>4 x 2147483648.0</code> of 32-bit <code>floats</code>.</li>
<li>Convert <code>4 x 2147483648.0</code> 32-bit <code>floats</code> into <code>4 x int32_t</code> by
truncating the fractional part and leaving the integer one.</li>
<li>Print the conversion result in hexadecimal form.</li>
</ol>
<p>Or the same in pictures:</p>

<p>Note: <code>2147483648.0</code> is exactly 2<sup>31</sup>. Maximum <code>int32_t</code> can hold is
2<sup>31</sup>-1, or <code>2147483647</code> (one less than our value at hand).</p>
<p><strong>Quick quiz: What should this example return? Does it depend on the
compiler options?</strong></p>
<p>In theory those <code>_mm*()</code> compiler intrinsics are tiny wrappers over
corresponding <code>x86_64</code> instructions.
<a href="https://www.intel.com/content/www/us/en/docs/intrinsics-guide/index.html">Intel guide</a>
says that <code>_mm_cvttps_epi32()</code> is a <code>cvttps2dq</code> instruction.</p>
<p>Running the example:</p>
<pre><code>$ gcc -Wall a.c -o a0 -O0 && ./a0
0x80000000 0x80000000 0x80000000 0x80000000

$ gcc -Wall a.c -o a1 -O1 && ./a1
0x7fffffff 0x7fffffff 0x7fffffff 0x7fffffff</code></pre>
<p>Optimization levels do change the behaviour of the code when
overflow happens: sometimes the result is 2<sup>31</sup> and sometimes it’s
2<sup>31</sup>-1. Uh-oh. Let’s have a peek at the assembly of both cases.</p>
<p><code>-O0</code> case:</p>
<pre><code>$ rizin ./a0
[0x00401050]> aaaa
[0x00401050]> s main
[0x00401136]> pdf
            ; DATA XREF from entry0 @ 0x401068
; int main(int argc, char **argv, char **envp);
; ...
          movl  $0x4f000000, var_8ch
          movl  var_8ch, %eax
; ...
          movl  %eax, var_80h
          movd  var_80h, %xmm1
          punpckldq %xmm1, %xmm0
; ...
          movaps %xmm0, var_48h
          cvttps2dq var_48h, %xmm0
          movaps %xmm0, var_78h
          movq  var_78h, %rax
          movq  var_70h, %rdx
          movq  %rax, var_28h
          movq  %rdx, var_20h
          movl  var_1ch, %esi
          movl  var_20h, %ecx
          movl  var_24h, %edx
          movl  var_28h, %eax
          leaq  str.08x___08x___08x___08x, %rdi      ; 0x402004 ; "%#08x %#08x %#08x %#08x\n" ; const char *format
          movl  %esi, %r8d
          movl  %eax, %esi
          movl  $0, %eax
          callq sym.imp.printf                       ; sym.imp.printf ; int printf(const char *format)
; ...</code></pre>
<p>While it’s a lot of superfluous code we do see there <code>cvttps2dq</code>
instruction and <code>printf()</code> call against its result.</p>
<p><code>-O1</code> case:</p>
<pre><code>$ rizin ./a1
[0x00401040]> aaaa
[0x00401040]> s main
[0x00401126]> pdf
            ; DATA XREF from entry0 @ 0x401058
; int main(int argc, char **argv, char **envp);
          subq  $8, %rsp
          movl  $0x7fffffff, %r9d
          movl  $0x7fffffff, %r8d
          movl  $0x7fffffff, %ecx
          movl  $0x7fffffff, %edx
          leaq  str.08x___08x___08x___08x, %rsi      ; 0x402004 ; "%#08x %#08x %#08x %#08x\n"
          movl  $2, %edi
          movl  $0, %eax
          callq sym.imp.__printf_chk                 ; sym.imp.__printf_chk
          movl  $0, %eax
          addq  $8, %rsp
          retq</code></pre>
<p>Here we don’t see <code>cvttps2dq</code> at all! <code>gcc</code> just puts <code>0x7fffffff</code>
constants into registers and calls <code>printf()</code> directly.
For completeness let’s try to find out the exact optimization pass that
performs this constant folding. Normally I would expect it to be a tree
optimization, and thus <code>-fdump-tree-all</code> would tell me where the magic
happens. Alas:</p>
<pre class="c"><code>// $ gcc a.c -o a -O2 -fdump-tree-all && ./a
// $ cat a.c.265t.optimized

;; Function main (main, funcdef_no=574, decl_uid=6511, cgraph_uid=575, symbol_order=574) (executed once)

int main ()
{
  unsigned int _2;
  vector(4) int _3;
  unsigned int _4;
  unsigned int _5;
  unsigned int _6;

  <bb 2> [local count: 1073741824]:
  _3 = __builtin_ia32_cvttps2dq ({ 2.147483648e+9, 2.147483648e+9, 2.147483648e+9, 2.147483648e+9 });
  _2 = BIT_FIELD_REF <_3, 32, 96>;
  _6 = BIT_FIELD_REF <_3, 32, 64>;
  _4 = BIT_FIELD_REF <_3, 32, 32>;
  _5 = BIT_FIELD_REF <_3, 32, 0>;
  __printf_chk (2, "%#08x %#08x %#08x %#08x\n", _5, _4, _6, _2);
  return 0;

}</code></pre>
<p>Here we see that <code>_mm_set1_epi32()</code> and <code>_mm_castsi128_ps()</code> were
“folded” into a <code>2.147483648e+9</code> successfully, but <code>_mm_cvttps_epi32()</code>
was not. And yet the final assembly does not contain the call. Let’s
look at the <code>RTL</code> passes that usually follow <code>tree</code> ones as part
of the optimization:</p>
<pre><code>$ gcc a.c -o a -O2 -fdump-rtl-all-slim && ./a
$ ls -1 *r.*
a.c.266r.expand
a.c.267r.vregs
a.c.268r.into_cfglayout
a.c.269r.jump
a.c.270r.subreg1
a.c.271r.dfinit
a.c.272r.cse1
a.c.273r.fwprop1
a.c.274r.cprop1
a.c.275r.pre
a.c.277r.cprop2
a.c.280r.ce1
a.c.281r.reginfo
a.c.282r.loop2
a.c.283r.loop2_init
a.c.284r.loop2_invariant
a.c.285r.loop2_unroll
a.c.287r.loop2_done
a.c.290r.cprop3
a.c.291r.stv1
a.c.292r.cse2
a.c.293r.dse1
a.c.294r.fwprop2
a.c.296r.init-regs
a.c.297r.ud_dce
a.c.298r.combine
a.c.300r.stv2
a.c.301r.ce2
a.c.302r.jump_after_combine
a.c.303r.bbpart
a.c.304r.outof_cfglayout
a.c.305r.split1
a.c.306r.subreg3
a.c.308r.mode_sw
a.c.309r.asmcons
a.c.314r.ira
a.c.315r.reload
a.c.316r.postreload
a.c.319r.split2
a.c.320r.ree
a.c.321r.cmpelim
a.c.322r.pro_and_epilogue
a.c.323r.dse2
a.c.324r.csa
a.c.325r.jump2
a.c.326r.compgotos
a.c.328r.peephole2
a.c.329r.ce3
a.c.331r.fold_mem_offsets
a.c.332r.cprop_hardreg
a.c.333r.rtl_dce
a.c.334r.bbro
a.c.335r.split3
a.c.336r.sched2
a.c.338r.stack
a.c.340r.zero_call_used_regs
a.c.341r.alignments
a.c.343r.mach
a.c.344r.barriers
a.c.349r.shorten
a.c.350r.nothrow
a.c.351r.dwarf2
a.c.352r.final
a.c.353r.dfinish</code></pre>
<p>It’s a long list of passes! Let’s look at the first <code>266r.expand</code>:</p>
<pre><code>$ cat a.c.266r.expand
;;
;; Full RTL generated for this function:
;;
    1: NOTE_INSN_DELETED
    3: NOTE_INSN_BASIC_BLOCK 2
    2: NOTE_INSN_FUNCTION_BEG
    5: r106:V4SF=vec_duplicate([`*.LC1'])
    6: r105:V4SF=r106:V4SF
      REG_EQUAL const_vector
    7: r104:V4SI=fix(r105:V4SF)

    8: r99:V4SI=r104:V4SI
    9: r108:V4SI=vec_select(r99:V4SI,parallel)
   10: r107:SI=vec_select(r108:V4SI,parallel)
   11: r110:V4SI=vec_select(vec_concat(r99:V4SI,r99:V4SI),parallel)
   12: r109:SI=vec_select(r110:V4SI,parallel)
   13: r112:V4SI=vec_select(r99:V4SI,parallel)
   14: r111:SI=vec_select(r112:V4SI,parallel)
   15: r113:SI=vec_select(r99:V4SI,parallel)
   16: r114:DI=`*.LC2'
   17: r9:SI=r107:SI
   18: r8:SI=r109:SI
   19: cx:SI=r111:SI
   20: dx:SI=r113:SI
   21: si:DI=r114:DI
   22: di:SI=0x2
   23: ax:QI=0
   24: ax:SI=call [`__printf_chk'] argc:0
      REG_CALL_DECL `__printf_chk'
   25: r103:SI=0
   29: ax:SI=r103:SI
   30: use ax:SI</code></pre>
<p>Here <code>V4SF</code> means the vector type of 4 floats, <code>V4SI</code> is a vector type
of 4 <code>int</code>, <code>SI</code> is an <code>int</code> type, <code>DI</code> is a <code>long</code> type. It looks like
our <code>float->int32_t</code> conversion happens in two early <code>RTL</code> instructions:</p>
<pre><code>    5: r106:V4SF=vec_duplicate([`*.LC1'])
    6: r105:V4SF=r106:V4SF
      REG_EQUAL const_vector
    7: r104:V4SI=fix(r105:V4SF)</code></pre>
<p>The rest of <code>RTL</code> code is extraction of that result as <code>printf()</code>
arguments. It’s a lot of superfluous data moves. Later optimizations
should clean it up and assign “hardware” registers like <code>r9</code> to virtual
registers like <code>r108</code>. For completeness final <code>353r.dfinish</code> looks this
way:</p>
<pre><code>$ cat a.c.353r.dfinish

;; Function main (main, funcdef_no=574, decl_uid=6511, cgraph_uid=575, symbol_order=574) (executed once)

    1: NOTE_INSN_DELETED
    3: NOTE_INSN_BASIC_BLOCK 2
    2: NOTE_INSN_FUNCTION_BEG
   34: {sp:DI=sp:DI-0x8;clobber flags:CC;clobber [scratch];}
      REG_UNUSED flags:CC
      REG_CFA_ADJUST_CFA sp:DI=sp:DI-0x8
   35: NOTE_INSN_PROLOGUE_END
   19: cx:SI=0x7fffffff
   20: dx:SI=0x7fffffff
   44: {ax:DI=0;clobber flags:CC;}
      REG_UNUSED flags:CC
   17: r9:SI=0x7fffffff
   18: r8:SI=0x7fffffff
   22: di:SI=0x2
   32: si:DI=`*.LC2'
      REG_EQUIV `*.LC2'
   24: ax:SI=call [`__printf_chk'] argc:0
      REG_DEAD r9:SI
      REG_DEAD r8:SI
      REG_DEAD di:SI
      REG_DEAD si:DI
      REG_DEAD cx:SI
      REG_DEAD dx:SI
      REG_UNUSED ax:SI
      REG_CALL_DECL `__printf_chk'
   45: {ax:DI=0;clobber flags:CC;}
      REG_UNUSED flags:CC
   46: NOTE_INSN_EPILOGUE_BEG
   37: {sp:DI=sp:DI+0x8;clobber flags:CC;clobber [scratch];}
      REG_UNUSED flags:CC
      REG_CFA_ADJUST_CFA sp:DI=sp:DI+0x8
   30: use ax:SI
   38: simple_return
   41: barrier
   33: NOTE_INSN_DELETED</code></pre>
<p>Here we don’t have <code>fix()</code> calls any more. <code>printf()</code> call already
contains immediate <code>r8:SI=0x7fffffff</code> constants. All registers are
resolved to real register names. Searching for <code>fix()</code> in all the pass
files I found that <code>272r.cse1</code> was the last pass that mentioned it.
<code>a.c.273r.fwprop1</code> already has the constants inlined. Looking at
<code>272r.cse1</code> in <code>-fdump-rtl-all-all</code> we can see that details are inferred
by <code>cse1</code> about the <code>fix()</code> <code>RTL</code> instruction:</p>
<pre><code>(insn 7 6 8 2 (set (reg:V4SI 104)
        (fix:V4SI (reg:V4SF 106))) "...-gcc-15.0.0/lib/gcc/x86_64-unknown-linux-gnu/15.0.0/include/emmintrin.h":863:19 4254 {
fix_truncv4sfv4si2}
     (expr_list:REG_EQUAL (const_vector:V4SI [
                (const_int 2147483647 [0x7fffffff]) repeated x4
            ])
        (expr_list:REG_DEAD (reg:V4SF 105)
            (nil))))</code></pre>
<p><code>fix_truncv4sfv4si2()</code> is the name of function that implements conversion
from <code>fix()</code> call down to the lower level instructions. And it looks
like <code>fix()</code> expansion also derived that the finals result is a constant:
<code>(expr_list:REG_EQUAL (const_vector:V4SI [ (const_int 2147483647 [0x7fffffff]) repeated x4])</code>.
Next <code>fwprop1</code> pass will use that constant value everywhere where <code>r104</code>
is used.</p>
<p><a href="https://gcc.gnu.org/onlinedocs/gccint/Standard-Names.html"><code>gcc</code> internals</a>
documentation says that <code>fix_trunc</code> is a <code>float-to-int</code> conversion. Note
that this conversion does not look specific to our intrinsic. Any
code that casts floats would use the same helper. That explains why
<code>_mm_cvttps_epi32()</code> semantics around the overflow are not honored and
generic floating conversion code it performed by <code>gcc</code> as if it was
written as <code>(int)(2147483648.0f)</code>. Apparently both <code>0x7fffffff</code> and
<code>0x80000000</code> values are correct under that assumption.</p>
<p>The problem is that <code>_mm_cvttps_epi32()</code> is more specific than any valid
<code>float->int</code> conversion. <code>intel</code> manual specifically says that at
<a href="https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html"><code>CVTTPS2DQ</code> description</a>
in <code>"Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4"</code>:</p>
<pre><code>Description
...
When a conversion is inexact, a truncated (round toward zero) value is
returned. If a converted result is larger than the maximum signed
doubleword integer, the floating-point invalid exception is raised, and
if this exception is masked, the indefinite integer value (80000000H) is
returned.</code></pre>
<p>Thus, <code>0x80000000</code> would be a correct value here and not <code>0x7fffffff</code>.</p>
<h2 id="avoiding-the-_mm_cvttps_epi32-non-determinism">avoiding the <code>_mm_cvttps_epi32()</code> non-determinism</h2>
<p>OK, <code>gcc</code> decided to treat it as problematic when handling overflow
condition. That should be easy to work around by checking first if our
value is in range first, right? Say, something like the following
pseudocode:</p>
<pre class="c"><code>float v = 2147483648.0f;
int32_t result;
if (v >= 2147483648.0f) {
    result = 0x7fffffff;
} else {
    result = fix(v);
}</code></pre>
<p>In a vectored code writing branching code is problematic, thus one needs
to be creative and use masking. That is what <code>highway</code> did in
<a href="https://github.com/google/highway/commit/9dc6e1ecb0748df78398b037d6a8a89e667702e7"><code>avoid GCC "UB" in truncating cases</code></a>
commit. It’s a lot of code, but it’s idea is to mask away values
calculated against overflows:</p>
<pre class="diff"><code>@@ -10884,7 +10869,11 @@ HWY_API VFromD<D> ConvertInRangeTo(D /*di*/, VFromD<RebindToFloat<D>> v) {
 // F32 to I32 ConvertTo is generic for all vector lengths
 template <class D, HWY_IF_I32_D(D)>
 HWY_API VFromD<D> ConvertTo(D di, VFromD<RebindToFloat<D>> v) {
-  return detail::FixConversionOverflow(di, v, ConvertInRangeTo(di, v));
+  const RebindToFloat<decltype(di)> df;
+  // See comment at the first occurrence of "IfThenElse(overflow,".
+  const MFromD<D> overflow = RebindMask(di, Ge(v, Set(df, 2147483648.0f)));
+  return IfThenElse(overflow, Set(di, LimitsMax<int32_t>()),
+                    ConvertInRangeTo(di, v));
 }</code></pre>
<p>If we amend our original example with this tweak we will get the
following equivalent code:</p>
<pre class="c"><code>// $ cat bug.cc
#include <stdint.h>
#include <string.h>
#include <emmintrin.h>

__attribute__((noipa))
static void assert_eq_p(void * l, void * r) {
    char lb[16];
    char rb[16];

    __builtin_memcpy(lb, l, 16);
    __builtin_memcpy(rb, r, 16);

    if (__builtin_memcmp(lb, rb, 16) != 0) __builtin_trap();
}

#if 0
#include <stdio.h>
__attribute__((noipa))
static void d_i(const char * prefix, __m128i p) {
    uint64_t v[2];
    memcpy(v, &p, 16);

    fprintf(stderr, "%10s(i): %#016lx %#016lx\n", prefix, v[0], v[1]);
}
#endif

__attribute__((noipa))
static void assert_eq(__m128i l, __m128i r) { assert_eq_p(&l, &r); }

int main() {
  const __m128i su = _mm_set1_epi32(0x4f000000);
  const __m128  sf = _mm_castsi128_ps(su);

  const __m128  overflow_mask_f32 = _mm_cmpge_ps(sf, _mm_set1_ps(2147483648.0f));
  const __m128i overflow_mask = _mm_castps_si128(overflow_mask_f32);

  const __m128i conv = _mm_cvttps_epi32(sf);
  const __m128i yes = _mm_set1_epi32(INT32_MAX);

  const __m128i a = _mm_and_si128(overflow_mask, yes);
  const __m128i na = _mm_andnot_si128(overflow_mask, conv);

  const __m128i conv_masked = _mm_or_si128(a, na);

  const __m128i actual = _mm_cmpeq_epi32(conv_masked, _mm_set1_epi32(INT32_MAX));
  const __m128i expected = _mm_set1_epi32(-1);

  assert_eq(expected, actual);
}</code></pre>
<p>Here <code>_mm_and_si128()</code> and <code>_mm_andnot_si128()</code> are used to mask away
converted values larger than <code>2147483648.0f</code>.
If we look at the diagram it looks this way (I collapsed vector values
into <code>... x4</code> form as all the values should be identical):</p>

<p>Here <code>conv -> na</code> green arrow shows where we throw away all the indefinite
values. They all get substituted for <code>yes = 0x7FFFffff x4</code> value.
Thus, the program should finally be deterministic, right? Let’s check:</p>
<pre><code>$ gcc bug.cc -O0 -o a && ./a

$ gcc bug.cc -O2 -o a && ./a
Illegal instruction (core dumped)</code></pre>
<p>It does not. Only <code>-O0</code> case works (just like before). Looking at the
assembly again, just <code>-O2</code> this time:</p>
<pre><code>$ rizin ./a
; [0x004010a0]> aaaa
; [0x004010a0]> s main
; [0x00401040]> pdf
            ; DATA XREF from entry0 @ 0x4010a8
            ;-- section..text:
/ int main(int argc, char **argv, char **envp);
|           ; arg uint64_t arg7 @ xmm0
|                 subq  $8, %rsp                             ; [13] -r-x section size 483 named .text
|                 movss data.00402004, %xmm1                 ; [0x402004:4]=0x4f000000
|                 movss data.00402008, %xmm3                 ; [0x402008:4]=0x7fffffff
|                 shufps $0, %xmm1, %xmm1
|                 movaps %xmm1, %xmm2
|                 cvttps2dq %xmm1, %xmm0
|                 shufps $0, %xmm3, %xmm3
|                 cmpleps %xmm1, %xmm2
|                 movdqa %xmm2, %xmm1
|                 andps %xmm3, %xmm2
|                 pandn %xmm0, %xmm1
|                 por   %xmm2, %xmm1
|                 pcmpeqd %xmm0, %xmm1                       ; arg7
|                 pcmpeqd %xmm0, %xmm0                       ; arg7
|                 callq sym.assert_eq_int64_t___vector_2___int64_t___vector_2 ; sym.assert_eq_int64_t___vector_2___int64_t___vector_2
|                 xorl  %eax, %eax
|                 addq  $8, %rsp
\                 retq</code></pre>
<p>At the first glance <code>cvttps2dq</code> instruction is present, thus <code>gcc</code> was
not able to completely constant fold it away. Thus, it’s not immediately
obvious why it’s incorrect. Let’s have a look at the control flow
diagram reconstructed from the assembly:</p>

<p>In practice <code>pcmpeqd %xmm0, %xmm1</code> instruction that was supposed to
implement <code>_mm_cmpeq_epi32(conv_masked, _mm_set1_epi32(INT32_MAX))</code> gets
<code>INT32_MAX</code> not as a constant (say, from <code>%xmm3</code>), but as a <code>%xmm0</code>
register assuming it already has the expected value. Red line shows
where the assumption is introduced and brown dotted line shows what it
is removing.</p>
<p>The optimizer was not able to constant-fold all the arithmetic operations,
but it was able to fold just enough to introduce the discrepancy between
assumed and actual value of <code>cvttps2dq</code>.</p>
<p>To remove this overly specific assumption <code>gcc-15</code> updated <code>fix()</code> code
not to assume a particular value on overflows using
<a href="https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=b05288d1f1e4b632eddf8830b4369d4659f6c2ff">this patch</a>:</p>
<pre class="diff"><code>--- a/gcc/fold-const.cc
+++ b/gcc/fold-const.cc
@@ -2246,7 +2246,18 @@ fold_convert_const_int_from_real (enum tree_code code, tree type, const_tree arg
   if (! overflow)
     val = real_to_integer (&r, &overflow, TYPE_PRECISION (type));

-  t = force_fit_type (type, val, -1, overflow | TREE_OVERFLOW (arg1));
+  /* According to IEEE standard, for conversions from floating point to
+     integer. When a NaN or infinite operand cannot be represented in the
+     destination format and this cannot otherwise be indicated, the invalid
+     operation exception shall be signaled. When a numeric operand would
+     convert to an integer outside the range of the destination format, the
+     invalid operation exception shall be signaled if this situation cannot
+     otherwise be indicated.  */
+  if (!flag_trapping_math || !overflow)
+    t = force_fit_type (type, val, -1, overflow | TREE_OVERFLOW (arg1));
+  else
+    t = NULL_TREE;
+
   return t;
 }

diff --git a/gcc/simplify-rtx.cc b/gcc/simplify-rtx.cc
index 5caf1dfd957f..f6b4d73b593c 100644
--- a/gcc/simplify-rtx.cc
+++ b/gcc/simplify-rtx.cc
@@ -2256,14 +2256,25 @@ simplify_const_unary_operation (enum rtx_code code, machine_mode mode,
       switch (code)
 	{
 	case FIX:
+	  /* According to IEEE standard, for conversions from floating point to
+	     integer. When a NaN or infinite operand cannot be represented in
+	     the destination format and this cannot otherwise be indicated, the
+	     invalid operation exception shall be signaled. When a numeric
+	     operand would convert to an integer outside the range of the
+	     destination format, the invalid operation exception shall be
+	     signaled if this situation cannot otherwise be indicated.  */
 	  if (REAL_VALUE_ISNAN (*x))
-	    return const0_rtx;
+	    return flag_trapping_math ? NULL_RTX : const0_rtx;
+
+	  if (REAL_VALUE_ISINF (*x) && flag_trapping_math)
+	    return NULL_RTX;

 	  /* Test against the signed upper bound.  */
 	  wmax = wi::max_value (width, SIGNED);
 	  real_from_integer (&t, VOIDmode, wmax, SIGNED);
 	  if (real_less (&t, x))
-	    return immed_wide_int_const (wmax, mode);
+	    return (flag_trapping_math
+		    ? NULL_RTX : immed_wide_int_const (wmax, mode));

 	  /* Test against the signed lower bound.  */
 	  wmin = wi::min_value (width, SIGNED);
@@ -2276,13 +2287,17 @@ simplify_const_unary_operation (enum rtx_code code, machine_mode mode,

 	case UNSIGNED_FIX:
 	  if (REAL_VALUE_ISNAN (*x) || REAL_VALUE_NEGATIVE (*x))
-	    return const0_rtx;
+	    return flag_trapping_math ? NULL_RTX : const0_rtx;
+
+	  if (REAL_VALUE_ISINF (*x) && flag_trapping_math)
+	    return NULL_RTX;

 	  /* Test against the unsigned upper bound.  */
 	  wmax = wi::max_value (width, UNSIGNED);
 	  real_from_integer (&t, VOIDmode, wmax, UNSIGNED);
 	  if (real_less (&t, x))
-	    return immed_wide_int_const (wmax, mode);
+	    return (flag_trapping_math
+		    ? NULL_RTX : immed_wide_int_const (wmax, mode));

 	  return immed_wide_int_const (real_to_integer (x, &fail, width),
 				       mode);</code></pre>
<p>It fixes both tree optimizations of <code>RTL</code> optimizations not to assume a
specific value on known overflows.
After the fix <code>gcc</code> generates something that passes the test at hand:</p>
<pre><code>$ g++ bug.cc -o bug -O2 && ./bug</code></pre>
<p>And the <code>highway</code> test suite.
For completeness the generated code now looks like this:</p>
<pre><code>$ rizin ./a
; [0x004010a0]> aaaa
; [0x004010a0]> s main
; [0x00401040]> pdf
            ; DATA XREF from entry0 @ 0x4010b8
            ;-- section..text:
/ int main(int argc, char **argv, char **envp);
|           ; arg uint64_t arg8 @ xmm1
|                 subq  $8, %rsp                             ; [13] -r-x section size 499 named .text
|                 movss data.00402004, %xmm0                 ; [0x402004:4]=0x4f000000
|                 shufps $0, %xmm0, %xmm0
|                 movaps %xmm0, %xmm2
|                 cmpleps %xmm0, %xmm2
|                 cvttps2dq %xmm0, %xmm0
|                 movdqa %xmm2, %xmm1
|                 pandn %xmm0, %xmm1
|                 movss data.00402008, %xmm0                 ; [0x402008:4]=0x7fffffff
|                 shufps $0, %xmm0, %xmm0
|                 andps %xmm0, %xmm2
|                 pcmpeqd %xmm0, %xmm0
|                 por   %xmm1, %xmm2
|                 pcmpeqd %xmm1, %xmm1                       ; arg8
|                 psrld $1, %xmm1
|                 pcmpeqd %xmm2, %xmm1                       ; arg8
|                 callq sym.assert_eq_int64_t___vector_2___int64_t___vector_2 ; sym.assert_eq_int64_t___vector_2___int64_t___vector_2
|                 xorl  %eax, %eax
|                 addq  $8, %rsp
\                 retq</code></pre>
<p>This code looks slightly closer to originally written <code>C</code> code: <code>%xmm2</code>
collects masked result of <code>cvttps2dq</code> and <code>%xmm1</code> contains <code>0x7FFFffff</code>
value.</p>
<h2 id="parting-words">Parting words</h2>
<p>While not as powerful as tree passes <code>RTL</code> passes are capable of folding
constants, propagating assumed values and removing dead code.</p>
<p><code>highway</code> uncovered an old <code>gcc</code> <a href="https://gcc.gnu.org/PR115161">bug</a> in
a set of <code>float->int</code> conversion <code>x86</code> intrinsics. This bug was not seen
as frequently until <code>gcc</code> implemented more constant folding cases for
intrinsics in <a href="https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=f2449b55fb2d32">this change</a>.</p>
<p><code>gcc</code> still has a few places where it could constant-fold a lot more:</p>
<ul>
<li>handle <code>_mm_cvttps_epi32(constant)</code></li>
<li>eliminate redundant <code>movaps %xmm0, %xmm2; cmpleps %xmm0, %xmm2</code> and
below</li>
</ul>
<p>But <code>gcc</code> does not do it today.</p>
<p>If <code>gcc</code> thinks that some intrinsic returns a value that differs from
reality it’s very hard to reliably convince <code>gcc</code> to assume something
else. Sometimes it’s easier to use inline assembly to get the desired
result as a short term workaround.</p>
<p>Have fun!</p>
</article>
</main></body></html>

linker	`real` (sec)	`user` (sec)	`sys` (sec)
`ld.bfd` (orig)	30.6	24.6	6.4
`ld.bdf` (fixed)	8.7	6.5	2.6
`ld.gold`	5.9	5.5	0.8
`lld`	1.4	1.8	1.5
`mold`	1.2	0.4	0.2

trofi - All posts

sequoia pgp

TL;DR

Story mode

Trying out sq

Other random bits

Introspection: sq introspect and sq dump

Parting words

nixpkgs and repology changes

Tl;DR: nixpkgs changed the way it exports data to repology and many packages need fixing

The bug

How does nixpkgs export data to repology?

Is there a difference introduced?

Why does it happen?

How does repology handle such packages?

Are there any more affected packages?

Parting words

zellij terminal emulator

my tmux setup

a tmux hickup

zellij

nice: zellij retains many Ctrl-b tmux-style keys as is

snag: some keybindings interfere with other applications

nice: Ctrl-g to disable all the zellij bindings

nice: scrollback buffer editing

nice: fast scrolling on copy/paste from the scrollback

nice: modern features

snag: CPU / RAM usage is high

snag: a banner in the status line

snag: no tmux-style mouse drag support

snag: no environment variable clobber support

snag: no support for editing keys in tab editor

parting words

AoC of 2025

Funniest problems

Zero Hydra Failures towards 25.11 NixOS release

an example package fix

parting words

AoC of 2024

Funniest problems

profiling binutils linkers in nixpkgs

background

an ld.gold removal obstacle

linker performance profiles

section count

performance hog clues

testing the patch

bonus: other linkers

parting words

gcc-16 devirtualization changes

A quiz

Running gcc

devirtualization mechanics

Fixes and workarounds

Parting words

nix-build in tmpfs

four years on NixOS

system maintenance

Community support

Home server experience

Local experiments

Parting words

nix and guix for Gentoo in 2025

sort by key in coreutils

The answer

parting words

Zero Hydra Failures towards 25.05 NixOS release

an example package fix

parting words

To chromium

Tl;DR

On firefox

On chrome

On chromium

gcc-15 bugs, pile 2

summary

fun bugs

e2fsprogs bug

mesonlsp bug

histograms

Trying out `sq`

Introspection: `sq introspect` and `sq dump`

Tl;DR: `nixpkgs` changed the way it exports data to `repology` and many packages need fixing

How does `nixpkgs` export data to repology?

my `tmux` setup

a `tmux` hickup

`zellij`

nice: `zellij` retains many `Ctrl-b` `tmux`-style keys as is

nice: `Ctrl-g` to disable all the `zellij` bindings

snag: `CPU` / `RAM` usage is high

snag: no `tmux`-style mouse drag support

an `ld.gold` removal obstacle

Running `gcc`

On `firefox`

On `chrome`

On `chromium`

`e2fsprogs` bug

`mesonlsp` bug

`toml` configuration language

Color themes can be set in `RGB`

a working `sort` example

suspicious `sort` call

`builtins.sort` implementation

`bool`, `true`, and `false` are unconditionally defined now

partially defined `int ()()` function prototypes are just `int ()(void)` now