feat: embed and check githash in .olean

[Kha]

This is an additional safety net on top of #2749: it protects users that circumvent the build system (e.g. with lake env) as well as obviates the need for TOCTOU-like race condition checks in the build system.

The check is activated by CHECK_OLEAN_VERSION=ON, which now defaults to OFF as the sensible default for local development. When activated, USE_GITHASH=ON is also force-enabled for stage 0 in order to make sure that stage 1 can load its own core library.

[leanprover-community-mathlib4-bot]

• 💥 Mathlib branch lean-pr-testing-2766 build failed against this PR. (2023-10-25 18:16:08) View Log
• ❌ Mathlib branch lean-pr-testing-2766 built against this PR, but testing failed. (2023-11-06 14:55:12) View Log
• ❌ Mathlib branch lean-pr-testing-2766 built against this PR, but testing failed. (2023-11-13 10:47:40) View Log
• ❌ Mathlib branch lean-pr-testing-2766 built against this PR, but testing failed. (2023-11-14 03:06:16) View Log
• ❌ Mathlib branch lean-pr-testing-2766 built against this PR, but testing failed. (2023-11-14 05:37:43) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-14 13:19:08) View Log
• ❌ Mathlib branch lean-pr-testing-2766 built against this PR, but testing failed. (2023-11-14 17:20:44) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-15 02:48:28) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-27 21:47:24) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-28 00:28:13) View Log
• 🟡 Mathlib branch lean-pr-testing-2766 build this PR didn't complete normally. (2023-11-28 01:14:31) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-28 02:13:34) View Log
• ✅ Mathlib branch lean-pr-testing-2766 has successfully built against this PR. (2023-11-28 02:33:21) View Log

[kim-em]

Options for a successful PR run:

• rebase this PR onto d126c09 (the commit underlying nightly-2023-10-25), which should give an immediate run.
• wait until nightly-2023-10-26 lands and I have fixed Std+Mathlib for it (approximately +10 hours from now), and then push an empty commit (or anything) to this branch.

[digama0]

Note: this will break leantar / lake exe cache, keep me appraised when it hits mathlib.

[digama0]

While we're changing the olean format, I also have a request: add a version field, pinned to 1 for the time being. We could make it part of the oleanfile header, say using 12 bytes for oleanfile!!! and then a 4 byte version field.

I don't want to start the discussion of ABI versioning yet, but it would be nice if we had a little foresight...

[digama0]

I have a patch for leantar up at https://github.com/digama0/leangz/tree/olean_v1 . It is backward compatible with earlier versions, so I will make a release for it as soon as the new olean format is finalized and this PR is merged.

[digama0]

I'll repeat my request for adding a version field. leantar needs this to detect any ABI breaking change to core data structures, in particular Expr, for which there have been two PRs in the recent past (both from me and not yet accepted, but still) to be able to detect changes. leantar has to work with multiple versions of lean simultaneously, because users can jump between different versions of the toolchain when switching branches, so it is helpful for any changes to the olean format to be accompanied by a version bump. There are generally very few of these, but this PR and the two mentioned ones would involve an olean version bump. Git hashes are not sufficient, they allow detecting that the version is wrong but not whether it is an old version or a new version, and neither git hashes nor toolchain names are easily placed in a linear order.

[Kha]

I added a version field for the .olean header format itself but I don't see how we could realistically version the payload format itself given that any change to a user environment extension can be an ABI change. And even if we restricted ourselves to core, it seems infeasible to me without some automation double-checking the contract.

leantar has to work with multiple versions of lean simultaneously

It doesn't have to, cache could refer to and download an exact leantar version instead of a lower bound. It would be a simpler solution than olean versioning by orders of magnitude.

[digama0]

I added a version field for the .olean header format itself but I don't see how we could realistically version the payload format itself given that any change to a user environment extension can be an ABI change. And even if we restricted ourselves to core, it seems infeasible to me without some automation double-checking the contract.

Thanks. A "good enough" solution is fine for the leantar usecase, as if it gets the format wrong the worst that happens is the compression ratio goes way down. The main idea here is that when we anticipate breakage due to use cases in the wild we have a number we can bump to fix them. For lean itself it makes sense that you would want to use the exact githash.

It doesn't have to, cache could refer to and download an exact leantar version instead of a lower bound. It would be a simpler solution than olean versioning by orders of magnitude.

The problem here is that one would have to know which leantar version to use given an olean, and unless it is being distributed with the toolchain and being released with every commit I don't how to do that. The number of olean version changes that are relevant to leantar that have happened in the last year can be counted on one hand, so it is perfectly feasible to release new leantar versions when needed and have complete backward compatibility to every change made to the format so far. Maybe this won't be the case forever but the changes so far have been quite tame and predictable.

I have some ideas for how to do complete olean versioning using "schema generation" from the lean environment; a lot of this is already implemented in oleandump, which reads lean declarations to determine how to deserialize oleans. That would make it possible to detect and automatically bump the version whenever there is an ABI breaking change. But I'm not proposing that at this time, only a version that is manually bumped to avoid the worst fallout of ABI breaks.

[Kha]

The problem here is that one would have to know which leantar version to use given an olean, and unless it is being distributed with the toolchain and being released with every commit I don't how to do that

Why does my suggestion of hardcoding the leantar version in the cache source code not work for that? As you said it would only have to be adjusted in a rare few lean-toolchain bumps in mathlib.

[digama0]

Why does my suggestion of hardcoding the leantar version in the cache source code not work for that? As you said it would only have to be adjusted in a rare few lean-toolchain bumps in mathlib.

Oh I see, yes that would work, you are saying that the "olean version" would be tracked in the cache source code instead of the lean core source code. This can be done without needing to pin leantar versions too, cache could pass an olean version as a command line argument.

I would go for all of the above: a lean embedded olean version number, a cache version command line arg, and leantar versioned releases. The reason is because these each have slightly different development processes and this gives us flexibility to detect and correct issues caused by any of these places.

[Kha]

(ready for review but I want to do one final test round before merge)

[digama0]

Updated https://github.com/digama0/leangz/tree/olean_v1 , I will make a release once this PR is merged. Fortunately or unfortunately, old leantar versions will detect that these oleans have a funny format and will instead use a generic (and much less efficient) compression format, so if we are not on the ball bumping the leantar version at the right time we will simply have some large cache files. The new leantar is backward compatible though, so I will try to get it merged in advance of this change landing in mathlib, and then hopefully it will not be an issue.

[kim-em]

Mathlib used parts of ProofWidgets in tests, that were not being built by lake build. Hence this had the wrong hash, and lake was not being given the chance to rebuild them. I've added lake build ProofWidgets in the CI test step for Mathlib, and cherry-picked that to lean-pr-testing-2766. Hopefully this will go green again shortly!

[Kha]

@digama0 It's merged!