Use SipHasher rather than SHA-512 for ISLE manifest.

Fixes #3609. It turns out that `sha2` is a nontrivial dependency for
Cranelift in many contexts, partly because it pulls in a number of other
crates as well.

One option is to remove the hash check under certain circumstances, as
implemented in #3616. However, this is undesirable for other reasons:
having different dependency options in Wasmtime in particular for
crates.io vs. local builds is not really possible, and so either we
still have the higher build cost in Wasmtime, or we turn off the checks
by default, which goes against the original intent of ensuring developer
safety (no mysterious stale-source bugs).

This PR uses `SipHash` instead, which is built into the standard
library. `SipHash` is deprecated, but it's fixed and deterministic
(across runs and across Rust versions), which is what we need, unlike
the suggested replacement `std::collections::hash_map::DefaultHasher`.
The result is only 64 bits, and is not cryptographically secure, but we
never needed that; we just need a simple check to indicate when we
forget a `rebuild-isle`.

Cargo.lock

@@ -547,7 +547,6 @@ dependencies = [
  "miette",
  "regalloc",
  "serde",
- "sha2",
  "smallvec",
  "souper-ir",
  "target-lexicon",

cranelift/codegen/Cargo.toml

@@ -37,7 +37,6 @@ criterion = "0.3"
 cranelift-codegen-meta = { path = "meta", version = "0.79.0" }
 cranelift-isle = { path = "../isle/isle", version = "=0.79.0", optional = true }
 miette = { version = "3", features = ["fancy"], optional = true }
-sha2 = "0.9.8"
 
 [features]
 default = ["std", "unwind"]

cranelift/codegen/build.rs

@@ -16,7 +16,6 @@
 
 use cranelift_codegen_meta as meta;
 
-use sha2::{Digest, Sha512};
 use std::env;
 use std::io::Read;
 use std::process;
@@ -163,7 +162,28 @@ impl IsleCompilation {
     /// `<generated_filename>.manifest` and use it to verify that a
     /// rebuild was done if necessary.
     fn compute_manifest(&self) -> Result<String, Box<dyn std::error::Error + 'static>> {
+        // We use the deprecated SipHasher from std::hash in order to verify
+        // that ISLE sources haven't changed since the generated source was
+        // last regenerated.
+        //
+        // We use this instead of a stronger and more usual content hash, like
+        // SHA-{160,256,512}, because it's built into the standard library and
+        // we don't want to pull in a separate crate. We try to keep Cranelift
+        // crate dependencies as intentionally small as possible. In fact, we
+        // used to use the `sha2` crate for SHA-512 and this turns out to be
+        // undesirable for downstream consumers (see #3609).
+        //
+        // Why not the recommended replacement
+        // `std::collections::hash_map::DefaultHasher`? Because we need the
+        // hash to be deterministic, both between runs (i.e., not seeded with
+        // random state) and across Rust versions.
+        //
+        // If `SipHasher` is ever actually removed from `std`, we'll need to
+        // find a new option, either a very small crate or something else
+        // that's built-in.
+        #![allow(deprecated)]
         use std::fmt::Write;
+        use std::hash::{Hasher, SipHasher};
 
         let mut manifest = String::new();
 
@@ -176,11 +196,11 @@ impl IsleCompilation {
             // to `\r\n`; canonicalize the source that we hash to
             // Unix-style (`\n`) so hashes will match.
             let content = content.replace("\r\n", "\n");
-            // One line in the manifest: <filename> <sha-512 hash>.
+            // One line in the manifest: <filename> <siphash>.
-            let mut hasher = Sha512::default();
+            let mut hasher = SipHasher::new_with_keys(0, 0); // fixed keys for determinism
-            hasher.update(content.as_bytes());
+            hasher.write(content.as_bytes());
             let filename = format!("{}", filename.display()).replace("\\", "/");
-            writeln!(&mut manifest, "{} {:x}", filename, hasher.finalize())?;
+            writeln!(&mut manifest, "{} {:x}", filename, hasher.finish())?;
         }
 
         Ok(manifest)

cranelift/codegen/src/isa/aarch64/lower/isle/generated_code.manifest

@@ -1,4 +1,4 @@
-src/clif.isle be1359b4b6b153f378517c1dd95cd80f4a6bed0c7b86eaba11c088fd71b7bfe80a3c868ace245b2da0bfbbd6ded262ea9576c8e0eeacbf89d03c34a17a709602
+src/clif.isle f176ef3bba99365
-src/prelude.isle 15c8dd937171bd0f619179e219422d43af0eb0ef9a6e88f23b2aa55776712e27342309dd3a4441876b2dfec7f16ce7fe13b3a926ace89b25cfc9577e7b1d1578
+src/prelude.isle babc931e5dc5b4cf
-src/isa/aarch64/inst.isle a6921329a85a252b8059657056ee0c4477304dff461bd58c39133a2870666b23a34c911be55e25e7887074cb54b640ff09998730af09b3c1ba792f434309af24
+src/isa/aarch64/inst.isle abbd648f4a0b479a
-src/isa/aarch64/lower.isle 3cc84f8e3907818da7e0cbb4afe7f269da7090f3d504c74ecf02ef57463b281f4a320e52656d9397720ec8e4af98c1ecea05c4ffbe3f0c4126af4ed95d2734cc
+src/isa/aarch64/lower.isle c46d0692df0a9c0d

cranelift/codegen/src/isa/x64/lower/isle/generated_code.manifest

@@ -1,4 +1,4 @@
-src/clif.isle be1359b4b6b153f378517c1dd95cd80f4a6bed0c7b86eaba11c088fd71b7bfe80a3c868ace245b2da0bfbbd6ded262ea9576c8e0eeacbf89d03c34a17a709602
+src/clif.isle f176ef3bba99365
-src/prelude.isle 15c8dd937171bd0f619179e219422d43af0eb0ef9a6e88f23b2aa55776712e27342309dd3a4441876b2dfec7f16ce7fe13b3a926ace89b25cfc9577e7b1d1578
+src/prelude.isle babc931e5dc5b4cf
-src/isa/x64/inst.isle 1a44ccc0c2cad90447762848461fcae714216ef058d42bdba89330a6008061526e92bbf1c17055c465b20fc75d98d1faa34feda8b22fa7ae0504a0f808798b41
+src/isa/x64/inst.isle fb5d3ac8e68c46d2
-src/isa/x64/lower.isle c7943201b32e9eb9726466e8cc417f7e84c4c4052de31e05ab6e0ad7502a587cf1d7d9835703c4ff5a506390f7a0668741e7f3feaa1edda6396571a425949fc9
+src/isa/x64/lower.isle d39e01add89178d5