Minified library classes are not published correctly for inter-project consumption [263197720]

Fixed

Bug

Status Update

No update yet.

Description

tl...@gmail.com

created issue #1

Dec 20, 2022 05:59PM

Consumer ProGuard files should be handled better when a library module is used as a dependency in a multi-module project.

For example my-app/build.gradle contains the following dependency:

implementation project(':my-library')

One of the following should happen.

Let the APK module compile all the code and ignore the AAR Consumer ProGuard settings.
Compile the AAR code in the AAR module and then have the APK module pull in the compiled AAR code and use the Consumer ProGuard file.

Currently a hack workaround needs to be added to the consuming module in order to remove the consumer ProGaurd files.

afterEvaluate {
    // This removes the Consumer ProGuard files from being used.
    // We don't want to use them since we use project references as dependencies
    // and do all the obfuscation ourselves
    tasks.each {task ->
        if (task.name.startsWith("minify") && task.name.endsWith("WithR8")) {
            def filteredConfigurationFiles = task.configurationFiles.filter { file ->
                !file.path.contains("my-library")
            }
            task.configurationFiles.setFrom(filteredConfigurationFiles)
        }
    }
}

Comments

mm...@google.com <mm...@google.com> Dec 22, 2022 08:35PM

Assigned to an...@google.com.

mk...@google.com <mk...@google.com> #2Dec 22, 2022 10:39PM

This was broken by 3bca759a5ff08352de831bb1e9b61b1ec2b3362d.
Fix (pending) is I2c2dc7b600603ee430fd0d91b23d52ea8aa29ca9.

ga...@google.com <ga...@google.com> #3Dec 23, 2022 10:47AM

Almost 2 months later and this is still broken

tl...@gmail.com <tl...@gmail.com> #4Dec 23, 2022 02:13PM

Since there is no progression, I wanted to share our quick-fix for the issue.

#sdkmanager --package_file=${PATH_WORKSPACE}/packages
while read p; do echo "y" | sdkmanager "${p}"; done <${PATH_WORKSPACE}/packages

ga...@google.com <ga...@google.com> #5Dec 23, 2022 03:17PM

jb...@google.com What is the update on this?

tl...@gmail.com <tl...@gmail.com> #6Dec 23, 2022 04:04PM

What is the status of this item?

tl...@gmail.com <tl...@gmail.com> #7Dec 23, 2022 04:19PM

This has been fixed on master today (internal ref: ag/2945015) and will be available in the next SDK release.

ga...@google.com <ga...@google.com> #8Dec 23, 2022 04:57PM

Any ETA on next release?

tl...@gmail.com <tl...@gmail.com> #9Dec 23, 2022 05:42PM

Still broken and not updated? --package_file argument is not usable in it's current form on 26.1.1 straight from the developer site.

tl...@gmail.com <tl...@gmail.com> #10Dec 23, 2022 09:21PM

Comfirmed that this seems to still be broken. Can we have an update please?

```
(15:58:11) C02W513SHTD8:files aso$ /opt/android-sdk-macosx/tools/bin/sdkmanager --version
26.1.1

(15:58:17) C02W513SHTD8:files aso$ /opt/android-sdk-macosx/tools/bin/sdkmanager --install --package_file=package_file
Warning: Unknown argument --package_file=package_file
```

MyApplication.zip

117 KB

Download

tl...@gmail.com <tl...@gmail.com> #11Dec 27, 2022 06:28PM

Hi, is there any update to this issue? Thanks.

ga...@google.com <ga...@google.com> #12Dec 28, 2022 12:02PM

Reassigned to ga...@google.com.

Hi Google. You claim it's been fixed on master, but we haven't had a new release since the broken version 26.1.1. Can you please release the fix?

ze...@google.com <ze...@google.com> #13Jan 2, 2023 09:53AM

Yeah, still not fixed --'

tl...@gmail.com <tl...@gmail.com> #14Jan 3, 2023 03:28PM

Can't believe this still isn't fixed 2 years later for a command line utility that sits on the main dev site.

ga...@google.com <ga...@google.com> Jan 25, 2023 05:29PM

Reassigned to bi...@google.com.

bi...@google.com <bi...@google.com> Jan 25, 2023 05:50PM

Accepted by bi...@google.com.

bi...@google.com <bi...@google.com> #15Jan 26, 2023 01:23AM

Any updates on this? The help for this command clearly states this argument is supported.

je...@google.com <je...@google.com> #16Jan 26, 2023 04:16AM

Has anyone re-tried it? We switched back to RUN sdkmanager --package_file=$ANDROID_HOME/packages.txt in our Dockerfile back in March of 2021.

ga...@google.com <ga...@google.com> #17Jan 26, 2023 10:14AM

For what it's worth, I did a quick test with the latest CLI: 11076708 (https://developer.android.com/studio#downloads) on OSX and tried it with a simple:

./sdkmanager --sdk_root="../sdk" --package_file=deps.txt

Deps.txt:

platform-tools
extras;google;instantapps
build-tools;35.0.0-rc3

So perhaps this is now resolved? I haven't tried it with more packages

bi...@google.com <bi...@google.com> #18Jan 27, 2023 08:08PM

A note to the MinifyLibTest

In debug build our CompilationMode is debug which means obfuscation and optimization are disabled. Tree-shaking is still enabled as it is not affected by this CompilationMode.

So in order to test obfuscation, we need to use release build.

bi...@google.com <bi...@google.com> #19Jan 27, 2023 08:59PM

A question to Ian, I find the class file output by r8 is not being obfuscated. I guess that is not expected, right? The configuration for r8 looks correct to me. I remember there is a way to share all the details of a r8 invocation right? zerny@

Message last modified on Jan 27, 2023 09:00PM

ze...@google.com <ze...@google.com> #20Jan 30, 2023 07:32AM

Regarding debug build, it does indeed disable obfuscation and optimization as both break stack-traces / stepping behavior. Tree shaking is still enabled without explicitly disabling it.

You can generate a compiler input dump with all the inputs to the compiler. (There is also a BaseCompilerCommand.Builder.dumpInputToFile method on the builder, but it is not a public API so you may need to use a non-lib version of R8 to access it).

bi...@google.com <bi...@google.com> #21Mar 29, 2023 10:19PM

I think we should remove this from 8.1 beta blocking release list and probably address it in early canary because 1) it is not a regression, 2) the fix would potentially break some users because they need to add additional keep rules for a library module to make sure the consumer(app or another library) module are able to get those classes from the library module.

je...@google.com <je...@google.com> #22Apr 25, 2023 06:20PM

this should be fixed in one of the canary, so blocking beta only.

bi...@google.com <bi...@google.com> #23Jul 14, 2023 10:15PM

Some updates regarding this issue:

As we want to make consuming a library as project dependency consistent with consuming the same library that has been published to maven, we need to add the local file dependencies when doing the inter-project publishing for library modules.

This becomes a problem because from the consumer side, we also include file dependencies of library modules. It is part of the ArtifactScope.FILE

The challenge is how to exclude transitive file dependencies from library modules.

Option 1. Do not add this to runtimeElements when publishing -> don't seen to work, see https://gradle.slack.com/archives/C10J6STFZ/p1684347966414919

Option 2. Compute transitive file dependencies in the application by subtracting computeLocalFileDependencies -> it works for some cases but not sure it can work for all because computeLocalFileDependencies doesn't support attributes

Option 3. Publish file dependencies from library and use FilterSpec to exclude it in application, similar to packagedDependenciesClasspath -> I feel this might be a proper fix

bi...@google.com <bi...@google.com> #24Jul 18, 2023 09:56PM

Talked with Jerome, the consensus is to remove this from blocking list. The next step is to see if there is a simpler way to support this use case. (e.g. using included build and publish the library to local maven)

ga...@google.com <ga...@google.com> #25Jul 27, 2023 01:02PM

It does make sense to add support for the common use-case (library projects without local file dependencies) and to have a reasonable fallback for the other case (library projects with local file dependencies).

xa...@google.com <xa...@google.com> #26Nov 1, 2023 07:16PM

Stumbled upon this while looking at the list of 8.3 Beta bugs

As an additional note, library apiElements should contain non-minified classes as we'd expect external API surface of the library to be the same before and after minification. This is already the case, and no work is required here.

Is that really always the case? if you publish an AAR with obfuscation, you really want the API jar (<AAR>/api.jar) to contains the obfuscated code. I would think that the inter-project publication should be the same.

ga...@google.com <ga...@google.com> #27Nov 2, 2023 12:50PM

I agree that ideally we'd also compile against obfuscated classes. However, I'm concerned about blocking the compilation of downstream modules on R8.

Also, there is probably a debug variant of the consumer that will see non-obfuscated classes on the compile classpath. The IDE is also not helping as it does not know about obfuscation. So even if we do push for compile classpath to block on R8 and have obfuscated classes, users may still hit issues.

Proper seems to be introduction of api component that allows developers to specify the library API and consumers would compile only against sources in that component.

xa...@google.com <xa...@google.com> #28Nov 2, 2023 02:51PM

That makes sense for inter-project dependencies where the edit-build-deploy cycle would be impacted. I agree the api component would really be useful here.

bi...@google.com <bi...@google.com> #29Dec 1, 2023 12:17AM

Here is the doc I shared with Gradle about this issue https://docs.google.com/document/d/1B4e7N9gGk-DgXHGYtGIQSVJMxwJdvu2cFzzHUcsTLsA/edit (no feedback yet)

jedo@, can you evaluate this ticket again? (this one seems to caused quite a lot efforts but the impact is limited, not sure what is the best way moving forward)

je...@google.com <je...@google.com> #30Dec 1, 2023 05:30AM

since this is not a regression, I am removing this from the 8.3 blockers. we should have enough time to revisit this in 8.4

sg...@google.com <sg...@google.com> #31Dec 8, 2023 08:38AM

I found https://stackoverflow.com/questions/77605786/how-to-run-proguard-r8-on-a-library-before-running-it-on-an-app-as-if-it-was-an - isn't that what this bug is about?

bi...@google.com <bi...@google.com> #32Dec 11, 2023 11:15PM

Soren, that is exactly this bug is about.

xa...@google.com <xa...@google.com> #33Dec 12, 2023 04:19PM

Moving this to P1. We really need to fix this.

pa...@unissey.com <pa...@unissey.com> #34Dec 20, 2023 10:51AM

I'm the person who asked the question Soren referenced in Stack Overflow. I'm taking note that this is a known bug that's gonna get fixed later on, and I'm glad to read that.

In the meantime, I found a workaround that I've described in my answer on SO: https://stackoverflow.com/a/77690962/6527252

bi...@google.com <bi...@google.com> #35Jan 10, 2024 05:27PM

Marked as fixed.

Fixed with I5b773131437720291fe02a2897d4171596e33acd

lo...@gmail.com <lo...@gmail.com> #36Jan 10, 2024 10:13PM

Cool! Thank you!

Is that an AS or an AGP fix? Which version(s) will first get it?

bi...@google.com <bi...@google.com> #37Jan 11, 2024 10:27PM

It is AGP fix and you should be able to get it in AGP 8.4-alpha05

an...@google.com <an...@google.com> #38Jan 12, 2024 05:32PM

Thank you for your patience while our engineering team worked to resolve this issue. A fix for this issue is now available in:

Android Studio Jellyfish | 2023.3.1 Canary 4
Android Gradle Plugin 8.4.0-alpha04

We encourage you to try the latest update.

If you notice further issues or have questions, please file a new bug report.

Thank you for taking the time to submit feedback — we really appreciate it!

lo...@gmail.com <lo...@gmail.com> #39Jan 13, 2024 12:19PM

@comment#37 even as soon as 8.4.0-alpha04, correct?

Message last modified on Jan 13, 2024 12:19PM

ni...@gmail.com <ni...@gmail.com> #40Jan 13, 2024 12:47PM

Comment has been deleted.

Message last modified on Jan 14, 2024 11:39AM

ni...@gmail.com <ni...@gmail.com> #41Jan 13, 2024 01:13PM