2014-07-04 14:34:15 +03:00
|
|
|
#include "json-to-value.hh"
|
libexpr: Support structured error classes
While preparing PRs like #9753, I've had to change error messages in
dozens of code paths. It would be nice if instead of
EvalError("expected 'boolean' but found '%1%'", showType(v))
we could write
TypeError(v, "boolean")
or similar. Then, changing the error message could be a mechanical
refactor with the compiler pointing out places the constructor needs to
be changed, rather than the error-prone process of grepping through the
codebase. Structured errors would also help prevent the "same" error
from having multiple slightly different messages, and could be a first
step towards error codes / an error index.
This PR reworks the exception infrastructure in `libexpr` to
support exception types with different constructor signatures than
`BaseError`. Actually refactoring the exceptions to use structured data
will come in a future PR (this one is big enough already, as it has to
touch every exception in `libexpr`).
The core design is in `eval-error.hh`. Generally, errors like this:
state.error("'%s' is not a string", getAttrPathStr())
.debugThrow<TypeError>()
are transformed like this:
state.error<TypeError>("'%s' is not a string", getAttrPathStr())
.debugThrow()
The type annotation has moved from `ErrorBuilder::debugThrow` to
`EvalState::error`.
2024-01-23 03:08:29 +02:00
|
|
|
#include "value.hh"
|
|
|
|
|
#include "eval.hh"
|
2014-07-04 14:34:15 +03:00
|
|
|
|
language: cleanly ban integer overflows
This also bans various sneaking of negative numbers from the language
into unsuspecting builtins as was exposed while auditing the
consequences of changing the Nix language integer type to a newtype.
It's unlikely that this change comprehensively ensures correctness when
passing integers out of the Nix language and we should probably add a
checked-narrowing function or something similar, but that's out of scope
for the immediate change.
During the development of this I found a few fun facts about the
language:
- You could overflow integers by converting from unsigned JSON values.
- You could overflow unsigned integers by converting negative numbers
into them when going into Nix config, into fetchTree, and into flake
inputs.
The flake inputs and Nix config cannot actually be tested properly
since they both ban thunks, however, we put in checks anyway because
it's possible these could somehow be used to do such shenanigans some
other way.
Note that Lix has banned Nix language integer overflows since the very
first public beta, but threw a SIGILL about them because we run with
-fsanitize=signed-overflow -fsanitize-undefined-trap-on-error in
production builds. Since the Nix language uses signed integers, overflow
was simply undefined behaviour, and since we defined that to trap, it
did.
Trapping on it was a bad UX, but we didn't even entirely notice
that we had done this at all until it was reported as a bug a couple of
months later (which is, to be fair, that flag working as intended), and
it's got enough production time that, aside from code that is IMHO buggy
(and which is, in any case, not in nixpkgs) such as
https://git.lix.systems/lix-project/lix/issues/445, we don't think
anyone doing anything reasonable actually depends on wrapping overflow.
Even for weird use cases such as doing funny bit crimes, it doesn't make
sense IMO to have wrapping behaviour, since two's complement arithmetic
overflow behaviour is so *aggressively* not what you want for *any* kind
of mathematics/algorithms. The Nix language exists for package
management, a domain where bit crimes are already only dubiously in
scope to begin with, and it makes a lot more sense for that domain for
the integers to never lose precision, either by throwing errors if they
would, or by being arbitrary-precision.
Fixes: https://github.com/NixOS/nix/issues/10968
Original-CL: https://gerrit.lix.systems/c/lix/+/1596
Change-Id: I51f253840c4af2ea5422b8a420aa5fafbf8fae75
2024-07-12 17:22:34 +03:00
|
|
|
#include <limits>
|
2020-01-09 18:38:27 +02:00
|
|
|
#include <variant>
|
|
|
|
|
#include <nlohmann/json.hpp>
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2020-01-09 18:38:27 +02:00
|
|
|
using json = nlohmann::json;
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2020-01-09 18:38:27 +02:00
|
|
|
namespace nix {
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2020-01-09 18:38:27 +02:00
|
|
|
// for more information, refer to
|
|
|
|
|
// https://github.com/nlohmann/json/blob/master/include/nlohmann/detail/input/json_sax.hpp
|
|
|
|
|
class JSONSax : nlohmann::json_sax<json> {
|
|
|
|
|
class JSONState {
|
|
|
|
|
protected:
|
2020-04-16 18:28:32 +03:00
|
|
|
std::unique_ptr<JSONState> parent;
|
|
|
|
|
RootValue v;
|
2020-01-09 18:38:27 +02:00
|
|
|
public:
|
2020-04-16 18:28:32 +03:00
|
|
|
virtual std::unique_ptr<JSONState> resolve(EvalState &)
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
|
|
|
|
throw std::logic_error("tried to close toplevel json parser state");
|
2020-04-16 18:28:32 +03:00
|
|
|
}
|
|
|
|
|
explicit JSONState(std::unique_ptr<JSONState> && p) : parent(std::move(p)) {}
|
|
|
|
|
explicit JSONState(Value * v) : v(allocRootValue(v)) {}
|
|
|
|
|
JSONState(JSONState & p) = delete;
|
|
|
|
|
Value & value(EvalState & state)
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2020-04-16 18:28:32 +03:00
|
|
|
if (!v)
|
|
|
|
|
v = allocRootValue(state.allocValue());
|
|
|
|
|
return **v;
|
|
|
|
|
}
|
|
|
|
|
virtual ~JSONState() {}
|
|
|
|
|
virtual void add() {}
|
2020-01-09 18:38:27 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
class JSONObjectState : public JSONState {
|
|
|
|
|
using JSONState::JSONState;
|
2020-04-16 18:28:32 +03:00
|
|
|
ValueMap attrs;
|
|
|
|
|
std::unique_ptr<JSONState> resolve(EvalState & state) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2022-01-04 21:29:17 +02:00
|
|
|
auto attrs2 = state.buildBindings(attrs.size());
|
2020-01-09 18:38:27 +02:00
|
|
|
for (auto & i : attrs)
|
2022-01-04 21:29:17 +02:00
|
|
|
attrs2.insert(i.first, i.second);
|
2024-06-06 20:32:46 +03:00
|
|
|
parent->value(state).mkAttrs(attrs2);
|
2020-01-09 23:46:41 +02:00
|
|
|
return std::move(parent);
|
2020-01-09 18:38:27 +02:00
|
|
|
}
|
2020-04-16 18:28:32 +03:00
|
|
|
void add() override { v = nullptr; }
|
2020-01-09 18:38:27 +02:00
|
|
|
public:
|
2020-04-16 18:28:32 +03:00
|
|
|
void key(string_t & name, EvalState & state)
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2020-04-16 18:28:32 +03:00
|
|
|
attrs.insert_or_assign(state.symbols.create(name), &value(state));
|
2020-01-09 18:38:27 +02:00
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
class JSONListState : public JSONState {
|
2020-04-16 18:28:32 +03:00
|
|
|
ValueVector values;
|
|
|
|
|
std::unique_ptr<JSONState> resolve(EvalState & state) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2024-03-14 20:10:31 +02:00
|
|
|
auto list = state.buildList(values.size());
|
|
|
|
|
for (const auto & [n, v2] : enumerate(list))
|
|
|
|
|
v2 = values[n];
|
|
|
|
|
parent->value(state).mkList(list);
|
2020-01-09 23:46:41 +02:00
|
|
|
return std::move(parent);
|
2020-01-09 18:38:27 +02:00
|
|
|
}
|
2020-04-16 18:28:32 +03:00
|
|
|
void add() override {
|
|
|
|
|
values.push_back(*v);
|
2020-01-09 18:38:27 +02:00
|
|
|
v = nullptr;
|
2020-04-16 18:28:32 +03:00
|
|
|
}
|
2020-01-09 18:38:27 +02:00
|
|
|
public:
|
2020-04-16 18:28:32 +03:00
|
|
|
JSONListState(std::unique_ptr<JSONState> && p, std::size_t reserve) : JSONState(std::move(p))
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
|
|
|
|
values.reserve(reserve);
|
|
|
|
|
}
|
|
|
|
|
};
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2020-01-09 18:38:27 +02:00
|
|
|
EvalState & state;
|
2020-04-16 18:28:32 +03:00
|
|
|
std::unique_ptr<JSONState> rs;
|
2020-01-07 01:06:49 +02:00
|
|
|
|
2020-01-09 18:38:27 +02:00
|
|
|
public:
|
|
|
|
|
JSONSax(EvalState & state, Value & v) : state(state), rs(new JSONState(&v)) {};
|
2020-01-07 01:06:49 +02:00
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool null() override
|
2020-01-07 01:06:49 +02:00
|
|
|
{
|
2022-01-04 19:40:39 +02:00
|
|
|
rs->value(state).mkNull();
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2020-01-07 01:06:49 +02:00
|
|
|
}
|
2020-01-09 18:38:27 +02:00
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool boolean(bool val) override
|
2020-01-07 01:06:49 +02:00
|
|
|
{
|
2022-01-04 19:40:39 +02:00
|
|
|
rs->value(state).mkBool(val);
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2020-01-07 01:06:49 +02:00
|
|
|
}
|
2020-01-09 18:38:27 +02:00
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool number_integer(number_integer_t val) override
|
2020-01-07 01:06:49 +02:00
|
|
|
{
|
2022-01-04 19:40:39 +02:00
|
|
|
rs->value(state).mkInt(val);
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2020-01-07 01:06:49 +02:00
|
|
|
}
|
2020-01-09 18:38:27 +02:00
|
|
|
|
language: cleanly ban integer overflows
This also bans various sneaking of negative numbers from the language
into unsuspecting builtins as was exposed while auditing the
consequences of changing the Nix language integer type to a newtype.
It's unlikely that this change comprehensively ensures correctness when
passing integers out of the Nix language and we should probably add a
checked-narrowing function or something similar, but that's out of scope
for the immediate change.
During the development of this I found a few fun facts about the
language:
- You could overflow integers by converting from unsigned JSON values.
- You could overflow unsigned integers by converting negative numbers
into them when going into Nix config, into fetchTree, and into flake
inputs.
The flake inputs and Nix config cannot actually be tested properly
since they both ban thunks, however, we put in checks anyway because
it's possible these could somehow be used to do such shenanigans some
other way.
Note that Lix has banned Nix language integer overflows since the very
first public beta, but threw a SIGILL about them because we run with
-fsanitize=signed-overflow -fsanitize-undefined-trap-on-error in
production builds. Since the Nix language uses signed integers, overflow
was simply undefined behaviour, and since we defined that to trap, it
did.
Trapping on it was a bad UX, but we didn't even entirely notice
that we had done this at all until it was reported as a bug a couple of
months later (which is, to be fair, that flag working as intended), and
it's got enough production time that, aside from code that is IMHO buggy
(and which is, in any case, not in nixpkgs) such as
https://git.lix.systems/lix-project/lix/issues/445, we don't think
anyone doing anything reasonable actually depends on wrapping overflow.
Even for weird use cases such as doing funny bit crimes, it doesn't make
sense IMO to have wrapping behaviour, since two's complement arithmetic
overflow behaviour is so *aggressively* not what you want for *any* kind
of mathematics/algorithms. The Nix language exists for package
management, a domain where bit crimes are already only dubiously in
scope to begin with, and it makes a lot more sense for that domain for
the integers to never lose precision, either by throwing errors if they
would, or by being arbitrary-precision.
Fixes: https://github.com/NixOS/nix/issues/10968
Original-CL: https://gerrit.lix.systems/c/lix/+/1596
Change-Id: I51f253840c4af2ea5422b8a420aa5fafbf8fae75
2024-07-12 17:22:34 +03:00
|
|
|
bool number_unsigned(number_unsigned_t val_) override
|
2020-01-07 01:06:49 +02:00
|
|
|
{
|
language: cleanly ban integer overflows
This also bans various sneaking of negative numbers from the language
into unsuspecting builtins as was exposed while auditing the
consequences of changing the Nix language integer type to a newtype.
It's unlikely that this change comprehensively ensures correctness when
passing integers out of the Nix language and we should probably add a
checked-narrowing function or something similar, but that's out of scope
for the immediate change.
During the development of this I found a few fun facts about the
language:
- You could overflow integers by converting from unsigned JSON values.
- You could overflow unsigned integers by converting negative numbers
into them when going into Nix config, into fetchTree, and into flake
inputs.
The flake inputs and Nix config cannot actually be tested properly
since they both ban thunks, however, we put in checks anyway because
it's possible these could somehow be used to do such shenanigans some
other way.
Note that Lix has banned Nix language integer overflows since the very
first public beta, but threw a SIGILL about them because we run with
-fsanitize=signed-overflow -fsanitize-undefined-trap-on-error in
production builds. Since the Nix language uses signed integers, overflow
was simply undefined behaviour, and since we defined that to trap, it
did.
Trapping on it was a bad UX, but we didn't even entirely notice
that we had done this at all until it was reported as a bug a couple of
months later (which is, to be fair, that flag working as intended), and
it's got enough production time that, aside from code that is IMHO buggy
(and which is, in any case, not in nixpkgs) such as
https://git.lix.systems/lix-project/lix/issues/445, we don't think
anyone doing anything reasonable actually depends on wrapping overflow.
Even for weird use cases such as doing funny bit crimes, it doesn't make
sense IMO to have wrapping behaviour, since two's complement arithmetic
overflow behaviour is so *aggressively* not what you want for *any* kind
of mathematics/algorithms. The Nix language exists for package
management, a domain where bit crimes are already only dubiously in
scope to begin with, and it makes a lot more sense for that domain for
the integers to never lose precision, either by throwing errors if they
would, or by being arbitrary-precision.
Fixes: https://github.com/NixOS/nix/issues/10968
Original-CL: https://gerrit.lix.systems/c/lix/+/1596
Change-Id: I51f253840c4af2ea5422b8a420aa5fafbf8fae75
2024-07-12 17:22:34 +03:00
|
|
|
if (val_ > std::numeric_limits<NixInt::Inner>::max()) {
|
|
|
|
|
throw Error("unsigned json number %1% outside of Nix integer range", val_);
|
|
|
|
|
}
|
|
|
|
|
NixInt::Inner val = val_;
|
2022-01-04 19:40:39 +02:00
|
|
|
rs->value(state).mkInt(val);
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2020-01-07 01:06:49 +02:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool number_float(number_float_t val, const string_t & s) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2022-01-04 19:40:39 +02:00
|
|
|
rs->value(state).mkFloat(val);
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool string(string_t & val) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2022-01-04 19:24:42 +02:00
|
|
|
rs->value(state).mkString(val);
|
|
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
2022-01-04 19:24:42 +02:00
|
|
|
|
2020-09-19 17:46:02 +03:00
|
|
|
#if NLOHMANN_JSON_VERSION_MAJOR >= 3 && NLOHMANN_JSON_VERSION_MINOR >= 8
|
2024-07-25 08:32:03 +03:00
|
|
|
bool binary(binary_t&) override
|
2020-09-19 17:46:02 +03:00
|
|
|
{
|
|
|
|
|
// This function ought to be unreachable
|
|
|
|
|
assert(false);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool start_object(std::size_t len) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2020-01-09 23:46:41 +02:00
|
|
|
rs = std::make_unique<JSONObjectState>(std::move(rs));
|
2020-01-09 18:38:27 +02:00
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool key(string_t & name) override
|
2020-01-09 18:38:27 +02:00
|
|
|
{
|
2020-01-09 23:46:41 +02:00
|
|
|
dynamic_cast<JSONObjectState*>(rs.get())->key(name, state);
|
2020-01-09 18:38:27 +02:00
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool end_object() override {
|
2020-01-09 23:46:41 +02:00
|
|
|
rs = rs->resolve(state);
|
2020-01-09 18:38:27 +02:00
|
|
|
rs->add();
|
|
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool end_array() override {
|
2020-01-09 18:38:27 +02:00
|
|
|
return end_object();
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool start_array(size_t len) override {
|
2020-01-09 23:46:41 +02:00
|
|
|
rs = std::make_unique<JSONListState>(std::move(rs),
|
|
|
|
|
len != std::numeric_limits<size_t>::max() ? len : 128);
|
2020-01-09 18:38:27 +02:00
|
|
|
return true;
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
2024-07-25 08:32:03 +03:00
|
|
|
bool parse_error(std::size_t, const std::string&, const nlohmann::detail::exception& ex) override {
|
libexpr: Support structured error classes
While preparing PRs like #9753, I've had to change error messages in
dozens of code paths. It would be nice if instead of
EvalError("expected 'boolean' but found '%1%'", showType(v))
we could write
TypeError(v, "boolean")
or similar. Then, changing the error message could be a mechanical
refactor with the compiler pointing out places the constructor needs to
be changed, rather than the error-prone process of grepping through the
codebase. Structured errors would also help prevent the "same" error
from having multiple slightly different messages, and could be a first
step towards error codes / an error index.
This PR reworks the exception infrastructure in `libexpr` to
support exception types with different constructor signatures than
`BaseError`. Actually refactoring the exceptions to use structured data
will come in a future PR (this one is big enough already, as it has to
touch every exception in `libexpr`).
The core design is in `eval-error.hh`. Generally, errors like this:
state.error("'%s' is not a string", getAttrPathStr())
.debugThrow<TypeError>()
are transformed like this:
state.error<TypeError>("'%s' is not a string", getAttrPathStr())
.debugThrow()
The type annotation has moved from `ErrorBuilder::debugThrow` to
`EvalState::error`.
2024-01-23 03:08:29 +02:00
|
|
|
throw JSONParseError("%s", ex.what());
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
2020-01-09 18:38:27 +02:00
|
|
|
};
|
2014-07-04 14:34:15 +03:00
|
|
|
|
2022-01-21 15:44:00 +02:00
|
|
|
void parseJSON(EvalState & state, const std::string_view & s_, Value & v)
|
2014-07-04 14:34:15 +03:00
|
|
|
{
|
2020-01-09 18:38:27 +02:00
|
|
|
JSONSax parser(state, v);
|
|
|
|
|
bool res = json::sax_parse(s_, &parser);
|
|
|
|
|
if (!res)
|
|
|
|
|
throw JSONParseError("Invalid JSON Value");
|
2014-07-04 14:34:15 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|