From 5f2eaa1b3596d9354f6111d493be208867594352 Mon Sep 17 00:00:00 2001
From: eldritch horrors <pennae@lix.systems>
Date: Mon, 4 Mar 2024 07:50:02 +0100
Subject: [PATCH] Merge pull request #9662 from
 shlevy/flat-fixed-references-assert

Improve error message for fixed-outputs with references.

(cherry picked from commit ff6de4a9ee6c3862db9ee5f09ff9c3f43ae7a088)
Change-Id: I733c49760b9a3f1b76a6bece3b250b8579cd6cac
---
 src/libstore/store-api.cc  | 5 ++++-
 tests/functional/fixed.nix | 9 +++++++++
 tests/functional/fixed.sh  | 5 +++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc
index 484a0ca6e..958691256 100644
--- a/src/libstore/store-api.cc
+++ b/src/libstore/store-api.cc
@@ -190,7 +190,10 @@ StorePath Store::makeFixedOutputPath(std::string_view name, const FixedOutputInf
     if (info.hash.type == htSHA256 && info.method == FileIngestionMethod::Recursive) {
         return makeStorePath(makeType(*this, "source", info.references), info.hash, name);
     } else {
-        assert(info.references.size() == 0);
+        if (!info.references.empty()) {
+            throw Error("fixed output derivation '%s' is not allowed to refer to other store paths.\nYou may need to use the 'unsafeDiscardReferences' derivation attribute, see the manual for more details.",
+                name);
+        }
         return makeStorePath("output:out",
             hashString(htSHA256,
                 "fixed:out:"
diff --git a/tests/functional/fixed.nix b/tests/functional/fixed.nix
index babe71504..5bdf79333 100644
--- a/tests/functional/fixed.nix
+++ b/tests/functional/fixed.nix
@@ -48,6 +48,15 @@ rec {
     (f ./fixed.builder1.sh "flat" "md5" "ddd8be4b179a529afa5f2ffae4b9858")
   ];
 
+  badReferences = mkDerivation rec {
+    name = "bad-hash";
+    builder = script;
+    script = builtins.toFile "installer.sh" "echo $script >$out";
+    outputHash = "1ixr6yd3297ciyp9im522dfxpqbkhcw0pylkb2aab915278fqaik";
+    outputHashAlgo = "sha256";
+    outputHashMode = "flat";
+  };
+
   # Test for building two derivations in parallel that produce the
   # same output path because they're fixed-output derivations.
   parallelSame = [
diff --git a/tests/functional/fixed.sh b/tests/functional/fixed.sh
index f1e1ce420..d98d4cd15 100644
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@@ -26,6 +26,11 @@ nix-build fixed.nix -A good2 --no-out-link
 echo 'testing reallyBad...'
 nix-instantiate fixed.nix -A reallyBad && fail "should fail"
 
+if isDaemonNewer "2.20pre20240108"; then
+    echo 'testing fixed with references...'
+    expectStderr 1 nix-build fixed.nix -A badReferences | grepQuiet "not allowed to refer to other store paths"
+fi
+
 # While we're at it, check attribute selection a bit more.
 echo 'testing attribute selection...'
 test $(nix-instantiate fixed.nix -A good.1 | wc -l) = 1