lix-project/lix
20
58
Fork 31
Code Issues 359 Code Review (Gerrit) Projects 3 Releases Wiki Activity

Segfault when comparing infinite data structures #330

New issue
Open
opened 2024-05-19 01:07:05 +00:00 by gaelan · 11 comments
gaelan commented 2024-05-19 01:07:05 +00:00
Copy link

Describe the bug

When comparing two infinitely nested data structures (and pointer equality doesn't suffice), Lix segfaults.

Steps To Reproduce

let a = rec { foo = [foo]; }; b = rec { foo = [foo]; }; in a == b

Causes Lix to segfault.

Expected behavior

If possible, define a result (I have no idea if there's a sensible argument to be made for either true or false, nor whether there's any way to efficiently determine this result). Otherwise, fail with a nice error instead of segfaulting.

nix --version output

nix (Lix, like Nix) 2.90.0-beta.1-lixpre20240506-b6799ab

Additional context

Inherited from Nix, present since at least 2022.

## Describe the bug When comparing two infinitely nested data structures (and pointer equality doesn't suffice), Lix segfaults. ## Steps To Reproduce ``` let a = rec { foo = [foo]; }; b = rec { foo = [foo]; }; in a == b ``` Causes Lix to segfault. ## Expected behavior If possible, define a result (I have no idea if there's a sensible argument to be made for either true or false, nor whether there's any way to efficiently determine this result). Otherwise, fail with a nice error instead of segfaulting. ## `nix --version` output nix (Lix, like Nix) 2.90.0-beta.1-lixpre20240506-b6799ab ## Additional context Inherited from Nix, present since at least 2022.
gaelan added the
bug
 label 2024-05-19 01:07:05 +00:00
pennae commented 2024-05-23 19:25:33 +00:00
Owner
Copy link

defining a result won't really be possible, but we should definitely limit recursion depth on comparisons (lix already does this for the evaluator itself, but comparisons themselves aren't subject to this yet). reusing the same stack depth limit we already have for eval should be fine, and give an obvious place to tune if anyfew run into this trapping.

defining a result won't really be possible, but we should definitely limit recursion depth on comparisons (lix already does this for the evaluator itself, but comparisons themselves aren't subject to this yet). reusing the same stack depth limit we already have for eval should be fine, and give an obvious place to tune if anyfew run into this trapping.
qyriad added the
Area/evaluator
E/help wanted
 labels 2024-05-24 21:24:19 +00:00
lulu-berlin commented 2024-10-07 04:35:01 +00:00
Copy link

When I run either nix or lix with:

nix eval --expr 'let a = rec { foo = [foo]; }; b = rec { foo = [foo]; }; in a == b'

or do the same in nix repl, I get:

error: stack overflow (possible infinite recursion)

Is this what you mean by segfault?

When I run either `nix` or `lix` with: ```sh nix eval --expr 'let a = rec { foo = [foo]; }; b = rec { foo = [foo]; }; in a == b' ``` or do the same in `nix repl`, I get: ``` error: stack overflow (possible infinite recursion) ``` Is this what you mean by segfault?
jade commented 2024-10-07 04:42:42 +00:00
Owner
Copy link

ah, Darwin not having the stack overflow detector strikes again. so yeah it's segfaulting due to infinite recursion, but it would be reasonably plausible to decide that after 1000 or 100 depth or something, the values are not going to become equal all of a sudden and return false.

as mentioned there is a recursion limit implemented in the evaluator. if you want to find the code i would suggest checking the 2.90 release notes in the manual (https://docs.lix.systems or in rl-2.90.md in the code in doc/manual/release-notes or so), it's mentioned in there with a link to the code change.

ah, Darwin not having the stack overflow detector strikes again. so yeah it's segfaulting due to infinite recursion, but it would be reasonably plausible to decide that after 1000 or 100 depth or something, the values are not going to become equal all of a sudden and return false. as mentioned there is a recursion limit implemented in the evaluator. if you want to find the code i would suggest checking the 2.90 release notes in the manual (https://docs.lix.systems or in rl-2.90.md in the code in doc/manual/release-notes or so), it's mentioned in there with a link to the code change.
pennae commented 2024-10-07 10:39:53 +00:00
Owner
Copy link

it would be reasonably plausible to decide that after 1000 or 100 depth or something, the values are not going to become equal all of a sudden and return false.

big oof, no, if anything we should throw. the recursion limit currently only applies to function calls, not value comparisons; if we applied the recursion limit here too we'd naturally get an exception instead of a crash.

> it would be reasonably plausible to decide that after 1000 or 100 depth or something, the values are not going to become equal all of a sudden and return false. big oof, no, if anything we should throw. the recursion limit currently only applies to function calls, not value comparisons; if we applied the recursion limit here too we'd naturally get an exception instead of a crash.
lulu-berlin commented 2024-10-08 23:31:57 +00:00
Copy link

I read through the code that was mentioned by @jade and found this Nix PR and this CL.

I would like to share my thoughts about how to approach this issue with regards to infinitely nested attrsets and ask for your feedback:

  • This issue affects the evaluation of == and !=. I'm guessing that it's because EvalState::eqValues calls itself recursively if v1 and v2 are both non-derivation attrsets for each attribute that has the same name (line 2510):

    Lines 2495 to 2514 in 0012887
    case nAttrs: {
    /* If both sets denote a derivation (type = "derivation"),
    then compare their outPaths. */
    if (isDerivation(v1) && isDerivation(v2)) {
    Bindings::iterator i = v1.attrs->find(sOutPath);
    Bindings::iterator j = v2.attrs->find(sOutPath);
    if (i != v1.attrs->end() && j != v2.attrs->end())
    return eqValues(*i->value, *j->value, pos, errorCtx);
    }
    if (v1.attrs->size() != v2.attrs->size()) return false;
    /* Otherwise, compare the attributes one by one. */
    Bindings::iterator i, j;
    for (i = v1.attrs->begin(), j = v2.attrs->begin(); i != v1.attrs->end(); ++i, ++j)
    if (i->name != j->name || !eqValues(*i->value, *j->value, pos, errorCtx))
    return false;
    return true;
    }

  • I tried to see if any other attrset operation (like //) has a similar effect and it doesn't seem to be the case.

  • So to follow the same approach of handling infinite recursion in function calls, we should probably have a depth counter in EvalState, maybe attrEqDepth? Then the counter should be incremented every time we reach the case of evaluating the equality of non-derivation attrsets quoted above. Before incrementing it, we can check if attrEqDepth exceeded evalSettings.maxAttrEqDepth and throw an exception ("stack overflow: max-attr-eq-depth exceeded") with a stack trace.

  • This can then be tested with a functional test, just like tests/functional/lang/eval-fail-infinite-recursion-lambda.nix.

What do you think?

I read through the code that was mentioned by @jade and found [this Nix PR](https://github.com/NixOS/nix/pull/9617) and [this CL](https://gerrit.lix.systems/c/lix/+/205). I would like to share my thoughts about how to approach this issue with regards to infinitely nested attrsets and ask for your feedback: - This issue affects the evaluation of `==` and `!=`. I'm guessing that it's because `EvalState::eqValues` calls itself recursively if `v1` and `v2` are both non-derivation attrsets for each attribute that has the same name (line 2510): https://git.lix.systems/lix-project/lix/src/commit/0012887310f24283e8a9ca08e0c2a49219ea4ff5/src/libexpr/eval.cc#L2495-L2514 - I tried to see if any other attrset operation (like `//`) has a similar effect and it doesn't seem to be the case. - So to follow the same approach of handling infinite recursion in function calls, we should probably have a depth counter in `EvalState`, maybe `attrEqDepth`? Then the counter should be incremented every time we reach the case of evaluating the equality of non-derivation attrsets quoted above. Before incrementing it, we can check if `attrEqDepth` exceeded `evalSettings.maxAttrEqDepth` and throw an exception ("stack overflow: max-attr-eq-depth exceeded") with a stack trace. - This can then be tested with a functional test, just like `tests/functional/lang/eval-fail-infinite-recursion-lambda.nix`. What do you think?
jade commented 2024-10-09 01:00:57 +00:00
Owner
Copy link

hmmm. is there a reason why we would have to keep this as part of EvalState rather than as a parameter to eqValues? If it's that it has to conform to some signature we can make it a wrapper over a function that takes it as a parameter. I don't like non-reentrant state where avoidable.

I don't think that equality comparison should ever hit any other parts of the evaluator such that it would have to be passed elsewhere, so it should be possible to make a parameter.

hmmm. is there a reason why we would have to keep this as part of `EvalState` rather than as a parameter to eqValues? If it's that it has to conform to some signature we can make it a wrapper over a function that takes it as a parameter. I don't like non-reentrant state where avoidable. I don't *think* that equality comparison should ever hit any other parts of the evaluator such that it would have to be passed elsewhere, so it *should* be possible to make a parameter.
lulu-berlin commented 2024-10-09 01:20:21 +00:00
Copy link

Good idea! :)
I'm all for it. I'll add a parameter with a default value of 0 for the external callers.

It's probably still good to have an evalSettings.maxAttrEqDepth for setting the boundary, right?

Good idea! :) I'm all for it. I'll add a parameter with a default value of 0 for the external callers. It's probably still good to have an `evalSettings.maxAttrEqDepth` for setting the boundary, right?
lulu-berlin commented 2024-10-09 01:28:38 +00:00
Copy link

Another question is whether I should check the boundary at the beginning of the function or right before the recursive call.

I think that performance-wise, it would be better to make the check before the recursive call so that in most cases it can be skipped.

Another question is whether I should check the boundary at the beginning of the function or right before the recursive call. I think that performance-wise, it would be better to make the check before the recursive call so that in most cases it can be skipped.
jade commented 2024-10-09 01:55:46 +00:00
Owner
Copy link

Good idea! :)
I'm all for it. I'll add a parameter with a default value of 0 for the external callers.

Yup, was my thought. Don't even need any fancy state, just add one to it when you recurse.

It's probably still good to have an evalSettings.maxAttrEqDepth for setting the boundary, right?

I think it's probably reasonable that it uses the same depth limit setting as we use for the rest of the language so there's just one knob.

As to when to check it, it should not cause a perf problem to do it right at the start because branch predictors exist and will ignore it. If you're worried you can probably put an unlikely annotation on the if statement, but I don't think this code is terribly hot to begin with. I think we recurse in a couple of places so it's going to be slightly easier to maintain if we only have one check.

> Good idea! :) > I'm all for it. I'll add a parameter with a default value of 0 for the external callers. Yup, was my thought. Don't even need any fancy state, just add one to it when you recurse. > It's probably still good to have an `evalSettings.maxAttrEqDepth` for setting the boundary, right? I think it's probably reasonable that it uses the same depth limit setting as we use for the rest of the language so there's just one knob. As to when to check it, it should not cause a perf problem to do it right at the start because branch predictors exist and will ignore it. If you're worried you can probably put an unlikely annotation on the if statement, but I don't think this code is terribly hot to begin with. I think we recurse in a couple of places so it's going to be slightly easier to maintain if we only have one check.
lulu-berlin commented 2024-10-09 21:29:26 +00:00
Copy link

I've just tried it with a low hard-coded callDepth boundary of 10:

    // Limit the nesting level depth when comparing attribute sets to avoid infinite recursion.
    if (callDepth > 10uz)
        error<EvalError>("stack overflow; max-call-depth exceeded").atPos(pos).debugThrow();

and while it works with:

nix-repl> a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = []; }; }; }; }; }; }; }; }; }; }; }

nix-repl> b = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = []; }; }; }; }; }; }; }; }; }; }; }

nix-repl> a == b
error: stack overflow; max-call-depth exceeded
       at «string»:1:3:
            1| a == b
             |   ^

it doesn't work with infinitely nested recursive attribute sets, like the example at the top of the issue.

It simply aborts with:

error: stack overflow (possible infinite recursion)

I need to investigate further why it's not working with infinitely nested recursive attribute sets.

I've just tried it with a low hard-coded `callDepth` boundary of `10`: ```cpp // Limit the nesting level depth when comparing attribute sets to avoid infinite recursion. if (callDepth > 10uz) error<EvalError>("stack overflow; max-call-depth exceeded").atPos(pos).debugThrow(); ``` and while it works with: ```nix nix-repl> a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = []; }; }; }; }; }; }; }; }; }; }; } nix-repl> b = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = { a = []; }; }; }; }; }; }; }; }; }; }; } nix-repl> a == b error: stack overflow; max-call-depth exceeded at «string»:1:3: 1| a == b | ^ ``` it doesn't work with infinitely nested recursive attribute sets, like the example at the top of the issue. It simply aborts with: ``` error: stack overflow (possible infinite recursion) ``` I need to investigate further why it's not working with infinitely nested recursive attribute sets.
lulu-berlin commented 2024-10-10 11:32:06 +00:00
Copy link

Ok, this was silly. I figured it out. I only incremented callDepth for nested attributes sets, but not for nested lists... The example had rec { foo = [foo]; } so it's nesting attrset -> list -> attrset -> list -> ...

Ok, this was silly. I figured it out. I only incremented `callDepth` for nested attributes sets, but not for nested lists... The example had `rec { foo = [foo]; }` so it's nesting attrset -> list -> attrset -> list -> ...
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release-2.91
sb/raito/phantom-referrers-gc
repl-overlay-example
reuse-compliance
release-2.90
git-series/activity-cleanup
sb/tom-hubrecht/primops.cc-v2
sb/bacchanalia/cache-strlen%topic=substr-perf
sb/arcuru/commit-msg
sb/qyriad/beta-1
sb/qyriad/2.90-beta.0
rbt/pre-commit-update
sb/rbt/test-branch
sb/rbt/justfile
sb/rbt/repl-overlays
sb/fuck/what
sb/rbt/pre-commit
sb/rbt/makeflags
sb/pennae/io-rewrite
sb/qyriad/maint-meson
sb/qyriad/maint/meson
sb/puck/meson-c-api
sb/pennae/parser-rewrite
sb/jade/burn-it-all
dependabot/github_actions/zeebe-io/backport-action-2.4.1
dependabot/github_actions/cachix/install-nix-action-25
dependabot/github_actions/actions/labeler-5
dependabot/github_actions/cachix/cachix-action-14
2.91.1
2.91.0
2.90.0
2.90.0-rc1
2.90-beta.1
2.90-beta.0
Labels
Clear labels   
Area/build-packaging

regarding the building or packaging of Lix itself

  
Area/cli

The command line interface of Lix

  
Area/evaluator

libexpr and anything else related to the evaluation of Nix expressions

  
Area/fetching

Fetching sources or other materials from the World Wide Web in Lix

  
Area/flakes

   
Area/language

language design, features, extensions, etc

  
Area/profiles

profiles: nix-env, nix profile, and installer flavors all alike

  
Area/protocol

The protocol, used for communicating between the client and the daemon

  
Area/releng

Release engineering

  
Area/remote-builds

remote builds

  
Area/repl

nix repl

  
Area/store

libstore and anything else relating to the Nix store

  
bug

it's a bug

  
crash 💥

Lix crashes (possibly bad error handling)

  
Cross Compilation

   
devx

development experience issues

  
docs

requires or is about documentation changes

  
Downstream Dependents

regarding an external tool's usage with Lix (e.g. nix-eval-jobs)

  
E/easy

bug is relatively simple and could simply be fixed with some minor effort

  
E/hard

this issue should probably be solved with close involvement of an expert

  
E/help wanted

maintainers may not get to this soon, but we want it fixed

  
E/reproducible

This bug is reproducible and obvious.

  
E/requires rearchitecture

this bug cannot be fixed properly without fixing a known architectural flaw

  
imported

Issue imported from upstream nix (please do not remove this label, it will cause dupes if import is rerun)

  
Needs Langver

We can't get to this until we implement language versioning

  
OS/Linux

Affects specifically Lix on Linux

  
OS/macOS

Affects specifically Lix on macOS

  
performance

make lix go faster

  
regression

This is a regression since some previous version of Lix

  
release-blocker

Blocks public release

  
RFD

Request for discussion

  
stability

Fixing this makes the software more stable

  
Status
blocked
Blocked on something

  
Status
invalid
not our bug, duplicate, similar

  
Status
postponed
closed but should maybe look at later (generally with S-wontfix)

  
Status
wontfix
We chose not to change this (see issue comments for more detail).

  
testing

Tests that should be added

  
testing/flakey

Tests that are unreliable/flakey (not to be confused with flakes that test)

  
ux

makes the user experience better :)

No labels
Area/build-packaging
Area/cli
Area/evaluator
Area/fetching
Area/flakes
Area/language
Area/profiles
Area/protocol
Area/releng
Area/remote-builds
Area/repl
Area/store
bug
crash 💥
Cross Compilation
devx
docs
Downstream Dependents
E/easy
E/hard
E/help wanted
E/reproducible
E/requires rearchitecture
imported
Needs Langver
OS/Linux
OS/macOS
performance
regression
release-blocker
RFD
stability
Status
blocked
Status
invalid
Status
postponed
Status
wontfix
testing
testing/flakey
ux
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lix-project/lix#330
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?