fromTOML: Assertion in TOML library fails #11972
msanft opened this issue Nov 26, 2024 · 0 comments
msanft commented Nov 26, 2024

Describe the bug

Found by AFL++.

A contrived input to (builtins.)fromTOML can trigger an assertion in the TOML library used within Nix:

ms@ms-nix-test:~/nix-fuzzing/fuzz$ cat toml-size-assertion.nix | ../result/bin/main
main: /nix/store/LHC1WFVZQXWQF62IHRAR5BH8Y7NH89DM-toml11-3.7.1/include/toml/region.hpp:172: virtual std::size_t toml::detail::location::before() const: Assertion `sz >= 0' failed.
Aborted

This results in different symptoms, depending on the evaluation method:

Evaluating the faulty expression through the Nix C bindings (i.e. libexpr) causes the above error.

Evaluating it in a REPL, I'll see the following:

nix-repl> fromTOML '''0000000000000000000000000000000000000'0''
error:
       … while calling the 'fromTOML' builtin
         at «string»:1:1:
            1| fromTOML '''0000000000000000000000000000000000000'0''
             | ^

       error: while parsing TOML: [error] toml::parse_key_value_pair: missing key-value separator `=`
        --> fromTOML
          |
        1 | '0000000000000000000000000000000000000'0
          |                                        ^--- should be `=`

When using nix eval, I get to this:

ms@ms-nix-test:~/nix-fuzzing/fuzz$ nix eval --expr "$(cat toml-size-assertion.nix)"
error:
       … while calling the 'fromTOML' builtin
         at «string»:1:1:
            1| fromTOML '''0000000000000000000000000000000000000'0''
             | ^

       error: while parsing TOML: basic_string::_M_create

Steps To Reproduce

Evaluate the following expression:

fromTOML '''0000000000000000000000000000000000000'0''

Expected behavior

This should not be interpreted as valid TOML in the first case, as in the REPL. All methods should return consistent results.

Metadata

nix (Nix) 2.24.10

Additional context

Stack trace from the libexpr case:

#0  0x00007ffff798da9c in __pthread_kill_implementation () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#1  0x00007ffff793b576 in raise () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#2  0x00007ffff7923935 in abort () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#3  0x00007ffff7923859 in __assert_fail_base.cold () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#4  0x00007ffff7933a56 in __assert_fail () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#5  0x00007ffff5bc1bcf in toml::source_location::source_location(toml::detail::location const&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#6  0x00007ffff5c52fd6 in toml::detail::parse_literal_string[abi:cxx11](toml::detail::location&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#7  0x00007ffff5ca0693 in toml::detail::parse_simple_key[abi:cxx11](toml::detail::location&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#8  0x00007ffff5ca72a6 in toml::detail::parse_key[abi:cxx11](toml::detail::location&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#9  0x00007ffff5cce776 in toml::result<std::pair<std::pair<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, toml::detail::region>, toml::basic_value<toml::discard_comments, std::unordered_map, std::vector> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > toml::detail::parse_key_value_pair<toml::basic_value<toml::discard_comments, std::unordered_map, std::vector> >(toml::detail::location&) () from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#10 0x00007ffff5ce41d7 in toml::result<toml::basic_value<toml::discard_comments, std::unordered_map, std::vector>::table_type, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > toml::detail::parse_ml_table<toml::basic_value<toml::discard_comments, std::unordered_map, std::vector> >(toml::detail::location&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#11 0x00007ffff5ce5eb2 in toml::result<toml::basic_value<toml::discard_comments, std::unordered_map, std::vector>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > toml::detail::parse_toml_file<toml::basic_value<toml::discard_comments, std::unordered_map, std::vector> >(toml::detail::location&) () from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#12 0x00007ffff5cea400 in toml::basic_value<toml::discard_comments, std::unordered_map, std::vector> toml::parse<toml::discard_comments, std::unordered_map, std::vector>(std::basic_istream<char, std::char_traits<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) () from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#13 0x00007ffff5b76d94 in nix::prim_fromTOML(nix::EvalState&, nix::PosIdx, nix::Value**, nix::Value&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#14 0x00007ffff583c13b in nix::EvalState::callFunction(nix::Value&, unsigned long, nix::Value**, nix::Value&, nix::PosIdx) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#15 0x00007ffff5840bb3 in nix::ExprCall::eval(nix::EvalState&, nix::Env&, nix::Value&) ()
   from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexpr.so
#16 0x00007ffff7f19936 in nix_expr_eval_from_string () from /nix/store/b9iby5snmsfvp79j6mby7qrcwdysrjm7-aflxx-nix-2.24.10/lib/libnixexprc.so
#17 0x0000000000403663 in main ()
#18 0x00007ffff792527e in __libc_start_call_main () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#19 0x00007ffff7925339 in __libc_start_main_impl () from /nix/store/3bvxjkkmwlymr0fssczhgi39c3aj1l7i-glibc-2.40-36/lib/libc.so.6
#20 0x00000000004038a5 in _start ()

@msanft msanft added the bug label Nov 26, 2024