Commit Graph

18055 Commits

Author SHA1 Message Date
Jade Lovelace
7b6622d733 language: cleanly ban integer overflows
This also bans various sneaking of negative numbers from the language
into unsuspecting builtins as was exposed while auditing the
consequences of changing the Nix language integer type to a newtype.

It's unlikely that this change comprehensively ensures correctness when
passing integers out of the Nix language and we should probably add a
checked-narrowing function or something similar, but that's out of scope
for the immediate change.

During the development of this I found a few fun facts about the
language:
- You could overflow integers by converting from unsigned JSON values.
- You could overflow unsigned integers by converting negative numbers
  into them when going into Nix config, into fetchTree, and into flake
  inputs.

  The flake inputs and Nix config cannot actually be tested properly
  since they both ban thunks, however, we put in checks anyway because
  it's possible these could somehow be used to do such shenanigans some
  other way.

Note that Lix has banned Nix language integer overflows since the very
first public beta, but threw a SIGILL about them because we run with
-fsanitize=signed-overflow -fsanitize-undefined-trap-on-error in
production builds. Since the Nix language uses signed integers, overflow
was simply undefined behaviour, and since we defined that to trap, it
did.

Trapping on it was a bad UX, but we didn't even entirely notice
that we had done this at all until it was reported as a bug a couple of
months later (which is, to be fair, that flag working as intended), and
it's got enough production time that, aside from code that is IMHO buggy
(and which is, in any case, not in nixpkgs) such as
https://git.lix.systems/lix-project/lix/issues/445, we don't think
anyone doing anything reasonable actually depends on wrapping overflow.

Even for weird use cases such as doing funny bit crimes, it doesn't make
sense IMO to have wrapping behaviour, since two's complement arithmetic
overflow behaviour is so *aggressively* not what you want for *any* kind
of mathematics/algorithms. The Nix language exists for package
management, a domain where bit crimes are already only dubiously in
scope to begin with, and it makes a lot more sense for that domain for
the integers to never lose precision, either by throwing errors if they
would, or by being arbitrary-precision.

Fixes: https://github.com/NixOS/nix/issues/10968
Original-CL: https://gerrit.lix.systems/c/lix/+/1596

Change-Id: I51f253840c4af2ea5422b8a420aa5fafbf8fae75
2024-07-30 18:13:05 -07:00
Jade Lovelace
e28cb67d41 libutil: add checked arithmetic tools
This is in preparation for adding checked arithmetic to the evaluator.

Change-Id: I6e115ce8f5411feda1706624977a4dcd5efd4d13
2024-07-30 18:13:05 -07:00
Jade Lovelace
dd75711895 Use std::strong_ordering for version comparison
The actual motive here is the avoidance of integer overflow if we were
to make these use checked NixInts and retain the subtraction.

However, the actual *intent* of this code is a three-way comparison,
which can be done with operator<=>, so we should just do *that* instead.

Change-Id: I7f9a7da1f3176424b528af6d1b4f1591e4ab26bf
2024-07-30 18:13:05 -07:00
Corbin Simpson
ee86e7f361
doc/command-ref/nix-shell: Shebangs can occur anywhere (#11202)
Co-authored-by: Valentin Gagarin <valentin@gagarin.work>
2024-07-30 12:51:47 +00:00
Eelco Dolstra
c77b671a66
Merge pull request #11221 from pinotree/hurd-fixes
Some fixes for GNU/Hurd
2024-07-30 13:59:19 +02:00
Pino Toscano
a1ccf60613 tests: define fallback PATH_MAX
Few filesystem-related tests rely on PATH_MAX for buffers, and PATH_MAX
is optional in POSIX (and not available on the Hurd). To make them build
and pass, provide a fallback definition of PATH_MAX in case not
available.

Ideally speaking, the tests ought to not unconditionally rely on
PATH_MAX, do alternative strategies (e.g. dynamically allocate buffers,
expand them as needed, etc); OTOH this is test code, so it would be more
work that what it would be worth, so IMHO the define fallback is good
enough.
2024-07-30 05:34:34 +02:00
Pino Toscano
7442f4a161 libutil: use /proc/self/exe on Hurd as well
Rely on the Linux-compatible procfs available on the Hurd to get the
path of the current executable.
2024-07-30 05:31:42 +02:00
Pino Toscano
d7f46cf28e makefiles: recognize GNU/Hurd
Set HOST_HURD & HOST_UNIX for GNU/Hurd in the makefile-based build
system; the latter variable is important as it will include all the
commit Unix bits.
2024-07-30 05:29:32 +02:00
John Ericson
2b78561335
Merge pull request #11219 from obsidiansystems/better-warning-solution
Make sure we use `-isystem` with Meson on some deps
2024-07-29 17:57:36 -05:00
John Ericson
12717325cc Make sure we use -isystem with Meson on some deps
Otherwise we get warnings on external code.
2024-07-29 13:06:26 -04:00
Eelco Dolstra
0b96c586e0
Merge pull request #11195 from DeterminateSystems/tarball-roots
Improve handling of tarballs that don't consist of a single top-level directory
2024-07-29 16:58:59 +02:00
Eelco Dolstra
84243027ec
Merge pull request #11127 from NixOS/issue-10635-c-api-error-enum
C API: Make nix_err an enum
2024-07-29 16:00:58 +02:00
Eelco Dolstra
f9d55b4d51
Merge pull request #11191 from DeterminateSystems/hash-symbol
Use std::unordered_map for ValueMap
2024-07-29 15:30:37 +02:00
Eelco Dolstra
a3171cec54
Update src/libfetchers/git-utils.hh
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-07-29 15:12:01 +02:00
Eelco Dolstra
e8bf2e74a5 Add release note 2024-07-29 15:09:06 +02:00
Eelco Dolstra
71865dee2d Fix fetchTarball docs 2024-07-29 15:04:55 +02:00
Robert Hensing
6e3bba5e26
Merge pull request #11171 from DeterminateSystems/speed-up-tarball-downloads
Increase download buffer size and improve tarball import logging
2024-07-29 15:02:35 +02:00
Eelco Dolstra
7c18b4d060 Don't dereference top-level regular files
Since this yielded an empty directory as far back as Nix 2.3, we don't
really need special handling for executables vs non-executables.
2024-07-29 14:34:02 +02:00
Eelco Dolstra
e0012b97ab Split tarball-specific logic from GitFileSystemObjectSink 2024-07-29 14:26:25 +02:00
Eelco Dolstra
3c0963487e
Merge pull request #11196 from NixOS/rename-lock-read
Rename SyncBase::read() -> readLock()
2024-07-29 14:10:46 +02:00
Eelco Dolstra
836d24d6e8
Merge pull request #11209 from pinotree/libutil-current-process-includes
libutil: fix/improve includes in current-process.cc
2024-07-29 14:01:02 +02:00
Eelco Dolstra
9e2bed7827
Merge pull request #11206 from tie/getxattr-enotsup
libstore: return ENOTSUP for getxattr functions
2024-07-29 14:00:36 +02:00
Eelco Dolstra
3faa77bb82
Merge pull request #11200 from NixOS/buildNoTests-no-unit-tests
buildNoTests: Disable unit tests
2024-07-29 13:57:23 +02:00
Eelco Dolstra
673f2dcadb
Merge pull request #11203 from pinotree/libutil-ctor-remove-template-id
libutil: remove template id from constructors
2024-07-29 13:56:55 +02:00
Pino Toscano
c34077578e libutil: fix/improve includes in current-process.cc
- move <sys/resource.h> from a __linux__ block to a !_WIN32 block: this
  matches what the actual code does, using getrlimit() & setrlimit() in
  !_WIN32 blocks
- drop <sys/mount.h>, which is not portable, and it is not used
2024-07-28 17:33:24 +02:00
Pino Toscano
96e06b2b06 libutil: remove template id from constructors
This is not allowed in C++20, and GCC 14 warns about it:

../src/libutil/ref.hh:26:20: warning: template-id not allowed for constructor in C++20 [-Wtemplate-id-cdtor]
   26 |     explicit ref<T>(const std::shared_ptr<T> & p)
      |                    ^
../src/libutil/ref.hh:26:20: note: remove the '< >'
../src/libutil/ref.hh:33:21: warning: template-id not allowed for constructor in C++20 [-Wtemplate-id-cdtor]
   33 |     explicit ref<T>(T * p)
      |                     ^
../src/libutil/ref.hh:33:21: note: remove the '< >'
2024-07-28 16:35:09 +02:00
Robert Hensing
0e151bcbf0
Merge pull request #11204 from pinotree/libcmd-editline-helpers
libcmd: do not compile editline helpers when building w/ readline
2024-07-28 16:10:32 +02:00
Valentin Gagarin
933f2c086a
docs: fix link to building instructions (#11207) 2024-07-28 13:34:48 +00:00
Ivan Trubach
1b47748e5a libstore: return ENOTSUP for getxattr functions
This change updates the seccomp profile to return ENOTSUP for getxattr
functions family. This reflects the behavior of filesystems that don’t
support extended attributes (or have an option to disable them), e.g.
ext2.

The current behavior is confusing for some programs because we can read
extended attributes, but only get to know that they are not supported
when setting them. In addition to that, ACLs on Linux are implemented
via extended attributes internally and if we don’t return ENOTSUP, acl
library converts file mode to ACL.
https://git.savannah.nongnu.org/cgit/acl.git/tree/libacl/acl_get_file.c?id=d9bb1759d4dad2f28a6dcc8c1742ff75d16dd10d#n69
2024-07-28 13:28:52 +03:00
Pino Toscano
e0198c513a libcmd: do not compile editline helpers when building w/ readline
The internal "completionCallback" and "listPossibleCallback" helpers
are used only when building with editline; hence, do not build then
when using readline, matching their usage in
"ReadlineLikeInteracter::init()".
2024-07-28 11:40:16 +02:00
Robert Hensing
9f1e73ed37
Merge pull request #11199 from NixOS/troubleshoot-remote-build-tests
Troubleshoot remote build tests
2024-07-27 14:25:10 +02:00
Robert Hensing
cc5b8cdc85 buildNoTests: Disable unit tests
This seems to have been the intent all along.

The odd combination of unit tests, but no functional tests caused a
build error where some data for the unit test was source-filtered out.
Apparently. It's unclear to me why that happened, so I'm proposing this
alternate "fix" to get the buildNoTests to pass.

It would be nice to test more configurations, but this mode of building
is on the way out anyway, so let's just make it pass and see what
configurations make sense to test as part of the meson migration.
2024-07-27 13:42:03 +02:00
Robert Hensing
7c5a0b06a4 tests/nixos/remote-builds: Wait for multi-user
This should make the test more robust, considering the strange hang
in https://hydra.nixos.org/build/267517233/nixlog/8

`builder` seems to have reached `multi-user.target` before the
SSH connection was established, but this seems to be coincidental.
This does tell us that enforcing this has a minimal cost in terms
of runtime.

Waiting for `multi-user.target` on the client is honestly paranoid,
but flaky tests are very bad for productivity.
2024-07-27 13:08:30 +02:00
Robert Hensing
f4464873f5 tests/nixos/remote-builds: Print hello world to stderr
Trying to learn more about enigmatic spurious hang at
https://hydra.nixos.org/build/267517233/nixlog/8
- builder1 seems to have started properly
- ssh connection and session are established
- ssh client doesn't exit or client.succeed does not return
  for some reason.

Seeing the stdout on the console might give a tiny bit more info.
2024-07-27 13:01:56 +02:00
Robert Hensing
04c20dc0c0
Merge pull request #11197 from NixOS/aws-sdk-cpp-like-nixpkgs
dependencies: Centralize aws-sdk-cpp and sync with Nixpkgs
2024-07-27 03:30:39 +02:00
Robert Hensing
17b5d40445 package.nix: Empty build inputs if not doBuild 2024-07-27 02:39:55 +02:00
Robert Hensing
22f943bb1f dependencies: Centralize aws-sdk-cpp and sync with Nixpkgs
By syncing with Nixpkgs, we reuse the same derivation, which is
generally a good idea, and has the benefit that it is transitively
a channel blocker.

Changes:

- https://github.com/NixOS/nixpkgs/pull/163313 (SuperSandro2000)

  > nix: disable big-parallel for aws-sdk-cpp

  > aws-sdk-cpp only takes ~1m52s on a 4 core machine under 50% load
  > which does not justify the requirement on big parallel.

  > Tested with `nix-build -A nixVersions.nix_2_6.aws-sdk-cpp`.

  > I can finally build nix without requiring a big-parallel machine.

- https://github.com/NixOS/nixpkgs/pull/227506 (Artturin)

  > nix: use [ ] instead null to empty requiredSystemFeatures

  > fixes 'error: value is null while a list was expected' with 'nixpkgs.hostPlatform.gcc.arch = "x86_64";'
2024-07-27 02:16:05 +02:00
Robert Hensing
6af40f488a Rename SyncBase::read() -> readLock()
Make it explicit so it's clear what it's about when I and other
contributors read its call sites.
2024-07-27 01:39:13 +02:00
Robert Hensing
95845d92f7
Merge pull request #11192 from DeterminateSystems/store-sharedsync
Store: Use SharedSync
2024-07-27 01:32:13 +02:00
Robert Hensing
861bd102a6
Merge pull request #11167 from NixOS/repl-test-rejiggle
Fix repl test for `buildReadlineNoMarkdown`
2024-07-27 00:55:57 +02:00
Robert Hensing
88e8c9017a
Merge pull request #11187 from Mic92/diff-closure-fix
diff-closures: fix a use after free
2024-07-27 00:52:38 +02:00
Eelco Dolstra
c1f7ba7a98
Merge pull request #11190 from DeterminateSystems/unnecessary-eval-string
nix repl: Remove unnecessary call to evalString
2024-07-26 22:27:51 +02:00
Eelco Dolstra
5e83c0427f Fix test 2024-07-26 20:46:07 +02:00
Eelco Dolstra
b88950ec77 Update fetchTree docs 2024-07-26 20:34:04 +02:00
Eelco Dolstra
06b686b62d Handle tarballs that don't consist of a single top-level directory
Fixes #4785 (top-level directories are no longer merged into one).

Fixes #10983 (top-level non-directories are no longer discarded).
2024-07-26 20:24:58 +02:00
Eelco Dolstra
d9ba2a1634 Fix error message 2024-07-26 19:06:49 +02:00
Eelco Dolstra
ea46264bd3 Store: Use SharedSync for state 2024-07-26 16:14:03 +02:00
Eelco Dolstra
ce663d75e3 LRUCache: Mark size() as const 2024-07-26 16:13:00 +02:00
Eelco Dolstra
6d843ce9fe Provide std::hash<Symbol> 2024-07-26 16:06:09 +02:00
Eelco Dolstra
2141a52ca3 nix repl: Remove unnecessary call to evalString
This crashes with the multithreaded evaluator, which checks against
attempts to finish an already finished value.
2024-07-26 15:40:32 +02:00