Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPA panics in nested use of every #6790

Closed
anakrish opened this issue Jun 4, 2024 · 3 comments · Fixed by #6832
Closed

OPA panics in nested use of every #6790

anakrish opened this issue Jun 4, 2024 · 3 comments · Fixed by #6832
Labels
bug

Comments

@anakrish
Copy link

anakrish commented Jun 4, 2024
edited
Loading

Short description

opa panics

Steps To Reproduce

The following rego:

package test

import rego.v1

x if {
	every p in [[], 1, 1/3] {
		every q in p {
			q > 0
		}
	}
}

causes OPA to panic

panic: unreachable [recovered]
	panic: unreachable

goroutine 1 [running]:
github.com/open-policy-agent/opa/ast.(*Compiler).compile.func1()
	github.com/open-policy-agent/opa/ast/compile.go:1576 +0x74
panic({0x105d3db80?, 0x105f451e0?})
	runtime/panic.go:770 +0x124
github.com/open-policy-agent/opa/ast.unify1(0x1400000f560, 0x140001d5920, {0x105f51940, 0x1400000f6c8}, 0x1?)
	github.com/open-policy-agent/opa/ast/check.go:593 +0x44c
github.com/open-policy-agent/opa/ast.unify1(0x1400000f560, 0x140001d5980, {0x105f51940, 0x1400000f680}, 0xa8?)
	github.com/open-policy-agent/opa/ast/check.go:531 +0x7c8
github.com/open-policy-agent/opa/ast.unify2Array(0x1400000f560, 0x140001d5980, 0x140001d5710)
	github.com/open-policy-agent/opa/ast/check.go:498 +0xdc
github.com/open-policy-agent/opa/ast.unify2(0x1400000f560, 0x140001d5710, {0x0, 0x0}, 0x140001d5980, {0x105f51a30, 0x140002d8660})
	github.com/open-policy-agent/opa/ast/check.go:476 +0x21c
github.com/open-policy-agent/opa/ast.(*typeChecker).checkExprEq(0x0?, 0x1400000f560, 0x1400055e190)
	github.com/open-policy-agent/opa/ast/check.go:420 +0x494
github.com/open-policy-agent/opa/ast.(*typeChecker).checkExpr(0x1400046c000, 0x1400000f560, 0x1400055e190)
	github.com/open-policy-agent/opa/ast/check.go:335 +0x13c
github.com/open-policy-agent/opa/ast.(*typeChecker).CheckBody.func1(0x1400055e190)
	github.com/open-policy-agent/opa/ast/check.go:139 +0x2f4
github.com/open-policy-agent/opa/ast.WalkExprs.func1({0x105f165a0?, 0x1400055e190?})
	github.com/open-policy-agent/opa/ast/visit.go:221 +0x40
github.com/open-policy-agent/opa/ast.(*GenericVisitor).Walk(0x1400012a3c8, {0x105f165a0, 0x1400055e190})
	github.com/open-policy-agent/opa/ast/visit.go:286 +0x40
github.com/open-policy-agent/opa/ast.(*GenericVisitor).Walk(0x1400012a3c8, {0x105ecddc0, 0x1400000f578})
	github.com/open-policy-agent/opa/ast/visit.go:327 +0x924
github.com/open-policy-agent/opa/ast.WalkExprs({0x105ecddc0, 0x1400000f578}, 0x1400054c800)
	github.com/open-policy-agent/opa/ast/visit.go:225 +0x98
github.com/open-policy-agent/opa/ast.(*typeChecker).CheckBody(0x1400046c000, 0x1400000f500, {0x1400054f220, 0x2, 0x2})
	github.com/open-policy-agent/opa/ast/check.go:122 +0xdc
github.com/open-policy-agent/opa/ast.(*typeChecker).checkRule(0x1400046c000, 0x1400000f4e8, 0x1400055d410, 0x140004ac000)
	github.com/open-policy-agent/opa/ast/check.go:223 +0x420
github.com/open-policy-agent/opa/ast.(*typeChecker).CheckTypes(0x1400046c000, 0x140002d8210?, {0x1400054f260, 0x1, 0x105da7880?}, 0x1400055d410)
	github.com/open-policy-agent/opa/ast/check.go:162 +0x64
github.com/open-policy-agent/opa/ast.(*Compiler).checkTypes(0x14000171b80)
	github.com/open-policy-agent/opa/ast/compile.go:1528 +0x2b4
github.com/open-policy-agent/opa/ast.(*Compiler).runStage(0x1?, {0x10577e3a8?, 0x10576ee8d?}, 0xe?)
	github.com/open-policy-agent/opa/ast/compile.go:1561 +0xbc
github.com/open-policy-agent/opa/ast.(*Compiler).compile(0x14000171b80)
	github.com/open-policy-agent/opa/ast/compile.go:1592 +0x1ac
github.com/open-policy-agent/opa/ast.(*Compiler).Compile(0x14000171b80, 0x1400063dba8)
	github.com/open-policy-agent/opa/ast/compile.go:512 +0x300
github.com/open-policy-agent/opa/bundle.compileModules(0x14000171b80, {0x105f5aca0, 0x140004339e0}, 0x1400035df08, 0x1400035e388, 0x0, {0x0, 0x0, 0x0})
	github.com/open-policy-agent/opa/bundle/store.go:792 +0x2d4
github.com/open-policy-agent/opa/bundle.activateBundles(0x1400063e4d0)
	github.com/open-policy-agent/opa/bundle/store.go:457 +0x68c
github.com/open-policy-agent/opa/bundle.Activate(...)
	github.com/open-policy-agent/opa/bundle/store.go:313
github.com/open-policy-agent/opa/rego.(*Rego).compileModules(0x14000544008, {0x105f54708, 0x1068b61a0}, {0x105f4a300, 0x140005412f0}, {0x105f5aca0, 0x140004339e0})
	github.com/open-policy-agent/opa/rego/rego.go:1977 +0x1b4
github.com/open-policy-agent/opa/rego.(*Rego).prepare(0x14000544008, {0x105f54708, 0x1068b61a0}, 0x0, {0x1400063eea0, 0x1, 0x1})
	github.com/open-policy-agent/opa/rego/rego.go:1754 +0xf8
github.com/open-policy-agent/opa/rego.(*Rego).PrepareForEval(0x14000544008, {0x105f54708, 0x1068b61a0}, {0x0, 0x0, 0x0})
	github.com/open-policy-agent/opa/rego/rego.go:1605 +0x3a4
github.com/open-policy-agent/opa/cmd.evalOnce({0x105f54708, 0x1068b61a0}, 0x14000442600)
	github.com/open-policy-agent/opa/cmd/eval.go:445 +0x1fc
github.com/open-policy-agent/opa/cmd.eval({_, _, _}, {0x140003ebd40, 0x0, 0x0, {0x14000468760, 0x1, 0x1}, {0x1068b61a0, ...}, ...}, ...)
	github.com/open-policy-agent/opa/cmd/eval.go:362 +0x310
github.com/open-policy-agent/opa/cmd.init.5.func2(0x140003bd808?, {0x14000511e60?, 0x4?, 0x1057636e3?})
	github.com/open-policy-agent/opa/cmd/eval.go:281 +0x64
github.com/spf13/cobra.(*Command).execute(0x140003bd808, {0x14000511e00, 0x3, 0x3})
	github.com/spf13/[email protected]/command.go:987 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x106834a80)
	github.com/spf13/[email protected]/command.go:1115 +0x344
github.com/spf13/cobra.(*Command).Execute(0x10671ff68?)
	github.com/spf13/[email protected]/command.go:1039 +0x1c
main.main()
	github.com/open-policy-agent/opa/main.go:14 +0x24

Expected behavior

The expected behavior is that it should successfully evaluates the policy.

OPA version: 0.65.0
@anakrish anakrish added the bug label Jun 4, 2024
@anakrish anakrish changed the title OPA raises error in valid use of every OPA panics in nested use of every Jun 4, 2024
@anakrish anakrish mentioned this issue Jun 4, 2024
Closed
@anakrish
Copy link
Author

anakrish commented Jun 4, 2024

The nesting might not be needed.

@johanfylling
Copy link
Contributor

Thank you for reporting this issue @anakrish!

@johanfylling
Copy link
Contributor

Some further information: this is a compile-time issue in the type-checker triggered when the every-domain contains a function call.

package test

import rego.v1

x if {
	every p in [foo(1), 2/2] {
		p == 1
	}
}

foo(x) := x

There might be further triggers.

johanfylling added a commit to johanfylling/opa that referenced this issue Jun 26, 2024
@johanfylling
ast: expanding nested expressions in every domain
0c50f85 
Fixes: open-policy-agent#6790
Signed-off-by: Johan Fylling <[email protected]>
@johanfylling johanfylling mentioned this issue Jun 26, 2024
Merged
@BrewTestBot BrewTestBot mentioned this issue Jun 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Open Policy Agent
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ast: expanding nested expressions in every domain johanfylling/opa
2 participants
@johanfylling @anakrish