Closed
Description
What version of CUE are you using (`cue version`)?
reproduces on v0.10.1 and v0.9.2 of cuelang.org/go
Does this issue reproduce with the latest stable release?
yes
What did you do?
This was found via oss-fuzz, and can be locally reproduced with the following go code (edit: made a standalone repro):
env CUE_EXPERIMENT=evalv3=0
go mod tidy
go run .
-- go.mod --
module mod.example
go 1.23.2
require cuelang.org/go v0.11.0
-- main.go --
package main
import (
"encoding/base64"
"fmt"
"cuelang.org/go/cue/cuecontext"
)
// evalStr is the CUE source that main compiles with CompileString and later
// unifies with the decoded input.
const evalStr = "383351|4723283283233|44723283233|472328233|44"

// jsonB64 is the standard-base64 payload that main decodes and passes to
// CompileBytes.
// NOTE(review): the value as rendered here contains characters outside the
// standard base64 alphabet, so the original payload appears to have been
// elided from this copy of the report.
const jsonB64 = "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"
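// main is the standalone reproducer for the reported crash. It compiles
// evalStr as the policy, base64-decodes jsonB64, compiles the decoded bytes
// with CompileBytes, then unifies and validates the two values. Each failure
// is printed and ends the program early.
func main() {
	attBytes, err := base64.StdEncoding.DecodeString(jsonB64)
	if err != nil {
		// Ignoring this error would hand CompileBytes a truncated or empty
		// input, so the run would no longer exercise the reported bytes.
		fmt.Printf("failed to decode the attestation data with error: %v", err)
		return
	}

	cueCtx := cuecontext.New()

	cueEvaluator := cueCtx.CompileString(evalStr)
	if err := cueEvaluator.Err(); err != nil {
		// %w is only understood by fmt.Errorf; with Printf it renders as
		// "%!w(...)", so %v is used to print the error.
		fmt.Printf("failed to compile the cue policy with error: %v", err)
		return
	}

	// Per the report, this call panics with a nil pointer dereference on the
	// listed versions instead of surfacing the problem through Err(). A
	// caller that feeds untrusted bytes to CompileBytes therefore cannot rely
	// on the Err() check alone on those versions; a deferred recover at the
	// call boundary keeps one malformed input from terminating the process.
	// The reproducer deliberately does not recover, so the panic stays visible.
	cueAtt := cueCtx.CompileBytes(attBytes)
	if err := cueAtt.Err(); err != nil {
		fmt.Printf("failed to compile the attestation data with error: %v", err)
		return
	}

	result := cueEvaluator.Unify(cueAtt)
	if err := result.Validate(); err != nil {
		fmt.Printf("failed to evaluate the policy with error: %v", err)
		return
	}
}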
When run, the program panics with a nil pointer dereference (SIGSEGV) and the following stack trace:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x38 pc=0x10035c15c]
goroutine 1 [running]:
cuelang.org/go/internal/core/adt.(*Vertex).DerefValue(...)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/share.go:145
cuelang.org/go/internal/core/adt.deref(...)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/composite.go:271
cuelang.org/go/internal/core/adt.(*nodeContext).markCycle(0x140001cac08, 0x140000b1cc0, 0x140001b1060, {0x1007d5fa8, 0x14000091a50}, {0x0, 0x0, 0x0, 0x0, 0x0, ...})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/cycle.go:495 +0x33c
cuelang.org/go/internal/core/adt.(*nodeContext).evalExpr(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:1673 +0x5dc
cuelang.org/go/internal/core/adt.(*nodeContext).addExprConjunct(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:1623 +0x464
cuelang.org/go/internal/core/adt.(*nodeContext).addConjunctDynamic(0x140001cac08, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/composite.go:1256 +0x150
cuelang.org/go/internal/core/adt.(*nodeContext).insertField(0x140001ca608, 0x21, 0x1?, {0x140001b1060, {0x1007d40a8, 0x140001b1040}, {0x0, 0x0, 0x0, 0x0, ...}})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:2146 +0x2ac
cuelang.org/go/internal/core/adt.(*nodeContext).addStruct(0x140001ca608, 0x140001b0ec0, 0x140001c0240, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, ...}})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:2073 +0x6dc
cuelang.org/go/internal/core/adt.(*nodeContext).addExprConjunct(0x140001ca608, {0x140001b0ec0, {0x1007d4008, 0x140001c0240}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...}}, ...)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:1604 +0x408
cuelang.org/go/internal/core/adt.(*nodeContext).insertConjuncts(0x140001ca608, 0xc0?)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:413 +0xd4
cuelang.org/go/internal/core/adt.(*OpContext).unify(0x140001c6300, 0x140000b1c20, 0x7fff0405)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/eval.go:247 +0xa1c
cuelang.org/go/internal/core/adt.(*Vertex).Finalize(0x31c58?, 0x140001c6300)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/internal/core/adt/composite.go:822 +0x58
cuelang.org/go/cue.newVertexRoot(0x140001acc00, 0x100ca05b8?, 0x140000b1c20)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/cue/types.go:602 +0x2c
cuelang.org/go/cue.newValueRoot(0x0?, 0x14000031d80?, {0x1007d7ae0?, 0x140000b1c20?})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/cue/types.go:611 +0x3c
cuelang.org/go/cue.(*Context).make(0x140001acc00, 0x140000b1c20)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/cue/context.go:252 +0x84
cuelang.org/go/cue.(*Context).compile(0x140001acc00?, 0x14000031e08?, 0x100711be0?)
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/cue/context.go:169 +0x3c
cuelang.org/go/cue.(*Context).CompileBytes(0x140001acc00, {0x14000100400, 0x1e6, 0x1e6}, {0x0, 0x0, 0x140000dded8?})
/Users/bcallaway/go/pkg/mod/cuelang.org/[email protected]/cue/context.go:230 +0x104
main.main()
/Users/bcallaway/git/sigstore/cosign/repro.go:24 +0x100
exit status 2
What did you expect to see?
An error returned from the `cueCtx.CompileBytes()` call instead of a panic.
What did you see instead?
panic