cedar-policy / cedar

Implementation of the Cedar Policy Language
https://www.cedarpolicy.com
Apache License 2.0

2.4.2: panic parsing simple policy #379

Closed imjasonh closed 11 months ago

imjasonh commented 11 months ago


Bug Category

Cedar Parser

Describe the bug

I've built a container image containing the cedar policy CLI. At 2.4.1 parsing a simple example policy works, and at 2.4.2 it doesn't.

When 2.4.2 fails, it fails with a panic and traceback (details below).

Expected behavior

I'd expect both 2.4.2 and 2.4.1 to execute the same policy without a panic.

Reproduction steps

$ works=gcr.io/jason-chainguard-public/cedar/cedar@sha256:5502f64b3a37d634e821cf5ae1ec62f88e447b70b4fe1c8396ade7c0d8bca678

$ fails=gcr.io/jason-chainguard-public/cedar/cedar@sha256:7e95ef4d6f7e8fb0990816af612d2edcb0dd7c219a21ab08305009818d3877b9

$ docker run --rm $works --version
cedar-policy-cli 2.4.1

$ docker run --rm $fails --version
cedar-policy-cli 2.4.2

$ cat <<EOF > sample.cedar
permit (
  principal == User::"alice",
  action == Action::"view",
  resource in Album::"jane_vacation"
);
EOF

$ docker run --rm -e RUST_BACKTRACE=full -v "${PWD}:/work" -w /work $works check-parse --policies /work/sample.cedar
$ exit $?
0

$ docker run --rm -e RUST_BACKTRACE=full -v "${PWD}:/work" -w /work $fails check-parse --policies /work/sample.cedar
thread 'main' panicked at /home/build/target/release/build/cedar-policy-core-79fe62be9149043d/out/src/parser/grammar.rs:57330:76:
called `Result::unwrap()` on an `Err` value: BuildError { kind: NFA(BuildError { kind: Syntax(Translate(Error { kind: UnicodeNotAllowed, pattern: "(?:\"((?:(?:\\\\[\0-\t\u{b}-\u{10ffff}])|[\0-!\\#-\\[\\]-\u{10ffff}]))*\")", span: Span(Position(o: 19, l: 1, c: 20), Position(o: 23, l: 1, c: 21)) })) }) }
stack backtrace:
   0:     0xaaaab3edf118 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hb008196b19462aaf
   1:     0xaaaab3f03014 - core::fmt::write::h89380b3f5e95d814
   2:     0xaaaab3edcbf8 - std::io::Write::write_fmt::h66cd67ab549a428b
   3:     0xaaaab3edef4c - std::sys_common::backtrace::print::h8413e64a7ddde412
   4:     0xaaaab3ee04c8 - std::panicking::default_hook::{{closure}}::h814a4e216fd6a9a3
   5:     0xaaaab3ee01f8 - std::panicking::default_hook::h8c79e5a98e7cd1ba
   6:     0xaaaab3ee0a6c - std::panicking::rust_panic_with_hook::h5bc546e3f2c55754
   7:     0xaaaab3ee0934 - std::panicking::begin_panic_handler::{{closure}}::hf4675ebe58547866
   8:     0xaaaab3edf608 - std::sys_common::backtrace::__rust_end_short_backtrace::h4948338c5b829f48
   9:     0xaaaab3ee0690 - rust_begin_unwind
  10:     0xaaaab3ad54ec - core::panicking::panic_fmt::h8c776b31580005da
  11:     0xaaaab3ad57e4 - core::result::unwrap_failed::h48fc53f916076cff
  12:     0xaaaab3ac5c28 - std::sys_common::once::futex::Once::call::hf57fb9bdd7411438
  13:     0xaaaab3c694dc - cedar_policy_core::parser::text_to_cst::parse_policies::h971108fd9b5760f5
  14:     0xaaaab3cac83c - cedar_policy_core::parser::parse_policyset_and_also_return_policy_text::hca9fd45d7673de5a
  15:     0xaaaab3b83510 - <cedar_policy::api::PolicySet as core::str::traits::FromStr>::from_str::h5bfd305304f9f285
  16:     0xaaaab3ae57e8 - cedar_policy_cli::read_policy_set::hbcc237657bac3a49
  17:     0xaaaab3ae02f4 - cedar_policy_cli::check_parse::h3c600b89602db76f
  18:     0xaaaab3ad68e4 - cedar::main::h233e3c233c5d4ff2
  19:     0xaaaab3ad6e28 - std::sys_common::backtrace::__rust_begin_short_backtrace::h284b8baeadfb5bd7
  20:     0xaaaab3ad862c - std::rt::lang_start::{{closure}}::h9e95956bfbc2ba0e
  21:     0xaaaab3ed79d4 - std::rt::lang_start_internal::h625b854baab91cbf
  22:     0xaaaab3ad6dd0 - main
  23:     0xffffb1e573c0 - __libc_start_call_main
  24:     0xffffb1e57490 - __libc_start_main@@GLIBC_2.34
  25:     0xaaaab3ad5ab0 - _start
  26:                0x0 - <unknown>

Additional configuration

Both packages are built using the same process, here: https://wolfi.dev/os/blob/main/cedar.yaml, basically cargo build --release -vv -- no funny business.

The container image contains nothing else in it, which seems fine according to 2.4.1.

Operating System

Linux

nicklaswj commented 11 months ago

FYI it seems like it was a problem with lalrpop (based on my diff of Cargo.lock in my project). Since 20 or so minutes ago cargo update will fix the problem.

khieta commented 11 months ago

Thanks for opening this. Sorry that we broke you, but awesome to see others using our latest released version! We also ran into this error yesterday: It is indeed an issue with lalrpop. It should be fixed now that they've yanked 0.20.1.

shaobo-he-aws commented 11 months ago

I'm closing this issue since the problematic version of lalrpop is yanked. Please feel free to reopen it if you still encounter any issues.

imjasonh commented 11 months ago

Thanks for the quick feedback! I've rebuilt the package with updated lalrpop, and it looks like that works!
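
The thread traces the panic to a dependency change visible in a Cargo.lock diff (lalrpop 0.20.1, since yanked). The following Rust program is an added example, not code from the cedar project or from the commenters: it diffs two lockfiles and flags the version named in the thread. The sample lockfiles and the 0.20.0 "before" version are constructed, and the reader handles only the name and version keys.

```rust
use std::collections::{BTreeMap, BTreeSet};
/// Crate name -> locked versions (one crate can be locked at several versions).
type Locked = BTreeMap<String, BTreeSet<String>>;
/// Version the thread reports as broken and later yanked.
const KNOWN_BAD: &[(&str, &str)] = &[("lalrpop", "0.20.1")];

/// Minimal Cargo.lock reader: uses only `name`/`version` inside each table.
fn parse_lock(text: &str) -> Locked {
    let (mut out, mut name) = (Locked::new(), None::<String>);
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            name = None; // new table: forget the previous package
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let (Some(v), Some(n)) = (line.strip_prefix("version = "), name.as_ref()) {
            out.entry(n.clone()).or_default().insert(v.trim_matches('"').to_string());
        }
    }
    out
}

/// Crates whose locked versions differ between two lockfiles: (name, old, new).
fn changed(old: &Locked, new: &Locked) -> Vec<(String, String, String)> {
    let show = |l: &Locked, n: &String| l.get(n)
        .map_or("-".to_string(), |s| s.iter().cloned().collect::<Vec<_>>().join(","));
    let names: BTreeSet<&String> = old.keys().chain(new.keys()).collect();
    names.into_iter()
        .filter(|&n| old.get(n) != new.get(n))
        .map(|n| (n.clone(), show(old, n), show(new, n)))
        .collect()
}

/// Known-bad versions present in a lockfile, as "name version" strings.
fn flagged(lock: &Locked) -> Vec<String> {
    KNOWN_BAD.iter()
        .filter(|&&(n, v)| lock.get(n).map_or(false, |s| s.contains(v)))
        .map(|&(n, v)| format!("{n} {v}"))
        .collect()
}

/// Constructed sample lockfile (not the cedar repository's); only lalrpop varies.
fn sample(lalrpop: &str) -> String {
    format!("version = 3\n\n[[package]]\nname = \"cedar-policy-core\"\nversion = \"2.4.2\"\n\n[[package]]\nname = \"lalrpop\"\nversion = \"{lalrpop}\"\n")
}

fn main() {
    let (old, new) = (parse_lock(&sample("0.20.0")), parse_lock(&sample("0.20.1")));
    println!("changed: {:?}\nflagged: {:?}", changed(&old, &new), flagged(&new));
}
```

Building with `cargo build --locked` makes the build fail rather than silently resolve a different dependency version than the one recorded in Cargo.lock.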