Empty context panic in cedar-policy 3.0.0

[tomtau]

Before opening, please confirm:

• [X] I have searched for duplicate or closed issues.
• [X] I have read the guide for submitting bug reports.
• [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

Bug Category

Policy Evaluation

Describe the bug

In Cedar 3.0, we suddenly started to get this panic with a confusing error message:

empty set of keys cannot contain a duplicate key: Evaluation(EvaluationError { error_kind: RecursionLimit, advice: None }) thread 'main' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cedar-policy-core-3.0.0/src/ast/request.rs:198:14:

Expected behavior

Context::empty shouldn't panic based on this safety comment: https://github.com/cedar-policy/cedar/blob/818aefbbc4943c51a411951f5f9c3388df1842a6/cedar-policy-core/src/ast/request.rs#L196

Reproduction steps

As with https://github.com/cedar-policy/cedar/issues/322 , it occurs when executing cedar-policy within a sizeable Axum web application running on AWS Lambda.

Code Snippet

Context::empty()

Log output

empty set of keys cannot contain a duplicate key: Evaluation(EvaluationError { error_kind: RecursionLimit, advice: None })
thread 'main' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cedar-policy-core-3.0.0/src/ast/request.rs:198:14:

Additional configuration

AWS Lambda (Amazon Linux 2 custom runtime / cargo-lambda)

Operating System

No response

Additional information and screenshots

Similarly to https://github.com/cedar-policy/cedar/issues/322 , the workaround is to wrap the Context::empty call inside stacker::grow.

[tomtau]

(The same behaviour is for a Context with a single pair that shouldn't return an error, given there's only a single pair.)

[cdisselkoen]

Thanks for filing this issue. We are investigating potential fixes.