New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
topdown/eval: Fix key construction for NDBCache. #5097
topdown/eval: Fix key construction for NDBCache. #5097
Conversation
This commit fixes the construction process for keys used to look up entries in the non-deterministic builtins cache. The original cache lookup process could use refs that were not fully-grounded, and this meant that calling a builtin twice with differing parameters could appear identical to the cache if they involved refs as parameters. We now use fully-grounded terms for the cache keys during insertion/lookup, meaning that non-deterministic builtin calls with different parameters are now guaranteed to result in unique cache entries, even if hidden behind a ref. Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
The NDBCache is intended as an opt-in feature, and the initializations present in the `rego` module meant that it was forced on virtually every eval. This commit removes those initializations, so that the only way an NDBCache will ever make it to the evaluator is if it's provided from outside the evaluator. Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
This commit adds a test to ensure that the NDBCache correctly handles iterative calls of a builtin with different input parameters. Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
urls := [ | ||
"https://httpbin.org/headers", | ||
"https://httpbin.org/ip", | ||
"https://httpbin.org/user-agent" | ||
] | ||
|
||
results[response] { | ||
some url in urls | ||
response := http.send({ | ||
"method": "GET", | ||
"url": url | ||
}) | ||
}`), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're likely to run into test flakes w/ this because it has to reach out to the internet. We would be better off registering a mock built-in function that sets the Nondeterministic bit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...or use rand.int_n with a key from a variable...? But agreed let's find a way to do this without the internet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let’s keep using http.send here, although with a mock server. The impact of breaking http.send vs. rand.int_n makes it valuable, even if the bug affects both in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same from me, LGTM except for the call to the outside world 😉
urls := [ | ||
"https://httpbin.org/headers", | ||
"https://httpbin.org/ip", | ||
"https://httpbin.org/user-agent" | ||
] | ||
|
||
results[response] { | ||
some url in urls | ||
response := http.send({ | ||
"method": "GET", | ||
"url": url | ||
}) | ||
}`), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...or use rand.int_n with a key from a variable...? But agreed let's find a way to do this without the internet.
I'll update the test in a follow-up. Merging. |
Follow-up to #5097 (parent commit). Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
This commit fixes the construction process for keys used to look up
entries in the non-deterministic builtins cache. The original cache
lookup process could use refs that were not fully-grounded, and this
meant that calling a builtin twice with differing parameters could
appear identical to the cache if they involved refs as parameters.
We now use fully-grounded terms for the cache keys during insertion/lookup,
meaning that non-deterministic builtin calls with different parameters
are now guaranteed to result in unique cache entries, even if hidden
behind a ref.
This commit also fixes a bug that prevented the NDBCache from being opt-in.