From 1800853b2a450b8f80514d2f4acb8ab394a22705 Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <145775305+xokdvium@users.noreply.github.com>
Date: Thu, 14 Nov 2024 11:03:58 +0300
Subject: [PATCH] fix(libexpr/eval-inline): get rid of references to nullptr env When diagnosing infinite recursion references to nullptr `Env` can be formed. This happens only with `ExprBlackHole` is evaluated, which always leads to `InfiniteRecursionError`. UBSAN log for one such case: ``` ../src/libexpr/eval-inline.hh:94:31: runtime error: reference binding to null pointer of type 'Env' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/libexpr/eval-inline.hh:94:31 in ```
---
 src/libexpr/eval-inline.hh | 6 +++++-
 src/libexpr/eval.cc | 7 +++++--
 src/libexpr/nixexpr.hh | 1 +
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/libexpr/eval-inline.hh b/src/libexpr/eval-inline.hh
index d5ce238b2..631c0f396 100644
--- a/src/libexpr/eval-inline.hh
+++ b/src/libexpr/eval-inline.hh
@@ -87,11 +87,15 @@ void EvalState::forceValue(Value & v, const PosIdx pos)
 {
 if (v.isThunk()) {
 Env * env = v.payload.thunk.env;
+ assert(env || v.isBlackhole());
 Expr * expr = v.payload.thunk.expr;
 try {
 v.mkBlackhole();
 //checkInterrupt();
- expr->eval(*this, *env, v);
+ if (env) [[likely]]
+ expr->eval(*this, *env, v);
+ else
+ ExprBlackHole::throwInfiniteRecursionError(*this, v);
 } catch (...) {
 v.mkThunk(env, expr);
 tryFixupBlackHolePos(v, pos);
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 2fe2d5249..05f58957e 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
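Review bot: The `else` branch added in forceValue reports infinite recursion for every thunk whose `env` is null, and the only check that such a thunk really is a black hole is `assert(env || v.isBlackhole())`, which does nothing in a build with assertions disabled (whether any build of this project does that is not visible here). In such a build a null `env` that arrives for another reason, for example a corrupted or half-initialised value, would surface as a misleading "infinite recursion encountered" error instead of an invariant failure. At minimum the branch deserves a comment stating the invariant above `if (env) [[likely]]`, e.g. `// env is null only for black-holed thunks; never bind *env in that case`. forceValue's body continues past the end of the hunk.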
@@ -2052,9 +2052,12 @@ void ExprPos::eval(EvalState & state, Env & env, Value & v)
 state.mkPos(v, pos);
 }
 
-
-void ExprBlackHole::eval(EvalState & state, Env & env, Value & v)
+void ExprBlackHole::eval(EvalState & state, [[maybe_unused]] Env & env, Value & v)
 {
+ throwInfiniteRecursionError(state, v);
+}
+
+[[gnu::noinline]] [[noreturn]] void ExprBlackHole::throwInfiniteRecursionError(EvalState & state, Value &v) {
 state.error("infinite recursion encountered")
 .atPos(v.determinePos(noPos))
 .debugThrow();
diff --git a/src/libexpr/nixexpr.hh b/src/libexpr/nixexpr.hh
index 948839bd9..2950ff1fd 100644
--- a/src/libexpr/nixexpr.hh
+++ b/src/libexpr/nixexpr.hh
@@ -468,6 +468,7 @@ struct ExprBlackHole : Expr
 void show(const SymbolTable & symbols, std::ostream & str) const override {}
 void eval(EvalState & state, Env & env, Value & v) override;
 void bindVars(EvalState & es, const std::shared_ptr & env) override {}
+ [[noreturn]] static void throwInfiniteRecursionError(EvalState & state, Value & v);
 };
 
 extern ExprBlackHole eBlackHole;
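Review bot: `ExprBlackHole::throwInfiniteRecursionError` in eval.cc is marked `[[noreturn]]`, so it is only correct if `.debugThrow()` never returns; returning from a `[[noreturn]]` function is itself undefined behaviour, the class of bug this patch sets out to remove. debugThrow's declaration is not in the hunk, so confirm it always throws and record that on the definition, e.g. `// debugThrow() always throws, which is what makes [[noreturn]] valid here`. On style, `Value &v` on the same line should be `Value & v` to match the other signatures in the file. The function's closing brace lies outside the hunk.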
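Review bot: The static member added to `ExprBlackHole` in nixexpr.hh has no comment saying why it exists alongside `eval`. A doc comment above the declaration would make the contract visible to callers, e.g. `/** Throw the infinite-recursion error for v without needing an Env; called from forceValue when the thunk's env is null. */`. The definition in eval.cc also carries `[[gnu::noinline]]`, which the declaration does not repeat; that is legal, but the comment is a good place to state that this is a deliberately out-of-line cold path.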