ca-derivations breaks some nix-side store paths manipulations

[thufschmitt]

As stated below, I don’t think this can be solved in a reasonable way. I’m just logging it here for reference

Describe the bug

If foo is a content-addressed derivation (or depends on one), with /nix/store/abc-foo as output path, then builtins.replaceStrings ["-"] ["+"] foo.outPath will be /nix/store/abc-foo rather than /nix/store/abc+foo.

This is because as far as the Nix evaluator is concerned, foo.outPath is a placeholder of the form /123 rather than the actual /nix/store/abc-foo. So the Nix evaluator actually runs builtins.replaceStrings ["-"] ["+"] /123 (which is equal to /123).

Steps To Reproduce

With a default.nix like:

{ ca ? false }:
with import <nixpkgs> {};
let
  foo = runCommand "foo" { __contentAddressed = ca; } "echo foo > $out";
in
runCommand "bar" {} ''
  set -x
  [[ "${builtins.replaceStrings ["-"] ["+"] foo.outPath}" != ${foo.outPath} ]] || exit 1
  touch $out
''

$ nix-build default.nix
# Succeeds
$ nix-build default.nix --arg ca true
# Fails

The same derivation

Expected behavior

Both derivations should build successfully

Additional context

1. I encountered this in “real-life”: openjfx15 has a snippet of the form

   blah | sed 's,${lib.escape ["+"] openjdk11_headless.outPath},,'

   This doesn’t do what it’s supposed to do when openjdk11_headless is content-addressed (because its output path contains a +, which isn’t properly escaped and thus is interpreted by sed as a regex meta-character rather than a litteral +)
2. This can also break the dependency rewriting: Assuming a baseName Nix function, baseName foo.outPath will return 123, which won’t be replaced by /nix/store/abc-foo at build-time
3. All that being said, I don’t think there’s much that can be done about that (except rewriting half on Nix to make the evaluation way lazier than what it is now, but even regardless of the amount of work involved I doubt that’d be a good idea). But It’s worth keeping this issue around − even as a “wontfix”, at least for reference.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-11/12886/1

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/content-addressed-nix-call-for-testers/12881/80

[dguibert]

builtins.exec also suffers from this.

[dguibert]

Step to reproduce the bug with builtins.exec:

{ ca ? false }:
with import <nixpkgs> {};
let
  foo = runCommand "foo" { __contentAddressed = ca; } ''
    cat > $out <<EOF
      #/bin/sh
      echo '"foo"'
    EOF
    chmod +x $out
  '';
in
  runCommand "bar" {} ''
    set -x
    [[ "${builtins.exec [ foo ]}" != '"foo"' ]] || exit 1
    touch $out
  ''

$ nix-build nix-builtins-exec.nix --arg ca false --option allow-unsafe-native-code-during-evaluation true
# => ok
$ nix-build nix-builtins-exec.nix --arg ca true  --option allow-unsafe-native-code-during-evaluation true
# => fails

[stale]

I marked this as stale due to inactivity. → More info