Reduce use of unchecked indexing in parser code

[anka-213]

This draft is currently just an example of the kind of changes that would be done to the rest of the parser.

Description

By replacing spans[idx] with spans.get(idx) calls, we can guarantee that we won't get any Index Out of Bounds panics, since we get back Option<Span> where we'll need to actually check that it was valid.

Some of the ones I replaced are very obviously checked, but that means that I can replace a check by a pattern match. And the goal is to remove all unchecked indexing in the parser.

• Fixes Syntax-hightlight panics with index out of bounds due to custom function with many arguments #9072 and adds test for it
• Should prevent more errors like Parser crashes when variable name in let expression is missing #10380 from appearing

Further ideas:

• Make a new type for non-empty arrays of spans that guarantees that they are non-empty on construction.

User-Facing Changes

None. Just refactoring and preventing crashes.

Tests + Formatting

• cargo fmt --all -- --check to check standard code formatting (cargo fmt --all applies these changes)
• cargo clippy --workspace -- -D warnings -D clippy::unwrap_used to check that you're using the standard code style
• cargo test --workspace to check that all tests pass (on Windows make sure to enable developer mode)
• cargo run -- -c "use std testing; testing run-tests --path crates/nu-std" to run the tests for the standard library

After Submitting

No user-facing changes

More info

The approach is inspired by the parse don't validate idea, where instead of first having a validation step where we check that the data is valid and then later construct data with implicit assumptions about the data, we combine these two into a single step, where we try to construct the data and if the data was invalid, we get a None back.

[sholderbach]

Thanks for diving into this! Changes like this sound good. I think we need to get some of the resident parser experts at the table, as the long term goal should be that the parser state is correct on top of the invalid acccesses getting handled gracefully (which remains a must for stability).

(I smiled at the initial PR description :) )

[anka-213]

I don't even know exactly what I changed, but when I refactored the function that crashed before to use my new safer primitives, it resolved the issue in #9072. I did however notice that the new error message refers to the wrong index, so that's probably related to the cause of the original issue.

As you can see now the first test says "missing f", which is true. The second test says "missing e", which is clearly a lie, since "e" is the fourth argument.

running 1 test
stdout: 
stderr: Error: nu::parser::missing_positional

  × Missing required positional argument.
   ╭─[]
 1 │ def a [b: bool, c: bool, d: float, e: float, f: float] {}; a true true 1 1
   ·                                                                           ▲
   ·                                                                           ╰── missing f
   ╰────
  help: Usage: a <b> <c> <d> <e> <f>


stdout: 
stderr: Error: nu::parser::missing_positional

  × Missing required positional argument.
   ╭─[]
 1 │ def a [b: bool, c: bool, d: float, e: float, f: float, g: float] {}; a true true 1 1
   ·                                                                                     ▲
   ·                                                                                     ╰── missing e
   ╰────
  help: Usage: a <b> <c> <d> <e> <f> <g>


test tests::test_parser::too_few_arguments ... ok

test result: ok. 1 passed; 0 failed; 0 ignored; 0 measured; 528 filtered out; finished in 3.08s

Well, at least it doesn't crash anymore, even though I haven't found the source of the bug.

[anka-213]

Oh, I see. I hadn't reran all the other tests. Apparently, when I fixed the new test caused 95 other tests to fail.

Edit: Found the off-by-one error. I still have 7 test failures remaining and I don't actually know exactly which part of the change fixed the bug. I just made the bug impossible, I didn't find the cause of it.

[anka-213]

Oh, I figured out part of the original bug, this line

nushell/crates/nu-parser/src/parser.rs

Line 968 in 3a04bd9

if spans[..end].is_empty() || spans_idx == end {

only checks for == end, but in this case we were for some reason looking at two steps from the end. After reading ["true", "true", "1"] at index 2 to get the first float, we try to read ["true", "true"] at index 3 to get the second float, which doesn't make sense.

My change ensures that it actually fails that test and skips to the next step, after which we don't get quite a correct error message, but at least a more sensible one. My guess is that there is a bug in calculate_end_span, maybe it thinks that the bools are keywords requiring a different number of arguments or something.

[sophiajt]

For that area of the code - the use that we're using should be correct, and if there are panics, we want to see them so we can fix them. You can't get a span idx beyond the end of the array, so for the cases where you can, that shows an error in the code rather than a problem with not being defensive in how we handle the input.

[anka-213]

The actual bug was here

nushell/crates/nu-parser/src/parser.rs

Line 590 in 3a04bd9

&& spans.len() > (signature.required_positional.len() - positional_idx)

It should be

 && spans.len() - spans_idx > (signature.required_positional.len() - positional_idx) 

checking there are fewer remaining positional args than remaining args, rather than fewer positional args than total args.

@jntrnr I see your point, but it would still be preferable for the parser to not crash from a user perspective, so maybe printing a warning in unexpected cases or something like that instead? I'd prefer the confusing message "missing e", despite it being "f" that's missing, over just a full crash.

The idea with my changes is not primarily to be more defensive in the code, but more to encode more invariants in the types and so reducing the need for defensive programming down the line. In general, if we can move as much of the finicky index-manipulation out of the main parser code and into generic primitives, we can reduce the risk for tiny bugs like these popping up.

Edit: I've added an assert with the old check in the error case now. This is also an improvement because the panic is closer to the source of the error rather than later down the line where invariants were unsatisfied.

[anka-213]

Now all the tests passes again. I had a mistake in my translation, where I had accidentally changed span.0 into 0

[anka-213]

This is the fix for #9072

[anka-213]

why were we recreating a single span in a complicated way here?

span(&spans[*spans_idx..*spans_idx + 1]),

is equivalent to

spans[*spans_idx]

as far as I can tell

[anka-213]

This is ready for review now. I have some plans to keep refactoring more of the parser in the same style, but I might as well do that in a new PR, since this is self-contained as is.

[anka-213]

Oops, I forgot that subtraction is not a safe operator with unsigned integers. It should work now

[sophiajt]

@anka-213 - if you found where the bugfix should be, that'd be a good one to create a PR for.

We're still pre-1.0. Users who are using Nushell now are helping us test and get it ready for 1.0 (that's why we put the disclaimer in the README). I get that it's annoying as a user to hit issues, but we want folks to file issues. If it's just a warning, I think some people may not even see it as it might be part of a script they're running.

Not saying I want the parser to crash. I just think we need to be hammering it into shape. Finding issues like the one you found, fixing them, and repeating until we can't find any anymore.

[anka-213]

@jntrnr I've extracted the bug fix into #10395 now.

Yeah, I see your point and I have changed the code to as much as possible be a refactor rather than permitting more programs than before (which I accidentally did before). The main difference should be in moving crashes closer to the source, by enforcing invariants on construction, rather than something unrelated crashing later down the line because of the broken invariants.

I would view it as much more of an extension of the "don't use unwrap" guideline than a case of defensive programming. Using .unwrap() quietly assumes that there is an invariant that holds that guarantees the validity, which using a[i] indexing also does. The goal is to make the invariants more explicit and present in the types rather than implicit and relatedly to make the validity checking explicitly connected to the construction of values and so avoiding "boolean blindness". The refactor simplifies the code in the sense that it reduces the amount of implicit invariant tracking, but also sometimes by removing the need for some code.

I was already from the start trying to avoid changing any behaviour (just writing the exact same checks as before using new primitives), but now I see that I shouldn't view crashes as a thing to avoid as long as they only happen if there is a bug. Which also makes the refactor simpler, since now any cases that were missing from the old checks can be replaced by a call to panic, instead of trying to figure out what could cause it to happen and how to handle it.

[anka-213]

Here's a rather silly crash I found by looking at what assumptions indexing operations have and working backwards from that:

alias "export alias" = foo
export alias

as soon as you type the "s" in the final "alias" it crashes with

thread 'main' panicked at 'index out of bounds: the len is 2 but the index is 2', crates/nu-parser/src/parser.rs:241:42

Now, this is probably not something a user should ever do, so this is more of an illustration of broken assumptions than a serious bug.

My goal is to make the code less fragile so it's more difficult have incorrect assumptions without noticing. And also hopefully remove a bunch of the defensive programming that is already present in the code.