Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support rules for negated expressions not generated correctly #2491

Closed
tsandall opened this issue Jun 25, 2020 · 0 comments
Closed

Support rules for negated expressions not generated correctly #2491

tsandall opened this issue Jun 25, 2020 · 0 comments
Assignees
@tsandall
Labels
bug

Comments

@tsandall
Copy link
Member

In some cases, PE has to generate support rules for negated expressions. When it does this, the support rules must be given names. Currently PE uses the outer query ID and the expression index to produce unique names, however, this is not correct when there are multiple solutions. For example:

p { r[x]; not input[x] }
r[1]
r[2]

Assuming the query is p = true then when p is evaluated, the query ID will be 1 (the identifiers are zero-based) and the expression index of the negated expression will be 1 (the indices are also zero-based.) In this case, the current output from PE when support is generated will be something like:

p { not __not1_1__ }
p { not __not1_1__ }
__not1_1__ { input[1] }
__not1_1__ { input[2] }

The problem of course is that this output is incorrect. p should be true if not input[1] OR not input[2].

To resolve this issue we can encode the negated query ID into the support rule name, e.g:

p { not __not_1_1_3__ }
p { not __not_1_1_5__ }
__not1_1_3__ { input[1] }
__not1_1_5__ { input[2] }
@tsandall tsandall added the bug label Jun 25, 2020
@tsandall tsandall self-assigned this Jun 25, 2020
tsandall added a commit to tsandall/opa that referenced this issue Jun 25, 2020
@tsandall
topdown: Fix support rule name suffix for negated expressions
0ee1e11 
Previously OPA was only using the outer query ID and expression index
to namespace support rules. However, this was incorrect if the same
expression was evaluated multiple times due to iteration. This commit
fixes the issue by including the query ID of the complemented
expression in the rule name suffix.

Fixes open-policy-agent#2491

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tsandall tsandall

Labels
bug
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tsandall