Cargo audit crashing in CI

Updates:

I opened an issue where I was advised that my problem looks like an error occurring within the crates-index crate, a (transitive) dependency of cargo-audit, and that I should raise the issue there.
I followed that advice and raised the issue and the maintainers of rust-crate-index speedily released v0.19.1 without smartstring.

Aside from the above, installing cargo checkmate via cargo install --git raised some warnings I hadn't seen before and didn't crash CI.


Original post:

Can anyone help me understand why cargo audit is crashing and what I might look at to try to debug my problem, please?

I've been trying for hours now to figure out why cargo audit is crashing during GitHub Actions CI cargo checkmate checks.

My program, locally, passes both cargo checkmate and cargo audit.

But when I push the work I've done I get the following during GitHub Actions CI checks:

Run cargo-checkmate audit
  cargo-checkmate audit
  shell: /usr/bin/bash -e {0}
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 488 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (522 crate dependencies)
The application panicked (crashed).
Message:  assertion failed: len <= MAX_INLINE
Location: /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/smartstring-0.2.10/src/inline.rs:41

I've been trying to look through the rustsec cargo-audit source to see what and where smartstring is being called and I haven't figured it out.

Changing my cargo-checkmate.yaml to add RUST_BACKTRACE didn't give me any more information that helped me, but here it is in case it speaks to someone:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                          (8 post panic frames hidden)                          
 8: core::panicking::panic::h341545107301821d
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:111
 9: smartstring::inline::InlineString::as_str::h2f436ff3a0499514
    at <unknown source file>
10: <crates_index::Dependency as core::hash::Hash>::hash::h75ca30c41649ca5e
    at <unknown source file>
11: <alloc::sync::Arc<T> as core::hash::Hash>::hash::h18591eafbb654c18
    at <unknown source file>
12: core::hash::BuildHasher::hash_one::h9d15d8789e7bfe25
    at <unknown source file>
13: crates_index::Crate::from_slice::h32a2c259f4ed0e40
    at <unknown source file>
14: crates_index::Index::crate_::hfde629462100dfa9
    at <unknown source file>
15: rustsec::registry::Index::find::h3df6d0baf318d121
    at <unknown source file>
16: cargo_audit::auditor::Auditor::audit::h6bb94a7d7fec80fa
    at <unknown source file>
17: <cargo_audit::commands::audit::AuditCommand as abscissa_core::runnable::Runnable>::run::h82fe50a3d086b018
    at <unknown source file>
18: abscissa_core::application::Application::run::h0fdf1ee0b4a92fc1
    at <unknown source file>
19: cargo_checkmate::subcommands::audit::h7df3941f6cf81858
    at <unknown source file>
20: <cargo_checkmate::options::Options as cargo_checkmate::executable::Executable>::execute::h3db75a3b15cea341
    at <unknown source file>
21: cargo_checkmate::main::h7f36aaf8487f67ac
    at <unknown source file>
22: std::sys_common::backtrace::__rust_begin_short_backtrace::h5795f30236a92ded
    at <unknown source file>
23: std::rt::lang_start::{{closure}}::h2b80b94cf0c22324
    at <unknown source file>
24: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h9ab31282e87f134a
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/function.rs:606
25: std::panicking::try::do_call::h42ddf5b01d0b4bc7
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:483
26: std::panicking::try::hfb70320d7386c61a
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:447
27: std::panic::catch_unwind::h978c9edbad2bb4d4
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panic.rs:137
28: std::rt::lang_start_internal::{{closure}}::h04ede5bd2f26b553
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/rt.rs:148
29: std::panicking::try::do_call::ha6b9da35a0885c93
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:483
30: std::panicking::try::h3325520cab3a642e
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panicking.rs:447
31: std::panic::catch_unwind::h160beec6f047175b
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/panic.rs:137
32: std::rt::lang_start_internal::h79190e3a877a769d
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/rt.rs:148
33: main
    at <unknown source file>
34: __libc_start_main
    at <unknown source file>
35: _start
    at <unknown source file>
Error: Process completed with exit code 101.

Is it a 32 bit environment?

It's running on (runs-on) ubuntu-latest. About GitHub-hosted runners - GitHub Docs

I spent a few minutes going over the backtrace, and it appears to be panicking in the old version of smartstring used (transitively) by cargo-checkmate, which itself has a fairly outdated latest release.

The unreleased version of cargo-checkmate in git has updated dependencies, including smartstring, which appears to fix the panic through a combination of completely changing their string layout and by moving the assertion in the len method to a debug_assert!. If you can install it from git in CI, that might work around the problem. I suspect you probably want to press the maintainer to create a new release, though.

1 Like
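The backtrace reading described in the reply above, as an added example that is not part of the original thread: it takes the panicking crate and version from the registry path on the `Location:` line and lists the non-std crates in the numbered frames, innermost first. The log excerpt is copied from the CI output posted earlier; the function names are this example's own.

```rust
// Added example, not code from the thread: triage a Rust panic log.
// LOG is an excerpt of the CI output posted above; function names are illustrative.
const LOG: &str = "\
Message:  assertion failed: len <= MAX_INLINE
Location: /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/smartstring-0.2.10/src/inline.rs:41
 9: smartstring::inline::InlineString::as_str::h2f436ff3a0499514
10: <crates_index::Dependency as core::hash::Hash>::hash::h75ca30c41649ca5e
11: <alloc::sync::Arc<T> as core::hash::Hash>::hash::h18591eafbb654c18
13: crates_index::Crate::from_slice::h32a2c259f4ed0e40
15: rustsec::registry::Index::find::h3df6d0baf318d121
16: cargo_audit::auditor::Auditor::audit::h6bb94a7d7fec80fa
19: cargo_checkmate::subcommands::audit::h7df3941f6cf81858
33: main
";

/// Split a registry directory such as "smartstring-0.2.10" into (name, version).
/// The version starts at the first '-' that is followed by "<digits>.".
fn split_name_version(dir: &str) -> Option<(&str, &str)> {
    dir.match_indices('-').find_map(|(i, _)| {
        let v = &dir[i + 1..];
        let digits = v.chars().take_while(|c| c.is_ascii_digit()).count();
        (digits > 0 && v[digits..].starts_with('.')).then(|| (&dir[..i], v))
    })
}

/// Crate and version that panicked, read from the registry path on the Location line.
fn panicking_crate(log: &str) -> Option<(&str, &str)> {
    let loc = log.lines().find_map(|l| l.trim().strip_prefix("Location:"))?;
    let dir = loc.split("/registry/src/").nth(1)?.split('/').nth(1)?;
    split_name_version(dir)
}

/// Crates in the numbered frames, innermost first; std/core/alloc and repeats skipped.
fn crate_chain(log: &str) -> Vec<&str> {
    let mut chain: Vec<&str> = Vec::new();
    for line in log.lines() {
        let krate = line.trim().split_once(": ")
            .filter(|(n, _)| !n.is_empty() && n.chars().all(|c| c.is_ascii_digit()))
            .and_then(|(_, sym)| sym.trim_start_matches('<').split_once("::"))
            .map(|(k, _)| k);
        match krate {
            Some(k) if !["std", "core", "alloc"].contains(&k) && chain.last() != Some(&k) => chain.push(k),
            _ => {}
        }
    }
    chain
}

fn main() {
    println!("{:?} via {:?}", panicking_crate(LOG), crate_chain(LOG));
}
```

Comparing the extracted version with what `cargo tree` reports for the source you think you are running shows whether the installed binary was built from a different release.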

Thank you! That's really helped me.

But I'm a little confused, having spent some time following up on what you said, because it seems that the latest version of cargo-checkmate is already using the latest version of smartstring:

~/git/cargo-checkmate/cargo-checkmate$ cargo tree | grep smart
│   │   │   └── smartstring v1.0.1

But as you say, cargo-checkmate is crashing while calling smartstring-0.2.10/src/inline.rs:41 ...

How are you installing cargo-checkmate in your CI?

The version published to crates-io is v0.1.11 and a year old. 7 months ago merged this PR to update all of the dependencies and fix a bunch of issues. If you cargo install cargo-checkmate you're getting the old version from crates-io, not the version on the main branch on GitHub.

1 Like

Thank you! Sorry to be dense, if I wanted to run cargo checkmate as part of my GitHub Actions workflow what command should I use to install cargo checkmate from their GitHub repo?

Edit: I should’ve said, I’m using cargo install cargo-checkmate in CI.

You can use cargo install --git https://path/to/crate to install straight from a hosted git repository.

1 Like

Thanks!
