Cargo audit crashing in CI


I opened an issue where I was advised that my problem looks like an error occurring within the crates-index crate, a (transitive) dependency of cargo-audit and that I should raise the issue there.
I followed that advice and raised the issue and the maintainers of rust-crate-index speedily released v0.19.1 without smartstring.

Aside from the above, installing cargo checkmate via cargo install --git raised some warnings I hadn't seen before and didn't crash CI.

Original post:

Can anyone help me understand why cargo audit is crashing and what I might look at to try to debug my problem, please?

I've been trying for hours now to figure out why cargo audit is crashing during GitHub Actions CI cargo checkmate checks.

My program, locally, passes both cargo checkmate and cargo audit.

But when I push the work I've done I get the following during GitHub Actions CI checks:

Run cargo-checkmate audit
  cargo-checkmate audit
  shell: /usr/bin/bash -e {0}
    Fetching advisory database from ``
      Loaded 488 security advisories (from /home/runner/.cargo/advisory-db)
    Updating index
    Scanning Cargo.lock for vulnerabilities (522 crate dependencies)
The application panicked (crashed).
Message:  assertion failed: len <= MAX_INLINE
Location: /home/runner/.cargo/registry/src/

I've been trying to look through the rustsec cargo-audit source to see what and where smartstring is being called and I haven't figured it out.

Changing my cargo-checkmate.yaml to add RUST_BACKTRACE didn't give me any more information that helped me, but here it is in case it speaks to someone:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                          (8 post panic frames hidden)                          
 8: core::panicking::panic::h341545107301821d
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/
 9: smartstring::inline::InlineString::as_str::h2f436ff3a0499514
    at <unknown source file>
10: <crates_index::Dependency as core::hash::Hash>::hash::h75ca30c41649ca5e
    at <unknown source file>
11: <alloc::sync::Arc<T> as core::hash::Hash>::hash::h18591eafbb654c18
    at <unknown source file>
12: core::hash::BuildHasher::hash_one::h9d15d8789e7bfe25
    at <unknown source file>
13: crates_index::Crate::from_slice::h32a2c259f4ed0e40
    at <unknown source file>
14: crates_index::Index::crate_::hfde629462100dfa9
    at <unknown source file>
15: rustsec::registry::Index::find::h3df6d0baf318d121
    at <unknown source file>
16: cargo_audit::auditor::Auditor::audit::h6bb94a7d7fec80fa
    at <unknown source file>
17: <cargo_audit::commands::audit::AuditCommand as abscissa_core::runnable::Runnable>::run::h82fe50a3d086b018
    at <unknown source file>
18: abscissa_core::application::Application::run::h0fdf1ee0b4a92fc1
    at <unknown source file>
19: cargo_checkmate::subcommands::audit::h7df3941f6cf81858
    at <unknown source file>
20: <cargo_checkmate::options::Options as cargo_checkmate::executable::Executable>::execute::h3db75a3b15cea341
    at <unknown source file>
21: cargo_checkmate::main::h7f36aaf8487f67ac
    at <unknown source file>
22: std::sys_common::backtrace::__rust_begin_short_backtrace::h5795f30236a92ded
    at <unknown source file>
23: std::rt::lang_start::{{closure}}::h2b80b94cf0c22324
    at <unknown source file>
24: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h9ab31282e87f134a
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/ops/
25: std::panicking::try::do_call::h42ddf5b01d0b4bc7
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
26: std::panicking::try::hfb70320d7386c61a
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
27: std::panic::catch_unwind::h978c9edbad2bb4d4
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
28: std::rt::lang_start_internal::{{closure}}::h04ede5bd2f26b553
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
29: std::panicking::try::do_call::ha6b9da35a0885c93
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
30: std::panicking::try::h3325520cab3a642e
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
31: std::panic::catch_unwind::h160beec6f047175b
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
32: std::rt::lang_start_internal::h79190e3a877a769d
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/std/src/
33: main
    at <unknown source file>
34: __libc_start_main
    at <unknown source file>
35: _start
    at <unknown source file>
Error: Process completed with exit code 101.

Is it a 32 bit environment?

It's running on (runs-on) ubuntu-latest. About GitHub-hosted runners - GitHub Docs

I spent a few minutes going over the backtrace, and it appears to be panicking in the old version of smartstring used (transitively) by cargo-checkmate, which itself has a fairly outdated latest release.

The unreleased version of cargo-checkmate in git has updated dependencies, including smartstring, which appears to fix the panic through a combination of completely changing their string layout and by moving the assertion in the len method to a debug_assert!. If you can install it from git in CI, that might workaround the problem. I suspect you probably want to press the maintainer to create a new release, though.

1 Like

Thank you! That's really helped me.

But I'm a little confused, having spent some time following up on what you said, because it seems that the latest version of cargo-checkmate is already using the latest version of smartstring:

~/git/cargo-checkmate/cargo-checkmate$ cargo tree | grep smart
│   │   │   └── smartstring v1.0.1

But as you say, cargo-checkmate is crashing while calling smartstring-0.2.10/src/ ...

How are you installing cargo-checkmate in your CI?

The version published to crates-io is v0.1.11 and a year old. 7 months ago merged this PR to update all of the dependencies and fix a bunch of issues. If you cargo install cargo-checkmate you're getting the old version from crates-io, not the version on the main branch on GitHub.

1 Like

Thank you! Sorry to be dense, if I wanted to run cargo checkmate as part of my GitHub Actions workflow what command should I use to install cargo checkmate from their GitHub repo?

Edit: I should’ve said, I’m using cargo install cargo-checkmate in CI.

You can use cargo install --git https://path/to/crate to install straight from a hosted git repository.

1 Like