feat(3p/nix): add --trace-file-access to nix-instantiate r/1603

This builds on edef's work with depot-scan by adding a dedicated
flag to the command. We piggyback on upstream's restricted-mode
implementation, the checkSourcePath function.

Change-Id: I52bb613549f40dbca1e8caa036635910c1a3d6d0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/1654
Tested-by: BuildkiteCI
Reviewed-by: glittershark <grfn@gws.fyi>

4 files changed, 49 insertions, 0 deletions

diff --git a/third_party/nix/doc/manual/command-ref/nix-instantiate.xml b/third_party/nix/doc/manual/command-ref/nix-instantiate.xml
index 53f06aed12..3fd2ef2a95 100644
--- a/third_party/nix/doc/manual/command-ref/nix-instantiate.xml
+++ b/third_party/nix/doc/manual/command-ref/nix-instantiate.xml
@@ -39,6 +39,7 @@
     </arg>
     <arg><option>--add-root</option> <replaceable>path</replaceable></arg>
     <arg><option>--indirect</option></arg>
+    <arg><option>--<arg>no</arg>trace-file-access</option></arg>
     <group>
       <arg choice='plain'><option>--expr</option></arg>
       <arg choice='plain'><option>-E</option></arg>
@@ -131,6 +132,13 @@ input.</para>
 
   </varlistentry>
 
+  <varlistentry><term><option>--<arg>no</arg>trace-file-access</option></term>
+    <listitem><para>While instantiating the expression, the evaluator will
+    print the full path to any files it reads with the prefix
+    <envar>trace-file-access: </envar> to the standard error.</para>
+    </listitem>
+  </varlistentry>
+
   <varlistentry><term><option>--json</option></term>
 
     <listitem><para>When used with <option>--eval</option>, print the resulting
@@ -253,6 +261,10 @@ $ nix-instantiate --eval --xml --strict -E 'rec { x = "foo"; y = x; }'
 
 </refsection>
 
+<refsection><title>Conformance</title>
+  <para>The <option>--trace-file-access</option> option is a nonstandard
+  extension added by Tvix in 2020.</para>
+</refsection>
 
 <refsection condition="manpage"><title>Environment variables</title>
 
diff --git a/third_party/nix/src/libexpr/eval.cc b/third_party/nix/src/libexpr/eval.cc
index 5f272b62b8..f068b6ba6a 100644
--- a/third_party/nix/src/libexpr/eval.cc
+++ b/third_party/nix/src/libexpr/eval.cc
@@ -379,6 +379,7 @@ EvalState::EvalState(const Strings& _searchPath, const ref<Store>& store)
 EvalState::~EvalState() = default;
 
 Path EvalState::checkSourcePath(const Path& path_) {
+  TraceFileAccess(path_);
   if (!allowedPaths) {
     return path_;
   }
@@ -1819,6 +1820,20 @@ void EvalState::printStats() {
   }
 }
 
+void EvalState::TraceFileAccess(const Path& realPath) {
+  if (file_access_trace_fn.has_value()) {
+    if (last_traced_file != realPath) {
+      (*file_access_trace_fn)(realPath);
+      // Basic deduplication.
+      last_traced_file = std::string(realPath);
+    }
+  }
+}
+
+void EvalState::EnableFileAccessTracing(std::function<void(const Path&)> fn) {
+  file_access_trace_fn = fn;
+}
+
 size_t valueSize(const Value& v) {
   traceable_flat_hash_set<const Bindings*> seenBindings;
   traceable_flat_hash_set<const Env*> seenEnvs;
diff --git a/third_party/nix/src/libexpr/eval.hh b/third_party/nix/src/libexpr/eval.hh
index e08ec04ef5..c244b6eecc 100644
--- a/third_party/nix/src/libexpr/eval.hh
+++ b/third_party/nix/src/libexpr/eval.hh
@@ -284,6 +284,10 @@ class EvalState : public gc {
 
   void realiseContext(const PathSet& context);
 
+  /* File access tracing. */
+  void TraceFileAccess(const Path& path);
+  void EnableFileAccessTracing(std::function<void(const Path&)> fn);
+
  private:
   unsigned long nrEnvs = 0;
   unsigned long nrValuesInEnvs = 0;
@@ -299,6 +303,10 @@ class EvalState : public gc {
 
   bool countCalls;
 
+  std::optional<std::function<void(const Path&)>> file_access_trace_fn =
+      std::nullopt;
+  Path last_traced_file = "";
+
   typedef std::map<Symbol, size_t> PrimOpCalls;
   PrimOpCalls primOpCalls;
 
diff --git a/third_party/nix/src/nix-instantiate/nix-instantiate.cc b/third_party/nix/src/nix-instantiate/nix-instantiate.cc
index be96943b12..7b8d6dd3d6 100644
--- a/third_party/nix/src/nix-instantiate/nix-instantiate.cc
+++ b/third_party/nix/src/nix-instantiate/nix-instantiate.cc
@@ -96,6 +96,7 @@ static int _main(int argc, char** argv) {
     bool findFile = false;
     bool evalOnly = false;
     bool parseOnly = false;
+    bool traceFileAccess = false;
     OutputKind outputKind = okPlain;
     bool xmlOutputSourceLocation = true;
     bool strict = false;
@@ -143,6 +144,14 @@ static int _main(int argc, char** argv) {
                       repair = Repair;
                     } else if (*arg == "--dry-run") {
                       settings.readOnlyMode = true;
+                    } else if (*arg == "--trace-file-access") {
+                      traceFileAccess = true;
+                    } else if (*arg == "--trace-file-access=true") {
+                      traceFileAccess = true;
+                    } else if (*arg == "--trace-file-access=false") {
+                      traceFileAccess = false;
+                    } else if (*arg == "--notrace-file-access") {
+                      traceFileAccess = false;
                     } else if (*arg != "" && arg->at(0) == '-') {
                       return false;
                     } else {
@@ -161,6 +170,11 @@ static int _main(int argc, char** argv) {
 
     auto state = std::make_unique<EvalState>(myArgs.searchPath, store);
     state->repair = repair;
+    if (traceFileAccess) {
+      state->EnableFileAccessTracing([](const Path& path) {
+        std::cerr << "trace: depot-scan: " << path << "\n";
+      });
+    }
 
     Bindings& autoArgs = *myArgs.getAutoArgs(*state);