Merge branch 'master' into copilot/fix-bugs-in-code

Author: antonmedv

.github/workflows/build.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-versions: [ '1.18', '1.22', '1.24', '1.25' ]
+        go-versions: [ '1.18', '1.22', '1.24', '1.25', '1.26' ]
         go-arch: [ '386' ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/test.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-versions: [ '1.18', '1.19', '1.20', '1.21', '1.22', '1.23', '1.24', '1.25' ]
+        go-versions: [ '1.18', '1.19', '1.20', '1.21', '1.22', '1.23', '1.24', '1.25', '1.26' ]
     steps:
       - uses: actions/checkout@v3
       - name: Setup Go ${{ matrix.go-version }}

README.md

@@ -170,6 +170,7 @@ func main() {
 * [WunderGraph Cosmo](https://github.com/wundergraph/cosmo) - GraphQL Federeration Router uses Expr to customize Middleware behaviour
 * [SOLO](https://solo.one) uses Expr interally to allow dynamic code execution with custom defined functions.
 * [Naoma.AI](https://www.naoma.ai) uses Expr as a part of its call scoring engine.
+* [GlassFlow.dev](https://github.com/glassflow/clickhouse-etl) uses Expr to do realtime data transformation in ETL pipelines
 
 [Add your company too](https://github.com/expr-lang/expr/edit/master/README.md)
 

builtin/builtin_test.go

@@ -300,19 +300,13 @@ func TestBuiltin_errors(t *testing.T) {
 	}
 }
 
-// The get() builtin must return an error when called with
-// insufficient arguments at runtime, even if compile-time checks
-// are bypassed (regression test for OSS-Fuzz #479270603).
-func TestBuiltin_get_runtime_args_check(t *testing.T) {
+func TestBuiltin_env_not_callable(t *testing.T) {
 	code := `$env(''matches'i'?t:get().UTC())`
 	env := map[string]any{"t": 1}
 
-	program, err := expr.Compile(code, expr.Env(env))
-	require.NoError(t, err)
-
-	_, err = expr.Run(program, env)
+	_, err := expr.Compile(code, expr.Env(env))
 	require.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid number of arguments")
+	assert.Contains(t, err.Error(), "is not callable")
 }
 
 func TestBuiltin_types(t *testing.T) {

checker/checker.go

@@ -651,6 +651,11 @@ func (v *Checker) callNode(node *ast.CallNode) Nature {
 		return *node.Nature()
 	}
 
+	// $env is not callable.
+	if id, ok := node.Callee.(*ast.IdentifierNode); ok && id.Value == "$env" {
+		return v.error(node, "%s is not callable", v.config.Env.String())
+	}
+
 	nt := v.visit(node.Callee)
 	if nt.IsUnknown(&v.config.NtCache) {
 		return Nature{}

checker/checker_test.go

@@ -681,6 +681,30 @@ invalid operation: > (mismatched types string and int) (1:30)
 invalid operation: + (mismatched types int and bool) (1:6)
  | 1; 2 + true; 3
  | .....^
+`,
+		},
+		{
+			`$env()`,
+			`
+mock.Env is not callable (1:1)
+ | $env()
+ | ^
+`,
+		},
+		{
+			`$env(1)`,
+			`
+mock.Env is not callable (1:1)
+ | $env(1)
+ | ^
+`,
+		},
+		{
+			`$env(abs())`,
+			`
+mock.Env is not callable (1:1)
+ | $env(abs())
+ | ^
 `,
 		},
 	}

parser/parser.go

@@ -575,10 +575,7 @@ func (p *Parser) parseCall(token Token, arguments []Node, checkOverrides bool) N
 	}
 	isOverridden = isOverridden && checkOverrides
 
-	if _, ok := predicates[token.Value]; ok && p.config != nil && p.config.Disabled[token.Value] && !isOverridden {
-		// Disabled predicate without replacement - fail immediately
-		p.error("unknown name %s", token.Value)
-	} else if b, ok := predicates[token.Value]; ok && !isOverridden {
+	if b, ok := predicates[token.Value]; ok && !isOverridden {
 		p.expect(Bracket, "(")
 
 		// In case of the pipe operator, the first argument is the left-hand side
@@ -622,9 +619,6 @@ func (p *Parser) parseCall(token Token, arguments []Node, checkOverrides bool) N
 		if node == nil {
 			return nil
 		}
-	} else if _, ok := builtin.Index[token.Value]; ok && p.config != nil && p.config.Disabled[token.Value] && !isOverridden {
-		// Disabled builtin without replacement - fail immediately
-		p.error("unknown name %s", token.Value)
 	} else if _, ok := builtin.Index[token.Value]; ok && (p.config == nil || !p.config.Disabled[token.Value]) && !isOverridden {
 		node = p.createNode(&BuiltinNode{
 			Name:      token.Value,

test/fuzz/fuzz_test.go

@@ -36,12 +36,14 @@ func FuzzExpr(f *testing.F) {
 		regexp.MustCompile(`unknown time zone`),
 		regexp.MustCompile(`invalid location name`),
 		regexp.MustCompile(`json: unsupported value`),
+		regexp.MustCompile(`json: unsupported type`),
 		regexp.MustCompile(`json: cannot unmarshal .* into Go value of type .*`),
 		regexp.MustCompile(`unexpected end of JSON input`),
 		regexp.MustCompile(`memory budget exceeded`),
 		regexp.MustCompile(`using interface \{} as type .*`),
 		regexp.MustCompile(`reflect.Value.MapIndex: value of type .* is not assignable to type .*`),
 		regexp.MustCompile(`reflect: Call using .* as type .*`),
+		regexp.MustCompile(`reflect: cannot use .* as type .* in .*`),
 		regexp.MustCompile(`reflect: Call with too few input arguments`),
 		regexp.MustCompile(`invalid number of arguments`),
 		regexp.MustCompile(`reflect: call of reflect.Value.Call on .* Value`),

test/issues/924/issue_test.go

@@ -0,0 +1,23 @@
+package issue_test
+
+import (
+	"testing"
+
+	"github.com/expr-lang/expr"
+	"github.com/expr-lang/expr/internal/testify/require"
+)
+
+func TestIssue924_allow_disabling_builtins_and_providing_fn_at_runtime(t *testing.T) {
+	// We disable the builtin "upper", but do not env information,
+	// but we can provide a function at runtime.
+	program, err := expr.Compile(`upper(1)`, expr.DisableBuiltin("upper"))
+	require.NoError(t, err)
+
+	env := map[string]any{
+		"upper": func(a int) int { return a },
+	}
+
+	out, err := expr.Run(program, env)
+	require.NoError(t, err)
+	require.Equal(t, 1, out)
+}

vm/vm_test.go

@@ -1512,20 +1512,44 @@ func TestVM_StackUnderflow(t *testing.T) {
 	}
 }
 
-func TestVM_OpCall_InvalidNumberOfArguments(t *testing.T) {
-	// This test ensures that calling a function with wrong number of arguments
-	// produces a clear error message instead of a panic.
-	// Regression test for clusterfuzz issue with expression:
-	// $env(''matches'  '? :now().UTC(g).d)//
-
+func TestVM_EnvNotCallable(t *testing.T) {
+	// $env is the environment, not a function.
 	env := map[string]any{
 		"ok": true,
 	}
 
 	code := `$env('' matches ' '? : now().UTC(g))`
-	program, err := expr.Compile(code, expr.Env(env))
+	_, err := expr.Compile(code, expr.Env(env))
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "is not callable")
+}
+
+func TestVM_OpCall_InvalidNumberOfArguments(t *testing.T) {
+	// Test that the VM validates argument count at runtime.
+	// Compile without Env() so compiler generates OpCall without type info.
+	program, err := expr.Compile(`fn(1, 2)`)
 	require.NoError(t, err)
 
+	// Run with a function that has different arity
+	env := map[string]any{
+		"fn": func(a int) int { return a },
+	}
+
+	_, err = expr.Run(program, env)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid number of arguments")
+}
+
+func TestVM_OpCall_InvalidNumberOfArguments_Variadic(t *testing.T) {
+	// Test variadic function with too few arguments.
+	program, err := expr.Compile(`fn()`)
+	require.NoError(t, err)
+
+	// Run with a variadic function that requires at least 1 argument
+	env := map[string]any{
+		"fn": func(first int, rest ...int) int { return first },
+	}
+
 	_, err = expr.Run(program, env)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "invalid number of arguments")