/cockroach

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

storage: add log.Safe to "impossible" panic #28983

Open
wants to merge 1 commit into
base: master
from

Conversation

Reviewers

@benesch benesch

@tschottdorf tschottdorf

@cockroachdb/core-prs core-prs

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@nvanbenschoten @cockroach-teamcity @benesch @tschottdorf
@nvanbenschoten
Member

nvanbenschoten commented Aug 22, 2018

See #28889.

Release note: None

@nvanbenschoten nvanbenschoten requested a review from cockroachdb/core-prs as a code owner Aug 22, 2018

@cockroach-teamcity

This comment has been minimized.

Show comment
Hide comment
@cockroach-teamcity

cockroach-teamcity Aug 22, 2018

Member

This change is Reviewable
Member

cockroach-teamcity commented Aug 22, 2018

This change is Reviewable
@tschottdorf

tschottdorf requested changes Aug 23, 2018
View changes

What will this error leak? If there are any parts of the key in there, that wouldn't be acceptable. And even if that isn't the case, we're placing blind trust in that not changing out from under us -- I think we need to be more prudent here and extract only the information we can affort to leak from production clusters. For example, grab the key range, extract the sizes of the key, longest common prefix, and stuff like that. Or even better, go into tree.Delete()s impl and let it return Safe (or at least typed) errors (when we know that it's not leaking input).

I know this is a pain, but we've got to do it.

@nvanbenschoten

This comment has been minimized.

Show comment
Hide comment
@nvanbenschoten

nvanbenschoten Oct 12, 2018

Member

The error wouldn't currently have leaked sensitive information because it had to have been either an ErrInvertedRange or an ErrEmptyRange, but I agree with your point about this changing in the future. I reworked this to scope the log.Safe call more closely. An added benefit of this is that we now get this extra introspection into any panics by users of the interval package. PTAL.
Member

nvanbenschoten commented Oct 12, 2018

The error wouldn't currently have leaked sensitive information because it had to have been either an ErrInvertedRange or an ErrEmptyRange, but I agree with your point about this changing in the future. I reworked this to scope the log.Safe call more closely. An added benefit of this is that we now get this extra introspection into any panics by users of the interval package. PTAL.
@tschottdorf

tschottdorf approved these changes Oct 13, 2018
View changes

Thanks!

@nvanbenschoten
storage: add log.Safe to errors in interval package 
Closes #28889.

This doesn't actually fix the issue there, but we've only ever seen
that once, and its currently unactionable past making this change.

Release note: None
Loading status checks…
0d62172
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment