New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/vet: check for http.Error followed by other statements in handler? #15205

Open
dsnet opened this Issue Apr 8, 2016 · 5 comments

Comments

Projects
None yet
5 participants
@dsnet
Member

dsnet commented Apr 8, 2016

Using go1.6

I recently saw code that did the following:

func serveHTTP(resp http.ResponseWriter, req *http.Request) {
    ...

    if err := foo(); err != nil {
        http.Error(resp, err.Error(), http.StatusInternalServerError)
    }

    if err := bar(); err != nil {
        http.Error(resp, err.Error(), http.StatusInternalServerError)
    }
}

The assumption made was that http.Error() terminates the current handler in some magical way. Instead, Error simply sets the headers and writes the body message, and it is the programmer's responsibility to return. We should document this.

@bradfitz bradfitz added this to the Go1.7 milestone Apr 9, 2016

@bradfitz bradfitz self-assigned this Apr 9, 2016

@bradfitz

This comment has been minimized.

Member

bradfitz commented Apr 9, 2016

I also wonder whether we should write a go vet check for this too. But we should only do so if this is a common problem. Is it easy for somebody to AST-grep all public Go source code and look for an http.Error with reachable statements afterwards? (/cc @sqs, @alandonovan)

We can start with documenting this first, of course.

@gopherbot

This comment has been minimized.

gopherbot commented Apr 11, 2016

CL https://golang.org/cl/21836 mentions this issue.

@alandonovan

This comment has been minimized.

Contributor

alandonovan commented Apr 11, 2016

Based on a quick scan of Google's Go code base, I think such a check would find several errors, but not without false positives. Sometimes an http.Error call and its subsequent return statement are separated by logging statements or error-counter increments. We could exempt any function calls with "log" or "Error" (or within Google, "Add") in their names. The false positives are easy to work around by transposing statements.

@gopherbot gopherbot closed this in 00681ee Apr 11, 2016

@bradfitz

This comment has been minimized.

Member

bradfitz commented Apr 11, 2016

Re-opening to consider vet checks.

@bradfitz bradfitz reopened this Apr 11, 2016

@bradfitz bradfitz modified the milestones: Unplanned, Go1.7 Apr 11, 2016

@bradfitz bradfitz removed the Documentation label Apr 11, 2016

@bradfitz bradfitz removed their assignment Apr 11, 2016

@bradfitz bradfitz changed the title from net/http: document that Error() does not terminate the current handler to cmd/vet: check for http.Error followed by other statements in handler? Apr 11, 2016

@dmitshur

This comment has been minimized.

Member

dmitshur commented Apr 12, 2016

Is it easy for somebody to AST-grep all public Go source code and look for an http.Error with reachable statements afterwards?

/cc @dominikh ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment