Fix panic on logVerifier.VerifyRoot when newRoot is nil

[AMarcedone]

Solves #778

[gdbelvin]

Error strings should not be capitalized.

[codingllama]

I'd remove the "." at the end too.

[codingllama]

Actually, sorry for the back and forth here, but since the capitalized string is actually the method name, what you had originally is correct.

We don't capitalize sentences in errors because error chaining is a common practice, so it would look weird, but in this case it works fine.

I'd go with a small change, which is dropping the " error" part: fmt.Errorf("VerifyRoot(): newRoot == nil")

[gdbelvin]

This block can be outdented

[AMarcedone]

Not sure what you mean. Do you want me to take the code out of the else branch, as the else is redundant since when the if branch is taken the function returns?
I wrote it like this as I think it is easier to see that in the else branch newRoot cannot be null, but happy to switch

[AMarcedone]

@gdbelvin I made the switch. Please let me know if this is what you meant.

[codingllama]

Not Gary, but it looks good. :)

Just clarifying, it's somewhat of a general Go-style rule that, if you return inside the if, you omit the else clause.

Eg, we prefer:

if something {
  return fmt.Errorf("...")
}
// code continues here

instead of

if something {
  return fmt.Errorf("...")
} else {
  // code continues here
}

[gdbelvin]

Looks good. Just a few code style comments.

[codingllama]

Hey Antonio, thanks for the contributions.

Could you please add a test for VerifyRoot where newRoot is nil?

[codingllama]

We should add you to contributors, but not authors. It has a different meaning.

[AMarcedone]

From the contributors file:

# When adding J Random Contributor's name to this file,
# either J's name or J's organization's name should be
# added to the AUTHORS file, depending on whether the
# individual or corporate CLA was used.

I signed the individual CLA.

[codingllama]

OK. What got me is that, apparently, we're missing a bunch of people at AUTHORS, so I understood their absence as a sign that we shouldn't do that. A glimpse at another repo quickly showed my error.

Edit: expanded explanation.

[codingllama]

nit: Please move "fmt" to the block of Golang imports (below crypto/sha256)

[codingllama]

nit: Parenthesis aren't usually in Go ifs (unless really needed)

[codingllama]

I'd remove the "." at the end too.

[codingllama]

Is there a reason for the change on the getters here and below?

[AMarcedone]

Yes. If trusted == nil, trusted.TreeSize is a nil pointer dereference panic which causes SEGFAULT when tested. The getter prevents this (if you look at the code, it just adds a nil test).

[codingllama]

Calling VerifyRoot with trusted = nil sounds like a programming error to me. I think we should error out earlier, just as we do if newRoot == nil.

@gdbelvin, what say you?

[gdbelvin]

I would agree. Clients should explicitly create an initial trusted root to work with.
This can easily be a static object with TreeSize == 0 and RootHash = empty root

[codingllama]

Is there a reason for the changes here?

[AMarcedone]

As above, getters prevent nil pointer dereference errors.

[codingllama]

root is not a pointer, you can't really pass nil to this function. (Maybe it should be a pointer, but that's another discussion.)

[codingllama]

Could you edit the PR's title as well, it's too generic and will be ambiguous once in the Git log. I suggest something like "Fix panic on logVerifier.VerifyRoot when newRoot is nil"

[AMarcedone]

@gdbelvin and @codingllama thanks a lot for your reviews!
I made the requested changes. PTAL

[codingllama]

OK. What got me is that, apparently, we're missing a bunch of people at AUTHORS, so I understood their absence as a sign that we shouldn't do that. A glimpse at another repo quickly showed my error.

Edit: expanded explanation.

[codingllama]

Could we move the tests to verifier_test.go?

[codingllama]

go style nit: Could we structure both tests as a single, table-driven test?

func TestVerifyRootErrors(t *testing.T) {
  tests := []struct {
    desc string
    trusted, newRoot *trillian.SignedLogRoot
  }{
    {desc: "newRootNil", trusted: someRoot, newRoot: nil},
    {desc: "trustedNil",trusted: nil, newRoot: someRoot},
    // so on...
  }
  for _, test := range tests {
    if err := verifier.VerifyRoot(test.trusted, test.newRoot); err == nil {
      t.Errorf("%v: VerifyRoot() returned err = nil", test.desc)
    }
  }
}

https://github.com/golang/go/wiki/TableDrivenTests

[codingllama]

nit: Move to the block above

[codingllama]

Calling VerifyRoot with trusted = nil sounds like a programming error to me. I think we should error out earlier, just as we do if newRoot == nil.

@gdbelvin, what say you?

[codingllama]

Ditto here and at VerifyInclusionByHash. I'd rather error out or panic, silently proceeding makes the trusted = nil misstep harder to detect.

Please add a test for VerifyInclusion* methods too, if you decide to touch them.

[AMarcedone]

A panic (SEGFAULT) is bad for gobind integration (the android app hangs) and might cause errors too, so I would go for an error instead.

[codingllama]

root is not a pointer, you can't really pass nil to this function. (Maybe it should be a pointer, but that's another discussion.)

[gdbelvin]

That sounds like the right path. Thanks for taking this on Antonio

…

On Tue, Aug 8, 2017 at 10:41 PM Antonio Marcedone ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In client/verifier.go <#779 (comment)>: > @@ -68,14 +72,14 @@ func (c *logVerifier) VerifyRoot(trusted, newRoot *trillian.SignedLogRoot, // the currently trusted root. The inclusion proof must be requested for Root().TreeSize. func (c *logVerifier) VerifyInclusionAtIndex(trusted *trillian.SignedLogRoot, data []byte, leafIndex int64, proof [][]byte) error { leaf := c.buildLeaf(data) - return c.v.VerifyInclusionProof(leafIndex, trusted.TreeSize, - proof, trusted.RootHash, leaf.MerkleLeafHash) + return c.v.VerifyInclusionProof(leafIndex, trusted.GetTreeSize(), A panic (SEGFAULT) is bad for gobind integration (the android app hangs) and might cause errors too, so I would go for an error instead. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#779 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMHTni3UXEUZU6Cf9z6M16h1s7sn9qxks5sWNYYgaJpZM4OuWsN> .

[AMarcedone]

Updated after the most recent comments. And thanks for your patience, I am just starting to write in go for this project :)
PTAL

[codingllama]

Thanks for sticking with us, Antonio. I've a few more nits left and a comment asking for auto-formatting, but I think we're close to a merge here.

[codingllama]

nit: Move "strings" above "testing", on the Golang libraries block.

[codingllama]

nit: Technically, Go errors aren't "thrown", that's Java/C++/etc lingo. ;)

Ditto below.

[codingllama]

I'd rather drop the error string check and call VerifyInclusionAtIndex with only trusted = nil, so it's clear what the source of the error is. Error message checking lands too close to change detector tests.

[AMarcedone]

I see your point.
I removed the check and added a comment.

[codingllama]

You're missing a gofmt run here. Try doing scripts/presubmit.sh --fix --no-generate, that should do all the formatting needed.

[codingllama]

nit: As above, I think it's fine to drop this.

[gdbelvin]

this could be rewritten as trillian.SignedLogRoot{} since all the fields have their default values

deferring to codingllama

[AMarcedone]

Updated. PTAL and thanks again :)

[codingllama]

Thanks, Antonio!

@gdbelvin, feel free to squash/merge after you approve.

[codingllama]

Oh, nevermind, I see that it was deferred to me. Merging.