Deliver server protocol violations to the application #212
SeanTAllen merged 1 commit into main on Apr 14, 2026
A server can send bytes we can't parse, a wire-legal message that's invalid for the current connection state, or an unexpected byte during SSL negotiation. Any of those used to silently shut the session down — or, worse, crash the client process with an illegal-state panic. Neither is useful to an application trying to understand why its session died. Now all three route through the state's own error path: pre-ready failures fire pg_session_connection_failed(ProtocolViolation) followed by pg_session_shutdown; a logged-in session with a query in flight delivers ProtocolViolation to that query's receiver before the session shuts down. Queries that were merely queued still see SessionClosed, since only the in-flight query directly observed the violation. Also folds in the junk-byte half of #206 (the SSL-negotiation response byte that is neither 'S' nor 'N'). The empty-data branch of #206 remains open — that one is a transport failure, not a protocol violation. Closes #205
Server bytes that can't be parsed, wire-legal messages arriving in a state where they're invalid, and unexpected bytes during SSL negotiation used to silently shut the session down or crash the client with an illegal-state panic. None of that was useful to an application trying to understand why its session died.
All three paths now funnel through a new `on_protocol_violation` state-handler method. Pre-ready violations fire `pg_session_connection_failed(ProtocolViolation)` followed by `pg_session_shutdown`. A logged-in session with a query in flight delivers `ProtocolViolation` to that query's receiver (`pg_query_failed`/`pg_prepare_failed`/`pg_copy_failed`/`pg_stream_failed`/`pg_pipeline_failed`) before `pg_session_shutdown`. Queries that were merely queued still see `SessionClosed`.

`ProtocolViolation` is a single primitive in both the `ConnectionFailureReason` union and the `ClientQueryError` union. Carrying no diagnostic payload was a deliberate call — server-supplied bytes or parser state are attack vectors for log injection, DoS amplification, and running code on hostile input during error handling. Easier to add bounded symbolic detail later than to remove it once shipped.

Also folds in the junk-byte half of #206 (SSL-negotiation response byte that is neither `'S'` nor `'N'`). The empty-data branch of #206 remains open — that's a transport failure, not a protocol violation, and belongs to a different design decision.

Closes #205.
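The routing described in the PR body and commit message, as an added example that is not the pony-postgres code. It is a small Python model of a session state machine with the three detection sites (junk SSL-negotiation byte, unparseable message, wire-legal message in the wrong state) all funnelled through one `on_protocol_violation()` that delivers a payload-free `ProtocolViolation` to the connection or to the query in flight, `SessionClosed` to queued queries, then shuts down. The state names, the per-state allowed-message table, the `Query`/`Session` classes and the scenario functions are assumptions for illustration; the message framing (type byte, self-inclusive int32 length, payload) is the PostgreSQL backend wire format. The empty-data branch that the PR leaves open is not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Failure(Enum):
    # Bare symbols: no server bytes or parser state ride along with them.
    PROTOCOL_VIOLATION = auto()
    SESSION_CLOSED = auto()


class State(Enum):
    SSL_NEGOTIATING = auto()
    STARTUP = auto()          # SSL answered, ReadyForQuery not yet seen
    READY = auto()


# Backend message type bytes accepted in each post-SSL state (an assumed subset
# of the protocol: Auth, ParameterStatus, BackendKeyData, ReadyForQuery,
# ErrorResponse before ready; RowDescription, DataRow, CommandComplete,
# ReadyForQuery, ErrorResponse once ready).
ALLOWED = {
    State.STARTUP: {b"R", b"S", b"K", b"Z", b"E"},
    State.READY: {b"T", b"D", b"C", b"Z", b"E"},
}


def msg(kind: bytes, payload: bytes = b"") -> bytes:
    """Encode a backend message: type byte, int32 length (self-inclusive), payload."""
    return kind + (len(payload) + 4).to_bytes(4, "big") + payload


@dataclass
class Query:
    sql: str
    events: list = field(default_factory=list)   # what this query's receiver saw

    def failed(self, reason: Failure) -> None:
        self.events.append(("failed", reason))


@dataclass
class Session:
    state: State = State.SSL_NEGOTIATING
    events: list = field(default_factory=list)   # session-level notifications
    in_flight: Optional[Query] = None
    queued: list = field(default_factory=list)
    closed: bool = False

    def execute(self, q: Query) -> None:
        if self.state is State.READY and self.in_flight is None:
            self.in_flight = q
        else:
            self.queued.append(q)

    def on_ssl_response(self, data: bytes) -> None:
        if not data:
            # Empty read is a transport failure; the PR leaves that branch open.
            raise NotImplementedError("transport failure, not modelled here")
        if self.state is not State.SSL_NEGOTIATING or data not in (b"S", b"N"):
            return self.on_protocol_violation()          # junk byte
        self.state = State.STARTUP

    def on_message(self, raw: bytes) -> None:
        if self.state is State.SSL_NEGOTIATING or len(raw) < 5:
            return self.on_protocol_violation()
        kind, length = raw[:1], int.from_bytes(raw[1:5], "big")
        if length < 4 or len(raw) != 1 + length:         # cannot be parsed
            return self.on_protocol_violation()
        if kind not in ALLOWED[self.state]:              # wire-legal, wrong state
            return self.on_protocol_violation()
        payload = raw[5:]
        if kind == b"Z" and self.state is State.STARTUP:
            self.state = State.READY
            if self.queued:
                self.in_flight = self.queued.pop(0)
        elif kind in (b"T", b"D", b"C"):
            if self.in_flight is None:                   # row data with no query
                return self.on_protocol_violation()
            if kind == b"C":
                self.in_flight.events.append(("complete", payload))
                self.in_flight = self.queued.pop(0) if self.queued else None

    def on_protocol_violation(self) -> None:
        """Single choke point for all three detection sites."""
        if self.state is not State.READY:
            self.events.append(("connection_failed", Failure.PROTOCOL_VIOLATION))
        elif self.in_flight is not None:
            self.in_flight.failed(Failure.PROTOCOL_VIOLATION)  # it observed the bytes
            self.in_flight = None
        for q in self.queued:                                  # never observed them
            q.failed(Failure.SESSION_CLOSED)
        self.queued.clear()
        self.events.append(("shutdown",))
        self.closed = True


# Constructed scenarios, one per detection site plus a clean exchange.
def junk_ssl_byte() -> Session:
    s = Session()
    s.on_ssl_response(b"X")                      # neither 'S' nor 'N'
    return s


def unparseable_before_ready() -> Session:
    s = Session()
    s.on_ssl_response(b"N")
    s.on_message(b"Z\x00\x00\x00\x01")           # length field below the 4-byte minimum
    return s


def wrong_state_with_query_in_flight():
    s = Session()
    s.on_ssl_response(b"S")
    s.on_message(msg(b"Z", b"I"))                # ReadyForQuery: logged in
    q1, q2 = Query("select 1"), Query("select 2")
    s.execute(q1)                                # in flight
    s.execute(q2)                                # queued behind it
    s.on_message(msg(b"R", b"\x00\x00\x00\x00")) # AuthenticationOk after ready
    return s, q1, q2


def normal_completion():
    s = Session()
    s.on_ssl_response(b"N")
    s.on_message(msg(b"Z", b"I"))
    q = Query("select 1")
    s.execute(q)
    for m in (msg(b"T"), msg(b"D"), msg(b"C", b"SELECT 1\x00")):
        s.on_message(m)
    return s, q
```

Note that `Failure.PROTOCOL_VIOLATION` is an enum member with nothing attached: the offending bytes and the parser's position never reach the application's error path, which is the design choice the commit message argues for. Queued queries are failed with `SESSION_CLOSED` in the pre-ready case as well; the PR text states that rule for the logged-in case, so treating both the same is an assumption of this model.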