store: correctly remove incomplete layers on load.

[Luap99]

In go one should never modify a slice while also iterating over it at the same time. This causes weird side effects as the underlying array elements are shifted around without the range loop index knowing. So if you delete a element the loop will then actually skip the next one and theoretically access out of bounds on the last element which does not panic but rather return the default zero type, nil here which then causes the panic on layer.Flags == nil.

Here is a simple example to show the behavior:

func main() {
	slice := []int{1, 2, 3, 4, 5, 6, 7, 8, 9}
	for _, num := range slice {
		if num == 5 {
			slice = slices.DeleteFunc(slice, func(n int) bool {
				return n == 5
			})
		}
		fmt.Println(num)
	}
}

The loop will not print 6, but then as last number it prints 0 (the default zero type for an int).

Fixes #2184

[Luap99]

@giuseppe @mtrmac PTAL

Untested at this point as I am not familiar with the storage layout so I am not sure how I can corrupt my storage in such case to trigger this code path.

I have also not yet audited other code paths for a similar issues. I wonder if there is a linter for this thing.

[cgwalters]

Can't resist noting this type of bug can't happen in Rust.

[mtrmac]

Thanks, great find!

[mtrmac]

Untested at this point as I am not familiar with the storage layout so I am not sure how I can corrupt my storage in such case to trigger this code path.

In this case, probably by deleting an image (or a single layer): that marks layers as incomplete and proceeds to delete the layer files. If the deletion is aborted (by panic / reboot / SIGKILL) at that time, the layer remains as incomplete and triggers this late deletion. (It would also be necessary to arrange that the layer being deleted is not the last one in r.layers, or the loop would terminate.)

I don’t think there is a way to write a reliable test for this (using the stable API); the caller would have to trigger deletion of a layer in one thread, and abort the process in another, hoping that it aborts it during the filesystem deletion. (Alternatively, a hack would be to call SetFlag with the incomplete flag explicitly; that should not be too hard to trigger, but it’s not a public API, and it seems to me like a rather specific scenario to write a test for.)

[mtrmac]

/approve

[mtrmac]

/lgtm

[giuseppe]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, giuseppe, Luap99, mtrmac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [giuseppe,mtrmac]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment