exception: make Ipv6Instance and Ipv4Instance not throw and remove some try catch pattern #16122

Merged: 35 commits, Jun 23, 2021
2 changes: 1 addition & 1 deletion source/common/network/address_impl.cc
Expand Up @@ -94,7 +94,7 @@ Address::InstanceConstSharedPtr addressFromSockAddrOrThrow(const sockaddr_storag
socklen_t ss_len, bool v6only) {
// Though we don't have any test coverage where address validation in addressFromSockAddr() fails,
// this code is called in worker thread and can throw in theory. In that case, the program will
// crash due to uncaught exception. In pratice, we don't expect any address validation in
// crash due to uncaught exception. In practice, we don't expect any address validation in
// addressFromSockAddr() to fail in worker thread.
StatusOr<InstanceConstSharedPtr> address = addressFromSockAddr(ss, ss_len, v6only);
Contributor

add ASSERT(!isMainThread)

Member Author

Do you mean ASSERT(isMainThread)?

Member Author

But this is also called in worker threads. We could use the OrDie version everywhere in worker threads, but that would change the behavior of Envoy.

Contributor

Ah sorry, yes. I meant ASSERT(isMainThread()). We should only be calling something that can throw if we are in the main thread, right?

Now, if this is used in a worker thread, it should be a version that cannot throw, rather than this one. That's the main point of this change, right? We may have to propagate errors up the stack and change some call sites.

Contributor

Can you add a comment like:

Note that a throw may in theory occur in a worker thread, as long as it is not caught (and therefore crashes), and we use macros and lint to avoid catching exceptions in the main thread. In practice we do not expect addresses to be validated in a main-thread flow, and thus never reach worker threads.

Member Author

Thanks, comment added.

Member

Maybe I'm missing something here, but it seems we're not improving anything if we're still either throwing or dying on the worker thread?

Can you maybe explain the context of this PR so I can understand the scope better, i.e. what's the long-term game plan here?

Contributor

I think there's a lot less throwing and catching done in worker threads now. The only exception I think is the catch in place needed to deal with unexpected issues in the fuzz test.

return throwOnError(address);
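Review bot: this hunk only fixes the spelling of "practice" and leaves the thread contract of this function implicit. The comment above `StatusOr<InstanceConstSharedPtr> address = addressFromSockAddr(ss, ss_len, v6only);` says the code "is called in worker thread and can throw in theory" and that an uncaught throw would crash, but it does not state whether `addressFromSockAddrOrThrow` is intended to be main-thread-only, nor that worker-thread callers are expected to use the `StatusOr`-returning `addressFromSockAddr` and handle the error themselves. Suggest stating that contract in the comment (and asserting it if the throwing path really is main-thread-only), so that `return throwOnError(address);` is unambiguous about which threads may reach it.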
2 changes: 2 additions & 0 deletions tools/code_format/check_format.py
Expand Up @@ -117,6 +117,8 @@
EXCEPTION_DENYLIST = (
"./source/common/http/http2/codec_impl.h", "./source/common/http/http2/codec_impl.cc")

# Files that are allowed to use try without main thread assertion.
# TODO(chaoqin-li1123): remove try catch pattern in dns_impl.cc.
RAW_TRY_ALLOWLIST = (
"./source/common/common/regex.cc", "./source/common/common/thread.h",
"./source/common/network/utility.cc", "./source/common/network/dns_impl.cc")
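Review bot: the new `RAW_TRY_ALLOWLIST` entry `"./source/common/network/dns_impl.cc"` exempts the whole file, so any `try` added anywhere in it later will pass the format check without a main-thread assertion; the comment `# Files that are allowed to use try without main thread assertion.` makes that file-wide scope explicit. Since the accompanying `# TODO(chaoqin-li1123): remove try catch pattern in dns_impl.cc.` shows the exemption is meant to be temporary, a per-site marker on the one known block (the TRY_NEEDS_AUDIT discussed in this review) would keep the lint scoped to that block instead of growing a file-level allowlist.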
Contributor

I think I have a slight preference for leaving dns_impl.cc out of this try-allowlist and leaving the TRY_NEEDS_AUDIT there, as I think there may be a path forward to fix the issue with the fuzz test.

In any case there is a TODO there.

Member Author

We already left a comment and a TODO in dns_impl.cc explaining why we can't add a main thread assertion to the try block there (because a filter reuses that code in a worker thread). As long as we don't care about that filter, there is no security issue to fix.

Contributor @jmarantz, Jun 15, 2021

Yes, I know what you have works. But what makes me uncomfortable is that you are allow-listing a large file. Two reasons not to love that:

  • another try could be added to this file without triggering lint now
  • having this long list of allow-listed files makes it seem like it's OK to just grow that list.

So I think TRY_NEEDS_AUDIT in this one case is a better state to leave the system in. And hopefully we can address this by cleaning up the fuzz test.

Member Author

Makes sense.

chaoqin-li1123 marked this conversation as resolved.
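The pattern the reviewers converge on above (a non-throwing, StatusOr-returning parser that worker threads call and handle, plus a throwing wrapper that is only legitimate on the main thread) is easier to see in code. The block below is an added example written for this page, not Envoy's implementation: the `StatusOr` class, `isMainThread()`, `ParsedAddress`, `countRejected()` and the `makeV4`/`makeV6` helpers are hypothetical stand-ins for the real project types, and the sockaddr values are constructed inline as sample input.

```cpp
// Added example (not Envoy code): non-throwing sockaddr parsing for worker
// threads, plus a throwing wrapper that asserts it runs on the main thread.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#include <cassert>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <thread>
#include <vector>

// Hypothetical minimal stand-in for absl::StatusOr: either an error string or a value.
template <class T> class StatusOr {
public:
  explicit StatusOr(std::string error) : ok_(false), error_(std::move(error)) {}
  explicit StatusOr(T value) : ok_(true), value_(std::move(value)) {}
  bool ok() const { return ok_; }
  const T& value() const { return value_; }
  const std::string& error() const { return error_; }
private:
  bool ok_;
  std::string error_;
  T value_{};
};

struct ParsedAddress {
  std::string ip;
  uint16_t port;
};

// Hypothetical main-thread tracking: statics are initialised on the main thread.
static const std::thread::id kMainThreadId = std::this_thread::get_id();
bool isMainThread() { return std::this_thread::get_id() == kMainThreadId; }

static StatusOr<ParsedAddress> fail(const char* msg) { return StatusOr<ParsedAddress>(std::string(msg)); }

// Non-throwing parser: every validation failure is returned, never thrown,
// so a worker thread can call it without any try/catch.
StatusOr<ParsedAddress> addressFromSockAddr(const sockaddr_storage& ss, socklen_t ss_len) {
  char buf[INET6_ADDRSTRLEN];
  if (ss.ss_family == AF_INET) {
    if (ss_len < static_cast<socklen_t>(sizeof(sockaddr_in))) return fail("sockaddr_in too short");
    const sockaddr_in* in4 = reinterpret_cast<const sockaddr_in*>(&ss);
    if (inet_ntop(AF_INET, &in4->sin_addr, buf, sizeof buf) == nullptr) return fail("inet_ntop failed");
    return StatusOr<ParsedAddress>(ParsedAddress{buf, ntohs(in4->sin_port)});
  }
  if (ss.ss_family == AF_INET6) {
    if (ss_len < static_cast<socklen_t>(sizeof(sockaddr_in6))) return fail("sockaddr_in6 too short");
    const sockaddr_in6* in6 = reinterpret_cast<const sockaddr_in6*>(&ss);
    if (inet_ntop(AF_INET6, &in6->sin6_addr, buf, sizeof buf) == nullptr) return fail("inet_ntop failed");
    return StatusOr<ParsedAddress>(ParsedAddress{buf, ntohs(in6->sin6_port)});
  }
  return fail("unsupported address family");
}

// Throwing wrapper for main-thread-only paths (e.g. config loading). A throw on a
// worker thread would be uncaught and crash the process, so the thread invariant is
// asserted here rather than left to a comment.
ParsedAddress addressFromSockAddrOrThrow(const sockaddr_storage& ss, socklen_t ss_len) {
  assert(isMainThread());
  StatusOr<ParsedAddress> r = addressFromSockAddr(ss, ss_len);
  if (!r.ok()) throw std::runtime_error(r.error());
  return r.value();
}

// Worker-thread style caller: invalid input is counted and skipped, nothing is caught.
size_t countRejected(const std::vector<sockaddr_storage>& addrs) {
  size_t rejected = 0;
  for (const sockaddr_storage& ss : addrs) {
    if (!addressFromSockAddr(ss, sizeof(ss)).ok()) ++rejected;
  }
  return rejected;
}

// Constructed sample input: sockaddr_storage values for ip:port.
sockaddr_storage makeV4(const char* ip, uint16_t port) {
  sockaddr_storage ss{};
  sockaddr_in* in4 = reinterpret_cast<sockaddr_in*>(&ss);
  in4->sin_family = AF_INET;
  in4->sin_port = htons(port);
  inet_pton(AF_INET, ip, &in4->sin_addr);
  return ss;
}
sockaddr_storage makeV6(const char* ip, uint16_t port) {
  sockaddr_storage ss{};
  sockaddr_in6* in6 = reinterpret_cast<sockaddr_in6*>(&ss);
  in6->sin6_family = AF_INET6;
  in6->sin6_port = htons(port);
  inet_pton(AF_INET6, ip, &in6->sin6_addr);
  return ss;
}

// Main-thread-only helper: does the throwing wrapper reject this input?
bool orThrowRejects(const sockaddr_storage& ss) {
  try { addressFromSockAddrOrThrow(ss, sizeof(ss)); return false; }
  catch (const std::runtime_error&) { return true; }
}

int main() {
  sockaddr_storage unspec{};  // ss_family == AF_UNSPEC: rejected on the worker, never thrown
  std::vector<sockaddr_storage> batch{makeV4("10.0.0.1", 8080), makeV6("::1", 443), unspec};
  size_t rejected = 0;
  std::thread worker([&] { rejected = countRejected(batch); });
  worker.join();
  ParsedAddress a = addressFromSockAddrOrThrow(batch[0], sizeof(batch[0]));  // main thread only
  return (rejected == 1 && a.ip == "10.0.0.1" && a.port == 8080) ? 0 : 1;
}
```

The worker path never needs a `try`, which is exactly what lets a lint such as the `RAW_TRY_ALLOWLIST` check above stay strict: only the main-thread wrapper carries the throw, and the `assert(isMainThread())` turns the "we don't expect this to happen on a worker" comment into something a test can trip.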