funcr: Handle nil Stringer, Marshaler, error #130
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pohly
reviewed
Jan 20, 2022
funcr/funcr.go
Outdated
| @@ -341,6 +341,17 @@ const ( | |||
| flagRawStruct = 0x1 // do not print braces on structs | |||
| ) | |||
|
|
|||
| func isNil(i interface{}) bool { | |||
There was a problem hiding this comment.
Is this faster than wrapping the MarshalLog and String invocations in a function which recovers from a failure inside the called function?
That's how Dims solved it in klog:
kubernetes/klog@125dec9#diff-d11e021bcd662e6127823cd93eeac7a9aec303039137c2f27974cff399142e84
It has two advantages:
- if the interface contains a valid pointer to a struct but the called function then crashes for some other reason (nil access for a field in that struct, for example), then the recovery mechanism catches that, too
- if the function implementation itself handles nil gracefully, then logging keeps using that fallback instead of making up its own
|
It has a distinct disadvantage, too - if the user code panics for ANY
REASON, we'll just eat it and continue. Bad.
The point about valid implementation is apt. Looking at how printf does
it, I guess that is the better answer..
…On Thu, Jan 20, 2022 at 12:17 AM Patrick Ohly ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In funcr/funcr.go
<#130 (comment)>:
> @@ -341,6 +341,17 @@ const (
flagRawStruct = 0x1 // do not print braces on structs
)
+func isNil(i interface{}) bool {
Is this faster than wrapping the MarshalLog and String invocations in a
function which recovers from a failure inside the called function?
That's how Dims solved it in klog:
***@***.***
#diff-d11e021bcd662e6127823cd93eeac7a9aec303039137c2f27974cff399142e84
<kubernetes/klog@125dec9#diff-d11e021bcd662e6127823cd93eeac7a9aec303039137c2f27974cff399142e84>
It has two advantages:
- if the interface contains a valid pointer to a struct but the called
function then crashes for some other reason (nil access for a field in that
struct, for example), then the recovery mechanism catches that, too
- if the function implementation itself handles nil gracefully, then
logging keeps using that fallback instead of making up its own
—
Reply to this email directly, view it on GitHub
<#130 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVF23T24C6K6NUJOBT3UW7AH5ANCNFSM5MLC2XFQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Retooled - PTAL |
We could log the panic as an error - that might raise awareness that the code is not as robust as it needs to be. Hiding the problem where it won't be noticed isn't good, but I think it's still better than aborting the program. Log calls are often not as well tested as the rest of the code. Suppose someone bumps up the log level to debug some problem and then the program aborts somewhere else entirely because of a nil pointer exception - they might not be able to fix the problem and are stuck.
It dumps the panic: https://go.dev/play/p/KC2odl1qSZf |
pohly
reviewed
Jan 21, 2022
funcr/funcr.go
Outdated
| if isNil(m) { | ||
| ret = "<nil-logr-marshaler>" | ||
| } else { | ||
| panic(err) |
There was a problem hiding this comment.
I think this should return a string explaining the problem, similar to what fmt.Sprint does.
We could also log an error, to raise awareness.
|
I don't know. I sort of feel like, if the user called `panic()` and we
swallow their panic, we're doing something wrong. I mean, really this is a
very corner-case of a corner-case, but I thought passing the panic() on was
less surprising.
https://go.dev/play/p/NGMzpwFf90I
That's just weird to me
…On Thu, Jan 20, 2022 at 11:43 PM Patrick Ohly ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In funcr/funcr.go
<#130 (comment)>:
> @@ -596,6 +596,56 @@ func isEmpty(v reflect.Value) bool {
return false
}
+func invokeMarshaler(m logr.Marshaler) (ret interface{}) {
+ defer func() {
+ if err := recover(); err != nil {
+ if isNil(m) {
+ ret = "<nil-logr-marshaler>"
+ } else {
+ panic(err)
I think this should return a string explaining the problem, similar to
what fmt.Sprint does.
We could also log an error, to raise awareness.
—
Reply to this email directly, view it on GitHub
<#130 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVAQ4YWU77CKWCCC6XLUXEFA7ANCNFSM5MLC2XFQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Tim Hockin ***@***.***> writes:
I don't know. I sort of feel like, if the user called `panic()` and we
swallow their panic, we're doing something wrong.
I guess the more common case will be that user didn't explicitly call
panic, but rather forgot a nil for a field or a bounds check. We may be
able to tell the difference from looking at the error from recover, but
I am not sure whether we should bother.
|
|
Alt model pushed as a new commit, but I am still unsure what is "right".
DO NOT MERGE YET PLEASE :)
…On Fri, Jan 21, 2022 at 5:23 AM Patrick Ohly ***@***.***> wrote:
Tim Hockin ***@***.***> writes:
> I don't know. I sort of feel like, if the user called `panic()` and we
> swallow their panic, we're doing something wrong.
I guess the more common case will be that user didn't explicitly call
panic, but rather forgot a nil for a field or a bounds check. We may be
able to tell the difference from looking at the error from recover, but
I am not sure whether we should bother.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
I put up a Twitter poll and it was almost evenly split between "let the panic happen" and "catch panics and print", with "let them happen" taking a single-digit percentage lead. Thoughts? |
|
I prefer to emulate the behavior of fmt. Besides being consistent (why should |
Produce a maybe-useful error rather than panic when we are in the middle of logging a value (similar to fmt.Printf).
|
OK, I retooled to be similar to fmt. Added it to benchmark, but nothing to report. PTAL |
pohly
approved these changes
Jan 31, 2022
pohly
added a commit
to pohly/zapr
that referenced
this pull request
Feb 15, 2022
The function might panic. The conclusion in go-logr/logr#130 was that the logger should record that. zapr only needs to do that when it calls MarshalLog. Strings and errors are handled by zap. For the sake of simplicity no attempt is made to detect the reason for the panic. As zapr cannot replace the key, it uses the same replacement value as funcr because that stands out a bit more compared to the value used by zap.
pohly
added a commit
to pohly/klog
that referenced
this pull request
Feb 15, 2022
The previous fix only covered fmt.Stringer.String in klog, but not klogr. error.Error and logr.Marshaler.MarshalLog have the same problem. The replacement string now captures the error, which makes it consistent with go-logr/logr#130.
pohly
added a commit
to pohly/zapr
that referenced
this pull request
Feb 16, 2022
The function might panic. The conclusion in go-logr/logr#130 was that the logger should record that. zapr only needs to do that when it calls MarshalLog. Strings and errors are handled by zap. For the sake of simplicity no attempt is made to detect the reason for the panic. In case of a panic, the key is replaced by "<key>Error" and the value with "PANIC=<panic reason>". This is consistent with how zap handles panics.
thockin
pushed a commit
to go-logr/zapr
that referenced
this pull request
Feb 16, 2022
The function might panic. The conclusion in go-logr/logr#130 was that the logger should record that. zapr only needs to do that when it calls MarshalLog. Strings and errors are handled by zap. For the sake of simplicity no attempt is made to detect the reason for the panic. In case of a panic, the key is replaced by "<key>Error" and the value with "PANIC=<panic reason>". This is consistent with how zap handles panics.
pohly
added a commit
to pohly/klog
that referenced
this pull request
Feb 17, 2022
The previous fix only covered fmt.Stringer.String in klog, but not klogr. error.Error and logr.Marshaler.MarshalLog have the same problem. The replacement string now captures the error, which makes it consistent with go-logr/logr#130. Two different corner cases may be handled differently: - panic for a nil object - panic for a valid object Only zapr v1.2.3 handles the panic in MarshalLog.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Produce a useful error rather than panic.
Fixes #125