Prefer safe logging preconditions in more places #6223
@@ -305,7 +306,7 @@ private void touchMetadataWhileStoringForConflicts() { | |||
line("StreamMetadata metadata =" | |||
+ " metaTable.getMetadatas(ImmutableSet.of(row)).values().iterator().next();"); | |||
line("Preconditions.checkState(metadata.getStatus() == Status.STORING, \"This stream is being" | |||
+ " cleaned up while storing blocks: %s\", id);"); | |||
+ " cleaned up while storing blocks\", SafeArg.of(\"id\", id));"); |
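Review bot: the generated precondition now passes a `SafeArg` instead of a `%s` format argument, but that only does what is intended if the generated class also switches from Guava's `Preconditions` to `com.palantir.logsafe.Preconditions` and imports `SafeArg`; neither import change is visible in this hunk. If the Guava import were left in place the call would still compile (Guava's varargs overload accepts any `Object`) and the `SafeArg` would simply be appended to the message text, defeating the purpose. Worth confirming against the generator's import list and one regenerated stream store.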
Generally these IDs are just opaque identifiers, so I'd lean toward safe, but question for reviewers -- should we consider these safe or unsafe?
Yeah, this is a timestamp (so it should be safe!)
line(" SafeArg.of(\"streamId\", e.getKey().getId()),"); | ||
line(" SafeArg.of(\"status\", metadata.getStatus()));"); |
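Review bot: the safe classification of `streamId` rests on stream IDs being timestamps, as the thread concludes; since this is generator output, a one-line comment in the generator next to these `SafeArg.of` lines recording that rationale would keep the decision auditable if the ID format ever changes. `status` is an enum constant and is correctly marked safe.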
similar question as above around safe/unsafe for streamId, which should be an opaque identifier, and status is an enum so should be safe
streamId is a timestamp, so safe.
"Contradictory values found, expected a single common value", UnsafeArg.of("values", values)); | ||
} else { | ||
throw new SafeIllegalArgumentException("All Optionals provided were empty, couldn't determine a value."); | ||
} |
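Review bot: `UnsafeArg.of("values", values)` is the right default here, since neither the element type nor the origin of `values` is known at this call site, and the inlined form means the `Arg` is only allocated on the failure path, which is the stated benefit. One thing to check: if `values` can be a large collection, attaching the whole collection to the exception may be noisy; a `SafeArg.of("valueCount", values.size())` alongside it would give a safe, always-loggable signal without the payload.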
inlined a bit here to avoid arg allocations in happy paths
} else { | ||
throw new SafeIllegalStateException( | ||
"current > last", SafeArg.of("current", current), SafeArg.of("last", last)); | ||
} |
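Review bot: the message `current > last` states the failed condition but not what the two quantities are; since logsafe keeps `current` and `last` as structured args, the message text is free to be descriptive (which counter or timestamp this refers to), which makes the resulting log line self-explanatory at triage time. Also worth confirming both values are plain numeric or timestamp quantities before keeping them as `SafeArg`.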
similar inlining to avoid arg allocations on happy paths
@@ -0,0 +1 @@ | |||
**/generated/** linguist-generated |
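Review bot: `**/generated/**` matches any directory named `generated` at any depth, so it will also collapse hand-written files if any live under such a path; confirm only generator output matches. Since this PR's own changes to the generated stream-store preconditions are in exactly those files, the attribute hides the most safety-relevant part of the diff from reviewers by default, so it may be worth a line in the PR description asking reviewers to expand them.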
Mark generated files as linguist-generated to hide GitHub PR diff display by default for generated schema file changes.
See GitHub Docs:
https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github
https://github.com/github/linguist/blob/master/docs/overrides.md#generated-code
This all looks good - maybe for some of the table stuff we can use LoggingArgs because in some cases we know the table names are safe.
table.getQualifiedName()); | ||
"kvs contains tables, but not table", | ||
UnsafeArg.of("tables", services.getKeyValueService().getAllTableNames()), | ||
UnsafeArg.of("table", table.getQualifiedName())); |
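Review bot: `getAllTableNames()` lists every table in the KVS, so the `tables` arg can be large and is evaluated on the failure path; and with the values moved out of the message, `kvs contains tables, but not table` no longer reads as a sentence, so something like `KVS does not contain the expected table` would stand on its own in a log line. The `LoggingArgs.tableRef` suggestion in the review comment would additionally let the table name be marked safe where it is known to be an internal table.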
Probably worth using LoggingArgs for table-related things: there may be some metadata we can use about which tables are safe or unsafe (e.g. all atlas defined internal tables are safe). In particular LoggingArgs.tableRef(...) or SafeArg.of(name, LoggingArgs.safeTablesOrPlaceholder(...) might be useful
"truststore file not found at %s", | ||
getTruststorePath().get()); | ||
"truststore file not found", | ||
UnsafeArg.of("truststorePath", getTruststorePath().get())); |
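Review bot: keeping `truststorePath` as `UnsafeArg` is the conservative call: even when the value comes from config, filesystem paths can embed usernames, hostnames or deployment-specific layout. Note that `getTruststorePath().get()` is evaluated only when the precondition fails, so the checked condition must be what establishes that the Optional is present; otherwise the failure path would throw `NoSuchElementException` instead of the intended message.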
On one hand this should normally come from config and so should normally be safe. There isn't necessarily a guarantee in the code that it does, though, and so I think this is probably a safer decision.
b63e31d to 2810c38
General
Before this PR:
Nit comment on #6213 (comment)
After this PR:
==COMMIT_MSG==
Prefer safe logging preconditions in more places
==COMMIT_MSG==
Priority: P2
Concerns / possible downsides (what feedback would you like?):
This only addresses some atlasdb modules' migration of Preconditions from Guava to logsafe, many more (~53) remain.
Is documentation needed?:
Compatibility
Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?:
Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?:
The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.):
Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?:
Does this PR need a schema migration?
Testing and Correctness
What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?:
What was existing testing like? What have you done to improve it?:
If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.:
If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?:
Execution
How would I tell this PR works in production? (Metrics, logs, etc.):
Has the safety of all log arguments been decided correctly?:
Will this change significantly affect our spending on metrics or logs?:
How would I tell that this PR does not work in production? (monitors, etc.):
If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?:
If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC):
Scale
Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.:
Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?:
Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?:
Development Process
Where should we start reviewing?:
If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?:
Please tag any other people who should be aware of this PR:
@jeremyk-91
@sverma30
@raiju
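As an added example (not code from this PR or from AtlasDB), the Guava-to-logsafe precondition migration the PR description summarizes, written out on a hypothetical stream-store check so the difference in what reaches the log is visible. It assumes Guava and the logsafe `safe-logging` and `preconditions` artifacts are on the classpath; the `Status` enum, the truststore `Optional`, and the `renderForSafeLog` helper are constructed for illustration and do not exist in the project.

```java
import com.palantir.logsafe.Arg;
import com.palantir.logsafe.Preconditions;
import com.palantir.logsafe.SafeArg;
import com.palantir.logsafe.SafeLoggable;
import com.palantir.logsafe.UnsafeArg;
import com.palantir.logsafe.exceptions.SafeIllegalStateException;
import java.util.Optional;

/** Added example: Guava-style vs logsafe-style preconditions on a hypothetical stream store. */
public final class SafePreconditionsExample {
    // Constructed for the example; stands in for the generated stream store's status enum.
    enum Status { STORING, STORED }

    // "Before": Guava interpolates the id into the message text, so the value
    // ends up in the unstructured message string whatever it is.
    static void checkStoringGuava(Status status, long id) {
        com.google.common.base.Preconditions.checkState(
                status == Status.STORING, "This stream is being cleaned up while storing blocks: %s", id);
    }

    // "After": logsafe keeps the message constant and attaches the id as a
    // structured argument whose safety classification travels with it.
    // Stream ids are timestamps (per the review thread), hence SafeArg.
    static void checkStoringLogsafe(Status status, long id) {
        Preconditions.checkState(
                status == Status.STORING,
                "This stream is being cleaned up while storing blocks",
                SafeArg.of("id", id));
    }

    // Rule of thumb from the thread: opaque ids, timestamps and enums are safe;
    // free-form strings such as filesystem paths are unsafe until proven otherwise.
    // (Uses orElse instead of the PR's get() so the failure path cannot itself throw.)
    static void checkTruststorePresent(boolean exists, Optional<String> truststorePath) {
        Preconditions.checkState(exists, "truststore file not found",
                UnsafeArg.of("truststorePath", truststorePath.orElse("<absent>")));
    }

    // Inlined form used in the PR: Arg objects are only allocated on the failure path.
    static long requireMonotonic(long current, long last) {
        if (current > last) {
            throw new SafeIllegalStateException("current > last",
                    SafeArg.of("current", current), SafeArg.of("last", last));
        }
        return current;
    }

    // Hypothetical renderer mimicking a safe-log sink: safe args are emitted as-is,
    // unsafe args are replaced by a placeholder so the value never reaches the safe log.
    static String renderForSafeLog(SafeLoggable e) {
        StringBuilder sb = new StringBuilder(e.getLogMessage());
        for (Arg<?> arg : e.getArgs()) {
            sb.append(' ').append(arg.getName()).append('=')
              .append(arg.isSafeForLogging() ? String.valueOf(arg.getValue()) : "<redacted>");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        try {
            checkStoringGuava(Status.STORED, 1700000000L);
        } catch (IllegalStateException e) {
            System.out.println("guava:   " + e.getMessage());      // id is baked into the text
        }
        try {
            checkStoringLogsafe(Status.STORED, 1700000000L);
        } catch (SafeIllegalStateException e) {
            System.out.println("logsafe: " + renderForSafeLog(e)); // id emitted as a safe arg
        }
        try {
            checkTruststorePresent(false, Optional.of("/home/alice/certs/truststore.jks"));
        } catch (SafeIllegalStateException e) {
            System.out.println("logsafe: " + renderForSafeLog(e)); // path redacted
        }
        try {
            requireMonotonic(5, 3);
        } catch (SafeIllegalStateException e) {
            System.out.println("logsafe: " + renderForSafeLog(e));
        }
    }
}
```

The point the renderer makes is the one behind the PR: once a value is classified at the precondition site, every downstream sink can honor that classification, whereas a `%s`-interpolated value is indistinguishable from the message text and has to be treated as unsafe wholesale.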