Thread: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
Hi all, As $subject says, pg_test_fsync and pg_test_timing don't really check the range of option values specified. It is possible for example to make pg_test_fsync run an infinite amount of time, and pg_test_timing does not handle overflows with --duration at all. These are far from being critical issues, but let's fix them at least on HEAD. So, please see the attached, where I have also added some basic TAP tests for both tools. Thanks, -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-08-06 08:27, Michael Paquier wrote: > As $subject says, pg_test_fsync and pg_test_timing don't really check > the range of option values specified. It is possible for example to > make pg_test_fsync run an infinite amount of time, and pg_test_timing > does not handle overflows with --duration at all. > > These are far from being critical issues, but let's fix them at least > on HEAD. So, please see the attached, where I have also added some > basic TAP tests for both tools. According to the POSIX standard, atoi() is not required to do any error checking, and if you want error checking, you should use strtol(). And if you do that, you might as well change the variables to unsigned and use strtoul(), and then drop the checks for <=0. I would allow 0. It's not very useful, but it's not harmful and could be applicable in testing. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Fri, Sep 04, 2020 at 11:24:39PM +0200, Peter Eisentraut wrote: > According to the POSIX standard, atoi() is not required to do any error > checking, and if you want error checking, you should use strtol(). > > And if you do that, you might as well change the variables to unsigned and > use strtoul(), and then drop the checks for <=0. Switching to unsigned makes sense, indeed. > I would allow 0. It's not > very useful, but it's not harmful and could be applicable in testing. Hmm, OK. For pg_test_fsync, 0 means infinity, and for pg_test_timing that means stopping immediately (we currently don't allow that). How does this apply to testing? For pg_test_fsync, using 0 would mean to just remain stuck in the first fsync() pattern, while for pg_test_fsync this means doing no test loops at all, generating a useless log once done. Or do you mean to change the logic of pg_test_fsync so as --secs-per-test=0 means doing one single write? That's something I thought about for this thread, but I am not sure that the extra regression test gain is worth more complexity in this code. -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-06 05:04, Michael Paquier wrote: >> I would allow 0. It's not >> very useful, but it's not harmful and could be applicable in testing. > > Hmm, OK. For pg_test_fsync, 0 means infinity, and for pg_test_timing > that means stopping immediately (we currently don't allow that). How > does this apply to testing? For pg_test_fsync, using 0 would mean to > just remain stuck in the first fsync() pattern, while for > pg_test_fsync this means doing no test loops at all, generating a > useless log once done. Or do you mean to change the logic of > pg_test_fsync so as --secs-per-test=0 means doing one single write? > That's something I thought about for this thread, but I am not sure > that the extra regression test gain is worth more complexity in this > code. I think in general doing something 0 times should be allowed if possible. However, I see that in the case of pg_test_fsync you end up in alarm(0), which does something different, so it's okay in that case to disallow it. I notice that the error checking you introduce is different from the checks for pgbench -t and -T (the latter having no errno checks). I'm not sure which is correct, but it's perhaps worth making them the same. (pgbench -t 0, which is also currently not allowed, is a good example of why this could be useful, because that would allow checking whether the script etc. can be loaded without running an actual test.) -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Mon, Sep 07, 2020 at 10:06:57AM +0200, Peter Eisentraut wrote: > However, I see that in the case of pg_test_fsync you end up in alarm(0), > which does something different, so it's okay in that case to disallow it. Yep. > I notice that the error checking you introduce is different from the checks > for pgbench -t and -T (the latter having no errno checks). I'm not sure > which is correct, but it's perhaps worth making them the same. pgbench currently uses atoi() to parse the options of -t and -T. Are you suggesting to switch that to strtoXX() as well or perhaps you are referring to the parsing of the weight in parseScriptWeight()? FWIW, the error handling introduced in this patch is similar to what we do for example in pg_resetwal. This has its own problems as strtoul() would not report ERANGE except for values higher than ULONG_MAX, but the returned results are stored in 32 bits. We could switch to just use uint64 where we could of course, but is that really worth it for such tools? For example, pg_test_timing could overflow the total_timing calculated if using a too high value, but nobody would use such values anyway. So I'd rather just use uint32 and call it a day, for simplicity's sake mainly.. > (pgbench -t 0, which is also currently not allowed, is a good example of why > this could be useful, because that would allow checking whether the script > etc. can be loaded without running an actual test.) Perhaps. That looks like a separate item to me though. -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-10 09:59, Michael Paquier wrote: >> I notice that the error checking you introduce is different from the checks >> for pgbench -t and -T (the latter having no errno checks). I'm not sure >> which is correct, but it's perhaps worth making them the same. > pgbench currently uses atoi() to parse the options of -t and -T. Are > you suggesting to switch that to strtoXX() as well or perhaps you are > referring to the parsing of the weight in parseScriptWeight()? FWIW, > the error handling introduced in this patch is similar to what we do > for example in pg_resetwal. This has its own problems as strtoul() > would not report ERANGE except for values higher than ULONG_MAX, but > the returned results are stored in 32 bits. We could switch to just > use uint64 where we could of course, but is that really worth it for > such tools? For example, pg_test_timing could overflow the > total_timing calculated if using a too high value, but nobody would > use such values anyway. So I'd rather just use uint32 and call it a > day, for simplicity's sake mainly.. The first patch you proposed checks for errno == ERANGE, but pgbench code doesn't do that. So one of them is not correct. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Thu, Sep 10, 2020 at 03:59:20PM +0200, Peter Eisentraut wrote: > The first patch you proposed checks for errno == ERANGE, but pgbench code > doesn't do that. So one of them is not correct. Sorry for the confusion, I misunderstood what you were referring to. Yes, the first patch is wrong to add the check on errno. FWIW, I thought about your point to use strtol() but that does not seem worth the complication for those tools. It is not like anybody is going to use high values for these, and using uint64 to make sure that the boundaries are checked just add more checks for bounds. There is one example in pg_test_timing when compiling the total time. -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-11 09:08, Michael Paquier wrote: > On Thu, Sep 10, 2020 at 03:59:20PM +0200, Peter Eisentraut wrote: >> The first patch you proposed checks for errno == ERANGE, but pgbench code >> doesn't do that. So one of them is not correct. > > Sorry for the confusion, I misunderstood what you were referring to. > Yes, the first patch is wrong to add the check on errno. FWIW, I > thought about your point to use strtol() but that does not seem worth > the complication for those tools. It is not like anybody is going to > use high values for these, and using uint64 to make sure that the > boundaries are checked just add more checks for bounds. There is > one example in pg_test_timing when compiling the total time. I didn't mean use strtol() to be able to process larger values, but for the error checking. atoi() cannot detect any errors other than ERANGE. So if you are spending effort on making the option value parsing more robust, relying on atoi() will result in an incomplete solution. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Tue, Sep 15, 2020 at 02:39:08PM +0200, Peter Eisentraut wrote: > I didn't mean use strtol() to be able to process larger values, but for the > error checking. atoi() cannot detect any errors other than ERANGE. So if > you are spending effort on making the option value parsing more robust, > relying on atoi() will result in an incomplete solution. Okay, after looking at that, here is v3. This includes range checks as well as errno checks based on strtol(). What do you think? -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Fri, Sep 18, 2020 at 05:22:15PM +0900, Michael Paquier wrote: > Okay, after looking at that, here is v3. This includes range checks > as well as errno checks based on strtol(). What do you think? This fails in the CF bot on Linux because of pg_logging_init() returning with errno=ENOTTY in the TAP tests, for which I began a new thread: https://www.postgresql.org/message-id/20200918095713.GA20887@paquier.xyz Not sure if this will lead anywhere, but we can also address the failure by enforcing errno=0 for the new calls of strtol() introduced in this patch. So here is an updated patch doing so. -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-20 05:41, Michael Paquier wrote: > On Fri, Sep 18, 2020 at 05:22:15PM +0900, Michael Paquier wrote: >> Okay, after looking at that, here is v3. This includes range checks >> as well as errno checks based on strtol(). What do you think? > > This fails in the CF bot on Linux because of pg_logging_init() > returning with errno=ENOTTY in the TAP tests, for which I began a new > thread: > https://www.postgresql.org/message-id/20200918095713.GA20887@paquier.xyz > > Not sure if this will lead anywhere, but we can also address the > failure by enforcing errno=0 for the new calls of strtol() introduced > in this patch. So here is an updated patch doing so. I think the error checking is now structurally correct in this patch. However, I still think the integer type use is a bit inconsistent. In both cases, using strtoul() and dealing with unsigned integer types between parsing and final use would be more consistent. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Tue, Sep 22, 2020 at 11:45:14PM +0200, Peter Eisentraut wrote: > However, I still think the integer type use is a bit inconsistent. In both > cases, using strtoul() and dealing with unsigned integer types between > parsing and final use would be more consistent. No objections to that either, so changed this way. I kept those variables signed because applying values of 2B~4B is not really going to matter much here ;p -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-23 03:50, Michael Paquier wrote: > On Tue, Sep 22, 2020 at 11:45:14PM +0200, Peter Eisentraut wrote: >> However, I still think the integer type use is a bit inconsistent. In both >> cases, using strtoul() and dealing with unsigned integer types between >> parsing and final use would be more consistent. > > No objections to that either, so changed this way. I kept those > variables signed because applying values of 2B~4B is not really going > to matter much here ;p This patch mixes up unsigned int and uint32 in random ways. The variable is uint32, but the format is %u and the max constant is UINT_MAX. I think just use unsigned int as the variable type. There is no need to use the bit-exact types. Note that the argument of alarm() is of type unsigned int. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Wed, Sep 23, 2020 at 08:11:59AM +0200, Peter Eisentraut wrote: > This patch mixes up unsigned int and uint32 in random ways. The variable is > uint32, but the format is %u and the max constant is UINT_MAX. > > I think just use unsigned int as the variable type. There is no need to use > the bit-exact types. Note that the argument of alarm() is of type unsigned > int. Makes sense, thanks. -- Michael
Attachment
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Peter Eisentraut
Date:
On 2020-09-24 09:12, Michael Paquier wrote: > On Wed, Sep 23, 2020 at 08:11:59AM +0200, Peter Eisentraut wrote: >> This patch mixes up unsigned int and uint32 in random ways. The variable is >> uint32, but the format is %u and the max constant is UINT_MAX. >> >> I think just use unsigned int as the variable type. There is no need to use >> the bit-exact types. Note that the argument of alarm() is of type unsigned >> int. > > Makes sense, thanks. looks good to me -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: Range checks of pg_test_fsync --secs-per-test and pg_test_timing --duration
From
Michael Paquier
Date:
On Fri, Sep 25, 2020 at 07:52:10AM +0200, Peter Eisentraut wrote: > looks good to me Thanks, applied. -- Michael