GODRIVER-3302 Handle malformatted message length properly.

[qingyang-hu]

GODRIVER-3302

Summary

• Add a sanity check for the message size
• Update the background read logic

Background & Motivation

connection.read has two places that can raise timeout errors, one is in reading the message header, and the other is in reading the remaining body of the message.
The customer has observed an "incomplete read of full message" before the panic. In this scenario, we should not call connection.read directly in the bgRead to start over the reading because the message header with the message size has already been read. Instead, we ought to head towards the message body with the given size.
On the other hand, we need to start over in the bgRead if the header is not read at all, but cease processing if the header is only partially read to reduce the complexity.

[mongodb-drivers-pr-bot]

API Change Report

No changes found!

[prestonvasquez]

ioutil is deprecated, should use io.Discard

Suggested change

	_, err = io.CopyN(ioutil.Discard, conn.nc, int64(size))
	_, err = io.CopyN(io.Discard, conn.nc, int64(size))

[prestonvasquez]

Suggest renaming l to remainingBytes.

[prestonvasquez]

Suggest renaming awaitingResponse to awaitRemainingBytes.

[prestonvasquez]

Suggest making this logic a function that can be used here and in the connection read method:

func readWMSize(r io.Reader) (int32, error) {
	const wireMessageSizePrefix = 4

	var wmSizeBytes [wireMessageSizePrefix]byte
	if _, err := io.ReadFull(r, wmSizeBytes[:]); err != nil {
		return 0, fmt.Errorf("error reading the message size: %w", err)
	}

	size := (int32(wmSizeBytes[0])) |
		(int32(wmSizeBytes[1]) << 8) |
		(int32(wmSizeBytes[2]) << 16) |
		(int32(wmSizeBytes[3]) << 24)

	if size < 4 {
		return 0, fmt.Errorf("malformed message length: %d", size)
	}

	return size, nil
}

[qingyang-hu]

Moved DriverConnectionID down with other public methods.

[qingyang-hu]

Moved transformNetworkError closer to the caller.

[qingyang-hu]

Merged in (initConnection).SupportsStreaming().

[qingyang-hu]

Moved closer to the caller.

[qingyang-hu]

Moved closer with other *connection methods.

[prestonvasquez]

LGTM, great tests!

[blink1073]

drivers-pr-bot please backport to master

[matthewdale]

Optional: Consider a more descriptive name, like isCSOTTimeout.

[matthewdale]

Optional: Use the binary package instead.

Suggested change

	size := (int32(wmSizeBytes[0])) |
	(int32(wmSizeBytes[1]) << 8) |
	(int32(wmSizeBytes[2]) << 16) |
	(int32(wmSizeBytes[3]) << 24)
	size := int32(binary.LittleEndian.Uint32(wmSizeBytes[:]))

[matthewdale]

Ideally we should use TCP sockets to more accurately test the real-world use case of the connection pool. Is it possible to use TCP instead of Unix sockets?

Consider using the bootstrapConnections helper used elsewhere in pool_test.go, which also uses a connection teardown pattern that doesn't require using sleeps at the end of the connection handler.

[matthewdale]

Sharing this logic between all the subtests will make it easy to introduce unintentional interaction between subtests. We should set the callback for each subtest using test-specific channels. We should also set BGReadCallback back to nil at the end of each subtest to prevent interaction between tests.

E.g.

t.Run("subtest", func(t *testing.T) {
	var errCh chan error
	BGReadCallback = func(...) {
		// ...
	}
	t.Cleanup(func() {
		BGReadCallback = nil
	})
	// Make test assertions.
})

[matthewdale]

Optional: This error message is a bit confusing. Consider a clearer error message.

Suggested change

	err = fmt.Errorf("error reading message of %d: %w", size, err)
	err = fmt.Errorf("error discarding %d byte message: %w", size, err)

[matthewdale]

Optional: Consider moving the bgRead subtests to a separate test function to allow de-indenting them one level.

[matthewdale]

I recommend refactoring the subtests in TestBackgroundRead to simplify the assertions and speed up the tests. Here is the general recommended pattern:

cleanup := make(chan struct{})
defer close(cleanup)
addr := bootstrapConnections(t, 1, func(nc net.Conn) {
	defer func() {
		<-cleanup
		_ = nc.Close()
	}()

	// Write to the connection here.
})

// Test logic here.

var bgErr error
select {
case bgErr = <-errCh:
case <-time.After(100 * time.Millisecond):
	t.Fatal("did not receive expected error after waiting for 100ms")
}
assert.EqualError(t, bgErr, "<expected error string>")

p.close(context.Background())

[matthewdale]

This empty func can be removed.

Suggested change

	go func(t *testing.T) {
	}(t)

[matthewdale]

Since this func is only part of this one test, we shouldn't use t.Helper() here because it will obscure the actual error location. That applies for all other anonymous funcs passed to bootstrapConnections in this test.

[matthewdale]

Since we're using all in-process connections, we should be able to reduce the sleeps and timeouts, which will speed up these tests significantly. I recommend a 50ms sleep here and 10ms timeout in csot.MakeTimeoutContext, which is similar to the timeout values in other pool tests.

The same recommendation applies to all subtests in TestBackgroundRead.

[matthewdale]

We can replace the sleep at the end of the connection handler with a "cleanup" signal, which will speed up the tests significantly.

E.g.

cleanup := make(chan struct{})
defer close(cleanup)
addr := bootstrapConnections(t, 1, func(nc net.Conn) {
	defer func() {
		<-cleanup
		_ = nc.Close()
	}()
	var err error
	_, err = nc.Write([]byte{12, 0, 0, 0, 0, 0, 0, 0, 1})
	// ...
})

The same recommendation applies to all subtests in TestBackgroundRead.

[matthewdale]

If we use a "cleanup" channel as previously recommended, this WaitGroup will be unnecessary and can be removed.

[matthewdale]

If we apply the previous recommended changes, we can simplify the assertion logic here.

var bgErr error
select {
case bgErr = <-errCh:
case <-time.After(100 * time.Millisecond):
	t.Fatal("did not receive expected error after waiting for 100ms")
}
assert.EqualError(t, bgErr, "error discarding 3 byte message: EOF")

p.close(context.Background())

[matthewdale]

Optional: Consider printing the regex in the error message to make troubleshooting these failures easier.

This recommendation applies to all similar assertions in the TestBackgroundRead subtests.

Suggested change

	assert.True(t, regex.MatchString(err.Error()), "mismatched err: %v", err)
	assert.True(t, regex.MatchString(err.Error()), "error %q does not match pattern %q", err, regex)

[matthewdale]

What is the point of using newLimitConn here? Is the test trying to create timeout conditions or connection closed conditions?

[qingyang-hu]

You are correct. We no longer need it.

[matthewdale]

This assertion loop will pass if len(bgErrs) == 0, even if wantErrs contains expected error messages. We should fix and simplify the assertion logic.

E.g.

require.Len(t, bgErrs, "expected 1 error")
assert.EqualError(t, bgErrs[0], "error discarding 3 byte message: EOF")

[matthewdale]

This assertion loop will pass if len(bgErrs) == 0, even if wantErrs contains expected error messages. We should fix and simplify the assertion logic.

E.g.

require.Len(t, bgErrs, "expected 1 error")
wantErrPattern := regexp.MustCompile(`^error discarding 6 byte message: read tcp 127.0.0.1:.*->127.0.0.1:.*: i\/o timeout$`)
gotErr := bgErrs[0]
assert.True(t, wantErrPattern.MatchString(gotErr), "error %q does not match pattern %q", gotErr, wantErrPattern)

[matthewdale]

Optional: Since there's no special dialing logic added here, we can pass addr in the poolConfig instead of overriding the dialer.

Suggested change

	p := newPool(
	poolConfig{},
	WithDialer(func(Dialer) Dialer {
	return DialerFunc(func(context.Context, string, string) (net.Conn, error) {
	return net.Dial("tcp", addr.String())
	})
	}),
	)
	p := newPool(poolConfig{
	Address: address.Address(addr.String()),
	})

[matthewdale]

Optional: Since there's no special dialing logic added here, we can pass addr in the poolConfig instead of overriding the dialer.

Suggested change

	p := newPool(
	poolConfig{},
	WithDialer(func(Dialer) Dialer {
	return DialerFunc(func(context.Context, string, string) (net.Conn, error) {
	return net.Dial("tcp", addr.String())
	})
	}),
	)
	p := newPool(poolConfig{
	Address: address.Address(addr.String()),
	})

[matthewdale]

This test seems to cover the scenario where the operation times out while waiting for the header, then bgRead times out waiting for the full message (because not enough bytes are written). We should also test the scenario where the operation times out while waiting for the header, but then bgRead succeeds.

E.g.

t.Run("timeout reading message header, successful background read", func(t *testing.T) {
	// ...
	addr := bootstrapConnections(t, 1, func(nc net.Conn) {
		defer func() {
			<-cleanup
			_ = nc.Close()
		}()

		// Wait until the operation times out, then write the full message
		// length.
		time.Sleep(timeout * 2)
		_, err := nc.Write([]byte{10, 0, 0, 0, 0, 0, 0, 0, 0, 0})
		noerr(t, err)
	})
	// ...
	assert.Len(t, bgErrs, 0, "expected no errors from bgRead")
})

To differentiate it from the existing test, I recommend updating the test description and adding a comment:

t.Run("timeout reading message header, incomplete background read", func(t *testing.T) {
	// ...
	addr := bootstrapConnections(t, 1, func(nc net.Conn) {
		defer func() {
			<-cleanup
			_ = nc.Close()
		}()

		// Wait until the operation times out, then write an incomplete
		// message.
		time.Sleep(timeout * 5)
		_, err := nc.Write([]byte{10, 0, 0, 0, 0, 0, 0, 0})
		noerr(t, err)
	})
	// ...
})

[qingyang-hu]

I will also add cases for "timeout reading message header, incomplete head during background read" and "timeout reading full message, successful background read".

[matthewdale]

Looks good! 👍

[mongodb-drivers-pr-bot]

Sorry, unable to cherry-pick to master, please backport manually. Here are approximate instructions:

1. Checkout backport branch and update it.

git checkout -b cherry-pick-master-be25b9a26aff54fe27210f86d00db5d573452643 master

git fetch origin be25b9a26aff54fe27210f86d00db5d573452643

2. Cherry pick the first parent branch of the this PR on top of the older branch:

git cherry-pick -x -m1 be25b9a26aff54fe27210f86d00db5d573452643

3. You will likely have some merge/cherry-pick conflicts here, fix them and commit:

git commit -am {message}

4. Push to a named branch:

git push origin cherry-pick-master-be25b9a26aff54fe27210f86d00db5d573452643

5. Create a PR against branch master. I would have named this PR:

"GODRIVER-3302 Handle malformatted message length properly. (#1758) [master]"