jsonbuilder: attempt to handle memory allocation errors - v2

[jasonish]

Previous PR: #8847
Ticket: https://redmine.openinfosecfoundation.org/issues/6057

Attempt to handle all "normal" memory allocation errors in JsonBuilder where
the Rust APIs allow us. This primarily means growing the underlying String
buffer as data is added.

As the JsonBuilder already used a Result for most methods, most users of
JsonBuilder already handle errors.

Changes from last PR:

• I think this is complete now.

Things to investigate:

• Box::new failing. This might not be catchable. Box::try_new is an
  experimental API that will allow us to handle this better.

[codecov]

Codecov Report

Merging #8855 (4a8f3e4) into master (9a4231d) will increase coverage by 0.01%.
The diff coverage is 87.30%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8855      +/-   ##
==========================================
+ Coverage   82.25%   82.26%   +0.01%     
==========================================
  Files         969      969              
  Lines      273176   273207      +31     
==========================================
+ Hits       224689   224752      +63     
+ Misses      48487    48455      -32     

Flag	Coverage Δ
fuzzcorpus	64.52% <79.08%> (+0.05%)	⬆️
suricata-verify	60.34% <82.35%> (-0.01%)	⬇️
unittests	62.98% <63.95%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

[suricata-qa]

WARNING:

field	baseline	test	%
	SURI_TLPW1_stats_chk
.tcp.rst	113274	144976	127.99%

Pipeline 13706

[catenacyber]

Have you tried running jsonbuilder unit tests with an allocation failure framework ? (ie a LD_PRELOAD overload malloc to fail, running the tests X times, X being the number of allocations, and making each allocation fail)

[jasonish]

Have you tried running jsonbuilder unit tests with an allocation failure framework ? (ie a LD_PRELOAD overload malloc to fail, running the tests X times, X being the number of allocations, and making each allocation fail)

No. Any existing examples of this?

[catenacyber]

Like https://github.com/tavianator/oomify but there may be others (and it is quite easy to recode)

[catenacyber]

Jason, I had created this https://redmine.openinfosecfoundation.org/issues/5851 for your info

[jasonish]

Like https://github.com/tavianator/oomify but there may be others (and it is quite easy to recode)

Will look. I did test in a low memory Docker container, unfortunately the Linux OOM kicks in before Rust is able to detect an allocation error.

So while this may test if the code works OK, I wonder if it would actually ever error out in production on Linux, or just get killed by the kernel anyways.

[jasonish]

Like https://github.com/tavianator/oomify but there may be others (and it is quite easy to recode)

Quick test with oomify does show the reserve calls failing in a catchable way..

[jason@t470 …/suricata/jsonbuilder-alloc/rust]  jsonbuilder-alloc/v3 ❯ oomify -n20 ./target/debug/test-jsonbuilder
size: 1
size: 2
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Memory', src/bin/test-jsonbuilder.rs:10:48
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
oomify: alloc 20: ./target/debug/test-jsonbuilder exited with status 101

The panic there is just a result on my unwrap, so that shows that if Rust isn't killed by the kernel, the error is rippled back to the application.

[catenacyber]

Where can I see test-jsonbuilder.rs source ?

[jasonish]

Where can I see test-jsonbuilder.rs source ?

Its just in my working directory, not something suitable to check in, so no PR...

use suricata::jsonbuilder::JsonBuilder;

fn main() {
    let mut size = 1;

    for i in 1..8 {
        println!("size: {}", size);
        let mut jb = JsonBuilder::try_new_object().unwrap();
        let mut buf = vec![0x61; size];
        jb.set_string_from_bytes("test", &buf).unwrap();
        size = size * 2;
    }
}

[catenacyber]

Is it to do in this PR ?

[jasonish]

In a way, that one todo had to be removed, and another way came to mind at the same time.

[catenacyber]

base64 is rather ((val.len()+2)/3)*4 no ?

[catenacyber]

like one byte gets encoded as 4 bytes

[jasonish]

Ah yeah, mines too small. base64 has a function for this, will just use that.

[catenacyber]

Do not you need to check also vec![State::None, State::ObjectFirst] ?

[catenacyber]

And make push_state fallible

[catenacyber]

self.buf.push_str(&val.to_string()); in append_uint seems to be missing as well

[catenacyber]

Some nits to address ;-)

I wonder if some cases should do a big reserve before multiple push_str like open_array doing

        self.push('"')?;
        self.push_str(key)?;
        self.push_str("\":[")?;

[jasonish]

Some nits to address ;-)

I wonder if some cases should do a big reserve before multiple push_str like open_array doing

        self.push('"')?;
        self.push_str(key)?;
        self.push_str("\":[")?;

Maybe. But as the reserve behind these does 4k size, the first that needs it will allocate enough. My first iteration did try to estimate the size and reserve at once, but it did seem a little error prone. But not harm to estimate it, reserve once so the reserve shouldn't be triggered again during the call into jsonbuilder. Not sure if it'll have a noticeable affect other than fail a little earlier if it was going to fail.

[jasonish]

Commented addressed (well most of them) here: #8901