*: use errors.AssertionFailedf for panic format strings across the codebase

Previously, panic messages containing runtime values were being redacted
when surfaced in CockroachDB logs, making it impossible to diagnose
issues from crash reports.

Replace all panic(fmt.Sprintf(...)) calls with
panic(errors.AssertionFailedf(...)) so the panic value is a proper
structured error with stack traces. errors.AssertionFailedf treats
arguments as unsafe by default, so user key data is still redacted in
CockroachDB logs.

Additionally, wrap safe diagnostic arguments (counts, sizes, indices,
reference counts, levels, etc.) with errors.Safe() so they appear in
redacted crash reports. Implement SafeFormatter on several types
(CompactionState, OpType, OpKind, interleavePos, bitmapEncoding,
compactionKind, objID) so their string representations are visible in
redacted output. User key data arguments are intentionally left
unwrapped to remain redacted.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Author: annrpom

batch.go

@@ -8,7 +8,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
-	"fmt"
 	"io"
 	"math"
 	"sort"
@@ -2080,7 +2079,7 @@ func newFlushableBatch(batch *Batch, comparer *Comparer) (*flushableBatch, error
 
 func (b *flushableBatch) setSeqNum(seqNum base.SeqNum) {
 	if b.seqNum != 0 {
-		panic(fmt.Sprintf("pebble: flushableBatch.seqNum already set: %d", b.seqNum))
+		panic(errors.AssertionFailedf("pebble: flushableBatch.seqNum already set: %d", b.seqNum))
 	}
 	b.seqNum = seqNum
 	for i := range b.tombstones {

checkpoint_test.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/cockroachdb/crlib/testutils/leaktest"
 	"github.com/cockroachdb/datadriven"
+	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/pebble/internal/base"
 	"github.com/cockroachdb/pebble/internal/testutils"
 	"github.com/cockroachdb/pebble/objstorage/remote"
@@ -271,7 +272,7 @@ func TestCopyCheckpointOptions(t *testing.T) {
 			require.NoError(t, f.Close())
 			return string(newFile)
 		default:
-			panic(fmt.Sprintf("unrecognized command %q", td.Cmd))
+			panic(errors.AssertionFailedf("unrecognized command %q", td.Cmd))
 		}
 	})
 }

cmd/pebble/test.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/HdrHistogram/hdrhistogram-go"
+	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/pebble"
 )
 
@@ -141,7 +142,7 @@ func (w *namedHistogram) Record(elapsed time.Duration) {
 		// Note that a histogram only drops recorded values that are out of range,
 		// but we clamp the latency value to the configured range to prevent such
 		// drops. This code path should never happen.
-		panic(fmt.Sprintf(`%s: recording value: %s`, w.name, err))
+		panic(errors.AssertionFailedf(`%s: recording value: %s`, errors.Safe(w.name), err))
 	}
 }
 

cockroachkvs/cockroachkvs.go

@@ -476,7 +476,7 @@ func normalizeVersionForCompare(a []byte) []byte {
 func normalizeEngineSuffixForCompare(a []byte) []byte {
 	// Check sentinel byte.
 	if invariants.Enabled && len(a) != int(a[len(a)-1]) {
-		panic(errors.AssertionFailedf("malformed suffix: %x (length byte is %d; but suffix is %d bytes)", a, a[len(a)-1], len(a)))
+		panic(errors.AssertionFailedf("malformed suffix: %x (length byte is %d; but suffix is %d bytes)", errors.Safe(a), errors.Safe(a[len(a)-1]), errors.Safe(len(a))))
 	}
 	// Strip off sentinel byte.
 	a = a[:len(a)-1]
@@ -659,7 +659,7 @@ func (kw *cockroachKeyWriter) WriteKey(
 	versionLen := int(key[len(key)-1])
 	if (len(key)-versionLen) != int(keyPrefixLen) || key[keyPrefixLen-1] != 0x00 {
 		panic(errors.AssertionFailedf("invalid %d-byte key with %d-byte prefix (%q)",
-			len(key), keyPrefixLen, key))
+			errors.Safe(len(key)), errors.Safe(keyPrefixLen), key))
 	}
 	// TODO(jackson): Avoid copying the previous suffix.
 	kw.prevSuffix = append(kw.prevSuffix[:0], key[keyPrefixLen:]...)
@@ -754,7 +754,7 @@ func (kw *cockroachKeyWriter) Finish(
 	case cockroachColUntypedVersion:
 		return kw.untypedVersions.Finish(0, rows, offset, buf)
 	default:
-		panic(fmt.Sprintf("unknown default key column: %d", col))
+		panic(errors.AssertionFailedf("unknown default key column: %d", errors.Safe(col)))
 	}
 }
 
@@ -793,7 +793,7 @@ func (ks *cockroachKeySeeker) init(
 	header := bd.Header()
 	header = header[:len(header)-colblk.DataBlockCustomHeaderSize]
 	if len(header) != 1 {
-		panic(errors.AssertionFailedf("invalid key schema-specific header %x", header))
+		panic(errors.AssertionFailedf("invalid key schema-specific header %x", errors.Safe(header)))
 	}
 	ks.suffixTypes = suffixTypes(header[0])
 }
@@ -1003,7 +1003,7 @@ func (ks *cockroachKeySeeker) MaterializeUserKey(
 	ki *colblk.PrefixBytesIter, prevRow, row int,
 ) []byte {
 	if invariants.Enabled && (row < 0 || row >= ks.roachKeys.Rows()) {
-		panic(errors.AssertionFailedf("invalid row number %d", row))
+		panic(errors.AssertionFailedf("invalid row number %d", errors.Safe(row)))
 	}
 	if prevRow+1 == row && prevRow >= 0 {
 		ks.roachKeys.SetNext(ki)
@@ -1148,7 +1148,7 @@ func (fk formatKeySuffix) Format(f fmt.State, c rune) {
 			fmt.Fprintf(f, "%d.%09d,%d", wallTime/1e9, wallTime%1e9, logical)
 		}
 	default:
-		panic(errors.AssertionFailedf("invalid suffix length: %d", len(fk)))
+		panic(errors.AssertionFailedf("invalid suffix length: %d", errors.Safe(len(fk))))
 	}
 }
 

cockroachkvs/cockroachkvs_test.go

@@ -20,6 +20,7 @@ import (
 	"github.com/cockroachdb/crlib/testutils/leaktest"
 	"github.com/cockroachdb/crlib/testutils/require"
 	"github.com/cockroachdb/datadriven"
+	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/pebble"
 	"github.com/cockroachdb/pebble/internal/base"
 	"github.com/cockroachdb/pebble/internal/testutils"
@@ -148,7 +149,7 @@ func TestComparerFuncs(t *testing.T) {
 				}
 				return buf.String()
 			default:
-				panic(fmt.Sprintf("unknown command: %s", td.Cmd))
+				panic(errors.AssertionFailedf("unknown command: %s", td.Cmd))
 			}
 		})
 }
@@ -226,7 +227,7 @@ func TestKeySchema_KeyWriter(t *testing.T) {
 			tbl.Render()
 			return buf.String()
 		default:
-			panic(fmt.Sprintf("unrecognized command %q", td.Cmd))
+			panic(errors.AssertionFailedf("unrecognized command %q", td.Cmd))
 		}
 	})
 }
@@ -322,7 +323,7 @@ func TestKeySchema_KeySeeker(t *testing.T) {
 			}
 			return buf.String()
 		default:
-			panic(fmt.Sprintf("unrecognized command %q", td.Cmd))
+			panic(errors.AssertionFailedf("unrecognized command %q", td.Cmd))
 		}
 	})
 }
@@ -638,7 +639,7 @@ func parseUserKey(userKeyStr string) []byte {
 		var err error
 		roachKey, err = strconv.Unquote(roachKey)
 		if err != nil {
-			panic(fmt.Sprintf("invalid user key string %s: %v", userKeyStr, err))
+			panic(errors.AssertionFailedf("invalid user key string %s: %v", userKeyStr, err))
 		}
 	}
 	k := append(append([]byte(roachKey), 0), parseVersion(versionStr)...)
@@ -664,7 +665,7 @@ func parseVersion(versionStr string) []byte {
 		}
 		ret := AppendTimestamp([]byte{0x00}, wallTime, uint32(logicalTime))
 		if len(ret) != 14 && len(ret) != 10 {
-			panic(fmt.Sprintf("expected 10 or 14-length ret got %d", len(ret)))
+			panic(errors.AssertionFailedf("expected 10 or 14-length ret got %d", len(ret)))
 		}
 		validateEngineKey.MustValidate(ret)
 		// TODO(jackson): Refactor to allow us to generate a suffix without a
@@ -675,7 +676,7 @@ func parseVersion(versionStr string) []byte {
 	// Parse as a hex-encoded version.
 	var version []byte
 	if _, err := fmt.Sscanf(versionStr, "%X", &version); err != nil {
-		panic(fmt.Sprintf("invalid version string %q", versionStr))
+		panic(errors.AssertionFailedf("invalid version string %q", versionStr))
 	}
 	return append(version, byte(len(version)+1))
 }

compaction.go

@@ -188,6 +188,10 @@ func (k compactionKind) String() string {
 	return "?"
 }
 
+func (k compactionKind) SafeFormat(w redact.SafePrinter, _ rune) {
+	w.Print(redact.SafeString(k.String()))
+}
+
 // compactingOrFlushing returns "flushing" if the compaction kind is a flush,
 // otherwise it returns "compacting".
 func (k compactionKind) compactingOrFlushing() string {
@@ -1690,9 +1694,9 @@ func (d *DB) flush1() (bytesFlushed uint64, err error) {
 		for i := 0; i < n; i++ {
 			if logNum := d.mu.mem.queue[i].logNum; logNum >= minUnflushedLogNum {
 				panic(errors.AssertionFailedf("logNum invariant violated: flushing %d items; %d:type=%T,logNum=%d; %d:type=%T,logNum=%d",
-					n,
-					i, d.mu.mem.queue[i].flushable, logNum,
-					n, d.mu.mem.queue[n].flushable, minUnflushedLogNum))
+					errors.Safe(n),
+					errors.Safe(i), errors.Safe(d.mu.mem.queue[i].flushable), logNum,
+					errors.Safe(n), errors.Safe(d.mu.mem.queue[n].flushable), minUnflushedLogNum))
 			}
 		}
 	}
@@ -1837,7 +1841,7 @@ func (d *DB) flush1() (bytesFlushed uint64, err error) {
 	d.clearCompactingState(c, err != nil)
 	if c.UsesBurstConcurrency() {
 		if v := d.mu.compact.burstConcurrency.Add(-1); v < 0 {
-			panic(errors.AssertionFailedf("burst concurrency underflow: %d", v))
+			panic(errors.AssertionFailedf("burst concurrency underflow: %d", errors.Safe(v)))
 		}
 	}
 	delete(d.mu.compact.inProgress, c)
@@ -2101,7 +2105,7 @@ func (d *DB) runPickedCompaction(pc pickedCompaction, grantHandle CompactionGran
 			}
 		}
 		if doneChannel == nil {
-			panic(errors.AssertionFailedf("did not find manual compaction with id %d", pc.ManualID()))
+			panic(errors.AssertionFailedf("did not find manual compaction with id %d", errors.Safe(pc.ManualID())))
 		}
 	}
 
@@ -2267,7 +2271,7 @@ func (d *DB) compact(c compaction, errChannel chan error) {
 			}
 			if c.UsesBurstConcurrency() {
 				if v := d.mu.compact.burstConcurrency.Add(-1); v < 0 {
-					panic(errors.AssertionFailedf("burst concurrency underflow: %d", v))
+					panic(errors.AssertionFailedf("burst concurrency underflow: %d", errors.Safe(v)))
 				}
 			}
 			delete(d.mu.compact.inProgress, c)

compaction_picker.go

@@ -281,8 +281,8 @@ func newPickedTableCompaction(
 		panic("base level cannot be 0")
 	}
 	if startLevel > 0 && startLevel < baseLevel {
-		panic(fmt.Sprintf("invalid compaction: start level %d should not be empty (base level %d)",
-			startLevel, baseLevel))
+		panic(errors.AssertionFailedf("invalid compaction: start level %d should not be empty (base level %d)",
+			errors.Safe(startLevel), errors.Safe(baseLevel)))
 	}
 
 	pc := &pickedTableCompaction{
@@ -514,7 +514,7 @@ func (pc *pickedTableCompaction) maybeGrow(
 func (pc *pickedTableCompaction) maybeGrowL0ForBase(cmp base.Compare, maxExpandedBytes uint64) {
 	if invariants.Enabled {
 		if pc.startLevel.level != 0 {
-			panic(fmt.Sprintf("pc.startLevel.level is %d, expected 0", pc.startLevel.level))
+			panic(errors.AssertionFailedf("pc.startLevel.level is %d, expected 0", errors.Safe(pc.startLevel.level)))
 		}
 	}
 
@@ -1664,7 +1664,7 @@ func (p *compactionPickerByScore) pickedCompactionFromCandidateFile(
 			}
 		}
 		if !found {
-			panic(fmt.Sprintf("file %s not found in level %d as expected", candidate.TableNum, startLevel))
+			panic(errors.AssertionFailedf("file %s not found in level %d as expected", candidate.TableNum, errors.Safe(startLevel)))
 		}
 	}
 

compaction_picker_test.go

@@ -1638,7 +1638,7 @@ func TestCompactionPickerScores(t *testing.T) {
 					}
 				}()
 			default:
-				panic(fmt.Sprintf("unrecognized `wait-for-compaction` value: %q", waitFor))
+				panic(errors.AssertionFailedf("unrecognized `wait-for-compaction` value: %q", waitFor))
 			}
 
 			buf.Reset()

data_test.go

@@ -371,7 +371,7 @@ func printIterState(
 			if iter.Valid() {
 				hasPoint, hasRange := iter.HasPointAndRange()
 				if hasPoint || !hasRange {
-					panic(fmt.Sprintf("pebble: unexpected HasPointAndRange (%t, %t)", hasPoint, hasRange))
+					panic(errors.AssertionFailedf("pebble: unexpected HasPointAndRange (%t, %t)", hasPoint, hasRange))
 				}
 				start, end := iter.RangeBounds()
 				fmt.Fprintf(b, "%s [%s-%s)", iter.Key(), formatASCIIKey(start), formatASCIIKey(end))

db.go

@@ -7,7 +7,6 @@ package pebble // import "github.com/cockroachdb/pebble"
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"reflect"
 	"slices"
@@ -796,7 +795,7 @@ func (d *DB) applyInternal(batch *Batch, opts *WriteOptions, noSyncWait bool) er
 		return ErrReadOnly
 	}
 	if batch.db != nil && batch.db != d {
-		panic(fmt.Sprintf("pebble: batch db mismatch: %p != %p", batch.db, d))
+		panic(errors.AssertionFailedf("pebble: batch db mismatch: %p != %p", errors.Safe(batch.db), errors.Safe(d)))
 	}
 
 	sync := opts.GetSync()
@@ -805,7 +804,7 @@ func (d *DB) applyInternal(batch *Batch, opts *WriteOptions, noSyncWait bool) er
 	}
 
 	if fmv := d.FormatMajorVersion(); fmv < batch.minimumFormatMajorVersion {
-		panic(fmt.Sprintf(
+		panic(errors.AssertionFailedf(
 			"pebble: batch requires at least format major version %d (current: %d)",
 			batch.minimumFormatMajorVersion, fmv,
 		))
@@ -995,7 +994,7 @@ func assertZeroed(v reflect.Value) error {
 		return assertZeroed(v.Elem())
 	case reflect.Slice:
 		if v.Len() > 0 {
-			return errors.AssertionFailedf("%s is not zeroed (%d len): %#v", typ.Name(), v.Len(), v)
+			return errors.AssertionFailedf("%s is not zeroed (%d len): %#v", errors.Safe(typ.Name()), errors.Safe(v.Len()), v)
 		}
 		resliced := v.Slice(0, v.Cap())
 		for i := 0; i < resliced.Len(); i++ {
@@ -1015,7 +1014,7 @@ func assertZeroed(v reflect.Value) error {
 		}
 		return nil
 	}
-	return errors.AssertionFailedf("%s (%s) is not zeroed: %#v", typ.Name(), typ.Kind(), v)
+	return errors.AssertionFailedf("%s (%s) is not zeroed: %#v", errors.Safe(typ.Name()), typ.Kind(), errors.Safe(v))
 }
 
 func newIterAlloc() *iterAlloc {