*: wrap safe diagnostic arguments with errors.Safe() for redacted crash reports

For panic messages using errors.AssertionFailedf, arguments are redacted
by default in CockroachDB crash reports. Wrap safe diagnostic arguments
(internal identifiers, counts, sizes, enum values) with errors.Safe() so
they appear in redacted reports, while leaving user keys and values
unwrapped to prevent PII leaks.

Also add SafeFormat/String implementations for interleavePos, OpKind,
and OpType so these types are self-formatting as safe values.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Author: annrpom

cmd/pebble/test.go

@@ -142,7 +142,7 @@ func (w *namedHistogram) Record(elapsed time.Duration) {
 		// Note that a histogram only drops recorded values that are out of range,
 		// but we clamp the latency value to the configured range to prevent such
 		// drops. This code path should never happen.
-		panic(errors.AssertionFailedf(`%s: recording value: %s`, w.name, err))
+		panic(errors.AssertionFailedf(`%s: recording value: %s`, errors.Safe(w.name), err))
 	}
 }
 

cockroachkvs/cockroachkvs.go

@@ -476,7 +476,7 @@ func normalizeVersionForCompare(a []byte) []byte {
 func normalizeEngineSuffixForCompare(a []byte) []byte {
 	// Check sentinel byte.
 	if invariants.Enabled && len(a) != int(a[len(a)-1]) {
-		panic(errors.AssertionFailedf("malformed suffix: %x (length byte is %d; but suffix is %d bytes)", a, a[len(a)-1], len(a)))
+		panic(errors.AssertionFailedf("malformed suffix: %x (length byte is %d; but suffix is %d bytes)", errors.Safe(a), errors.Safe(a[len(a)-1]), errors.Safe(len(a))))
 	}
 	// Strip off sentinel byte.
 	a = a[:len(a)-1]
@@ -659,7 +659,7 @@ func (kw *cockroachKeyWriter) WriteKey(
 	versionLen := int(key[len(key)-1])
 	if (len(key)-versionLen) != int(keyPrefixLen) || key[keyPrefixLen-1] != 0x00 {
 		panic(errors.AssertionFailedf("invalid %d-byte key with %d-byte prefix (%q)",
-			len(key), keyPrefixLen, key))
+			errors.Safe(len(key)), errors.Safe(keyPrefixLen), key))
 	}
 	// TODO(jackson): Avoid copying the previous suffix.
 	kw.prevSuffix = append(kw.prevSuffix[:0], key[keyPrefixLen:]...)
@@ -754,7 +754,7 @@ func (kw *cockroachKeyWriter) Finish(
 	case cockroachColUntypedVersion:
 		return kw.untypedVersions.Finish(0, rows, offset, buf)
 	default:
-		panic(errors.AssertionFailedf("unknown default key column: %d", col))
+		panic(errors.AssertionFailedf("unknown default key column: %d", errors.Safe(col)))
 	}
 }
 
@@ -793,7 +793,7 @@ func (ks *cockroachKeySeeker) init(
 	header := bd.Header()
 	header = header[:len(header)-colblk.DataBlockCustomHeaderSize]
 	if len(header) != 1 {
-		panic(errors.AssertionFailedf("invalid key schema-specific header %x", header))
+		panic(errors.AssertionFailedf("invalid key schema-specific header %x", errors.Safe(header)))
 	}
 	ks.suffixTypes = suffixTypes(header[0])
 }
@@ -1003,7 +1003,7 @@ func (ks *cockroachKeySeeker) MaterializeUserKey(
 	ki *colblk.PrefixBytesIter, prevRow, row int,
 ) []byte {
 	if invariants.Enabled && (row < 0 || row >= ks.roachKeys.Rows()) {
-		panic(errors.AssertionFailedf("invalid row number %d", row))
+		panic(errors.AssertionFailedf("invalid row number %d", errors.Safe(row)))
 	}
 	if prevRow+1 == row && prevRow >= 0 {
 		ks.roachKeys.SetNext(ki)
@@ -1148,7 +1148,7 @@ func (fk formatKeySuffix) Format(f fmt.State, c rune) {
 			fmt.Fprintf(f, "%d.%09d,%d", wallTime/1e9, wallTime%1e9, logical)
 		}
 	default:
-		panic(errors.AssertionFailedf("invalid suffix length: %d", len(fk)))
+		panic(errors.AssertionFailedf("invalid suffix length: %d", errors.Safe(len(fk))))
 	}
 }
 

compaction.go

@@ -188,6 +188,10 @@ func (k compactionKind) String() string {
 	return "?"
 }
 
+func (k compactionKind) SafeFormat(w redact.SafePrinter, _ rune) {
+	w.Print(redact.SafeString(k.String()))
+}
+
 // compactingOrFlushing returns "flushing" if the compaction kind is a flush,
 // otherwise it returns "compacting".
 func (k compactionKind) compactingOrFlushing() string {
@@ -1690,9 +1694,9 @@ func (d *DB) flush1() (bytesFlushed uint64, err error) {
 		for i := 0; i < n; i++ {
 			if logNum := d.mu.mem.queue[i].logNum; logNum >= minUnflushedLogNum {
 				panic(errors.AssertionFailedf("logNum invariant violated: flushing %d items; %d:type=%T,logNum=%d; %d:type=%T,logNum=%d",
-					n,
-					i, d.mu.mem.queue[i].flushable, logNum,
-					n, d.mu.mem.queue[n].flushable, minUnflushedLogNum))
+					errors.Safe(n),
+					errors.Safe(i), errors.Safe(d.mu.mem.queue[i].flushable), logNum,
+					errors.Safe(n), errors.Safe(d.mu.mem.queue[n].flushable), minUnflushedLogNum))
 			}
 		}
 	}
@@ -1837,7 +1841,7 @@ func (d *DB) flush1() (bytesFlushed uint64, err error) {
 	d.clearCompactingState(c, err != nil)
 	if c.UsesBurstConcurrency() {
 		if v := d.mu.compact.burstConcurrency.Add(-1); v < 0 {
-			panic(errors.AssertionFailedf("burst concurrency underflow: %d", v))
+			panic(errors.AssertionFailedf("burst concurrency underflow: %d", errors.Safe(v)))
 		}
 	}
 	delete(d.mu.compact.inProgress, c)
@@ -2101,7 +2105,7 @@ func (d *DB) runPickedCompaction(pc pickedCompaction, grantHandle CompactionGran
 			}
 		}
 		if doneChannel == nil {
-			panic(errors.AssertionFailedf("did not find manual compaction with id %d", pc.ManualID()))
+			panic(errors.AssertionFailedf("did not find manual compaction with id %d", errors.Safe(pc.ManualID())))
 		}
 	}
 
@@ -2267,7 +2271,7 @@ func (d *DB) compact(c compaction, errChannel chan error) {
 			}
 			if c.UsesBurstConcurrency() {
 				if v := d.mu.compact.burstConcurrency.Add(-1); v < 0 {
-					panic(errors.AssertionFailedf("burst concurrency underflow: %d", v))
+					panic(errors.AssertionFailedf("burst concurrency underflow: %d", errors.Safe(v)))
 				}
 			}
 			delete(d.mu.compact.inProgress, c)

compaction_picker.go

@@ -282,7 +282,7 @@ func newPickedTableCompaction(
 	}
 	if startLevel > 0 && startLevel < baseLevel {
 		panic(errors.AssertionFailedf("invalid compaction: start level %d should not be empty (base level %d)",
-			startLevel, baseLevel))
+			errors.Safe(startLevel), errors.Safe(baseLevel)))
 	}
 
 	pc := &pickedTableCompaction{
@@ -514,7 +514,7 @@ func (pc *pickedTableCompaction) maybeGrow(
 func (pc *pickedTableCompaction) maybeGrowL0ForBase(cmp base.Compare, maxExpandedBytes uint64) {
 	if invariants.Enabled {
 		if pc.startLevel.level != 0 {
-			panic(errors.AssertionFailedf("pc.startLevel.level is %d, expected 0", pc.startLevel.level))
+			panic(errors.AssertionFailedf("pc.startLevel.level is %d, expected 0", errors.Safe(pc.startLevel.level)))
 		}
 	}
 
@@ -1664,7 +1664,7 @@ func (p *compactionPickerByScore) pickedCompactionFromCandidateFile(
 			}
 		}
 		if !found {
-			panic(errors.AssertionFailedf("file %s not found in level %d as expected", candidate.TableNum, startLevel))
+			panic(errors.AssertionFailedf("file %s not found in level %d as expected", candidate.TableNum, errors.Safe(startLevel)))
 		}
 	}
 

db.go

@@ -795,7 +795,7 @@ func (d *DB) applyInternal(batch *Batch, opts *WriteOptions, noSyncWait bool) er
 		return ErrReadOnly
 	}
 	if batch.db != nil && batch.db != d {
-		panic(errors.AssertionFailedf("pebble: batch db mismatch: %p != %p", batch.db, d))
+		panic(errors.AssertionFailedf("pebble: batch db mismatch: %p != %p", errors.Safe(batch.db), errors.Safe(d)))
 	}
 
 	sync := opts.GetSync()
@@ -994,7 +994,7 @@ func assertZeroed(v reflect.Value) error {
 		return assertZeroed(v.Elem())
 	case reflect.Slice:
 		if v.Len() > 0 {
-			return errors.AssertionFailedf("%s is not zeroed (%d len): %#v", typ.Name(), v.Len(), v)
+			return errors.AssertionFailedf("%s is not zeroed (%d len): %#v", errors.Safe(typ.Name()), errors.Safe(v.Len()), v)
 		}
 		resliced := v.Slice(0, v.Cap())
 		for i := 0; i < resliced.Len(); i++ {
@@ -1014,7 +1014,7 @@ func assertZeroed(v reflect.Value) error {
 		}
 		return nil
 	}
-	return errors.AssertionFailedf("%s (%s) is not zeroed: %#v", typ.Name(), typ.Kind(), v)
+	return errors.AssertionFailedf("%s (%s) is not zeroed: %#v", errors.Safe(typ.Name()), typ.Kind(), v)
 }
 
 func newIterAlloc() *iterAlloc {

file_cache.go

@@ -291,7 +291,7 @@ func (h *fileCacheHandle) findOrCreateBlob(
 func (h *fileCacheHandle) Evict(fileNum base.DiskFileNum, fileType base.FileType) {
 	defer func() {
 		if p := recover(); p != nil {
-			panic(errors.AssertionFailedf("pebble: evicting in-use file %s(%s): %v", fileNum, fileType, p))
+			panic(errors.AssertionFailedf("pebble: evicting in-use file %s(%s): %v", fileNum, fileType, errors.Safe(p)))
 		}
 	}()
 	h.fileCache.c.Evict(fileCacheKey{handle: h, fileNum: fileNum, fileType: fileType})
@@ -429,7 +429,7 @@ func (c *FileCache) Ref() {
 	// We don't want the reference count to ever go from 0 -> 1,
 	// cause a reference count of 0 implies that we've closed the cache.
 	if v <= 1 {
-		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", v))
+		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", errors.Safe(v)))
 	}
 }
 
@@ -438,7 +438,7 @@ func (c *FileCache) Unref() {
 	v := c.refs.Add(-1)
 	switch {
 	case v < 0:
-		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", v))
+		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", errors.Safe(v)))
 	case v == 0:
 		c.c.Close()
 		c.c = genericcache.Cache[fileCacheKey, fileCacheValue, initFileOpts]{}

flushable.go

@@ -121,7 +121,7 @@ type flushableEntry struct {
 func (e *flushableEntry) readerRef() {
 	switch v := e.readerRefs.Add(1); {
 	case v <= 1:
-		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", v))
+		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", errors.Safe(v)))
 	}
 }
 
@@ -140,7 +140,7 @@ func (e *flushableEntry) readerUnrefHelper(
 ) {
 	switch v := e.readerRefs.Add(-1); {
 	case v < 0:
-		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", v))
+		panic(errors.AssertionFailedf("pebble: inconsistent reference count: %d", errors.Safe(v)))
 	case v == 0:
 		if e.releaseMemAccounting == nil {
 			panic("pebble: memtable reservation already released")

ingest.go

@@ -2393,7 +2393,7 @@ func (d *DB) ingestApply(
 			}
 			if isShared && f.Level < sharedLevelsStart {
 				panic(errors.AssertionFailedf("cannot slot a shared file higher than the highest shared level: %d < %d",
-					f.Level, sharedLevelsStart))
+					errors.Safe(f.Level), errors.Safe(sharedLevelsStart)))
 			}
 			f.Meta = m
 			levelMetrics := metrics.level(f.Level)
@@ -2525,7 +2525,7 @@ func (d *DB) ingestApply(
 						d.opts.Comparer.FormatKey(exciseSpan.Start), d.opts.Comparer.FormatKey(exciseSpan.End),
 						exciseSeqNum, d.opts.Comparer.FormatKey(efos.protectedRanges[i].Start),
 						d.opts.Comparer.FormatKey(efos.protectedRanges[i].End), efos.seqNum,
-						efos.hasTransitioned(), efos.isClosed(), d.mu.versions.visibleSeqNum.Load()))
+						errors.Safe(efos.hasTransitioned()), errors.Safe(efos.isClosed()), d.mu.versions.visibleSeqNum.Load()))
 				}
 			}
 		}

internal/arenaskl/arena.go

@@ -47,7 +47,7 @@ const MaxArenaSize = min(math.MaxUint32, math.MaxInt)
 func NewArena(buf []byte) *Arena {
 	if len(buf) > MaxArenaSize {
 		if invariants.Enabled {
-			panic(errors.AssertionFailedf("attempting to create arena of size %d", len(buf)))
+			panic(errors.AssertionFailedf("attempting to create arena of size %d", errors.Safe(len(buf))))
 		}
 		buf = buf[:MaxArenaSize]
 	}
@@ -84,7 +84,7 @@ func (a *Arena) Capacity() uint32 {
 // requested size but don't use those extra bytes).
 func (a *Arena) alloc(size, alignment, overflow uint32) (uint32, error) {
 	if invariants.Enabled && (alignment&(alignment-1)) != 0 {
-		panic(errors.AssertionFailedf("invalid alignment %d", alignment))
+		panic(errors.AssertionFailedf("invalid alignment %d", errors.Safe(alignment)))
 	}
 	// Verify that the arena isn't already full.
 	origSize := a.n.Load()

internal/ascii/table/table.go

@@ -49,7 +49,7 @@ func Define[T any](fields ...Element) Layout[T] {
 	for i := range fields {
 		if f, ok := fields[i].(Field[T]); ok {
 			if h := f.header(); len(h) > f.width() {
-				panic(errors.AssertionFailedf("header %q is too long for column %d", h, i))
+				panic(errors.AssertionFailedf("header %q is too long for column %d", errors.Safe(h), errors.Safe(i)))
 			}
 		}
 	}