Clamp event timestamps to i64::MAX

BigQuery's integer type is a signed 64-bit value, while we collect
unsigned ones.
Timestamps are in milliseconds, so 9223372036854775807 (i64::MAX) ms is
about 4.5 billion years, or roughly 1/15 of the age of earth.
I think we should be fine with that for a little while longer.

So any such value _should_ not happen. But it does in 0.002% of pings
and thus data ends up in `additional_properties` instead of where it
belongs.
By clamping we might reduce that %age further. An event with that
timestamp is most likely still not useful, but maybe the others are?

One more problem is: Should we report this as an issue? If so how? Right
now we don't have the APIs to tie that back to a specific event other
then the one we own. But then our error types don't express the right
things.

Author: badboy

glean-core/src/event_database/mod.rs

@@ -560,6 +560,26 @@ impl EventDatabase {
                 // Let's fix cur_ec up and hope this isn't a sign something big is broken.
                 cur_ec = execution_counter;
             }
+
+            // event timestamp is a `u64`, but BigQuery uses `i64` (signed!) everywhere. Let's clamp the value to make
+            // sure we stay within bounds.
+            if event.event.timestamp > i64::MAX as u64 {
+                record_error(
+                    glean,
+                    // We don't have the info about the actual event here, so we tackle it onto our own event.
+                    // Also none of the error types are expressing what actually happened.
+                    &glean_restarted_meta(store_name).into(),
+                    ErrorType::InvalidState,
+                    format!(
+                        "Calculated event timestamp was too high. Got: {}, max: {}",
+                        event.event.timestamp,
+                        i64::MAX,
+                    ),
+                    None,
+                );
+                event.event.timestamp = event.event.timestamp.clamp(0, i64::MAX as u64);
+            }
+
             if highest_ts > event.event.timestamp {
                 // Even though we sorted everything, something in the
                 // execution_counter or glean.startup.date math went awry.
@@ -1357,4 +1377,60 @@ mod test {
         )
         .is_err());
     }
+
+    #[test]
+    fn normalize_store_clamps_timestamp() {
+        // TODO
+        let (glean, _dir) = new_glean(None);
+
+        let store_name = "store-name";
+        let event = RecordedEvent {
+            category: "category".into(),
+            name: "name".into(),
+            ..Default::default()
+        };
+
+        let timestamps = [
+            0,
+            (i64::MAX / 2) as u64,
+            i64::MAX as _,
+            (i64::MAX as u64) + 1,
+        ];
+        let mut store = timestamps
+            .into_iter()
+            .map(|timestamp| StoredEvent {
+                event: RecordedEvent {
+                    timestamp,
+                    ..event.clone()
+                },
+                execution_counter: None,
+            })
+            .collect();
+
+        let glean_start_time = glean.start_time();
+        glean
+            .event_storage()
+            .normalize_store(&glean, store_name, &mut store, glean_start_time);
+        assert_eq!(4, store.len());
+
+        assert_eq!(0, store[0].event.timestamp);
+        assert_eq!((i64::MAX / 2) as u64, store[1].event.timestamp);
+        assert_eq!((i64::MAX as u64), store[2].event.timestamp);
+        assert_eq!((i64::MAX as u64), store[3].event.timestamp);
+
+        let errors = test_get_num_recorded_errors(
+            &glean,
+            &CommonMetricData {
+                name: "restarted".into(),
+                category: "glean".into(),
+                send_in_pings: vec![store_name.into()],
+                lifetime: Lifetime::Ping,
+                ..Default::default()
+            }
+            .into(),
+            ErrorType::InvalidState,
+        );
+
+        assert_eq!(Ok(1), errors);
+    }
 }