Address review feedback: snapshot safety and correctness fixes

Copilot · bootjp · Copilot · commit a8d99c1074b8 · 2026-03-20T14:46:54.000Z
Co-authored-by: bootjp &lt;1306365+bootjp@users.noreply.github.com&gt;
diff --git a/kv/snapshot_test.go b/kv/snapshot_test.go
@@ -58,6 +58,7 @@ func TestSnapshot(t *testing.T) {
 	var buf bytes.Buffer
 	_, err = kvFSMSnap.snapshot.WriteTo(&buf)
 	assert.NoError(t, err)
+	kvFSMSnap.Release()
 	err = fsm2.Restore(io.NopCloser(bytes.NewReader(buf.Bytes())))
 	assert.NoError(t, err)
 
diff --git a/store/mvcc_store.go b/store/mvcc_store.go
@@ -26,8 +26,11 @@ type VersionedValue struct {
 }
 
 const (
-	checksumSize        = 4
-	mvccSnapshotVersion = uint32(1)
+	checksumSize              = 4
+	mvccSnapshotVersion       = uint32(1)
+	maxSnapshotKeySize        = 1 << 20        // 1 MiB per key
+	maxSnapshotVersionCount   = 1 << 20        // 1M versions per key
+	maxSnapshotValueSize      = 64 << 20       // 64 MiB per value
 )
 
 var mvccSnapshotMagic = [8]byte{'E', 'K', 'V', 'M', 'V', 'C', 'C', '2'}
@@ -606,7 +609,8 @@ func writeMVCCSnapshotHeader(f *os.File) (int64, error) {
 
 func (s *mvccStore) writeSnapshotBody(f *os.File) (uint32, error) {
 	hash := crc32.NewIEEE()
-	w := io.MultiWriter(f, hash)
+	bw := bufio.NewWriter(f)
+	w := io.MultiWriter(bw, hash)
 
 	s.mtx.RLock()
 	defer s.mtx.RUnlock()
@@ -631,6 +635,9 @@ func (s *mvccStore) writeSnapshotBody(f *os.File) (uint32, error) {
 			return 0, err
 		}
 	}
+	if err := bw.Flush(); err != nil {
+		return 0, errors.WithStack(err)
+	}
 	return hash.Sum32(), nil
 }
 
@@ -788,6 +795,9 @@ func readMVCCSnapshotEntry(r io.Reader) ([]byte, []VersionedValue, bool, error)
 		}
 		return nil, nil, false, errors.WithStack(err)
 	}
+	if keyLen > maxSnapshotKeySize {
+		return nil, nil, false, errors.Newf("mvcc snapshot key too large: %d > %d", keyLen, maxSnapshotKeySize)
+	}
 
 	key := make([]byte, keyLen)
 	if _, err := io.ReadFull(r, key); err != nil {
@@ -798,6 +808,9 @@ func readMVCCSnapshotEntry(r io.Reader) ([]byte, []VersionedValue, bool, error)
 	if err := binary.Read(r, binary.LittleEndian, &versionCount); err != nil {
 		return nil, nil, false, errors.WithStack(err)
 	}
+	if versionCount > maxSnapshotVersionCount {
+		return nil, nil, false, errors.Newf("mvcc snapshot version count too large: %d > %d", versionCount, maxSnapshotVersionCount)
+	}
 	versions := make([]VersionedValue, 0, versionCount)
 	for i := uint64(0); i < versionCount; i++ {
 		version, err := readMVCCSnapshotVersion(r)
@@ -829,6 +842,9 @@ func readMVCCSnapshotVersion(r io.Reader) (VersionedValue, error) {
 	if err := binary.Read(r, binary.LittleEndian, &valueLen); err != nil {
 		return VersionedValue{}, errors.WithStack(err)
 	}
+	if valueLen > maxSnapshotValueSize {
+		return VersionedValue{}, errors.Newf("mvcc snapshot value too large: %d > %d", valueLen, maxSnapshotValueSize)
+	}
 	value := make([]byte, valueLen)
 	if _, err := io.ReadFull(r, value); err != nil {
 		return VersionedValue{}, errors.WithStack(err)
diff --git a/store/mvcc_store_snapshot_test.go b/store/mvcc_store_snapshot_test.go
@@ -3,6 +3,9 @@ package store
 import (
 	"bytes"
 	"context"
+	"encoding/binary"
+	"encoding/gob"
+	"hash/crc32"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -81,6 +84,43 @@ func TestMVCCStore_ApplyMutations_UnknownOp(t *testing.T) {
 	require.ErrorIs(t, err, ErrUnknownOp)
 }
 
+func TestMVCCStore_RestoreLegacySnapshot(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+
+	// Build a legacy gob+crc32 snapshot payload.
+	legacy := mvccSnapshot{
+		LastCommitTS:  42,
+		MinRetainedTS: 10,
+		Entries: []mvccSnapshotEntry{
+			{
+				Key: []byte("legacy-key"),
+				Versions: []VersionedValue{
+					{TS: 42, Value: []byte("legacy-value"), Tombstone: false, ExpireAt: 0},
+				},
+			},
+		},
+	}
+
+	var payload bytes.Buffer
+	require.NoError(t, gob.NewEncoder(&payload).Encode(legacy))
+
+	checksum := crc32.ChecksumIEEE(payload.Bytes())
+	var cs [4]byte
+	binary.LittleEndian.PutUint32(cs[:], checksum)
+	full := append(payload.Bytes(), cs[:]...)
+
+	dst := newTestMVCCStore(t)
+	require.NoError(t, dst.Restore(bytes.NewReader(full)))
+
+	require.Equal(t, uint64(42), dst.LastCommitTS())
+
+	v, err := dst.GetAt(ctx, []byte("legacy-key"), 100)
+	require.NoError(t, err)
+	require.Equal(t, []byte("legacy-value"), v)
+}
+
 func snapshotBytes(t *testing.T, snap Snapshot) []byte {
 	t.Helper()
 
diff --git a/store/snapshot_pebble.go b/store/snapshot_pebble.go
@@ -70,26 +70,33 @@ func writePebbleSnapshotEntries(snap *pebble.Snapshot, w io.Writer) error {
 	if err != nil {
 		return errors.WithStack(err)
 	}
-	defer iter.Close()
 
 	for iter.First(); iter.Valid(); iter.Next() {
 		k := iter.Key()
 		v := iter.Value()
 
 		if err := binary.Write(w, binary.LittleEndian, uint64(len(k))); err != nil {
+			_ = iter.Close()
 			return errors.WithStack(err)
 		}
 		if _, err := w.Write(k); err != nil {
+			_ = iter.Close()
 			return errors.WithStack(err)
 		}
 		if err := binary.Write(w, binary.LittleEndian, uint64(len(v))); err != nil {
+			_ = iter.Close()
 			return errors.WithStack(err)
 		}
 		if _, err := w.Write(v); err != nil {
+			_ = iter.Close()
 			return errors.WithStack(err)
 		}
 	}
-	return nil
+	if err := iter.Error(); err != nil {
+		_ = iter.Close()
+		return errors.WithStack(err)
+	}
+	return errors.WithStack(iter.Close())
 }
 
 type countingWriter struct {

Original file line number	Diff line number	Diff line change
`@@ -70,26 +70,33 @@ func writePebbleSnapshotEntries(snap *pebble.Snapshot, w io.Writer) error {`
`70`	`70`	`if err != nil {`
`71`	`71`	`return errors.WithStack(err)`
`72`	`72`	`}`
`73`		`- defer iter.Close()`
`74`	`73`
`75`	`74`	`for iter.First(); iter.Valid(); iter.Next() {`
`76`	`75`	`k := iter.Key()`
`77`	`76`	`v := iter.Value()`
`78`	`77`
`79`	`78`	`if err := binary.Write(w, binary.LittleEndian, uint64(len(k))); err != nil {`
	`79`	`+ _ = iter.Close()`
`80`	`80`	`return errors.WithStack(err)`
`81`	`81`	`}`
`82`	`82`	`if _, err := w.Write(k); err != nil {`
	`83`	`+ _ = iter.Close()`
`83`	`84`	`return errors.WithStack(err)`
`84`	`85`	`}`
`85`	`86`	`if err := binary.Write(w, binary.LittleEndian, uint64(len(v))); err != nil {`
	`87`	`+ _ = iter.Close()`
`86`	`88`	`return errors.WithStack(err)`
`87`	`89`	`}`
`88`	`90`	`if _, err := w.Write(v); err != nil {`
	`91`	`+ _ = iter.Close()`
`89`	`92`	`return errors.WithStack(err)`
`90`	`93`	`}`
`91`	`94`	`}`
`92`		`- return nil`
	`95`	`+ if err := iter.Error(); err != nil {`
	`96`	`+ _ = iter.Close()`
	`97`	`+ return errors.WithStack(err)`
	`98`	`+ }`
	`99`	`+ return errors.WithStack(iter.Close())`
`93`	`100`	`}`
`94`	`101`
`95`	`102`	`type countingWriter struct {`