Bloomberg 1© 2024 Bloomberg Finance L.P. All rights reserved. Dependency Injection in C++: A Practical Guide CppCon 2024 September 18, 2024 Pete Muldoon Senior Engineering LeadBloomberg 4 Questions it8 Bloomberg Where will we be going ? • Talk will be about inserting meaningful Dependency Injection in applications • Using various DI methods to achieve functionality swapping / instrumentation (or just giving up) • Talk is rooted in a real-world system not theory9 Bloomberg Dependency Injection : 1. Decreases coupling between functionality blocks 2. Used to make a class/function independent

PingCAP wink@pingcap.com Agenda ● How to build a stable database ○ Schrodinger-test platform ○ Failpoint injection ○ Goroutine-leak detection ● Optimization ○ Chunk vs interface{} ○ Vectorized execution TiDB the Cat is dead, and the Schrodinger will give us a report What is Schrodinger(2/2) Failpoint injection ● Failpoints are used to add code points where errors may be injected ● Why we need failpoints cases func someFunc() string { // gofail: var SomeFuncString string // // this is called when the failpoint is triggered // return SomeFuncString return "default" } About gofail ● An implementation of FreeBSD

It’s complicated! •Unit tests •Integration tests •Fuzz testing •libFuzzer •AFL •Fault injection •Failpoint, https://www.freebsd.org/cgi/man.cgi?query=fail •Jepsen, https://github.com/jepsen-io/jepsen com/jepsen-io/jepsen Tests •A framework for distributed systems verification, with fault injection
 •Found bugs •Redis •etcd •Cassandra
 … 
 Jepsen Jepsen: How does it work? N1 N2 N3 N4 N5 Control TiDB Cluster

Alpha - 408 - 本文档使用 书栈(BookStack.CN) 构建 优化 Coprocessor count (*) 和点查 unique index 的性能 增加更多的 Failpoint 以及稳定性测试 case 解决 PD 和 TiKV 之间重连的问题 增强数据恢复工具 tikv-ctl 的功能 Region 支持按 table 进行分裂 支持 Delete Range

TiDB to cache a large number of Prepared Statements, and executing SQL operations this way has injection security risks. 694 Dynamic SQL Batch Dynamic SQL - foreach To support the automatic rewriting allow multiple queries to be executed in the same COM_QUERY call. • To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default error might occur after upgrading from an earlier version of TiDB. To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default

TiDB to cache a large number of Prepared Statements, and executing SQL operations this way has injection security risks. Dynamic SQL Batch Dynamic SQL - foreach To support the automatic rewriting of allow multiple queries to be executed in the same COM_QUERY call. • To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default error might occur after upgrading from an earlier version of TiDB. To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default

TiDB to cache a large number of Prepared Statements, and executing SQL operations this way has injection security risks. Dynamic SQL Batch Dynamic SQL - foreach To support the automatic rewriting of allow multiple queries to be executed in the same COM_QUERY call. • To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default error might occur after upgrading from an earlier version of TiDB. To reduce the impact of SQL injection attacks, TiDB now prevents multiple queries from being executed in the same COM_QUERY call by default

annotation resides. You can also use @Param to specify a name different from the parameter for injection. In getPlayerAndLock, an annotation @Lock is used to declare that pessimistic locking is applied of SQL statements: • Security: Because parameters and statements are separated, the risk of SQL injection attacks is avoided. • Performance: Because the statement is parsed in advance on the TiDB server done by concatenating parameters into a SQL statement. However, this method poses a potential SQL Injection risk to the security of the application. To deal with such queries, use a Prepared statement instead

extends JpaRepository { } Then, you can use @Autowired for automatic dependency injection in any class that requires the PlayerRepository. This enables you to directly use CRUD functions performance overhead caused by frequently establishing and destroying connections. • To avoid SQL injection, it is recommended to use prepared statements. • In scenarios where there are not many complex SQL performance overhead caused by frequently establishing and destroying connections. • To avoid SQL injection attacks, it is recommended to use Escaping query values before executing SQL. Note The mysqljs/mysql

. 10CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY Password='' 5 . 11CPP INJECTION / SECURITY BREACH CPP INJECTION / SECURITY BREACH CPP INJECTION CPP INJECTION SELECT * FROM Users WHERE Name='' or 1==1--' and Password='' 5 . 11CPP INJECTION / SECURITY BREACH BREACH CPP INJECTION / SECURITY BREACH CPP INJECTION CPP INJECTION SELECT * FROM Users WHERE Name='' or 1==1--' and Password='' int main() { jit<"[]{ std::cout << \""s + std::getenv("USER") + "\"; }">();