Skip to content

Stop using html/template in U2M OAuth callback to restore linker DCE (fixes #343)#390

Merged
vikrantpuppala merged 2 commits into
mainfrom
fix/343-html-template-dce-clean
Jul 8, 2026
Merged

Stop using html/template in U2M OAuth callback to restore linker DCE (fixes #343)#390
vikrantpuppala merged 2 commits into
mainfrom
fix/343-html-template-dce-clean

Conversation

@vikrantpuppala

Copy link
Copy Markdown
Collaborator

Summary

Reachable use of the stdlib html/template in package auth/oauth/u2m disabled the Go linker's public dead-code elimination (DCE) for the entire binary of any application that imports databricks-sql-go. html/template builds on text/template, whose reflection-based field evaluation forces the linker to retain code it would otherwise strip. This bloats consumer binaries — up to ~20% (40 MB) in multi-library binaries like xo/usql, as reported in #343.

This PR rewrites the mostly-static OAuth callback page as plain string building with explicit html.EscapeString on the dynamic fields (the same approach xo/tblfmt used for a similar issue), removing html/template/text/template from the reachable graph. The now-unused embedded templates/simple.html is deleted.

The dynamic fields remain HTML-escaped, so the escaping behavior of the previous html/template implementation is preserved.

Impact

Measured with a minimal main.go that imports the driver (the repro from the issue):

Before After
text/template/html/template symbols (go tool nm) 615 0
Binary size 23.7 MB 14.4 MB (~39% smaller)

The size delta is larger than the driver's own footprint because re-enabling DCE benefits the whole binary, including other libraries.

Test plan

  • Added auth/oauth/u2m/html_template_test.go:
    • TestRenderHTML (table-driven): basic field rendering + escaping of <, >, &, "; the conditional action-link block; the conditional code block; and that each page is a complete, well-formed document.
    • TestInfoHTML: success page title/heading/content, no code block.
    • TestErrorHTML: error page title and that the error message is HTML-escaped (no raw <script> leaks through).
  • go build ./..., go vet ./auth/oauth/u2m/, and gofmt -l are all clean.
  • go test ./auth/oauth/u2m/ passes.
  • Verified via go tool nm on a consumer binary that the template symbols are gone (615 → 0) and the binary shrinks as shown above.

Notes

  • No other html/template or text/template usages exist in the codebase — this was the sole occurrence of the pattern.
  • CHANGELOG updated under an Unreleased section.

Closes #343

This pull request and its description were written by Isaac.

Reachable use of html/template in auth/oauth/u2m disabled the Go linker's
dead-code elimination for the entire binary of any application importing
this driver, significantly increasing binary size (up to ~20% in
multi-library binaries).

Rewrite the mostly-static OAuth callback page as plain string building
with explicit html.EscapeString for the dynamic fields, removing the
html/template (and transitively text/template) dependency from the
reachable graph. In a minimal binary importing the driver this drops
text/template symbols from 615 to 0 and shrinks the binary by ~39%.

Delete the now-unused embedded templates/simple.html and add tests
covering rendering and HTML escaping.

Closes #343

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala enabled auto-merge (squash) July 8, 2026 11:26
@vikrantpuppala vikrantpuppala merged commit 7295766 into main Jul 8, 2026
8 checks passed
@vikrantpuppala vikrantpuppala deleted the fix/343-html-template-dce-clean branch July 8, 2026 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

HTML template in auth/oauth/u2m disables public dead code elimination for the whole application

2 participants