rollback to a consistent state after fsync error

[MrCroxx]

Make PipeLog try to rollback to a consistent state after fsync error.

According to PostgreSQL's fsync() surprise, fsync is not retriable. We must make pipe log rollback to where it last synced.

What's changed?

invariant: non-active log files are always synced and safe.

Updated:

After discussion, the final decisions of this pr are listed below:

1. Panics when there is any fsync error.
2. Truncate active log file when there is write error during buffer writing log file.
3. Panics when there is any error during rotating log file (truncate/sync/create).

Introduce pre_write and post_write for PipeLog to acquire or release a WriteContext, which can be used to track the sync state.

If fsync raises an error, log will rollback to last synced state, and set errors for the writers in the current write group. But if there are bytes rollbacked but in writers in the previous write groups, RaftEngine will panic, because that means some data that the user thinks is safe but lost actually.

new_log_file is devided into 2 phase. First truncate and sync the old log file, then rotate to a new log file. The second phase is safe to retry if sync_dir fails, because the new log will overwrite the failed one.

TODO:

• Unit tests with failpoints.

Signed-off-by: MrCroxx mrcroxx@outlook.com

[codecov]

Codecov Report

Merging #131 (8588698) into master (9f0c313) will increase coverage by 0.33%.
The diff coverage is 98.26%.

@@            Coverage Diff             @@
##           master     #131      +/-   ##
==========================================
+ Coverage   96.69%   97.02%   +0.33%     
==========================================
  Files          22       23       +1     
  Lines        5816     6194     +378     
==========================================
+ Hits         5624     6010     +386     
+ Misses        192      184       -8     

Impacted Files	Coverage Δ
src/errors.rs	100.00% <ø> (ø)
src/pipe_log.rs	93.10% <ø> (ø)
tests/failpoints/mod.rs	100.00% <ø> (ø)
src/engine.rs	96.87% <90.00%> (+0.61%)	⬆️
tests/failpoints/test_io_error.rs	98.13% <98.13%> (ø)
src/file_pipe_log.rs	95.69% <100.00%> (+0.33%)	⬆️
src/log_file.rs	92.15% <100.00%> (+3.92%)	⬆️
src/purge.rs	94.78% <100.00%> (+0.27%)	⬆️
tests/failpoints/test_engine.rs	100.00% <100.00%> (ø)
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9f0c313...8588698. Read the comment docs.

[tabokie]

On a second thought, I think it's risky to silently rollback on buffer write failure. Consider this case:

1. write (r=1, index=1)
2. write (r=1, index=2,3,4) failed, but index 2-3 is written to disk
3. write (r=2, index=1) succeeded, this write overwrite (r=1, index=2), but (r=1, index=3) remains
4. engine restart, the data is inconsistent

This is unsolvable unless we tolerate logical error when recovering tail records. but that's difficult to reason.

I think it would be better to physically truncate file when buffer write fails. This truncate call could fail too, so we must keep track of outstanding dirty writes in a counter (e.g. written_dirty). Next buffer writes must attempt to do the truncate again.

A rough sketch of my thoughts:

buffered_write:
  if written_dirty > written {
    truncate(written)?;
  }
  let r = pwrite(...);
  if r.is_err()  {
    if truncate(written).is_err() {
      written_dirty += len;
    }
  } else {
    written += len;
  }
  return r;

post_write:
  if let Err(e) = fsync() {
    // panic if needed
    if truncate(last_sync).is_err() {
      written_dirty = written;
    }
    written = last_sync;
    return e;
  }
  if needs_rotate {
    // Errors from these calls don't bubble to user.
    if ftruncate(old_file).is_ok() && open(new_file).is_ok() && fsync_dir().is_ok() {
      if let Err(e) = pwrite(header) {
        written_dirty = header.len
      } else {
        written = header.len
      }
    }
  }

[tabokie]

When last_sync == 0, written = LOG_FILE_HEADER_LEN, we should tolerate fsync error.

[MrCroxx]

The impl split rotation to 2 parts, first call truncate_and_sync for the current log, then call rotate to create and move the writer to the new log file. So calling rotate here means the old log file has already been truncated and synced.

[MrCroxx]

On a second thought, I think it's risky to silently rollback on buffer write failure. Consider this case:

1. write (r=1, index=1)
2. write (r=1, index=2,3,4) failed, but index 2-3 is written to disk
3. write (r=2, index=1) succeeded, this write overwrite (r=1, index=2), but (r=1, index=3) remains
4. engine restart, the data is inconsistent

@tabokie Agree with you on the case.

I think it would be better to physically truncate file when buffer write fails. This truncate call could fail too, so we must keep track of outstanding dirty writes in a counter (e.g. written_dirty). Next buffer writes must attempt to do the truncate again.

IMO, I think this method shares the some outcome if the engine restart at the moment that fsync error happens. If we keep written_dirty in memory, when RaftEngine restarts, it still won't know if the tail has been successfully truncated yet, and the case cannot be solved. Maybe RaftEngine should panic if the truncate after fsync error fails is acceptable, which means the disk is highly unreliable.

[tabokie]

It's not needed, written_dirty is only there to block incoming writes (actually a bool variable suffice). If a dirty write isn't overwritten by other writes, then the disk state is still consistent.

And I made a mistake with the case, ideally a log batch can only be atomically written to disk. step 2 is unlikely to happen. So I guess my proposal can be reduced to only physically truncate file for "write group" fsync failure, not buffered write failure.

[tabokie]

Needs unit tests. I've added some IO failpoints in #139, every one of them needs to be tested. You can use catch_unwind_silent to test the panics.

[tabokie]

You are not calling truncate after this failure.

[tabokie]

You should send another PR to move all existing failpoint tests to this folder.

[MrCroxx]

OK. I'd like to move io error test to this folder first in this PR, then send another one to move the existing test.

[tabokie]

Then add a mod.rs for failpoints folder, listing individual test in main Cargo.toml doesn't look good.

[tabokie]

maybe rename it to reset

[tabokie]

I don't particularly like this approach. Could you try using cfg_callback? might be easier.

[tabokie]

Tests are failing.

[tabokie]

Then add a mod.rs for failpoints folder, listing individual test in main Cargo.toml doesn't look good.

[tabokie]

what's the difference between post_err and err? If you want to test file is truncated, a engine restart is needed.

[MrCroxx]

This is for checking if the following appends correctly overwrite the pervious ones.

[MrCroxx]

Tests are failing.

Yep. It works fine with my env and I’m looking for the reason.

[tabokie]

It says this panic is not covered.

[MrCroxx]

I ran the coverage test locally and it said these lines are covered. And I checked manually and made sure that it is covered.

I've also checked the CI script, which seems fine. I'm not sure if it's a bug of the CI coverage test.

[MrCroxx]

Just found where the problem lays, fixing.

[tabokie]

write_tmp_engine seems an overkill.

[MrCroxx]

stress --regions 1000 --write-sync true --time 600

[current]
Throughput(QPS) = 10119.08
Latency(μs) min = 40, avg = 83.03, p50 = 61, p90 = 161, p95 = 187, p99 = 230, p99.9 = 288, max = 24607
Fairness = 100.0%
Write Bandwidth = 7.5MiB/s

[master]
Throughput(QPS) = 10249.05
Latency(μs) min = 42, avg = 80.07, p50 = 59, p90 = 155, p95 = 174, p99 = 214, p99.9 = 265, max = 16639
Fairness = 100.0%
Write Bandwidth = 7.7MiB/s