[MDEV-30753] Possible corruption due to trx_purge_free_segment() Created: 2023-02-28  Updated: 2023-12-01  Resolved: 2023-03-01

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.11.3, 11.0.2, 10.5.20, 10.6.13, 10.7.8, 10.8.8, 10.9.6, 10.10.4

Type: Bug Priority: Critical
Reporter: Marko Mäkelä Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: corruption

Issue Links:
Blocks
Problem/Incident
causes MDEV-32049 Deadlock due to log_free_check(), inv... Closed
causes MDEV-32820 Race condition between trx_purge_free... Closed
Relates
relates to MDEV-30671 innodb_undo_log_truncate=ON fails to ... Closed

 Description   

There is a potential problem if the server is killed amid freeing undo log pages:

diff --git a/storage/innobase/trx/trx0purge.cc b/storage/innobase/trx/trx0purge.cc
 
index f273903ef93..e7f61162dcd 100644
 
--- a/storage/innobase/trx/trx0purge.cc
 
+++ b/storage/innobase/trx/trx0purge.cc
 
@@ -365,6 +365,8 @@ void trx_purge_free_segment(mtr_t &mtr, trx_rseg_t* rseg, fil_addr_t hdr_addr)
 
 		       TRX_UNDO_SEG_HDR + TRX_UNDO_FSEG_HEADER
 
 		       + block->frame, &mtr)) {
 
 		mtr.commit();
 
+		log_write_up_to(mtr.commit_lsn(), true);
 
+		abort();
 
 		mtr.start();
 
 
 		rseg_hdr = trx_rsegf_get(rseg->space, rseg->page_no, &mtr);

The following scenario would seem to be possible:

  1. InnoDB is killed between that point and the time when the mini-transaction of a subsequent trx_purge_remove_log_hdr() becomes durable.
  2. InnoDB is restarted, and the pages that were freed above are being allocated for something else (further undo log records, or data located in the system tablespace).
  3. Purge attempts to access an invalid page.

The function trx_purge_free_segment() is also missing calls to log_free_check(), which means that an overrun of the redo log is possible, and the database might become impossible to recover if the server is killed while the function is being executed.

There is a hint in the source code how this could be fixed:

	/* We may free the undo log segment header page; it must be freed
 
	within the same mtr as the undo log header is removed from the
 
	history list: otherwise, in case of a database crash, the segment
 
	could become inaccessible garbage in the file space. */
 
 
 
	trx_purge_remove_log_hdr(rseg_hdr, block, hdr_addr.boffset, &mtr);
 
 
 
	do {
 
 
 
		/* Here we assume that a file segment with just the header
 
		page can be freed in a few steps, so that the buffer pool
 
		is not flooded with bufferfixed pages: see the note in
 
		fsp0fsp.cc. */
 
 
 
	} while (!fseg_free_step(TRX_UNDO_SEG_HDR + TRX_UNDO_FSEG_HEADER
 
				 + block->frame, &mtr));

If we simply call trx_purge_remove_log_hdr() in the first mini-transaction, everything should be safe. Yes, the pages might not be easy to free afterwards, but that is not a problem for those who use multiple innodb_undo_tablespaces and innodb_undo_log_truncate=ON.

We could also try to free everything in a single mini-transaction, provided that there is sufficient capacity in the redo log and the buffer pool.

 Comments   
Comment by Marko Mäkelä [ 2023-04-21 ]

I pushed a follow-up fix to correct an error in buffer pool page restoration after mini-transaction restart. If the buffer pool is tiny and the server is heavily loaded, the buffer page could be replaced between the mtr.commit() and acquiring an exclusive lock on the block. We never reproduced such a failure, but we reproduced a similar error in a development version of MDEV-29593.

Comment by Marko Mäkelä [ 2023-05-10 ]

I looked up the follow-up fix because I was thinking that we might need similar adjustments in order to prevent corruptions like MDEV-30531.

I thought that a buffer-fix does not prevent a buffer block from being evicted or relocated. But, it actually does, because buf_page_t::can_relocate() returns false for buffer-fixed, io-fixed or latched pages. Hence, it looks like the follow-up fix actually added some dead code.

I re-analyzed the rr replay trace for a development version of MDEV-29593. In that trace, the block that was evicted from the buffer pool was not buffer-fixed by the thread that would hit a debug assertion failure later during the trace.

Generated at Thu Feb 08 10:18:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.