Merge #114820

114820: storage: assert local single delete safety r=sumeerbhola a=jbowens During intent resolution, examine internal keys when intending to delete an intent using a single delete tombstone to validate that it is indeed safe within the local Engine. This is a safety measure to validate that we do not violate the invariants that make singe deletion deterministic and cause replica divergence. False negatives are possible, since this safety mechanism only examines the local engine state and only the state visible to the open lock table iterator at the time of proposal evaluation. Release note: none Epic: none Informs #114492. Informs #114421. Co-authored-by: Jackson Owens <jackson@cockroachlabs.com>
cockroachdb · Nov 22, 2023 · 4bb5fd1 · 4bb5fd1
2 parents 4314ad5 + 36a2f4c
commit 4bb5fd1
Show file tree

Hide file tree

Showing 7 changed files with 193 additions and 53 deletions.
diff --git a/pkg/kv/kvserver/spanset/batch.go b/pkg/kv/kvserver/spanset/batch.go
@@ -434,6 +434,12 @@ func (i *EngineIterator) Stats() storage.IteratorStats {
 	return i.i.Stats()
 }
 
+// CanDeterministicallySingleDelete is part of the storage.EngineIterator
+// interface.
+func (i *EngineIterator) CanDeterministicallySingleDelete() (bool, error) {
+	return i.i.CanDeterministicallySingleDelete()
+}
+
 type spanSetReader struct {
 	r     storage.Reader
 	spans *SpanSet

diff --git a/pkg/storage/engine.go b/pkg/storage/engine.go
@@ -392,6 +392,22 @@ type EngineIterator interface {
 	PrevEngineKeyWithLimit(limit roachpb.Key) (state pebble.IterValidityState, err error)
 	// Stats returns statistics about the iterator.
 	Stats() IteratorStats
+	// CanDeterministicallySingleDelete is a specific purpose-built method for
+	// determining whether the current key (UnsafeRawEngineKey()/EngineKey())
+	// may be deterministically deleted through a single delete key on the local
+	// engine state. The determination is completely to local to the Engine, and
+	// a true return value does not mean that clearing the key with a single
+	// delete will be deterministic on other replicas on other Engines.
+	//
+	// CanDeterministicallySingleDelete does not change the iterator position
+	// (all subsequent iterator operations should behave as if
+	// CanDeterministicallySingleDelete was never invoked), although it DOES
+	// invalidate the memory associated with the current iterator position's
+	// value.
+	//
+	// CanDeterministicallySingleDelete may only be called when oriented in the
+	// forward direction and only once at a given iterator position.
+	CanDeterministicallySingleDelete() (ok bool, err error)
 }
 
 // CloneContext is an opaque type encapsulating sufficient context to construct

diff --git a/pkg/storage/lock_table_iterator.go b/pkg/storage/lock_table_iterator.go
@@ -480,6 +480,11 @@ func (i *LockTableIterator) Stats() IteratorStats {
 	return i.iter.Stats()
 }
 
+// CanDeterministicallySingleDelete implements the EngineIterator interface.
+func (i *LockTableIterator) CanDeterministicallySingleDelete() (ok bool, err error) {
+	return i.iter.CanDeterministicallySingleDelete()
+}
+
 //gcassert:inline
 func isLockTableKey(key roachpb.Key) bool {
 	return bytes.HasPrefix(key, keys.LocalRangeLockTablePrefix)