VSR: Ping releases

src/config.zig

@@ -142,6 +142,7 @@ const ConfigCluster = struct {
     lsm_batch_multiple: comptime_int = 32,
     lsm_snapshots_max: usize = 32,
     lsm_manifest_compact_extra_blocks: comptime_int = 1,
+    vsr_releases_max: usize = 64,
 
     // Arbitrary value.
     // TODO(batiati): Maybe this constant should be derived from `grid_iops_read_max`,

src/constants.zig

@@ -83,6 +83,17 @@ comptime {
     assert(clients_max >= Config.Cluster.clients_max_min);
 }
 
+/// The maximum number of release versions (upgrade candidates) that can be advertised by a replica
+/// in each ping message body.
+pub const vsr_releases_max = config.cluster.vsr_releases_max;
+
+comptime {
+    assert(vsr_releases_max >= 2);
+    assert(vsr_releases_max * @sizeOf(u16) <= message_body_size_max);
+    // The number of releases is encoded into ping headers as a u16.
+    assert(vsr_releases_max <= std.math.maxInt(u16));
+}
+
 /// The maximum number of nodes required to form a quorum for replication.
 /// Majority quorums are only required across view change and replication phases (not within).
 /// As per Flexible Paxos, provided `quorum_replication + quorum_view_change > replicas`:

src/testing/cluster.zig

@@ -429,6 +429,7 @@ pub fn ClusterType(comptime StateMachineType: anytype) type {
                     // TODO Use "real" release numbers.
                     .release = 1,
                     .release_client_min = 1,
+                    .releases_bundled = vsr.ReleaseList.from_slice(&[_]u16{1}) catch unreachable,
                 },
             );
             assert(replica.cluster == cluster.options.cluster_id);

src/tigerbeetle/main.zig

@@ -183,6 +183,7 @@ const Command = struct {
             // TODO Use real release numbers.
             .release = 1,
             .release_client_min = 1,
+            .releases_bundled = vsr.ReleaseList.from_slice(&[_]u16{1}) catch unreachable,
             .storage_size_limit = args.storage_size_limit,
             .storage = &command.storage,
             .aof = &aof,

src/vsr.zig

@@ -62,6 +62,9 @@ pub const CheckpointTrailerType = @import("vsr/checkpoint_trailer.zig").Checkpoi
 /// For backwards compatibility through breaking changes (e.g. upgrading checksums/ciphers).
 pub const Version: u16 = 0;
 
+/// A ReleaseList is ordered from highest-to-lowest(i.e. newest-to-oldest) version.
+pub const ReleaseList = stdx.BoundedArray(u16, constants.vsr_releases_max);
+
 pub const ProcessType = enum { replica, client };
 
 pub const Zone = enum {
@@ -1044,6 +1047,18 @@ pub fn member_index(members: *const Members, replica_id: u128) ?u8 {
     } else return null;
 }
 
+pub fn verify_release_list(releases: []const u16) void {
+    assert(releases.len >= 1);
+    assert(releases.len <= constants.vsr_releases_max);
+
+    for (
+        releases[0 .. releases.len - 1],
+        releases[1..],
+    ) |release_a, release_b| {
+        assert(release_a > release_b);
+    }
+}
+
 pub const Headers = struct {
     pub const Array = stdx.BoundedArray(Header.Prepare, constants.view_change_headers_max);
     /// The SuperBlock's persisted VSR headers.

src/vsr/replica.zig

@@ -210,6 +210,14 @@ pub fn ReplicaType(
         /// It should never be modified by a running replica.
         release_client_min: u16,
 
+        /// A list of all versions of code that are available in the current binary.
+        /// Includes the current version, newer versions, and older versions.
+        /// Ordered from highest/newest to lowest/oldest.
+        ///
+        /// Note that this is a property (rather than a constant) for the purpose of testing.
+        /// It should never be modified for a running replica.
+        releases_bundled: vsr.ReleaseList,
+
         /// A globally unique integer generated by a crypto rng during replica process startup.
         /// Presently, it is used to detect outdated start view messages in recovering head status.
         nonce: Nonce,
@@ -487,6 +495,7 @@ pub fn ReplicaType(
             grid_cache_blocks_count: u32 = Grid.Cache.value_count_max_multiple,
             release: u16,
             release_client_min: u16,
+            releases_bundled: vsr.ReleaseList,
         };
 
         /// Initializes and opens the provided replica using the options.
@@ -548,6 +557,7 @@ pub fn ReplicaType(
                 .grid_cache_blocks_count = options.grid_cache_blocks_count,
                 .release = options.release,
                 .release_client_min = options.release_client_min,
+                .releases_bundled = options.releases_bundled,
             });
 
             // Disable all dynamic allocation from this point onwards.
@@ -847,6 +857,7 @@ pub fn ReplicaType(
             grid_cache_blocks_count: u32,
             release: u16,
             release_client_min: u16,
+            releases_bundled: vsr.ReleaseList,
         };
 
         /// NOTE: self.superblock must be initialized and opened prior to this call.
@@ -889,6 +900,13 @@ pub fn ReplicaType(
             // Flexible quorums are safe if these two quorums intersect so that this relation holds:
             assert(quorum_replication + quorum_view_change > replica_count);
 
+            vsr.verify_release_list(options.releases_bundled.const_slice());
+            assert(std.mem.indexOfScalar(
+                u16,
+                options.releases_bundled.const_slice(),
+                options.release,
+            ) != null);
+
             self.time = options.time;
 
             // The clock is special-cased for standbys. We want to balance two concerns:
@@ -976,6 +994,7 @@ pub fn ReplicaType(
                 .quorum_majority = quorum_majority,
                 .release = options.release,
                 .release_client_min = options.release_client_min,
+                .releases_bundled = options.releases_bundled,
                 .nonce = options.nonce,
                 // Copy the (already-initialized) time back, to avoid regressing the monotonic
                 // clock guard.