Fix possible data corruption after FileStorage is truncated to roll back a transaction #52
Conversation
|
@jmuchemb Can you please open a separate PR against the 3.10 branch (maybe after responding to review below). @jimfulton This patch looks reasonable to me, but doesn't contain tests that the pooled files have been flushed. Can you suggest a reasonable strategy for such a test? |
|
Well, it should be possible to set up a simple scenario that demonstrates the problem without a stress test:
If you can reproduce the problem without the patch, then you can try it with the patch, and if that fixes it, you have a test. One thing that puzzles me is that when reading, file-storage seeks to the record position of the record read, and IIRC seek flushes before seeking, but perhaps I'm mistaken. |
jmuchemb
force-pushed
the
fs-flush_after_truncate
branch
from
50d0b74
to
5311b51
Compare
|
I added a unit test, and Travis reports the fix only works for Python 2. I need a Python3 setup of ZODB... |
|
Thanks Julien. |
|
@jmuchemb If you have |
|
There's no API in Python 3 to invalidate the read buffer of a file that is open in read-only mode. So we have the choice between:
|
jmuchemb
force-pushed
the
fs-flush_after_truncate
branch
from
5311b51
to
8a3aa0a
Compare
|
I chose the first solution and all tests pass. |
…ack a transaction Multi-threaded IO support, which is new to ZODB 3.10, allows clients to read data (load & loadBefore) even after tpc_vote has started to write a new transaction to disk. This is done by using different 'file' objects. Issues start when a transaction is rolled back after data has been appended (using the writing file object). Truncating is not enough because the FilePool may have been used concurrently to read the end of the last transaction: file objects have their own read buffers which, in this case, may also contain the beginning of the aborted transaction. So a solution is to invalidate read buffers whenever they may contain wrong data. This patch does it on truncation, which happens rarely enough to not affect performance. We discovered this bug in the following conditions: - ZODB splitted in several FileStorage - many conflicts in the first committed DB, but always resolved - unresolved conflict in another DB If the transaction is replayed with success (no more conflict in the other DB), a subsequent load of the object that could be resolved in the first DB may, for example, return a wrong serial (tid of the aborted transaction) if the layout of the committed transaction matches that of the aborted one. The bug usually manifests with POSKeyError & CorruptedDataError exceptions in ZEO logs, for example while trying to resolve a conflict (and restarting the transaction does not help, causing Site Errors in Zope). But theorically, this could also cause silent corruption or unpickling errors at client side.
jmuchemb
force-pushed
the
fs-flush_after_truncate
branch
from
8a3aa0a
to
06df0eb
Compare
Contrary to empty(), I think flush() also needs to use write_lock() for Python 3, so I amended with the following change: --- a/src/ZODB/FileStorage/FileStorage.py
+++ b/src/ZODB/FileStorage/FileStorage.py
@@ -2108,7 +2108,9 @@ def flush(self):
# Unfortunately, Python 3.x has no API to flush read buffers.
if sys.version_info.major > 2:
- flush = empty
+ def flush(self):
+ with self.write_lock():
+ self.empty()
def close(self):
with self._cond:I also did another commit to update the changelog. |
|
Sadly, flushing isn't good enough on Python 2 and mac. Making a new PR to always empty. |
|
Contrary to Python 3, Python 2 uses file functions from the C standard library (here fflush), so it's possible that the optimization only worked with the glibc. |
See the commit message for more information.
I wanted to attach the stress test I wrote to reproduce and understand the issue, but GitHub does not want *.py files. It was already sent to the mailing-list so you can find it there:
http://thread.gmane.org/gmane.comp.web.zope.zodb/12685/focus=12751
I'd like to also apply it on 3.10 branch.
/cc @vpelletier