Changeset 25555 in project

Timestamp:

11/23/11 13:32:16 (9 years ago)

Author:

Alaric Snell-Pym

Message:

ugarit: Many minor improvements to crash safety (see README.txt)

Location:

release/4/ugarit/trunk

Files:

• README.txt (modified) (6 diffs)
• backend-cache.scm (modified) (5 diffs)
• backend-devtools.scm (modified) (3 diffs)
• backend-fs.scm (modified) (3 diffs)
• test.scm (deleted)
• test/run.scm (modified) (2 diffs)
• ugarit-backend.scm (modified) (4 diffs)
• ugarit-core.scm (modified) (7 diffs)

release/4/ugarit/trunk/README.txt

@@ -827 +827 @@
 ## Backends
 
+* Carefully document backend API for other backend authors: in
+  particular note behaviour in crash situations - we assume that after
+  a succesful flush! all previous blocks are safe, but after a flush,
+  if some blocks make it, then all previous blocks must have. Eg,
+  writes are done in order and periodically auto-flushed, in
+  effect. This invariant is required for the file-cache to be safe
+  (see v1.0.2).
+
+* Make splitlog see if writing the block will go over the log file
+  size limit, and if so, start a new file - rather than testing AFTER
+  writing, leading to a potential extra partial block beyond the
+  limit. It'd be nice to make it a hard limit.
+
+* Implement lock-tag! etc. in backend-fs, as a precaution against two
+  concurrent snapshots racing over updating the tag, where concurrent
+  access to the archive is even possible.
+
+* Lock the archive for writing in backend-splitlog, so that two
+  snapshots to the same archive don't collide. Do we lock per `put!`
+  to allow interleaving, or is that too inefficient? In which case, we
+  need to hold a lock that persists for a while, and release it
+  periodically to allow other writers to the same archive to have a
+  chance.
+
+* Make backend-splitlog write the current log file offset as well as
+  number into the metadata on each flush, and on startup, either
+  truncate the file to that position (to remove anything written but
+  not flushed to the metadata) or scan the log onwards from that point
+  to find (complete) blocks that did not get flushed to the metadata.
+
+* Make `lock-tag!` in backend-splitlog actually block until the tag is
+  not already locked! With a timeout and an apologetic error message
+  if it takes too long.
+
 * Extend the backend protocol with a special "admin" command that
   allows for arbitrary backend-specific operations, and write an
@@ -833 +867 @@
   should be an alist which is displayed to the user in a friendly
   manner, as "Key: Value\n" lines.
-
-* Extend the backend protocol with a `flush` command, such that
-  operations performed without a subsequent `flush` might not "stick" in
-  failure cases (make `close!` have an implicit `flush`, of
-  course). Use this to force an immediate commit in backends that use
-  sqlite, as well as the current practice of committing at close, tag
-  operations, and whenever it seems like a while has passed since the
-  last time. Make the frontend flush at crucial points.
 
 * Implement "info" admin commands for all backends, that list any
@@ -932 +958 @@
 ## Core
 
+* Make `fold-archive-node`'s listing of tags at the top level report
+  the lock status of the tags.
+
+* More stats. Log bytes written AFTER compression and encryption in
+  `archive-put!`. Log snapshot start and end times in the snapshot
+  object.
+
 * SIGINFO support. Add a SIGINFO handler that sets a flag, and make
   the `store-file!` and `store-directory!` main loops look for the
@@ -992 +1025 @@
   ACLs/streams, FAT attributes, etc... Ben says to look at Box Backup
   for some code to do that sort of thing.
-
-* Implement lock-tag! etc. in backend-fs, as a precaution against two
-  concurrent snapshots racing over updating the tag, where concurrent
-  access to the archive is even possible.
 
 * Deletion support - letting you remove snapshots. Perhaps you might
@@ -1053 +1082 @@
 ## Front-end
 
+* Add a command to force removing a tag lock.
+
+* Add a command to list all the tags (with a * next to locked tags)
+
 * Better error messages
 
@@ -1173 +1206 @@
   metadata. Switched to the `posix-extras` egg and ditched our own
   `posixextras.scm` wrappers. Used the `parley` egg in the `ugarit
-  explore` CLI for line editing.
+  explore` CLI for line editing. BUGFIX: Made file cache check the
+  file hashes it finds in the cache actually exist in the archive, to
+  protect against the case where a crash of some kind has caused
+  unflushed changes to be lost; the file cache may well have committed
+  changes that the backend hasn't, leading to references to
+  nonexistant blocks. Note that we assume that archives are
+  sequentially safe, eg if the final indirect block of a large file
+  made it, all the partial blocks must have made it too. BUGFIX: Added
+  an explicit `flush!` command to the backend protocol, and put
+  explicit flushes at critical points in higher layers
+  (`backend-cache`, the archive abstraction in the Ugarit core, and
+  when tagging a snapshot) so that we ensure the blocks we point at
+  are flushed before committing references to them in the
+  `backend-cache` or file caches, or into tags, to ensure crash safety.
 
 * 1.0.1: Consistency check on read blocks by default. Removed warning

release/4/ugarit/trunk/backend-cache.scm

@@ -24 +24 @@
    (define *updates-since-last-commit* 0)
    (define (flush!)
-     (exec (sql *db* "COMMIT;"))
-     (exec (sql *db* "BEGIN;"))
-     (set! *updates-since-last-commit* 0))
+     (when (> *updates-since-last-commit* 0)
+      (exec (sql *db* "COMMIT;"))
+      (exec (sql *db* "BEGIN;"))
+      (set! *updates-since-last-commit* 0)))
    (define (maybe-flush!)
      (inc! *updates-since-last-commit*)
      (when (> *updates-since-last-commit* commit-interval)
+           ((storage-flush! be))
            (flush!)))
 
@@ -59 +61 @@
             (cache-set! key type)
             (void)))
+      (lambda ()                        ; flush!
+        (begin
+          ((storage-flush! be))
+          (flush!)
+          (void)))
       (lambda (key) ; exists?
          (or
@@ -76 +83 @@
       (lambda (tag key) ; set-tag!
         ((storage-set-tag! be) tag key)
+        ((storage-flush! be))
         (flush!))
       (lambda (tag) ; tag
@@ -83 +91 @@
       (lambda (tag) ; remove-tag!
          ((storage-remove-tag! be) tag)
+         ((storage-flush! be))
          (flush!))
       (lambda (tag) ; lock-tag!
          ((storage-lock-tag! be) tag)
+         ((storage-flush! be))
          (flush!))
       (lambda (tag) ; tag-locked?
@@ -91 +101 @@
       (lambda (tag) ; unlock-tag!
          ((storage-unlock-tag! be) tag)
-         (flush!))
+          ((storage-flush! be))
+          (flush!))
       (lambda () ; close!
-         ((begin
-            (exec (sql *db* "COMMIT;"))
-            (close-database *db*)
-            (storage-close! be))))))
+        (begin
+          ((storage-close! be))
+          (exec (sql *db* "COMMIT;"))
+          (close-database *db*)))))
 
 

release/4/ugarit/trunk/backend-devtools.scm

@@ -6 +6 @@
       (lambda (key data type) ; put!
          ((storage-put! be) key data type))
+      (lambda () ; flush!
+        ((storage-flush! be)))
       (lambda (key) ; exists?
          ((storage-exists? be) key))
@@ -38 +40 @@
       (lambda (key data type) ; put!
          ((storage-put! be) key data type))
+      (lambda () ; flush!
+        ((storage-flush! be)))
       (lambda (key) ; exists?
          ((storage-exists? be) key))
@@ -72 +76 @@
             (printf "~A: (put! ~A ~A ~A)\n" name key data type)
             ((storage-put! be) key data type)))
+
+      (lambda () ; flush!
+        (begin
+          (printf "~A: (flush!)\n" name)
+          ((storage-flush! be))))
+
       (lambda (key) ; exists?
          (let ((result ((storage-exists? be) key)))

release/4/ugarit/trunk/backend-fs.scm

@@ -76 +76 @@
                (rename-file (make-name key ".type~") (make-name key ".type"))
                (void))))
+      (lambda () (void)) ; flush! - a no-op for us
       (lambda (key) ; exists?
          (if (file-read-access? (make-name key ".data"))
@@ -211 +212 @@
          (*updates-since-last-commit* 0)
          (flush! (lambda ()
-                   (set-metadata "current-logfile" (number->string *logcount*))
-                   (exec (sql *db* "COMMIT;"))
-                   (exec (sql *db* "BEGIN;"))
-                   (set! *updates-since-last-commit* 0)))
+                   (when (> *updates-since-last-commit* 0)
+                    (set-metadata "current-logfile" (number->string *logcount*))
+                    (exec (sql *db* "COMMIT;"))
+                    (exec (sql *db* "BEGIN;"))
+                    (set! *updates-since-last-commit* 0))))
          (maybe-flush! (lambda ()
                          (inc! *updates-since-last-commit*)
@@ -286 +288 @@
              (set-block-data! key type *logcount* (+ (string-length header) posn) (u8vector-length data))
              (void)))
+
+         (lambda ()                     ; flush!
+           (flush!)
+           (void))
 
          (lambda (key) ; exists?

release/4/ugarit/trunk/test/run.scm

@@ -478 +478 @@
                                                      (cons snapshot acc))
                                                    '()))
-                 (pp result)
                  (test-assert "History has expected form"
                               (match result
@@ -505 +504 @@
                  (test-define-values "Walk the history of tag 'Test' with fold-archive-node" (tag)
                                      (fold-archive-node a '(tag . "Test") (lambda (name dirent acc) (cons (cons name dirent) acc)) '()))
-                 (pp tag)
                  (test-assert "Tag history has expected form"
                               (match tag

release/4/ugarit/trunk/ugarit-backend.scm

@@ -6 +6 @@
          storage-unlinkable?
          storage-put!
+         storage-flush!
          storage-exists?
          storage-get
@@ -36 +37 @@
   writable? ; Boolean: Can we call put!, link!, unlink!, set-tag!, lock-tag!, unlock-tag!?
   unlinkable? ; Boolean: Can we call unlink?
-  put! ; Procedure: (put key data type) - stores the data (u8vector) under the key (string) with the given type tag (symbol) and a refcount of 1. Does nothing of the key is already in use.
+  put! ; Procedure: (put! key data type) - stores the data (u8vector) under the key (string) with the given type tag (symbol) and a refcount of 1. Does nothing of the key is already in use.
+  flush! ; Procedure: (flush!) - all previous changes must be flushed to disk by the time the continuation is applied.
   exists? ; Procedure: (exists? key) - returns the type of the block with the given key if it exists, or #f otherwise
   get ; Procedure: (get key) - returns the contents (u8vector) of the block with the given key (string) if it exists, or #f otherwise
@@ -99 +101 @@
                (write #t)))
             (loop))
+
+           (('flush!)
+            (with-error-reporting
+             ((storage-flush! storage))
+             (write #t))
+            (loop))
 
            (('exists? key)
@@ -229 +237 @@
               (void))
 
+            (lambda ()                  ; flush!
+              (if debug (printf "~a: flush!" command-line))
+              (write `(flush!) commands)
+              (read-response responses)
+              (void))
+
             (lambda (key)               ; exists?
               (if debug (printf "~a: exists?" command-line))

release/4/ugarit/trunk/ugarit-core.scm

@@ -15 +15 @@
          archive-get
          archive-put!
+         archive-flush!
          archive-remove-tag!
          archive-set-tag!
@@ -55 +56 @@
          extract-directory!
          extract-object!
+         ; FIXME: These two will be useful in future
+         ;verify-directory!
+         ;verify-object!
          snapshot-directory-tree!
          tag-snapshot!
@@ -146 +150 @@
 (define (file-cache-put! archive file-path mtime size key)
   (when (> file-cache-commit-interval (archive-file-cache-updates-uncommitted archive))
+        ((storage-flush! (archive-storage archive))) ; Flush the storage before we commit our cache, for crash safety
         (exec (sql (archive-file-cache archive) "commit;"))
         (exec (sql (archive-file-cache archive) "begin;"))
@@ -358 +363 @@
   (void))
 
+(define (archive-flush! archive)
+  ((storage-flush! (archive-storage archive))) ; Flush the storage first, to ensure crash safety
+  (when (archive-file-cache archive)
+        (exec (sql (archive-file-cache archive) "commit;"))
+        (exec (sql (archive-file-cache archive) "begin;"))
+        (set! (archive-file-cache-updates-uncommitted archive) 0)))
+
 (define (archive-exists? archive key)
   ((storage-exists? (archive-storage archive)) key))
@@ -412 +424 @@
 
 (define (archive-close! archive)
+  ((storage-close! (archive-storage archive))) ;; This flushes the backend before we flush the file cache, for crash safety
   (when (archive-file-cache archive)
         (exec (sql (archive-file-cache archive) "commit;"))
         (close-database (archive-file-cache archive)))
-  ((storage-close! (archive-storage archive))))
+  (void))
 
 ;;
@@ -626 +639 @@
                (size (vector-ref file-stat 5))
                (cache-result (file-cache-get archive file-path mtime size)))
-          (if cache-result ;; FIXME: This assumes that the cached file IS in the archive. Give a configurable option to make it check this, making the file-cache a file hash cache rather than also being an archive presence cache like backend-cache as well, for safety.
+          (if (and cache-result (archive-exists? archive cache-result))
               (begin
                 (inc! (archive-file-cache-hits archive))
@@ -1085 +1098 @@
     (let-values (((snapshot-key snapshot-reused?)
                   (store-sexpr! archive snapshot 'snapshot keys)))
-      (archive-set-tag! archive tag snapshot-key)
+      (archive-flush! archive) ; After this point we can be sure that the snapshot and all blocks it refers to are stably stored
+      (archive-set-tag! archive tag snapshot-key) ; Therefore, we can be confident in saving it in a tag.
       (archive-unlock-tag! archive tag)
       snapshot-key)))