MDEV-34529 Shrink the system tablespace when system tablespace contains MDEV-30671 leaked undo pages

[Thirunarayanan]

• The Jira issue number for this PR is: MDEV-34529

Description

• InnoDB fails to shrink the system tablespace when it contains
  the leaked undo log pages caused by MDEV-30671.

• InnoDB does free the unused segment in system tablespace
  before shrinking the tablespace.

inode_info: Structure to store the inode page and offsets.

fil_space_t::garbage_collect():
Frees the system tablespace unused segment

fsp_free_unused_seg(): Frees the unused segment

fsp_get_sys_used_segment(): Iterates through all default
file segment and index segment present in system tablespace.

How can this PR be tested?

Added the test case innodb.undo_leak which basically leaks the undo segment by purge thread.

Basing the PR against the correct MariaDB version

• This is a new feature or a refactoring, and the PR is based against the latest MariaDB development branch.
• This is a bug fix, and the PR is based against the earliest maintained branch in which the bug can be reproduced.

PR quality check

• I checked the [CODING_STANDARDS.md](https://github.com/MariaDB/server/blob/-/CODING_STANDARD- (https://github.com/MariaDB/server/blob/-/CODING_STANDARDS.md) file and my PR conforms to this where appropriate.
• For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[dr-m]

As far as I understand it, the current version of this change is tweaking the shrinking of the system tablespace so that any pages that do not belong to index trees that are declared in SYS_INDEXES will be ignored when determining the maximum allocated page number within the system tablespace.

This seems to be both wrong and insufficient.

1. Some pages of SYS_TABLES, SYS_INDEXES, SYS_COLUMNS and SYS_FIELDS could actually be stored in an area that the current patch would deem safe for truncation.
2. There could also be other objects that are allocated in the system tablespace, such as undo log pages that are reachable via the TRX_SYS page. (I think that the TRX_SYS page itself as well as the empty change buffer tree would not cause a problem.)
3. We fail to mark any leaked pages that are below the tweaked upper limit as free.

I think that for development and debugging, it would be good to implement something that pretty-prints the allocated page bitmap, possibly using different characters for representing allocated pages in different roles. For example, `'0' + (index_id & 63)`` for index pages, and some characters in the 0x21 to 0x2f range for anything else. And 0x20 (space) for pages that are marked as free. This should nicely illustrate the page leaks due to MDEV-31234 and allow us to understand if we have missed anything.

I think that it would be better to implement an isolated step that would mark as freed any leaked pages in the system tablespace. It could be independent of the shrinking logic.

[dr-m]

There is no diagnostic in case an error was reported, and no suggestion how to resolve the corruption (such as displaying the name of the problematic index and table that had been created with innodb_file_per_table=0). We wouldn’t even attempting a normal truncation in this case.

[dr-m]

It could be good to display the page number in hexadecimal at the start of each line.

[dr-m]

It would be good to add a comment that we can’t trust the FIL_PAGE_TYPE field unless space->full_crc32() holds. For other system tablespaces, the contents can be any garbage. The only guarantee is that if the page belongs to a B-tree, then the FIL_PAGE_TYPE will contain FIL_PAGE_INDEX. The opposite is not guaranteed.

[dr-m]

There is nothing formatted in the output; therefore we could as well use fputs or putc.

I was hoping that we would display something like 'A' + ((index_id - 10) % ('~' - 'A' + 1)) for pages that look like index pages. That would help identify them. This would leave the ASCII range ' ' to '?' (0x20 to 0x3f) available for displaying other leaked pages.

Compressed pages can’t exist in the system tablespace, neither page_compressed nor ROW_FORMAT=COMPRESSED.

[dr-m]

Some quick comments. I don’t think that an additional configuration parameter for enabling this is absolutely necessary.

[dr-m]

The @param does not match the parameter name.

[dr-m]

The logic looks good to me. My comments are mainly about coding style or API efficiency.

[dr-m]

Thank you, this looks mostly OK. I have a few nitpicks.

[dr-m]

Can you add a comment that says which existing function this is mimicing?

[Thirunarayanan]

This change is wrong. we shouldn't reset the rseg undo slots. Because undo object has already constructed
before this function. If we do that, we need to remove the respective undo objects. I think that is un-necessary.

[dr-m]

Could we latch all these pages before making any changes? In that way, we would not do anything irreversible before trying to make sure that the operation can succeed?

[dr-m]

At the start of this function, the operator[] call already inserted a nullptr to the std::map. We could have saved a reference to that, e.g.,

buf_block_t *&old= m_old_inode_entry[page_no];
if (old)
  return DB_SUCCESS;
//…
old= buf_LRU_get_free_block(have_no_mutex_soft);
return old ? DB_OUT_OF_MEMORY : DB_SUCCESS;

However, I do not quite understand the need for storing a copy of the page. Logic like this would make sense when we are shrinking the system tablespace and we expect to free most pages, rewriting only a few surviving pages of the system tablespace. In that case we wanted to minimize the amount of redo log written, so that everything can be done in a single atomic mini-transaction, with at most 2 MiB of log records.

Here we are handling a special case and we are allowed to use as many mini-transactions as it takes.

Can we structure the mini-transactions in such a way that we free only one leaked page per mini-transaction, after performing all necessary consistency checks? In that way, there should be no need to allocate any shadow pages. Yes, we may be modifying the same pages over and over again, but the buffer pool will cache the write-backs. Yes, we may write a lot of log records, but this is a very rarely executed clean-up of corrupted data, and it will not be executed by default.

[dr-m]

Can we split fseg_free_extent() to two separate: checking the consistency, and modifying the data? We should first only check the consistency.

[dr-m]

Can we first execute a loop that checks that all pages that we are going to free have been marked as allocated? And only after all consistency checks have passed, execute the modification?

[dr-m]

There seems to be a simpler approach:

• We would execute this extra freeing of leaked pages only on startup (not on shutdown) if the :autoshrink attribute is set on the system tablespace.
• We will structure the mini-transactions normally, with no special low-level error handling.
• If we notice any error, then we will:
  1. display an error message saying that :autoshrink is being ignored due to an error
  2. invoke log_buffer_flush_to_disk()
  3. execute InnoDB shutdown as if innodb_fast_shutdown=2 had been set
  4. pretend that :autoshrink was not set
  5. restart InnoDB

In this way, all changes right before the current mini-transaction will be recovered, and the server should start up without corrupting a corrupted system tablespace too much further.

[dr-m]

I do not quite understand the purpose of the old_insert_entry.insert() calls here. Are they really needed? If they are, why are we ignoring the return value?

[dr-m]

This is really close to completion. I did not debug the test case yet, but will do so on my final review.

[dr-m]

This is getting better, but some error handling could improved further.

[dr-m]

The error handling is almost there. I’d like to see some clarifying source code comments still.

[dr-m]

We could replace if (fseg_free_step_low(…) != DB_SUCCESS_LOCKED_REC) with

	return fseg_free_step_low(…) != DB_SUCCESS_LOCKED_REC;

But, is that what we really want here? Wouldn’t we want == DB_SUCCESS instead? That is, our caller should keep freeing as long there was no corruption and we have not freed everything yet? Our callers are btr_free_but_not_root(), which is followed by btr_free_root(), and trx_purge_free_segment(). I’d suggest to carefully review the logic in both. A source code comment could be useful here.

On a related note, I see that fseg_inode_free() is checking for DB_SUCCESS_LOCKED_REC. It seems to be the right course of action there.

[Thirunarayanan]

If the fseg_free_step_low() returns any error code other than DB_SUCCESS_LOCKED_REC then InnoDB
faced corruption or freed the segment successfully. So I think this condition is correct.

[dr-m]

I reviewed the test execution in a bit more detail. I think that we need to cover the existence of XA PREPARE transactions and improve some error handling and code coverage.

[dr-m]

Sorry, this still needs some minor refinement.

[dr-m]

How can undo_cached possibly contain any XA PREPARE transaction, or when can we have anything else than undo->state == TRX_UNDO_CACHED? As far as I can tell, the elements in undo_cached must have undo->size==1 and must carry the state TRX_UNDO_CACHED at offset TRX_UNDO_SEG_HDR + TRX_UNDO_STATE of that single page.

Can you replace the condition with undo->state != TRX_UNDO_CACHED and a debug assertion that would catch this failure?

[Thirunarayanan]

Yes, I was wrong. undo_cached must carry the state TRX_UNDO_CACHED and state has been changed during trx_purge_add_undo_to_history() . So we should check only for rseg.undo_list