libroach: timebound iterator metadata doesn't consider intents

[danhhz]

Note: I haven't confirmed this behavior in practice, it's currently theoretical from reading code. Holding off on the severity label until it's confirmed. The fix will need to be backported into 2.0

When computing which timestamps are present in an sstable for the time bound iterator performance optimization, all keys without a timestamp are ignored, which includes intents. This means that certain (probably unlikely) compactions will result in a situation where a time bounded iterator reading from [t1,t2] will miss an intent at t2.

cockroach/c-deps/libroach/timebound.cc

Lines 38 to 53 in 8b684ff

	rocksdb::Status AddUserKey(const rocksdb::Slice& user_key, const rocksdb::Slice& value,
	rocksdb::EntryType type, rocksdb::SequenceNumber seq,
	uint64_t file_size) override {
	rocksdb::Slice unused;
	rocksdb::Slice ts;
	if (SplitKey(user_key, &unused, &ts) && !ts.empty()) {
	ts.remove_prefix(1); // The NUL prefix.
	if (ts_max_.empty() || ts.compare(ts_max_) > 0) {
	ts_max_.assign(ts.data(), ts.size());
	}
	if (ts_min_.empty() || ts.compare(ts_min_) < 0) {
	ts_min_.assign(ts.data(), ts.size());
	}
	}
	return rocksdb::Status::OK();
	}

Backup uses timebounded iterators and does a read at a certain timestamp until all intents below that timestamp have been resolved one way or another. This bug means that backup could incorrectly proceed with an unresolved intent. If this intent is later rolled back, the backup would contain a value that was never committed.

CDC will have similar correctness issues.

Several fixes are possible with various performance tradeoffs. An partial list:

• Include intents in the time bound metadata. This requires unmarshalling every mvcc metadata proto in the sst and is probably too expensive, especially for inline values like timeseries.
• Disable time bound metadata for any sstable containing intents. This will cause the time bound iterator to always look in the file, so will be correct but a performance pessimization.
• Some combination of the two based on how many intents are in the file or where in the keyspace it is.

[benesch]

Backup uses timebounded iterators and does a read at a certain timestamp until all intents below that timestamp have been resolved one way or another. This bug means that backup could incorrectly proceed with an unresolved intent. If this intent is later rolled back, the backup would contain a value that was never committed.

I don't think this exact scenario is possible. If the time bound iterator accidentally excludes a lingering intent from an aborted transaction, it's no problem, as the backup wasn't supposed to contain that intent anyway. The problem, as far as I can see, arises when the iterator excludes a lingering intent from a committed transaction; that intent needed to be promoted to a write, but the backup will not include that write.

[nvb]

When an intent is laid down, we write two keys: the MVCCMetadata key at ts=0 that indicates that an intent exists and the provisional value at ts=value_ts that holds the intent's value. When we commit an intent, we actually just delete the MVCCMetadata key, effectively "revealing" the provisional value as committed.

I think the issue here is that if an intent's MVCCMetadata key is split in a different sst from its provisional value key, it's possible that a timebound iterator scans only over the sst with the provisional value key. In that case, the value will look committed even though it's not! I think the hazard arises when the intent is either aborted or pushed before being committed. If this happens, the backup would contain a value that was never committed or was committed at a later timestamp.

[benesch]

Gah! My understanding was still subtly wrong. Thanks for the clarification, @nvanbenschoten.

There's now two other solutions, though I'm not sure how well supported by RocksDB they are. One is to simply disallow splitting a metadata key from its actual values. The other is to only look at the last key in an SST. If it's a metadata key, then we need to look in and see if there's an intent. Only in that case do we need to erase the timestamp bounds on the SST.

[benesch]

Also, no wonder we haven't seen this in practice.

[benesch]

I'm upgrading this to S-1 to hopefully get more visibility. I think this needs to get fixed for v2.1. We haven't seen this in practice, but that's the nature of this bug: you would never notice when it happened.

@petermattis putting this on your radar. Is there anyone who can take a look at this?