filetable: fix corruption caused by internal executor behavior leading to missing constraints

[ajwerner]

Describe the problem

Part of the schema change protocol requires a pre-commit hook where a bunch of stuff happens related to descriptor management and safety. When you use the internal executor API with a non-nil transaction, it bypasses the lifecycle
and state management which normally happens for SQL transactions. In particular, the deferred creation of jobs and
the checking of the two version invariant.

In the case of filetable, we see just that:

cockroach/pkg/cloud/userfile/filetable/file_table_read_writer.go

Lines 847 to 855 in 7f3bbf6

	addFKQuery := fmt.Sprintf(`ALTER TABLE %s ADD CONSTRAINT file_id_fk FOREIGN KEY (
	file_id) REFERENCES %s (file_id)`, f.GetFQPayloadTableName(), f.GetFQFileTableName())
	_, err = ie.ExecEx(ctx, "create-payload-table", txn,
	sessiondata.InternalExecutorOverride{User: f.username},
	addFKQuery)
	if err != nil {
	return errors.Wrap(err, "failed to add FK constraint to the payload table file_id column")
	}

The intention here is good, but the outcome is dramatically bad. The end result is that the table does not have the foreign key that was intended and the descriptor is corrupt in that it references a job which was never created.

To Reproduce

---

Update as of 2022-09-20: 3c44cad fixes the bug that allowed the corruption to occur, but this issue should remain open to track work to fix any corruption that exists out in the wild.

---

CREATE DATABASE to_backup;
CREATE DATABASE backups;
BACKUP DATABASE to_backup INTO 'userfile://backups.public.userfiles_$user/data';
SELECT * FROM backups.crdb_internal.invalid_objects;

  id  | database_name | schema_name |            obj_name            |                     error
------+---------------+-------------+--------------------------------+-------------------------------------------------
  118 | backups       | public      | userfiles_$user_upload_payload | mutation job 737535981478510593: job not found

SELECT t->'mutationJobs', t->'mutations'
  FROM (
        SELECT crdb_internal.pb_to_json('desc', descriptor)->'table' AS t
          FROM system.descriptor
         WHERE id = '"userfiles_$user_upload_payload"'::REGCLASS
       );

[{"jobId": "737535981478510593", "mutationId": 1}]
[
  {
    "constraint": {
      "check": {
        "constraintId": 3
      },
      "constraintType": "FOREIGN_KEY",
      "foreignKey": {
        "constraintId": 3,
        "name": "file_id_fk",
        "originColumnIds": [
          1
        ],
        "originTableId": 118,
        "referencedColumnIds": [
          2
        ],
        "referencedTableId": 117,
        "validity": "Validating"
      },
      "name": "file_id_fk",
      "uniqueWithoutIndexConstraint": {
        "constraintId": 3
      }
    },
    "direction": "ADD",
    "mutationId": 1,
    "state": "DELETE_ONLY"
  }
]

Jira issue: CRDB-13265

[blathers-crl]

cc @cockroachdb/bulk-io

[ajwerner]

Nominally I'm assigning this bug to @cockroachdb/bulk-io but there's badness about the internal executor. I really did think we were going to do things about it this release, but guess not.

[ajwerner]

my 2c is we should consider putting out a migration while we still can for 22.1.

[dt]

This looks like an internal executor bug... right?

[ajwerner]

Sure, yes, I mean, no, in that it's been this way for a long time and nobody said you could use it for schema changes and it has no contract because it's a hot pile, but also, yes, absolutely.

[ajwerner]

Or, let me put it differently, the root cause here is an internal executor bug. There are issues open about it and I feel like I even remember learning this fact at some point long ago. I'll see if I can dig up a paper trail. We should definitely do various things about it including detect and return errors if not outright fix the situation. However, there remains the fact that we have this problem right now and we have potentially corrupt descriptors out there in the wild because of it. That's what this issue tracks. I'll file another issue about the internal executor.

[dt]

but we absolutely can and do say you use it for schema changes in that most migrations do exactly that? but then this one schema change -- add fk -- fails? that smells like a bug in the executor, not misuse

[ajwerner]

When you use the internal executor API with a non-nil transaction

Emphasis added on with a non-nil transaction

[ajwerner]

The way the internal executor works is that when it manages the txn lifecycle (i.e. you pass it nil), then it runs the whole state machine. When you don't you just get this weirdness where you it moves itself to the open state with totally bogus extraTxnState and then when the statement finishes, throws that bogus extraTxnState away.

[ajwerner]

#71467 and #69495 and https://cockroachlabs.slack.com/archives/C0168LW5THS/p1611947857055600 and really most closely https://cockroachlabs.slack.com/archives/CARM0PTK4/p1599052027188000 (from 2020) come really close to calling out this problem directly, but the lack of investment in doing something about those issues and the myriad other issues which come from the untamed abomination that is the internal executor is what has allowed this wound to fester.

[dt]

Ooof, so we almost certainly have some existing broken tables out there too now don't we?

Adding sql-exp as IE's owners (right?) to see how they think we should proceed here.