LogFile_STD (LogFileImpl) fails to recover from getting out of space

[jviki]

Expected behavior

When there is no space on disk, the LogFileImpl::writeImpl should throw exception. If some space on the disk is freed, the LogFileImpl::writeImpl should recover and write normally to the log file.

Actual behavior

When there is no space on disk, the LogFileImpl::writeImpl should throw exception. If some space on the disk is freed, the LogFileImpl::writeImpl still throws an exception and does not recover. The reason is that the stream flags are never cleared. Thus the check

if (!_str.good()) throw WriteFileException(_path);

always throws the exception and the writes do not work because the stream is not in a good state.

Steps to reproduce the problem

• create a small loop device with some reserved space, eg.

dd if=/dev/zero of=test.loop bs=1024 count=56
sudo mkfs.fat test.loop
mkdir -p mnt-test
uid=`id -u`
gid=`id -g`
sudo mount -o loop,rw,uid=$uid,gid=$gid test.loop mnt-test
echo "reserve some space in the file system for testing" > mnt-test/reserve
df -h mnt-test

• setup logger and fill it with logs until the disk is full and Logger::log throws WriteFileException
• remove the reserved space (rm mnt-test/reserve)
• continue logging with the same logger instance, log a short message
• an exception is thrown however, it should not be...

void log(Logger &logger, int i)
{
        string text = 
                "abcdef0123456789abcdef0123456789"
                "abcdef0123456789abcdef0123456789"
                "abcdef0123456789abcdef0123456789";

        try {
                logger.critical(text + " %d", i); 
        }
        catch (const Exception &e) {
                logger.log(e); // here WriteFileException is thrown on no space
        }
}

int main(int argc, char **argv)
{
        unlink("mnt-test/test.log");

        Logger &logger = Logger::get("");

        // prepare channels to see progress in console while writing to the test.log file
        SplitterChannel *c = new SplitterChannel;
        ConsoleChannel *console = new ConsoleChannel;
        FileChannel *file = new FileChannel("mnt-test/test.log");
        c->addChannel(console);
        c->addChannel(file);
        logger.setChannel(c);

        for (int i = 0; ; ++i) {
                try {
                        log(logger, i); 
                }
                catch (...) {
                        break; // no more space, get out
                }
        }

        unlink("mnt-test/reserve"); // free the reserved space
        system("df -h mnt-test"); // check status of the testing file system

        try {
                logger.critical("unlinked reserve, try again"); // should be logged properly
        }
        catch (const Exception &e) {
                logger.log(e); // here, we fail when not recovered
        }
}

POCO version

any version

Compiler and version

g++ (GCC) 7.2.1

Operating system and version

Linux 4.9.67-1-lts

Other relevant information

I think that the LogFile_Win32 does not suffer from this issue because it does not work with the C++ streams.

The issue was discovered on a running system not with the provided testing code. It is a real problem, we have lost many hours of logs.

[aleks-f]

apparently, #1676 fix never made it back to 1.x

[aleks-f]

ah, looks like this is an additional problem - not handling well the recovery process after space is freed.

@jviki, I'm a bit busy to reproduce it now, can you please quick test if (in addition to fix in #1676) this takes care of it:

--- a/Foundation/src/LogFile_STD.cpp
+++ b/Foundation/src/LogFile_STD.cpp
@@ -43,7 +43,11 @@ void LogFileImpl::writeImpl(const std::string& text, bool flush)
                _str << std::endl;
        else
                _str << "\n";
-       if (!_str.good()) throw WriteFileException(_path);
+       if (!_str.good())
+       {
+               _str.clear();
+               throw WriteFileException(_path);
+       }
        _size = (UInt64) _str.tellp();
 }

[jviki]

Unfortunately, it is not entirely right. We do not loose log record anymore, that is better. But the failure on the stream does not always occur at boundary of the given text to log. I tested by the principle given above. The logging was recovered this time but with inconsistent log contents. The result before unlinking the reserve:

abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 364
abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 365

The result after the reserve was deleted (we have more space so continue...):

abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 364
abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 365
abcdef01abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 366

But expected:

abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 364
abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 365
abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 366

I suppose, the solution is:

• record the current position in the output file
• if failed: clear flags and seek back to the recorded position

I doubt this can be easily done via C++ streams.

[aleks-f]

To alleviate a temporary log file unavailability (for any reason) the portion that could not be written would have to be buffered in memory and then written to file when it becomes available; this is not a trivial change because the amount of data we are willing to buffer should be configurable through a property. If you are inclined to give it a try, send a pull, but it would have to be done for all supported platforms

[jviki]

Is seems that I've misleaded you out of the topic a bit. Please, reconsider the previous example without the "loose any log record", I wrote it in a wrong way...

I believe that there are 2 points to fix this issue:

1. Recover from a stream failure - this is solved by _str.clear()
2. Write whole text or nothing (transactional behaviour) - this requires to call ostream::tellp() and ostream::seekp() (I was wrong previously, it is possible to be done)

Only then the issue is solved. Yes, it can loose log records but the ones written successfully would be consistent.

And only after those two points are met (in all LogFile implementations), it might be possible to write some BufferingChannel to handle loosing of data issue when the output is broken temporarily. It can buffer logs driven by catching WriteFileExceptions. But this is out of the scope of this issue.

[aleks-f]

Yes, I agree; this can be achieved by modifying LogFileImpl::writeImpl() to write all or nothing and always maintains proper file position. LogFile::write() should have (an optional pointer) MemoryStream member for redirection when WriteFileException is caught. When there is no memory stream, or when its size is exceeded, WriteFileException should be propagated back to the caller.

[aleks-f]

Or something along these lines, I'm writing off the top of my head.
/cc @obiltschnig

[jviki]

I don't think that you need to maintain position globally. Just locally inside writeImpl(). Something like this:

const auto pos = _str.tellp();
...do write...
if (!_str) {
    _str.clear();
    _str.seekp(pos);
    throw WriteFileException("not written anything, try again");
}

No MemoryStream, nothing like that. The method writeImpl() would just write all or nothing with throwing the WriteFileException. Ok, more precisely, it would possibly write a fragment but rewrite it next time when it is possible. To write really "nothing", the file would have to be truncated in some way... but is it needed?

Any buffering can be done outside. The writeImpl() would not know about that, it does not need to.

Or am I missing something?

[aleks-f]

Just locally inside writeImpl()

Yes, that's what I meant - stream position is maintained in LogFileImpl::writeImpl(), the MemoryStream would be a pointer-member in LogFile, enabled only via non-default property setting, lazily created and used in LogFile::write(), when writeImpl() throws.