kvnemesis: add crash operation support for fault injection testing

dodeca12 · dodeca12 · commit 0b2a65887d94 · 2026-01-02T14:03:25.000-05:00
Previously, `kvnemesis` could only simulate graceful node stops and restarts, which limited its ability to test crash recovery scenarios. This was inadequate because real-world failures often involve abrupt crashes of nodes, leaving data in an inconsistent state that must be recovered on restart. To address this, this patch adds crash operation support to `kvnemesis`. It extends `testcluster.TestCluster` with a `CrashServer` method that emulates a crash by stopping a server and creating a snapshot of its in-memory filesystems at the last sync point using `vfs.MemFS.CrashClone`. This simulates what would persist on disk after a real crash. The method also isolates the crashed node from peers by tripping circuit breakers, simulating network partition behavior. Circuit breakers automatically reset when the node restarts and connections are re-established. The patch adds `CrashNodeOperation` to the kvnemesis protobuf schema, integrates it into the generator to randomly crash nodes during test runs, implements crash application in the applier, and updates the validator to handle crash scenarios. The generator now tracks crashed nodes separately from stopped nodes. Release note: None Informs: #64828
diff --git a/pkg/kv/kvnemesis/applier.go b/pkg/kv/kvnemesis/applier.go
@@ -190,6 +190,11 @@ func (a *Applier) applyOp(ctx context.Context, db *kv.DB, op *Operation) {
 		err := a.env.ServerController.RestartServer(serverID)
 		a.nodes.setRunning(int(o.NodeId))
 		o.Result = resultInit(ctx, err)
+	case *CrashNodeOperation:
+		serverID := int(o.NodeId) - 1
+		a.env.ServerController.CrashNode(serverID)
+		a.nodes.setCrashed(int(o.NodeId))
+		o.Result = resultInit(ctx, nil)
 	case *ClosureTxnOperation:
 		// Use a backoff loop to avoid thrashing on txn aborts. Don't wait between
 		// epochs of the same transaction to avoid waiting while holding locks.
diff --git a/pkg/kv/kvnemesis/env.go b/pkg/kv/kvnemesis/env.go
@@ -30,6 +30,7 @@ type Logger interface {
 type ServerController interface {
 	StopServer(idx int)
 	RestartServer(idx int) error
+	CrashNode(idx int)
 }
 
 // Env manipulates the environment (cluster settings, zone configurations) that
diff --git a/pkg/kv/kvnemesis/generator.go b/pkg/kv/kvnemesis/generator.go
@@ -423,6 +423,8 @@ type FaultConfig struct {
 	StopNode int
 	// RestartNode is an operation that restarts a randomly chosen node.
 	RestartNode int
+	// CrashNode is an operation that crashes a randomly chosen node.
+	CrashNode int
 	// Disk stalls and other faults belong here.
 }
 
@@ -554,6 +556,7 @@ func newAllOperationsConfig() GeneratorConfig {
 			RemoveNetworkPartition: 1,
 			StopNode:               1,
 			RestartNode:            1,
+			CrashNode:              1,
 		},
 	}}
 }
@@ -654,6 +657,7 @@ func NewDefaultConfig() GeneratorConfig {
 	config.Ops.Fault.RemoveNetworkPartition = 0
 	config.Ops.Fault.StopNode = 0
 	config.Ops.Fault.RestartNode = 0
+	config.Ops.Fault.CrashNode = 0
 	return config
 }
 
@@ -811,6 +815,7 @@ type nodes struct {
 	mu      syncutil.RWMutex
 	running map[int]struct{}
 	stopped map[int]struct{}
+	crashed map[int]struct{}
 }
 
 func randNodeFromMap(m map[int]struct{}, rng *rand.Rand) int {
@@ -825,11 +830,26 @@ func (n *nodes) removeRandRunning(rng *rand.Rand) int {
 	return nodeID
 }
 
-func (n *nodes) removeRandStopped(rng *rand.Rand) int {
+// removeRandStoppedOrCrashed randomly picks a node from either the stopped or
+// crashed sets with uniform probability across all nodes.
+func (n *nodes) removeRandStoppedOrCrashed(rng *rand.Rand) int {
 	n.mu.Lock()
 	defer n.mu.Unlock()
-	nodeID := randNodeFromMap(n.stopped, rng)
-	delete(n.stopped, nodeID)
+	stopped := len(n.stopped)
+	crashed := len(n.crashed)
+
+	if stopped == 0 && crashed == 0 {
+		panic("no stopped or crashed nodes available")
+	}
+
+	var nodeID int
+	if rng.Intn(stopped+crashed) < stopped {
+		nodeID = randNodeFromMap(n.stopped, rng)
+		delete(n.stopped, nodeID)
+	} else {
+		nodeID = randNodeFromMap(n.crashed, rng)
+		delete(n.crashed, nodeID)
+	}
 	return nodeID
 }
 
@@ -845,6 +865,12 @@ func (n *nodes) setStopped(nodeID int) {
 	n.stopped[nodeID] = struct{}{}
 }
 
+func (n *nodes) setCrashed(nodeID int) {
+	n.mu.Lock()
+	defer n.mu.Unlock()
+	n.crashed[nodeID] = struct{}{}
+}
+
 // RandStep returns a single randomly generated next operation to execute.
 //
 // RandStep is not concurrency safe.
@@ -929,9 +955,12 @@ func (g *generator) RandStep(rng *rand.Rand) Step {
 	if len(g.nodes.running) > 0 {
 		addOpGen(&allowed, stopRandNode, g.Config.Ops.Fault.StopNode)
 	}
-	if len(g.nodes.stopped) > 0 {
+	if len(g.nodes.stopped) > 0 || len(g.nodes.crashed) > 0 {
 		addOpGen(&allowed, restartRandNode, g.Config.Ops.Fault.RestartNode)
 	}
+	if len(g.nodes.running) > 0 {
+		addOpGen(&allowed, crashRandNode, g.Config.Ops.Fault.CrashNode)
+	}
 
 	return step(g.selectOp(rng, allowed))
 }
@@ -1877,10 +1906,15 @@ func stopRandNode(g *generator, rng *rand.Rand) Operation {
 }
 
 func restartRandNode(g *generator, rng *rand.Rand) Operation {
-	randNode := g.nodes.removeRandStopped(rng)
+	randNode := g.nodes.removeRandStoppedOrCrashed(rng)
 	return restartNode(randNode)
 }
 
+func crashRandNode(g *generator, rng *rand.Rand) Operation {
+	randNode := g.nodes.removeRandRunning(rng)
+	return crashNode(randNode)
+}
+
 func isFollowerReadEligibleOp(op Operation) bool {
 	if op.Get != nil && op.Get.FollowerReadEligible {
 		return true
@@ -2529,6 +2563,10 @@ func restartNode(nodeID int) Operation {
 	return Operation{RestartNode: &RestartNodeOperation{NodeId: int32(nodeID)}}
 }
 
+func crashNode(nodeID int) Operation {
+	return Operation{CrashNode: &CrashNodeOperation{NodeId: int32(nodeID)}}
+}
+
 type countingRandSource struct {
 	count atomic.Uint64
 	inner rand.Source64
diff --git a/pkg/kv/kvnemesis/generator_test.go b/pkg/kv/kvnemesis/generator_test.go
@@ -80,6 +80,7 @@ func TestRandStep(t *testing.T) {
 	n := nodes{
 		running: map[int]struct{}{1: {}, 2: {}, 3: {}},
 		stopped: make(map[int]struct{}),
+		crashed: make(map[int]struct{}),
 	}
 	g, err := MakeGenerator(config, getReplicasFn, 0, &n)
 	require.NoError(t, err)
@@ -444,6 +445,11 @@ func TestRandStep(t *testing.T) {
 			n.mu.Lock()
 			n.running[int(o.NodeId)] = struct{}{}
 			n.mu.Unlock()
+		case *CrashNodeOperation:
+			counts.Fault.CrashNode++
+			n.mu.Lock()
+			n.crashed[int(o.NodeId)] = struct{}{}
+			n.mu.Unlock()
 		default:
 			t.Fatalf("%T", o)
 		}
diff --git a/pkg/kv/kvnemesis/kvnemesis.go b/pkg/kv/kvnemesis/kvnemesis.go
@@ -109,6 +109,7 @@ func RunNemesis(
 	n := nodes{
 		running: make(map[int]struct{}),
 		stopped: make(map[int]struct{}),
+		crashed: make(map[int]struct{}),
 	}
 	for i := 1; i <= config.NumNodes; i++ {
 		// In liveness mode, we don't allow stopping and restarting the two
diff --git a/pkg/kv/kvnemesis/kvnemesis_test.go b/pkg/kv/kvnemesis/kvnemesis_test.go
@@ -270,7 +270,7 @@ func (cfg kvnemesisTestCfg) testClusterArgs(
 		}
 	}
 
-	reg := fs.NewStickyRegistry()
+	reg := fs.NewStickyRegistry(fs.UseStrictMemFS)
 	lisReg := listenerutil.NewListenerRegistry()
 	args := base.TestClusterArgs{
 		ReusableListenerReg: lisReg,
@@ -583,6 +583,47 @@ func TestKVNemesisMultiNode_Restart_Liveness(t *testing.T) {
 	})
 }
 
+func TestKVNemesisMultiNode_Crash(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+	defer log.Scope(t).Close(t)
+
+	testKVNemesisImpl(t, kvnemesisTestCfg{
+		numNodes:                     4,
+		numSteps:                     defaultNumSteps,
+		concurrency:                  5,
+		seedOverride:                 0,
+		invalidLeaseAppliedIndexProb: 0.2,
+		injectReproposalErrorProb:    0.2,
+		// assertRaftApply is disabled because the asserter assumes no node
+		// restarts (see asserter.go:29).
+		//
+		// Crashing nodes violates this assumption since node crashes differ
+		// from graceful restarts (abrupt stop vs a graceful shutdown).
+		//
+		// There's a race condition in crash simulation where
+		// CrashNode/CrashClone() can run while the server is still active, so
+		// WAL syncs and Raft applies can complete between the snapshot and
+		// stopServerLocked(). When assertRaftApply is true, the Asserter may
+		// record applies that aren't in the crash snapshot; after restart, the
+		// replica recovers from an earlier snapshot and re-applies, causing the
+		// Asserter to flag a false regression. This is a bug in the crash
+		// simulation code, not a bug in the database logic.
+		// TODO(dodeca12): resolve crash simulation bug for kvnemesis crashes for
+		// when assertRaftApply is true.
+		assertRaftApply: false,
+		mode:            Liveness,
+		testGeneratorConfig: func(cfg *GeneratorConfig) {
+			cfg.Ops.Fault.CrashNode = 1
+			cfg.Ops.Fault.RestartNode = 1
+
+			// Disallow replica changes because they interfere with the zone config
+			// constraints (at least one replica on nodes 1 and 2).
+			cfg.Ops.ChangeReplicas = ChangeReplicasConfig{}
+		},
+	},
+	)
+}
+
 func TestKVNemesisMultiNode(t *testing.T) {
 	defer leaktest.AfterTest(t)()
 	defer log.Scope(t).Close(t)
diff --git a/pkg/kv/kvnemesis/operations.go b/pkg/kv/kvnemesis/operations.go
@@ -74,6 +74,8 @@ func (op Operation) Result() *Result {
 		return &o.Result
 	case *RestartNodeOperation:
 		return &o.Result
+	case *CrashNodeOperation:
+		return &o.Result
 	default:
 		panic(errors.AssertionFailedf(`unknown operation: %T %v`, o, o))
 	}
@@ -254,6 +256,8 @@ func (op Operation) format(w *strings.Builder, fctx formatCtx) {
 		o.format(w, fctx)
 	case *RestartNodeOperation:
 		o.format(w, fctx)
+	case *CrashNodeOperation:
+		o.format(w, fctx)
 	default:
 		fmt.Fprintf(w, "%v", op.GetValue())
 	}
@@ -526,12 +530,17 @@ func (op RemoveNetworkPartitionOperation) format(w *strings.Builder, fctx format
 }
 
 func (op StopNodeOperation) format(w *strings.Builder, fctx formatCtx) {
-	fmt.Fprintf(w, `env.Restarter.StopNode(%d)`, int(op.NodeId))
+	fmt.Fprintf(w, `env.ServerController.StopNode(%d)`, int(op.NodeId))
 	op.Result.format(w)
 }
 
 func (op RestartNodeOperation) format(w *strings.Builder, fctx formatCtx) {
-	fmt.Fprintf(w, `env.Restarter.RestartNode(%d)`, int(op.NodeId))
+	fmt.Fprintf(w, `env.ServerController.RestartNode(%d)`, int(op.NodeId))
+	op.Result.format(w)
+}
+
+func (op CrashNodeOperation) format(w *strings.Builder, fctx formatCtx) {
+	fmt.Fprintf(w, `env.ServerController.CrashNode(%d)`, int(op.NodeId))
 	op.Result.format(w)
 }
 
diff --git a/pkg/kv/kvnemesis/operations.proto b/pkg/kv/kvnemesis/operations.proto
@@ -206,6 +206,11 @@ message RestartNodeOperation {
   Result result = 2 [(gogoproto.nullable) = false];
 }
 
+message CrashNodeOperation {
+  int32 node_id = 1;
+  Result result = 2 [(gogoproto.nullable) = false];
+}
+
 message Operation {
   option (gogoproto.goproto_stringer) = false;
   option (gogoproto.onlyone) = true;
@@ -242,6 +247,7 @@ message Operation {
   RemoveNetworkPartitionOperation removeNetworkPartition = 28;
   StopNodeOperation stopNode = 29;
   RestartNodeOperation restartNode = 30;
+  CrashNodeOperation crashNode = 31;
 }
 
 enum ResultType {
diff --git a/pkg/kv/kvnemesis/validator.go b/pkg/kv/kvnemesis/validator.go
@@ -1024,6 +1024,9 @@ func (v *validator) processOp(op Operation) {
 	case *RestartNodeOperation:
 		execTimestampStrictlyOptional = true
 		v.checkError(op, t.Result)
+	case *CrashNodeOperation:
+		execTimestampStrictlyOptional = true
+		v.checkError(op, t.Result)
 	default:
 		panic(errors.AssertionFailedf(`unknown operation type: %T %v`, t, t))
 	}
diff --git a/pkg/testutils/testcluster/BUILD.bazel b/pkg/testutils/testcluster/BUILD.bazel
@@ -48,6 +48,7 @@ go_library(
         "//pkg/util/tracing/tracingpb",
         "@com_github_cockroachdb_errors//:errors",
         "@com_github_cockroachdb_logtags//:logtags",
+        "@com_github_cockroachdb_pebble//vfs",
         "@com_github_stretchr_testify//require",
     ],
 )
diff --git a/pkg/testutils/testcluster/testcluster.go b/pkg/testutils/testcluster/testcluster.go
@@ -61,6 +61,7 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/util/tracing/tracingpb"
 	"github.com/cockroachdb/errors"
 	"github.com/cockroachdb/logtags"
+	"github.com/cockroachdb/pebble/vfs"
 	"github.com/stretchr/testify/require"
 )
 
@@ -2056,6 +2057,91 @@ func (tc *TestCluster) RestartServerWithInspect(
 		})
 }
 
+// isolateNodeFromPeers trips circuit breakers on the crashed node's dialer to
+// isolate it from all peer nodes. This simulates network partition behavior
+// during a crash. The circuit breakers will automatically reset when the node
+// is restarted and connections are successfully re-established via the
+// background `AsyncProbe` mechanism; manual undo is not needed.
+func (tc *TestCluster) isolateNodeFromPeers(idx int) {
+	nodeDialer, ok := tc.Servers[idx].NodeDialer().(*nodedialer.Dialer)
+	if !ok {
+		return
+	}
+	for peerIdx := range tc.Servers {
+		if peerIdx == idx {
+			continue
+		}
+		peerNodeID := tc.Servers[peerIdx].NodeID()
+		for c := 0; c < rpcbase.NumConnectionClasses; c++ {
+			if brk, found := nodeDialer.GetCircuitBreaker(
+				peerNodeID,
+				rpcbase.ConnectionClass(c),
+			); found {
+				brk.Report(errors.New("connection terminated by crash emulation"))
+			}
+		}
+	}
+}
+
+// CrashNode emulates a crash of the server at the given index by stopping it
+// and creating a snapshot of its in-memory filesystems (capturing state at the
+// last sync point). This allows testing crash recovery scenarios. Requires all
+// stores to use sticky VFS with in-memory storage. Also reports connection
+// failures to peer nodes' circuit breakers to simulate network disconnection.
+func (tc *TestCluster) CrashNode(idx int) {
+	tc.mu.Lock()
+	defer tc.mu.Unlock()
+
+	if tc.mu.serverStoppers[idx] == nil {
+		tc.t.Fatalf("server %d is already stopped", idx)
+	}
+
+	serverArgs := tc.serverArgs[idx]
+
+	serverKnobs, ok := serverArgs.Knobs.Server.(*server.TestingKnobs)
+	if !ok || serverKnobs.StickyVFSRegistry == nil {
+		tc.t.Fatalf(
+			"server %d does not have sticky VFS registry; crash emulation requires sticky VFS", idx)
+	}
+
+	// Isolate the crashed node from its peers by tripping circuit breakers.
+	// This simulates network partition behavior during a crash. Circuit breakers
+	// will automatically reset when the node is restarted and connections are
+	// successfully re-established (via background probe mechanisms), so no manual
+	// undo is needed.
+	//
+	// This step is first because we want to prevent any message sent after the
+	// CrashClone of the VFS. Otherwise it would be able to leak false durability
+	// signal into the cluster, such as with raft messages like
+	// MsgVoteResp / MsgAppResp.
+	tc.isolateNodeFromPeers(idx)
+
+	crashedVFSesMap := make(map[string]*vfs.MemFS)
+	for i, spec := range serverArgs.StoreSpecs {
+		if !spec.InMemory || spec.StickyVFSID == "" {
+			tc.t.Fatalf(
+				"crash emulation requires all stores to be in-memory with sticky VFS IDs; "+
+					"store %d on server %d does not meet requirements", i, idx)
+		}
+
+		// Get the current in-memory filesystem for this store and create a crash
+		// snapshot. CrashClone captures the filesystem state at the last sync point,
+		// simulating what would be on disk after a crash (only synced data survives).
+		currentVFS := serverKnobs.StickyVFSRegistry.Get(spec.StickyVFSID)
+		crashedVFSesMap[spec.StickyVFSID] = currentVFS.CrashClone(vfs.CrashCloneCfg{})
+	}
+
+	tc.stopServerLocked(idx)
+
+	// Replace the filesystems in the registry with the crash snapshots. When the
+	// server is restarted, it will see the filesystem state as it was at the last
+	// sync point (the crash snapshot), not the current state. This simulates a
+	// real crash where only synced data persists.
+	for stickyID, crashFS := range crashedVFSesMap {
+		serverKnobs.StickyVFSRegistry.Set(stickyID, crashFS)
+	}
+}
+
 // ServerStopped determines if a server has been explicitly
 // stopped by StopServer(s).
 func (tc *TestCluster) ServerStopped(idx int) bool {

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ type Logger interface {`
`30`	`30`	`type ServerController interface {`
`31`	`31`	`StopServer(idx int)`
`32`	`32`	`RestartServer(idx int) error`
	`33`	`+ CrashNode(idx int)`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`// Env manipulates the environment (cluster settings, zone configurations) that`
Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,7 @@ func RunNemesis(`
`109`	`109`	`n := nodes{`
`110`	`110`	`running: make(map[int]struct{}),`
`111`	`111`	`stopped: make(map[int]struct{}),`
	`112`	`+ crashed: make(map[int]struct{}),`
`112`	`113`	`}`
`113`	`114`	`for i := 1; i <= config.NumNodes; i++ {`
`114`	`115`	`// In liveness mode, we don't allow stopping and restarting the two`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,7 @@ go_library(`
`48`	`48`	`"//pkg/util/tracing/tracingpb",`
`49`	`49`	`"@com_github_cockroachdb_errors//:errors",`
`50`	`50`	`"@com_github_cockroachdb_logtags//:logtags",`
	`51`	`+ "@com_github_cockroachdb_pebble//vfs",`
`51`	`52`	`"@com_github_stretchr_testify//require",`
`52`	`53`	`],`
`53`	`54`	`)`