MB-59518: Stop PassiveStream from processing commit against active VB

jimwwalker · jimwwalker · commit 0e6003c6239a · 2023-11-15T15:15:23.000Z
Add VBucket state checks to processCommit so that the commit is not processed against an active vbucket. Without the state check a buffered commit could be processed concurrently with a replica->active state change. A unit test is added which reproduced the issue by buffering a commit and using a test hook to change state whilst the buffered data is processed. Note this bug extends to: * abort * mutation, deletion, system-event * snapshot marker Subsequent patches address these operations. Change-Id: Ifb5e1c7703d7fe2af0b92b699dffb091dea0b235 Reviewed-on: https://review.couchbase.org/c/kv_engine/+/200568 Reviewed-by: Dave Rigby <daver@couchbase.com> Tested-by: Jim Walker <jim@couchbase.com> Well-Formed: Restriction Checker
diff --git a/engines/ep/src/dcp/passive_stream.cc b/engines/ep/src/dcp/passive_stream.cc
@@ -818,6 +818,10 @@ cb::engine_errc PassiveStream::processCommit(
     if (!vb) {
         return cb::engine_errc::not_my_vbucket;
     }
+    folly::SharedMutex::ReadHolder rlh(vb->getStateLock());
+    if (!permittedVBStates.test(vb->getState())) {
+        return cb::engine_errc::not_my_vbucket;
+    }
 
     auto rv = vb->commit(commit.getKey(),
                          commit.getPreparedSeqno(),
diff --git a/engines/ep/src/dcp/passive_stream.h b/engines/ep/src/dcp/passive_stream.h
@@ -11,6 +11,7 @@
 #pragma once
 
 #include "dcp/stream.h"
+#include "permitted_vb_states.h"
 #include "spdlog/common.h"
 #include "utilities/testing_hook.h"
 #include "vbucket_fwd.h"
@@ -434,4 +435,9 @@ class PassiveStream : public Stream {
 
     // True if the consumer/producer enabled FlatBuffers
     bool flatBuffersSystemEventsEnabled{false};
+
+    // Set of states that the vbucket must match for a PassiveStream to attempt
+    // processing messages.
+    const PermittedVBStates permittedVBStates{vbucket_state_replica,
+                                              vbucket_state_pending};
 };
diff --git a/engines/ep/tests/module_tests/dcp_durability_stream_test.cc b/engines/ep/tests/module_tests/dcp_durability_stream_test.cc
@@ -4551,6 +4551,92 @@ TEST_P(DurabilityPassiveStreamPersistentTest, BufferDcpAbort) {
     EXPECT_EQ(ackBytes, consumer->getFlowControl().getFreedBytes());
 }
 
+// MB-59518 is an issue where a DCP passive-stream processed a commit against
+// an active vbucket resulting in a duplicate commit (and failure). The issue
+// occurred because it was possible to reach the VBucket::commit function
+// during a replica->active state change provided that operations are buffered.
+// The fix was to put strong VBucket state checks in the PassiveStream commit
+// path.
+TEST_P(DurabilityPassiveStreamPersistentTest, ReplicaToActiveBufferedCommit) {
+    // Begin by pushing a mutation. Only to get away from seqno:0
+    auto key = makeStoredDocKey("key");
+    EXPECT_EQ(cb::engine_errc::success,
+              snapshot(*consumer, stream->getOpaque(), 1, 1));
+    EXPECT_EQ(cb::engine_errc::success,
+              mutation(*consumer, stream->getOpaque(), key, 1));
+    flushVBucketToDiskIfPersistent(vbid);
+
+    // Now push a prepare onto the replica.
+    auto durableKey = makeStoredDocKey("durable");
+    EXPECT_EQ(cb::engine_errc::success,
+              snapshot(*consumer, stream->getOpaque(), 2, 2));
+    EXPECT_EQ(cb::engine_errc::success,
+              prepare(*consumer, stream->getOpaque(), durableKey, 2));
+    flushVBucketToDiskIfPersistent(vbid);
+
+    // Now begin buffering.
+    auto& stats = engine->getEpStats();
+    stats.replicationThrottleThreshold = 0;
+    const size_t size = stats.getMaxDataSize();
+    engine->setMaxDataSize(1);
+    ASSERT_EQ(ReplicationThrottle::Status::Pause,
+              engine->getReplicationThrottle().getStatus());
+
+    auto vb = engine->getVBucket(vbid);
+
+    // Buffer the commit of the prepare
+    EXPECT_EQ(cb::engine_errc::success,
+              snapshot(*consumer, stream->getOpaque(), 3, 3));
+    EXPECT_EQ(cb::engine_errc::success,
+              commit(*consumer, stream->getOpaque(), durableKey, 2, 3));
+    EXPECT_EQ(2, vb->getHighSeqno());
+
+    std::function<void()> hook = [this]() {
+        // Change the vbucket state using the hook. This will happen whilst the
+        // consumer buffering "thread" has a stream pointer.
+        setVBucketState(vbid,
+                        vbucket_state_active,
+                        nlohmann::json::parse(R"({"topology":[["active"]]})"),
+                        TransferVB::No);
+    };
+    stream->setProcessBufferedMessages_postFront_Hook(hook);
+
+    // And process the buffered commit. This commit should be rejected. Prior
+    // to the fix it would be processed against the active.
+    stats.replicationThrottleThreshold = 99;
+    engine->setMaxDataSize(size);
+    ASSERT_EQ(ReplicationThrottle::Status::Process,
+              engine->getReplicationThrottle().getStatus());
+    EXPECT_EQ(more_to_process, consumer->processBufferedItems());
+    EXPECT_EQ(all_processed, consumer->processBufferedItems());
+
+    // Before fixing high-seqno would be at 3 (commit)
+    EXPECT_EQ(2, vb->getHighSeqno());
+
+    setVBucketState(
+            vbid,
+            vbucket_state_active,
+            nlohmann::json::parse(
+                    R"({"topology":[["active"],["active","replica"]]})"));
+
+    // In MB-59518 it's not clear exactly what sequence of ACKS permit the
+    // tracked write to resolve (in the next step), but this is enough for a
+    // reproduction of the crash.
+    vb->seqnoAcknowledged(folly::SharedMutex::ReadHolder(vb->getStateLock()),
+                          "replica",
+                          2 /*prepareSeqno*/);
+
+    // And fail. With MB-59518 an error is logged about a failure to find the
+    // prepare, this function would throw because the commit is not successful
+    try {
+        vb->processResolvedSyncWrites();
+    } catch (const std::exception& e) {
+        FAIL() << "processResolvedSyncWrites exception:" << e.what();
+    }
+    EXPECT_EQ(3, vb->getHighSeqno());
+    flushVBucketToDiskIfPersistent(vbid);
+}
+
 void DurabilityPromotionStreamTest::SetUp() {
     // Set up as a replica
     DurabilityPassiveStreamTest::SetUp();
diff --git a/engines/ep/tests/module_tests/evp_store_single_threaded_test.cc b/engines/ep/tests/module_tests/evp_store_single_threaded_test.cc
@@ -1065,6 +1065,68 @@ cb::engine_errc STParameterizedBucketTest::addItem(Item& itm,
     return rc;
 }
 
+cb::engine_errc STParameterizedBucketTest::snapshot(DcpConsumer& consumer,
+                                                    uint32_t opaque,
+                                                    uint64_t start,
+                                                    uint64_t end) {
+    return consumer.snapshotMarker(opaque,
+                                   vbid,
+                                   start,
+                                   end,
+                                   MARKER_FLAG_MEMORY | MARKER_FLAG_CHK,
+                                   0,
+                                   0);
+}
+
+cb::engine_errc STParameterizedBucketTest::mutation(DcpConsumer& consumer,
+                                                    uint32_t opaque,
+                                                    const DocKey& key,
+                                                    uint64_t seqno) {
+    return consumer.mutation(opaque,
+                             key,
+                             cb::const_byte_buffer(),
+                             /*priv_bytes*/ 0,
+                             PROTOCOL_BINARY_DATATYPE_JSON,
+                             /*cas*/ 1,
+                             vbid,
+                             /*flags*/ 0,
+                             /*bySeqno*/ seqno,
+                             /*revSeqno*/ 0,
+                             /*expTime*/ 0,
+                             /*lock_time*/ 0,
+                             /*meta*/ cb::const_byte_buffer(),
+                             /*nru*/ 0);
+}
+
+cb::engine_errc STParameterizedBucketTest::prepare(DcpConsumer& consumer,
+                                                   uint32_t opaque,
+                                                   const DocKey& key,
+                                                   uint64_t seqno) {
+    return consumer.prepare(opaque,
+                            key,
+                            cb::const_byte_buffer(),
+                            /*priv_bytes*/ 0,
+                            PROTOCOL_BINARY_DATATYPE_JSON,
+                            /*cas*/ 1,
+                            vbid,
+                            /*flags*/ 0,
+                            /*bySeqno*/ seqno,
+                            /*revSeqno*/ 0,
+                            /*expTime*/ 0,
+                            /*lock_time*/ 0,
+                            0,
+                            DocumentState::Alive,
+                            cb::durability::Level::Majority);
+}
+
+cb::engine_errc STParameterizedBucketTest::commit(DcpConsumer& consumer,
+                                                  uint32_t opaque,
+                                                  const DocKey& key,
+                                                  uint64_t prepareSeqno,
+                                                  uint64_t seqno) {
+    return consumer.commit(opaque, vbid, key, prepareSeqno, seqno);
+}
+
 /*
  * MB-31175
  * The following test checks to see that when we call handleSlowStream in an
diff --git a/engines/ep/tests/module_tests/evp_store_single_threaded_test.h b/engines/ep/tests/module_tests/evp_store_single_threaded_test.h
@@ -827,6 +827,26 @@ class STParameterizedBucketTest
         return expected;
     }
 
+    // A set of basic helper functions to reduce the size of tests which are
+    // driving a DCPConsumer
+    cb::engine_errc snapshot(DcpConsumer& consumer,
+                             uint32_t opaque,
+                             uint64_t start,
+                             uint64_t end);
+    cb::engine_errc mutation(DcpConsumer& consumer,
+                             uint32_t opaque,
+                             const DocKey& key,
+                             uint64_t seqno);
+    cb::engine_errc prepare(DcpConsumer& consumer,
+                            uint32_t opaque,
+                            const DocKey& key,
+                            uint64_t seqno);
+    cb::engine_errc commit(DcpConsumer& consumer,
+                           uint32_t opaque,
+                           const DocKey& key,
+                           uint64_t prepareSeqno,
+                           uint64_t seqno);
+
 protected:
     void SetUp() override;
 
