From f1d6b9d0096e18c9f187914d3722ba8675bc964d Mon Sep 17 00:00:00 2001 From: nkey Date: Sat, 23 Nov 2024 13:14:40 +0100 Subject: [PATCH v3 1/2] Fix possible lost tuples in non-MVCC index scans using SnapshotDirty In certain scenarios, non-MVCC index scans using SnapshotDirty can miss tuples that are deleted and re-inserted concurrently during the scan. This issue arises because the scan might skip over deleted tuples and fail to see newly inserted ones if the page content is cached. To address this, we modify the SnapshotDirty mechanism to track the maximum xmax (the highest transaction ID of deleting transactions) encountered during the scan. If this xmax is newer than the latest completed transaction ID at the start of the scan, we retry the index scan to ensure all relevant tuples are observed. Key changes include: * Updated HeapTupleSatisfiesDirty to record the maximum xmax seen. * Modified InitDirtySnapshot to accept an optional parameter for tracking xmax. * Added logic in index uniqueness checks (_bt_check_unique) and replication tuple searches (RelationFindReplTupleByIndex) to retry scans based on the tracked xmax. * Introduced a new function ReadLastCompletedFullTransactionId to obtain the latest completed transaction ID. * Updated documentation in nbtree/README to explain the issue and the solution. * Added a regression test to cover this edge case. This fix ensures that non-MVCC index scans are more robust in the face of concurrent data modifications, preventing potential data inconsistencies. --- contrib/pgstattuple/pgstattuple.c | 2 +- src/backend/access/heap/heapam_handler.c | 2 +- src/backend/access/heap/heapam_visibility.c | 20 +++++++- src/backend/access/nbtree/README | 10 ++++ src/backend/access/nbtree/nbtinsert.c | 2 +- src/backend/access/transam/varsup.c | 11 +++++ src/backend/executor/execIndexing.c | 29 +++++++++++- src/backend/executor/execReplication.c | 26 +++++++++- src/backend/replication/logical/origin.c | 2 +- src/include/access/transam.h | 16 +++++++ src/include/utils/snapmgr.h | 8 +++- src/include/utils/snapshot.h | 5 +- src/test/modules/test_misc/meson.build | 1 + .../test_misc/t/007_dirty_index_scan.pl | 47 +++++++++++++++++++ 14 files changed, 169 insertions(+), 12 deletions(-) create mode 100644 src/test/modules/test_misc/t/007_dirty_index_scan.pl diff --git a/contrib/pgstattuple/pgstattuple.c b/contrib/pgstattuple/pgstattuple.c index 48cb8f59c4f..bc310fcb332 100644 --- a/contrib/pgstattuple/pgstattuple.c +++ b/contrib/pgstattuple/pgstattuple.c @@ -335,7 +335,7 @@ pgstat_heap(Relation rel, FunctionCallInfo fcinfo) scan = table_beginscan_strat(rel, SnapshotAny, 0, NULL, true, false); hscan = (HeapScanDesc) scan; - InitDirtySnapshot(SnapshotDirty); + InitDirtySnapshot(SnapshotDirty, NULL); nblocks = hscan->rs_nblocks; /* # blocks to be scanned */ diff --git a/src/backend/access/heap/heapam_handler.c b/src/backend/access/heap/heapam_handler.c index a8d95e0f1c1..4e99ea61c6e 100644 --- a/src/backend/access/heap/heapam_handler.c +++ b/src/backend/access/heap/heapam_handler.c @@ -402,7 +402,7 @@ tuple_lock_retry: * * Loop here to deal with updated or busy tuples */ - InitDirtySnapshot(SnapshotDirty); + InitDirtySnapshot(SnapshotDirty, NULL); for (;;) { if (ItemPointerIndicatesMovedPartitions(tid)) diff --git a/src/backend/access/heap/heapam_visibility.c b/src/backend/access/heap/heapam_visibility.c index 9243feed01f..9001ce4362c 100644 --- a/src/backend/access/heap/heapam_visibility.c +++ b/src/backend/access/heap/heapam_visibility.c @@ -719,6 +719,12 @@ HeapTupleSatisfiesUpdate(HeapTuple htup, CommandId curcid, return TM_Deleted; /* deleted by other */ } +static void UpdateDirtyMaxXmax(Snapshot snapshot, TransactionId xmax) +{ + if (snapshot->xip != NULL) + snapshot->xip[0] = TransactionIdNewer(xmax, snapshot->xip[0]); +} + /* * HeapTupleSatisfiesDirty * True iff heap tuple is valid including effects of open transactions. @@ -737,7 +743,9 @@ HeapTupleSatisfiesUpdate(HeapTuple htup, CommandId curcid, * Similarly for snapshot->xmax and the tuple's xmax. If the tuple was * inserted speculatively, meaning that the inserter might still back down * on the insertion without aborting the whole transaction, the associated - * token is also returned in snapshot->speculativeToken. + * token is also returned in snapshot->speculativeToken. If xip is != NULL + * xip[0] may be set to xid of deleter if it newer than previously store + * value. */ static bool HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, @@ -750,6 +758,10 @@ HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, snapshot->xmin = snapshot->xmax = InvalidTransactionId; snapshot->speculativeToken = 0; + /* + * We intentionally keep snapshot->xip values unchanged as they should + * be reset by logic out of the single heap fetch. + */ if (!HeapTupleHeaderXminCommitted(tuple)) { @@ -870,6 +882,7 @@ HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, { if (HEAP_XMAX_IS_LOCKED_ONLY(tuple->t_infomask)) return true; + UpdateDirtyMaxXmax(snapshot, HeapTupleHeaderGetRawXmax(tuple)); return false; /* updated by other */ } @@ -893,7 +906,10 @@ HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, return true; } if (TransactionIdDidCommit(xmax)) + { + UpdateDirtyMaxXmax(snapshot, xmax); return false; + } /* it must have aborted or crashed */ return true; } @@ -902,6 +918,7 @@ HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, { if (HEAP_XMAX_IS_LOCKED_ONLY(tuple->t_infomask)) return true; + UpdateDirtyMaxXmax(snapshot, HeapTupleHeaderGetRawXmax(tuple)); return false; } @@ -931,6 +948,7 @@ HeapTupleSatisfiesDirty(HeapTuple htup, Snapshot snapshot, SetHintBits(tuple, buffer, HEAP_XMAX_COMMITTED, HeapTupleHeaderGetRawXmax(tuple)); + UpdateDirtyMaxXmax(snapshot, HeapTupleHeaderGetRawXmax(tuple)); return false; /* updated by other */ } diff --git a/src/backend/access/nbtree/README b/src/backend/access/nbtree/README index 52e646c7f75..6de72a29ca0 100644 --- a/src/backend/access/nbtree/README +++ b/src/backend/access/nbtree/README @@ -489,6 +489,16 @@ on the leaf page at all when the page's LSN has changed. (That won't work with an unlogged index, so for now we don't ever apply the "don't hold onto pin" optimization there.) +Despite the locking protocol in place, it is still possible to receive an +incorrect result during non-MVCC scans. This issue can occur if a concurrent +transaction deletes a tuple and inserts a new tuple with a new TID in the +same page. If the scan has already visited the page and cached its content +in the buffer cache, it might skip the old tuple due to deletion and miss +the new tuple because of the cache. This is a known limitation of the +SnapshotDirty and SnapshotAny non-MVCC scans. However, for SnapshotDirty, +it is possible to work around this limitation by using the returned max(xmax) +to compare it with the latest committed transaction before the scan started. + Fastpath For Index Insertion ---------------------------- diff --git a/src/backend/access/nbtree/nbtinsert.c b/src/backend/access/nbtree/nbtinsert.c index 99043da8412..ef63d62778e 100644 --- a/src/backend/access/nbtree/nbtinsert.c +++ b/src/backend/access/nbtree/nbtinsert.c @@ -427,7 +427,7 @@ _bt_check_unique(Relation rel, BTInsertState insertstate, Relation heapRel, /* Assume unique until we find a duplicate */ *is_unique = true; - InitDirtySnapshot(SnapshotDirty); + InitDirtySnapshot(SnapshotDirty, NULL); page = BufferGetPage(insertstate->buf); opaque = BTPageGetOpaque(page); diff --git a/src/backend/access/transam/varsup.c b/src/backend/access/transam/varsup.c index cfe8c6cf8dc..43026e58406 100644 --- a/src/backend/access/transam/varsup.c +++ b/src/backend/access/transam/varsup.c @@ -296,6 +296,17 @@ ReadNextFullTransactionId(void) return fullXid; } +FullTransactionId ReadLastCompletedFullTransactionId(void) +{ + FullTransactionId fullXid; + + LWLockAcquire(XidGenLock, LW_SHARED); + fullXid = TransamVariables->latestCompletedXid; + LWLockRelease(XidGenLock); + + return fullXid; +} + /* * Advance nextXid to the value after a given xid. The epoch is inferred. * This must only be called during recovery or from two-phase start-up code. diff --git a/src/backend/executor/execIndexing.c b/src/backend/executor/execIndexing.c index f9a2fac79e4..34e09dee17f 100644 --- a/src/backend/executor/execIndexing.c +++ b/src/backend/executor/execIndexing.c @@ -117,6 +117,7 @@ #include "utils/multirangetypes.h" #include "utils/rangetypes.h" #include "utils/snapmgr.h" +#include "utils/injection_point.h" /* waitMode argument to check_exclusion_or_unique_constraint() */ typedef enum @@ -711,6 +712,8 @@ check_exclusion_or_unique_constraint(Relation heap, Relation index, IndexScanDesc index_scan; ScanKeyData scankeys[INDEX_MAX_KEYS]; SnapshotData DirtySnapshot; + TransactionId maxXmax, + latestCompletedXid; int i; bool conflict; bool found_self; @@ -773,9 +776,10 @@ check_exclusion_or_unique_constraint(Relation heap, Relation index, /* * Search the tuples that are in the index for any violations, including - * tuples that aren't visible yet. + * tuples that aren't visible yet. Also, detect cases index scan skip the + * tuple in case of parallel update after index page content was cached. */ - InitDirtySnapshot(DirtySnapshot); + InitDirtySnapshot(DirtySnapshot, &maxXmax); for (i = 0; i < indnkeyatts; i++) { @@ -809,6 +813,12 @@ check_exclusion_or_unique_constraint(Relation heap, Relation index, retry: conflict = false; found_self = false; + /* + * Each time we retry - remember last completed transaction before start + * of the scan. Aso reset maxXmax. + */ + latestCompletedXid = XidFromFullTransactionId(ReadLastCompletedFullTransactionId()); + maxXmax = InvalidTransactionId; index_scan = index_beginscan(heap, index, &DirtySnapshot, indnkeyatts, 0); index_rescan(index_scan, scankeys, indnkeyatts, NULL, 0); @@ -924,6 +934,19 @@ retry: } index_endscan(index_scan); + /* + * Check for the case when index scan fetched records before some other + * transaction deleted tuple and inserted a new one. + */ + if (!conflict && TransactionIdIsValid(maxXmax) && !TransactionIdIsCurrentTransactionId(maxXmax)) + { + /* + * If we have skipped some tuple because it was deleted, but deletion happened after + * start of the index scan - retry to be sure. + */ + if (TransactionIdPrecedes(latestCompletedXid, maxXmax)) + goto retry; + } /* * Ordinarily, at this point the search should have found the originally @@ -937,6 +960,8 @@ retry: ExecDropSingleTupleTableSlot(existing_slot); + if (!conflict) + INJECTION_POINT("check_exclusion_or_unique_constraint_no_conflict"); return !conflict; } diff --git a/src/backend/executor/execReplication.c b/src/backend/executor/execReplication.c index 54025c9f150..cf8e847262a 100644 --- a/src/backend/executor/execReplication.c +++ b/src/backend/executor/execReplication.c @@ -229,6 +229,8 @@ RelationFindReplTupleByIndex(Relation rel, Oid idxoid, IndexScanDesc scan; SnapshotData snap; TransactionId xwait; + TransactionId maxXmax, + latestCompletedXid; Relation idxrel; bool found; TypeCacheEntry **eq = NULL; @@ -239,7 +241,7 @@ RelationFindReplTupleByIndex(Relation rel, Oid idxoid, isIdxSafeToSkipDuplicates = (GetRelationIdentityOrPK(rel) == idxoid); - InitDirtySnapshot(snap); + InitDirtySnapshot(snap, &maxXmax); /* Build scan key. */ skey_attoff = build_replindex_scan_key(skey, rel, idxrel, searchslot); @@ -249,6 +251,12 @@ RelationFindReplTupleByIndex(Relation rel, Oid idxoid, retry: found = false; + /* + * Each time we retry - remember last completed transaction before start + * of the scan. Aso reset maxXmax. + */ + maxXmax = InvalidTransactionId; + latestCompletedXid = XidFromFullTransactionId(ReadLastCompletedFullTransactionId()); index_rescan(scan, skey, skey_attoff, NULL, 0); @@ -288,6 +296,20 @@ retry: break; } + /* + * Check for the case when index scan fetched records before some other + * transaction deleted tuple and inserted a new one. + */ + if (!found && TransactionIdIsValid(maxXmax) && !TransactionIdIsCurrentTransactionId(maxXmax)) + { + /* + * If we have skipped some tuple because it was deleted, but deletion happened after + * start of the index scan - retry to be sure. + */ + if (TransactionIdPrecedes(latestCompletedXid, maxXmax)) + goto retry; + } + /* Found tuple, try to lock it in the lockmode. */ if (found) { @@ -411,7 +433,7 @@ RelationFindReplTupleSeq(Relation rel, LockTupleMode lockmode, eq = palloc0(sizeof(*eq) * outslot->tts_tupleDescriptor->natts); /* Start a heap scan. */ - InitDirtySnapshot(snap); + InitDirtySnapshot(snap, NULL); scan = table_beginscan(rel, &snap, 0, NULL); scanslot = table_slot_create(rel, NULL); diff --git a/src/backend/replication/logical/origin.c b/src/backend/replication/logical/origin.c index baf696d8e68..e1e52c639d1 100644 --- a/src/backend/replication/logical/origin.c +++ b/src/backend/replication/logical/origin.c @@ -282,7 +282,7 @@ replorigin_create(const char *roname) * to the exclusive lock there's no danger that new rows can appear while * we're checking. */ - InitDirtySnapshot(SnapshotDirty); + InitDirtySnapshot(SnapshotDirty, NULL); rel = table_open(ReplicationOriginRelationId, ExclusiveLock); diff --git a/src/include/access/transam.h b/src/include/access/transam.h index 28a2d287fd5..aae0ad90c2e 100644 --- a/src/include/access/transam.h +++ b/src/include/access/transam.h @@ -288,6 +288,7 @@ extern void VarsupShmemInit(void); extern FullTransactionId GetNewTransactionId(bool isSubXact); extern void AdvanceNextFullTransactionIdPastXid(TransactionId xid); extern FullTransactionId ReadNextFullTransactionId(void); +extern FullTransactionId ReadLastCompletedFullTransactionId(void); extern void SetTransactionIdLimit(TransactionId oldest_datfrozenxid, Oid oldest_datoid); extern void AdvanceOldestClogXid(TransactionId oldest_datfrozenxid); @@ -344,6 +345,21 @@ TransactionIdOlder(TransactionId a, TransactionId b) return b; } +/* return the newer of the two IDs */ +static inline TransactionId +TransactionIdNewer(TransactionId a, TransactionId b) +{ + if (!TransactionIdIsValid(a)) + return b; + + if (!TransactionIdIsValid(b)) + return a; + + if (TransactionIdPrecedes(a, b)) + return b; + return a; +} + /* return the older of the two IDs, assuming they're both normal */ static inline TransactionId NormalTransactionIdOlder(TransactionId a, TransactionId b) diff --git a/src/include/utils/snapmgr.h b/src/include/utils/snapmgr.h index 9398a84051c..5e6f3a7e76a 100644 --- a/src/include/utils/snapmgr.h +++ b/src/include/utils/snapmgr.h @@ -36,9 +36,13 @@ extern PGDLLIMPORT SnapshotData CatalogSnapshotData; * We don't provide a static SnapshotDirty variable because it would be * non-reentrant. Instead, users of that snapshot type should declare a * local variable of type SnapshotData, and initialize it with this macro. + * pxid is optional and can be NULL. If it is not NULL, pxid[0] will be set + * to the transaction ID of deleting transaction if the tuple is deleted + * and it newer than pxid[0]. */ -#define InitDirtySnapshot(snapshotdata) \ - ((snapshotdata).snapshot_type = SNAPSHOT_DIRTY) +#define InitDirtySnapshot(snapshotdata, pxid) \ + ((snapshotdata).snapshot_type = SNAPSHOT_DIRTY, \ + (snapshotdata).xip = (pxid)) /* * Similarly, some initialization is required for a NonVacuumable snapshot. diff --git a/src/include/utils/snapshot.h b/src/include/utils/snapshot.h index 8d1e31e888e..a68114e500f 100644 --- a/src/include/utils/snapshot.h +++ b/src/include/utils/snapshot.h @@ -96,7 +96,10 @@ typedef enum SnapshotType * xmax. If the tuple was inserted speculatively, meaning that the * inserter might still back down on the insertion without aborting the * whole transaction, the associated token is also returned in - * snapshot->speculativeToken. See also InitDirtySnapshot(). + * snapshot->speculativeToken. If xip is non-NULL, the xid of the + * deleting transaction is stored into xip[0] if it newer than existing + * xip[0] value. + * See also InitDirtySnapshot(). * ------------------------------------------------------------------------- */ SNAPSHOT_DIRTY, diff --git a/src/test/modules/test_misc/meson.build b/src/test/modules/test_misc/meson.build index 283ffa751aa..68d291336e1 100644 --- a/src/test/modules/test_misc/meson.build +++ b/src/test/modules/test_misc/meson.build @@ -15,6 +15,7 @@ tests += { 't/004_io_direct.pl', 't/005_timeouts.pl', 't/006_signal_autovacuum.pl', + 't/007_dirty_index_scan.pl', ], }, } diff --git a/src/test/modules/test_misc/t/007_dirty_index_scan.pl b/src/test/modules/test_misc/t/007_dirty_index_scan.pl new file mode 100644 index 00000000000..4d116e659e7 --- /dev/null +++ b/src/test/modules/test_misc/t/007_dirty_index_scan.pl @@ -0,0 +1,47 @@ + +# Copyright (c) 2024, PostgreSQL Global Development Group + +# Test issue with lost tuple in case of DirtySnapshot index scans +use strict; +use warnings; + +use Config; +use Errno; + +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; + +if ($ENV{enable_injection_points} ne 'yes') +{ + plan skip_all => 'Injection points not supported by this build'; +} + +my ($node, $result); +$node = PostgreSQL::Test::Cluster->new('DirtyScan_test'); +$node->init; +$node->append_conf('postgresql.conf', 'fsync = off'); +$node->append_conf('postgresql.conf', 'autovacuum = off'); +$node->start; +$node->safe_psql('postgres', q(CREATE EXTENSION injection_points)); +$node->safe_psql('postgres', q(CREATE TABLE tbl(i int primary key, n int))); + +$node->safe_psql('postgres', q(INSERT INTO tbl VALUES(42,1))); +$node->safe_psql('postgres', q(SELECT injection_points_attach('check_exclusion_or_unique_constraint_no_conflict', 'error'))); + +$node->pgbench( + '--no-vacuum --client=40 --transactions=1000', + 0, + [qr{actually processed}], + [qr{^$}], + 'concurrent UPSERT', + { + 'on_conflicts' => q( + INSERT INTO tbl VALUES(42,1) on conflict(i) do update set n = EXCLUDED.n + 1; + ) + }); + +$node->safe_psql('postgres', q(SELECT injection_points_detach('check_exclusion_or_unique_constraint_no_conflict'))); + +$node->stop; +done_testing(); \ No newline at end of file -- 2.43.0