Torturing Databases for Fun and Profit

Size: px

Start display at page:

Download "Torturing Databases for Fun and Profit"

Bonnie Todd
5 years ago
Views:

1 Torturing Databases for Fun and Profit Mai Zheng, Joseph Tucek, Dachuan Huang, Feng Qin, Mark Lillibridge Elizabeth S Yang, Bill W Zhao, Shashank Singh The Ohio State University HP Labs

2 2

3 database 3

4 ACID: atomicity, consistency, isolation, and durability - even under failures 4

5 List of databases survived 5

6 Everything is broken under simulated power faults Database TokyoCabinet MariaDB LightningDB SQLite KVS-A SQL-A File System Workload W-1 W-2 W-3 W-4.1 W-4.2 W-4.3 ext3 D D D ACD ACD ACD XFS -- D D ACD D ACD ext3 D D D D D D XFS D D D D D D ext D XFS ext3 D D -- D D D XFS D D D D ext Hang XFS ext3 D D D D D D XFS D D D D D D ext3 D D CD CD CD CD SQL-B XFS CD D CD CD CD CD SQL-C NTFS D D D D D D 6

7 Power faults cannot happen nowadays, right? 7

8 2013: POWER OUTAGE during Super Bowl because a RELAY DEVICE MALFUNCTIONED. 8

2014: Internap Data Center OUTAGE Takes Down Livestream, StackExchange 2014: Data Center FIRE Leads to OUTAGE 2014: ELECTRICAL

POWER OUTAGE is being blamed for Visa downtime 2013: A POWER OUTAGE at a key New Jersey data center 2013: POWER OUTAGE during

2012: HUNAM ERROR was responsible for a data center POWER OUTAGE 2012: POWER OUTAGE Hits London Data Center 2012: Amazon Data

9 2014: Internap Data Center OUTAGE Takes Down Livestream, StackExchange 2014: Data Center FIRE Leads to OUTAGE 2014: ELECTRICAL FIRE took down primary data center ALL POWER was OFF 2013: POWER OUTAGE knocks DreamHost customers offline 2013: A data center POWER OUTAGE is being blamed for Visa downtime 2013: A POWER OUTAGE at a key New Jersey data center 2013: POWER OUTAGE during Super Bowl because a RELAY DEVICE MALFUNCTIONED. 2012: HUNAM ERROR was responsible for a data center POWER OUTAGE 2012: POWER OUTAGE Hits London Data Center 2012: Amazon Data Center LOSES POWER During STORM 2011: Colocation provider Colo4 experienced a POWER OUTAGE 2010: About 3,000 servers at Montreal web host iweb experienced an OUTAGE 2010: CAR CRASH Triggers Amazon POWER OUTAGE 9

10 Database Torture 101

11 Fault Model: Clean termination of I/O stream database on-the-fly I/O blocks minimum atomic transfer unit (e.g., 512B/4KB) blocks transferred to durable media 11

12 Fault Model: Clean termination of I/O stream database on-the-fly I/O blocks blocks transferred to durable media blocks after the fault have no effect a fault happens blocks before the fault are NOT corrupted/ dropped/reordered 12

13 Why not introduce corruption/dropping/reordering? Unreasonable to require databases to handle arbitrary bad behavior introduced in the lower layers Simulated bad behavior w/o verification by real failures may be unrealistic - I/O path in kernel & device puts constraints on failure states 13

14 How do we test DBs on multiple OSes w/ high fidelity? No disturbance on thread scheduling database No disturbance on interactions among DB, memory manager, FS, volume manager, I/O scheduler, 14

15 How do we test DBs on multiple OSes w/ high fidelity? iscsi initiator decouple via iscsi iscsi target database SCSI commands over network torturing framework 15

16 How do we test DBs on multiple OSes w/ high fidelity? iscsi initiator decouple via iscsi iscsi target database SCSI commands over network torturing framework 16

17 Framework Overview Worker & Checker ❶ ❸ database SCSI cmds ❷ Record & Replayer 17

18 Framework Overview Worker & Checker ❶ ❸ database SCSI cmds ❷ Record & Replayer 18

19 Workload Example meta rows work rows key value THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-init-2 k-3 v-init-3 k-4 v-init-4 k-5 v-init-5 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table 19

20 Workload Example key value two parts meta rows work rows THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-init-2 k-3 v-init-3 k-4 v-init-4 k-5 v-init-5 2 threads, 2 transactions per thread k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table 20

21 Has known initial state meta rows work rows key value THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-init-2 k-3 v-init-3 k-4 v-init-4 k-5 v-init-5 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table 21

22 Each transaction updates N random work rows + 1 meta row meta rows work rows key value THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-init-2 k-3 v-init-3 k-4 v-init-4 k-5 v-init-5 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table 22

23 Each transaction updates N random work rows + 1 meta row meta rows work rows key value THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-init-2 k-3 v-init-3 k-4 v-init-4 k-5 v-init-5 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table THR-1-TXN-1 23

24 Each transaction updates N random work rows + 1 meta row meta rows work rows key value THR-1-TXN-1 v-init-thr-1-txn-1 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-init-3 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table THR-1-TXN-1 save transaction ID 24

25 Each transaction updates N random work rows + 1 meta row meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-init-3 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table save work-row keys & timestamp right before commit THR-1-TXN-1 save transaction ID 25

26 Fully exercise concurrency control meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 v-init-thr-2-txn-1 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-init-3 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-init-6 k-7 v-init-7 k-8 v-init-8 DB table THR-1-TXN-1 26

27 Fully exercise concurrency control meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 v-init-thr-1-txn-2 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-init-3 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-2-txn-1 k-7 v-thr-2-txn-1 k-8 v-init-8 DB table THR-2-TXN-1 27

28 Fully exercise concurrency control meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-init-3 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-1 k-8 v-thr-1-txn-2 DB table THR-1-TXN-2 28

29 Fully exercise concurrency control meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 k-3-k-7-ts-00:14 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 DB table THR-2-TXN-2 29

30 30

31 A power fault just happened during our workload 31

32 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table 32

33 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table 33

34 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table 34

35 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table 35

36 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table Atomicity violation! should have been updated w/ work rows 36

37 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table allow checking time & order related properties 37

38 Is there any ACID violation after recovery? meta rows work rows key value THR-1-TXN-1 k-2-k-5-ts-00:01 THR-1-TXN-2 k-6-k-8-ts-00:13 THR-2-TXN-1 k-7-k-6-ts-00:03 THR-2-TXN-2 v-init-thr-2-txn-2 k-1 v-init-1 k-2 v-thr-1-txn-1 k-3 v-thr-2-txn-2 k-4 v-init-4 k-5 v-thr-1-txn-1 k-6 v-thr-1-txn-2 k-7 v-thr-2-txn-2 k-8 v-thr-1-txn-2 recovered DB table More workloads & ACID checking in the paper 38

39 Framework Overview Worker & Checker ❶ ❸ database SCSI cmds ❷ Record & Replayer 39

40 Framework Overview Worker & Checker ❶ ❸ database SCSI cmds ❷ Record & Replayer 40

41 Capturing I/O trace without kernel modification target daemon Worker SCSI cmds file system backing store 41

42 Capturing I/O trace without kernel modification 4 target daemon 3 Worker SCSI Tracer Worker s block trace 2 1 file system SCSI cmds minimum atomic block-transfer operations (mini ops) backing store 42

43 Constructing a post-fault disk image 4 target daemon SCSI Tracer Worker s block trace SCSI cmds Replayer file system backing store clean image 43

44 Constructing a post-fault disk image 4 target daemon 3 SCSI Tracer Worker s block trace 2 1 fault point SCSI cmds Replayer file system backing store 1 failure image 44

45 Checking the post-fault DB 4 target daemon 3 Checker SCSI Tracer Worker s block trace 2 1 fault point SCSI cmds Replayer file system 1 failure image 45

46 Checking the post-fault DB 4 check log target daemon 3 Checker SCSI Tracer Worker s block trace 2 1 fault point autorecovery SCSI cmds Replayer fsck file system 1 failure image 46

47 Testing different fault points easily 4 target daemon 3 Checker SCSI Tracer Worker s block trace 2 1 fault point SCSI cmds Replayer file system backing store clean image 47

48 Testing different fault points easily 4 Checker target daemon SCSI Tracer Worker s block trace fault point SCSI cmds Replayer file system 1 2 backing store failure image 48

49 Testing different fault points easily target daemon 4 3 fault point Checker SCSI Tracer Worker s block trace 2 1 SCSI cmds Replayer file system backing store failure image 49

50 The framework is not good enough Sometimes need several days - too many mini operations, too many potential fault points 50

51 The framework is not good enough Sometimes need several days - too many mini operations, too many potential fault points We tried sampling - but only a few fault points trigger ACID violations 51

52 The framework is not good enough Sometimes need several days - too many mini operations, too many potential fault points We tried sampling - but only a few fault points trigger ACID violations Don t know why 52

53 Enhanced Design

54 Framework Overview Worker & Checker ❶ ❸ Multi-layer Tracer database SCSI cmds ❷ Record & Replayer 54

55 Framework Overview Worker & Checker ❶ ❸ Multi-layer Tracer database SCSI cmds ❷ Record & Replayer 55

56 Original trace provides little semantics op# content LBA 1 0a a bc target daemon Worker SCSI Tracer Worker s block trace SCSI file system backing store 56

57 Enhancing w/ more context op# content LBA timestamp SCSI cmd# file syscall 1 0a x.db msync(x.db) 2 0a x.log fsync(x.log) bc fs-j fsync(x.log) fs-j fsync(x.log) target daemon Worker SCSI Tracer Worker s multi-layer trace SCSI multi-layer tracer file system backing store 57

58 What makes some fault points special? Checking result Worker s multi-layer trace op# content LBA ts cmd# file syscall anything special? 58

59 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) 59

60 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) 60

61 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) intended 61

62 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) intended 62

63 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) unintended intended implicit flush of dirty blocks by kernel or FS under heavy transactions 63

64 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) unintended special! intended 64

65 5 patterns found from 2 databases MMAP p : unintended update to mmap ed blocks op# LBA file syscall x.db fsync(x.log) x.db msync(x.db) unintended special! intended Four more patterns: REP p, JUMP p, HEAD p, TRAN p 65

66 Add fault injection policy to determine where to inject faults check log Checker target daemon SCSI Tracer Worker s blk trace SCSI Replayer Fault Injection Policy file system backing store 66

67 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) Scoreboard MMAP p REP p JUMP p HEAD p TRAN p total score 67

68 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) MMAP p REP p JUMP p HEAD p TRAN p Scoreboard total score 68

69 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) MMAP p REP p JUMP p HEAD p TRAN p Scoreboard total score 69

70 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) MMAP p REP p JUMP p HEAD p TRAN p Scoreboard total score 70

71 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) Scoreboard MMAP p REP p JUMP p HEAD p TRAN p total score 71

72 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) Scoreboard MMAP p REP p JUMP p HEAD p TRAN p total score 72

73 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) Scoreboard MMAP p REP p JUMP p HEAD p TRAN p total score

74 Alternative to Exhaustive: Pattern-based Ranking Worker s multi-layer trace op# LBA cmd# file syscall x.db msyc(x.db) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.log fsync(x.log) x.db fsync(x.log) fs-j fsync(x.log) Scoreboard MMAP p REP p JUMP p HEAD p TRAN p total score st -rank: 2 nd -rank: 3 rd -rank: 4 th -rank: predicted most error-prone

75 Alternative to Exhaustive: Pattern-based Ranking st -rank: 2 nd -rank: 3 rd -rank: 4 th -rank: predicted most error-prone

76 Alternative to Exhaustive: Pattern-based Ranking st -rank: 2 nd -rank: 3 rd -rank: 4 th -rank: predicted most error-prone

77 Diagnosis Support

78 Worker s multi-layer trace helps understand what happened at fault time Worker SCSI target daemon SCSI Tracer multi-layer tracer Worker s multi-layer trace: op#, content, LBA, timestamp, SCSI cmd#, file, syscall, file system backing store 78

79 Add function-call tracing to disclose more semantics for diagnosis Worker file system SCSI target daemon SCSI Tracer backing store multi-layer tracer Worker s multi-layer trace: op#, content, LBA, timestamp, SCSI cmd#, file, syscall, function call 79

Enable same tracing during checking to see why recovery didn t work check log Checker target daemon SCSI Tracer Worker s block trace 4 3 2 1 a fault point triggering

80 Enable same tracing during checking to see why recovery didn t work check log Checker target daemon SCSI Tracer Worker s block trace a fault point triggering ACID violation SCSI Replayer Checker s multi-layer trace: file system 1 2 multi-layer tracer op#, content, LBA, timestamp, SCSI cmd#, file, syscall, function call 80

81 Results

82 8 databases - Open-source: TokyoCabinet, MariaDB, LightningDB, SQLite - Commercial: KVS-A, SQL-A, SQL-B, SQL-C 4 workloads 3 file systems - ext3, XFS, NTFS Several operating systems - Linux: RHEL 6, Debian6, Ubuntu 12 LTS - Windows 7 Enterprise Experimental Environment 82

83 Not a single DB can survive all tests DB FS W-1 W-2 W-3 W-4.1 W-4.2 W-4.3 A C I D TokyoCabinet ext3 D D D ACD ACD ACD 0.15% 0.14% % XFS -- D D ACD D ACD <0.01% 0.01% % MariaDB ext3 D D D D D D % XFS D D D D D D % LightningDB ext D % XFS SQLite ext3 D D -- D D D % XFS D D D D % KVS-A ext Hang XFS SQL-A ext3 D D D D D D % XFS D D D D D D % SQL-B ext3 D D CD CD CD CD % % XFS CD D CD CD CD CD % % SQL-C NTFS D D D D D D % 83

84 Durability violation is most common DB FS W-1 W-2 W-3 W-4.1 W-4.2 W-4.3 A C I D TokyoCabinet ext3 D D D ACD ACD ACD 0.15% 0.14% % XFS -- D D ACD D ACD <0.01% 0.01% % MariaDB ext3 D D D D D D % XFS D D D D D D % LightningDB ext D % XFS SQLite ext3 D D -- D D D % XFS D D D D % KVS-A ext Hang XFS SQL-A ext3 D D D D D D % XFS D D D D D D % SQL-B ext3 D D CD CD CD CD % % XFS CD D CD CD CD CD % % SQL-C NTFS D D D D D D % 84

85 Some violations are difficult to trigger DB FS W-1 W-2 W-3 W-4.1 W-4.2 W-4.3 A C I D TokyoCabinet ext3 D D D ACD ACD ACD 0.15% 0.14% % XFS -- D D ACD D ACD <0.01% 0.01% % MariaDB ext3 D D D D D D % XFS D D D D D D % LightningDB ext D % XFS SQLite ext3 D D -- D D D % XFS D D D D % KVS-A ext Hang XFS SQL-A ext3 D D D D D D % XFS D D D D D D % SQL-B ext3 D D CD CD CD CD % % XFS CD D CD CD CD CD % % SQL-C NTFS D D D D D D % 85

86 Some violations are difficult to trigger DB FS W-1 W-2 W-3 W-4.1 W-4.2 W-4.3 A C I D TokyoCabinet ext3 D D D ACD ACD ACD 0.15% 0.14% % XFS -- D D ACD D ACD <0.01% 0.01% % MariaDB ext3 D D D D D D % XFS D D D D D D % LightningDB ext D % XFS SQLite ext3 D D -- D D D % XFS D D D D % KVS-A ext Hang XFS SQL-A ext3 D D D D D D % XFS D D D D D D % SQL-B ext3 D D CD CD CD CD % % XFS CD D CD CD CD CD % % SQL-C NTFS D D D D D D % 86

87 Case Study: A TokyoCabinet Bug Failure symptoms faults injected in a region of operations cause: - A violation: a transaction is partially committed - D violation: some rows are irretrievable - C violation: retrievable rows by range query and point queries are different 87

88 Case Study: A TokyoCabinet Bug Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb tcbdbget() Checker s trace when ACID violations were found tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget() Checker s trace when no violation was found 88 Delta Debugging [Zeller, SIGSOFT 02/FSE-10]

89 Case Study: A TokyoCabinet Bug Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() Checker s trace when ACID violations were found tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget() Checker s trace when no violation was found 89 Delta Debugging [Zeller, SIGSOFT 02/FSE-10]

90 Case Study: A TokyoCabinet Bug Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() Checker s trace when ACID violations were found tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget() Checker s trace when no violation was found 90 Delta Debugging [Zeller, SIGSOFT 02/FSE-10]

91 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 91 Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget()

92 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 92 Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget()

93 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 93 Why recovery didn t work? Intended update tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget()

94 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 94 Why recovery didn t work? Intended update tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget()

95 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 95 Why recovery didn t work? Unintended update! Intended update tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget()

96 What happened at fault time? Worker s trace around the bug-triggering fault points op#30 #90 mmap(8192, x.tcb, 0) fsync(x.tcb.wal) //op#, LBA, content, file, Case Study: A TokyoCabinet Bug syscall op#26, 630,, x.tcb.wal, fsync(x.tcb.wal) op#27, 960,, fs-j, fsync(x.tcb.wal) op#28, 964,, fs-j, fsync(x.tcb.wal) op#29, 480, 100, x.tcb, fsync(x.tcb.wal) msync(x.tcb) //op#, LBA, content, file, syscall op#91, 480, 101, x.tcb, msync(x.tcb) tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 100, x.tcb //no tchdbwalrestore() tcbdbget() 96 Why recovery didn t work? tchdbopenimpl(x.tcb) open(x.tcb) = 3 read(x.tcb) = 256 //op#, LBA, content, file op#1, 480, 101, x.tcb tchdbwalrestore() tcbdbget() One solution: Failure-atomic msync() [Park et.al., EuroSys 13]

97 Patterns reduce required test points greatly while achieving similar coverage SQL-C MariaDB KVS-A LightningDB SQL-B SQL-A SQLite TokyoCabinet reduction factor = 97

98 Patterns reduce required test points greatly while achieving similar coverage SQL-C MariaDB KVS-A LightningDB SQL-B SQL-A SQLite TokyoCabinet the 2 databases from which patterns are extracted reduction factor = 98

99 Patterns reduce required test points greatly while achieving similar coverage SQL-C 157 MariaDB 72 KVS-A 61 LightningDB SQL-B SQL-A SQLite reduce testing time from > 2 months to < 3 days! TokyoCabinet 6 reduction factor = 99

100 A wake-up call Conclusions & Future Work - traditional testing methodology may not be enough for today s complex storage systems - thorough testing requires purpose-built workloads and intelligent fault injection techniques 100

101 A wake-up call Conclusions & Future Work - traditional testing methodology may not be enough for today s complex storage systems - thorough testing requires purpose-built workloads and intelligent fault injection techniques Different layers in OS can help in different ways - iscsi: fault injection w/ high portability & high fidelity - LBA & syscall: generic behavior patterns - combined multi-layer info: clear whole picture of complicated scenarios 101

102 Conclusions & Future Work We should bridge the gaps of understanding/assumptions! between DB & OS between User & DB 102

103 Conclusions & Future Work We should bridge the gaps of understanding/assumptions! between DB & OS between User & DB Pop Quiz: true or false? mmap'ed files are not updated until msync() file-length update are persistent after fdatasync() durability is provided by the default configuration transactions are durable after COMMIT 103

104 Conclusions & Future Work We should bridge the gaps of understanding/assumptions! between DB & OS between User & DB Pop Quiz: true or false? mmap'ed files are not updated until msync() file-length update are persistent after fdatasync() durability is provided by the default configuration transactions are durable after COMMIT false 104

105 Conclusions & Future Work We should bridge the gaps of understanding/assumptions! between DB & OS between User & DB Pop Quiz: true or false? mmap'ed files are not updated until msync() file-length update are persistent after fdatasync() durability is provided by the default configuration transactions are durable after COMMIT false depends! depends! depends! 105

106 Conclusions & Future Work We should bridge the gaps of understanding/assumptions! between DB & OS between User & DB Pop Quiz: true or false? mmap'ed files are not updated until msync() file-length update are persistent after fdatasync() durability is provided by the default configuration transactions are durable after COMMIT false depends! depends! depends! Thank you! 106

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin