commit c2718152b0e6d00dba8d791cf3866c7315418a85

Author: Andrei Elkin <[email protected]>
Date:   Fri Nov 25 15:17:17 2016 +0200

    WL#9175 Correct recovery of DDL statements/transactions by binary log

    The patch consists of two parts implementing the WL agenda which is
    is to provide crash-safety for DDL.
    That is a server (a general one, master or slave) must be able to recover
    from crash to commit or rollback every DDL command that was in progress
    on the eve of crash.

    The Commit decision is done to commands that had reached
    Engine-prepared status and got successfully logged into binary log.
    Otherwise they are rolled back.

    In order to achieve the goal some refinements are done to the binlogging
    mechanism, minor addition is done to the server recovery module and some changes
    applied to the slave side.

    The binary log part includes Query-log-event which is made to contain xid
    that is a key item at server recovery. The recovery now is concern with it along
    with its standard location in Xid_log_event.

    The first part deals with the ACL DDL sub-class and
    TRIGGER related queries are fully 2pc-capable. It constructs
    the WL's framework which is proved on these subclasses.
    It also specifies how to cover the rest of DDLs by the WL's framework.
    For those not 2pc-ready DDL cases, sometimes "stub" tests are prepared
    to be refined by responsible worklogs.

    Take a few notes to the low-level details of implementation.

    Note #1.

    Tagging by xid number is done to the exact 2pc-capable DDL subclass.
    For DDL:s that will be ready for xiding in future, there is a tech specification
    how to do so.

    Note #2.

    By virtue of existing mechanisms, the slave applier augments the DDL
    transaction incorporating the slave info table update and the
    Gtid-executed table (either one optionally) at time of the DDL is
    ready for the final commit.
    When for filtering reason the DDL skips committing at its regular
    time, the augmented transaction would still be not empty consisting of
    only the added statements, and it would have to be committed by
    top-level slave specific functions through Log_event::do_update_pos().

    To aid this process Query_log_event::has_committed is introduced.

    Note #3 (QA, please read this.)

    Replication System_table interface that is employed by handler of TABLE type slave info
    had to be refined in few places.

    Note #4 (runtime code).

    While trying to lessen the footprint to the runtime server code few
    concessions had to be conceded. These include changes to
    ha_commit_trans()
    to invoke new pre_commit() and post_commit(), and post_rollback() hooks
    due to the slave extra statement.

    -------------------------------------------------------------------

    The 2nd part patch extends the basic framework,
    xidifies the rest of DDL commands that are
    (at least) committable at recovery. At the moment those include
    all Data Definition Statements except ones related to
    VIEWs, STORED Functions and Procedures.

    DDL Query is recoverable for these subclasses when it has been
    recorded into the binary log and was discovered there at the server
    restart, quite compatible with the DML algorithm.
    However a clean automatic rollback can't be provided for some
    of the commands and the user would have to complete recovery
    manually.

Author: Andrei Elkin

libbinlogevents/include/binlog_event.h

@@ -127,7 +127,9 @@
                                    1U + (MAX_DBS_IN_EVENT_MTS * (1 + NAME_LEN)) + \
                                    3U +            /* type, microseconds */ + \
                                    1U + 32*3 + 1 + 60 \
-                                   /* type, user_len, user, host_len, host */)
+                                   /* type, user_len, user, host_len, host */ + \
+                                   1U + 1          /* type, explicit_def..ts*/+ \
+                                   1U + 8          /* type, xid of DDL */)
 
 
 /**

libbinlogevents/include/statement_events.h

@@ -33,6 +33,11 @@
 
 namespace binary_log
 {
+/**
+  The following constant represents the maximum of MYSQL_XID domain.
+  The maximum XID value practically is never supposed to grow beyond UINT64 range.
+*/
+const uint64_t INVALID_XID= -1ULL;
 
 /**
   @class Query_event
@@ -391,12 +396,18 @@ namespace binary_log
     </td>
   </tr>
   <tr>
-    <td>commit_seq_no</td>
-    <td>Q_COMMIT_TS</td>
+    <td>explicit_defaults_ts</td>
+    <td>Q_EXPLICIT_DEFAULTS_FOR_TIMESTAMP</td>
+    <td>1 byte boolean</td>
+    <td>Stores master connection @@session.explicit_defaults_for_timestamp when
+        CREATE and ALTER operate on a table with a TIMESTAMP column. </td>
+  </tr>
+  <tr>
+    <td>ddl_xid</td>
+    <td>Q_DDL_LOGGED_WITH_XID</td>
     <td>8 byte integer</td>
-    <td>Stores the logical timestamp when the transaction
-        entered the commit phase. This wll be used to apply transactions
-        in parallel on the slave.  </td>
+    <td>Stores variable carrying xid info of 2pc-aware (recoverable) DDL
+        queries. </td>
   </tr>
   </table>
 
@@ -472,7 +483,8 @@ class Query_event: public Binary_log_event
    */
     Q_COMMIT_TS,
     /*
-     A code for Query_log_event status, similar to G_COMMIT_TS2.
+     An old (unused after migration to Gtid_event) code for
+     Query_log_event status, similar to G_COMMIT_TS2.
    */
     Q_COMMIT_TS2,
     /*
@@ -481,7 +493,11 @@ class Query_event: public Binary_log_event
       a TIMESTAMP column, that are dependent on that feature.
       For pre-WL6292 master's the associated with this code value is zero.
     */
-    Q_EXPLICIT_DEFAULTS_FOR_TIMESTAMP
+    Q_EXPLICIT_DEFAULTS_FOR_TIMESTAMP,
+    /*
+      The variable carries xid info of 2pc-aware (recoverable) DDL queries.
+    */
+    Q_DDL_LOGGED_WITH_XID
   };
   const char* query;
   const char* db;
@@ -602,7 +618,8 @@ class Query_event: public Binary_log_event
   */
   unsigned char mts_accessed_dbs;
   char mts_accessed_db_names[MAX_DBS_IN_EVENT_MTS][NAME_LEN];
-
+  /* XID value when the event is a 2pc-capable DDL */
+  uint64_t ddl_xid;
   /**
     The constructor will be used while creating a Query_event, to be
     written to the binary log.

libbinlogevents/src/statement_events.cpp

@@ -61,7 +61,7 @@ Query_event::Query_event(const char* query_arg, const char* catalog_arg,
   charset_database_number(0),
   table_map_for_update(table_map_for_update_arg),
   master_data_written(0), explicit_defaults_ts(TERNARY_UNSET),
-  mts_accessed_dbs(0)
+  mts_accessed_dbs(0), ddl_xid(INVALID_XID)
 {
 }
 
@@ -117,7 +117,7 @@ Query_event::Query_event(const char* buf, unsigned int event_len,
   time_zone_len(0), catalog_len(0), lc_time_names_number(0),
   charset_database_number(0), table_map_for_update(0), master_data_written(0),
   explicit_defaults_ts(TERNARY_UNSET),
-  mts_accessed_dbs(OVER_MAX_DBS_IN_EVENT_MTS)
+  mts_accessed_dbs(OVER_MAX_DBS_IN_EVENT_MTS), ddl_xid(INVALID_XID)
 {
   //buf is advanced in Binary_log_event constructor to point to
   //beginning of post-header
@@ -363,6 +363,16 @@ break;
       explicit_defaults_ts= *pos++ == 0 ? TERNARY_OFF : TERNARY_ON;
       break;
     }
+    case Q_DDL_LOGGED_WITH_XID:
+      CHECK_SPACE(pos, end, 8);
+      /*
+        Like in Xid_log_event case, the xid value is not used on the slave
+        so the number does not really need to respect endiness.
+      */
+      memcpy((char*) &ddl_xid, pos, 8);
+      ddl_xid= le64toh(ddl_xid);
+      pos+= 8;
+      break;
     default:
       /* That's why you must write status vars in growing order of code */
       pos= (const unsigned char*) end;         // Break loop

mysql-test/extra/binlog_tests/binlog_crash_safe_ddl.inc

@@ -0,0 +1,203 @@
+#
+# The macro processes a DDL statement while its handling is
+# interrupted by simulated crashes at time of the query
+# has not yet been logged and upon that.
+# The first, pre-binlog crash happens right after prepare in SEs
+# (storage engines), before binary log event for the statement is
+# flushed to the disk.  In this case statement should be correctly
+# rolled back by recovery.  The second, post-binlog crash to the
+# repeated statement occurs after binary log event is flushed to the
+# disk, before commit in the SEs.
+# The query results must be found committed upon the server restart.
+# The binlog is rotated at the beginning of either crash simulation
+# and its resulted file is memorized to optionally print out
+# its events which must contain a new XID field.
+#
+# Another purpose of the macro to run simply as a load
+# generator e.g for a slave server without crash simulations
+# ($do_only_regular_logging).
+#
+# The macro increments
+#       $count_ddl_queries
+# per its invocation which serves as a counter for the number of
+# processed queries.
+#
+# Usage, e.g:
+#
+# --let $do_pre_binlog=1
+# --let $do_post_binlog=1
+# --let $do_only_regular_logging=1 # run only query no crash simulation
+# --let $ddl_query=CREATE USER user1
+# --let $pre_binlog_crash_check= [SELECT count(*) = 0 FROM mysql.user WHERE user = 'user1']
+# --let $post_binlog_crash_check= [SELECT count(*) = 1 FROM mysql.user WHERE user = 'user1']
+#
+# --let $do_show_binlog_events=1 # invoke show-binlog-events at the
+#                                # end of query execution
+# --let $do_count_queries  # When set the processed queries are counted in $count_ddl_queries
+# --let $master_log_table  # DDL query and post-recovery checks can be logged in a table
+# --let $master_log_db     # The database of the log table
+#
+# here a value in [] can be just empty to indicate no check after
+# the corresponding crash is done.
+#
+
+if ($do_count_queries)
+{
+  --inc $count_ddl_queries
+}
+
+--disable_query_log
+if ($master_log_table)
+{
+  --let $save_curr_db=`SELECT database()`
+  if ($master_log_db)
+  {
+    --eval USE $master_log_db
+  }
+  --eval INSERT INTO $master_log_table SET id= NULL, ddl_query= "$ddl_query", pre_binlog_check= "$pre_binlog_crash_check", post_binlog_check= "$post_binlog_crash_check"
+ --eval USE $save_curr_db
+}
+--enable_query_log
+
+# $do_only_regular_logging is incompatible with crash simulating $do:s.
+if ($do_only_regular_logging)
+{
+  if ($do_pre_binlog)
+  {
+    --echo *** Wrong option combination! ***
+    --die
+  }
+  if ($do_post_binlog)
+  {
+    --echo *** Wrong option combination! ***
+    --die
+  }
+}
+
+--source include/gtid_step_reset.inc
+
+if ($do_pre_binlog)
+{
+  FLUSH LOGS;
+  --let $binlog_file= query_get_value("SHOW MASTER STATUS", File, 1)
+
+  #
+  # prepare, the first CRASH,  /* log,  commit */
+  #
+  --echo *** Crash right after '$ddl_query'  has been prepared in the engine before being logged ***
+  --source include/expect_crash.inc
+
+  SET @@SESSION.debug="+d,crash_commit_before_log";
+  --disable_query_log
+  if ($manual_gtid_next)
+  {
+    --eval $manual_gtid_next
+  }
+  --enable_query_log
+  --error 2013
+  --eval $ddl_query
+
+  #
+  # restart the server
+  #
+  --source include/start_mysqld.inc
+
+  if ($pre_binlog_crash_check)
+  {
+    if (!`$pre_binlog_crash_check`)
+    {
+      --echo *** State check upon recovery after pre-binlog crash fails ***
+      --die
+    }
+  }
+
+  if ($do_show_binlog_events)
+  {
+    --let $keep_ddl_xid=1
+    --let $show_binlog_events_mask_columns=1,2,4,5
+    --source include/show_binlog_events.inc
+  }
+
+  # The Gtid check, when its mode ON.
+  # After rollback-recovery of this branch Gtid executed must
+  # remain as was before the query execution.
+  --let $gtid_step_count=0
+  --source include/gtid_step_assert.inc
+
+} # end of $do_pre_binlog
+
+if ($do_post_binlog)
+{
+  FLUSH LOGS;
+  --let $binlog_file= query_get_value("SHOW MASTER STATUS", File, 1)
+
+  #
+  # prepare, log, the 2nd CRASH, /* commit */
+  #
+  --echo *** Crash right after '$ddl_query' has been binary-logged before committed in the engine ***
+  --source include/expect_crash.inc
+
+  SET @@SESSION.debug="+d,crash_commit_after_log";
+  # End of Debug
+  --disable_query_log
+  if ($manual_gtid_next)
+  {
+    --eval $manual_gtid_next
+  }
+  --enable_query_log
+  --error 2013
+  --eval $ddl_query
+
+  #
+  # restart the server
+  #
+  --source include/start_mysqld.inc
+
+  if ($post_binlog_crash_check)
+  {
+    if (!`$post_binlog_crash_check`)
+    {
+      --echo *** State check upon recovery after pre-commit crash fails ***
+      --die
+    }
+  }
+  if ($do_show_binlog_events)
+  {
+    --let $keep_ddl_xid=1
+    --let $show_binlog_events_mask_columns=1,2,4,5
+    --source include/show_binlog_events.inc
+  }
+
+  # The Gtid check, when its mode ON.
+  # After commit-recovery of this branch Gtid executed must
+  # receive a new gtid item of the current DDL transaction.
+
+  --let $gtid_step_count=1
+  --source include/gtid_step_assert.inc
+
+} # end of $do_post_binlog
+
+if ($do_only_regular_logging)
+{
+  FLUSH LOGS;
+  --eval $ddl_query
+  if ($do_show_binlog_events)
+  {
+    --let $keep_ddl_xid=1
+    --let $show_binlog_events_mask_columns=1,2,4,5
+    --source include/show_binlog_events.inc
+  }
+
+  # The Gtid check, when its mode ON.
+  # After commit-recovery of this branch Gtid executed must
+  # receive a new gtid item of the current DDL transaction.
+
+  --let $gtid_step_count=1
+  --source include/gtid_step_assert.inc
+}
+
+#
+# Cleanup
+#
+--let $keep_ddl_xid=
+--let $show_binlog_events_mask_columns=