MDEV-37949: Implement innodb_log_archive, innodb_log_recovery_start, innodb_log_recovery_target, …

[dr-m]

• The Jira issue number for this PR is: MDEV-37949

Description

MDEV-37949: Implement innodb_log_archive

The InnoDB write-ahead log file in the old innodb_log_archive=OFF format is named ib_logfile0, pre-allocated to innodb_log_file_size and written as a ring buffer. This is good for write performance and space management, but unsuitable for arbitrary point-in-time recovery or for facilitating efficient incremental backup.

innodb_log_archive=ON: A new format where InnoDB will create and preallocate files ib_%016x.log, instead of writing a circular file ib_logfile0. Each file will be pre-allocated to innodb_log_file_size (between 4M and 4G; we impose a stricter upper limit of 4 GiB for innodb_log_archive=ON). Once a log fills up, we will create and pre-allocate another log file, to which log records will be written. Upon the completion of the first log checkpoint in a recently created log file, the old log file will be marked read-only, signaling that there will be no further writes to that file, and that the file may safely be moved to long-term storage.

The file name includes the log sequence number (LSN) at file offset 12288 (log_t::START_OFFSET). Limiting the file size to 4 GiB allows us to identify each checkpoint by storing a 32-bit big-endian offset into the optional FILE_MODIFY and the mandatory FILE_CHECKPOINT records, between 12288 and the end of the file.

The innodb_encrypt_log format is identified by storing the encryption information at the start of the log file. The first 32-bit value will be 1, which is an invalid checkpoint offset. Each innodb_log_archive=ON log must use the same encryption parameters. Changing innodb_encrypt_log or related parameters is only possible by setting innodb_log_archive=OFF and restarting the server, which will permanently lose the history of the archived log.

The maximum number of log checkpoints that the innodb_log_archive=ON file header can represent is limited to 12288/4=3072 when using innodb_encrypt_log=OFF. If we run out of slots in a log file, each subsequently completed checkpoint in that log file will overwrite the last slot in the checkpoint header, until we switch to the next log.

innodb_log_recovery_start: The checkpoint LSN to start recovery from. This will be useful when recovering from an archived log. This is useful for restoring an incremental backup (applying InnoDB log files that were copied since the previous restore).

innodb_log_recovery_target: The requested LSN to end recovery at. When this is set, all persistent InnoDB tables will be read-only, and no writes to the log are allowed. The intended purpose of this setting is to prepare an incremental backup, as well as to allow data retrieval as of a particular logical point of time.

Setting innodb_log_recovery_target>0 is much like setting innodb_read_only=ON, with the exception that the data files may be written to by crash recovery, and locking reads will conflict with any incomplete transactions as necessary, and all transaction isolation levels will work normally (not hard-wired to READ UNCOMMITTED).

The status variable innodb_lsn_archived will reflect the LSN since when a complete InnoDB log archive is available. Its initial value will be that of the new parameter innodb_log_archive_start. If that variable is 0 (the default), the innodb_lsn_archived will be recovered from the available log files. If innodb_log_archive=OFF, innodb_lsn_archived will be adjusted to the latest checkpoint every time a log checkpoint is executed. If innodb_log_archive=ON, the value
should not change.

Statements like

SET GLOBAL innodb_log_archive=!@@GLOBAL.innodb_log_archive;

will take effect as soon as possible, possibly after a log checkpoint has been completed. The log file will be renamed between ib_logfile0 and ib_%016x.log as appropriate.

When innodb_log_archive=ON, the setting SET GLOBAL innodb_log_file_size will affect subsequently created log files when the file that is being currently written is running out. If we are switching log files exactly at the same time, then a somewhat misleading error message "innodb_log_file_size change is already in progress" will be issued.

When innodb_read_only=ON, innodb_log_recovery_target will be set to the current LSN. This ensures that it suffices to check only one of these variables when blocking writes to persistent tables.

See the commit message for a more detailed description of the changed data structures and functions.

Release Notes

See the previous section.

How can this PR be tested?

mysql-test/mtr --parallel=auto --force --big-test --mysqld=--loose-innodb-log-archive --skip-test=mariabackup
mysql-test/mtr --parallel=auto --force --big-test --mysqld=--loose-innodb-log-archive --mysqld=--loose-innodb-log-recovery-start=12288 --skip-test=mariabackup
mysql-test/mtr --parallel=auto --force --big-test --mysqld=--loose-innodb-log-archive --mysqld=--loose-innodb-log-recovery-start=12288 --mysqld=--loose-inodb-log-file-mmap=OFF --skip-test=mariabackup
mysql-test/mtr --parallel=auto --force --big-test --mysqld=--loose-innodb-log-archive --mysqld=--loose-innodb-log-recovery-start=12288 --mysqld=--loose-inodb-log-file-mmap=ON --skip-test=mariabackup

The mariabackup suite must be skipped when setting innodb_log_archive=ON, because the mariadb-backup tool will only support the old innodb_log_archive=OFF format (copying from ib_logfile0).

Unfortunately, all --suite=encryption tests that use innodb_encrypt_log must be skipped when using innodb_log_archive. This is because the server would have to be reinitialized; we do not allow changing the format of an archived log on startup (such as adding or removing encryption). This combination is covered by the test innodb.log_file_size_online,encrypted.

no_checkpoint_prepare.inc: A new file, to prepare for subsequent inclusion of no_checkpoint_end.inc. We will invoke the server to parse the log and to determine the latest checkpoint.

A number of tests that would fail when the parameter innodb_log_recovery_start=12288 is present, which is forcing
recovery to start from the beginning of the history (the database creation), have been adjusted with
explicit --innodb-log-recovery-start=0 to override that:

1. Some injected corruption may be "healed" by replaying the log from the beginning. Some tests expect an empty buffer pool after a restart, with no page I/O due to crash recovery.
2. Any test that sets innodb_read_only=ON would fail with an error message that the setting prevents crash recovery, unless innodb_log_recovery_start=0.
3. Any test that changes innodb_undo_tablespaces would fail in crash recovery, because crash recovery assumes that the undo tablespace ID that is available from the undo* files corresponds with the start of the log. This is an unforunate design bug which we cannot fix easily.

Basing the PR against the correct MariaDB version

• This is a new feature or a refactoring, and the PR is based against the main branch.
• This is a bug fix, and the PR is based against the earliest maintained branch in which the bug can be reproduced.

This is a new feature, but for now based on the 11.4 branch so that any unrelated errors that may be found during testing can be fixed rather quickly. Merges to the main branch may be blocked for weeks at a time.

PR quality check

• I checked the CODING_STANDARDS.md file and my PR conforms to this where appropriate.
• For any trivial modifications to the PR, I am ok with the reviewer making the changes themselves.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[mariadb-SaahilAlam]

Noticing a silent crash, please check if it's related

origin/MDEV-37949 218b238d6f3918c028bb595dac06c03ca5b4ea5e

Error log shows
InnoDB: Starting crash recovery from checkpoint LSN=95653039
InnoDB: End of log at LSN=95698132
Then the server silently disappears - no assertion, no error message

Please take a look
RR trace is present on SDP:-
/data/results/1772438757/Silent_crash

[dr-m]

It looks like there was a possible anomaly at rr record time, possibly affecting the pread64 system call. In my rr replay attempt I got the following:

2026-03-02  0:30:25 0 [Note] InnoDB: End of log at LSN=95698132
[FATAL src/ReplaySession.cc:755:check_pending_sig()] 
 (task 125299 (rec:1049701) at time 3447)
 -> Assertion `false' failed to hold. Replaying `SIGNAL: SIGSEGV(det)': expecting tracee signal or trap, but instead at `pread64' (ticks: 7914513)

When I attach GDB to the crashed rr replay I can see that it occurred deep inside the following:

#21 0x00005e20ebf7f5a1 in buf_read_page (page_id=page_id@entry={m_id = 0x3}, err=err@entry=0x7ffc1851501c, chain=@0x5e20ef0cc060: {first = 0x79e096001520}, unzip=unzip@entry=0x1)
    at /data/Server/MDEV-37949A/storage/innobase/buf/buf0rea.cc:540
#22 0x00005e20ebf63909 in buf_page_get_gen (page_id={m_id = 0x3}, zip_size=zip_size@entry=0x0, rw_latch=rw_latch@entry=RW_NO_LATCH, guess=guess@entry=0x0, mode=mode@entry=0x9, 
    mtr=mtr@entry=0x7ffc18515020, err=0x7ffc1851501c) at /data/Server/MDEV-37949A/storage/innobase/buf/buf0buf.cc:2781
#23 0x00005e20ebddf6c0 in recv_sys_t::recover (this=<optimized out>, page_id=page_id@entry={m_id = 0x3}, mtr=mtr@entry=0x7ffc18515020, err=err@entry=0x7ffc1851501c)
    at /data/Server/MDEV-37949A/storage/innobase/log/log0recv.cc:4518
#24 0x00005e20ec015dd7 in ibuf_upgrade_needed () at /data/Server/MDEV-37949A/storage/innobase/ibuf/ibuf0ibuf.cc:1029
#25 0x00005e20ebee9e1e in srv_start (create_new_db=<optimized out>) at /data/Server/MDEV-37949A/storage/innobase/srv/srv0start.cc:1594
#26 0x00005e20ebd4a2b6 in innodb_init (p=<optimized out>) at /data/Server/MDEV-37949A/storage/innobase/handler/ha_innodb.cc:4187

No buffer page access code path should be changed in this pull request, so in any case it should not be related to these changes.

This could be a bug in the underlying Linux kernel or in the way how rr instruments system calls.

[mariadb-SaahilAlam]

shall we open a seperate MDEV for this issue?

[dr-m]

If you can reproduce and diagnose the problem, you could file a bug against https://github.com/rr-debugger/rr/. It could be a race condition between ptrace and signal handling, something similar to https://lkml.org/lkml/2021/10/31/311 perhaps. It definitely is not something that https://jira.mariadb.org is tracking.

[Thirunarayanan]

SHOW GLOBAL STATUS access this variable without any mutex. Won't have torn read in case of 32 bit platform?

[dr-m]

You are right, we should borrow the trx_t::max_inactive_id_atomic trick from #3668. On -march=i686 it actually is possible to perform 64-bit loads and stores by using floating-point operations. Already the Intel Pentium had a 64-bit data bus.

[dr-m]

Sorry, I realized that using Atomic_relaxed<lsn_t> would not help, because the read would be via the following:

  {"lsn_archived", &log_sys.archived_lsn, SHOW_ULONGLONG},

I will check the generated code for the actual read. We could add export_vars indirection for 32-bit systems. srv_export_innodb_status() is already reading some fields while holding exclusive log_sys.latch.

[Thirunarayanan]

1. Writes the checkpoint slot at buf[0] with offset value
2. persists buf[0...64)
3. zero all buf[64..start_offset)
4. persists buf[0..start_offset)

Why (4) persists which was already persist in (2)? Can we avoid this one?

[dr-m]

We could, but I don’t think it is significant. SET GLOBAL innodb_log_archive should be a very rare operation, and PMEM is rarely available. Depending on the implementation of the underlying instruction, it could be that the extra flush is a no-op. For the clflush and clflushopt it isn’t, but modern AMD64 implementations should support clwb.

This is why I optimized for size here. A much bigger performance issue is that we are hogging log_sys.latch when durably changing innodb_log_archive, even more so in the non-PMEM code path. I don’t think we have any other practical choice.

[Thirunarayanan]

If checkpoint_pending and wait_lsn == 0 then we could be releasing and acquiring log_t::latch. Is this acceptable?

[dr-m]

In that scenario, we really have no other choice than to release and reacquire log_sys.latch in order to allow our "competitor" to get past the following in log_t::write_checkpoint():

    checkpoint_pending= true;
    latch.wr_unlock();
    log_write_and_flush_prepare();

[Thirunarayanan]

In innodb_log_file_size_update(), we do the following:

    switch (log_sys.resize_start(*static_cast<const ulonglong*>(save), thd)) {
    case log_t::RESIZE_NO_CHANGE:
      break;

Should this return a new status (kind of deferred). so the handler
can inform the user that the size will apply to the next archive file?

[dr-m]

SET GLOBAL has not actually designed to return any status after the initial validate step. The error reporting and the entire logic should some day be improved in the following:
MDEV-36828 SET GLOBAL cannot be atomic when inter-parameter constraints exist

We are reporting errors only when we really have to. As you can see in log_file_size_online.result it is pretty ugly:

SET GLOBAL innodb_log_file_size=4294971392;
ERROR HY000: Failed to create specific handler file

[Thirunarayanan]

why 4k? innodb_log_write_ahead_size can be 512kb.
Should the alignment check use write_size - 1 instead?

[dr-m]

The allocation unit of innodb_log_file_size is 4096 bytes:

static MYSQL_SYSVAR_ULONGLONG(log_file_size, srv_log_file_size,
  PLUGIN_VAR_RQCMDARG,
  "Desired log file size in bytes",
  nullptr, innodb_log_file_size_update,
  96 << 20, log_t::FILE_SIZE_MIN, std::numeric_limits<ulonglong>::max(), 4096);

In the innodb_log_archive=ON format, the file size must be a multiple of 4096 bytes. In innodb_log_archive=OFF we allow arbitrary file sizes above 12288+16 bytes, because that is the minimum-size ib_logfile0 that mariadb-backup can produce.

[Thirunarayanan]

If the gap is found then all the files before gap are erased. Shouldn't we add message about it?

[dr-m]

We should already refuse to start up InnoDB if innodb_log_recovery_start is before the first available log file. See the test innodb.log_archive:

--let $restart_parameters= --innodb-read-only --innodb-log-recovery-start=12288
--source include/start_mysqld.inc
SELECT variable_name, variable_value FROM information_schema.global_status
WHERE variable_name LIKE 'INNODB_LSN%';

let SEARCH_FILE = $MYSQLTEST_VARDIR/log/mysqld.1.err;
let SEARCH_PATTERN = InnoDB: No matching file found for innodb_log_recovery_start=12288;
--source include/search_pattern_in_file.inc

We must not allow any gaps between the first accepted file and the last found log file. We can only apply changes that reside within the available contiguous logs.

Note: It is possible that a DBA has moved some archived log to remote storage. This handling will allow us to recover if the archived log is restored.

Normally, when no innodb_log_recovery_start has been specified, we should start recovery from one of the last 2 log files.

[Thirunarayanan]

Is this case where archived file name contains circular log format?

[dr-m]

If the server is killed in the middle of log_t::set_archive(), we may end up with a file ib_*.log whose contents is actually in the innodb_log_archive=OFF format. This is being exercised in the test innodb.log_archive by some injection in Perl. In 218b238 a sql_print_information message was added so that users will be able to recover from a situation where a crash during SET GLOBAL innodb_log_archive=OFF corrupts the log header.

[Thirunarayanan]

This one reads 4-byte checkpoint offsets sequentially. If a crash occurred while
writing a checkpoint slot (partial write), d could be a garbage value that happens
to be >= START_OFFSET and < file_size. How would handle this case?

[dr-m]

Garbage values will be validated in the loop body by invoking recv_scan_log(false, parser) and by checking if recv_sys.file_checkpoint had been set. If not, we encountered something else than a valid FILE_CHECKPOINT record optionally preceded by FILE_MODIFY records. We silently ignore such invalid records. We will only be loud if no valid checkpoint is found and no valid innodb_log_recovery_start has been specified.

This is the reason why I believe that it is OK to write the checkpoint headers without any CRC-32C protection. Even if we crashed with completely invalid header in a log file, we should be able to recover from the start of a preceding log file.

[mariadb-SaahilAlam]

Another assertion found:-

origin/MDEV-37949 d9664ddec78e23d517887df6311204bd00044240

# 2026-03-02T13:49:16 [1000110] | mariadbd: /data/Server/MDEV-37949B/storage/innobase/buf/buf0flu.cc:1827: void log_t::write_checkpoint(lsn_t): Assertion `this->end_lsn <= end_lsn' failed.

Only core dump available on SDP :-

/data/results/1772479413/TBR-2379-MDEV-37949B

[dr-m]

log_sys.end_lsn is 0x18a bytes ahead of end_lsn, that is, a checkpoint has apparently been written out of order. Both these LSN are after the start of the file (log_sys.first_lsn). I see that the file is in innodb_log_archive=OFF format. In that format, the old value of end_lsn should not play much role at all.

I’d like to see an rr replay trace of this, if possible.