sql/recovery.h - Issue 1832173002: [sql] Database recovery system for Shortcuts.

Side by Side Diff: sql/recovery.h

Issue 1832173002: [sql] Database recovery system for Shortcuts. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Address review comments from #9 and #10. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef SQL_RECOVERY_H_	5 #ifndef SQL_RECOVERY_H_

6 #define SQL_RECOVERY_H_	6 #define SQL_RECOVERY_H_

7	7

8 #include <stddef.h>	8 #include <stddef.h>

9	9

10 #include <memory>	10 #include <memory>

11	11

12 #include "base/macros.h"	12 #include "base/macros.h"

13 #include "sql/connection.h"	13 #include "sql/connection.h"

14	14

15 namespace base {	15 namespace base {

16 class FilePath;	16 class FilePath;

17 }	17 }

18	18

19 namespace sql {	19 namespace sql {

20	20

21 // Recovery module for sql/. The basic idea is to create a fresh	21 // Recovery module for sql/. The basic idea is to create a fresh database and

22 // database and populate it with the recovered contents of the	22 // populate it with the recovered contents of the original database. If

23 // original database. If recovery is successful, the recovered	23 // recovery is successful, the recovered database is backed up over the original

24 // database is backed up over the original database. If recovery is	24 // database. If recovery is not successful, the original database is razed. In

25 // not successful, the original database is razed. In either case,	25 // either case, the original handle is poisoned so that operations on the stack

26 // the original handle is poisoned so that operations on the stack do	26 // do not accidentally disrupt the restored data.

27 // not accidentally disrupt the restored data.	27 //

	28 // RecoverDatabaseOrRaze() automates this, including recoverying the schema of

	29 // from the suspect database. If a database requires special handling, such as

	30 // recovering between different schema, or tables requiring post-processing,

	31 // then the module can be used manually like:

28 //	32 //

29 // {	33 // {

30 // std::unique_ptr<sql::Recovery> r =	34 // std::unique_ptr<sql::Recovery> r =

31 // sql::Recovery::Begin(orig_db, orig_db_path);	35 // sql::Recovery::Begin(orig_db, orig_db_path);

32 // if (r) {	36 // if (r) {

33 // // Create the schema to recover to. On failure, clear the	37 // // Create the schema to recover to. On failure, clear the

34 // // database.	38 // // database.

35 // if (!r.db()->Execute(kCreateSchemaSql)) {	39 // if (!r.db()->Execute(kCreateSchemaSql)) {

36 // sql::Recovery::Unrecoverable(std::move(r));	40 // sql::Recovery::Unrecoverable(std::move(r));

37 // return;	41 // return;

(...skipping 37 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
75 // and attach the existing database to it at "corrupt". To prevent	79 // and attach the existing database to it at "corrupt". To prevent

76 // deadlock, all transactions on \|connection\| are rolled back.	80 // deadlock, all transactions on \|connection\| are rolled back.

77 //	81 //

78 // Returns NULL in case of failure, with no cleanup done on the	82 // Returns NULL in case of failure, with no cleanup done on the

79 // original connection (except for breaking the transactions). The	83 // original connection (except for breaking the transactions). The

80 // caller should Raze() or otherwise cleanup as appropriate.	84 // caller should Raze() or otherwise cleanup as appropriate.

81 //	85 //

82 // TODO(shess): Later versions of SQLite allow extracting the path	86 // TODO(shess): Later versions of SQLite allow extracting the path

83 // from the connection.	87 // from the connection.

84 // TODO(shess): Allow specifying the connection point?	88 // TODO(shess): Allow specifying the connection point?

85 static std::unique_ptr<Recovery> Begin(Connection* connection,	89 static std::unique_ptr<Recovery> Begin(Connection* connection,
	Mark P 2016/04/19 23:34:28 I'm surprised that you're changing the type of thi I'm surprised that you're changing the type of this function and the ones below it and don't need to add additional files to this changelist. Scott Hess - ex-Googler 2016/05/13 21:24:36 The change from base::scoped_ptr<> to std::unique_ Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > I'm surprised that you're changing the type of this function and the ones below > it and don't need to add additional files to this changelist. The change from base::scoped_ptr<> to std::unique_ptr<> happened since the CL was originally posted. So any changes you see there are probably just the rebase, and wouldn't show in a diff from trunk (except any new code following the conversion, of course).
86 const base::FilePath& db_path)	90 const base::FilePath& db_path)

87 WARN_UNUSED_RESULT;	91 WARN_UNUSED_RESULT;

88	92

89 // Mark recovery completed by replicating the recovery database over	93 // Mark recovery completed by replicating the recovery database over

90 // the original database, then closing the recovery database. The	94 // the original database, then closing the recovery database. The

91 // original database handle is poisoned, causing future calls	95 // original database handle is poisoned, causing future calls

92 // against it to fail.	96 // against it to fail.

93 //	97 //

94 // If Recovered() is not called, the destructor will call	98 // If Recovered() is not called, the destructor will call

95 // Unrecoverable().	99 // Unrecoverable().

(...skipping 48 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
144 // table as needed.	148 // table as needed.

145 bool SetupMeta();	149 bool SetupMeta();

146	150

147 // Fetch the version number from temp.recover_meta. Returns false	151 // Fetch the version number from temp.recover_meta. Returns false

148 // if the query fails, or if there is no version row. Otherwise	152 // if the query fails, or if there is no version row. Otherwise

149 // returns true, with the version in \|*version_number\|.	153 // returns true, with the version in \|*version_number\|.

150 //	154 //

151 // Only valid to call after successful SetupMeta().	155 // Only valid to call after successful SetupMeta().

152 bool GetMetaVersionNumber(int* version_number);	156 bool GetMetaVersionNumber(int* version_number);

153	157

	158 // Attempt to recover the database by creating a new database with schema from

	159 // \|db\|, then copying over as much data as possible. If the database is

	160 // entirely unreadable, the new database will be empty. After this call, the

	161 // \|db\| handle will be poisoned so that future calls will return errors until

	162 // the handle is re-opened.

	163 //

	164 // The "OrRaze" portion means that if recovery fails due to errors, the

	165 // database can be razed or deleted. The goal is for this function to make

	166 // every possible effort to leave behind a correctly operating database file.

	167 //

	168 // If a corrupt database contains tables without unique indices, the resulting

	169 // table may contain duplication. If this is not acceptable, the client

	170 // should use the manual process as described in the example at the top of the

	171 // file, cleaning up data at the appropriate points.

	172 static void RecoverDatabaseOrRaze(Connection* db,
	Mark P 2016/04/19 23:34:28 Thanks for the long response. Fundamentally, my c Show quoted text On 2016/04/15 00:38:15, Scott Hess wrote: > On 2016/04/07 23:09:44, Mark P wrote: > > Uh, did you mean "will be", not "can be"? And will the result be razed (i.e., > > deleted) or an empty database? > > If you didn't mean that, then how will the caller know whether the recovery > > failed and the database is okay to be razed? This function has no return > value. > > If you're intentionally vague because you plan to change this from > > leave-corrupt-database-around to something else, just give it the right name > for > > now. Later when you make the intended change, you can rename the function. > > I'm not sure how to answer! > > Right now, it only applies the safe cases. It either thinks it recovered the > database, or it rolls things back. But I've seen results from the fleet which > make me believe that running recovery to success didn't actually work (possibly > because of shenanigans in the system, like malware or profile's being > overwritten or something). The intention is to monitor the histograms to see if > any of the failure outcomes is due to a broken assumption rather than broken > user data. If the failures cases look weirdly high, I'll instrument to debug > the fleet, but if they look sensible, I'll switch them over from Rollback() to > Unrecoverable() (leading to Raze()). > > sql::Connection::Raze() means that it overwrites the database with a single-page > empty database. The delete language is because if the Raze() doesn't work, then > what? Probably attempt to Delete(). I'm nervous about landing either of those > up front, though, on the off chance that I write a bug which works right in my > tests but in the field blows away a bunch of data. > > Anyhow, my intention with this function is that it consumes the database handle > in all cases, while making a best effort to recover the data, and failing that a > best effort to clear the database of data, and failing that a best effort to > delete the database. On next run the database should either be a valid > data-containing SQLite database (doesn't throw SQLITE_CORRUPT), or it should be > a valid empty SQLite database, or it should be missing (SQLite would create the > database empty). > > Raze() versus Delete() is because Raze() works using SQLite locking and I/O. It > can clear the database in cases where Delete() won't work. Likewise, Delete() > may work in cases where Raze() does not. Thanks for the long response. Fundamentally, my complaint is that the comment above and indeed the function name doesn't correspond with what the function does. There is no razing going on here. Why not just call it RecoverDatabase()? And remove comments that are entirely wrong such as "If the database is entirely unreadable, the new database will be empty.", and, for that matter, the whole second paragraph (each sentence in it is currently wrong). You can add your raze or delete language back into the function name and comments once you actually switch the code from doing Rollback to Unrecoverable. And at that time add comments about the goal of the function (leaving a working database, even if empty) at that time. That's not the goal at this time. Scott Hess - ex-Googler 2016/05/13 21:24:36 Done. Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:15, Scott Hess wrote: > > On 2016/04/07 23:09:44, Mark P wrote: > > > Uh, did you mean "will be", not "can be"? And will the result be razed > (i.e., > > > deleted) or an empty database? > > > If you didn't mean that, then how will the caller know whether the recovery > > > failed and the database is okay to be razed? This function has no return > > value. > > > If you're intentionally vague because you plan to change this from > > > leave-corrupt-database-around to something else, just give it the right name > > for > > > now. Later when you make the intended change, you can rename the function. > > > > I'm not sure how to answer! > > > > Right now, it only applies the safe cases. It either thinks it recovered the > > database, or it rolls things back. But I've seen results from the fleet which > > make me believe that running recovery to success didn't actually work > (possibly > > because of shenanigans in the system, like malware or profile's being > > overwritten or something). The intention is to monitor the histograms to see > if > > any of the failure outcomes is due to a broken assumption rather than broken > > user data. If the failures cases look weirdly high, I'll instrument to debug > > the fleet, but if they look sensible, I'll switch them over from Rollback() to > > Unrecoverable() (leading to Raze()). > > > > sql::Connection::Raze() means that it overwrites the database with a > single-page > > empty database. The delete language is because if the Raze() doesn't work, > then > > what? Probably attempt to Delete(). I'm nervous about landing either of > those > > up front, though, on the off chance that I write a bug which works right in my > > tests but in the field blows away a bunch of data. > > > > Anyhow, my intention with this function is that it consumes the database > handle > > in all cases, while making a best effort to recover the data, and failing that > a > > best effort to clear the database of data, and failing that a best effort to > > delete the database. On next run the database should either be a valid > > data-containing SQLite database (doesn't throw SQLITE_CORRUPT), or it should > be > > a valid empty SQLite database, or it should be missing (SQLite would create > the > > database empty). > > > > Raze() versus Delete() is because Raze() works using SQLite locking and I/O. > It > > can clear the database in cases where Delete() won't work. Likewise, Delete() > > may work in cases where Raze() does not. > > Thanks for the long response. Fundamentally, my complaint is that the comment > above and indeed the function name doesn't correspond with what the function > does. There is no razing going on here. > > Why not just call it RecoverDatabase()? And remove comments that are entirely > wrong such as "If the database is entirely unreadable, the new database will be > empty.", and, for that matter, the whole second paragraph (each sentence in it > is currently wrong). > > You can add your raze or delete language back into the function name and > comments once you actually switch the code from doing Rollback to Unrecoverable. > And at that time add comments about the goal of the function (leaving a working > database, even if empty) at that time. That's not the goal at this time. > > Done.
	173 const base::FilePath& db_path);

	174

	175 // Returns true for SQLite errors which RecoverDatabaseOrRaze() can recover,

	176 // or which cannot plausibly be recovered (and should be razed). This does
	Mark P 2016/04/19 23:34:28 nit: or which -> versus You don't mean "or", at le nit: or which -> versus You don't mean "or", at least in the boolean sense. Consider making a similar change to the function name. Scott Hess - ex-Googler 2016/05/13 21:24:36 Just removed the comparison clause entirely. Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > nit: or which -> versus > You don't mean "or", at least in the boolean sense. > Consider making a similar change to the function name. Just removed the comparison clause entirely.
	177 // not guarantee that RecoverDatabaseOrRaze() will successfully recover any

	178 // data. Returning false means the error is not related to the contents of

	179 // the database (such as SQLITE_BUSY or SQLITE_MISUSE), or is not verified to

	180 // be handled correctly (such as SQLITE_IOERR or SQLITE_FULL).

	181 static bool ShouldRecoverOrRaze(int extended_error);

	182

154 private:	183 private:

155 explicit Recovery(Connection* connection);	184 explicit Recovery(Connection* connection);

156	185

157 // Setup the recovery database handle for Begin(). Returns false in	186 // Setup the recovery database handle for Begin(). Returns false in

158 // case anything failed.	187 // case anything failed.

159 bool Init(const base::FilePath& db_path) WARN_UNUSED_RESULT;	188 bool Init(const base::FilePath& db_path) WARN_UNUSED_RESULT;

160	189

161 // Copy the recovered database over the original database.	190 // Copy the recovered database over the original database.

162 bool Backup() WARN_UNUSED_RESULT;	191 bool Backup() WARN_UNUSED_RESULT;

163	192

164 // Close the recovery database, and poison the original handle.	193 // Close the recovery database, and poison the original handle.

165 // \|raze\| controls whether the original database is razed or just	194 // \|raze\| controls whether the original database is razed or just

166 // poisoned.	195 // poisoned.

167 enum Disposition {	196 enum Disposition {

168 RAZE_AND_POISON,	197 RAZE_AND_POISON,

169 POISON,	198 POISON,

170 };	199 };

171 void Shutdown(Disposition raze);	200 void Shutdown(Disposition raze);

172	201

173 Connection* db_; // Original database connection.	202 Connection* db_; // Original database connection.

174 Connection recover_db_; // Recovery connection.	203 Connection recover_db_; // Recovery connection.

175	204

176 DISALLOW_COPY_AND_ASSIGN(Recovery);	205 DISALLOW_COPY_AND_ASSIGN(Recovery);

177 };	206 };

178	207

179 } // namespace sql	208 } // namespace sql

180	209

181 #endif // SQL_RECOVERY_H_	210 #endif // SQL_RECOVERY_H_

OLD	NEW

« components/omnibox/browser/shortcuts_database_unittest.cc ('K') | « sql/connection.cc ('k') | sql/recovery.cc » ('j') | sql/recovery.cc » ('J')