Only call emptyData after RDB validation

[ChiliPaneer]

Addresses: #2588

Overview

Previously we call emptyData() during a fullSync before validating the RDB version is compatible.

This change adds an rdb flag that allows us to flush the database from within rdbLoadRioWithLoadingCtx. THhis provides the option to only flush the data if the rdb has a valid version and signature. In the case where we do have an invalid version and signature, we don't emptyData, so if a full sync fails for that reason a replica can still serve stale data instead of clients experiencing cache misses.

Changes

• Added a new flag RDBFLAGS_EMPTY_DATA that signals to flush the database after rdb validation
• Added logic to call emptyData in rdbLoadRioWithLoadingCtx in rdb.c
• Added logic to not clear data if the RDB validation fails in replication.c using new return type RDB_INCOMPATIBLE
• Modified the signature of rdbLoadRioWithLoadingCtx to return RDB success codes and updated all calling sites.

Testing

It's difficult to test that the data is NOT emptied in the tcl testing framework because we need a full sync with a corrupted rdb, and the rdb's for full sync are loaded from another node. To test this locally, I compiled a version that creates RDBs with a bad magic string "BADKEY" instead of "VALKEY" and forced a full sync on a replica with config set repl-backlog-size 1. The result is in the screenshot below.

We can see that we avoided flushing the data when the RDB wasn't compatible.

A test already exists that checks that the data is flushed: https://github.com/valkey-io/valkey/blob/unstable/tests/integration/replication.tcl#L1504

[KarthikSubbarao]

You can look at rdb.tcl / replication.tcl to add integration tests

[ChiliPaneer]

Discussed above, but testing this is challenging with the TCL framework. I've reproducible demo of the fix, and there exist tests that cover the code paths already. If anyone has any ideas for covering an incompatible RDB load during a full sync, I'd be open to suggesitons.

[ChiliPaneer]

Will look into adding a change to debug.c that allows us to hit this code path.

[zuiderkwast]

We hit this code path also when loading an RDB from a file? Then we can test this instead of a full sync. We can copy a file into the right place and then call DEBUG RELOAD NOSAVE to load it. If the load fails because of bad signature or future version, we shouldn't flush the databases. Is this right?

There are some RDB files here, for example one with the hyptetical future RDB version 987: https://github.com/valkey-io/valkey/tree/unstable/tests/assets

[KarthikSubbarao]

Can we update the comment here? Just don't want this (terminate gracefully ) to be misinterpreted as a shutdown

[KarthikSubbarao]

Nit: This is more of a RDB signature and version validation. It does not check for full compatibility since unknown Module data types may exist in an RDB with valid signature & version.

[hpatro]

Nice work @ChiliPaneer, with this change we are ensuring data flush happens only on verification of RDB compatibility.

Let's add a test case with incompatible RDB and verify old data is preserved after the failure of data loading. Thanks.

[hpatro]

nit:

Suggested change

	void replicationEmptyDbCallback(hashtable *d);
	void replicationEmptyDbCallback(hashtable *ht);

[hpatro]

Suggested change

	* - RDB_INCOMPATIBLE If the RDB is has an invalid signature or version
	* - RDB_INCOMPATIBLE If the RDB has an invalid signature or version

[hpatro]

This seems duplicate of the above. We could maybe mention in all other failure cases.

[hpatro]

Suggested change

	serverLog(LL_NOTICE, "PRIMARY <-> REPLICA sync: No data was loaded, skipping discard step");
	serverLog(LL_NOTICE, "PRIMARY <-> REPLICA sync: RDB version incompatible, preserving old data");

[hpatro]

Is this formatted correctly? Seems like a space should be followed after the end of the macro.

[hpatro]

Do we need to define it here as well ?

[ChiliPaneer]

No, will remove

[codecov]

Codecov Report

❌ Patch coverage is 78.12500% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.24%. Comparing base (3213f48) to head (68950b5).
⚠️ Report is 5 commits behind head on unstable.

Files with missing lines	Patch %	Lines
src/replication.c	61.53%	5 Missing ⚠️
src/rdb.c	87.50%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##           unstable    #2600      +/-   ##
============================================
+ Coverage     72.22%   72.24%   +0.01%     
============================================
  Files           127      127              
  Lines         70777    70827      +50     
============================================
+ Hits          51119    51166      +47     
- Misses        19658    19661       +3     

Files with missing lines	Coverage Δ
src/aof.c	81.10% <100.00%> (ø)
src/debug.c	53.94% <100.00%> (+0.04%)	⬆️
src/module.c	9.79% <ø> (+0.09%)	⬆️
src/rdb.h	100.00% <ø> (ø)
src/server.h	100.00% <ø> (ø)
src/rdb.c	76.98% <87.50%> (-0.14%)	⬇️
src/replication.c	86.85% <61.53%> (+0.05%)	⬆️

... and 15 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hpatro]

Code looks LGTM. Let's figure out a mechanism to add test to verify flush data doesn't cause cleanup of data.

[hpatro]

@zuiderkwast / @enjoy-binbin Please take a look.

[zuiderkwast]

Looks good in general.

[zuiderkwast]

This bracket is mis-indented.

[zuiderkwast]

Does this logic look simpler if we use a flags variable and conditionally add the EMPTY_DATA flag to it? I think so...

Suggested change

	int empty_data_flag = server.repl_diskless_load != REPL_DISKLESS_LOAD_SWAPDB ? RDBFLAGS_EMPTY_DATA : RDBFLAGS_NONE;
	int retval = rdbLoadRioWithLoadingCtxScopedRdb(&rdb, RDBFLAGS_REPLICATION | empty_data_flag, rsi, &loadingCtx);
	int flags = RDBFLAGS_REPLICATION;
	if (server.repl_diskless_load != REPL_DISKLESS_LOAD_SWAPDB) flags |= RDBFLAGS_EMPTY_DATA;
	int retval = rdbLoadRioWithLoadingCtxScopedRdb(&rdb, flags, rsi, &loadingCtx);