tigerbeetle-node 0.10.0 → 0.11.1

package/src/tigerbeetle/src/message_pool.zig

@@ -23,7 +23,7 @@ pub const messages_max_replica = messages_max: {
     var sum: usize = 0;
 
     sum += config.io_depth_read + config.io_depth_write; // Journal I/O
-    sum += config.clients_max; // Replica.client_table
+    sum += config.clients_max; // SuperBlock.client_table
     sum += 1; // Replica.loopback_queue
     sum += config.pipeline_max; // Replica.pipeline
     sum += 1; // Replica.commit_prepare
@@ -37,7 +37,6 @@ pub const messages_max_replica = messages_max: {
     // Handle Replica.commit_op's reply:
     // (This is separate from the burst +1 because they may occur concurrently).
     sum += 1;
-    sum += 20; // TODO Our network simulator allows up to 20 messages for path_capacity_max.
 
     break :messages_max sum;
 };
@@ -51,7 +50,6 @@ pub const messages_max_client = messages_max: {
     sum += config.client_request_queue_max; // Client.request_queue
     // Handle bursts (e.g. Connection.parse_message, or sending a ping when the send queue is full).
     sum += 1;
-    sum += 20; // TODO Our network simulator allows up to 20 messages for path_capacity_max.
 
     break :messages_max sum;
 };
@@ -68,9 +66,7 @@ pub const MessagePool = struct {
     pub const Message = struct {
         // TODO: replace this with a header() function to save memory
         header: *Header,
-        /// This buffer is aligned to config.sector_size and casting to that alignment in order
-        /// to perform Direct I/O is safe.
-        buffer: []u8,
+        buffer: []align(config.sector_size) u8,
         references: u32 = 0,
         next: ?*Message,
 
@@ -80,25 +76,27 @@ pub const MessagePool = struct {
             return message;
         }
 
-        pub fn body(message: *Message) []align(@alignOf(Header)) u8 {
-            return @alignCast(
-                @alignOf(Header),
-                message.buffer[@sizeOf(Header)..message.header.size],
-            );
+        pub fn body(message: *const Message) []align(@sizeOf(Header)) u8 {
+            return message.buffer[@sizeOf(Header)..message.header.size];
         }
     };
 
-    /// List of currently unused messages of message_size_max_padded
+    /// List of currently unused messages.
     free_list: ?*Message,
 
+    messages_max: usize,
+
     pub fn init(allocator: mem.Allocator, process_type: vsr.ProcessType) error{OutOfMemory}!MessagePool {
-        const messages_max: usize = switch (process_type) {
+        return MessagePool.init_capacity(allocator, switch (process_type) {
             .replica => messages_max_replica,
             .client => messages_max_client,
-        };
+        });
+    }
 
-        var ret: MessagePool = .{
+    pub fn init_capacity(allocator: mem.Allocator, messages_max: usize) error{OutOfMemory}!MessagePool {
+        var pool: MessagePool = .{
             .free_list = null,
+            .messages_max = messages_max,
         };
         {
             var i: usize = 0;
@@ -113,22 +111,27 @@ pub const MessagePool = struct {
                 message.* = .{
                     .header = mem.bytesAsValue(Header, buffer[0..@sizeOf(Header)]),
                     .buffer = buffer,
-                    .next = ret.free_list,
+                    .next = pool.free_list,
                 };
-                ret.free_list = message;
+                pool.free_list = message;
             }
         }
 
-        return ret;
+        return pool;
     }
-    
+
     /// Frees all messages that were unused or returned to the pool via unref().
     pub fn deinit(pool: *MessagePool, allocator: mem.Allocator) void {
+        var free_count: usize = 0;
         while (pool.free_list) |message| {
             pool.free_list = message.next;
             allocator.free(message.buffer);
             allocator.destroy(message);
+            free_count += 1;
         }
+        // If the MessagePool is being deinitialized, all messages should have already been
+        // released to the pool.
+        assert(free_count == pool.messages_max);
     }
 
     /// Get an unused message with a buffer of config.message_size_max.

package/src/tigerbeetle/src/ring_buffer.zig

@@ -3,15 +3,19 @@ const assert = std.debug.assert;
 const math = std.math;
 const mem = std.mem;
 
+const util = @import("util.zig");
+
 /// A First In, First Out ring buffer holding at most `count_max` elements.
 pub fn RingBuffer(
     comptime T: type,
-    comptime count_max: usize,
+    comptime count_max_: usize,
     comptime buffer_type: enum { array, pointer },
 ) type {
     return struct {
         const Self = @This();
 
+        pub const count_max = count_max_;
+
         buffer: switch (buffer_type) {
             .array => [count_max]T,
             .pointer => *[count_max]T,
@@ -145,8 +149,8 @@ pub fn RingBuffer(
             const pre_wrap_count = math.min(items.len, self.buffer.len - pre_wrap_start);
             const post_wrap_count = items.len - pre_wrap_count;
 
-            mem.copy(T, self.buffer[pre_wrap_start..], items[0..pre_wrap_count]);
-            mem.copy(T, self.buffer[0..post_wrap_count], items[pre_wrap_count..]);
+            util.copy_disjoint(.inexact, T, self.buffer[pre_wrap_start..], items[0..pre_wrap_count]);
+            util.copy_disjoint(.exact, T, self.buffer[0..post_wrap_count], items[pre_wrap_count..]);
 
             self.count += items.len;
         }

package/src/tigerbeetle/src/simulator.zig

@@ -3,16 +3,24 @@ const builtin = @import("builtin");
 const assert = std.debug.assert;
 const mem = std.mem;
 
+const tb = @import("tigerbeetle.zig");
 const config = @import("config.zig");
+const vsr = @import("vsr.zig");
+const Header = vsr.Header;
 
 const Client = @import("test/cluster.zig").Client;
 const Cluster = @import("test/cluster.zig").Cluster;
 const ClusterOptions = @import("test/cluster.zig").ClusterOptions;
-const Header = @import("vsr.zig").Header;
 const Replica = @import("test/cluster.zig").Replica;
-const StateChecker = @import("test/state_checker.zig").StateChecker;
 const StateMachine = @import("test/cluster.zig").StateMachine;
+const StateChecker = @import("test/state_checker.zig").StateChecker;
+const StorageChecker = @import("test/storage_checker.zig").StorageChecker;
 const PartitionMode = @import("test/packet_simulator.zig").PartitionMode;
+const MessageBus = @import("test/message_bus.zig").MessageBus;
+const auditor = @import("test/accounting/auditor.zig");
+const Workload = @import("test/accounting/workload.zig").WorkloadType(StateMachine);
+const Conductor = @import("test/conductor.zig").ConductorType(Client, MessageBus, StateMachine, Workload);
+const IdPermutation = @import("test/id.zig").IdPermutation;
 
 /// The `log` namespace in this root file is required to implement our custom `log` function.
 const output = std.log.scoped(.state_checker);
@@ -21,21 +29,25 @@ const output = std.log.scoped(.state_checker);
 /// This will run much slower but will trace all logic across the cluster.
 const log_state_transitions_only = builtin.mode != .Debug;
 
-const log_health = std.log.scoped(.health);
-const log_faults = std.log.scoped(.faults);
+const log_simulator = std.log.scoped(.simulator);
 
 /// You can fine tune your log levels even further (debug/info/notice/warn/err/crit/alert/emerg):
 pub const log_level: std.log.Level = if (log_state_transitions_only) .info else .debug;
 
 /// Modifies compile-time constants on "config.zig".
 pub const deployment_environment = .simulation;
-comptime {
-    assert(config.deployment_environment == .simulation);
-}
+
+const cluster_id = 0;
 
 var cluster: *Cluster = undefined;
+var state_checker: *StateChecker = undefined;
+var storage_checker: *StorageChecker = undefined;
 
 pub fn main() !void {
+    comptime {
+        assert(config.deployment_environment == .simulation);
+    }
+
     // This must be initialized at runtime as stderr is not comptime known on e.g. Windows.
     log_buffer.unbuffered_writer = std.io.getStdErr().writer();
 
@@ -76,17 +88,25 @@ pub fn main() !void {
     const client_count = 1 + random.uintLessThan(u8, config.clients_max);
     const node_count = replica_count + client_count;
 
-    const ticks_max = 100_000_000;
+    const ticks_max = 50_000_000;
     const request_probability = 1 + random.uintLessThan(u8, 99);
     const idle_on_probability = random.uintLessThan(u8, 20);
     const idle_off_probability = 10 + random.uintLessThan(u8, 10);
 
+    // TODO: When block recovery and state transfer are implemented, remove this flag to allow
+    // crashes to coexist with WAL wraps.
+    const requests_committed_max: usize = config.journal_slot_count * 3;
+
     const cluster_options: ClusterOptions = .{
-        .cluster = 0,
+        .cluster = cluster_id,
         .replica_count = replica_count,
         .client_count = client_count,
+        // TODO Compute an upper-bound for this based on requests_committed_max.
+        .grid_size_max = 1024 * 1024 * 256,
         .seed = random.int(u64),
-        .on_change_state = on_change_replica,
+        .on_change_state = on_replica_change_state,
+        .on_compact = on_replica_compact,
+        .on_checkpoint = on_replica_checkpoint,
         .network_options = .{
             .packet_simulator_options = .{
                 .replica_count = replica_count,
@@ -117,21 +137,75 @@ pub fn main() !void {
             .write_latency_mean = 3 + random.uintLessThan(u16, 100),
             .read_fault_probability = random.uintLessThan(u8, 10),
             .write_fault_probability = random.uintLessThan(u8, 10),
+            // TODO Allow WAL faults on crash when replica_count=1 when redundant-header-repair
+            // is implemented after recovering with decision=fix. Otherwise we can end up with
+            // multiple crashes faulting first a redundant headers, then a prepare, upgrading
+            // a decision=fix to decision=vsr.
+            .crash_fault_probability = if (replica_count == 1) 0 else 80 + random.uintLessThan(u8, 21),
+            .faulty_superblock = true,
         },
         .health_options = .{
-            .crash_probability = 0.0001,
+            .crash_probability = 0.000001,
             .crash_stability = random.uintLessThan(u32, 1_000),
-            .restart_probability = 0.01,
+            .restart_probability = 0.0001,
             .restart_stability = random.uintLessThan(u32, 1_000),
         },
         .state_machine_options = .{
-            .seed = random.int(u64),
-            .prefetch_mean = 5 + random.uintLessThan(u64, 10),
-            .compact_mean = 5 + random.uintLessThan(u64, 10),
-            .checkpoint_mean = 5 + random.uintLessThan(u64, 10),
+            // TODO What should these fields be set to? Can they be randomized (and with what constraints)?
+            .lsm_forest_node_count = 4096,
+            .cache_entries_accounts = 2048,
+            .cache_entries_transfers = 2048,
+            .cache_entries_posted = 2048,
         },
     };
 
+    const workload_options: Workload.Options = .{
+        .auditor_options = .{
+            .accounts_max = 2 + random.uintLessThan(usize, 128),
+            .account_id_permutation = random_id_permutation(random),
+            .client_count = client_count,
+            .transfers_pending_max = 256,
+            .in_flight_max = Conductor.stalled_queue_capacity,
+        },
+        .transfer_id_permutation = random_id_permutation(random),
+        .operations = .{
+            .create_accounts = 1 + random.uintLessThan(usize, 10),
+            .create_transfers = 1 + random.uintLessThan(usize, 100),
+            .lookup_accounts = 1 + random.uintLessThan(usize, 20),
+            .lookup_transfers = 1 + random.uintLessThan(usize, 20),
+        },
+        .create_account_invalid_probability = 1,
+        .create_transfer_invalid_probability = 1,
+        .create_transfer_limit_probability = random.uintLessThan(u8, 101),
+        .create_transfer_pending_probability = 1 + random.uintLessThan(u8, 100),
+        .create_transfer_post_probability = 1 + random.uintLessThan(u8, 50),
+        .create_transfer_void_probability = 1 + random.uintLessThan(u8, 50),
+        .lookup_account_invalid_probability = 1,
+        .lookup_transfer = .{
+            .delivered = 1 + random.uintLessThan(usize, 10),
+            .sending = 1 + random.uintLessThan(usize, 10),
+        },
+        .lookup_transfer_span_mean = 10 + random.uintLessThan(usize, 1000),
+        .account_limit_probability = random.uintLessThan(u8, 80),
+        .linked_valid_probability = random.uintLessThan(u8, 101),
+        // 100% chance because this only applies to consecutive invalid transfers, which are rare.
+        .linked_invalid_probability = 100,
+        // TODO(Timeouts): When timeouts are implemented in the StateMachine, change this to the
+        // (commented out) value so that timeouts can actually trigger.
+        .pending_timeout_mean = std.math.maxInt(u64) / 2,
+        // .pending_timeout_mean = 1 + random.uintLessThan(usize, 1_000_000_000 / 4),
+        .accounts_batch_size_min = 0,
+        .accounts_batch_size_span = 1 + random.uintLessThan(
+            usize,
+            StateMachine.constants.batch_max.create_accounts,
+        ),
+        .transfers_batch_size_min = 0,
+        .transfers_batch_size_span = 1 + random.uintLessThan(
+            usize,
+            StateMachine.constants.batch_max.create_transfers,
+        ),
+    };
+
     output.info(
         \\
         \\          SEED={}
@@ -163,10 +237,6 @@ pub fn main() !void {
         \\          crash_stability={} ticks
         \\          restart_probability={d}%
         \\          restart_stability={} ticks
-        \\          prefetch_mean={} ticks
-        \\          compact_mean={} ticks
-        \\          checkpoint_mean={} ticks
-        \\
     , .{
         seed,
         replica_count,
@@ -196,19 +266,46 @@ pub fn main() !void {
         cluster_options.health_options.crash_stability,
         cluster_options.health_options.restart_probability * 100,
         cluster_options.health_options.restart_stability,
-        cluster_options.state_machine_options.prefetch_mean,
-        cluster_options.state_machine_options.compact_mean,
-        cluster_options.state_machine_options.checkpoint_mean,
     });
 
     cluster = try Cluster.create(allocator, random, cluster_options);
     defer cluster.destroy();
 
-    cluster.state_checker = try StateChecker.init(allocator, cluster);
-    defer cluster.state_checker.deinit();
+    var workload = try Workload.init(allocator, random, workload_options);
+    defer workload.deinit(allocator);
 
-    var requests_sent: u64 = 0;
-    var idle = false;
+    var conductor = try Conductor.init(allocator, random, &workload, .{
+        .cluster = cluster_id,
+        .replica_count = replica_count,
+        .client_count = client_count,
+        .message_bus_options = .{ .network = &cluster.network },
+        .requests_max = requests_committed_max,
+        .request_probability = request_probability,
+        .idle_on_probability = idle_on_probability,
+        .idle_off_probability = idle_off_probability,
+    });
+    defer conductor.deinit(allocator);
+
+    for (conductor.clients) |*client| {
+        cluster.network.link(client.message_bus.process, &client.message_bus);
+    }
+
+    state_checker = try allocator.create(StateChecker);
+    defer allocator.destroy(state_checker);
+
+    state_checker.* = try StateChecker.init(
+        allocator,
+        cluster_id,
+        cluster.replicas,
+        conductor.clients,
+    );
+    defer state_checker.deinit();
+
+    storage_checker = try allocator.create(StorageChecker);
+    defer allocator.destroy(storage_checker);
+
+    storage_checker.* = StorageChecker.init(allocator);
+    defer storage_checker.deinit();
 
     // The minimum number of healthy replicas required for a crashed replica to be able to recover.
     const replica_normal_min = replicas: {
@@ -226,8 +323,9 @@ pub fn main() !void {
         storage.faulty = replica_normal_min <= i;
     }
 
+    // The maximum number of transitions from calling `client.request()`, not including
+    // `register` messages.
     // TODO When storage is supported, run more transitions than fit in the journal.
-    const transitions_max = config.journal_slot_count / 2;
     var tick: u64 = 0;
     while (tick < ticks_max) : (tick += 1) {
         const health_options = &cluster.options.health_options;
@@ -247,27 +345,30 @@ pub fn main() !void {
                 // complete the VSR recovery protocol either.
                 if (cluster.health[replica] == .up and crashes == 0) {
                     if (storage.faulty) {
-                        log_faults.debug("{}: disable storage faults", .{replica});
+                        log_simulator.debug("{}: disable storage faults", .{replica});
                         storage.faulty = false;
                     }
                 } else {
                     // When a journal recovers for the first time, enable its storage faults.
                     // Future crashes will recover in the presence of faults.
                     if (!storage.faulty) {
-                        log_faults.debug("{}: enable storage faults", .{replica});
+                        log_simulator.debug("{}: enable storage faults", .{replica});
                         storage.faulty = true;
                     }
                 }
             }
-            storage.tick();
         }
 
-        for (cluster.replicas) |*replica| {
+        for (cluster.replicas) |*replica, index| {
             switch (cluster.health[replica.replica]) {
                 .up => |*ticks| {
                     ticks.* -|= 1;
                     replica.tick();
-                    cluster.state_checker.check_state(replica.replica);
+                    cluster.storages[index].tick();
+
+                    state_checker.check_state(replica.replica) catch |err| {
+                        fatal(.correctness, "state checker error: {}", .{err});
+                    };
 
                     if (ticks.* != 0) continue;
                     if (crashes == 0) continue;
@@ -278,7 +379,7 @@ pub fn main() !void {
                     }
 
                     if (!try cluster.crash_replica(replica.replica)) continue;
-                    log_health.debug("{}: crash replica", .{replica.replica});
+                    log_simulator.debug("{}: crash replica", .{replica.replica});
                     crashes -= 1;
                 },
                 .down => |*ticks| {
@@ -289,59 +390,48 @@ pub fn main() !void {
                     assert(replica.status == .recovering);
                     if (ticks.* == 0 and chance_f64(random, health_options.restart_probability)) {
                         cluster.health[replica.replica] = .{ .up = health_options.restart_stability };
-                        log_health.debug("{}: restart replica", .{replica.replica});
+                        log_simulator.debug("{}: restart replica", .{replica.replica});
                     }
                 },
             }
         }
 
         cluster.network.packet_simulator.tick(cluster.health);
+        conductor.tick();
 
-        for (cluster.clients) |*client| client.tick();
-
-        if (cluster.state_checker.transitions == transitions_max) {
-            if (cluster.state_checker.convergence() and
-                cluster.replica_up_count() == replica_count)
-            {
-                break;
-            }
-            continue;
-        } else {
-            assert(cluster.state_checker.transitions < transitions_max);
+        if (state_checker.convergence() and conductor.done() and
+            cluster.replica_up_count() == replica_count)
+        {
+            break;
         }
-
-        if (requests_sent < transitions_max) {
-            if (idle) {
-                if (chance(random, idle_off_probability)) idle = false;
-            } else {
-                if (chance(random, request_probability)) {
-                    if (send_request(random)) requests_sent += 1;
-                }
-                if (chance(random, idle_on_probability)) idle = true;
-            }
-        }
-    }
-
-    if (cluster.state_checker.transitions < transitions_max) {
+    } else {
         output.err("you can reproduce this failure with seed={}", .{seed});
-        @panic("unable to complete transitions_max before ticks_max");
+        fatal(.liveness, "unable to complete requests_committed_max before ticks_max", .{});
     }
 
-    assert(cluster.state_checker.convergence());
+    assert(state_checker.convergence());
+    assert(conductor.done());
 
     output.info("\n          PASSED ({} ticks)", .{tick});
 }
 
-/// Returns true, `p` percent of the time, else false.
-fn chance(random: std.rand.Random, p: u8) bool {
-    assert(p <= 100);
-    return random.uintLessThan(u8, 100) < p;
+pub const ExitCode = enum(u8) {
+    ok = 0,
+    crash = 127, // Any assertion crash will be given an exit code of 127 by default.
+    liveness = 128,
+    correctness = 129,
+};
+
+/// Print an error message and then exit with an exit code.
+fn fatal(exit_code: ExitCode, comptime fmt_string: []const u8, args: anytype) noreturn {
+    output.err(fmt_string, args);
+    std.os.exit(@enumToInt(exit_code));
 }
 
 /// Returns true, `p` percent of the time, else false.
 fn chance_f64(random: std.rand.Random, p: f64) bool {
     assert(p <= 100.0);
-    return random.float(f64) < p;
+    return random.float(f64) * 100.0 < p;
 }
 
 /// Returns the next argument for the simulator or null (if none available)
@@ -350,62 +440,22 @@ fn args_next(args: *std.process.ArgIterator, allocator: std.mem.Allocator) ?[:0]
     return err_or_bytes catch @panic("Unable to extract next value from args");
 }
 
-fn on_change_replica(replica: *Replica) void {
-    cluster.state_checker.check_state(replica.replica);
+fn on_replica_change_state(replica: *const Replica) void {
+    state_checker.check_state(replica.replica) catch |err| {
+        fatal(.correctness, "state checker error: {}", .{err});
+    };
 }
 
-fn send_request(random: std.rand.Random) bool {
-    const client_index = random.uintLessThan(u8, cluster.options.client_count);
-
-    const client = &cluster.clients[client_index];
-    const checker_request_queue = &cluster.state_checker.client_requests[client_index];
-
-    // Ensure that we don't shortchange testing of the full client request queue length:
-    assert(client.request_queue.buffer.len <= checker_request_queue.buffer.len);
-    if (client.request_queue.full()) return false;
-    if (checker_request_queue.full()) return false;
-
-    const message = client.get_message();
-    defer client.unref(message);
-
-    const body_size_max = config.message_size_max - @sizeOf(Header);
-    const body_size: u32 = switch (random.uintLessThan(u8, 100)) {
-        0...10 => 0,
-        11...89 => random.uintLessThan(u32, body_size_max),
-        90...99 => body_size_max,
-        else => unreachable,
+fn on_replica_compact(replica: *const Replica) void {
+    storage_checker.replica_compact(replica) catch |err| {
+        fatal(.correctness, "storage checker error: {}", .{err});
     };
-
-    const body = message.buffer[@sizeOf(Header)..][0..body_size];
-    if (chance(random, 10)) {
-        std.mem.set(u8, body, 0);
-    } else {
-        random.bytes(body);
-    }
-
-    // While hashing the client ID with the request body prevents input collisions across clients,
-    // it's still possible for the same client to generate the same body, and therefore input hash.
-    const client_input = StateMachine.hash(client.id, body);
-    checker_request_queue.push_assume_capacity(client_input);
-    std.log.scoped(.test_client).debug("client {} sending input={x}", .{
-        client_index,
-        client_input,
-    });
-
-    client.request(0, client_callback, .hash, message, body_size);
-
-    return true;
 }
 
-fn client_callback(
-    user_data: u128,
-    operation: StateMachine.Operation,
-    results: Client.Error![]const u8,
-) void {
-    _ = operation;
-    _ = results catch unreachable;
-
-    assert(user_data == 0);
+fn on_replica_checkpoint(replica: *const Replica) void {
+    storage_checker.replica_checkpoint(replica) catch |err| {
+        fatal(.correctness, "storage checker error: {}", .{err});
+    };
 }
 
 /// Returns a random partitioning mode, excluding .custom
@@ -416,7 +466,17 @@ fn random_partition_mode(random: std.rand.Random) PartitionMode {
     return @intToEnum(PartitionMode, enumAsInt);
 }
 
-fn parse_seed(bytes: []const u8) u64 {
+fn random_id_permutation(random: std.rand.Random) IdPermutation {
+    return switch (random.uintLessThan(usize, 4)) {
+        0 => .{ .identity = {} },
+        1 => .{ .inversion = {} },
+        2 => .{ .zigzag = {} },
+        3 => .{ .random = random.int(u64) },
+        else => unreachable,
+    };
+}
+
+pub fn parse_seed(bytes: []const u8) u64 {
     return std.fmt.parseUnsigned(u64, bytes, 10) catch |err| switch (err) {
         error.Overflow => @panic("seed exceeds a 64-bit unsigned integer"),
         error.InvalidCharacter => @panic("seed contains an invalid character"),