Feat/336/wal-recover

[xiao-77]

• Add syncNotifyWalTruncated interface in sync module
• Call notification after three-replica recovery
• Enable Raft to detect and sync missing logs

Description

Issue(s)

• Close/close/Fix/fix/Resolve/resolve: Issue Link

Checklist

Please check the items in the checklist if applicable.

• Is the user manual updated?
• Are the test cases passed and automated?
• Is there no significant decrease in test coverage?

[gemini-code-assist]

Code Review

This pull request introduces a WAL recovery policy and enhances corruption handling by incorporating replica counts into the WAL opening process. Key changes include the addition of the tsWalRecoveryPolicy configuration and a notification mechanism for the sync module when WAL truncation occurs. Review feedback identifies critical issues where the notification logic is unreachable due to early returns and the recovery logic is overly specific to three-replica setups. Improvements are also suggested regarding the use of header files instead of extern declarations and the need for a more functional implementation of the sync notification to properly handle log synchronization after truncation.

[gemini-code-assist]

There are two issues here:

1. The notification to the sync module (intended at line 680) is unreachable because this block either returns via TAOS_RETURN or jumps to _exit before reaching the end of the function.
2. For multi-replica setups, the log at line 620 claims auto-recovery is enabled, but the actual recovery is still gated by tsWalDeleteOnCorruption (which defaults to false). If recovery is intended to be automatic for clusters, this guard should be adjusted.

        if (shouldRecover && (tsWalDeleteOnCorruption || replica > 1)) {
          if (replica > 1) {
            syncNotifyWalTruncated(pWal->cfg.vgId, truncatedVer);
          }
          TAOS_RETURN(walRenameCorruptedDir(pWal));
        }
        goto _exit;

[gemini-code-assist]

This block is unreachable when walTruncated is true. As noted in the previous comment, any path that detects corruption and sets walTruncated = true results in an early exit from the function. The notification logic should be moved into the recovery block where the actual truncation/renaming occurs.

[gemini-code-assist]

Instead of using an extern declaration inside a source file, it is better practice to include the header file where the function is declared. This ensures type safety and a single source of truth for the function signature.

#include "sync.h"

[gemini-code-assist]

The check for replica == 3 is too specific. TDengine supports other replica counts (e.g., 2 or 5). It is better to check if the node is part of a multi-replica group.

        if (replica > 1) {

[gemini-code-assist]

The implementation of syncNotifyWalTruncated currently only logs a message. To fulfill the PR's objective of 'Enabling Raft to detect and sync missing logs', this function should update the state of the corresponding sync node (e.g., resetting its applied index or marking it as needing a snapshot/sync).

[Copilot]

Pull request overview

This PR extends WAL open/repair behavior with replica-aware recovery handling and introduces a sync-module notification hook intended to let Raft detect/sync missing logs after WAL truncation during recovery.

Changes:

• Extend walOpen() / walCheckAndRepairMeta() to take a replica count and use it to decide corruption recovery behavior.
• Add walRecoveryPolicy server config to control single-replica corruption recovery behavior.
• Add syncNotifyWalTruncated() API and invoke it from WAL repair logic (replica=3 path).

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
source/libs/wal/src/walMgmt.c	Extends walOpen() to accept replica count and passes it into meta repair.
source/libs/wal/src/walMeta.c	Adds replica-aware corruption handling and calls syncNotifyWalTruncated() after truncation.
source/libs/wal/inc/walInt.h	Updates internal prototype for walCheckAndRepairMeta().
include/libs/wal/wal.h	Updates public walOpen() signature to include replica count.
source/dnode/vnode/src/vnd/vnodeOpen.c	Passes vnode replica count into walOpen().
source/dnode/mnode/impl/src/mndMain.c	Passes mnode replica count into walOpen().
source/common/src/tglobal.c	Adds walRecoveryPolicy global + config plumbing.
include/common/tglobal.h	Exposes tsWalRecoveryPolicy with documentation.
source/libs/sync/src/syncMain.c	Adds syncNotifyWalTruncated() implementation (currently logs only).
source/libs/sync/inc/syncInt.h	Declares internal syncNotifyWalTruncated() symbol.
include/libs/sync/sync.h	Exposes syncNotifyWalTruncated() in public sync API.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new "auto-recovery enabled for replica=3" path is inconsistent: when replica==3 and WAL scan fails, the code only recovers if tsWalDeleteOnCorruption is enabled; otherwise it falls through to _exit with an error code, causing walOpen() to fail despite logging that auto-recovery is enabled. Either perform the recovery action unconditionally for replica==3 (still preserving the corrupted dir), or make the log/error handling reflect the actual required config and set a deterministic return code.

Suggested change

	if (shouldRecover && tsWalDeleteOnCorruption) {
	if (replica == 3 || (shouldRecover && tsWalDeleteOnCorruption)) {

[Copilot]

When recovery triggers TAOS_RETURN(walRenameCorruptedDir(pWal)), the function returns before reaching the later syncNotifyWalTruncated() block, so the sync module is never notified in the main recovery path. If notification is required for replica=3 recovery, move the notification before the early return (or avoid returning early).

Suggested change

	TAOS_RETURN(walRenameCorruptedDir(pWal));
	code = walRenameCorruptedDir(pWal);

[Copilot]

Header comment says walRecoveryPolicy "only affects single replica", but the new logic checks it for all replica != 3 cases (so it would also affect replica=2 if that configuration exists). Please align the comment (and possibly the config semantics) with actual behavior to avoid misconfiguration.

Suggested change

	// WAL recovery policy (only affects single replica)
	// WAL recovery policy (applies when replica count is not 3, including single-replica deployments)

[Copilot]

walCheckAndRepairMeta() now calls syncNotifyWalTruncated(), but the wal static library does not link against sync (and sync already links against wal), so this introduces a circular/undefined-symbol risk (e.g. walTest links wal without sync). Replace this direct call with a decoupled mechanism such as a callback function pointer registered by sync at runtime, or a weak/no-op default implementation compiled into wal.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

walTruncated and truncatedVer are declared but never used, which is dead code and can trigger -Wunused-variable warnings in some build configurations. Either remove them or use them for the intended truncation notification/metadata tracking (e.g., record truncatedVer and propagate it to the sync module).

Suggested change

	bool walTruncated = false;
	int64_t truncatedVer = -1;

[Copilot]

In the lastVer<0 && code!=TSDB_CODE_WAL_LOG_NOT_EXIST branch, walTruncateCorruptedFiles() mutates pWal->fileInfoSet (removes entries starting at fileIdx). After that, pFileInfo still points to the removed element, but the code can still enter the update block and write pFileInfo->lastVer / use pFileInfo->fileSize, which becomes invalid memory access. Also, totSize may already include sizes of files that just got deleted. After truncation, avoid using the old pFileInfo pointer and recompute totSize/versions from the remaining fileInfoSet (e.g., restart the scan or break and rebuild totals).

[Copilot]

syncNotifyWalTruncated() is added to public headers, but there are no call sites in the repo. If the intent is to notify Raft after WAL truncation/recovery, wire this into the WAL recovery path (e.g., after walTruncateCorruptedFiles succeeds) and pass the actual truncated version; otherwise keep the symbol internal or remove it to avoid exposing an unused API surface.

Suggested change

	int32_t syncNotifyWalTruncated(int32_t vgId, int64_t truncatedVer) {
	sInfo("vgId:%d, notified sync module: WAL truncated to ver:%" PRId64, vgId, truncatedVer);
	return TSDB_CODE_SUCCESS;
	}

[Copilot]

Typo in log message: "snaphot" should be "snapshot".

Suggested change

	", snaphot index:%" PRId64 ", fileIdx:%d",
	", snapshot index:%" PRId64 ", fileIdx:%d",

[Copilot]

walTruncateCorruptedFiles() doesn't validate fileIdx before calling taosArrayGet(pWal->fileInfoSet, fileIdx) and before computing the remove batch length (size - fileIdx). If fileIdx is negative or >= array size, this can lead to invalid memory access or a huge batch removal due to underflow. Add defensive checks at the start of this function and return an appropriate error when fileIdx is out of range.

[Copilot]

walTruncateCorruptedFiles() assumes fileIdx is a valid index into pWal->fileInfoSet (taosArrayGet/taosArrayRemoveBatch). In walLogEntriesComplete(), fileIdx can become == sz when the loop completes without breaking, which would make taosArrayGet out-of-bounds and can crash. Add explicit range checks (fileIdx >= 0 && fileIdx < taosArrayGetSize(...)) before using fileIdx, and decide a safe truncation point (or return an error) when the inconsistency is only in meta/vers rather than a specific corrupted file.

Suggested change

	TAOS_RETURN(walTruncateCorruptedFiles(pWal, fileIdx, replica));
	if (fileIdx >= 0 && fileIdx < sz) {
	TAOS_RETURN(walTruncateCorruptedFiles(pWal, fileIdx, replica));
	}
	wError("vgId:%d, WAL metadata/version inconsistency detected without a valid corrupted file index, "
	"skip truncation, fileCnt:%d, fileIdx:%d",
	pWal->cfg.vgId, sz, fileIdx);
	TAOS_RETURN(TSDB_CODE_WAL_FILE_CORRUPTED);

[Copilot]

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 14 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

walOpen signature now requires a replica argument, but there are still call sites in the repo (e.g. source/libs/sync/test/*.cpp) using the old 2-arg form. This will break compilation; please update all remaining callers (or provide a backward-compatible wrapper/default) so the tree builds cleanly.

[Copilot]

This test mutates the global tsWalRecoveryPolicy and only restores it after assertions. If an ASSERT_* fails, the function aborts early and the global policy remains modified, which can cascade failures into subsequent tests. Prefer a scope guard/RAII restore or make the assertions non-fatal so the restore always runs.

[Copilot]

walTruncateCorruptedFiles() assumes the corrupted file itself has already been truncated by walScanLogGetLastVer, but walScanLogGetLastVer() intentionally skips truncation when fileIdx == sz - 1 (last file). That means corruption in the last WAL segment may not actually be removed, and the node may keep re-entering repair logic (or fail later) even though walTruncateCorruptedFiles() returns success. Consider truncating the corrupted file here as well (or adjusting walScanLogGetLastVer/repair flow) so last-segment corruption is recoverable under the intended policy/replica behavior.

[Copilot]

This test mutates the global tsWalRecoveryPolicy and only restores it after assertions. If an ASSERT_* fails, the function aborts early and the global policy remains modified, which can cascade failures into subsequent tests. Please ensure restore happens even on failure (scope guard/RAII or non-fatal assertions).

[Copilot]

This test claims to verify that a single-replica node refuses to start on WAL corruption, but it never asserts any failure condition (it only logs show dnodes output). As written, it can pass even if the dnode starts successfully. Add an explicit assertion (e.g., check the dnode/vnode status is offline/error, or that queries against the affected vnode fail) so the test actually validates the policy.

Suggested change

	# Dnode should fail to bring vnode online; vnode status should be offline/error
	tdSql.query("show dnodes")
	tdLog.info(f"dnode status after corrupted WAL start: {tdSql.queryResult}")
	tdSql.execute("drop database if exists test_refuse")
	try:
	# Dnode should fail to bring vnode online; log status for debugging
	tdSql.query("show dnodes")
	tdLog.info(f"dnode status after corrupted WAL start: {tdSql.queryResult}")
	# Explicitly verify the affected single-replica vnode is not usable.
	# If the query succeeds, the dnode/vnode came online despite WAL corruption.
	query_failed = False
	try:
	tdSql.query("select count(*) from t1")
	except Exception as err:
	query_failed = True
	tdLog.info(f"Query failed as expected after corrupted WAL restart: {err}")
	assert query_failed, (
	"Expected queries against test_refuse.t1 to fail after restarting with "
	"corrupted WAL and walRecoveryPolicy=0, but the query succeeded."
	)
	finally:
	tdSql.execute("drop database if exists test_refuse")

[Copilot]

This file uses std::sort (and other algorithms) but does not include <algorithm>. Relying on transitive includes is non-portable and can fail to compile on some toolchains; please add the proper header include.

[Copilot]

After switching the corruption path to walTruncateCorruptedFiles(), the old static helper walRenameCorruptedDir() is no longer referenced anywhere in this file. If the build enables -Wunused-function (or treats warnings as errors), this will cause a build break. Consider removing it or gating it behind the same feature/ifdef as any remaining users.

Suggested change

	static int32_t walRenameCorruptedDir(SWal* pWal) __attribute__((unused));

[Copilot]

Typo in log message: snaphot index should be snapshot index for consistency/searchability in logs.

Suggested change

	", snaphot index:%" PRId64 ", fileIdx:%d",
	", snapshot index:%" PRId64 ", fileIdx:%d",

[Copilot]

This test mutates the global tsWalRecoveryPolicy and only restores it after assertions. If an ASSERT_* fails, the function aborts early and the global policy remains modified, which can cascade failures into subsequent tests. Use EXPECT_* plus unconditional restore, or a scope guard/RAII helper to restore tsWalRecoveryPolicy in all exit paths.

[Copilot]

This test mutates the global tsWalRecoveryPolicy and restores it only at the end. If any ASSERT_* fails before the restore, later tests may observe the wrong policy value. Please restore via a scope guard/RAII or use non-fatal expectations so the cleanup always runs.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

walTruncateCorruptedFiles() currently deletes files starting at fileIdx + 1, but it’s also called from walLogEntriesComplete() when a non-consecutive firstVer is detected. In that gap/mismatch case, keeping the fileIdx file leaves the WAL still inconsistent (the gap remains). Consider deleting from fileIdx (or otherwise handling the gap case separately) and then recomputing vers.lastVer/writeCur to reflect the remaining prefix.

[Copilot]

After walLogEntriesComplete() calls walTruncateCorruptedFiles(), the code returns success without updating pWal->vers/totSize or persisting meta. If any files are removed, the in-memory and on-disk meta can remain stale, and subsequent components may observe an incorrect lastVer. Ensure the truncation path recomputes versions and saves meta (or returns a code that forces the caller to persist the repaired meta).

[Copilot]

PR description mentions notifying sync/Raft after three-replica recovery, but walTruncateCorruptedFiles() (the new truncation/recovery path) does not call syncNotifyWalTruncated() or any equivalent hook when replica >= 3. If Raft relies on this notification to resync missing logs, add the call here (or in the caller) at the point where truncation is committed.

[Copilot]

These tests mutate the global tsWalRecoveryPolicy and restore it at the end, but any failing ASSERT_* after the mutation will early-return and skip the restore, polluting global state for later tests. Use a guard/RAII helper or move the restore into TearDown() so it always runs (even on assertion failures).

[Copilot]

Config key walDeleteOnCorruption is removed and replaced with walRecoveryPolicy, which is a breaking change for existing deployments/config files and docs. If backward compatibility is required, consider continuing to accept walDeleteOnCorruption as an alias (or at least emit a clear warning) and update documentation accordingly.

Suggested change

	TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "walRecoveryPolicy", tsWalRecoveryPolicy, 0, 1, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_LOCAL));
	TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "walRecoveryPolicy", tsWalRecoveryPolicy, 0, 1, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_LOCAL));
	TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "walDeleteOnCorruption", tsWalRecoveryPolicy, 0, 1, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_LOCAL));

[Copilot]

syncNotifyWalTruncated is declared in the public sync header, but there is no implementation in the repo (no definition found under source/libs/sync/src). Any new call site will fail to link, and the interface addition is incomplete as-is. Add the corresponding implementation (and ensure it’s exported from the sync library) or remove the declaration until it’s implemented.

Suggested change

int32_t syncNotifyWalTruncated(int32_t vgId, int64_t truncatedVer);

[Copilot]

In walCheckAndRepairMeta(), pFileInfo->lastVer is only updated when lastVer >= 0. For an empty first log file where firstVer == 0, the computed lastVer becomes -1 and this branch is skipped, leaving pFileInfo->lastVer potentially stale. Update pFileInfo->lastVer for the empty-file case as well (even when lastVer < 0).

Suggested change

	if (code == TSDB_CODE_SUCCESS && lastVer >= 0) {
	wInfo("vgId:%d, repaired file %s, last index:%" PRId64 ", fileSize:%" PRId64 ", fileSize in meta:%" PRId64,
	pWal->cfg.vgId, fnameStr, lastVer, fileSize, pFileInfo->fileSize);
	// update lastVer
	if (code == TSDB_CODE_SUCCESS) {
	if (lastVer >= 0) {
	wInfo("vgId:%d, repaired file %s, last index:%" PRId64 ", fileSize:%" PRId64 ", fileSize in meta:%" PRId64,
	pWal->cfg.vgId, fnameStr, lastVer, fileSize, pFileInfo->fileSize);
	}
	// update lastVer, including the empty-file case where lastVer == firstVer - 1