Test find_end_of_wal_segment and fix its contrecord handling

[yeputons]

Related to #544: fixes some troubles with handling WAL records that cross a segment boundary.

This PR starts fixing them:

• Add a separate library/binary for carefully crafting weird WALs using a Postgres server. Right now it can craft three kinds of WAL: simple, one ending in a record that crosses segment boundary, and a similar one with a small message appended.
  • The latter two were not handled correctly, and prior to Create timeline on safekeepers explicitly #1280 (or somewhere around), it was even possible to crash Safekeeper. It is harder now because it starts find_end_of_wal from commit lsn.
• Add lots of tracing to find_end_of_wal_segment. It's called on Safekeeper startup only, so should not yield a big performance penalty.
• Fix find_end_of_wal_segment's bug: it worked incorrectly when the first record in the last segment is a contrecord. The old logic was to crash, new logic is to skip this record and find at least one full valid record in the segment.

I think it's better to get the barebones in first, but there are some todos left:

• Handle corner cases in find_end_of_wal_segment marked as TODO in this PR. I believe they never happen in our tests.
• Backtrack if there is no full valid record in the last segment file. This test is currently #[ignore]d.

[antons-antons]

I was looking at #932 and had a similar change to yours, but you have beaten me to the CR and have tests, wanna link the issue with this PR?

Also, what about the case when there're no Log Records in the segment? it's certainly a corner case but nonetheless possible (e.g. with xact_commit, or with logical)

[antons-antons]

Should we validate here that

1. start_offset is < wal_seg_size?
2. wal_seg_size is a power of 2 and between 1Mb and 1Gb?

[antons-antons]

we're handling the first page in the segment with XLP_FIRST_IS_CONTRECORD while it's possible that a page in the middle of the segment with this flag, should we handle it?

[antons-antons]

I find this function has unnecessary nesting, do you think we can simplify this?

[antons-antons]

I think we should handle the case of xl_tot_len < XLOG_SIZE_OF_XLOG_RECORD and at least warn about this.

[antons-antons]

In addition to the crc validation we can check if xl_prev points to last_valid_rec_pos (with the only exception of the first log record received by SK)

[yeputons]

Removing complex WAL generation logic from 891d052 in favor of a simpler strategy: emit necessary logical message, flush it to the disk via neon_xlogflush from neondatabase/postgres#160, kill the server. No COMMIT record.

Disabling autovacuum just in case on Anton's suggestion. Maybe some other stuff needs to be disabled as well.

[yeputons]

Will rebase 8e5562bf2c2f419482bd75cfda995f03568823db onto main and squash all commits, so it's ready to merge after review.

[yeputons]

Code is rebased, ready for review and rebase-merge. One can review commit-by-commit or everything at once.

I think @antons-antons' concerns are valid but are better addressed in a separate PR. I prefer to focus this one on adding a test framework and fixing the issue I already know how to reproduce. After all, the find_end_of_wal_segment function will probably need some re-thinking to handle all these cases and support trailing multi-segment records and avoid failing because of invalid data like in #932 (incorrect length caused integer overflow and panic).

[yeputons]

There is a popular static_assertions crate, but it wasn't updated for a while.

[yeputons]

Wow, it's a real flaky failure introduced (or reproduced?) by this PR in test_restarts_frequent_checkpoints! Investigating. Does not reproduce locally. Logs of a single Safekeeper:

2022-05-20T17:11:33.180580Z ERROR {tid=8}: query handler for 'START_WAL_PUSH postgresql://no_user:@localhost:18106' failed: failed to restore shared state

Caused by:
    Condition failed: `rec_offs + n <= XLOG_RECORD_CRC_OFFS` (23 vs 20)

Stack backtrace:
   0: anyhow::ensure::render
             at /home/circleci/.cargo/registry/src/github.com-1ecc6299db9ec823/anyhow-1.0.53/src/ensure.rs:97:20
   1: <(A,B) as anyhow::ensure::BothDebug>::__dispatch_ensure
             at /home/circleci/.cargo/registry/src/github.com-1ecc6299db9ec823/anyhow-1.0.53/src/ensure.rs:20:9
      postgres_ffi::xlog_utils::find_end_of_wal_segment
             at /home/circleci/project/libs/postgres_ffi/src/xlog_utils.rs:331:17
      postgres_ffi::xlog_utils::find_end_of_wal
             at /home/circleci/project/libs/postgres_ffi/src/xlog_utils.rs:439:25
   2: <safekeeper::wal_storage::PhysicalStorage as safekeeper::wal_storage::Storage>::init_storage
             at /home/circleci/project/safekeeper/src/wal_storage.rs:329:17
   3: safekeeper::safekeeper::SafeKeeper<CTRL,WAL>::new
             at /home/circleci/project/safekeeper/src/safekeeper.rs:554:9
   4: safekeeper::timeline::SharedState::restore
             at /home/circleci/project/safekeeper/src/timeline.rs:130:17
      safekeeper::timeline::GlobalTimelines::get
             at /home/circleci/project/safekeeper/src/timeline.rs:598:21
   5: <core::option::Option<alloc::sync::Arc<safekeeper::timeline::Timeline>> as safekeeper::timeline::TimelineTools>::set
             at /home/circleci/project/safekeeper/src/timeline.rs:513:22
      <safekeeper::handler::SafekeeperPostgresHandler as utils::postgres_backend::Handler>::process_query
             at /home/circleci/project/safekeeper/src/handler.rs:108:13
   6: utils::postgres_backend::PostgresBackend::process_message
             at /home/circleci/project/libs/utils/src/postgres_backend.rs:431:33
   7: utils::postgres_backend::PostgresBackend::run_message_loop
             at /home/circleci/project/libs/utils/src/postgres_backend.rs:283:31
      utils::postgres_backend::PostgresBackend::run
             at /home/circleci/project/libs/utils/src/postgres_backend.rs:265:19
   8: safekeeper::wal_service::handle_socket
             at /home/circleci/project/safekeeper/src/wal_service.rs:55:5
   9: safekeeper::wal_service::thread_main::{{closure}}
             at /home/circleci/project/safekeeper/src/wal_service.rs:26:43
      std::sys_common::backtrace::__rust_begin_short_backtrace
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/sys_common/backtrace.rs:123:18
  10: std::thread::Builder::spawn_unchecked::{{closure}}::{{closure}}
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/thread/mod.rs:484:17
      <core::panic::unwind_safe::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/core/src/panic/unwind_safe.rs:271:9
      std::panicking::try::do_call
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/panicking.rs:406:40
      std::panicking::try
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/panicking.rs:370:19
      std::panic::catch_unwind
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/panic.rs:133:14
      std::thread::Builder::spawn_unchecked::{{closure}}
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/thread/mod.rs:483:30
      core::ops::function::FnOnce::call_once{{vtable.shim}}
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/core/src/ops/function.rs:227:5
  11: <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/alloc/src/boxed.rs:1694:9
      <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/alloc/src/boxed.rs:1694:9
      std::sys::unix::thread::Thread::new::thread_start
             at /rustc/db9d1b20bba1968c1ec1fc49616d4742c1725b4b/library/std/src/sys/unix/thread.rs:106:17
  12: start_thread
  13: clone
2022-05-20T17:11:33.444770Z  INFO Got SIGQUIT. Terminating in immediate shutdown mode

[yeputons]

Gosh, I love programming. No sarcasm.

1. Unable to reproduce locally.
2. Re-running the test in CI made it pass, so it's flaky, and I got fortunate it failed the first time. Another test failed, though: test_replace_safekeeper, and for the same reason. After another re-run the latter just hang.
3. Compiling with --release and running the test multiple times got me the local reproduction.

So, the corner case: if a record gets split between two segments, find_end_of_wal_segment does not care and still reads the second half of the record as if it was a correct record with a header, CRC, and stuff, but just does not check it. However, that behavior changed in my last commit: I ensured that the record never stops inside the xl_crc field. That would be correct for if we were reading a valid record, but we are reading a tail of a record. Hence the failure.

Nice coincidence, IMHO:

1. A record got split between two pages; and
2. Its second half has a length of either 21, 22, or 23 bytes exactly; and
3. It got caught by a completely unrelated test in or CI which actually provided useful logs suggesting that this PR is the reason.

Quick fix (amended the last commit): check less when skipping the first contrecord. A probably cleaner one would to clearly specify the current state of find_end_of_wal_segment (e.g. "skipping the first cont record", "reading the header", "reading the record body"), but I'd leave it for a separate PR, see #544 (comment)

[arssher]

IOW, rec_offs is unknown in case of record split between segments.