Hello Thomas,

Disclaimer: I am not familiar at all with the internals of H2 (neither
PageStore nor MVStore). I just looked a bit at the code, but nothing too
fancy. Anything I write here might therefore be entirely wrong :-).
I wonder how such reordered writes are coped with in PageStore. In a
traditional "write-ahead log + main storage area" setting, I would expect
that – for each "operation", e.g., an insertion into a table plus the
corresponding changes to indexes etc – first the log is written, before any
of the corresponding changes to the main storage area are written. Then, a
"write barrier" is inserted to make sure that the log writes get to the
platter before any of the corresponding main storage area writes get to the
platter (hopefully disk drives don't violate this order too much, as
consumer-grade drives supposedly do), and only then the writes to the main
storage area are performed. If such a write barrier is not used, the OS is
very likely to reorder the writes, *especially* if the blocks of the
write-ahead log and the main storage area are intermingled in the same file
(are they in H2?).

I would not know how to insert a write barrier in Java, except by fsync'ing
the log after writing to it, and only then starting to issue the writes to
the main storage area. But as H2 seems to put the log in the same file as
the main storage area, either a "partial file fsync" would be needed (of
the form "only fsync at least bytes X to Y of this file", where bytes X to
Y is the location of the part of the log that was just written; I think
Java doesn't support such an API?), or the whole file needs to be fsync'ed.
The latter would be very bad for performance, as all previously issued
writes to the main storage area (which are typically spread out rather
randomly) would need to be performed by the OS (and in principle drive)
before the call could return.

Even fsync'ing only the log after each "operation" would be bad for
performance (severely limiting the number of operations per second), but
that could be coped with by delaying fsync'ing the log until a COMMIT
happens or main storage area writes are needed because of memory pressure.
Any main storage area writes (that correspond to the operations whose log
parts are not fsync'ed yet) must then of course be delayed until the
corresponding log writes are fsync'ed. It seems that H2 is already
implemented like this (except for the write barrier/fsync part); I assume
that the writing happens on a separate thread, so that having to wait for
fsync'ing would not prevent the SQL-performing code from just continuing
while the fsync is in flight (unless reading uses the same thread)?

As I wrote before, if this "write barrier" stuff (or the equivalent "fsync"
stuff) is not performed, then the OS can reoder writes in any order it
wants before sending it to the drive (I think?). When a power failure
occurs, some writes to the main storage area will probably already have
occurred before all corresponding writes to the log have occurred, which
would then likely result in a corrupt database.

Could you please shed some light onto how H2 tries to cope with this
potential problem? By following the code, I could see that H2 makes sure
that the log is written ("sent to the OS" in FileUtils.writeFully) before
the corresponding changes to the main storage area are, but I could not
find anything that would prevent the OS from reordering the writes. If that
problem does indeed exist and is not solved by H2, I might take a jab at
getting into the code and try to figure out what would be needed to
implement such a solution. No guarantees of course, as I have lots of other
stuff to do as well; I just think/hope it would be easier to fix H2 than to
switch to another DBMS :-).

Assuming that the problem exists, the following would seem to be needed:

* Either find a way to fsync only a part of a file in Java, or (more
likely),
* Put the log in a separate file (probably right next to the main storage
area file).

→ The second solution introduces a problem where a user could
accidentally mix a log file and a main file that don't belong together, but
the resulting problems (corrupting the whole DB when replaying the log
file) could be avoided by storing some kind of random ID in both files and
complaining if they are not the same. Also, a user could mix an old log
file and a new main file, which would also result in corrupting the DB when
replaying it. A solution for this would be a bit more complex. But then, I
don't think that these are scenarios that would need to be protected
against in a first implementation.

I think that a similar problem would need solving for MVStore too, but I
know too little about MVStore and I haven't given it enough thought (yet)
to be able to give you any useful advice.

Greetings,

Nicolas [ works for the same company as Rob ]

Hi Thomas,

Thanx for your initial reply. We would really like to get to the bottom of
this and find out what's wrong.

I still have two questions:

1. Is there any way to know for sure a database is consistent? Eg. By
running Recover with -trace and -transactionLog? Will this check all
internal indexes etc? It is important for us to be able to identify whether
a database was corrupted in some way (note that that is different from
knowing that there is no corruption left after an export (using Recover)
and an import into a new DB).
2. We have a (new) corrupted database from a machine that isn't
suffering from unexpected reboots (no critical errors according to the
Windows logs) and didn't experience an out-of-memory (that we know of)...
and we are looking at external factors: eg. Maybe the shadow copy (Windows
Restore Checkpoint) has interfered somehow with the DB, or maybe Windows
Restore has restored a corrupted snapshot, etc etc ... If you have any
ideas that we might want to check out, they are very welcome. It is a
customer with multiple computers, and this particular computer has had a
corrupted database 4 times in about two months. One of his other computers
had a corruption once, all other computers haven't had corruptions while
they are used by the same staff randomly. The DB is 8 GB in size.

Kind regards,
Rob.

Hi Thomas and list,

After investigating another corruption yesterday, we noticed something
strange: a few minutes before the DB was found corrupt there was a Volume
Shadow Copy created for the drive where our H2 files are located.

Apparantly there are multiple reports on the internet that suspect DB's can
get corrupted during a Volume Shadow copy creation (thus the original DB
gets corrupted, not just the copy), though most are unconfirmed and just
suspicions:
IBM ClearCase VOB:
http://www-01.ibm.com/support/docview.wss?uid=swg21268722
Firebird:
https://www.mail-archive.com/firebird-***@yahoogroups.com/msg10672.html
https://groups.yahoo.com/neo/groups/firebird-support/conversations/messages/83269
C-tree:
http://optiable.com/pclaw-vss-causes-data-loss/
Access:
http://www.pcreview.co.uk/threads/volume-shadow-copy-access-corruption.1094172/

Could that also possibly lead to a problem in H2?

I'll include the corruption stacktrace from right after the Volume Shadow
Copy. H2 was trying to do a commit. This was on a Windows 8.1 6.3 amd64
machine running Java 1.7.0_60 64.

We have also checked several instances of H2 corruptions (5) for Volume
Shadow copy creations while our application was running:

- 2 had a Volume Shadow copy taken previously that day
- 1 had it taken 2 days before
- 1 had it taken 2 weeks before
- 1 didn't appear to have had a shadow copy taken while our application
was running


Regards,
Rob.