Commit Graph

4043 Commits

Author SHA1 Message Date
antirez
5b9ba26403 Fix created->created typo in expire.c 2016-12-13 12:21:15 +01:00
antirez
04542cff92 Replication: fix the infamous key leakage of writable slaves + EXPIRE.
BACKGROUND AND USE CASEj

Redis slaves are normally write only, however the supprot a "writable"
mode which is very handy when scaling reads on slaves, that actually
need write operations in order to access data. For instance imagine
having slaves replicating certain Sets keys from the master. When
accessing the data on the slave, we want to peform intersections between
such Sets values. However we don't want to intersect each time: to cache
the intersection for some time often is a good idea.

To do so, it is possible to setup a slave as a writable slave, and
perform the intersection on the slave side, perhaps setting a TTL on the
resulting key so that it will expire after some time.

THE BUG

Problem: in order to have a consistent replication, expiring of keys in
Redis replication is up to the master, that synthesize DEL operations to
send in the replication stream. However slaves logically expire keys
by hiding them from read attempts from clients so that if the master did
not promptly sent a DEL, the client still see logically expired keys
as non existing.

Because slaves don't actively expire keys by actually evicting them but
just masking from the POV of read operations, if a key is created in a
writable slave, and an expire is set, the key will be leaked forever:

1. No DEL will be received from the master, which does not know about
such a key at all.

2. No eviction will be performed by the slave, since it needs to disable
eviction because it's up to masters, otherwise consistency of data is
lost.

THE FIX

In order to fix the problem, the slave should be able to tag keys that
were created in the slave side and have an expire set in some way.

My solution involved using an unique additional dictionary created by
the writable slave only if needed. The dictionary is obviously keyed by
the key name that we need to track: all the keys that are set with an
expire directly by a client writing to the slave are tracked.

The value in the dictionary is a bitmap of all the DBs where such a key
name need to be tracked, so that we can use a single dictionary to track
keys in all the DBs used by the slave (actually this limits the solution
to the first 64 DBs, but the default with Redis is to use 16 DBs).

This solution allows to pay both a small complexity and CPU penalty,
which is zero when the feature is not used, actually. The slave-side
eviction is encapsulated in code which is not coupled with the rest of
the Redis core, if not for the hook to track the keys.

TODO

I'm doing the first smoke tests to see if the feature works as expected:
so far so good. Unit tests should be added before merging into the
4.0 branch.
2016-12-13 10:59:54 +01:00
Yossi Gottlieb
b6ab4d04b6 Fix redis-cli rare crash.
This happens if the server (mysteriously) returns an unexpected response
to the COMMAND command.
2016-12-12 20:18:40 +02:00
Jan-Erik Rediger
2a32f0371e Reset the ttl for additional keys
Before, if a previous key had a TTL set but the current one didn't, the
TTL was reused and thus resulted in wrong expirations set.

This behaviour was experienced, when `MigrateDefaultPipeline` in
redis-trib was set to >1

Fixes #3655
2016-12-08 14:27:21 +01:00
wangshaonan
2d91fce970 Add '\n' to MEMORY DOCTOR command output message when num_reports
is 0 or empty is 1
2016-12-06 03:11:27 +00:00
itamar
94fe98666c Corrects a couple of omissions in the modules docs 2016-12-05 18:34:38 +02:00
antirez
16cce320c4 Modules: types doc updated to new API. 2016-12-05 14:40:51 +01:00
antirez
37b6e16ae1 Modules: API doc updated (auto generated). 2016-12-05 14:40:43 +01:00
antirez
3c85a88888 Merge branch 'unstable' of github.com:/antirez/redis into unstable 2016-12-05 14:17:11 +01:00
antirez
001138aec3 Geo: fix computation of bounding box.
A bug was reported in the context in issue #3631. The root cause of the
bug was that certain neighbor boxes were zeroed after the "inside the
bounding box or not" check, simply because the bounding box computation
function was wrong.

A few debugging infos where enhanced and moved in other parts of the
code. A check to avoid steps=0 was added, but is unrelated to this
issue and I did not verified it was an actual bug in practice.
2016-12-05 14:02:32 +01:00
Itamar Haber
5dc4fe1529 Verify pairs are provided after subcommands
Fixes https://github.com/antirez/redis/issues/3639
2016-12-02 18:19:36 +02:00
antirez
434e6b2da3 PSYNC2: Do not accept WAIT in slave instances.
No longer makes sense since writable slaves only do local writes now:
writes are no longer passed to sub-slaves in the stream.
2016-12-02 10:21:20 +01:00
Chris Lamb
6eb0c52d4c src/rdb.c: Correct "whenver" -> "whenever" typo. 2016-12-01 13:16:30 +01:00
Yossi Gottlieb
5f5b4f1508 Fix typo in RedisModuleTypeMethods declaration. 2016-11-30 22:05:59 +02:00
Salvatore Sanfilippo
3c4fe59e09 Merge pull request #3648 from dvirsky/fix_reply_crash
fix memory corruption on RM_FreeCallReply
2016-11-30 11:21:10 +01:00
antirez
71e8d15e49 Modules: change type registration API to use a struct of methods. 2016-11-30 11:14:01 +01:00
Dvir Volk
8521cde570 fix memory corruption on RM_FreeCallReply 2016-11-30 11:49:49 +02:00
antirez
6eb720ff2d PSYNC2: Minor memory leak reading -NOMASTERLINK master reply fixed. 2016-11-29 10:25:00 +01:00
andyli
8abf9729f0 Modify MIN->MAX 2016-11-29 16:34:41 +08:00
antirez
eab865a0a1 PSYNC2: stop sending newlines to sub-slaves when master is down.
This actually includes two changes:

1) No newlines to take the master-slave link up when the upstream master
is down. Doing this is dangerous because the sub-slave often is received
replication protocol for an half-command, so can't receive newlines
without desyncing the replication link, even with the code in order to
cancel out the bytes that PSYNC2 was using. Moreover this is probably
also not needed/sane, because anyway the slave can keep serving
requests, and because if it's configured to don't serve stale data, it's
a good idea, actually, to break the link.

2) When a +CONTINUE with a different ID is received, we now break
connection with the sub-slaves: they need to be notified as well. This
was part of the original specification but for some reason it was not
implemented in the code, and was alter found as a PSYNC2 bug in the
integration testing.
2016-11-28 17:54:04 +01:00
antirez
790310d894 Better protocol errors logging. 2016-11-25 10:55:16 +01:00
antirez
e09e31b12e PSYNC2: on transient error jump to error, not write_error. 2016-11-24 15:48:18 +01:00
antirez
1f55170b9c Modules: fix client blocking calls access to invalid struct field.
We already have reference to the client pointer, no need to access the
already freed structure.

Close #3634.
2016-11-24 11:05:19 +01:00
antirez
5b7d42fff3 PSYNC2: bugfixing pre release.
1. Master replication offset was cleared after switching configuration
to some other slave, since it was assumed you can't PSYNC after a
switch. Note the case anymore and when we successfully PSYNC we need to
have our offset untouched.

2. Secondary replication ID was not reset to "000..." pattern at
startup.

3. Master in error state replying -LOADING or other transient errors
forced the slave to discard the cached master and full resync. This is
now fixed.

4. Better logging of what's happening on failed PSYNCs.
2016-11-23 17:36:45 +01:00
Salvatore Sanfilippo
5b83fa482c Merge pull request #3612 from deep011/unstable
fix a possible bug for 'replconf getack'
2016-11-18 10:45:09 +01:00
antirez
8fb3ad2444 Merge branch 'psync2' into unstable 2016-11-17 09:37:03 +01:00
oranagra
e3a61950a2 when a slave loads an RDB, stop an AOFRW fork before flusing db and parsing rdb file, to avoid a CoW disaster. 2016-11-16 21:30:59 +02:00
antirez
cfdb3a2214 Cluster: handle zero bytes at the end of nodes.conf. 2016-11-16 14:13:18 +01:00
deep011
13a92a5bb1 fix a possible bug for 'replconf getack' 2016-11-16 11:04:33 +08:00
hylepo
dbb6cb442a Update redis-benchmark.c
Fixing typo in the usage of redis-benchmark
2016-11-11 10:33:48 +08:00
oranagra
a1a07225b3 fix unsigned int overflow in adjustOpenFilesLimit 2016-11-10 16:59:52 +02:00
antirez
28c96d73b2 PSYNC2: Save replication ID/offset on RDB file.
This means that stopping a slave and restarting it will still make it
able to PSYNC with the master. Moreover the master itself will retain
its ID/offset, in case it gets turned into a slave, or if a slave will
try to PSYNC with it with an exactly updated offset (otherwise there is
no backlog).

This change was possible thanks to PSYNC v2 that makes saving the current
replication state much simpler.
2016-11-10 12:35:29 +01:00
antirez
4e5e366ed2 PSYNC2: Wrap debugging code with if(0) 2016-11-09 15:37:15 +01:00
antirez
2669fb8364 PSYNC2: different improvements to Redis replication.
The gist of the changes is that now, partial resynchronizations between
slaves and masters (without the need of a full resync with RDB transfer
and so forth), work in a number of cases when it was impossible
in the past. For instance:

1. When a slave is promoted to mastrer, the slaves of the old master can
partially resynchronize with the new master.

2. Chained slalves (slaves of slaves) can be moved to replicate to other
slaves or the master itsef, without requiring a full resync.

3. The master itself, after being turned into a slave, is able to
partially resynchronize with the new master, when it joins replication
again.

In order to obtain this, the following main changes were operated:

* Slaves also take a replication backlog, not just masters.

* Same stream replication for all the slaves and sub slaves. The
replication stream is identical from the top level master to its slaves
and is also the same from the slaves to their sub-slaves and so forth.
This means that if a slave is later promoted to master, it has the
same replication backlong, and can partially resynchronize with its
slaves (that were previously slaves of the old master).

* A given replication history is no longer identified by the `runid` of
a Redis node. There is instead a `replication ID` which changes every
time the instance has a new history no longer coherent with the past
one. So, for example, slaves publish the same replication history of
their master, however when they are turned into masters, they publish
a new replication ID, but still remember the old ID, so that they are
able to partially resynchronize with slaves of the old master (up to a
given offset).

* The replication protocol was slightly modified so that a new extended
+CONTINUE reply from the master is able to inform the slave of a
replication ID change.

* REPLCONF CAPA is used in order to notify masters that a slave is able
to understand the new +CONTINUE reply.

* The RDB file was extended with an auxiliary field that is able to
select a given DB after loading in the slave, so that the slave can
continue receiving the replication stream from the point it was
disconnected without requiring the master to insert "SELECT" statements.
This is useful in order to guarantee the "same stream" property, because
the slave must be able to accumulate an identical backlog.

* Slave pings to sub-slaves are now sent in a special form, when the
top-level master is disconnected, in order to don't interfer with the
replication stream. We just use out of band "\n" bytes as in other parts
of the Redis protocol.

An old design document is available here:

https://gist.github.com/antirez/ae068f95c0d084891305

However the implementation is not identical to the description because
during the work to implement it, different changes were needed in order
to make things working well.
2016-11-09 15:37:15 +01:00
antirez
18d32c7e1c redis-cli typo fixed: perferences -> preferences.
Thanks to @qiaodaimadelaowang for signaling the issue.
Close #3585.
2016-11-02 15:15:49 +01:00
Salvatore Sanfilippo
fa2dc4b60c Merge pull request #3514 from charsyam/feature/simple-refactoring
Simple change just using slaves instead of server.slaves
2016-11-02 11:04:52 +01:00
Salvatore Sanfilippo
25811bc983 Merge pull request #3547 from yyoshiki41/refactor/redis-trib
Refactor redis-trib.rb
2016-11-02 11:02:32 +01:00
Salvatore Sanfilippo
b3e707339d Merge pull request #3575 from deep011/unstable
fix a bug for quicklistDup() function
2016-11-02 11:00:24 +01:00
Dvir Volk
ec8fd6e5e4 fixed sizeof in allocating io RedisModuleCtx* 2016-10-31 18:48:16 +02:00
Salvatore Sanfilippo
77b1abf185 Merge pull request #3565 from sunheehnus/bitfield-fix-highest_write_offset
bitops.c/bitfieldCommand: update higest_write_offset with check
2016-10-31 15:40:46 +01:00
Salvatore Sanfilippo
f48ca5581e Merge pull request #3573 from jybaek/module-io-context
Add missing fclose()
2016-10-31 15:36:38 +01:00
Guy Benoish
8b070b5d12 Fixed wrong sizeof(client) in object.c 2016-10-31 15:08:17 +02:00
deep
7f1bb22ef3 fix a bug for quicklistDup() function 2016-10-28 19:47:29 +08:00
jybaek
a06d59b583 Add missing fclose() 2016-10-28 10:42:54 +09:00
sunhe
949a274817 bitops.c/bitfieldCommand: update higest_write_offset with check 2016-10-22 01:54:46 +08:00
antirez
f39e7d4d7e Remove "Hey!" warning... 2016-10-19 10:43:40 +02:00
antirez
a9f50a389b Better target MacOS on __atomic macros conditional compilation. 2016-10-17 16:41:39 +02:00
Pedro Melo
2000abc86f Fixes compilation on MacOS 10.8.5, Clang tags/Apple/clang-421.0.57
Redis fails to compile on MacOS 10.8.5 with Clang 4, version 421.0.57
(based on LLVM 3.1svn).

When compiling zmalloc.c, we get these warnings:

        CC zmalloc.o
    zmalloc.c:109:5: warning: implicit declaration of function '__atomic_add_fetch' is invalid in C99 [-Wimplicit-function-declaration]
        update_zmalloc_stat_alloc(zmalloc_size(ptr));
        ^
    zmalloc.c:75:9: note: expanded from macro 'update_zmalloc_stat_alloc'
            atomicIncr(used_memory,__n,used_memory_mutex); \
            ^
    ./atomicvar.h:57:37: note: expanded from macro 'atomicIncr'
    #define atomicIncr(var,count,mutex) __atomic_add_fetch(&var,(count),__ATOMIC_RELAXED)
                                        ^
    zmalloc.c:145:5: warning: implicit declaration of function '__atomic_sub_fetch' is invalid in C99 [-Wimplicit-function-declaration]
        update_zmalloc_stat_free(oldsize);
        ^
    zmalloc.c:85:9: note: expanded from macro 'update_zmalloc_stat_free'
            atomicDecr(used_memory,__n,used_memory_mutex); \
            ^
    ./atomicvar.h:58:37: note: expanded from macro 'atomicDecr'
    #define atomicDecr(var,count,mutex) __atomic_sub_fetch(&var,(count),__ATOMIC_RELAXED)
                                        ^
    zmalloc.c:205:9: warning: implicit declaration of function '__atomic_load_n' is invalid in C99 [-Wimplicit-function-declaration]
            atomicGet(used_memory,um,used_memory_mutex);
            ^
    ./atomicvar.h:60:14: note: expanded from macro 'atomicGet'
        dstvar = __atomic_load_n(&var,__ATOMIC_RELAXED); \
                 ^
    3 warnings generated.

Also on lazyfree.c:

        CC lazyfree.o
    lazyfree.c:68:13: warning: implicit declaration of function '__atomic_add_fetch' is invalid in C99 [-Wimplicit-function-declaration]
                atomicIncr(lazyfree_objects,1,lazyfree_objects_mutex);
                ^
    ./atomicvar.h:57:37: note: expanded from macro 'atomicIncr'
    #define atomicIncr(var,count,mutex) __atomic_add_fetch(&var,(count),__ATOMIC_RELAXED)
                                        ^
    lazyfree.c:111:5: warning: implicit declaration of function '__atomic_sub_fetch' is invalid in C99 [-Wimplicit-function-declaration]
        atomicDecr(lazyfree_objects,1,lazyfree_objects_mutex);
        ^
    ./atomicvar.h:58:37: note: expanded from macro 'atomicDecr'
    #define atomicDecr(var,count,mutex) __atomic_sub_fetch(&var,(count),__ATOMIC_RELAXED)
                                        ^
    2 warnings generated.

Then in the linking stage:

        LINK redis-server
    Undefined symbols for architecture x86_64:
      "___atomic_add_fetch", referenced from:
          _zmalloc in zmalloc.o
          _zcalloc in zmalloc.o
          _zrealloc in zmalloc.o
          _dbAsyncDelete in lazyfree.o
          _emptyDbAsync in lazyfree.o
          _slotToKeyFlushAsync in lazyfree.o
      "___atomic_load_n", referenced from:
          _zmalloc_used_memory in zmalloc.o
          _zmalloc_get_fragmentation_ratio in zmalloc.o
      "___atomic_sub_fetch", referenced from:
          _zrealloc in zmalloc.o
          _zfree in zmalloc.o
          _lazyfreeFreeObjectFromBioThread in lazyfree.o
          _lazyfreeFreeDatabaseFromBioThread in lazyfree.o
          _lazyfreeFreeSlotsMapFromBioThread in lazyfree.o
    ld: symbol(s) not found for architecture x86_64
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make[1]: *** [redis-server] Error 1
    make: *** [all] Error 2

With this patch, the compilation is sucessful, no warnings.

Running `make test` we get a almost clean bill of health. Test pass with
one exception:

    [err]: Check for memory leaks (pid 52793) in tests/unit/dump.tcl
    [err]: Check for memory leaks (pid 53103) in tests/unit/auth.tcl
    [err]: Check for memory leaks (pid 53117) in tests/unit/auth.tcl
    [err]: Check for memory leaks (pid 53131) in tests/unit/protocol.tcl
    [err]: Check for memory leaks (pid 53145) in tests/unit/protocol.tcl
    [ok]: Check for memory leaks (pid 53160)
    [err]: Check for memory leaks (pid 53175) in tests/unit/scan.tcl
    [ok]: Check for memory leaks (pid 53189)
    [err]: Check for memory leaks (pid 53221) in tests/unit/type/incr.tcl
    .
    .
    .

Full debug log (289MB, uncompressed) available at
https://dl.dropboxusercontent.com/u/75548/logs/redis-debug-log-macos-10.8.5.log.xz

Most if not all of the memory leak tests fail. Not sure if this is
related. They are the only ones that fail. I belive they are not related,
but just the memory leak detector is not working properly on 10.8.5.

Signed-off-by: Pedro Melo <melo@simplicidade.org>
2016-10-17 14:58:23 +01:00
antirez
c7a4e694ad SWAPDB command.
This new command swaps two Redis databases, so that immediately all the
clients connected to a given DB will see the data of the other DB, and
the other way around. Example:

    SWAPDB 0 1

This will swap DB 0 with DB 1. All the clients connected with DB 0 will
immediately see the new data, exactly like all the clients connected
with DB 1 will see the data that was formerly of DB 0.

MOTIVATION AND HISTORY
---

The command was recently demanded by Pedro Melo, but was suggested in
the past multiple times, and always refused by me.

The reason why it was asked: Imagine you have clients operating in DB 0.
At the same time, you create a new version of the dataset in DB 1.
When the new version of the dataset is available, you immediately want
to swap the two views, so that the clients will transparently use the
new version of the data. At the same time you'll likely destroy the
DB 1 dataset (that contains the old data) and start to build a new
version, to repeat the process.

This is an interesting pattern, but the reason why I always opposed to
implement this, was that FLUSHDB was a blocking command in Redis before
Redis 4.0 improvements. Now we have FLUSHDB ASYNC that releases the
old data in O(1) from the point of view of the client, to reclaim memory
incrementally in a different thread.

At this point, the pattern can really be supported without latency
spikes, so I'm providing this implementation for the users to comment.
In case a very compelling argument will be made against this new command
it may be removed.

BEHAVIOR WITH BLOCKING OPERATIONS
---

If a client is blocking for a list in a given DB, after the swap it will
still be blocked in the same DB ID, since this is the most logical thing
to do: if I was blocked for a list push to list "foo", even after the
swap I want still a LPUSH to reach the key "foo" in the same DB in order
to unblock.

However an interesting thing happens when a client is, for instance,
blocked waiting for new elements in list "foo" of DB 0. Then the DB
0 and 1 are swapped with SWAPDB. However the DB 1 happened to have
a list called "foo" containing elements. When this happens, this
implementation can correctly unblock the client.

It is possible that there are subtle corner cases that are not covered
in the implementation, but since the command is self-contained from the
POV of the implementation and the Redis core, it cannot cause anything
bad if not used.

Tests and documentation are yet to be provided.
2016-10-14 15:28:04 +02:00
antirez
a3b3ca7c21 Modules: use RedisModule_AbortBlock() in the example. 2016-10-13 17:00:45 +02:00
antirez
95c17c0cb2 Modules: AbortBlock() API implemented. 2016-10-13 16:57:40 +02:00
antirez
58601c8f7d Modules: blocking API documented. 2016-10-13 16:57:28 +02:00
antirez
553aa0e259 module.c: trim comment to 80 cols. 2016-10-13 12:48:36 +02:00
antirez
870274bea8 Example modules: remove warnings about types and not used args. 2016-10-13 12:43:18 +02:00
yyoshiki41
16f65068b0 Refactor redis-trib.rb 2016-10-10 01:13:20 +09:00
antirez
7dde8bf3ab Modules: blocking command example added. 2016-10-07 16:35:06 +02:00
antirez
34599691b3 Modules: fixes to the blocking commands API: examples now works. 2016-10-07 16:34:40 +02:00
antirez
f156038db8 Modules: RM_Milliseconds() API added. 2016-10-07 16:34:19 +02:00
antirez
ffb00fbcbe Modules: blocking commands WIP: API exported, a first example. 2016-10-07 13:48:14 +02:00
antirez
3aa816e61a Modules: introduce warning suppression macro for unused args. 2016-10-07 13:10:31 +02:00
antirez
3879923db8 Enable warning in example modules Makefile. 2016-10-07 13:07:13 +02:00
antirez
8fadfe52a2 Module: API to block clients with threading support.
Just a draft to align the main ideas, never executed code. Compiles.
2016-10-07 11:55:35 +02:00
antirez
a5998d1fda Fix typos in GetContextFromIO API declaration. 2016-10-06 18:26:04 +02:00
antirez
799208de85 Fix name of mispelled function. 2016-10-06 17:10:47 +02:00
antirez
152c1b6802 Module: Ability to get context from IO context.
It was noted by @dvirsky that it is not possible to use string functions
when writing the AOF file. This sometimes is critical since the command
rewriting may need to be built in the context of the AOF callback, and
without access to the context, and the limited types that the AOF
production functions will accept, this can be an issue.

Moreover there are other needs that we can't anticipate regarding the
ability to use Redis Modules APIs using the context in order to build
representations to emit AOF / RDB.

Because of this a new API was added that allows the user to get a
temporary context from the IO context. The context is auto released
if obtained when the RDB / AOF callback returns.

Calling multiple time the function to get the context, always returns
the same one, since it is invalid to have more than a single context.
2016-10-06 17:09:26 +02:00
antirez
72279e3ea4 Copyright notice added to module.c. 2016-10-06 08:48:21 +02:00
antirez
3dc84c5300 Modules: API to save/load single precision floating point numbers.
When double precision is not needed, to take 2x space in the
serialization is not good.
2016-10-03 00:08:35 +02:00
antirez
a1b1fd4f39 Modules: API to log from module I/O callbacks. 2016-10-02 16:51:37 +02:00
antirez
4674efdee2 Merge branch 'unstable' of github.com:/antirez/redis into unstable 2016-10-02 16:50:37 +02:00
antirez
0d9febf6a0 Add compiler optimizations to example module makefile. 2016-10-02 11:01:36 +02:00
antirez
6782e774f1 debug.c: include dlfcn.h regardless of BACKTRACE support. 2016-09-27 00:29:47 +02:00
antirez
2564031a15 Merge branch 'unstable' of github.com:/antirez/redis into unstable 2016-09-26 09:10:52 +02:00
antirez
6d9f8e2462 Security: CONFIG SET client-output-buffer-limit overflow fixed.
This commit fixes a vunlerability reported by Cory Duplantis
of Cisco Talos, see TALOS-2016-0206 for reference.

CONFIG SET client-output-buffer-limit accepts as client class "master"
which is actually only used to implement CLIENT KILL. The "master" class
has ID 3. What happens is that the global structure:

    server.client_obuf_limits[class]

Is accessed with class = 3. However it is a 3 elements array, so writing
the 4th element means to write up to 24 bytes of memory *after* the end
of the array, since the structure is defined as:

    typedef struct clientBufferLimitsConfig {
        unsigned long long hard_limit_bytes;
        unsigned long long soft_limit_bytes;
        time_t soft_limit_seconds;
    } clientBufferLimitsConfig;

EVALUATION OF IMPACT:

Checking what's past the boundaries of the array in the global
'server' structure, we find AOF state fields:

    clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT];
    /* AOF persistence */
    int aof_state;                  /* AOF_(ON|OFF|WAIT_REWRITE) */
    int aof_fsync;                  /* Kind of fsync() policy */
    char *aof_filename;             /* Name of the AOF file */
    int aof_no_fsync_on_rewrite;    /* Don't fsync if a rewrite is in prog. */
    int aof_rewrite_perc;           /* Rewrite AOF if % growth is > M and... */
    off_t aof_rewrite_min_size;     /* the AOF file is at least N bytes. */
    off_t aof_rewrite_base_size;    /* AOF size on latest startup or rewrite. */
    off_t aof_current_size;         /* AOF current size. */

Writing to most of these fields should be harmless and only cause problems in
Redis persistence that should not escalate to security problems.
However unfortunately writing to "aof_filename" could be potentially a
security issue depending on the access pattern.

Searching for "aof.filename" accesses in the source code returns many different
usages of the field, including using it as input for open(), logging to the
Redis log file or syslog, and calling the rename() syscall.

It looks possible that attacks could lead at least to informations
disclosure of the state and data inside Redis. However note that the
attacker must already have access to the server. But, worse than that,
it looks possible that being able to change the AOF filename can be used
to mount more powerful attacks: like overwriting random files with AOF
data (easily a potential security issue as demostrated here:
http://antirez.com/news/96), or even more subtle attacks where the
AOF filename is changed to a path were a malicious AOF file is loaded
in order to exploit other potential issues when the AOF parser is fed
with untrusted input (no known issue known currently).

The fix checks the places where the 'master' class is specifiedf in
order to access configuration data structures, and return an error in
this cases.

WHO IS AT RISK?

The "master" client class was introduced in Redis in Jul 28 2015.
Every Redis instance released past this date is not vulnerable
while all the releases after this date are. Notably:

    Redis 3.0.x is NOT vunlerable.
    Redis 3.2.x IS vulnerable.
    Redis unstable is vulnerable.

In order for the instance to be at risk, at least one of the following
conditions must be true:

    1. The attacker can access Redis remotely and is able to send
       the CONFIG SET command (often banned in managed Redis instances).

    2. The attacker is able to control the "redis.conf" file and
       can wait or trigger a server restart.

The problem was fixed 26th September 2016 in all the releases affected.
2016-09-26 08:47:52 +02:00
charsyam
ca6fc4f031 Simple change just using slaves instead of server.slaves 2016-09-24 15:53:57 +09:00
Dvir Volk
a91650fc57 added RM_CreateStringPrintf 2016-09-21 12:30:38 +03:00
antirez
670586715a dict.c: fix dictGenericDelete() return ASAP condition.
Recently we moved the "return ASAP" condition for the Delete() function
from checking .size to checking .used, which is smarter, however while
testing the first table alone always works to ensure the dict is totally
emtpy, when we test the .size field, testing .used requires testing both
T0 and T1, since a rehashing could be in progress.
2016-09-20 17:22:30 +02:00
antirez
e9d861ec69 Clear child data when opening the pipes.
This is important both to reset the magic to 0, so that it will not
match if the structure is not explicitly set, and to initialize other
things we may add like counters and such.
2016-09-19 14:11:17 +02:00
antirez
e565632e59 Child -> Parent pipe for COW info transferring. 2016-09-19 13:45:20 +02:00
antirez
e1eccf9a6b zmalloc: Make fp var non local to fix build. 2016-09-19 10:34:39 +02:00
antirez
945a2f948e zmalloc: zmalloc_get_smap_bytes_by_field() modified to work for any PID.
The goal is to get copy-on-write amount of the child from the parent.
2016-09-19 10:28:42 +02:00
antirez
b13759e90a redis-cli: "allocator-stats" -> "malloc-stats".
It was changed in Redis but not in redis-cli.
Thanks to @oranagra for signaling.
2016-09-19 09:47:35 +02:00
antirez
4263b12147 Typo fixed from MEMORY DOCTOR output. 2016-09-16 16:52:00 +02:00
antirez
8a00ffc0e6 Surround allocator name with quotes in MEMORY DOCTOR output. 2016-09-16 16:40:25 +02:00
antirez
44e714a59c MEMORY DOCTOR initial implementation. 2016-09-16 16:36:53 +02:00
antirez
d9325ac6c8 Provide percentage of memory peak used info. 2016-09-16 10:43:19 +02:00
oranagra
309c2bcd1b add zmalloc used mem to DEBUG SDSLEN 2016-09-16 10:29:27 +02:00
antirez
78f35f8d2c Memory related subcommands of DEBUG moved to MEMORY. 2016-09-16 10:26:23 +02:00
antirez
123891dbbf Group MEMORY command related APIs together in the source code. 2016-09-16 10:12:04 +02:00
antirez
adcfb77b5b objectComputeSize(): skiplist nodes have different sizes.
The size of the node depends on the node level, however it is not stored
into the node itself, is an implicit information, so we use
zmalloc_size() in order to compute the sorted set size.
2016-09-15 17:43:13 +02:00
antirez
e9629e148b MEMORY command: HELP + dataset percentage (like in INFO). 2016-09-15 17:33:16 +02:00
antirez
5443726d4d MEMORY USAGE: SAMPLES option added + fixes to size computation.
The new SAMPLES option is added, defaulting to 5, and with 0 being a
special value to scan the whole set of elements.

Fixes to the object size computation were made since the original PR
assumed data structures still contaning robj structures, while now after
the lazyfree changes, are all SDS strings.
2016-09-15 15:25:14 +02:00
antirez
7229af3898 INFO: new memory reporting fields added. 2016-09-15 10:33:23 +02:00
antirez
bf2624ea99 C struct memoh renamed redisMemOverhead. API prototypes added. 2016-09-15 09:44:07 +02:00
antirez
be5439bde3 MEMORY OVERHEAD refactored into a generic API. 2016-09-15 09:37:55 +02:00
antirez
09a50d34a2 dict.c: dictReplaceRaw() -> dictAddOrFind().
What they say about "naming things" in programming?
2016-09-14 16:43:38 +02:00
antirez
041ab04419 Trim comment to 80 cols. 2016-09-14 16:41:05 +02:00
antirez
a636aeac07 Apply the new dictUnlink() where possible.
Optimizations suggested and originally implemented by @oranagra.
Re-applied by @antirez using the modified API.
2016-09-14 16:37:53 +02:00
oranagra
afcbcc0e58 dict.c: introduce dictUnlink().
Notes by @antirez:

This patch was picked from a larger commit by Oran and adapted to change
the API a bit. The basic idea is to avoid double lookups when there is
to use the value of the deleted entry.

BEFORE:

    entry = dictFind( ... ); /* 1st lookup. */
    /* Do somethjing with the entry. */
    dictDelete(...);         /* 2nd lookup. */

AFTER:

    entry = dictUnlink( ... ); /* 1st lookup. */
    /* Do somethjing with the entry. */
    dictFreeUnlinkedEntry(entry); /* No lookups!. */
2016-09-14 12:18:59 +02:00
antirez
8c84c962cf MEMORY OVERHEAD implemented (using Oran Agra initial implementation).
This code was extracted from @oranagra PR #3223 and modified in order
to provide only certain amounts of information compared to the original
code. It was also moved from DEBUG to the newly introduced MEMORY
command. Thanks to Oran for the implementation and the PR.

It implements detailed memory usage stats that can be useful in both
provisioning and troubleshooting memory usage in Redis.
2016-09-13 17:39:25 +02:00
antirez
89dec6921d objectComputeSize(): estimate collections sampling N elements.
For most tasks, we need the memory estimation to be O(1) by default.
This commit also implements an initial MEMORY command.
Note that objectComputeSize() takes the number of samples to check as
argument, so MEMORY should be able to get the sample size as option
to make precision VS CPU tradeoff tunable.

Related to: PR #3223.
2016-09-13 10:28:23 +02:00
oranagra
8c24325f8f Adding objectComputeSize() function. 2016-09-12 16:36:59 +02:00
oranagra
68bf45fa1e Optimize repeated keyname hashing.
(Change cherry-picked and modified by @antirez from a larger commit
provided by @oranagra in PR #3223).
2016-09-12 13:19:05 +02:00
Salvatore Sanfilippo
d680eb6dbd Merge pull request #3492 from wyxustcsa09/fix-memory
fix memory error on module unload
2016-09-09 16:05:06 +02:00
antirez
c6dc8d5288 Merge branch 'unstable' of github.com:antirez/redis into unstable 2016-09-09 16:01:43 +02:00
antirez
56dba3adcc Example modules: Add C99 standard to cflags. 2016-09-09 16:01:29 +02:00
antirez
3793afa0ba Merge branch 'aofrdb' into unstable 2016-09-09 15:03:21 +02:00
antirez
f9624813af fix the fix for the TCP binding.
This commit attempts to fix a problem with PR #3467.
2016-09-09 14:59:48 +02:00
oranagra
92038286e8 fix tcp binding when IPv6 is unsupported 2016-09-09 14:59:21 +02:00
antirez
d35deb2327 debug.c: no need to define _GNU_SOURCE, is defined in fmacros.h. 2016-09-09 11:15:10 +02:00
antirez
6211e77ab6 crash log - improve code dump with more info and called symbols. 2016-09-09 11:00:19 +02:00
wyx
f9c9b4bf4c fix memory error on module unload 2016-09-09 10:22:57 +08:00
oranagra
24811fcb1b crash log - add hex dump of function code 2016-09-08 14:14:57 +02:00
antirez
0d179d17ba dict.c benchmark minor improvements. 2016-09-07 15:28:40 +02:00
antirez
bd6c4cade6 dict.c benchmark: mixed del/insert benchmark. 2016-09-07 12:34:53 +02:00
antirez
0f708ab2a9 dict.c benchmark: finish rehashing before testing lookups. 2016-09-07 11:06:03 +02:00
antirez
ed6a4517f5 dict.c benchmark improvements. 2016-09-07 10:53:47 +02:00
antirez
1074f73629 dict.c benchmark: take optional count argument. 2016-09-07 10:44:29 +02:00
antirez
91a59e03a8 dict.c benchmark. 2016-09-07 10:33:15 +02:00
antirez
57a0db9495 Fix rdb.c var types when calling rdbLoadLen().
Technically as soon as Redis 64 bit gets proper support for loading
collections and/or DBs with more than 2^32 elements, the 32 bit version
should be modified in order to check if what we read from rdbLoadLen()
overflows. This would only apply to huge RDB files created with a 64 bit
instance and later loaded into a 32 bit instance.
2016-09-01 11:08:44 +02:00
antirez
9f76d82689 sds: don't check for impossible string size in 32 bit systems. 2016-09-01 11:04:22 +02:00
antirez
543e25efa6 RDB AOF preamble: WIP 4 (Mixed RDB/AOF loading). 2016-08-11 15:42:28 +02:00
antirez
f1c32f0dcb RDB AOF preamble: WIP 3 (RDB loading refactoring). 2016-08-11 15:27:29 +02:00
antirez
feda52381d RDB AOF preamble: WIP 2. 2016-08-09 16:41:40 +02:00
antirez
4426cb11e2 RDB AOF preamble: WIP 1. 2016-08-09 11:07:32 +02:00
Salvatore Sanfilippo
9f779b33b5 Merge pull request #3340 from rojingeorge/unstable
Display the nodes' proper summary once the cluster is created using redis-trib
2016-08-05 15:10:41 +02:00
Guo Xiao
4bd72ab729 Use the standard predefined identifier __func__ (since C99)
Fix warning: ISO C does not support '__FUNCTION__' predefined identifier
[-Wpedantic]
2016-08-04 15:12:12 +08:00
antirez
e7f1798179 Modules: basic call/reply tests in test module. 2016-08-03 18:10:11 +02:00
antirez
13f18d2b17 Modules: handle NULL replies more gracefully.
After all crashing at every API misuse makes everybody's life more
complex.
2016-08-03 18:09:36 +02:00
antirez
a81a92ca2c Security: Cross Protocol Scripting protection.
This is an attempt at mitigating problems due to cross protocol
scripting, an attack targeting services using line oriented protocols
like Redis that can accept HTTP requests as valid protocol, by
discarding the invalid parts and accepting the payloads sent, for
example, via a POST request.

For this to be effective, when we detect POST and Host: and terminate
the connection asynchronously, the networking code was modified in order
to never process further input. It was later verified that in a
pipelined request containing a POST command, the successive commands are
not executed.
2016-08-03 11:12:32 +02:00
antirez
ede6e22cd3 Fix comment over 80 cols. 2016-08-03 10:56:26 +02:00
antirez
04340e1ff1 Modules: initial draft for a testing module. 2016-08-03 10:23:03 +02:00
antirez
7829e4ed2c Modules: StringAppendBuffer() and ability to retain strings.
RedisModule_StringRetain() allows, when automatic memory management is
on, to keep string objects living after the callback returns. Can also
be used in order to use Redis reference counting of objects inside
modules.

The reason why this is useful is that sometimes when implementing new
data types we want to reference RedisModuleString objects inside the
module private data structures, so those string objects must be valid
after the callback returns even if not referenced inside the Redis key
space.
2016-08-02 15:29:04 +02:00
Qu Chen
d982f44372 Fix a bug to delay bgsave while AOF rewrite in progress for replication 2016-08-02 10:44:33 +02:00
antirez
9424fe4580 Remove extra "-" from ASCII horizontal bar in comment. 2016-08-02 10:32:44 +02:00
antirez
55385f99de Ability of slave to announce arbitrary ip/port to master.
This feature is useful, especially in deployments using Sentinel in
order to setup Redis HA, where the slave is executed with NAT or port
forwarding, so that the auto-detected port/ip addresses, as listed in
the "INFO replication" output of the master, or as provided by the
"ROLE" command, don't match the real addresses at which the slave is
reachable for connections.
2016-07-27 17:32:15 +02:00
antirez
356a6304ec Multiple GEORADIUS bugs fixed.
By grepping the continuous integration errors log a number of GEORADIUS
tests failures were detected.

Fortunately when a GEORADIUS failure happens, the test suite logs enough
information in order to reproduce the problem: the PRNG seed,
coordinates and radius of the query.

By reproducing the issues, three different bugs were discovered and
fixed in this commit. This commit also improves the already good
reporting of the fuzzer and adds the failure vectors as regression
tests.

The issues found:

1. We need larger squares around the poles in order to cover the area
requested by the user. There were already checks in order to use a
smaller step (larger squares) but the limit set (+/- 67 degrees) is not
enough in certain edge cases, so 66 is used now.

2. Even near the equator, when the search area center is very near the
edge of the square, the north, south, west or ovest square may not be
able to fully cover the specified radius. Now a test is performed at the
edge of the initial guessed search area, and larger squares are used in
case the test fails.

3. Because of rounding errors between Redis and Tcl, sometimes the test
signaled false positives. This is now addressed.

Whenever possible the original code was improved a bit in other ways. A
debugging example stanza was added in order to make the next debugging
session simpler when the next bug is found.
2016-07-27 11:34:25 +02:00
antirez
03f5b508e5 Replication: when possible start RDB saving ASAP.
In a previous commit the replication code was changed in order to
centralize the BGSAVE for replication trigger in replicationCron(),
however after further testings, the 1 second delay imposed by this
change is not acceptable.

So now the BGSAVE is only delayed if the AOF rewriting process is
active. However past comments made sure that replicationCron() is always
able to trigger the BGSAVE when needed, making the code generally more
robust.

The new code is more similar to the initial @oranagra patch where the
BGSAVE was delayed only if an AOF rewrite was in progress.

Trivia: delaying the BGSAVE uncovered a minor Sentinel issue that is now
fixed.
2016-07-22 17:03:18 +02:00
antirez
3e9ce38b0a Sentinel: check Slave INFO state more often when disconnected.
During the initial handshake with the master a slave will report to have
a very high disconnection time from its master (since technically it was
disconnected since forever, so the current UNIX time in seconds is
reported).

However when the slave is connected again the Sentinel may re-scan the
INFO output again only after 10 seconds, which is a long time. During
this time Sentinels will consider this instance unable to failover, so
a useless delay is introduced.

Actaully this hardly happened in the practice because when a slave's
master is down, the INFO period for slaves changes to 1 second. However
when a manual failover is attempted immediately after adding slaves
(like in the case of the Sentinel unit test), this problem may happen.

This commit changes the INFO period to 1 second even in the case the
slave's master is not down, but the slave reported to be disconnected
from the master (by publishing, last time we checked, a master
disconnection time field in INFO).

This change is required as a result of an unrelated change in the
replication code that adds a small delay in the master-slave first
synchronization.
2016-07-22 10:51:25 +02:00
antirez
0a628e5102 Avoid simultaneous RDB and AOF child process.
This patch, written in collaboration with Oran Agra (@oranagra) is a companion
to 780a8b1. Together the two patches should avoid that the AOF and RDB saving
processes can be spawned at the same time. Previously conditions that
could lead to two saving processes at the same time were:

1. When AOF is enabled via CONFIG SET and an RDB saving process is
   already active.

2. When the SYNC command decides to start an RDB saving process ASAP in
   order to serve a new slave that cannot partially resynchronize (but
   only if we have a disk target for replication, for diskless
   replication there is not such a problem).

Condition "1" is not very severe but "2" can happen often and is
definitely good at degrading Redis performances in an unexpected way.

The two commits have the effect of always spawning RDB savings for
replication in replicationCron() instead of attempting to start an RDB
save synchronously. Moreover when a BGSAVE or AOF rewrite must be
performed, they are instead just postponed using flags that will try to
perform such operations ASAP.

Finally the BGSAVE command was modified in order to accept a SCHEDULE
option so that if an AOF rewrite is in progress, when this option is
given, the command no longer returns an error, but instead schedules an
RDB rewrite operation for when it will be possible to start it.
2016-07-21 18:35:01 +02:00
antirez
780a8b1d76 Replication: start BGSAVE for replication always in replicationCron().
This makes the replication code conceptually simpler by removing the
synchronous BGSAVE trigger in syncCommand(). This also means that
socket and disk BGSAVE targets are handled by the same code.
2016-07-21 12:10:56 +02:00
antirez
e0582b3598 Fix maxmemory shared integer check bug introduced with LFU. 2016-07-21 11:14:18 +02:00
antirez
2d5eb1f1a0 Volatile-ttl eviction policy implemented in terms of the pool.
Precision of the eviction improved sensibly. Also this allows us to have
a single code path for most eviction types.
2016-07-20 19:54:12 +02:00
antirez
6854c7b9ee LFU: make counter log factor and decay time configurable. 2016-07-20 15:00:35 +02:00
antirez
6416ab19d0 LFU: Use the LRU pool for the LFU algorithm.
Verified to have better real world performances with power-law access
patterns because of the data accumulated across calls.
2016-07-18 18:17:59 +02:00
antirez
dbce190ad0 LFU: Fix bugs in frequency decay code. 2016-07-18 14:19:38 +02:00
antirez
a8e2d0849e LFU: Initial naive eviction cycle.
It is possible to get better results by using the pool like in the LRU
case. Also from tests during the morning I believe the current
implementation has issues in the frequency decay function that should
decrease the counter at periodic intervals.
2016-07-18 13:50:19 +02:00
antirez
24dd4a8f04 redis-cli LRU test mode: randomize value of key when setting.
This way it is possible from an observer to tell when the key is
replaced with a new one having the same name.
2016-07-18 10:56:47 +02:00
antirez
b8450d7cc5 redis-cli LRU test mode: remove newline from key names. 2016-07-18 10:53:02 +02:00
antirez
5d07984c5d LFU: Redis object level implementation.
Implementation of LFU maxmemory policy for anything related to Redis
objects. Still no actual eviction implemented.
2016-07-15 12:12:58 +02:00
antirez
e423f76e75 LRU: Make cross-database choices for eviction.
The LRU eviction code used to make local choices: for each DB visited it
selected the best key to evict. This was repeated for each DB. However
this means that there could be DBs with very frequently accessed keys
that are targeted by the LRU algorithm while there were other DBs with
many better candidates to expire.

This commit attempts to fix this problem for the LRU policy. However the
TTL policy is still not fixed by this commit. The TTL policy will be
fixed in a successive commit.

This is an initial (partial because of TTL policy) fix for issue #2647.
2016-07-13 13:12:30 +02:00