btree/pager: make it way more difficult to mutate non-dirty pages #4233
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jussisaurio
changed the title
![turso-bot[bot]](https://avatars.githubusercontent.com/in/2434523?s=60&v=4){kind=small}
pereman2
approved these changes
Dec 17, 2025
pereman2
approved these changes
Dec 17, 2025
pereman2
approved these changes
Dec 17, 2025
This PR is entirely motivated by corruption bugs caused by marking pages as dirty after they had already been modified, causing the subjournal to restore dirty content upon rollback. For examples of this see #4231 and #4232. Changes: 1. Change add_dirty() to return PageWriteGuard<'a> instead of Result<()> 2. Make get_contents_mut() only accessible through PageWriteGuard::contents_mut() 3. Added get_contents_mut_for_test() with #[cfg(test)] so that tests are less annoying 4. Make Page::get() private, and expose things like pin count and flags through separate methods. 5. Poke mutable holes for emptying or replacing page contents entirely for internals to use (i.e. this doesn't require going through add_dirty() because it doesn't make sense in those contexts, e.g. inside page cache)
jussisaurio
force-pushed
the
safer-page-access-api
branch
from
d5b4040 to
5d64197
Compare
LeMikaelF
reviewed
Dec 17, 2025
| } | ||
|
|
||
| pub fn overwrite_content(page: &PageRef, dest_offset: usize, new_payload: &[u8]) -> Result<()> { | ||
| turso_assert!(page.is_loaded(), "page should be loaded"); |
Collaborator
There was a problem hiding this comment.
is this assertion not required anymore? I'm working on a test that triggers this error (#4168, still a draft).
Collaborator
Author
There was a problem hiding this comment.
I brought it back. Didn't notice claude removed it for some reason even though I reviewed this multiple times :]
LeMikaelF
approved these changes
Dec 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Beef
This PR is entirely motivated by corruption bugs caused by marking pages as dirty after they had already been modified, causing the subjournal to restore dirty content upon rollback. For examples of this see #4231 and #4232.
Major change 1: Return a
PageWriteGuardfromadd_dirty()and&mut PageContentis only accessible through that wrapperMajor change 2: Make a LOT of the
PageContentmethods require a mutable referencePageContent::as_ptr()that gets a mutable reference to the underlying buffer from an immutable.&PageContent, and replace it with regularas_sliceandas_mut_slicewrite_rightmost_ptr()require&mutget_contents_mut_for_test()from the first commit ->get_contents_mut_unsafe_dont_use()- should be only used in tests or places where subjournaling is never required OR the caller has manually verified that the page is dirty