Subscribe to the tracking issue #2231 to receive notifications about breaking changes!
Released: 2024-10-28
-
Make
Grid.reserve()
abort rather than returning null. WhenGrid.reserve()
aborts, that indicates that the data file size limit would be exceeded by the reservation. We were already panicking in this case by unwrapping the result, but now it has a useful error message. -
Improve availability and performance by sending
start_view
message earlier in the new-primary recovery – as soon as the journal headers are repaired. -
Refactor compaction to clarify the scheduling logic, schedule more aggressively, and make it easier to run multiple compactions concurrently. This also improved the benchmark performance.
-
Support multiversion (non-automatic) upgrades when the replica is started with
--development
or--experimental
.
-
Allow a release's Git tag and
config.process.release
to differ. This simplifies the release process for hotfixes, when the Git tag is bumped but theconfig.process.release
is unchanged.
Released: 2024-10-21
-
Improve performance & availability during view change by ensuring a replica only repairs the portion of the WAL that is required to become primary, instead of repairing it in its entirety.
-
Add a unit test for Zig's stdlib sort.
Stable sort is critical for compaction correctness. Zig stdlib does have a sort fuzz test, but it doesn't cover the presorted subarray case, and doesn't check arrays much larger than the sort algorithm's on-stack cache.
-
Fix a bug in the MessageBus wherein connections weren't being terminated during client teardown.
-
Fix a bug in the benchmark wherein the usage of
--account-count-hot
was broken when used in conjunction with theuniform
distribution. -
Revamp the
core_missing_prepares
liveness-mode check to correctly check for the prepares that a replica should repair (after #2414).
Released: 2024-10-15
-
TigerBeetle clients internally batch operations for improved performance. Fix a bug where an unclosed link chain could be batched before another linked chain, causing them to be treated as one long linked chain. Additionally, prevent non-batchable requests from sharing packets entirely.
-
AMOUNT_MAX
is used as a sentinel value for things like balancing transfers to specify moving as much as possible. Correct and fix its value in the Java client. Thanks @tKe!
-
Improve the benchmark by adding Zipfian distributed random numbers, to better simulate realistic conditions and as a precursor to approximating YCSB.
-
Previously, TigerBeetle's clients disallowed empty batches locally, before the request was even sent to the cluster. However, this is actually a valid protocol message - even if it's not used by the current state machine - so allow empty batches to be sent from clients.
-
Revamp client documentation so that each snippet is self-contained, and standardize it across all languages.
-
Give the DevHub a fresh coat of paint, and fix passing seeds being blue in dark mode.
-
#2408, #2400, #2391, #2399, #2402, #2385
Improve VOPR logging and fix a few failing seeds.
Released: 2024-10-07
-
Significantly reduced P100 latency by incrementally spreading the mutable table's sort during compaction. This leverages the optimization of sort algorithms for processing sequences of already sorted sub-arrays.
-
Improve the workload generator to support concurrent tests with different ledgers.
-
Fix VOPR seeds. For more awesome details about the backstory and solutions to these issues, please refer to the PR.
-
Update the REPL to support representing the maximum integer value as
-0
, serving as theAMOUNT_MAX
sentinel. Additionally, other negative values such as-1
can be used to representmaxInt - 1
.Also, include support for hexadecimal numbers for more convenient inputting of GUID/UUID literals (e.g.
0xa1a2a3a4_b1b2_c1c2_d1d2_e1e2e3e4e5e6
).Allow the
timestamp
field to be set, enabling the REPL to be used forimported
events.
-
Use
zig fetch
as a replacement for downloading files, removing dependence on external tools. -
Port of Rust's
dbg!
macro to Zig, and the corresponding CI validation to prevent code using it from being merged intomain
! 😎 -
Verify the release versions included in the multiversion binary pack at build time (not only during runtime) and improve the
tigerbeetle version --verbose
command'smultiversion
output. -
Fix a multiversioning issue where the binary size exceeded the read buffer, failing to parse the executable header.
-
Consistently use
transient_error
instead oftransient_failure
and cleanup the StateMachine code. -
Add missing links to the operations
query_accounts
andquery_transfers
in the documentation and include the declaration forQueryFilter
andQueryFilterFlags
in thetb_client.h
header. -
Clearer error message when the replica crashes due to a data file being too large, instructing the operator to increase the memory allocated for the manifest log.
Released: 2024-10-04
Note: this is an extra release to correct an availability issue in the upgrade path for 0.16.4
.
Specifically, the combination of tigerbeetle 0.16.4
and a client at 0.16.3
can lead to an
assertion failure and a server crash. No data is lost, but the server becomes unavailable.
It is recommended to upgrade to 0.16.7
, but this is only required if you are running older
clients. To upgrade, replace the binary on disk, and manually restart the replica.
Note that although the release is tagged at 0.16.7
, the binary advertises itself as 0.16.4
.
-
Fix an assertion which was incorrect when a pre-transient-error client retried a transient error, and that transient error condition since disappeared. This mirrors #2345 which handles the case when it is still failing.
Released: 2024-10-04
Note: this is an extra release to correct a potential issue in the upgrade path for 0.16.4
.
Specifically, the combination of tigerbeetle 0.16.2
and newer, and any client before 0.16.2
can
lead to an assertion failure and a server crash. No data is lost, but the server becomes
unavailable.
It is recommended to upgrade to 0.16.6
, but this is only required if you are running older
clients. To upgrade, replace the binary on disk, and manually restart the replica.
Note that although the release is tagged at 0.16.6
, the binary advertises itself as 0.16.4
.
-
Correctly parse AccountFilter from pre
0.16.2
clients.
Released: 2024-10-03
Note: this is an extra release to correct an availability issue in the upgrade path for 0.16.4
.
Specifically, the combination of tigerbeetle 0.16.4
and a client at 0.16.3
can lead to an
assertion failure and a server crash. No data is lost, but the server becomes unavailable.
It is recommended to upgrade to 0.16.5
, but this is only required if you are running older
clients. To upgrade, replace the binary on disk, and manually restart the replica.
Note that although the release is tagged at 0.16.5
, the binary advertises itself as 0.16.4
.
-
Fix an assertion which was incorrect when a pre-transient-error client retried a transient error.
Released: 2024-09-30
This release introduces "transient errors": error codes for create_transfers
which depend on the
state of the database (e.g. exceeds_credits
). Going forward, a transfer that fails with a
transient error will not succeed if retried.
See the API tracking issue and the documentation for more details.
-
Reduce chance of
recovering_head
status by recovering from torn writes in the WAL. This improves the availability of the cluster, asrecovering_head
replicas cannot participate in consensus until after they repair.
-
Ensure idempotence for
create_transfers
' "transient errors" with new result codeid_already_failed
. In particular, this guards against surprising behavior when the client is running in a stateless API service.
Released: 2024-09-23
-
Improve cluster availability by more aggressive recovery for crashes that happen while a replica is checkpointing.
-
Add a more efficient recipe for balance-conditional transfers. A balance-conditional transfer is a transfer that succeeds only if the source account has more than a threshold amount of funds in it.
-
Add a new recipe for enforcing
debits_must_not_exceed_credits
on some subset of transfers (this is a special case of a balance-conditional transfer, with the threshold value being equal to transferred amount).
-
Add
triaged
issue label to prevent newly opened issues from slipping through the cracks. -
Add CI check for dead code.
-
Cleanup the source tree by removing top-level
tools
directory. -
Make sure that process-spawning API used for build-time "scripting" consistently reports errors when the subprocess fails or hangs.
Released: 2024-09-16
-
Tighten up the VSR assertions so the transition to
.recovering_head
can only be called from the.recovering
status. -
Make the primary abdicate if it is unable to process requests due to a broken clock.
-
Smoke integration test using the real multiversion binary.
-
Workload generator based on the Java client to be used in integration tests (i.e. Antithesis).
-
#2298, #2307, #2304, #2309, #2321
Remove
Tracy
integration and dependencies. Add JSON traces for events with multiple running instances, such as IO, lookups, and scans. -
Add the ability to filter by
user_data_{128,64,32}
andcode
inget_account_transfers
andget_account_balances
.
-
Mute the log on stderr when building client libraries. Reduce the log's severity of some entries logged as
.err
to.warn
for less noise when running withlog_level = .err
. -
Document and explain how time works in TigerBeetle ⏱️.
-
Refactor
Forest.compact
and remove some dead code. -
Rewrite
commit_dispatch
, a chain of asynchronous stages calling each other, as a state machine implementation that resembles linear control flow that is much easier to read. -
Fix the Node.js example that was using an incorrect enum flag. Thanks for the heads up @jorispz!
-
Update outdated scripts in
HACKING.md
. -
Use git timestamps to build Docker images. This is a requirement for being deterministic in CI.
-
Devhub link to pending code reviews.
Released: 2024-09-09
-
Improve view change efficiency; new heuristic for lagging replicas to forfeit view change.
A lagging replicas first gives a more up-to-date replica a chance to become primary by forfeiting view change. If the more up-to-date replica cannot step up as primary, the lagging replica attempts to step up as primary.
-
Complete rollout of the new state sync protocol.
Remove in-code remnants of the old state sync protocol. Replicas now panic if they receive messages belonging to the old protocol.
-
Improve log warnings for client eviction due to its version being too low/high.
-
Fix VOPR false positive wherein checkpoint was being updated twice in the upgrade path.
-
Fix typos found using codespell.
-
Document example for debiting multiple accounts and crediting a single account wherein the total amount to transfer to the credit account is known, but the balances of the individual debit accounts are not known.
-
Document the behavior of
user_data_128/user_data_64/user_data_32
in the presence of pending transfers. -
Inline Dockerfile in the release code, removing tools/docker/Dockerfile.
-
Add support for tracing IO & CPU events. This allows for coarse-grained performance analysis, for example collectively profiling IO and CPU performance (as opposed to IO or CPU in isolation).
-
Remove explicit header sector locks, using a common locking path for prepare and header sectors.
-
Change CliArgs -> CLIArgs in accordance with TigerStyle.
-
Vendor
llvm-objcopy
in the dependencies repository in accordance with our "no dependencies" policy. This ensures users don't have to manually install LLVM. -
Assign correct date to the release binary date; it was earlier set to the epoch ("Jan 1 1970").
-
Introduce fatal errors for crashing the replica process in the face of uncorrectable errors (for example, insufficient memory/storage).
-
Add formatting check in the CI for the Go client.
-
Reduce dimensionality of configuration modes.
Removes the development configuration which was used to run the replica with asserts enabled, enabling asserts for the production configuration instead. Additionally, removes the -Dconfig CLI option, making production configuration the default.
Released: 2024-09-02
This release is 0.16.0 as it includes a new breaking API change around zero amount transfers, as well as the behavior around posting a full pending transfer amount or balancing as much as possible. These are all gated by the client's release version.
If you're running a client older than 0.16.0, you'll see the old behavior where zero amount transfers are disallowed, but on newer clients these are supported and will create a transfer with an amount of 0.
Additionally, the sentinel value to representing posting the full amount of a pending transfer, or
doing a balancing transfer for as much as possible has changed. It's no longer 0, but instead
AMOUNT_MAX
.
See the tracking issue for more details.
-
Change how replicas that haven't finished syncing send a
prepare_ok
message, preventing them from falsely contributing to the durability of a checkpoint, which could potentially cause liveness issues in the event of storage faults. -
The new state sync protocol regressed the behavior where the replica would try to repair the WAL before switching to state sync, and this puts the old behavior back in.
WAL repair is used when the lagging replica's log still intersects with the cluster's current log, while state sync is used when when the logs no longer intersect.
-
Try to repair (but not commit) prepares, even if we don't have all the headers between checkpoint and head.
This makes things consistent between the normal and repair paths, and improves concurrency while repairing.
-
Reject prepares on the primary if its view isn't durable, much like solo clusters.
This solves a failing VOPR seed wherein a primary accepting prepares before making its log_view durable exposes a break in its hash chain.
-
A few
sysctl
s and security frameworks (eg, seccomp) might block io_uring. Print out a more helpful error message, rather than a generic "permission denied" or "system outdated".
-
Add the new
imported
flag to allow user-defined timestamps when creatingAccount
s andTransfer
s from historical events. -
Allow
Transfer
s withamount=0
and change behavior for balancing and post-pending transfers, introducing the constantAMOUNT_MAX
to replace the use of the zero sentinel when representing the maximum/original value in such cases. Note that this is a breaking change.Also, explicitly define optional indexes, which previously were determined simply by not indexing zeroed values.
-
Introduce a new flag,
Account.flags.closed
, which causes an account to reject any further transfers, except for voiding two-phase transfers that are still pending.The account flag can be set during creation or through a closing transfer. In the latter case, closed account can be re-opened by voiding or expiring the closing transfer.
-
Deprecates the old state sync protocol, no longer supporting both protocols simultaneously. As planned for this release, it only ignores old messages, allowing replicas to upgrade normally. In the next release, replicas would panic if they receive an old message.
-
Move multiversion build logic into
build.zig
fromrelease.zig
. This makes it much easier to build multiversion binaries as part of a regularzig build
, without having to invoke CI or release process specific code that's normally part ofrelease.zig
.It also makes it possible to build multiversion binaries on platforms that aren't x86_64 Linux.
-
Refactor the Multiversion API, bringing it in line with pre-existing code patterns.
-
Previously, TigerBeetle release numbers were based on a finicky conversion of GitHub's internal action run number to a version number.
This was error prone, and difficult to reason about before hand (what would the given version number for a release be?). Instead, make it so this very changelog is the source of truth for the version number which is explicitly set.
-
Change
init
function signatures to allow for in-place initialization. This addresses the silent stack growth caused by intermediate copy/move allocations during the initialization of large objects.Specifically, the
Forest
struct can grow indefinitely depending on the number ofGrooves
/IndexTrees
needed to support the StateMachine's custom logic, causing TigerBeetle to crash during startup due to stack-overflow. -
Don't cancel in-progress GitHub actions on the main branch. In particular, this ensures that the devhub records the benchmark measurements for every merge to main, even if those merges occur in quick succession.
-
Make the experimental feature
aof
(append-only file) a runtime flag instead of a build-time setting. This simplifies operations, allowing the use of the same standard release binary in environments that requireaof
. -
Renames the LSM constant
lsm_batch_multiple
tolsm_compaction_ops
, providing clearer meaning on how it relates to the pace at which LSM tree compaction is triggered. -
Add support for indexing flags, namely the new
imported
flag.
Released: 2024-08-19
-
Add new state sync protocol, fixing a couple of liveness issues. State sync is now performed as part of the view change.
-
Major state sync performance improvements.
-
Ensure
u128
(and related type) consistency across client implementations. -
Fix multiversioning builds for aarch64 macOS.
-
Automatically include oldest supported releases in release notes.
-
Refactor
build.zig
to break up the biggest function in the codebase. -
Minor improvements to zig install scripts.
Released: 2024-08-12
Highlight of this release is fully rolled-out support for multiversion binaries. This means that,
from now on, the upgrade procedure is going to be as simple as dropping the new version of
tigerbeetle
binary onto the servers. TigerBeetle will take care of restarting the cluster at the
new version when it is appropriate. See https://docs.tigerbeetle.com/operating/upgrading for
reference documentation.
Note that the upgrade procedure from 0.15.3
and 0.15.4
is a bit more involved.
- When upgrading from
0.15.3
, you'll need to stop and restarttigerbeetle
binary manually. - When upgrading from
0.15.4
, the binary will stop automatically by hitting anassert
. You should restart it after that.
-
Test client eviction in the VOPR.
-
Add integration tests for upgrades.
-
Add more hardening parameters to the suggested systemd unit definition.
-
Make the root directory smaller by getting rid of
scripts
and.gitattributes
entries. Root directory is the first thing you see when opening the repository, this space shouldn't be wasted! -
Complete the integration of multiversion binaries with the release infrastructure. From now on, the upgrade procedure is as simple as replacing the binary on disk with a new version. TigerBeetle will take care of safely and seamlessly restarting the cluster when appropriate itself.
-
Prepare to rollout the new state sync protocol. Stay tuned for the next release!
-
Simplify iteration over an LSM tree during scans.
-
Fix addresses logging in the client regressed by #2164.
-
Modernize scripts to generate client bindings to follow modern idioms for
build.zig
. -
Fix typo in the currency exchange example.
-
Past release checksums are further validated when printing multi-version information.
-
Write Ahead Log (WAL) appending was decoupled from WAL replication, tightening asserts.
-
VSR eviction edge cases receive more hardening.
-
Fix account overflows when doing a balance transfer for remaining funds (
amount=0
). -
Command line argument parsing no longer dynamically allocates and handles error handling paths more explicitly.
-
Golang's tests for the CI were re-enabled for ARM64 macOS.
-
This is a CHANGELOG entry about fixing a previous CHANGELOG entry.
-
Fix a bug where MessageBus sees block/reply messages (due to state sync or repair) and peer_type says they are always from replica 0 (since Header.Block.replica == 0 always). So, if they are being sent by a non-R0 replica, it drops the messages with "message from unexpected peer".
This leads to a replica being stuck in state sync and unable to progress.
-
It was possible for a prepare to exist in a mixture of WALs and checkpoints, which could compromise physical durability under storage fault conditions, since the data is present across a commit-quorum of replicas in different forms.
Rather, ensure a prepare in the WAL is only overwritten if it belongs to a commit-quorum of checkpoints.
-
A few CI changes: run tests in CI for x86_64 macOS, add in client tests on macOS and run the benchmark with
--validate
in CI. -
TigerBeetle reserves the most significant bit of the timestamp as the tombstone flag, so indicate and assert that timestamp_max is a
maxInt(u63)
. -
Internally, TigerBeetle uses AEGIS-128L for checksumming - hardware AES is a prerequisite for performance. Due to a build system bug, releases being built with a specified (
-Dtarget=
) target would only be built with baseline CPU features, and thus use the software AES implementation.Enforce at comptime that hardware acceleration is available, fix the build system bug, log checksum performance on our devhub and build client libraries with hardware acceleration too.
-
TigerBeetle would wait until all repairable headers are fixed before trying to commits prepares, but if all the headers after the checkpoint are present then we can start committing even if some headers from before the checkpoint are missing.
-
Clarify that the order of replicas in
--addresses
is important. Currently, the order of replicas as specified has a direct impact on how messages are routed between them. Having a differing order leads to significantly degraded performance. -
The state machine depended on
prepare_timestamp
to evaluatepulse()
, but in an idle cluster,prepare_timestamp
would only be set if pulse returned true! Thanks @ikolomiets for reporting. -
Add a fuzzer for scans.
-
Fuzz
storage.zig
, by using a mocked IO layer.
-
Certain workloads (for example, sending in tiny batches) can cause high amounts of space amplification in TigerBeetle, leading to data file sizes that are much larger than optimal.
This introduces a stopgap fix, greedily coalescing tables in level 0 of the LSM, which improves space amplification dramatically.
-
Add a data file inspector tool to the TigerBeetle CLI, handy for development and debugging alike. You can run it with
tigerbeetle inspect --help
. -
TigerBeetle clusters can now be upgraded!
-
Add a custom formatter for displaying units in error messages. Thanks @tensorush!
-
Allows for language clients to manage their own
Packet
memory, removing the need for tb_client to do so and thus removing the concepts of acquire/release_packet and concurrency_max. -
Add function length limits to our internal tidy tests.
-
#2116, #2114, #2111, #2132, #2131, #2124
Lots of small CFO improvements.
-
Fix an incorrect
assert
that was too tight, crashing the replica after state sync, when the replica's operation number lags behind checkpoint. -
Fixes and improvements to tests and simulator.
-
Improve the benchmark to verify the state after execution and enable tests in Windows CI!
-
Call
fs_sync
on macOS/Darwin after each write to properly deal with Darwin'sO_DSYNC
which doesn't behave likeO_DSYNC
on Linux.
-
New operations
query accounts
andquery transfers
as a stopgap API to add some degree of user-defined query capabilities. This is an experimental feature meant to be replaced by a proper querying API.
-
Simplify the comptime configuration by merging
config.test_min
andconfig.fuzz_min
. -
Fixed many typos and misspellings, thanks to Jora Troosh.
-
#2099, #2097, #2098, #2100, #2092, #2094, #2089, #2073, #2087, #2086, #2083, #2085
Multiple and varied changes to conform all line lengths to not more than 100 columns, according to TigerStyle!
-
Run
kcov
during CI as a code coverage sanity check. No automated action is taken regarding the results. We're not focused on tracking the quantitative coverage metric, but rather on surfacing blind spots qualitatively.
-
Strengthen LSM assertions.
-
Use flexible quorums for clock synchronization.
-
Improve and clarify balancing transfer
amount
validation.
-
Add chaitanyabhandari to the list of release managers.
-
Update TigerStyle with advice for splitting long functions.
-
Fix flaky tests.
-
Add
--security-opt seccomp=unconfined
to Docker commands in docs, since newer versions of Docker block access to io_uring. -
Clean up github actions workflows.
-
Make cfo supervisor robust to network errors.
-
tigerbeetle benchmark
command can now simulate few "hot" accounts which account for most of transfers, the distribution expected in a typical deployment.
-
Add a recipe for accounts with bounded balance
-
Rewrite
build.zig
to introduce a more regular naming scheme for top-level steps. -
Our internal dashboard, devhub now has dark mode 😎.
-
Ensure that the generated
tb_client.h
C header is in sync with Zig code.
-
Fuzzer Fixing For Fun! Particularly around random number generation and number sequences.
-
Add simulator coverage for
get_account_transfers
andget_account_balances
.
-
Reduce the default
--limit-pipeline-requests
value, dropping RSS memory consumption.
-
Build system simplifications.
-
#2026, #2020, #2030, #2031, #2008
Tidying up (now) unused symbols and functionality.
-
Rename docs section from "Develop" to "Coding".
-
Fix a case where an early return could result in a partially inserted transfer persisting.
-
Big improvements to allowing TigerBeetle to run with less memory! You can now run TigerBeetle in
--development
mode by default with an RSS of under 1GB. Most of these gains came from #1981 which allows running with a smaller runtime request size. -
Devhub improvements - make it harder to miss failures due to visualization bugs, show the PR author in fuzzer table and color canary "failures" as success.
-
Add
--account-batch-size
to the benchmark, mirroring--transfer-batch-size
. -
Rename the Deploy section to Operating, add a new correcting transfer recipe, and note that
lookup_accounts
shouldn't be used before creating transfers to avoid potential TOCTOUs.
-
⚡ Update Zig from 0.11.0 to 0.13.0! As part of this, replace non-mutated
var
s withconst
. -
Similar to #1991, adds the async
io_uring_prep_statx
syscall for Linux's IO implementation, allowing non-blockingstatx()
s while serving requests - to determine when the binary on disk has changed.
-
Refactor an internal iterator to expose a mutable pointer instead of calling
@constCast
on it. There was a comment justifying the operation's safety, but it turned out to be safer to expose it as a mutable pointer (avoiding misusage from the origin) rather than performing an unsound mutation over a constant pointer. -
Implement a random Grid/Scrubber tour origin, where each replica starts scrubbing the local storage in a different place, covering more blocks across the entire cluster.
-
Model and calculate the probability of data loss in terms of the Grid/Scrubber cycle interval, allowing to reduce the read bandwidth dedicated for scrubbing.
-
Fix a simulator bug where all the WAL sectors get corrupted when a replica crashes while writing them simultaneously.
-
As part of multiversioning binaries, adds the async
io_uring_prep_openat
syscall for Linux's IO implementation, allowing non-blockingopen()
s while serving requests (which will be necessary during upgrade checks). -
Require the
--experimental
flag when starting TigerBeetle with flags that aren't considered stable, that is, flags not explicitly documented in the help message, limiting the surface area for future compatibility.
-
Fix crash when upgrading solo replica.
-
Pin points crossing Go client FFI boundary to prevent memory corruption.
-
Build our .NET client for .NET 8, the current LTS version. Thanks @woksin!
-
Document recovery case
@L
in VSR. -
We implicitly supported underscores in numerical CLI flags. Add tests to make this explicit.
-
Add the size of an empty data file to devhub, tweak the benchmark to always generate the same sized batches, and speed up loading the devhub itself.
-
Ease restriction which guarded against unnecessary pulses.
-
Docs fixes and cleanup.
-
Fix determinism bug in test workload checker.
-
Expose
ticks_max
as runtime CLI argument. -
Devhub/benchmark improvements.
-
#1918, #1916, #1913, #1921, #1922, #1920, #1945, #1941, #1934, #1927
Lots of CFO enhancements - the CFO can now do simple minimization, fuzz PRs and orchestrate the VOPR directly. See the output on our devhub!
-
Fix a bug in the VOPR, add simple minimization, and remove the voprhub code. Previously, the voprhub is what took care of running the VOPR. Now, it's handled by the CFO and treated much the same as other fuzzers.
-
Prevent time-travel in our replica test code.
-
Fix a fuzzer bug around checkpoint / commit ratios.
-
Add the ability to limit the VSR pipeline size at runtime to save memory.
-
Fix path handling on Windows by switching to
NtCreateFile
. Before, TigerBeetle would silently treat all paths as relative on Windows. -
In preparation for multiversion binaries, make
release_client_min
a parameter, set byrelease.zig
. This allows us to ensure backwards compatibility with older clients. -
Add some additional asserts around block lifetimes in compaction.
-
Fix parsing of multiple CLI positional fields.
-
Remove
main_pkg_path = src/
early, to help us be compatible with Zig 0.12. -
Docs organization and link fixes.
-
#1906, #1904, #1903, #1901, #1899, #1886
Fixes and performance improvements to fuzzers.
-
Reduces cache size for the
--development
flag, which was originally created to bypass direct I/O requirements but can also aggregate other convenient options for non-production environments. -
Reduction in memory footprint, calculating the maximum number of messages from runtime-known configurations.
-
Removes the
bootstrap.{sh,bat}
scripts, replacing them with a more transparent instruction for downloading the binary release or building from source. -
Nicely handles "illegal instruction" crashes, printing a friendly message when the CPU running a binary release is too old and does not support some modern instructions such as AES-NI and AVX2.
-
Include micro-benchmarks as part of the unit tests, so there's no need for a special case in the CI while we still compile and check them.
-
A TigerStyle addition on "why prefer a explicitly sized integer over
usize
". -
Rename "Getting Started" to "Quick Start" for better organization and clarifications.
-
While TigerBeetle builds are deterministic, Zip files include a timestamp that makes the build output non-deterministic! This PR sets an explicit timestamp for entirely reproducible releases.
-
Extracts the zig compiler path into a
ZIG_EXE
environment variable, allowing easier sharing of the same compiler across multiple git work trees.
-
Move message allocation farther down into the
tigerbeetle start
code path.tigerbeetle format
is now faster, since it no longer allocates these messages. -
Reduce the connection limit, which was unnecessarily high.
-
Implement zig-zag merge join for merging index scans. (Note that this functionality is not yet exposed to TigerBeetle's API.)
-
Print memory usage more accurately during
tigerbeetle start
.
-
Fix blob-size CI check with respect to shallow clones.
-
Add more fuzzers to CFO (Continuous Fuzzing Orchestrator).
-
Improve fuzzer performance.
-
On the devhub, show at most one failing seed per fuzzer.
-
#1820, #1867, #1877, #1873, #1853, #1872, #1845, #1871
Documentation improvements.
-
Implement grid scrubbing --- a background job that periodically reads the entire data file, verifies its correctness and repairs any corrupted blocks.
-
Turn on continuous fuzzing and integrate it with devhub.
-
Improve navigation on the docs website.
A very special song from our friend MEGAHIT!
-
Incrementally recompute the number values to compact in the storage engine. This smooths out I/O latency, giving a nice bump to transaction throughput under load.
-
Add
--development
flag toformat
andstart
commands in production binaries to downgrade lack of Direct I/O support from a hard error to a warning.TigerBeetle uses Direct I/O for certain safety guarantees, but this feature is not available on all development environments due to varying file systems. This serves as a compromise between providing a separate development release binary and strictly requiring Direct I/O to be present.
-
Add fixed upper bound to loop in the StorageChecker.
-
Orchestrate continuous fuzzing of tigerbeetle components straight from the build system! This gives us some flexibility on configuring our set of machines which test and report errors.
-
Styling updates and fixes.
-
Fix a case the VOPR found where a replica recovers into
recovering_head
unexpectedly.
-
Improve CLI errors around sizing by providing human readable (1057MiB vs 1108344832) values.
-
#1818, #1831, #1829, #1817, #1826, #1825
Documentation improvements.
-
Additional LSM compaction comments and assertions.
-
Clarify some scan internals and add additional assertions.
-
Some of our comments had duplicate words - thanks @divdeploy for for noticing!
-
Reject incoming client requests that have an unexpected message length.
-
Fix message alignment.
-
StorageChecker
now verifies grid determinism at bar boundaries. -
Fix VOPR liveness false positive when standby misses an op.
-
Assert that the type-erased LSM block metadata matches the comptime one, specialized over
Tree
. -
Use a FIFO as a block_pool instead of trying to slice arrays during compaction.
-
Implement
get_account_transfers
andget_account_balances
in the REPL. -
#1781, #1784, #1765, #1816, #1808, #1802, #1798, #1793, #1805
Documentation improvements.
-
Improve Docker experience by handling
SIGTERM
through tini. -
For reproducible benchmarks, allow setting
--seed
on the CLI.
-
Move
request_queue
outside ofvsr.Client
. -
Extract
CompactionPipeline
to a dedicated function. -
Replace compaction interface with comptime dispatch.
-
Remove the duplicated
CompactionInfo
value stored inPipelineSlot
, referencing it from theCompaction
by its coordinates. -
CLI output improvements.
-
Improvements in the client libraries CI.
-
Metrics adjustments for Devhub and Nyrkio integration.
-
Various bug fixes in the build script and removal of the "Do not use in production" warning.
- Bump version to 0.15.x
- Starting with 0.15.x, TigerBeetle is ready for production use, preserves durability and provides a forward upgrade path through storage stability.
-
Set TigerBeetle's block size to 512KB.
Previously, we used to have a block size of 1MB to help with approximate pacing. Now that pacing can be tuned independently of block size, reduce this value (but not too much - make the roads wider than you think) to help with read amplification on queries.
-
Implement compaction pacing: traditionally LSM databases run compaction on a background thread. In contrast compaction in tigerbeetle is deterministically interleaved with normal execution process, to get predictable latencies and to guarantee that ingress can never outrun compaction.
In this PR, this "deterministic scheduling" is greatly improved, slicing compaction work into smaller bites which are more evenly distributed across a bar of batched requests.
-
Include information about tigerbeetle version into the VSR protocol and the data file.
-
#1732, #1743, #1742, #1720, #1719, #1705, #1708, #1707, #1723, #1706, #1700, #1696, #1686.
Many availability issues found by the simulator fixed!
-
Fix a buffer leak when
get_account_balances
is called on an invalid account.
-
#1671, #1713, #1709, #1688, #1691, #1690.
Many improvements to the documentation!
-
Rename
get_account_history
toget_account_balances
. -
Automatically expire pending transfers.
-
Implement in-place upgrades, so that the version of tigerbeetle binary can be updated without recreating the data file from scratch.
-
Consistently use
MiB
rather thanMB
in the CLI interface. -
Mark
--standby
andbenchmark
CLI arguments as experimental.
-
Unify PostedGroove and the index pending_status.
-
Include an entire header into checkpoint state to ease recovery after state sync.
-
Fetching account history and transfers now has unit tests, helping detect and fix a reported bug with posting and voiding transfers.
-
#1656, #1659, #1666, #1667, #1667
Preparation for in-place upgrade support.
-
#1633, #1661, #1652, #1647, #1637, #1638, #1655
Documentation has received some very welcome organizational and clarity changes. Go check them out!
-
#1584 Lower our memory usage by removing a redundant stash and not requiring a non-zero object cache size for Grooves.
The object cache is designed to help things like Account lookups, where the positive case can skip all the prefetch machinery, but it doesn't make as much sense for other Grooves.
-
Hook nyrkiö up to our CI! You can find our dashboard here in addition to our devhub.
-
#1635 #1634 #1623 #1619 #1609 #1608 #1595
Lots of small VSR changes, including a VOPR crash fix.
-
Fix a VOPR failure where state sync would cause a break in the hash chain.
-
Use Expand-Archive over unzip in PowerShell - thanks @felipevalerio for reporting!
-
Implement explicit coverage marks.
-
#1621 #1625 #1622 #1600 #1605 #1618 #1606
Minor doc fixups.
-
Default the VOPR to short log, and fix a false assertion in the liveness checker.
-
Fix a memory leak in our Java tests.
-
Rework the log repair logic to never repair beyond a "confirmed" checkpoint, fixing a liveness issue where it was impossible for the primary to repair its entire log, even with a quorum of replicas at a recent checkpoint.
-
Some Java unit tests created native client instances without the proper deinitialization, causing an
OutOfMemoryError
during CI. -
Fix Vopr's false alarms.
-
Document how assertions should be used, especially those with complexity O(n) under the
constants.verify
conditional. -
Harmonize and automate the logging pattern by using the
@src
built-in to retrieve the function name. -
Include the benchmark smoke as part of the
zig build test
command rather than a special case during CI. -
Remove unused code coverage metrics from the CI.
-
Re-enable Windows CI 🎉.
-
DVCs implicitly nack missing prepares from old log-views.
(This partially addresses a liveness issue in the view change.)
-
When a replica joins a view by receiving an SV message, some of the SV's headers may be too far ahead to insert into the journal. (That is, they are beyond the replica's checkpoint trigger.)
During a view change, those headers are now eligible to be DVC headers.
(This partially addresses a liveness issue in the view change.)
-
Fixes a bug in the C client that wasn't handling
error.TooManyOutstanding
correctly.
-
Bring back Windows tests for .Net client in CI.
-
Add script to scaffold changelog updates.
-
Improve CI/test error reporting.
-
Draw devhub graph as line graph.
-
Simplify command to run a single test.
-
Add client batching integration tests.
-
Format default values into the CLI help message.
-
Track commit timestamp to enable retrospective benchmarking in the devhub.
-
Improve CI/test performance.
-
Guarantee that the test runner correctly reports "zero tests run" when run with a filter that matches no tests.
-
(Hat tip to iofthetiger!)
-
Reduce checkpoint latency by checkpointing the grid concurrently with other trailers.
-
Fix a logical race condition (which was caught by an assert) when reading and writing client replies concurrently.
-
Double check that both checksum and request number match between a request and the corresponding reply.
-
Optimize fields with zero value by not adding them to an index.
-
Introduce
get_account_history
operation for querying the historical balances of a given account. -
Add helper function for generating approximately monotonic IDs to various language clients.
-
Harden VSR against edge cases.
-
Allows VSR to perform checkpoint steps concurrently to reduce latency spikes.
-
Removed unused indexes on account balances for a nice bump in throughput and lower memory usage.
-
Only zero-out the parts necessary for correctness of fresh storage buffers. "Defense in Depth" without sacrificing performance!
-
TigerBeetle's dev workbench now also tracks memory usage (RSS), throughput, and latency benchmarks over time!
-
Simplify assertions and tests for VSR and Replica.
-
.NET CI fixups
-
Spring Cleaning
-
Panic on checkpoint divergence. Previously, if a replica's state on disk diverged, we'd use state sync to bring it in line. Now, we don't allow any storage engine nondeterminism (mixed version clusters are forbidden) and panic if we encounter any.
-
Fix a liveness issues when starting a view across checkpoints in an idle cluster.
-
Stop an isolated replica from locking a standby out of a cluster.
-
Change
get_account_transfers
to usetimestamp_min
andtimestamp_max
to allow filtering by timestamp ranges. -
Allow setting
--addresses=0
when starting TigerBeetle to enable a mode helpful for integration tests:- A free port will be picked automatically.
- The port, and only the port, will be printed to stdout which will then be closed.
- TigerBeetle will exit when its stdin is closed.
-
TigerBeetle now has a dev workbench! Currently we track our build times and executable size over time.
-
tigerbeetle client ...
is nowtigerbeetle repl ...
.
-
Deprecate support and testing for Node 16, which is EOL.
-
#1477, #1469, #1475, #1457, #1452.
Improve VOPR & VSR logging, docs, assertions and tests.
-
Improve integration tests around Node and
pending_transfer_expired
- thanks to our friends at Rafiki for reporting!
-
Avoid an extra copy of data when encoding the superblock during checkpoint.
-
Use more precise upper bounds for static memory allocation, reducing memory usage by about 200MiB.
-
When reading data past the end of the file, defensively zero-out the result buffer.
-
Upgrade C# client API to use
Span<T>
. -
Add ID generation function to the Java client. TigerBeetle doesn't assign any meaning to IDs and can use anything as long as it is unique. However, for optimal performance it is best if these client-generated IDs are approximately monotonic. This can be achieved by, for example, using client's current timestamp for high order bits of an ID. The new helper does just that.
-
Rewrite git history to remove large files accidentally added to the repository during early quick prototyping phase. To make this durable, add CI checks for unwanted files. The original history is available at:
-
New tips for the style guide:
Welcome to 2024!
-
#1425, #1412, #1410, #1408, #1395.
Run more fuzzers directly in CI as a part of not rocket science package.
-
Formalize some ad-hoc testing practices as proper integration tests (that is, tests that interact with a
tigerbeetle
binary through IPC). -
Add a lint check for unused Zig files.
-
Improve cluster availability by including conservative information about the current view into ping-pong messages. In particular, prevent the cluster from getting stuck when all replicas become primaries for different views.
-
Test both the latest and the oldest supported Java version on CI.
-
Fix a data race on close in the Java client.
-
Make binaries on Linux about six times smaller (12MiB -> 2MiB). Turns
tigerbeetle
was accidentally including 10 megabytes worth of debug info! Note that unfortunately stripping all debug info also prevents getting a nice stack trace in case of a crash. We are working on finding the minimum amount of debug information required to get just the stack traces. -
Cleanup error handling API for Java client to never surface internal errors as checked exceptions.
-
Add example for setting up TigerBeetle as a systemd service.
-
Drop support for .Net Standard 2.1.
-
Don't exit repl on
help
command.
-
Overhaul documentation-testing infrastructure to reduce code duplication.
-
Don't test NodeJS client on platforms for which there are no simple upstream installation scripts.
-
Use histogram in the benchmark script to reduce memory usage.
“The exception confirms the rule in cases not excepted." ― Cicero.
Due to significant commits we had this last week, we decided to make an exception in our release schedule and cut one more release in 2023!
Still, the TigerBeetle team wishes everyone happy holidays! 🎁
-
Some CI-related stuff plus the
-Drelease
flag, which will bring back the joy of using the compiler from the command line 🤓. -
Added value count to
TableInfo
, allowing future optimizations for paced compaction.
-
The simulator found a failure when the WAL gets corrupted near a checkpoint boundary, leading us to also consider scenarios where corrupted blocks in the grid end up "intersecting" with corruption in the WAL, making the state unrecoverable where it should be. We fixed it by extending the durability of "prepares", evicting them from the WAL only when there's a quorum of checkpoints covering this "prepare".
-
Fix a unit test that regressed after we changed an undesirable behavior that allowed
prefetch
to invoke its callback synchronously. -
Relaxed a simulator's verification, allowing replicas of the core cluster to be missing some prepares, as long as they are from a past checkpoint.
-
A highly anticipated feature lands on TigerBeetle: it's now possible to retrieve the transfers involved with a given account by using the new operation
get_account_transfers
.Note that this feature itself is an ad-hoc API intended to be replaced once we have a proper Querying API. The real improvement of this PR is the implementation of range queries, enabling us to land exciting new features on the next releases.
-
Bump the client's maximum limit and the default value of
concurrency_max
to fully take advantage of the batching logic.
As the last release of the year 2023, the TigerBeetle team wishes everyone happy holidays! 🎁
-
We've established a rotation between the team for handling releases. As the one writing these release notes, I am now quite aware.
-
Fix panic in JVM unit test on Java 21. We test JNI functions even if they're not used by the Java client and the semantics have changed a bit since Java 11.
-
Move client sessions from the Superblock (database metadata) into the Grid (general storage). This simplifies control flow for various sub-components like Superblock checkpointing and Replica state sync.
-
An optimization for removes on secondary indexes makes a return. Now tombstone values in the LSM can avoid being compacted all the way down to the lowest level if they can be cancelled out by inserts.
-
Clients automatically batch pending similar requests 🎉! If a tigerbeetle client submits a request, and one with the same operation is currently in-flight, they will be grouped and processed together where possible (currently, only for
CreateAccount
andCreateTransfers
). This should greatly improve the performance of workloads which submit a single operation at a time.
-
Defense in depth: add checkpoint ID to prepare messages. Checkpoint ID is a hash that covers, via hash chaining, the entire state stored in the data file. Verifying that checkpoint IDs match provides a direct strong cryptographic guarantee that the state is the same across replicas, on top of existing guarantee that the sequence of events leading to the state is identical.
-
Gate the main branch on more checks: unit-tests for NodeJS and even more fuzzers.
-
Code cleanups after removal of storage size limit.
-
Fix free set index. The free set is a bitset of free blocks in the grid. To speed up block allocation, the free set also maintains an index --- a coarser-grained bitset where a single bit corresponds to 1024 blocks. Maintaining consistency between a data structure and its index is hard, and thorough assertions are crucial. When moving free set to the grid, we discovered that, in fact, we don't have enough assertions in this area and, as a result, even have a bug! Assertions added, bug removed!
-
LSM tree fuzzer found a couple of bugs in its own code.
-
Remove format-time limit on the size of the data file. Before, the maximum size of the data file affected the layout of the superblock, and there wasn't any good way to increase this limit, short of recreating the cluster from scratch. Now, this limit only applies to the in-memory data structures: when a data files grows large, it is sufficient to just restart its replica with a larger amount of RAM.
-
We finally have the "installation" page in our docs!
-
Use Zig's new
if (@inComptime())
builtin to compute checksum of an empty byte slice at compile time. -
Fix unit tests for the Go client and add them to not rocket science set of checks.
-
When validating our releases, use the
release
branch instead ofmain
to ensure everything is in sync, and give the Java validation some retry logic to allow for delays in publishing to Central. -
Pad storage checksums from 128-bit to 256-bit. These are currently unused, but we're reserving the space for AEAD tags in future.
-
Remove a trailing comma in our Java client sample code.
-
Switch
bootstrap.sh
to use spaces only for indentation and ensure it's checked by our shellcheck lint. -
Update our
DESIGN.md
to better reflect storage fault probabilities and add in a reference. -
Add
CHANGELOG.md
validation to our tidy lint script. We now check line length limits and trailing whitespace. -
In keeping with TigerStyle rename
reserved_nonce
tononce_reserved
. -
Note in TigerStyle that callbacks go last in the list of parameters.
-
Add an exception for line length limits if there's a link in said line.
-
Recursively check for padding in structs used for data serialization, ensuring that no uninitialized bytes can be stored or transmitted over the network. Previously, we checked only if the struct had no padding, but not its fields.
-
Minor adjustments in the release process, making it easier to track updates in the documentation website when a new version is released, even if there are no changes in the documentation itself.
-
Fix outdated documentation regarding 128-bit balances.
-
Fix a bug discovered and reported during the Hackathon 2023, where the Node.js client's error messages were truncated due to an incorrect string concatenation adding a null byte
0x00
in the middle of the string. -
Update the Node.js samples instructions, guiding the user to install all dependencies before the sample project.
-
We've doubled the
Header
s size to 256 bytes, paving the way for future improvements that will require extra space. Concurrently, this change also refactors a great deal of code. Some of theHeader
's fields are shared by all messages, however, eachCommand
also requires specific pieces of information that are only used by its kind of message, and it was necessary to repurpose and reinterpret fields so that the same header could hold different data depending on the context. Now, commands have their own specialized data type containing the fields that are only pertinent to the context, making the API much safer and intent-clear. -
With larger headers (see #1295) we have enough room to make the cluster ID a 128-bit integer, allowing operators to generate random cluster IDs without the cost of having a centralized ID coordinator. Also updates the documentation and sample programs to reflect the new maximum batch size, which was reduced from 8191 to 8190 items after we doubled the header.
-
Implement last-mile release artifact verification in CI.
-
Bump the simulator's safety phase max-ticks to avoid false positives from the liveness check.
-
Fix a crash caused by a race between a commit and a repair acquiring a client-reply
Write
. -
Fix a crash caused by a race between state (table) sync and a move-table compaction.
Both bugs didn't stand a chance in the Line of Fire of our deterministic simulator!
-
Specify which CPU features are supported in builds.
-
Improve
shell.zig
's directory handling, to guard against mistakes with respect to the current working directory. -
Interpret a git hash as a VOPR seed, to enable reproducible simulator smoke tests in CI.
-
Explicitly target glibc 2.7 when building client libraries, to make sure TigerBeetle clients are compatible with older distributions.
-
Revive the TigerBeetle VOPRHub! Some previous changes left it on it's Last Stand, but the bot is back in business finding liveness bugs: #1266
-
Set the latest Docker image to track the latest release. Avoids language clients going out of sync with your default docker replica installations.
-
Move website doc generation for https://docs.tigerbeetle.com/ into the main repo.
-
Addressed some release quirks with the .NET and Go client builds.
-
Prove a tighter upper bound for the size of manifest log. With this new bound, manifest log is guaranteed to fit in allocated memory and is smaller. Additionally, manifest log compaction is paced depending on the current length of the log, balancing throughput and time-to-recovery.
-
Recommend using ULID for event IDs. ULIDs are approximately sorted, which significantly improves common-case performance.
-
Rewrite Node.js client implementation to use the common C client underneath. While clients for other languages already use the underlying C library, the Node.js client duplicated some code for historical reasons, but now we can leave that duplication in the past. This Is A Photograph.
-
Increase block size to reduce latencies due to compaction work. Today, we use a simplistic schedule for compaction, which causes latency spikes at the end of the bar. While the future solution will implement a smarter compaction pacing to distribute the work more evenly, we can get a quick win by tweaking the block and the bar size, which naturally evens out latency spikes.
-
The new release process changed the names of the published artifacts (the version is no longer included in the name). This broke our quick start scripts, which we have fixed. Note that we are in the process of rolling out the new release process, so some unexpected breakage is expected.
-
Speed up secondary index maintenance by statically distinguishing between insertions and updates. Faster than the speed of night!
-
Include Docker images in the release.
-
Simplify superblock layout by using a linked list of blocks for manifest log, so that the superblock needs to store only two block references.
P.S. Note the PR number!
This is the start of the changelog. A lot happened before this point and is lost in the mist of git history, but any notable change from this point on shall be captured by this document.
-
Remove bloom filters. TigerBeetle implements more targeted optimizations for both positive and negative lookups, making bloom filters a net loss.
-
Increase alignment of data blocks to 128KiB (from 512 bytes). Larger alignment gives operators better control over physical layout of data on disk.
-
Overhaul of CI and release infrastructure. CI and releases are now driven by Zig code. The main branch is gated on integration tests for all clients.
This is done in preparation for the first TigerBeetle release.
For archeological inquiries, check out the state of the repository at the time of the first changelog: