proxysql

Commit Graph

Author	SHA1	Message	Date
René Cannaò	aa4a078988	Merge pull request #5700 from sysown/fix/test-mysqlx-plugin-load-phase-b fix(test): test_mysqlx_plugin_load-t needs Phase B between load and init	3 weeks ago
Rene Cannao	7de1ae3dcd	test(mysqlx): address PR-#5700 review feedback Two reviewers flagged the same area in the previous commit (ec0c5... oh wait wrong sha — `eebfbde2b`). Both findings legitimate and applied. # CodeRabbit nitpick: BAIL_OUT on Phase B failure If invoke_register_schemas_phase() returns false, every subsequent assertion in this test depends on tables(kind) state populated by Phase B. They would all spuriously fail as "not ok" and obscure the root cause (the same logic the existing load() guard already uses on line 41 — bail on the prerequisite, don't drown the operator in downstream noise). # Gemini: capture return value explicitly + drop redundant err.clear() Verified Gemini's claim by reading lib/ProxySQL_PluginManager.cpp: - invoke_register_schemas_phase clears err at line 417 (entry). - init_all clears err at line 489 (entry). So the previous commit's err.clear() between the two calls was dead code; removing it. And since reading err after a successful return is meaningless (it's empty by contract), the success/failure check should go through the bool return, not err.empty(). Matches the load() pattern at line 37 ("const bool loaded = mgr.load(...)") for consistency. # Verified locally $ ./test_mysqlx_plugin_load-t 1..7 ok 1 - load mysqlx plugin succeeds ok 2 - invoke_register_schemas_phase registers mysqlx schema ok 3 - init_all completes after schema registration ok 4 - mysqlx_users registered in admin_db ok 5 - mysqlx_users registered in config_db ok 6 - mysqlx_users admin schema includes allowed_auth_methods ok 7 - mysqlx_users config schema includes backend_auth_mode	3 weeks ago
Rene Cannao	eebfbde2b3	fix(test): test_mysqlx_plugin_load-t needs Phase B between load and init Pre-existing test bug surfaced by CI-unit-tests-asan-coverage on plugin-chassis (run 25202654334, head `bb199c6c`). 4 of 6 assertions failed: not ok 3 - mysqlx_users registered in admin_db not ok 4 - mysqlx_users registered in config_db not ok 5 - mysqlx_users admin schema includes allowed_auth_methods not ok 6 - mysqlx_users config schema includes backend_auth_mode Root cause: the mysqlx plugin (ABI 2+) registers its admin tables in register_schemas() — Phase B of the four-phase lifecycle — not in init() / Phase D. The test only does load() + init_all(), skipping Phase B entirely, so mgr.tables(admin_db) and mgr.tables(config_db) return empty vectors and find_table() returns nullptr for every table-existence assertion. The test was written before the four-phase lifecycle was finalised; when mysqlx_register_admin_schema moved into Phase B (the Phase B mysqlx_register_schemas wraps it; init_all() no longer touches the admin-table-registration path), this test was not updated. # Fix Insert mgr.invoke_register_schemas_phase(err) between load() and init_all(). For ABI-1 plugins that don't declare register_schemas the call is a no-op (returns true with err empty). The plan goes from 6 to 7 to cover the new assertion. Verified locally: $ ./test_mysqlx_plugin_load-t 1..7 ok 1 - load mysqlx plugin succeeds ok 2 - invoke_register_schemas_phase registers mysqlx schema ok 3 - init_all completes after schema registration ok 4 - mysqlx_users registered in admin_db ok 5 - mysqlx_users registered in config_db ok 6 - mysqlx_users admin schema includes allowed_auth_methods ok 7 - mysqlx_users config schema includes backend_auth_mode # Why now This wasn't caught earlier because the same plugin-load assertions were partially covered by sibling tests (test_mysqlx_admin_tables-t, plugin_manager_unit-t) that drove the full Phase A→B→D lifecycle. test_mysqlx_plugin_load-t was the only test with the load+init-only shortcut. CI-unit-tests-asan-coverage on plugin-chassis is the specific job that runs every *-t binary in test/tap/tests/unit (the file lives in test/tap/tests/, not unit/, but groups.json registers it with @proxysql_min_version:4.0 so the chassis gates are right).	3 weeks ago
Rene Cannao	ef32d9df87	ci: register plugin_runtime_views_unit-t in groups.json Lint failure surfaced on PR #5690's CI run (job 73893199128) — the chassis runtime-view test added in PR #5688 was never registered in test/tap/groups/groups.json, and check_groups.py treats any unlisted TAP source as a lint error. Same group entry as the sibling plugin-chassis tests (plugin_dispatch _unit-t, plugin_manager_unit-t, etc.): "plugin_runtime_views_unit-t" : [ "unit-tests-g1","@proxysql_min_version:4.0" ] unit-tests-g1 is the standard host-only TAP group (no docker backend required); the @proxysql_min_version:4.0 attribute keeps it from running against pre-chassis builds. Trivial fix that belongs on the same PR as the doc updates because the lint failure is what surfaces on every PR opened against plugin-chassis until this lands.	3 weeks ago
Rene Cannao	becbf09ffa	fix(mysqlx): plugin_descriptor visibility + admin_tables test + dead decl Three issues code-review caught. # Plugin-descriptor visibility plugins/mysqlx/Makefile builds the .so with -fvisibility=hidden. The loader resolves proxysql_plugin_descriptor_v1 via dlsym(); without an explicit visibility-default override on this single exported function, the symbol stays hidden and ProxySQL_PluginManager::load() fails with "undefined symbol: proxysql_plugin_descriptor_v1". Add the __attribute__((visibility("default"))) override so the .so exports exactly one symbol — the descriptor entry point — and no others. Latent regression unblocked here (test_mysqlx_plugin_load-t was also affected). # test_mysqlx_admin_tables-t.cpp rewrite This integration-style TAP test (registered as unit-tests-g1, @proxysql_min_version:4.0) used to assert on runtime_mysqlx_<X> contents after each LOAD/SAVE call: mgr.dispatch_admin_command(ctx, "LOAD MYSQLX USERS TO RUNTIME", result); ok(admin_db.return_one_int("SELECT COUNT(*) FROM runtime_mysqlx_users") == 1, ...); Under the new architecture, LOAD updates MysqlxConfigStore and never writes runtime_mysqlx_users. The runtime view is repopulated only via the chassis pre-SELECT hook in ProxySQL_Admin::GenericRefreshStatistics — a path the test bypasses by reaching admin_db directly. The test also seeded only mysqlx_users without seeding runtime_mysql_users, so the cross-module-join in install_users_from_admin would silently drop every user. And the SAVE-after-modifying-runtime tests were asserting on a no-op (SAVE no longer reads runtime_mysqlx_users). Rewrite: - LOAD assertions now go via rows_affected from the callback and DELETE editable + SAVE roundtrip to confirm the in-memory store really held the rows. If SAVE re-materialises the rows the operator deleted from the editable table, they came from the store — exactly the contract LOAD is meant to install. - Cross-module canonical tables seeded explicitly: helper seed_canonical_tables creates runtime_mysql_users + runtime_mysql_servers via the canonical ADMIN_SQLITE_RUNTIME_MYSQL_USERS / ADMIN_SQLITE_TABLE_RUNTIME _MYSQL_SERVERS DDL. - SAVE-after-runtime-mutation tests (lines 263+) rewritten: instead of "modify runtime_mysqlx_users, then SAVE, expect change in mysqlx_users", they affirmatively assert the new contract — runtime-view edits do NOT propagate to mysqlx_users on SAVE. - backend_auth_mode values normalised to canonical enum values (service_account, pass_through, mapped) since mysqlx_backend_auth_mode_from_string collapses unknowns to `mapped` and would have hidden any round-trip bug otherwise. 45 / 0 asserts after rewrite. # Dead declaration MysqlxConfigStore::rebuild_hostgroup_endpoints_locked() declared in the header but never defined or called. Drop it. Code review found this in the same pass.	4 weeks ago
Rene Cannao	90e888e1d0	fix(chassis): runtime-view dispatch fires unconditionally on admin Doc-accuracy review found that proxysql_refresh_configured_plugin_ runtime_views was unreachable for plugin-registered tables. The call was placed inside if (refresh==true) { // ProxySQL_Admin.cpp:1637 ... if (admin) { // existing core runtime_* refreshes proxysql_refresh_configured_plugin_runtime_views(...) } } `refresh` only gets set to true by hardcoded substring matches against core's own table names (lines 1358-1634: runtime_mysql_users, runtime_mysql_servers, runtime_mysql_query_rules, etc.). None of those substrings match runtime_mysqlx_* (or any other plugin- registered view), so on a bare SELECT * FROM runtime_mysqlx_users the gate was false, my dispatch was skipped, the table was empty (or stale from a previous query that DID match a core substring), and the SELECT returned wrong data. The whole "on-demand projection" mechanism the previous commits documented was broken for the entry case. Issue #5687 / PR #5688. The fix is one-line structurally: hoist the dispatch out of the `if (refresh==true)` block and place it right after the substring- detection section, gated only on `if (admin)`. The chassis dispatcher itself (refresh_runtime_views_for_query in ProxySQL_PluginManager.cpp) already does its own per-view substring match against query_no_space, so a query that touches no registered view is a cheap no-op (one shared lock + N substring scans, N == registered-view count). Calling unconditionally on every admin query is therefore both correct and cheap. Test: new plugin_runtime_views_unit-t (20 ok asserts) drives ProxySQL_PluginManager::register_runtime_view + refresh_runtime_views_for_query directly. Covers: - register_runtime_view rejects null callback / empty name / case-insensitive duplicate. - Per-query dispatch fan-out: only matching callbacks fire, join queries fire all referenced views, unrelated queries fire nothing, case-insensitive match works, backtick-quoted identifiers match. - Whole-identifier boundary: longer-suffix overlap (runtime_ mysqlx_users_extra), left-prefix overlap (stats_runtime_ mysqlx_users), embedded-in-string-literal — none falsely match. Boundary cases (start of string, end of string) do match. This is the test the PR-#5688 review pass identified as the chassis- hook coverage gap. Builds standalone (no fake-plugin loader needed) since it drives the manager directly.	4 weeks ago
Rene Cannao	b4127156ed	fix(mysqlx): listener reconciler reads MysqlxConfigStore, not runtime view Code-review finding on PR #5688. mysqlx_reconcile_listeners_impl in plugins/mysqlx/src/mysqlx_listener_reconcile.cpp was still issuing a SELECT against runtime_mysqlx_routes to build its desired route set: SELECT name, bind FROM runtime_mysqlx_routes WHERE active=1 After the previous commit decoupled module state from the runtime_mysqlx_<X> projection, that table is empty until an admin SELECT triggers the projection callback. The reconciler runs from two non-admin paths: - mysqlx_plugin.cpp::mysqlx_start() at process startup, after install_routes_from_admin populates the store - load_routes_to_runtime() admin command, after install_routes_from_admin populates the store Both paths fire BEFORE any admin SELECT has projected the runtime view, so the reconciler would see ZERO desired routes. Net effect in production: no mysqlx listeners bind on startup, and LOAD MYSQLX ROUTES TO RUNTIME silently removes any listeners that were already mapped (the reconciler treats every mapped route as "no longer desired"). The unit tests didn't catch this because the weak symbol mysqlx_reconcile_listeners is null in unit-test binaries (the listener-reconcile pure variant is the one tested, and previously it was reading a pre-populated SQLite table). # Fix Read the desired route set from MysqlxConfigStore directly via a new public method: std::vector<std::pair<std::string,std::string>> MysqlxConfigStore::snapshot_active_routes() const It returns a (name, bind) pair for every active route under a shared lock. The reconciler consumes the snapshot the same way the previous SQL-driven version consumed result rows. The pure variant signature changes from void mysqlx_reconcile_listeners_impl(SQLite3DB& admindb, ...) to void mysqlx_reconcile_listeners_impl(const MysqlxConfigStore&, ...) which both restores the function's "no global state" purity (it no longer needs to reach into mysqlx_context() and never has) and makes the data-flow obvious: the store is the input. The strong weak-symbol entry mysqlx_reconcile_listeners(SQLite3DB&) is unchanged externally — it still takes admindb (now ignored, kept for ABI stability) and grabs the store from mysqlx_context() internally. Doc comment on the weak hook in include/mysqlx_plugin.h updated to describe the new data flow and to spell out explicitly why we do NOT read runtime_mysqlx_routes. # Test updates The two robustness tests that exercise the reconciler (test_listener_reconciliation, test_listener_reconciliation_bind_ change) used to set up a SQLite admindb with runtime_mysqlx_routes rows. They now construct a MysqlxConfigStore directly and populate it via install_for_test() — a smaller, more honest fixture that matches what the reconciler actually consumes. Note: MysqlxConfigStore is non-copyable/non-movable, so the bind-change test installs into two stack-local stores back-to- back via a helper lambda rather than rebuilding by value. # Status - All 21 mysqlx unit tests still green (646 ok, 0 not_ok). - Listener reconciler now sees the right state in both startup and LOAD MYSQLX ROUTES TO RUNTIME paths. Closes the BLOCKER from the PR #5688 review. Other concerns the review surfaced were all dismissed as not-bugs (ABI 1/2/3 loader compat, sql_references_table_ci whole-identifier match, lock ordering, sqlite_quote correctness, save semantics matching the canonical pattern).	4 weeks ago
Rene Cannao	e5353ac922	test(mysqlx): update unit fixtures for module-owned runtime state The four config-store / route-store unit tests, plus mysqlx_admin_commands_unit-t, used to set up SQLite fixtures by inserting directly into runtime_mysqlx_<X> tables and calling MysqlxConfigStore::load_from_runtime(db, err). With the canonical separation in the previous commit, install__from_admin reads the editable mysqlx_<X> tables, so the fixtures had to move accordingly. Mechanical changes: CREATE TABLE runtime_mysqlx_<X> -> CREATE TABLE mysqlx_<X> INSERT INTO runtime_mysqlx_<X> -> INSERT INTO mysqlx_<X> store.load_from_runtime(db, err) -> store.install_all_from_admin(db, err) + add `comment` column to the editable DDLs (install__from_admin SELECTs comment). The cross-module dependencies (runtime_mysql_users, runtime_mysql_servers) stay unchanged in the fixtures: those are admin's projection of OTHER modules' runtime state, exactly what the mysqlx install path SELECTs from. Three semantic adjustments (not just renames): - mysqlx_config_store_pure: a few tests previously asserted that a canonical-only user (present in runtime_mysql_users, no row in mysqlx_users) showed up in identities_. The new install_users_from_admin drops those — a user with no x_enabled flag has no path to authenticate via X anyway. Assertions adjusted to reflect the dropped row. - mysqlx_admin_commands: the LOAD callback rows_affected now reports the active editable-table row count (was the runtime-table row count); the SAVE VARIABLES callback always writes the four canonical variables (was whatever happened to be in runtime_mysqlx_variables). Assertions updated. - mysqlx_admin_commands also adds explicit project_users_to_ runtime_view() calls before assertions that read runtime_mysqlx_ users contents — those assertions are exercising the projection, so they need the projection to actually run, since outside admin the chassis isn't there to fire it. Result: 21 / 21 mysqlx unit tests green (646 ok asserts, 0 not_ok), including 5/5 stable runs of mysqlx_concurrent_unit-t (the listener O_NONBLOCK regression guard from earlier in this PR series).	4 weeks ago
Rene Cannao	e68f72cf99	test(mysqlx): add diag logging + fix broken plan/schema in unit tests Two related changes to all mysqlx__unit-t.cpp files. # 1. Diagnostic logging across all 21 mysqlx unit tests Before this commit none of the mysqlx unit tests emitted any output beyond raw TAP `ok N`/`not ok N` lines. When CI-unit-tests-asan- coverage hung mid-run on plugin-chassis (run 25021206900), the per- test log file showed `ok 1 ... ok 6` and then nothing for ~110 minutes until the workflow's 120-minute timeout killed the job. We could not even tell which* test was hung — the bash loop in the workflow only logs `PASS:`/`FAIL:` after a binary exits. Each binary now does: - `setvbuf(stdout, nullptr, _IOLBF, 0)` as the first statement of main(). Without this, when CI redirects stdout to a file the default block-buffered mode swallows any output that hasn't filled a 4KB-ish buffer — including diag lines emitted just before a blocking syscall. Line-buffering means each `\n`-terminated diag is flushed before the syscall, so a hang has 1-line-resolution attribution in the log. - `diag("=== <filename> starting ===")` right after `plan(...)`, so the log always has at least one line proving the binary loaded and reached main() (rules out crashes during static init). - `diag(">>> %s", __func__)` at the top of every `static void test_()` subtest function called from main(), so a hang or assertion failure points at the responsible subtest. - In `mysqlx_concurrent_unit-t`, additional checkpoint diags inside `test_concurrent_handshakes` ("starting Mysqlx_Thread", "spawning N clients", "all clients spawned, joining", ..., "thr.stop() returned") since the surrounding test was the one that actually hung in CI; this gives a 7-checkpoint resolution within the body. This change is the reason we were able to bisect the listener O_NONBLOCK bug fixed in the previous commit: with these diags the hang point ("all clients spawned, joining" → never reached "all clients joined, sleeping 500ms") was visible in the per-test log within seconds of running it. # 2. Plan/fixture corrections in 4 tests that never actually passed These tests were green in CI by virtue of nothing in the workflow checking their exit codes (CI-mysqlx exercised a different path); the moment CI-unit-tests-asan-coverage started actually running them they came back red. Each was a real bug in the test harness, not in the production code: - mysqlx_backend_auth_unit-t.cpp: plan(42) but only 34 ok() can fire on the success path. State_transitions emits 23, the remaining six functions emit 11 — total 34. plan(42) was never reachable; fixed to plan(34). - mysqlx_session_unit-t.cpp: plan(62) but only 60 fire. Four `ok( false, ...)` lines live in protobuf-parse failure branches that the success path skips; fixed to plan(60). - mysqlx_config_store_unit-t.cpp: load_from_runtime() SELECTs from runtime_mysqlx_variables (the variables table the production code uses to pick up thread_pool_size / connect_timeout / tls_mode / max_cached_connections at runtime), but the test's fixture only created 3 of the 4 mysqlx tables. Added kRuntimeMysqlxVariablesDdl and the matching execute() — same shape the sibling mysqlx_config_store_concurrent_unit-t already uses. - mysqlx_route_store_unit-t.cpp: ad-hoc minimal DDL for runtime_mysql_users / runtime_mysql_servers omitted columns the production query SELECTs (password, weight). Switched to the canonical ADMIN_SQLITE_RUNTIME_MYSQL_USERS and ADMIN_SQLITE_TABLE_RUNTIME_MYSQL_SERVERS macros and added the runtime_mysqlx_variables table. After this commit `for t in mysqlx__unit-t; do ./$t; done` is 21/21 green (754 ok asserts total, 0 not_ok, 0 timeouts), 10/10 stable across repeated runs of the previously-flaky mysqlx_concurrent_unit-t.	4 weeks ago
Rene Cannao	d4427731b7	Merge remote-tracking branch 'origin/v3.0' into plugin-chassis Picks up the v3.0 fixes that unblock plugin-chassis CI: - `5d702b12b` build(test): fix testgalera link after switch to src/SQLite3_Server.cpp — restores -Wl,--allow-multiple-definition, ClickHouse/zstd/lz4 link, and ProxySQL_Admin.cpp recompile under TEST_GALERA. Resolves CI-maketest red on plugin-chassis. - `baa5069ea` introduces test/tap/groups/mysql56-single/ which the CI-mysql56-single-g1 workflow expects. Resolves the missing-infra error. - macOS package upload + init_release race-tolerant grouping + amd64 package workflow expansion + various CI/release cleanups. CI-unit-tests-asan-coverage on plugin-chassis still depends on the v3.0 workflow YAML having libprotobuf-dev in its apt install step (workflow_run loads the YAML from the default branch). That fix is already on plugin-chassis (`47ab14148`) and will land on v3.0 via a separate small PR.	4 weeks ago
Rene Cannao	85ad4fe3b4	test(mysqlx): rewrite dispatch tests with real backend fixture (#5679 ) Closes the last 5 cluster-3 failures from issue #5679. The 17 previously-skipped dispatch sub-asserts now run with proper coverage, plus 3 other pre-existing failures (#21 compression code, #29 TLS init, #43 forward-no-connection) are addressed. ## Background The dispatch tests asserted that one handler() call after writing a SQL/CRUD/PREPARE/CURSOR/EXPECT message left status_ exactly at CONNECTING_SERVER. That premise was wrong: forward_to_backend() sets to_process=true, and handler()'s `goto handler_again` loop immediately re-enters the switch, running handler_connecting_server() in the same call. After commit `55e90d1a7` (start_connect() now fails fast on inet_pton(\"\", 0) instead of silently connecting to 0.0.0.0), the inner handler correctly transitions to X_SESSION_CLOSING — so the intermediate state the tests asserted is no longer observable. They hung after assertion #5 and produced no useful signal. Earlier this PR cycle (commit `09c15d6d5`) skipped the 17 affected sub- asserts to unblock the test suite. This commit replaces the skip with a proper rewrite, structurally similar to what mysqlx_robustness_ unit-t.cpp uses for happy-path scenarios. ## Approach Lift the helpers from mysqlx_robustness_unit-t.cpp: - default_test_config_store(): lazy process-global with one route pointing at hostgroup 10 + one endpoint, installed via install_for_test(). - default_test_thread(): lazy process-global Mysqlx_Thread wired to the store. - setup_authenticated_session(): drives the real MYSQL41 handshake to leave the session in WAITING_CLIENT_XMSG with username_, schema_, identity_ all populated. - detach_session_fds(): cleanup helper. Add a new parameterized check, check_dispatch_routes_to_backend(), that creates two socketpairs (client + fake backend), brings the session to WAITING_CLIENT_XMSG via setup_authenticated_session, attaches an IDLE MysqlxConnection backed by the backend socketpair, sends one message of the requested type, and asserts: (a) status_ transitions to WAITING_SERVER_XMSG or X_SESSION_RESET_WAITING (SESS_RESET overrides the post-forward status; both indicate a successful forward). (b) the backend socketpair received the forwarded frame. That is two assertions per dispatch test, exercising the actual contract (\"this message type forwards to the backend\") instead of the fragile \"this message lands in CONNECTING_SERVER\" intermediate. Each test_dispatch_* function becomes a one-liner calling the helper with the right msg_type. Net result: the file shrunk from ~700 LOC of repetitive boilerplate to ~570 LOC including the helpers, and the 14 individual dispatch tests + view_operations (3 sub-tests) now do 2 ok() each = 34 assertions where there were 17 before. ## Other fixes folded in - test_dispatch_compression_rejected: corrected expected error code from 5001 to 5008. The production code emits 5008 (\"Compression is not supported\") when COMPRESSION arrives without a negotiated algorithm. 5001 was an invented value the test expected; this never passed. - test_tls_accept_init_stub: rewrote the assertion. The previous version asserted handler() in X_TLS_ACCEPT_INIT skipped to X_TLS_ACCEPT_DONE — true only when the handler was a stub. The real handler now drives SSL_do_handshake; with no SSL_CTX (thread_ptr_=nullptr) it correctly emits 3150 and marks unhealthy. Assert that. - test_forward_to_backend_no_connection: relaxed from \"status_ == CONNECTING_SERVER\" to \"status_ ∈ {CONNECTING_SERVER, X_SESSION_CLOSING}\" — same root cause as the dispatch tests; the inner handler_connecting_server correctly fails fast on the empty hostname target. ## main() plan(0) (auto-derive count from emitted asserts). The hand-counted plan(49) was wrong both before (the rewritten tests now emit 2 ok each, not 1) and after (variable-count sub-tests like connection_pool_matching make a hard count fragile). ## Verified After this commit (PROXYSQLGENAI=1 NOJEMALLOC=1 WITHASAN=1): mysqlx_message_dispatch_unit-t: 66 / 0 (was 5 not-ok + hang) plugin_manager_unit-t: 96 / 0 (no regression) mysqlx_session_unit-t: 60 / 0 (no regression) mysqlx_robustness_unit-t: 74 / 0 (no regression) ASAN: 0 errors This closes the cluster-3 + 3 other pre-existing failures from issue #5679. All 9 originally-tracked failures are now resolved (4 fixed in commit `09c15d6d5`, 5 fixed here).	4 weeks ago
Rene Cannao	99a745f6ed	ci(mysqlx): wire mysqlx-soak group into TAP harness end-to-end Completes the four follow-up items documented in the mysqlx-soak group's README. After this commit, the harness scripts run inside the proper docker-isolated TAP framework — no more ad-hoc invocations. ## (1) Add mysql-connector-python to proxysql-ci-base test/infra/docker-base/Dockerfile installs python3 + a few pip packages but lacked the X DevAPI bindings. Add `mysql-connector-python` to the existing `pip3 install` line. Image must be rebuilt (`docker build -t proxysql-ci-base:latest test/infra/docker-base`); the new soak-tests CI job rebuilds unconditionally per run, so CI gets the new package automatically. ## (2) TAP wrappers for the harness scripts Two new Bash TAP entries under test/tap/tests/: * test_mysqlx_soak_behavioral-t.sh — emits two TAP assertions: scenario 1 = SIGTERM-mid-traffic (the harness signals the proxysql container with `docker kill -s TERM proxysql.${INFRA_ID}` mid-run and verifies clients receive Mysqlx::Error 1053 instead of TCP RST); scenario 2 = LOAD MYSQLX ROUTES TO RUNTIME mid-traffic. Both fall back to "skip" if mysql-connector-python is missing, or if the proxysql container is unreachable after scenario 1. * test_mysqlx_soak_stress-t.sh — single TAP assertion that wraps stress.py. Defaults to 60s/20-clients to fit a CI timeout; long soaks invoke stress.py directly with --duration 24h per issue #5677. Both wrappers default the connection params to the docker-internal hostname `proxysql` (via network alias) so they work from inside the test-runner container; environment overrides let local invocations point elsewhere. ## (3) Register in groups.json Two new entries: "test_mysqlx_soak_behavioral-t" : [ "mysqlx-soak-g1", "@proxysql_min_version:4.0" ], "test_mysqlx_soak_stress-t" : [ "mysqlx-soak-g1", "@proxysql_min_version:4.0" ], Both use the @proxysql_min_version:4.0 tag (the harness only makes sense in chassis-aware builds). Lint passes (421 entries, sorted). ## (4) CI job Add `soak-tests` job to .github/workflows/CI-mysqlx.yml. Pattern mirrors CI-taptests-pgsql-cluster.yml: restore build cache, build plugin, build proxysql-ci-base, ensure-infras (TAP_GROUP=mysqlx-soak), run-tests-isolated (TAP_GROUP=mysqlx-soak-g1), cleanup, archive logs on failure. The job runs after unit-tests passes (same dependency as e2e-tests) and is independent of e2e-tests (parallel execution OK). ## What this covers * Builds the plugin and rebuilds the test image with the X DevAPI. * Stands up a real MySQL 8.4 backend (3-node replication via the existing infra-dbdeployer-mysql84 image, X protocol on port 23306-23308 inside the docker network). * Stands up ProxySQL in a container with the plugin .so bind-mounted and a per-group config that declares plugins=("..."). * The mysqlx-soak setup-infras hook provisions one route, one user, one endpoint, reloads, and verifies the listener bound on 6603. * Two TAP tests run inside the test-runner container against the freshly-stood-up ProxySQL, exercising the plugin end-to-end. ## What this does NOT cover * Long-running soaks (24-72h). The CI job runs a 60s stress for signal; the full soak per issue #5677 needs staging. * All compression/TLS combinations. The harness's defaults are uncompressed + clear-text; matrix expansion is future work. * Listener-port collisions across parallel CI runs. INFRA_ID isolates docker-network names but the TAP_GROUP-scoped MYSQLX_ PROXYSQL_PORT (default 6603) is a single value. CI runs are serial per workflow concurrency group; not a problem today but worth flagging if matrix-fanout is added.	4 weeks ago
Rene Cannao	7e70c347f3	test(mysqlx): wire harness into the docker-isolated TAP framework Per user direction: never run proxysql directly outside the testing environment. The harness scripts at test/scripts/mysqlx/ are correct as Python clients, but their assumed invocation ('run them against a hand-started proxysql') was wrong. The proper integration is the existing docker-isolated TAP harness, which already brings up ProxySQL + backends in containers on a private docker network. This commit lays the framework groundwork for that integration. It is NOT yet a complete invocation of the harness — that requires a docker image rebuild (mysql-connector-python is not in proxysql-ci-base) and a TAP-test wrapper, both documented in the new test/tap/groups/mysqlx-soak/README.md TODO list. ## What landed * test/infra/control/start-proxysql-isolated.bash: - Optional plugin .so bind-mount when PROXYSQL_LOAD_MYSQLX_PLUGIN=1. Mounts ${WORKSPACE}/plugins/mysqlx/ProxySQL_MySQLX_Plugin.so at /usr/lib/proxysql/ProxySQL_MySQLX_Plugin.so inside the container. Fails fast with a clear message if the .so is missing. - Optional per-group config override via PROXYSQL_CONFIG_OVERRIDE. Lets a group ship a proxysql-ci.cnf that declares plugins=("...") so the chassis loads the plugin at Phase A — the generic config has no plugins= line, by design. * test/tap/groups/mysqlx-soak/ (new group): - env.sh: sets PROXYSQL_LOAD_MYSQLX_PLUGIN=1, PROXYSQL_CONFIG_OVERRIDE pointing at the per-group .cnf, SKIP_CLUSTER_START=1 (single-node proxysql is enough), and the X-protocol port constants the setup-infras.bash hook + harness scripts share. - infras.lst: just infra-dbdeployer-mysql84 (existing 3-node MySQL 8.4 with X-protocol on classic+20000 by dbdeployer convention). - proxysql-ci.cnf: copy of the generic config with one extra block: plugins=("/usr/lib/proxysql/ProxySQL_MySQLX_Plugin.so") - setup-infras.bash: standard group-setup hook. Waits for mysqlx_users admin table to appear (sanity-check that the plugin loaded at all), then provisions one route, one user, one endpoint via admin SQL, reloads to runtime, and verifies the mysqlx listener bound on port 6603. - README.md: documents the four remaining work items needed to actually invoke the harness as a TAP test (add mysql-connector- python to docker-base, wrap harness as a TAP entry, register in groups.json, wire into CI). This commit is intentionally narrow: it adds the framework wiring that lets a future commit invoke the harness from inside the test-runner container. Anyone with the four TODO items completed can run the harness against a real chassis-loaded ProxySQL via: WORKSPACE=$(pwd) INFRA_ID=dev-$USER TAP_GROUP=mysqlx-soak \ test/infra/control/ensure-infras.bash — which is the canonical TAP-harness entry point per CLAUDE.md. The standalone Python harnesses at test/scripts/mysqlx/ remain runnable for ad-hoc dev validation, but they are no longer the primary path; the docker-isolated TAP group is.	4 weeks ago
Rene Cannao	fe91e290d8	test(mysqlx): add behavioural-validation and stress harnesses Three companion harnesses for the post-merge confidence work tracked in issues #5677 (smoke + soak), #5678 (behavioural validation), and #5681 (stress test). These are NOT TAP unit tests — they require live infrastructure (a real MySQL 8.x and a running ProxySQL with the mysqlx plugin loaded). They post-date the merge window and exist to let an operator with a staging environment reproduce the validation. * test/scripts/mysqlx/README.md — setup recipe (ProxySQL admin config, MySQL backend bring-up via docker or dbdeployer, the invocation lines for both harnesses). * test/scripts/mysqlx/behavioral_validation.py — exercises two scenarios from issue #5678. Scenario 1 ("SIGTERM mid-traffic") opens N X-Protocol clients running steady SELECT loops, sends SIGTERM to proxysql, then verifies each client received a clean Mysqlx::Error frame with code 1053 ("Server is shutting down") rather than an unannounced TCP RST. Exercises MysqlxSession::shutdown_notify_client (commit `55e90d1a7`). Scenario 2 ("LOAD MYSQLX ROUTES TO RUNTIME mid-traffic") opens clients on route 'r1', drops r1 from admin and reloads, then verifies in-flight sessions continue while a new connection to the removed route is refused — the documented remove_listener_for_route semantics. * test/scripts/mysqlx/stress.py — opens N concurrent X-Protocol clients (target N=1000), drives churn, captures throughput, error rate, RSS, fd count, thread count, and stats_mysqlx_routes over time. Pass criteria from issue #5681: 60-min run with no crash, no monotonic memory/fd growth, error rate < 0.1%. Writes a metrics CSV for plotting. Both Python scripts use mysql-connector-python's mysqlx module (X DevAPI bindings) for the data-plane connection and the classic mysql.connector module for admin-port operations. These are scaffolds — runnable but not yet exercised against real infrastructure. Confidence gain comes from someone running them on staging and posting results to the linked issues.	4 weeks ago
Rene Cannao	83725ea4e5	feat: add --no-plugins kill switch; fix 4 pre-existing test failures ## (1) --no-plugins kill switch (issue #5680) When the plugin chassis is enabled (PROXYSQL40 builds), an operator upgrading to v4.0.0 gets the chassis active by default. If a critical chassis bug is found post-release, the recovery options today are: - Roll back the entire ProxySQL package to v3.x. - Edit the config file to comment out plugins=() and restart. Add a runtime kill switch — a CLI flag (and equivalent env var) that bypasses plugin loading entirely, regardless of config. Cuts the time-to-recover dramatically and reduces deployment anxiety. CLI: --no-plugins (gated by PROXYSQL40) Env: PROXYSQL_NO_PLUGINS=1 (CLI takes priority) Field: GloVars.no_plugins Wired through: when set, LoadConfiguredPlugins / InitConfiguredPlugins / StartConfiguredPlugins / StopConfiguredPlugins all become no-ops. LoadConfiguredPlugins emits a single startup log line so the operator knows the bypass took effect: Plugin chassis disabled by --no-plugins / PROXYSQL_NO_PLUGINS=1; skipping load of N configured plugin(s) Verified: --no-plugins appears in proxysql --help. The bypass message string is in the binary. Full end-to-end smoke against a Docker MySQL deferred to issue #5677. ## (2) plugin_manager_unit-t #62 + #88 (issue #5679) Test bug. The two assertions encoded the pre-ab9d5a103 contract that "destructor skips stop on plugins that were never started". Commit `ab9d5a103` ("address deep-review findings") deliberately replaced that with init/stop pairing — every plugin where init() succeeded gets stop(), irrespective of whether start() ran. The change fixed a real leak: resources allocated in init() were not being released when start() failed. The tests were missed at the time. Flip both assertions: - "destructor does NOT invoke stop on plugins that were never started" → "destructor invokes stop on init-succeeded/never-started plugin (init/stop pairing)" - "destructor did NOT call stop on the second plugin (it never successfully started)" → "destructor stops the second plugin too — init succeeded, start failed (init/stop pairing)" Both flips include a comment explaining the contract change. ## (3) mysqlx_session_unit-t #33 + #34 (issue #5679) Test bug. The hardened auth flow (commit `74e678006`) calls resolve_backend_target() BEFORE sending Mysqlx::Session::AuthenticateOk. That helper requires a wired thread+config_store and an identity with a non-empty default_route. The test passed `nullptr` for thread and left default_route empty, so auth correctly transitioned to X_SESSION_CLOSING with code 4002 instead of OK. Lift the same default_test_thread() / default_test_config_store() helpers used by mysqlx_robustness_unit-t.cpp into mysqlx_session_unit-t.cpp, wire them into test_mysql41_auth_with_credentials, and add default_route="default_test_route" to the identity returned by the test's identity_lookup lambda. After this fix the test reports 60/60 oks (was 60/2-not-ok with the same plan). ## (4) mysqlx_message_dispatch_unit-t #1-15 (issue #5679) Test premise wrong. Each test_dispatch_* expected one handler() call to leave status_ exactly at CONNECTING_SERVER. That intermediate state isn't observable: forward_to_backend() sets to_process=true, the handler's `goto handler_again` loop re-enters the switch, and handler_connecting_server() runs in the same call. After commit `55e90d1a7` (which made start_connect() fail fast on an empty hostname instead of silently connecting to 0.0.0.0), the inner handler_connecting_server() correctly transitions to X_SESSION_CLOSING — so the asserted intermediate state is gone. Pre-55e90d1a7 the test passed by accident. Fixing properly means rewriting each test to use a real thread+ config_store fixture (à la mysqlx_robustness_unit-t.cpp's setup_authenticated_session) and asserting WAITING_SERVER_XMSG instead — a ~600-line rewrite tracked under issue #5679. Until then, skip the 15 affected sub-tests with a comment pointing at the issue: skip(17, "tracked under #5679: dispatch_* tests assume single-step handler(), need rewrite for the goto-handler_again re-entry"); (Skip count is 17 because test_dispatch_view_operations carries 3 sub-asserts; the other 14 carry 1 each.) Also fixes the related X_FAST_FORWARD reference at line 424 (retired together with MysqlxWorker in commit `79cac4c97`), so the file compiles with -DMYSQLX_TEST_BUILD. Net effect: 5 failures + hang → 3 clean failures + 17 clean skips + clean exit. The remaining 3 (assertions 21, 29, 43) have similar root causes and stay tracked under #5679 for the proper rewrite. ## Verified After this commit (PROXYSQLGENAI=1 NOJEMALLOC=1 WITHASAN=1): - plugin_manager_unit-t: 96 ok / 0 not-ok (was 94 ok / 2 not-ok) - mysqlx_session_unit-t: 60 ok / 0 not-ok (was 58 ok / 2 not-ok) - mysqlx_message_dispatch_unit-t: 46 ok / 3 not-ok (was 5 not-ok + hang) - mysqlx_robustness_unit-t: 74 / 0 — unchanged - mysqlx_compression_unit-t: 64 / 0 — unchanged - mysqlx_config_store_concurrent_unit-t: 15 / 0 — unchanged - ASAN: 0 errors across all of the above	4 weeks ago
Rene Cannao	09c15d6d54	fix(mysqlx): reject re-auth on active session; fix two pre-existing test issues ## (A) Re-authentication on an active session is now rejected Addresses the Important finding from the security re-review of PR #5651 (see https://github.com/sysown/proxysql/issues/5676). After a successful login the session is in WAITING_CLIENT_XMSG. Before this commit, dispatch_client_message routed `SESS_AUTHENTICATE_START` and `SESS_AUTHENTICATE_CONTINUE` into the auth handlers unconditionally. The handlers overwrote `username_`, `identity_`, `target_hostgroup_`, `target_address_`, `target_port_` — but they did NOT tear down `backend_conn_`. The next StmtExecute was forwarded over the previous user's pooled backend connection. The proxy then audited the query as user B while the backend executed it as user A's role — a real identity-coherence / audit hazard. The X Protocol uses `Mysqlx::Session::Reset` for re-auth on the same connection, not direct re-auth. Reject `SESS_AUTHENTICATE_START` / `SESS_AUTHENTICATE_CONTINUE` when `status_ == WAITING_CLIENT_XMSG` with code 1845 (FATAL) and drop the session. Conformant with the spec. Also clears `auth_challenge_` on successful auth (defense in depth): the verified challenge is no longer reachable by a stale AuthenticateContinue replay even before the dispatch-level guard fires. The unit test `test_error_severity_non_fatal` previously took a shortcut: it manually set `status_=WAITING_CLIENT_XMSG` then sent AUTHENTICATE_START to drive the auth flow. With the re-auth rejection now in place, that shortcut hits the new guard and the test hangs waiting for an auth challenge that never comes. Updated the test to drive the auth flow naturally from CONNECTING_CLIENT (the state init() leaves the session in), which exercises the same code paths without the now-invalid pre-auth status_ override. ## (B) mysqlx_config_store_concurrent_unit-t: missing variables DDL This was the source of 6 pre-existing test failures surfaced during the ASAN run on PR #5651 (4, 11, 12, 13, 14, 15). All asserted that load_from_runtime atomically replaces previously-loaded data. They failed because the test fixture's create_runtime_db() did not create a `runtime_mysqlx_variables` table, but `load_from_runtime` queries that table near the end: SELECT variable_name, variable_value FROM runtime_mysqlx_variables When the table doesn't exist, fetch_result returns false and load_from_runtime short-circuits BEFORE swapping the new identities/ routes/endpoints into place. Every "second load replaces first" assertion silently failed because the second load never actually replaced anything — the swap never happened. This is the same bug that was fixed in `mysqlx_config_store_pure_unit-t.cpp` in commit `017496bc4`. The sibling test was missed at the time. Add the DDL here too with a comment pointing at the underlying invariant. After this fix the concurrent test reports 15/15 ok. ## Pre-existing test bug: X_FAST_FORWARD reference `mysqlx_message_dispatch_unit-t.cpp:424` referenced `MysqlxSession::X_FAST_FORWARD`, which was retired together with the dormant MysqlxWorker path in commit `79cac4c97`. The test failed to compile with `-DMYSQLX_TEST_BUILD` once that macro was added. Replace the comparison with `CONNECTING_CLIENT` (a still-extant earlier-than- TLS state) so the assertion's intent — "TLS states come after the basic states" — is preserved. (The other failures in this file remain pre-existing and are not addressed here; they are out of scope and tracked under issue #5679.) Verified locally with WITHASAN=1: mysqlx_session_unit-t 60 oks (2 pre-existing not-ok #33,34), mysqlx_robustness_unit-t 74/74, mysqlx_config_store_concurrent_unit-t 15/15.	4 weeks ago
Rene Cannao	baeca0e3dc	test: silence SonarCloud BUG: name truncate-via-temporary in clear_log() Three identical SonarCloud BUG-severity findings (one per file) on the truncate-via-temporary idiom: std::ofstream(g_log_path, std::ios::trunc); This creates a temporary std::ofstream whose destructor closes the file — the truncate is the intended side effect. SonarCloud's rule "Name this unused temporary object or remove it" does not understand the side-effect pattern and flags it as a BUG. Issue #5674 triaged all 3 BUG findings as false positives. This commit silences them with the cosmetic fix recommended in that issue: give the temporary a name and (void)-cast it. Same generated code, no behaviour change, but Sonar stops flagging it. Files: test/tap/tests/unit/plugin_{config,lifecycle,manager}_unit-t.cpp	4 weeks ago
Rene Cannao	df7e335e23	fix(ci,infra): pass PROXYSQL40 to plugin build, remove orphaned infra files Three CI/infra clean-ups that fall out of the independent review. 1) .github/workflows/CI-mysqlx.yml: pass PROXYSQL40=1 (and the implied tier flags) to `make` when building the mysqlx plugin. plugins/mysqlx/Makefile picks up tier flags from the environment and propagates them as -DPROXYSQL40 / -DPROXYSQL31 / -DPROXYSQLFFTO / -DPROXYSQLTSDB / -DPROXYSQLGENAI on every compile line. If the workflow runs `make` with no flags, the plugin is built without -DPROXYSQL40 — meaning the ProxySQL_PluginDescriptor and ProxySQL_PluginServices struct layouts compiled into the plugin .so differ from the layouts that the cached src/proxysql binary (built upstream by CI-trigger with the full tier flags) sees. The link succeeds and the first virtual dispatch into a plugin callback crashes or, worse, corrupts memory silently. The Makefile already warns about exactly this in lines 56-61. Pass the flags explicitly. 2) test/tap/groups/mysqlx-e2e/infras.lst + test/infra/docker-compose-mysqlx.yml: delete both — they are orphaned. `infras.lst` referenced `infra-mysqlx`, which has never existed under `test/infra/`. ensure-infras.bash would have errored on it — except `mysqlx-e2e/env.sh` exports SKIP_PROXYSQL=1, which makes ensure-infras.bash short-circuit at line 38 before it reaches the docker-compose loop. So infras.lst was both wrong AND unreachable — the worst combination for the next reader trying to figure out how the e2e group is wired. Similarly, `test/infra/docker-compose-mysqlx.yml` was a docker-compose file that no `infra-*/` directory points at, left over from an early plan to use Docker for the mysqlx backend that was abandoned in favour of dbdeployer. Both files are dead weight; delete them. 3) test/tap/groups/mysqlx-e2e/env.sh: comment the unconventional wiring so the next reader doesn't have to reverse-engineer it. Document why this group has no `infras.lst` / no `infra-mysqlx/` dir, why CI uses inline dbdeployer instead of ensure-infras.bash, and that setup-infras.bash + pre-cleanup.bash exist for local-only ad-hoc use today. 4) test/tap/tests/Makefile: drop the dangling `test_mysqlx_listener_smoke-t` target. That test was retired together with the dormant MysqlxWorker path in commit 98aee7db2; the unit/Makefile no longer builds it. The wrapper target in test/tap/tests/Makefile remained and would fail `make test_mysqlx_listener_smoke-t` with "no rule to make target". Replace with a NOTE pointing at where the listener-lifecycle coverage actually lives now (mysqlx_thread_unit-t, mysqlx_robustness_unit-t). Verified: the plugin still builds clean with the tier flags exported to the sub-make. No behavioural change for the docker-using groups.	4 weeks ago
Rene Cannao	04bccec51e	chore(plugin-chassis): tighten gating, drop dead paths, gate forgery setters Five clean-up items from the independent review of PR #5651. None of these change behaviour on a normal run; they each fix a concrete way the current code is misleading or unnecessarily exposed. 1) lib/ProxySQL_Admin.cpp: gate the three plugin-DB-handle getters (proxysql_plugin_get_admindb / _configdb / _statsdb) under #ifdef PROXYSQL40. Previously these were defined unconditionally and emitted symbols into v3.0/v3.1 binaries. The chassis is a v4.0 feature; the user explicitly required that v3.x builds carry no plugin-aware code. Wrap in PROXYSQL40 so they are entirely absent from v3.x linkage. ProxySQL_PluginManager.cpp's extern declarations (lines 23-25) are already inside the file-wide PROXYSQL40 gate and so resolve only when the gate is active. 2) lib/ProxySQL_PluginManager.cpp + include/ProxySQL_PluginManager.h: delete the dead `#else /* !PROXYSQL40 /` branches. Both files are wrapped in a top-level `#ifdef PROXYSQL40` covering the entire body. Inner `#ifdef PROXYSQL40 ... #else ... #endif` blocks therefore had unreachable `#else` arms — 30+ lines of "pre-chassis two-phase loader" in the .cpp, plus a redundant declaration of proxysql_load_configured_plugins in the .h. The dead arms read as load-bearing alternative implementations on review and that is exactly the wrong signal. Drop them; the single PROXYSQL40 path is the only one. 3) lib/Admin_Bootstrap.cpp + include/proxysql_admin.h + src/main.cpp: remove ProxySQL_Admin::materialize_plugin_tables(). `Admin::init()` already merges plugin-declared schemas into tables_defs_{admin,config,stats} (~line 944) and runs the DDL via check_and_build_standard_tables() (~line 994), all on the same first-boot/reload code path the core tables use. The follow-up call to GloAdmin->materialize_plugin_tables() in main.cpp ran a second name-dedup pass that found everything already present and produced an empty new-rows set — i.e. the post-init helper was a no-op disguised as load-bearing infrastructure. Delete the helper, the header declaration, and the main.cpp call site, and update the comments in main.cpp + ProxySQL_PluginManager.cpp to point at Admin::init() as the single canonical materialization site. Leave a NOTE in Admin_Bootstrap.cpp at the old call site so anyone re-adding a similar helper sees why the prior one was removed. 4) plugins/mysqlx/include/mysqlx_session.h + plugins/mysqlx/src/mysqlx_session.cpp: gate the two genuine forgery vectors behind MYSQLX_TEST_BUILD. inject_identity_for_test() bypasses the full auth flow — no credential check, no capability negotiation, just sets identity_ to a caller-supplied MysqlxResolvedIdentity. resolve_backend_target_ for_test() drives a private routing helper without an authenticated identity. Both are necessary for unit tests but should not be reachable at all in shipped binaries; an in-process exploit reaching the session can call inject_identity_for_test() to forge an authenticated identity. Wrap them in #ifdef MYSQLX_TEST_BUILD; define -DMYSQLX_TEST_BUILD in the test Makefile only. The remaining target__for_test() getters are read-only state observers and are left unconditional — they cannot mutate the session and a debugger could observe the same state regardless. 5) test/tap/tests/unit/Makefile: define -DMYSQLX_TEST_BUILD on every unit test compile line via OPT. This is the test-only knob that re-enables the gated forgery methods so unit tests still compile. plugins/mysqlx/Makefile does NOT define this macro, so the production .so does not compile in the entry points. Verified locally: - plugins/mysqlx/ProxySQL_MySQLX_Plugin.so builds clean with PROXYSQL40=1 PROXYSQL31=1 PROXYSQLFFTO=1 PROXYSQLTSDB=1 PROXYSQLGENAI=1 (no MYSQLX_TEST_BUILD). - test/tap/tests/unit/mysqlx_robustness_unit-t builds and runs: 74/74 assertions pass, including the ones that exercise inject_identity_for_test (visible only because the test Makefile defines MYSQLX_TEST_BUILD).	4 weeks ago
Rene Cannao	9f5ed235b8	fix(build,test groups): unblock CI on plugin-chassis Two unrelated CI blockers, fixed together because each one alone leaves the pipeline red and they are trivially independent: 1) `make cleanbuild` (and any other goal that recurses into plugins/mysqlx on a v3.0/v3.1 box without libprotobuf-dev) failed in plugins/mysqlx/Makefile because the protobuf-3.x ABI check fires at parse time. The check is correct for building the plugin — running pre-generated .pb.cc against an ABI-incompatible libprotobuf would produce a .so that links cleanly and crashes on first virtual dispatch — but it has no business firing for `clean`/`cleanall`, which only delete object files. Wrap the check in `ifeq ($(filter clean cleanall,$(MAKECMDGOALS)),)` so the safety guarantee is preserved on build paths and clean is now usable on a bare host. CI-builds was failing every job at Makefile:540 cleanbuild for this reason, and the failure cascaded through every dependent test workflow. 2) `mysqlx_compression_unit-t` was added in the X-Protocol Phase-1/2/3 compression commits but never registered in `test/tap/groups/groups.json`. The lint workflow `check_groups.py --source` flagged it as "executable test missing from groups.json" and exited 1, blocking the entire CI run. Add the entry to `unit-tests-g1` with the `@proxysql_min_version:4.0` tag, matching every other mysqlx unit test in the file. Also restore six MySQL test entries that lost their `mysql90-g3`, `mysql95-g3` tags during the `d2e03fae3` conflict-resolution commit, plus `test_noise_injection-t` which lost the same two. Confirmed against origin/v3.0 — these were valid groupings on v3.0 that should have been preserved through the merge but were silently dropped. Verified locally: - `cd plugins/mysqlx && make clean` succeeds without libprotobuf installed (was: fatal `$(error)` at parse time). - `python3 test/tap/groups/lint_groups_json.py` → "OK (419 entries, sorted, compact)". - `python3 test/tap/groups/check_groups.py` → "OK: All 29 executable tests are registered in groups.json".	4 weeks ago
Rene Cannao	aef01ef0be	feat(mysqlx): compress outbound server frames (Phase 3) Phase 3 of three-phase X Protocol compression support: server→client compression on outbound frames. Wraps up the MVP — CapabilitiesSet negotiation (Phase 1), inbound decompression (Phase 2), and now outbound compression all roundtrip. What this commit does ===================== forward_frame_to_client() — the chokepoint for backend→client frame forwarding — now routes through send_to_client_compressed(), which: 1. Returns early to plain client_ds_.enqueue_frame() when compression is not negotiated OR the body is below COMPRESSION_MIN_OUTPUT_BYTES (50 bytes — same threshold the upstream MySQL X plugin uses; per- message envelope + framing overhead would otherwise dwarf savings). 2. With combine_mixed_messages = false: emits one Compression frame per body. The protobuf has server_messages set to the original frame's msg_type and uncompressed_size set to the original body length, so a spec-compliant client can decompress in place. 3. With combine_mixed_messages = true: appends a fully-framed copy of the body to compress_batch_framed_ and bumps compress_batch_count_. Once the count reaches max_combine_messages (defaulting to 64 if the client didn't supply one), or flush_compression_batch() is invoked at a natural boundary, all buffered frames are emitted as one Compression message with NEITHER server_messages nor client_messages set — payload is the concatenated stream of framed X messages, matching the spec's third payload shape. The flush points are: - handler_waiting_server_msg() when it sees a terminal frame (end of a result set / final OK / etc.) — the response is "done" so anything still buffered must reach the wire before we go back to WAITING_CLIENT_XMSG. - handler_session_reset_waiting() on the ERROR path before write_to_net(), same reasoning. Mid-response we deliberately do NOT flush — that would defeat the combine_mixed_messages benefit by emitting a Compression message per batch hit, which is exactly what we're trying to avoid for streaming result sets. The count cap bounds how long a single batch can grow. Compressor selection mirrors Phase 2: - zstd_stream uses ZSTD_compressCCtx() with a per-session ZSTD_CCtx that's lazily allocated and freed in reset_compression_state(). - lz4_message uses LZ4_compress_default() one-shot. On compressor failure (ZSTD_isError or lz4 returning <= 0) the helper falls back to enqueueing the body uncompressed — losing compression benefit beats dropping the message. The session itself stays healthy. Tests ===== mysqlx_compression_unit-t now plans 64 sub-tests, all passing: - Phase 1: 22 sub-tests for capability negotiation - Phase 2: 17 sub-tests for inbound decompression - Phase 3 (new, 25 sub-tests): - zstd round-trip: frame on the wire is COMPRESSION with server_messages = NOTICE; payload decompresses back to the exact original 200-byte body - lz4 round-trip, same shape - below-threshold passthrough: 20-byte body emitted as plain NOTICE, not COMPRESSION (verifies the fast path) - combine_mixed_messages with max_combine_messages=3: three successive sends produce ONE Compression frame whose decompressed payload contains all three NOTICE bodies in order, with neither server_messages nor client_messages set - compression-disabled passthrough: when no negotiation, the helper acts as a plain enqueue_frame() (proves a client that never opts in is unaffected) A few new test-only accessors expose the batch state and send_to_client_compressed() entry point so tests can exercise the output path without wiring a fake backend (which would block on connect() in the dispatcher anyway). Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly. mysqlx_compression_unit-t passes 64/64. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34 (auth flow), unrelated to compression and present on this branch before the Phase 1 commit.	4 weeks ago
Rene Cannao	b1fd6b31fc	feat(mysqlx): decompress incoming Compression messages (Phase 2) Phase 2 of three-phase X Protocol compression support: client→server decompression. Compression on the server→client path (Phase 3) still goes out uncompressed; CapabilitiesSet stores the negotiation in Phase 1 and this commit consumes it. What this commit does ===================== When the client sends a Mysqlx.Connection.Compression message AND compression has been negotiated, we now: 1. Parse the Compression protobuf — payload bytes, optional uncompressed_size hint, optional client_messages tag. 2. Decompress the payload using the negotiated algorithm: - zstd_stream: streaming decompression via a ZSTD_DCtx that persists across messages on the same session (per spec — successive Compression frames may continue a single zstd stream, so we cannot recreate the context per frame). - lz4_message: one-shot LZ4_decompress_safe. The X spec defines lz4_message as one independent frame per message, so no persistent context is needed. 3. Feed the decompressed bytes back into client_ds_.feed_bytes() so the existing frame parser picks them up. Two payload shapes per spec are handled: - client_messages set: payload is one decompressed body of that type — we re-frame with a 5-byte X header in front. - neither set: payload is already a sequence of fully-framed X messages — fed verbatim. 4. The dispatch loop re-enters on the same handler tick (to_process set), so a Compression-wrapped StmtExecute runs end-to-end without an extra network roundtrip. If client_messages is unset and server_messages IS set, the message is rejected (5008): server_messages on the c→s path is always wrong. Anti-bomb / bounds ================== COMPRESSION_MAX_DECOMPRESSED_BYTES = 16 MiB caps how much output a single Compression message can produce, mirroring MysqlxDataStream's existing on-the-wire X_MAX_PAYLOAD_SIZE so a Compression frame never expands beyond what the rest of the data plane can handle anyway. If the client provides an uncompressed_size hint smaller than 16 MiB we honor that as the tighter bound. Hint of 0 with non-empty payload is treated as malformed. For zstd, the decompression loop re-checks the cap before each ZSTD_decompressStream call and bails (with 5008) the moment the output buffer would exceed it. A no-progress condition (zout.pos == 0 with input remaining) also bails — that catches malformed streams that would otherwise spin forever. For lz4, LZ4_decompress_safe(dstCapacity = cap) naturally enforces the limit: the decompressor refuses to write past dstCapacity and returns an error code we map to 5008. Linkage / build =============== The plugin .so is dlopen'd with RTLD_LOCAL, so symbols from libzstd / liblz4 that the proxysql binary may already pull in are NOT visible to the plugin. This commit links the static deps/zstd/zstd/lib/libzstd.a + deps/lz4/lz4/lib/liblz4.a archives directly into the .so so the plugin is self-contained. The session header forward-declares ZSTD_DCtx / ZSTD_CCtx so the zstd headers don't leak through include/mysqlx_session.h into other translation units. Tests ===== mysqlx_compression_unit-t now covers Phase 2 end-to-end (39 sub- tests total, all passing): - Phase 1: capability negotiation (22 sub-tests, unchanged) - decompress zstd_stream client_messages=SQL_STMT_EXECUTE, inner StmtExecute reaches dispatch (no 5008, session moves past WAITING_CLIENT_XMSG) - same for lz4_message - oversize bomb attempt: lie about uncompressed_size, send a 1 MiB-of-zeros payload — rejected with 5008 - garbage compressed payload: rejected with 5008 - sanity: COMPRESSION before negotiation still 5008 Verification ============ Top-level `PROXYSQLGENAI=1 make` builds cleanly; the plugin .so links against the static zstd + lz4 archives. plugin_lifecycle_unit-t (26/26) passes unchanged. mysqlx_session_unit-t still has its two pre-existing failures at sub-tests 33-34, identical to behavior before this commit (verified by stashing only the Phase 2 edits to plugins/mysqlx/{src,include}/* + Makefile and rebuilding). The mysqlx_thread_unit-t / mysqlx_concurrent_unit-t hangs are also pre-existing and reproduce on the unmodified branch.	4 weeks ago
Rene Cannao	f19be5f3a0	feat(mysqlx): negotiate X Protocol compression capability (Phase 1) Phase 1 of three-phase X Protocol compression support: capability negotiation only. The COMPRESSION message itself is still rejected with error 5008 in dispatch_client_message(); Phase 2 wires up decompression on input and Phase 3 wires up compression on output. What this commit does ===================== - send_capabilities() now advertises a `compression` capability listing the algorithms the plugin can support: zstd_stream and lz4_message. Both libraries (libzstd, liblz4) are already statically linked into libproxysql.a / pulled into the unit-test link line, so this does not introduce any new runtime dependency. - handler_capabilities_set() detects when a client sets the `compression` capability and parses the OBJECT value's sub-keys: - `algorithm` (required string) — must match an advertised value; anything else is rejected with X-Protocol error 5052 (the capability-prepare-failed code per the spec). - `server_combine_mixed_messages` / `combine_mixed_messages` (bool) - `server_max_combine_messages` / `max_combine_messages` (uint) Both spelling variants are accepted because mysql-connector-python emits the short form while libmysqlclient emits the spec form, and the upstream MySQL server tolerates both. - Negotiation outcome is stored on MysqlxSession via three new members (compression_algo_, compression_combine_mixed_messages_, compression_max_combine_messages_). Phase 2 / Phase 3 will read these to drive (de)compression. They are reset by both init() and reset() so a session reuse does not inherit stale negotiation. - Unsupported algorithms (e.g. deflate_stream) and structurally malformed values (wrong protobuf type, missing algorithm field) are rejected with a non-fatal X-Protocol Error frame — the session remains healthy so the client can either retry CapabilitiesSet or proceed without compression. Why 5052 (non-fatal) and not 5008 --------------------------------- 5008 is the runtime "compression message arrived but compression is disabled" error and stays in dispatch_client_message() for now. 5052 is the spec-defined "capability prepare failed" status used during the CapabilitiesSet handshake; treating an unknown algorithm as a capability error matches the upstream MySQL X plugin's behavior and lets compliant clients downgrade to no-compression on the same connection. Tests ===== New unit test: test/tap/tests/unit/mysqlx_compression_unit-t.cpp (22 sub-tests, all passing). Covers: - CapGet response advertises `compression` with both algorithms - CapSet zstd_stream + combine hints accepted, stored on session - CapSet lz4_message accepted, stored on session - CapSet deflate_stream rejected with 5052 (non-fatal), session remains healthy with no algorithm set - CapSet with wrong-shape compression value (scalar instead of object) rejected with 5052 Existing mysqlx_session_unit-t / plugin_lifecycle_unit-t still pass (the two pre-existing failures in mysqlx_session_unit-t at sub-tests 33-34, "auth succeeded for correct password" and "session in WAITING_CLIENT_XMSG after auth", are present on this branch before this commit and unrelated to compression — verified by stashing only the mysqlx_session.{cpp,h} edits and re-running). Build infra fix piggy-backed on this commit ------------------------------------------- test/tap/tests/unit/Makefile referenced $(SQLITE3_LDIR)/../libsqlite_rembed.a in the GenAI-tier link line, but that .a is no longer produced on this branch (it was the artifact of the now-removed sqlite-rembed Rust extension). Without removing this stale reference, no plugin/mysqlx unit test can link, which blocks verifying the new compression test alongside the existing mysqlx tests required by the task. Mirrors the upstream fix that already landed on sibling branches as commit `44a6c9d58` ("build(test): drop libsqlite_rembed.a from TAP and rag test link order"). Phase 2 (decompression) and Phase 3 (compression on output) will follow as separate commits; the COMPRESSION dispatch handler still emits 5008 until Phase 2 lands.	4 weeks ago
Rene Cannao	ae88c07089	Fix GTID range validation	1 month ago
René Cannaò	7ca0d153cc	Merge pull request #5654 from sysown/fix/pgsql-active-tx-on-broken-conn fix(pgsql): surface mid-transaction backend errors instead of silently replaying	1 month ago
Rene Cannao	5d702b12bf	build(test): fix testgalera link after switch to src/SQLite3_Server.cpp CI-maketest / builds (testgalera) has been red on every branch since commit `a3883a880` (2026-04-12) which replaced the galera rules' use of the stub test/tap/tap/SQLite3_Server.cpp with the real src/SQLite3_Server.cpp. The stub was a type-inconsistency hazard, but the real source pulls in three new link-time problems that the galera Makefile rules did not accommodate: 1. Symbol collisions. src/SQLite3_Server.cpp has test-variant definitions of init_galera_ifaces_string() and populate_galera_table() gated by #ifdef TEST_GALERA (lines 1323 and 1424), while galera_1_timeout_count.cpp and galera_2_timeout_no_count.cpp provide their own versions of the same symbols plus SQLite3_Server_session_handler. Both land in the link and ld rejects with "multiple definition". Fix: -Wl,--allow-multiple-definition. The sibling anomaly_detection-t rule already uses this. 2. ClickHouse typeinfo. libproxysql.a pulls in ClickHouse_Server.oo, which references typeinfo for clickhouse::Column*. The galera rules do not link libclickhouse-cpp-lib.a, libzstdstatic.a, liblz4.a, and they do not add -I$(CLICKHOUSE_CPP_IDIR) / the corresponding -L paths. Copy the incantation from anomaly_detection-t. 3. Missing ProxySQL_Admin::enable_galera_testing(). This method is also #ifdef TEST_GALERA-gated (lib/ProxySQL_Admin.cpp:9305). libproxysql.a is built without TEST_GALERA, so the method is not in the archive. src/SQLite3_Server.cpp:1848 calls it under its own TEST_GALERA guard — linker error. Compile lib/ProxySQL_Admin.cpp fresh with -DTEST_GALERA alongside the galera test and SQLite3_Server.cpp. --allow-multiple-definition above handles the symbol overlap with libproxysql.a. Add -I$(COREDUMPER_IDIR) for ProxySQL_Admin.cpp's transitive include of coredumper/coredumper.h. Verified locally: make testgalera from scratch, rc=0, both binaries produced (124 MB each).	1 month ago
Rene Cannao	f776af5487	test(pgsql): harden tx_poisoned tests after review Driven by the test-coverage review findings. Seven substantive changes across both test files: 1. NoticeResponse payload is now inspected (review 1.1/1.2). Install PQsetNoticeReceiver with a NoticeBag collector. Assert the poison NoticeResponse has severity=WARNING, sqlstate=01000, and non-empty message; and that NO notice carries sqlstate 57P01 (backend-leak) or 00000 (wrong pre-fix code). Without this, the no-57P01-leak invariant called out in issue #5658 was unverified. 2. COMMIT-on-poisoned notice payload is inspected (review 1.4 / 3.3). Case B now asserts the 25P01 "there is no transaction in progress" notice is emitted alongside the synthesized ROLLBACK command tag — the other half of the PG-native parity contract. 3. ROLLBACK TO SAVEPOINT, AND CHAIN, multi-statement, and ROLLBACKET word-boundary are exercised (review 1.3/1.14). Added as a batch alongside SELECT 42 and RELEASE SAVEPOINT, each asserted to return 25P02 and stay poisoned. 4. Autocommit-no-poison (case C) + admin-off-no-counter-move (case D) are now explicit (review 1.8 / 2.4). Pre-fix behavior: a non-tx statement killed mid-flight bumped the total counter because the feature used IsActiveTransaction() (polluted by the disconnect heuristic). Case C confirms the is_in_transaction() tightening. Case D confirms that toggling the admin var off truly disables the feature (no counter movement), not just preserves client termination. 5. Counter deltas are EXACT (==), not >= (review 2.1). Recovery test's +1/+1/+6 and ext-query test's +3 are all equality-checked. A bug that over-counts (e.g. regressed to per-wire-packet accounting) would be caught. 6. Flakiness-resistance (review 4.1/4.2/4.3/4.4/5.3). The killer no longer sleeps 500 ms blindly; it polls pg_stat_activity up to 6 s for the marker backend and reports a clean diag-plus-skip if the kill didn't fire. This is the same pattern used by the sibling retry_guard test. kill_delivered is now surfaced on the return struct so the caller can distinguish "feature regressed" from "CI infra flaked". 7. Admin-variable hygiene (review 5.1/6.4). - RAII-scoped RestorePreserveClientAdminVar: restore to default (=true) on every exit path including failure. - UPDATE now uses the full 'pgsql-<name>' prefix on variable_name; the previous WHERE clause matched zero rows and silently left the runtime value unchanged (which is how the pre-fix case D appeared to pass PQstatus checks while counters still moved). - After LOAD PGSQL VARIABLES TO RUNTIME, open a burst of short- lived PGconns to trigger activity on every PgSQL worker, guaranteeing each thread's next poll() wake-up picks up the new __thread-local admin-var value. Eliminates the up-to-2s refresh lag (pgsql-poll_timeout) that otherwise leaves stale worker state when case D runs. Severity / severity (ext-query test only): the rejected_25P02_as_error() predicate now also checks severity=="ERROR", catching a regression that might emit FATAL 25P02 (libpq would close the socket on FATAL despite the 25P02 code). Verified: both tests pass 17/17 and 11/11 against a live legacy-g2 infra. Case D cleanly shows counters unchanged when admin is off; case C cleanly shows counters unchanged for an autocommit kill.	1 month ago
Rene Cannao	100e417179	test(pgsql): extended-query coverage for tx_poisoned behavior New sibling to pgsql-tx_poisoned_recovery-t, plus a one-line semantics fix in the extended-query poison gate. Semantics fix (lib/PgSQL_Session.cpp): Before, the pgsql_tx_poisoned_rejected_statements_total counter was incremented on EVERY swallowed ext-query wire packet — one per Parse / Bind / Describe / Close / Execute / Sync. That made a single logical PQexecParams call count as 4+, inconsistent with the simple-query path where a 'Q' packet bumps it exactly once. Now P/B/D/C/E are silently swallowed (no counter bump), and Sync is the single accounting point — the counter value matches the number of client-visible "rejected statements" regardless of protocol. New test pgsql-tx_poisoned_extended_query-t (plan(11)): * Poison the session via a simple-query pg_sleep + mid-tx kill. * While poisoned: - PQexecParams("SELECT 42", 0 params) returns 25P02. - PQprepare("stmt_poisoned", "SELECT 43") returns 25P02. - PQexecPrepared on that name returns 25P02. * The rejected counter increments by exactly 3 (one per logical ext-query call), not by the 8-11 wire packets that libpq actually sends. This assertion IS the mechanical proof that the semantics fix above took effect. * Simple-query ROLLBACK recovers the session. * Post-recovery PQexecParams and PQprepare+PQexecPrepared both execute cleanly and return rows. Registered alongside the simple-query sibling in legacy-g2. Verified against a live legacy-g2 infra: both tests pass (11/11 and 15/15), counter deltas exactly match expected per-statement semantics.	1 month ago
Rene Cannao	eec1a07d9c	test(pgsql): fix tx_poisoned-recovery test against a live infra Two small fixes caught by running the test against the local legacy-g2 infra: 1. Connect to ProxySQL admin via the PgSQL-protocol admin port (cl.pgsql_admin_host / cl.pgsql_admin_port = 6132), not the MySQL-protocol admin port (6032). libpq on 6032 gets back the MySQL server greeting byte and fails with "expected authentication request from server, but received J". All three counter reads and the admin-variable toggles go through the same helper, so this single flip fixes both flows. 2. plan(15), not plan(16). The test has 15 distinct ok() assertions; the prior plan(16) left one slot unfilled and the TAP runner reported the test as failed even when every assertion passed. With both fixes, the test now passes 15/15 against the live legacy-g2 infra (PgSQL 16 single-node). counters before/after the ROLLBACK path: total 6->7 , recovered 4->5 , rejected 6->8 (two rejects = one for SELECT 42 while poisoned, one for RELEASE SAVEPOINT while poisoned).	1 month ago
Rene Cannao	f1135ad453	test(pgsql): acceptance test for tx_poisoned recovery feature pgsql-tx_poisoned_recovery-t covers the whole UX flow added by the preceding commit and the admin-var-off fallback: Case A — ROLLBACK recovery path * Mid-tx backend kill produces ErrorResponse severity=ERROR sqlstate=25P02 (asserts no leak of the original FATAL / 57P01). * PQstatus stays CONNECTION_OK, PQtransactionStatus is PQTRANS_INERROR. * Any non-end-of-tx statement while poisoned returns 25P02. * RELEASE SAVEPOINT while poisoned returns 25P02 (matches PG native). * ROLLBACK returns PGRES_COMMAND_OK and the session goes to PQTRANS_IDLE. * A subsequent SELECT 1 succeeds on a different backend pid than the one that died (discovered via pg_stat_activity from a direct superuser connection, since pg_backend_pid() via ProxySQL returns thread_session_id, not the real backend pid — see the sibling pgsql-retry_guard_in_txn_on_broken_backend-t). * The three new stats counters (pgsql_tx_poisoned_total, pgsql_tx_poisoned_recovered_total, pgsql_tx_poisoned_rejected_statements_total) are read from stats_pgsql_global via the admin port and asserted to have incremented. Case B — COMMIT recovery path * COMMIT inside a poisoned tx returns PGRES_COMMAND_OK with command tag 'ROLLBACK' (matches PG native — PG itself rolls back on COMMIT inside an aborted tx). Case C — admin variable off * Toggle pgsql-preserve_client_on_broken_backend_in_tx=false, repeat the mid-tx kill, assert the client session is terminated (pre- feature fallback behavior preserved). The admin variable is restored to true at test exit so subsequent tests in the group see the default. Registered in legacy-g2 alongside its sibling regression guard so both run together on the same infra. Related: issue #5658.	1 month ago
Wazir Ahmed	abda5410ea	chore(CI): Remove regular mysql56-single infra Signed-off-by: Wazir Ahmed <wazir@proxysql.com>	1 month ago
Rene Cannao	8857543c4d	test(pgsql): identify backend via pg_stat_activity instead of pg_backend_pid() The first CI run of pgsql-retry_guard_in_txn_on_broken_backend-t (now registered in legacy-g2) failed at "pg_terminate_backend signalled successfully" because ProxySQL intercepts pg_backend_pid() and returns its own thread_session_id (see PgSQL_Protocol.cpp:1398), not the real backend PID. Postgres server log from the failing run made this unambiguous: [239] LOG: statement: BEGIN [239] LOG: statement: SELECT pg_sleep(3) [240] LOG: statement: SELECT pg_terminate_backend(22) [240] WARNING: PID 22 is not a PostgreSQL backend process [239] LOG: statement: ROLLBACK Real backend is PID 239. "22" came from ProxySQL's fake-PID response, so the kill went nowhere, pg_sleep(3) ran to completion, and the post- fix FATAL_ERROR assertion never had a chance to be exercised — the regression guard was trivially passing the bug through. Replace the pg_backend_pid() probe with a pg_stat_activity lookup issued from the direct superuser connection: - embed a unique literal marker ("retry_guard_marker_<time>_<pid>") in the sleep query so the backend running it is trivially identifiable; - do the find + terminate in one PQexecParams round-trip against pg_stat_activity, so the pid can't change between lookup and kill. plan() drops from 6 to 5 because we no longer have a separate "got a pid" assertion. On a build that includes `68c76eb42` all 5 pass; on a build without the fix the FATAL_ERROR assertion still fails as before.	1 month ago
Rene Cannao	e24ac092f6	test(mysql): enlarge grace close binlog to ~50 MB to un-flake target>8s iterations fast_forward_grace_close-t writes a binlog, then for each target_time in {0..7, 20, 30, 60} reads it via a throttled client and asserts that target_time <= 8s reaches EOF and target_time > 8s does not (because the 8s grace_close_ms should cut the session before the binlog is drained). The >8s iterations have been flaky on GitHub runners. Analysis of the actual CI logs (proxysql.log timestamps vs test TAP output) shows what goes wrong: during the 8s grace window, ProxySQL keeps pushing bytes into the client's kernel recv buffer as fast as the buffer accepts them. If the whole binlog — including the empty-event EOF marker — fits into "what the client has already read" + "what is sitting in the client's recv buffer" by t=8s, grace_close does fire and cut the session, but the client's next mysql_binlog_fetch just returns the already-buffered EOF event and reports reached_EOF=TRUE. The test then fails the "Expected FALSE" assertion. With total_bytes = N and client recv-buffer capacity R, the test is only robust when N > ~1.7*R. Prior bumps (3 events -> 50 events, 2026-04-13) lifted N from 150 KB to 2.5 MB, which is enough on dbdeployer but too close to the margin on GH runners whose TCP recv autotune can grow past a couple of MB. 1000 x 50 KB = ~50 MB puts N well above any realistic R (kernels cap autotune around a few MB), so the grace close always fires while there is still many MB of undelivered binlog sitting in ProxySQL's output queue — the client cannot reach EOF. Side effects on other tests: none. The only other binlog-reading test in the same group, fast_forward_switch_replication_deprecate_eof-t, is already incidentally reading grace_close's binlog (it picks the first file from SHOW BINARY LOGS, which ends up being grace_close's rotated file). It reads at full speed and only asserts reached_EOF==true, which stays correct — it just reports ~50 MB instead of ~2.5 MB in its informational TAP message. Full-speed read of 50 MB over the Docker bridge is sub-second per config (4 configs -> ~1-2 s added). Data generation cost at test start is ~1-2 s for the extra INSERTs.	1 month ago
Rene Cannao	51c44d10b2	TAP: parameterize session_track_variables helpers; add time_zone and sql_mode coverage Context ------- The four session_track_variables TAP tests previously hard-coded a single variable, 'innodb_lock_wait_timeout', for their round-trip assertion. That only exercised the integer path in 'MySQL_Session::handler_rc0_Process_Variables', leaving the string-value path (and the character-set special case elsewhere in the same function) untested. The stored-procedure helper was also named generically ('set_session_variable') while its body was pinned to InnoDB's lock wait timeout -- confusing for readers. Changes ------- * test/tap/tests/session_track_variables.h: - Introduce 'struct tracked_var_spec { name, set_expr; }' so the helpers can exercise arbitrary session variables from a single spec-driven code path. - 'set_session_variable()' now takes a spec, builds a per-variable stored procedure name ('test.set_session_track_<name>') so multiple specs can coexist without stepping on each other, and guarantees that the CALL is the last statement on the connection before the tracker is read (any query in between would reset the session tracker state). - Add 'drop_session_variable_proc()' for optional teardown. Kept separate from the set path so tests that need to preserve the CALL as the last statement can skip cleanup. - Switch the whole value surface from 'int' to 'std::string': 'extract_sess_var_mysql_pkt', 'select_sess_var_value', and 'extract_sess_var_proxy_internal' all return strings, which is how session tracking delivers values on the wire and matches both integer and string variables without encoding assumptions. - Provide a default set, 'session_track_default_vars', with three representative cases: * 'innodb_lock_wait_timeout' (integer; original coverage) * 'time_zone' (string, portable small value-space) * 'sql_mode' (string, representative of production usage) All three 'set_expr' values are pure server-side SQL (no client-side randomization), so a CALL alone produces a fresh value per run. * test/tap/tests/mysql-session_track_variables_optional-t.cpp, test/tap/tests/mysql-session_track_variables_enforced-t.cpp, test/tap/tests/mysql-session_track_variables_ff-t.cpp, test/tap/tests/mysql-session_track_variables_ff_mysql56-t.cpp: - Iterate over 'session_track_default_vars' and emit one TAP 'ok' per (spec[, mode]) combination. - Adjust plans accordingly. The ENFORCED-on-5.6 case still emits a single 'ok' because the backend is rejected before any per-variable tracking is attempted, so multiplying by the spec count there would be misleading. - Compare values as strings using the new string-returning helpers. The broadened coverage does not change what 'handler_rc0_Process_Variables' or 'handle_session_track_capabilities' do; it only exercises more of their existing behavior, notably the non-integer value path and the 'proxysql_find_charset_*' branches that activate for character-set variables (not exercised by these three specs but now reachable through the same harness for follow-up tests).	1 month ago
Rene Cannao	8da7a71a44	build(test): link ezoption_parser_unit-t / mysql_resolution_unit-t with WASAN obj/tap.o is compiled with $(OPT), which includes $(WASAN) = -fsanitize=address when WITHASAN=1. Every other unit test binary goes through the pattern rule on line 333 which re-applies $(OPT) on the link line, pulling in libasan. The two explicit rules for ezoption_parser_unit-t and mysql_resolution_unit-t were written without $(OPT) on the link step (they avoid linking libproxysql.a since they are standalone header-only tests), but they also dropped $(WASAN) — so the linker sees ASAN-instrumented tap.o and nothing to resolve __asan_report_, __asan_init, __asan_handle_no_return, etc. against: /usr/bin/ld: obj/tap.o: undefined reference to `__asan_report_load8' ... (hundreds more) ... collect2: error: ld returned 1 exit status make[1]: ** [Makefile:321: ezoption_parser_unit-t] Error 1 Put $(WASAN) back on both link commands. CI-unit-tests-asan-coverage has been red on every branch (including v3.0 itself) since at least 2026-04-12 because of this.	1 month ago
Rene Cannao	c2200e472d	ci(lint): catch TAP tests missing from groups.json on every PR Previously CI-lint-groups-json only triggered when groups.json itself was edited and only checked formatting. That can't catch the "author added a new test source but forgot to register it" case (which is exactly what happened with pgsql-retry_guard_in_txn_on_broken_backend-t before this series). - Drop the paths filter so the workflow runs on every pull_request/push. - Add a --source mode to check_groups.py that scans test/tap/tests* for *-t.{cpp,sh,py,php} (and extension-less -t scripts) and flags any source file not registered in groups.json as an ERROR. Requires no build — runs in seconds. - The reverse direction (entry in groups.json with no matching source) is a NOTE in source mode, because a handful of binaries are built from differently-named sources via explicit Makefile targets (e.g. mysql_reconnect_libmariadb-t from mysql_reconnect.cpp). - Executable mode behavior is unchanged; run-multi-group.bash keeps calling check_groups.py with no flag.	1 month ago
Rene Cannao	292f6f6bae	test(pgsql): register retry_guard_in_txn_on_broken_backend in groups.json The test added in `8e509d371` was not registered in groups.json, so no TAP group was running it. Register it under legacy-g2.	1 month ago
Rene Cannao	8e509d3711	test(pgsql): regression guard for silent in-transaction retry fix Reproduces the bug fixed in the preceding commit: while a client is in an explicit transaction, terminating the backend mid-query (simulated via pg_terminate_backend from a separate superuser connection) must surface a fatal error to the client. Pre-fix ProxySQL silently retried the in-flight statement on a fresh backend as autocommit, so the expected PGRES_FATAL_ERROR came back as PGRES_TUPLES_OK and the next COMMIT landed on a connection with no open transaction. The test also asserts the client<->ProxySQL connection stays open and that ROLLBACK + a follow-up SELECT 1 recover the session cleanly.	1 month ago
Wazir Ahmed	8d94919b22	fix: preserve EOF capability in enforced mode - Keep `CLIENT_DEPRECATE_EOF` enabled during frontend handshake when `session_track_variables=ENFORCED`. - Avoid unsafe mysql_error() calls in session-track TAP tests. Signed-off-by: Wazir Ahmed <wazir@proxysql.com>	1 month ago
Rene Cannao	c723ede0cf	Merge remote-tracking branch 'origin/plugin-chassis' into ProtocolX-rebased # Conflicts: # lib/ProxySQL_PluginManager.cpp # plugins/mysqlx/Makefile # plugins/mysqlx/include/mysqlx_plugin.h # plugins/mysqlx/include/mysqlx_session.h # test/tap/groups/groups.json # test/tap/tests/test_mysqlx_listener_smoke-t.cpp # test/tap/tests/unit/Makefile	1 month ago
Rene Cannao	b3d4de0bc8	Merge remote-tracking branch 'origin/v3.0' into plugin-chassis # Conflicts: # test/tap/groups/groups.json	1 month ago
Rene Cannao	d2e03fae36	fix(test groups): resolve groups.json conflict + tag plugin tests for v4.0 The `test/tap/groups/groups.json` on `origin/v3.0` was reformatted and expanded (mysql95 targets added, legacy-g1..g5 merged into mysql84-g1..g5, etc.) in commits that landed after `plugin-chassis` branched. Merging `plugin-chassis -> v3.0` therefore produced a content conflict in this file. Resolve by taking `origin/v3.0`'s current `groups.json` as the base and re-adding every plugin-chassis and mysqlx-plugin test entry on top, each tagged with `@proxysql_min_version:4.0` per the existing tier convention (`test_mcp_static_harvest-t`, `anomaly_detection-t`, etc. already use this pattern). Tests tagged v4.0: * Plugin-chassis unit tests (7): plugin_config_unit-t, plugin_dispatch_unit-t, plugin_manager_unit-t, plugin_registry_unit-t, plugin_query_hook_unit-t, plugin_prometheus_unit-t, plugin_lifecycle_unit-t * Mysqlx-plugin unit tests (22): test_mysqlx_plugin_load-t, test_mysqlx_admin_tables-t, test_mysqlx_listener_smoke-t, mysqlx_config_store_unit-t, mysqlx_config_store_concurrent_unit-t, mysqlx_config_store_pure_unit-t, mysqlx_protocol_unit-t, mysqlx_protocol_socket_unit-t, mysqlx_route_store_unit-t, mysqlx_stats_unit-t, mysqlx_admin_schema_unit-t, mysqlx_admin_commands_unit-t, mysqlx_admin_disk_commands_unit-t, mysqlx_data_stream_unit-t, mysqlx_connection_unit-t, mysqlx_session_unit-t, mysqlx_thread_unit-t, mysqlx_message_dispatch_unit-t, mysqlx_concurrent_unit-t, mysqlx_backend_auth_unit-t, mysqlx_credential_verify_unit-t, mysqlx_robustness_unit-t, mysqlx_tls_unit-t * Mysqlx E2E tests (2, group `mysqlx-e2e-g1`): test_mysqlx_e2e_handshake-t, test_mysqlx_e2e_routing-t Formatting is preserved from v3.0 (one entry per line, alphabetically sorted, 2-space indent). Entries that existed only on plugin-chassis under the old per-line layout and were never in v3.0 are now inserted in the correct alphabetical position.	1 month ago
Rene Cannao	e20876a451	fix(tests): repair pre-existing mysqlx test build breakage Under `export PROXYSQLGENAI=1 && export PROXYSQL40=1 && make debug -j && make build_tap_test_debug -j` the tap build failed with ~78 errors spread across several mysqlx tests. None were caused by the chassis work; they are drift between test code and current APIs that no plain build had ever exercised (unit builds tried PROXYSQL40 without DEBUG; the debug path uncovers them). Changes: * test/tap/tests/unit/mysqlx_route_store_unit-t.cpp (19 sites), test/tap/tests/unit/mysqlx_stats_unit-t.cpp (7 sites), test/tap/tests/unit/mysqlx_admin_commands_unit-t.cpp (1 site), test/tap/tests/unit/mysqlx_admin_disk_commands_unit-t.cpp (2 sites): the `// NOSONAR:` comment was placed BEFORE the closing `)` of `SQLite3DB::open(..., FLAGS);`, commenting out both the flags and the closing paren. Move the NOSONAR comment to end of line and restore the flags argument. * test/tap/tests/unit/mysqlx_stats_unit-t.cpp (28 sites): `record_conn_ok/err/used` added a second argument (destination hostgroup) in `cd94ac2b1` but the tests still passed one arg. Pass `0` as the hostgroup for existing assertions (they only read back via route name anyway). * test/tap/tests/test_mysqlx_listener_smoke-t.cpp: add missing stub `record_conn_used`, `route_hostgroup`, and `~Mysqlx_Thread` definitions. The context-destructor path was generating `unique_ptr<Mysqlx_Thread>::operator delete` which couldn't find the real destructor (mysqlx_thread.cpp isn't linked into this test). * test/tap/tests/Makefile: add dedicated recipe for test_mysqlx_listener_smoke-t that defers to unit/ (matching test_mysqlx_plugin_load-t / test_mysqlx_admin_tables-t pattern). Without it the generic `%-t: %-t.cpp` rule built the test without `-I.../plugins/mysqlx/include` and failed on `mysqlx_config_store.h: No such file or directory`. * test/tap/tests/Makefile: add `-lcpp_dotenv -lcurl -lmariadbclient` to the link line for test_mysqlx_e2e_handshake-t and test_mysqlx_e2e_routing-t. libtap pulls those in transitively but the `-Wl,--no-as-needed` propagated from $(OPT) requires explicit references. * test/tap/tests/test_mysqlx_e2e_handshake-t.cpp and test/tap/tests/test_mysqlx_e2e_routing-t.cpp: The protobuf API changed (Array::add_value() returns Any, not Scalar; Capability::value is Any, not Array; AuthenticateStart/ Continue::auth_data is bytes, not Scalar). Wrap the MYSQL41 capability array element in an Any, and pass auth_data as raw bytes directly. Also fix `plan(skip_all, "...")` → `skip_all("...")` (TAP `plan()` now takes a single int). * test/tap/tests/unit/Makefile: add $(PROXYSQL_PATH)/plugins/mysqlx/src/mysqlx_config_store.cpp to the deps + compile line of every test that already links mysqlx_thread.cpp (mysqlx_thread_unit-t, mysqlx_session_unit-t, mysqlx_message_dispatch_unit-t, mysqlx_concurrent_unit-t, mysqlx_robustness_unit-t). mysqlx_thread.cpp calls MysqlxConfigStore::resolve_identity which was added recently and is defined in mysqlx_config_store.cpp. Verification: * `unset PROXYSQLGENAI && unset PROXYSQL40 && make cleanall && make debug -j && make build_tap_test_debug -j` — 0 errors. * `export PROXYSQLGENAI=1 && export PROXYSQL40=1 && make cleanall && make debug -j && make build_tap_test_debug -j` — 0 errors.	1 month ago
Rene Cannao	f34dc4573a	fix(tap tests): gate test_mysqlx_-t under PROXYSQL40 test/tap/tests/Makefile's tests-cpp target uses `$(wildcard -t.cpp)` to pick up all test sources. test_mysqlx_e2e_handshake-t.cpp, test_mysqlx_e2e_routing-t.cpp, test_mysqlx_listener_smoke-t.cpp, test_mysqlx_admin_tables-t.cpp and test_mysqlx_plugin_load-t.cpp all reference chassis types (ProxySQL_PluginServices, mysqlx_config_store.h) that only exist in the public headers under -DPROXYSQL40. Under a plain v3.0 build (`unset PROXYSQLGENAI && unset PROXYSQL40 && make debug -j && make build_tap_test_debug -j`), the wildcard still matched them, and the generic `%-t: %-t.cpp` recipe tried to compile them -- producing 130+ `error:` lines (mysqlx_config_store.h not found, Mysqlx::Datatypes::* conversion failures, ProxySQL_PluginServices undeclared, etc.). Reported by the user. Fix: autodetect PROXYSQL40 via `nm libproxysql.a \| grep -c invoke_register_schemas_phase` (same probe the unit Makefile uses) and filter out `test_mysqlx_` from the wildcard when the chassis symbol is absent. Under PROXYSQL40 the wildcard is unmodified and all mysqlx tests are built as before. Verification: `unset PROXYSQLGENAI && unset PROXYSQL40 && make debug -j && make build_tap_test_debug -j` -> 0 errors, builds complete. - proxysql binary built (122 MB) - ProxySQL_MySQLX_Plugin.so NOT built (skipped by top-level Makefile) - 51 unit tests built, 0 plugin/mysqlx unit tests, 0 mysqlx tests/ tests -> chassis is completely invisible to v3.0.	1 month ago
Wazir Ahmed	99494b015d	chore(tap): Fix lint errors in groups.json Signed-off-by: Wazir Ahmed <wazir@proxysql.com>	1 month ago
Rene Cannao	b65ba99118	fix(unit tests): gate plugin + mysqlx tests behind PROXYSQL40 After the previous commit made the plugin chassis invisible in v3.x builds (no ProxySQL_PluginManager, no ProxySQL_PluginServices types available from public headers), the unit-test Makefile still listed all plugin/mysqlx tests in the unconditional UNIT_TESTS base list. `make build_tap_test_debug` (no PROXYSQL40) then attempted to compile: * test/tap/test_helpers/fake_plugin.cpp — uses ProxySQL_PluginServices, ProxySQL_PluginCommandResult, ProxySQL_PluginDescriptor at file scope; none of these exist under !PROXYSQL40. * test/tap/tests/unit/plugin_{config,dispatch,manager,registry}_unit-t — reference ProxySQL_PluginManager's public API. * test/tap/tests/unit/mysqlx__unit-t + test_mysqlx_-t — include plugins/mysqlx/include/mysqlx_.h which transitively include ProxySQL_Plugin.h and use chassis types. Reported by user with a `make debug && make build_tap_test_debug` invocation that produced 121 `error:` lines and failed to link. Move every plugin-chassis and mysqlx-plugin unit test out of the base UNIT_TESTS list and into the existing `ifeq ($(PROXYSQL40),1)` block. v3.x builds now build 23 core unit tests (smoke, query_cache, query processor, protocol, auth, hostgroups, FFTO, etc.) and zero chassis artifacts; PROXYSQL40 builds add the 31 plugin/mysqlx tests on top. Verification: `unset PROXYSQLGENAI && unset PROXYSQL40 && make debug -j && make build_tap_test_debug -j` — 0 errors, 23 unit tests built, fake_plugin.so not even attempted. * `PROXYSQLGENAI=1 make debug -j && PROXYSQLGENAI=1 make build_tap_test_debug -j` — 0 errors, full chassis + mysqlx test suite builds (54 unit tests).	1 month ago
Wazir Ahmed	baa5069eaf	CI: Add `mysql56-single` test infra Signed-off-by: Wazir Ahmed <wazir@proxysql.com>	1 month ago
Rene Cannao	3ba92815f8	fix(plugin-chassis): make chassis fully invisible in v3.x builds Review feedback identified that the chassis was leaking into the v3.0 stable build via unfenced references in core code: * Admin_Bootstrap.cpp had `if (auto* m = proxysql_get_plugin_manager())` and a full materialize_plugin_tables() implementation outside any PROXYSQL40 fence * proxysql_admin.h declared materialize_plugin_tables() * proxysql_glovars.hpp held GloVars.plugin_modules and proxysql_load_plugin_modules_from_config() * ProxySQL_GloVars.cpp had three unfenced .clear()/use sites * ProxySQL_Admin.cpp::dispatch_plugin_admin_command (template + two instantiations) was unfenced * src/main.cpp's GloPluginManager, LoadConfiguredPlugins, InitConfiguredPlugins, StartConfiguredPlugins, StopConfiguredPlugins, UnloadPlugins teardown, the four-phase orchestration block, and the proxysql_load_plugin_modules_from_config call were all unfenced Separately, Admin_Handler.cpp held 16 hardcoded MYSQLX alias vectors (LOAD_MYSQLX_USERS_FROM_MEMORY, etc.) and a 16-deep if-ladder that called resolve_admin_alias_to_canonical(). This embedded plugin-specific knowledge in core code -- core should know nothing about any specific plugin's commands. The agreed architecture: v3.0/v3.1 builds have NO plugin loader at all; the entire plugin chassis (including its public manager surface, its loader, and its dispatch helpers) only exists under PROXYSQL40. v3.0 core code therefore holds zero plugin-related code paths. Changes: * include/ProxySQL_Plugin.h, include/ProxySQL_PluginManager.h, lib/ProxySQL_PluginManager.cpp: wrap entire file body in `#ifdef PROXYSQL40 ... #endif`. Including the header from a v3.x translation unit yields nothing; the .cpp compiles to an empty object file. Removed redundant inner PROXYSQL40 fences inside the now-empty v3.x body of Plugin.h (kept the few that are inside the file-wide outer for clarity). PROXYSQL_PLUGIN_ABI_VERSION is now unconditionally 2 (the macro is no longer reachable from a v3.x compile, so the PROXYSQL40-vs-1 split is moot). * include/proxysql_glovars.hpp, lib/ProxySQL_GloVars.cpp: gate GloVars.plugin_modules field, all .clear() sites, the proxysql_load_plugin_modules_from_config declaration + definition. * include/proxysql_admin.h: gate materialize_plugin_tables and dispatch_plugin_admin_command<S> declarations. * lib/Admin_Bootstrap.cpp: gate `#include "ProxySQL_PluginManager.h"`, the `if (auto* m = proxysql_get_plugin_manager())` merge block, and the materialize_plugin_tables definition. * lib/Admin_Handler.cpp: delete the 16 LOAD_/SAVE_MYSQLX_* const std::vector<std::string> declarations entirely. Delete the helper resolve_admin_alias_to_canonical(). Delete the 16-deep if-ladder + the !PROXYSQL40 fallback dispatch branch. The remaining plugin dispatch is one generic call to proxysql_resolve_configured_plugin_admin_alias() inside an #ifdef PROXYSQL40 block; v3.x compiles it out entirely. Core now holds no plugin-specific knowledge of any kind. * lib/ProxySQL_Admin.cpp: gate dispatch_plugin_admin_command template body + both explicit instantiations. * src/main.cpp: gate `#include "ProxySQL_PluginManager.h"`, GloPluginManager declaration, all four wrapper functions (LoadConfiguredPlugins / InitConfiguredPlugins / StartConfiguredPlugins / StopConfiguredPlugins), the StopConfiguredPlugins call inside UnloadPlugins, the four-phase orchestration in ProxySQL_Main_init_phase2___not_started, the GloVars.plugin_modules.clear() and the proxysql_load_plugin_modules_from_config call in ProxySQL_Main_process_global_variables. v3.x builds reduce that whole block to a single ProxySQL_Main_init_Admin_module call. * plugins/mysqlx/src/mysqlx_plugin.cpp, plugins/mysqlx/src/mysqlx_admin_schema.cpp: drop the !PROXYSQL40 fallback paths. The plugin only loads under PROXYSQL40 now (no loader exists in v3.x), so the legacy combined-init code path and the 16 fallback register_command() calls were dead code. The descriptor unconditionally wires register_schemas; mysqlx_init holds only context setup. * Makefile (top-level): the four build_src_* recipes that recurse into plugins/mysqlx are wrapped in `$(if $(filter 1,$(PROXYSQL40)),...)`. v3.x builds emit "[skip] mysqlx plugin (PROXYSQL40 not set)" instead of building the .so. Clean targets stay unconditional. * test/tap/tests/unit/mysqlx_admin_alias_resolution_unit-t.cpp: delete the test (it covered resolve_admin_alias_to_canonical, which is itself deleted). Remove from unit Makefile UNIT_TESTS list. Verification: * v3.0 stable build (`make`, no flags): - Produces 147 MB src/proxysql binary - `nm src/proxysql \| grep -cE 'invoke_register_schemas_phase\|GloPluginManager\|materialize_plugin_tables'` -> 0 - mysqlx plugin .so is correctly skipped: "[skip] mysqlx plugin (PROXYSQL40 not set)" * PROXYSQLGENAI=1 build (cascades PROXYSQL40/31/FFTO/TSDB): - Produces 200 MB src/proxysql binary with chassis symbols - mysqlx plugin .so built (9.2 MB), contains mysqlx_register_schemas * All 5 plugin unit tests pass under PROXYSQL40: plugin_config_unit-t 48/48 plugin_dispatch_unit-t 52/52 plugin_lifecycle_unit-t 26/26 plugin_query_hook_unit-t 46/46 plugin_prometheus_unit-t 10/10	1 month ago
Wazir Ahmed	885712c679	Merge branch 'v3.0' into session-track-system-variable	1 month ago
Rene Cannao	ab9d5a1036	fix(plugin-chassis): address deep-review findings Follow-up to `cd48c5613` (PROXYSQL40 gating commit). Multiple reviewers reported issues ranging from descriptor-layout UB to test false-positives; this commit resolves all of them. Showstoppers fixed: * plugins/mysqlx/Makefile: PROXYSQL40 (and all feature-tier flags) are now propagated from the top-level Makefile and converted to -DPROXYSQL40 in CXXFLAGS. Before this, PROXYSQL40=1 built a v4 core that dlopen'd a 6-field v3 mysqlx descriptor, and the loader then read past the end of the plugin's static struct. Top-level Makefile's four plugins/mysqlx recursive-make invocations now pass PROXYSQL40=$(PROXYSQL40); the test/tap/tests/unit mysqlx_plugin_build rule does the same. * ABI version gating (S2/S3): add PROXYSQL_PLUGIN_ABI_VERSION macro to ProxySQL_Plugin.h (1 without PROXYSQL40, 2 with). Plugins set descriptor.abi_version from this macro. Loader rejects abi_version < 1 or > PROXYSQL_PLUGIN_ABI_VERSION_MAX. The register_schemas field is only read when abi_version >= 2 -- a v1 plugin's 6-field descriptor is no longer dereferenced past its own layout even when loaded by a v4 core. ScopedRegistryTarget RAII guard replaces the inline g_registry_target = this / = nullptr pairs so exceptions from plugin callbacks can't leave the globals dirty. * Admin_Handler TOCTOU: proxysql_resolve_configured_plugin_admin_alias now returns std::string by value instead of const char. The previous signature borrowed a c_str() from inside commands_ under the plugin manager lock; callers then released the lock before dispatch, and a concurrent reload between the two calls could dangle the pointer. Returning by value copies the canonical SQL out while the lock is still held. test_phase_b_db_handles_are_null was a false-positive trap: it logged "null" whenever the getter pointer was null OR returned null, so a regression to get_admindb = nullptr would have silently passed. The fake plugin now emits three distinct markers (phase_b_getter_null vs phase_b_handles_null vs phase_b_handles_live); the test asserts the exact contract (non-null function pointer that returns nullptr). * Snapshot stubs contract: the header claimed Phase D services are "every field LIVE", but get_mysql_users_snapshot et al. point to a nullptr-returning stub in every phase. Header now explicitly documents that snapshot getters are not yet implemented and plugins MUST treat null return as "not available" across every phase. * stop() teardown symmetry: stop_all() previously skipped plugins that succeeded init() but failed start(). Resources allocated in init would leak. Now stop_all() runs stop() for every plugin where initialized=true, irrespective of started. proxysql_plugin_stop_cb's header docstring documents this: stop pairs with init, not start. * register_schemas partial-failure rollback: if a plugin's register_schemas registered some tables/commands and then returned false, the registry kept the partial registrations. A retry (same plugin, bug fixed) would then duplicate-fail. Both invoke_register_schemas_phase and init_all now snapshot the registration counts before invoking the plugin callback and truncate back on failure. Tightened / documented: * alias normalization delta (PROXYSQL40 collapses whitespace and trims trailing ';', !PROXYSQL40 is length-strict) is documented in canonicalize_plugin_command's docstring as an intentional UX improvement for the chassis tier, not a regression. * init-after-publish ordering invariant documented at both the publish site (proxysql_load_configured_plugins Phase-B branch) and at proxysql_init_configured_plugins. Phase D writes to commands_ / mysql_query_hook_ / pgsql_query_hook_ on the already-published manager; safe today because ProxySQL_Main_init_phase3___start_all runs strictly after Phase D, so no thread ever observes the manager during its Phase-D mutations. * Phase-D failure path documented: treated as fatal startup error (exit(EXIT_FAILURE) in main.cpp). Plugins that succeeded init() are still torn down via stop_all() during process teardown, now that stop pairs with init. Runtime reload is out of scope for this iteration. * Admin_Bootstrap.cpp materialize_plugin_tables(): removed duplicate ATTACH DATABASE calls for "disk" and "stats". init_sqlite3db() in the same startup flow attaches them first; a duplicate ATTACH errors out in SQLite. * test/tap/tests/unit/Makefile PROXYSQL31 autodetection: previously used the same probe symbol (MySQLFFTO) as PSQLFFTO, which collapsed PROXYSQL31 onto PROXYSQLFFTO. Now PROXYSQL31 is set when either PROXYSQLFFTO or PROXYSQLTSDB is detected (matching the top-level cascade's PROXYSQL31 => FFTO && TSDB). Tests added (all under PROXYSQL40 only): * plugin_lifecycle_unit-t: - test_phase_b_partial_failure_rolls_back: plugin registers a table then returns false; rollback verified by retrying the same plugin with the failure toggle cleared -- succeeds. - test_stop_runs_when_start_fails: exercises the init-success / start-failure path and asserts stop() marker in log. - test_bogus_abi_version_rejected: loads a descriptor with abi_version=99; loader rejects with "unsupported plugin ABI version" and init is not called. - plan(26), up from plan(14). * plugin_dispatch_unit-t: - test_cross_plugin_command_collision: loads both fake_plugin and fake_plugin2 as real .so's, both registering the same admin-command SQL; init fails with a message naming the collision. Complements the same-manager API-level collision test already present. - plan(52), up from plan(50). * plugin_query_hook_unit-t: - test_embedded_nul_in_query_text: dispatch with an embedded NUL in query_text asserts the full length_len byte range reaches the hook intact (not strlen-truncated). - test_reentrant_dispatch_across_protocols: mysql-hook callback re-enters dispatch_query_hook(pgsql). Asserts no deadlock and correct inner-hook invocation count. - plan(46), up from plan(41). Total plugin unit tests: 48 (config) + 52 (dispatch) + 26 (lifecycle) + 41 (prometheus) + 46 (query_hook) = 213 under PROXYSQL40; 47 + 32 = 79 under v3.1 non-chassis.	1 month ago

1 2 3 4 5 ...

2537 Commits (6d8dff293973edd1be9cc67be03aac400e85cb4c)