Enforce that a prepared transaction's durable timestamp is greater than its prepare timestamp

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Timestamps
    • None
    • Storage Engines - Transactions
    • 876.849
    • SE Transactions - 2026-06-19
    • 3

      Problem

      WiredTiger's timestamp ordering rules require:

      prepare_timestamp <= commit_timestamp <= durable_timestamp

      However, the durable timestamp and the prepare timestamp share a stricter semantic relationship that is not currently validated: the durable timestamp must be strictly greater than the prepare timestamp. A durable timestamp equal to the prepare timestamp is logically unsound because:

      • The prepare timestamp marks the point at which the transaction entered the prepared state and is tentative — its effects are not yet committed or durable.
      • The durable timestamp marks the point at which the transaction's effects are guaranteed to survive a crash. Having durable_ts == prepare_ts conflates these two distinct moments and makes it impossible to distinguish, during recovery or MVCC reads, whether a given timestamp refers to a tentative prepare or a committed-and-durable value.
      • History store readers and the visibility logic rely on this gap to correctly handle prepared but not-yet-committed updates. Collapsing it can lead to incorrect reads or assertions in diagnostic builds.

      Proposed Fix

      In the timestamp validation path for commit/durable timestamp setting (__wt_txn_set_timestamp and its helpers in src/txn/txn_timestamp.c), add an explicit check:

      if (durable_ts <= prepare_ts)
    WT_RET_MSG(..., WT_EINVAL,
        "durable timestamp %s must be greater than the prepare timestamp %s");

      This should fire when WT_TXN_TS_DURABLE is being set on a transaction that already has a prepare timestamp recorded (WT_TXN_PREPARE flag set and prepare_timestamp populated).

      Acceptance Criteria

      • Setting a durable timestamp equal to or less than the prepare timestamp on a prepared transaction returns WT_EINVAL with a descriptive message.
      • Setting a valid durable timestamp (strictly greater than prepare timestamp) continues to work without error.
      • A new test (Python suite or csuite) explicitly covers the rejected equal-timestamp case and the accepted strictly-greater case.
      • Any existing tests that inadvertently used equal timestamps are updated to use a valid ordering.

            Assignee:
            [DO NOT USE] Backlog - Storage Engines Team
            Reporter:
            Chenhao Qu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: