[release-line-0.4] Don't rollback update history after migration (#2790)

* Don't rollback update history after migration

backport from #2674

We technically only need the change to the export format on 0.4 but
seems safer to backport the whole PR.

[ci]

---------

Signed-off-by: Oriol Muñoz <oriol.munoz@digitalasset.com>
Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>

---------

Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Signed-off-by: Oriol Muñoz <oriol.munoz@digitalasset.com>
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Co-authored-by: Oriol Muñoz <oriol.munoz@digitalasset.com>
Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>

* Sneak in release notes

[ci]

Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>

---------

Signed-off-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Signed-off-by: Oriol Muñoz <oriol.munoz@digitalasset.com>
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Co-authored-by: Oriol Muñoz <oriol.munoz@digitalasset.com>

Author: 3 people

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/migration/DomainMigrationInfo.scala

@@ -16,13 +16,20 @@ import scala.concurrent.{ExecutionContext, Future}
 /** Holds information about a hard domain migration
   *
   * @param currentMigrationId  The migration id of the current incarnation of the global domain.
-  * @param acsRecordTime       The record time at which the ACS snapshot was taken on the previous
-  *                            incarnation of the global domain.
-  *                            None if this is the first incarnation of the global domain.
   */
 final case class DomainMigrationInfo(
     currentMigrationId: Long,
-    acsRecordTime: Option[CantonTimestamp],
+    migrationTimeInfo: Option[MigrationTimeInfo],
+)
+
+/** @param acsRecordTime       The record time at which the ACS snapshot was taken on the previous
+  *                            incarnation of the global domain.
+  *                            None if this is the first incarnation of the global domain.
+  * @param synchronizerWasPaused True when we ran through a proper migration, false for disaster recovery
+  */
+final case class MigrationTimeInfo(
+    acsRecordTime: CantonTimestamp,
+    synchronizerWasPaused: Boolean,
 )
 
 object DomainMigrationInfo {
@@ -34,9 +41,13 @@ object DomainMigrationInfo {
     connection.ensureUserMetadataAnnotation(
       user,
       Map(
-        BaseLedgerConnection.DOMAIN_MIGRATION_ACS_RECORD_TIME_METADATA_KEY -> info.acsRecordTime
+        BaseLedgerConnection.DOMAIN_MIGRATION_ACS_RECORD_TIME_METADATA_KEY -> info.migrationTimeInfo
+          .map(_.acsRecordTime)
           .fold("*")(_.toProtoPrimitive.toString),
         BaseLedgerConnection.DOMAIN_MIGRATION_CURRENT_MIGRATION_ID_METADATA_KEY -> info.currentMigrationId.toString,
+        BaseLedgerConnection.DOMAIN_MIGRATION_DOMAIN_WAS_PAUSED_KEY -> info.migrationTimeInfo
+          .map(_.synchronizerWasPaused)
+          .fold("*")(_.toString),
       ),
       RetryFor.WaitingOnInitDependency,
     )
@@ -68,9 +79,22 @@ object DomainMigrationInfo {
           BaseLedgerConnection.DOMAIN_MIGRATION_CURRENT_MIGRATION_ID_METADATA_KEY,
         )
         .map(_.toLong)
+      synchronizerWasPaused <- connection
+        .waitForUserMetadata(
+          user,
+          BaseLedgerConnection.DOMAIN_MIGRATION_DOMAIN_WAS_PAUSED_KEY,
+        )
+        .map {
+          case "*" => None
+          case s =>
+            Some(s.toBoolean)
+        }
     } yield DomainMigrationInfo(
       currentMigrationId = currentMigrationId,
-      acsRecordTime = acsRecordTime,
+      migrationTimeInfo = for {
+        recordTime <- acsRecordTime
+        wasPaused <- synchronizerWasPaused
+      } yield MigrationTimeInfo(recordTime, wasPaused),
     )
   }
 }

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/store/UpdateHistory.scala

@@ -743,18 +743,82 @@ class UpdateHistory(
       historyId: Long
   )(implicit tc: TraceContext): Future[Unit] = {
     val previousMigrationId = domainMigrationInfo.currentMigrationId - 1
-    domainMigrationInfo.acsRecordTime match {
-      case Some(acsRecordTime) =>
+    domainMigrationInfo.migrationTimeInfo match {
+      case Some(info) =>
         for {
-          _ <- deleteAcsSnapshotsAfter(historyId, previousMigrationId, acsRecordTime)
-          _ <- deleteRolledBackUpdateHistory(historyId, previousMigrationId, acsRecordTime)
+          _ <-
+            if (info.synchronizerWasPaused) {
+              for {
+                _ <- verifyNoRolledBackAcsSnapshots(
+                  historyId,
+                  previousMigrationId,
+                  info.acsRecordTime,
+                )
+                _ <- verifyNoRolledBackData(historyId, previousMigrationId, info.acsRecordTime)
+              } yield ()
+            } else {
+              for {
+                _ <- deleteAcsSnapshotsAfter(historyId, previousMigrationId, info.acsRecordTime)
+                _ <- deleteRolledBackUpdateHistory(
+                  historyId,
+                  previousMigrationId,
+                  info.acsRecordTime,
+                )
+              } yield ()
+            }
         } yield ()
       case _ =>
         logger.debug("No previous domain migration, not checking or deleting updates")
         Future.unit
     }
   }
 
+  private[this] def verifyNoRolledBackData(
+      historyId: Long, // Not using the storeId from the state, as the state might not be updated yet
+      migrationId: Long,
+      recordTime: CantonTimestamp,
+  )(implicit tc: TraceContext): Future[Unit] = {
+    val action = DBIO
+      .sequence(
+        Seq(
+          sql"""
+            select count(*) from update_history_creates
+            where history_id = $historyId and migration_id = $migrationId and record_time > $recordTime
+          """.as[Long].head,
+          sql"""
+            select count(*) from update_history_exercises
+            where history_id = $historyId and migration_id = $migrationId and record_time > $recordTime
+          """.as[Long].head,
+          sql"""
+            select count(*) from update_history_transactions
+            where history_id = $historyId and migration_id = $migrationId and record_time > $recordTime
+          """.as[Long].head,
+          sql"""
+            select count(*) from update_history_assignments
+            where history_id = $historyId and migration_id = $migrationId and record_time > $recordTime
+          """.as[Long].head,
+          sql"""
+            select count(*) from update_history_unassignments
+            where history_id = $historyId and migration_id = $migrationId and record_time > $recordTime
+          """.as[Long].head,
+        )
+      )
+      .map(rows =>
+        if (rows.sum > 0) {
+          throw new IllegalStateException(
+            s"Found $rows rows for $updateStreamParty where migration_id = $migrationId and record_time > $recordTime, " +
+              "but the configuration says the domain was paused during the migration. " +
+              "Check the domain migration configuration and the content of the update history database."
+          )
+        } else {
+          logger.debug(
+            s"No updates found for $updateStreamParty where migration_id = $migrationId and record_time > $recordTime"
+          )
+        }
+      )
+    storage.query(action, "verifyNoRolledBackData")
+  }
+
   private[this] def deleteRolledBackUpdateHistory(
       historyId: Long, // Not using the storeId from the state, as the state might not be updated yet
       migrationId: Long,
@@ -849,6 +913,37 @@ class UpdateHistory(
       )
   }
 
+  def verifyNoRolledBackAcsSnapshots(
+      historyId: Long,
+      migrationId: Long,
+      recordTime: CantonTimestamp,
+  )(implicit tc: TraceContext): Future[Unit] = {
+    val action = sql"""
+          select snapshot_record_time from acs_snapshot
+          where history_id = $historyId and migration_id = $migrationId and snapshot_record_time > $recordTime
+        """
+      .as[CantonTimestamp]
+      .map(times =>
+        if (times.length > 0) {
+          throw new IllegalStateException(
+            s"Found acs snapshots at $times for $updateStreamParty where migration_id = $migrationId and record_time > $recordTime, " +
+              "but the configuration says the domain was paused during the migration. " +
+              "Check the domain migration configuration and the content of the update history database"
+          )
+        } else {
+          logger.debug(
+            s"No updates found for $updateStreamParty where migration_id = $migrationId and record_time > $recordTime"
+          )
+        }
+      )
+
+    storage
+      .query(
+        action,
+        "verifyNoRolledBackAcsSnapshots",
+      )
+  }
+
   /** Deletes all updates on the given domain with a record time before the given time.
     */
   def deleteUpdatesBefore(

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/store/db/DbMultiDomainAcsStore.scala

@@ -1909,16 +1909,48 @@ final class DbMultiDomainAcsStore[TXE](
   )(implicit tc: TraceContext): Future[Unit] = {
     txLogTableNameOpt.fold(Future.unit) { _ =>
       val previousMigrationId = domainMigrationInfo.currentMigrationId - 1
-      domainMigrationInfo.acsRecordTime match {
-        case Some(acsRecordTime) =>
-          deleteRolledBackTxLogEntries(txLogStoreId, previousMigrationId, acsRecordTime)
+      domainMigrationInfo.migrationTimeInfo match {
+        case Some(info) =>
+          if (info.synchronizerWasPaused) {
+            verifyNoRolledBackData(txLogStoreId, previousMigrationId, info.acsRecordTime)
+          } else {
+            deleteRolledBackTxLogEntries(txLogStoreId, previousMigrationId, info.acsRecordTime)
+          }
         case _ =>
           logger.debug("No previous domain migration, not checking or deleting txlog entries")
           Future.unit
       }
     }
   }
 
+  private[this] def verifyNoRolledBackData(
+      txLogStoreId: TxLogStoreId, // Not using the storeId from the state, as the state might not be updated yet
+      migrationId: Long,
+      recordTime: CantonTimestamp,
+  )(implicit tc: TraceContext) = {
+    val action =
+      sql"""
+            select count(*) from #$txLogTableName
+            where store_id = $txLogStoreId and migration_id = $migrationId and record_time > $recordTime
+          """
+        .as[Long]
+        .head
+        .map(rows =>
+          if (rows > 0) {
+            throw new IllegalStateException(
+              s"Found $rows rows for $txLogStoreDescriptor where migration_id = $migrationId and record_time > $recordTime, " +
+                "but the configuration says the domain was paused during the migration. " +
+                "Check the domain migration configuration and the content of the txlog database."
+            )
+          } else {
+            logger.debug(
+              s"No txlog entries found for $txLogStoreDescriptor where migration_id = $migrationId and record_time > $recordTime"
+            )
+          }
+        )
+    storage.query(action, "verifyNoRolledBackData")
+  }
+
   private[this] def deleteRolledBackTxLogEntries(
       txLogStoreId: TxLogStoreId, // Not using the storeId from the state, as the state might not be updated yet
       migrationId: Long,

apps/common/src/test/scala/org/lfdecentralizedtrust/splice/store/MultiDomainAcsStoreTest.scala

@@ -28,6 +28,7 @@ import org.lfdecentralizedtrust.splice.codegen.java.splice.api.token.{
 }
 import org.lfdecentralizedtrust.splice.codegen.java.splice.api.token.test.dummyholding.DummyHolding
 import org.lfdecentralizedtrust.splice.codegen.java.splice.api.token.test.dummytwointerfaces.DummyTwoInterfaces
+import org.lfdecentralizedtrust.splice.migration.MigrationTimeInfo
 
 import java.time.Instant
 import java.util.concurrent.atomic.AtomicReference
@@ -104,6 +105,7 @@ abstract class MultiDomainAcsStoreTest[
         GenericAcsRowData,
         GenericInterfaceRowData,
       ] = defaultContractFilter,
+      migrationTimeInfo: Option[MigrationTimeInfo] = None,
   ): Store
 
   protected type Store = S

apps/common/src/test/scala/org/lfdecentralizedtrust/splice/store/UpdateHistoryTest.scala

@@ -20,6 +20,7 @@ import org.lfdecentralizedtrust.splice.environment.ledger.api.{
   TransactionTreeUpdate,
   TreeUpdateOrOffsetCheckpoint,
 }
+import org.lfdecentralizedtrust.splice.migration.MigrationTimeInfo
 import org.lfdecentralizedtrust.splice.util.DomainRecordTimeRange
 
 import java.time.Instant
@@ -614,6 +615,83 @@ class UpdateHistoryTest extends UpdateHistoryTestBase {
         } yield succeed
       }
 
+      "tx rollbacks after migrations are handled correctly" in {
+        val t0 = time(1)
+        val t1 = time(2)
+        val store1 = mkStore(party1, migration1, participant1)
+        val store2TimeTooEarly = mkStore(
+          party1,
+          migration2,
+          participant1,
+          migrationTimeInfo = Some(MigrationTimeInfo(t0, synchronizerWasPaused = true)),
+        )
+        val store2TimeCorrect = mkStore(
+          party1,
+          migration2,
+          participant1,
+          migrationTimeInfo = Some(MigrationTimeInfo(t1, synchronizerWasPaused = true)),
+        )
+        for {
+          _ <- initStore(store1)
+          _ <- create(domain1, cid1, offset1, party1, store1, t0)
+          _ <- create(domain1, cid2, offset2, party1, store1, t1)
+          updates1 <- updates(store1)
+          ex <- recoverToExceptionIf[IllegalStateException](initStore(store2TimeTooEarly))
+          _ = ex.getMessage should include("Found List(1, 0, 1, 0, 0) rows")
+          _ <- initStore(store2TimeCorrect)
+          updates2 <- updates(store2TimeCorrect)
+        } yield {
+          checkUpdates(
+            updates1,
+            Seq(
+              ExpectedCreate(cid1, domain1),
+              ExpectedCreate(cid2, domain1),
+            ),
+          )
+          checkUpdates(
+            updates2,
+            Seq(
+              ExpectedCreate(cid1, domain1),
+              ExpectedCreate(cid2, domain1),
+            ),
+          )
+        }
+      }
+
+      "tx rollbacks after DR are handled correctly" in {
+        val t0 = time(1)
+        val t1 = time(2)
+        val store1 = mkStore(party1, migration1, participant1)
+        val store2TimeTooEarly = mkStore(
+          party1,
+          migration2,
+          participant1,
+          migrationTimeInfo = Some(MigrationTimeInfo(t0, synchronizerWasPaused = false)),
+        )
+        for {
+          _ <- initStore(store1)
+          _ <- create(domain1, cid1, offset1, party1, store1, t0)
+          _ <- create(domain1, cid2, offset2, party1, store1, t1)
+          updates1 <- updates(store1)
+          _ <- initStore(store2TimeTooEarly)
+          updates2 <- updates(store2TimeTooEarly)
+        } yield {
+          checkUpdates(
+            updates1,
+            Seq(
+              ExpectedCreate(cid1, domain1),
+              ExpectedCreate(cid2, domain1),
+            ),
+          )
+          checkUpdates(
+            updates2,
+            Seq(
+              ExpectedCreate(cid1, domain1)
+            ),
+          )
+        }
+      }
+
     }
 
     "getImportUpdates" should {

apps/common/src/test/scala/org/lfdecentralizedtrust/splice/store/UpdateHistoryTestBase.scala

@@ -9,7 +9,7 @@ import org.lfdecentralizedtrust.splice.environment.ledger.api.{
   ReassignmentUpdate,
   TransactionTreeUpdate,
 }
-import org.lfdecentralizedtrust.splice.migration.DomainMigrationInfo
+import org.lfdecentralizedtrust.splice.migration.{DomainMigrationInfo, MigrationTimeInfo}
 import org.lfdecentralizedtrust.splice.store.db.{AcsJdbcTypes, AcsTables, SplicePostgresTest}
 import com.digitalasset.canton.data.CantonTimestamp
 import com.digitalasset.canton.lifecycle.FutureUnlessShutdown
@@ -239,12 +239,13 @@ abstract class UpdateHistoryTestBase
       participantId: ParticipantId = participant1,
       storeName: String = storeName1,
       backfillingRequired: BackfillingRequirement = BackfillingRequirement.NeedsBackfilling,
+      migrationTimeInfo: Option[MigrationTimeInfo] = None,
   ): UpdateHistory = {
     new UpdateHistory(
       storage,
       DomainMigrationInfo(
         domainMigrationId,
-        None,
+        migrationTimeInfo,
       ),
       storeName,
       participantId,