reset-replication: refuse Mode B (live data-file corruption)

sle-c · sle-c · commit e157523f194c · 2026-04-22T02:04:00.000-04:00
If the pre-teardown checkpoint fails with a DatabaseCorrupt / malformed
error, the live data file itself is corrupt. Rebuilding the wallog from
corrupt data would just propagate the corruption AND leave the namespace
in a broken state (the destroy-then-make sequence fails halfway, leaving
NamespaceDoesntExist).

Now the endpoint returns 500 with an explicit error message pointing the
operator to a restore-from-backup path, without destroying the in-memory
namespace first. The namespace stays loaded and returns the underlying
corruption error to subsequent reads — a true observability signal.

Verified with /tmp/test_mode_b.sh: before fix, namespace went to 404
after reset; after fix, namespace stays loaded with 'malformed database
schema' error. Mode A happy path (wallog corruption, live data OK)
unchanged: 1135ms p95 over 3 reps, 100% data preserved.
diff --git a/libsql-server/src/namespace/store.rs b/libsql-server/src/namespace/store.rs
@@ -256,9 +256,34 @@ impl NamespaceStore {
 
         // (1) Checkpoint before we tear down in-memory state so the data
         //     file has everything the WAL was holding.
+        //
+        //     If checkpoint fails with a `DatabaseCorrupt` / `malformed`
+        //     error, the live data file itself is corrupt. Rebuilding the
+        //     wallog from a corrupt data file would just propagate the
+        //     corruption — so bail out BEFORE we destroy the in-memory
+        //     namespace. The caller should fall back to a restore-from-
+        //     backup path (Mode B), not this endpoint.
         if let Some(ns) = lock.as_ref() {
-            if let Err(e) = ns.checkpoint().await {
-                tracing::warn!("reset_replication: checkpoint failed: {e}; proceeding anyway");
+            match ns.checkpoint().await {
+                Ok(()) => {}
+                Err(e) => {
+                    let msg = e.to_string();
+                    let is_live_db_corrupt = msg.contains("malformed")
+                        || msg.contains("DatabaseCorrupt")
+                        || msg.contains("database disk image")
+                        || msg.contains("file is not a database");
+                    if is_live_db_corrupt {
+                        return Err(Error::Internal(format!(
+                            "reset_replication: live data file appears corrupt \
+                             (checkpoint failed: {e}); refusing to rebuild \
+                             replication log from corrupt data. Use a \
+                             restore-from-backup procedure instead."
+                        )));
+                    }
+                    tracing::warn!(
+                        "reset_replication: checkpoint failed: {e}; proceeding anyway"
+                    );
+                }
             }
         }
 
