Fix data loss when inserting duplicate values during a migration

[ggilder]

Related issue: #1636

Description

This PR fixes a critical data loss bug in gh-ost's --panic-on-warnings mode that could silently delete rows when adding unique indexes to columns with duplicate values during binlog replay.

Problem

gh-ost could silently lose data when migrations add unique indexes to columns, even with --panic-on-warnings enabled. This occurred due to the use of REPLACE INTO for binlog event replay, which silently deletes conflicting rows instead of generating warnings.

Example Scenario

Migration: Add unique index to email column

Original table: id (PRIMARY KEY), email (no unique constraint)
Ghost table: id (PRIMARY KEY), email (UNIQUE - being added)

Initial state (after bulk copy):

Ghost table:
  (id=1, email='bob@example.com')
  (id=2, email='alice@example.com')

During postponed cutover:

• INSERT (id=3, email='bob@example.com') into original table
• Binlog replay applies to ghost table: REPLACE INTO ghost_table VALUES (3, 'bob@example.com')
• Duplicate email='bob@example.com' conflicts with existing row id=1
• Row with id=1 silently deleted → DATA LOSS

Root Cause

The REPLACE statement behavior:

• Deletes conflicting rows on ANY unique index violation
• Does NOT generate warnings or errors

Solution

Replace REPLACE with INSERT IGNORE + Warning Detection

Changed DML replay from:

REPLACE INTO ghost_table (id, email) VALUES (3, 'bob@example.com');

To:

INSERT IGNORE INTO ghost_table (id, email) VALUES (3, 'bob@example.com');

INSERT IGNORE behavior:

• Skips insert on ANY unique index violation
• Generates WARNING (detectable by PanicOnWarnings)
• Does NOT delete existing rows

Added warning detection in ApplyDMLEventQueries() when PanicOnWarnings is enabled:

1. Executes SHOW WARNINGS after batch execution
2. Ignores duplicates on migration unique key (expected - row already copied in bulk phase)
3. Fails migration for duplicates on other unique indexes
4. Transaction rollback ensures no partial state

• contributed code is using same conventions as original code
• script/cibuild returns with no formatting errors, build errors or unit test errors.

(edited to remove references to Fatale/panic behavior, this will be tackled in a separate PR)

[Copilot]

Pull request overview

This PR addresses a critical correctness issue in gh-ost binlog replay when adding unique indexes by switching DML replay semantics to avoid REPLACE-driven row deletion, and adds warning-based failure behavior for PanicOnWarnings during replay (plus a change intended to make panic-aborts recoverable for library usage).

Changes:

• Switch DML insert replay from REPLACE to INSERT IGNORE (SQL builder + tests).
• Add SHOW WARNINGS detection in ApplyDMLEventQueries() to fail migrations on unexpected warnings when PanicOnWarnings is enabled.
• Change panic-abort handling from os.Exit-style fatal logging to panic(err) and add regression tests for duplicate/warning scenarios.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
go/sql/builder.go	Updates generated DML insert statement from REPLACE to INSERT IGNORE.
go/sql/builder_test.go	Updates expectations for the new insert statement form.
go/logic/applier.go	Adds warning detection/rollback path for replay when PanicOnWarnings is enabled.
go/logic/applier_test.go	Adds integration test ensuring duplicate on non-migration unique index triggers failure without data loss.
go/logic/applier_delete_insert_test.go	Adds integration tests around UPDATE→DELETE+INSERT behavior with INSERT IGNORE + warnings.
go/logic/migrator.go	Changes panic-abort handler from fatal exit to panic(err).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

rows.Err() is checked before iterating, but errors that occur during iteration will only surface after the loop. Add a rows.Err() check after the for rows.Next() loop so iteration errors don't get ignored in PanicOnWarnings mode.

[ggilder]

Also copied from existing code — may be worth fixing in both places

[meiji163]

Thanks for the PR @ggilder. This was a known issue when @grodowski introduced --panic-on-warnings. Unfortunately we can't use INSERT IGNORE instead of REPLACE INTO because the binlog applier must overwrite rows that were copied to the ghost table. The binlog applier is responsible for inserting the latest version of the row, while INSERT IGNORE would keep the old one

[ggilder]

@meiji163 I'm not sure I understand the problem with INSERT IGNORE, can you elaborate with an example scenario where INSERT IGNORE would be incorrect? My reading of the code is that, with both bulk copy and binlog replay using INSERT IGNORE, we would have correct handling of inserts and updates that occur during the migration:

Scenario 1: Binlog event first, then bulk copy
T1: INSERT id=1, 'Alice' → binlog event
T2: Binlog replay: INSERT IGNORE id=1, 'Alice' → inserts
T3: Bulk copy: INSERT IGNORE (SELECT id=1, 'Alice' ...) → skips
Result: 'Alice'

Scenario 2: Bulk copy first, then binlog event
T1: INSERT id=1, 'Alice' → binlog event captured
T2: Bulk copy: INSERT IGNORE (SELECT id=1, 'Alice' ...) → inserts
T3: Binlog replay: INSERT IGNORE id=1, 'Alice' → skips
Result: 'Alice'

Scenario 3: With updates
T1: INSERT id=1, 'Alice' → binlog Q1
T2: UPDATE id=1 to 'Bob' → binlog Q2
T3: Bulk copy sees current state: INSERT IGNORE id=1, 'Bob' → inserts
T4: Binlog replay Q1: INSERT IGNORE id=1, 'Alice' → skips (id=1 exists)
T5: Binlog replay Q2: UPDATE id=1 to 'Bob' → no-op (already 'Bob')
Result: 'Bob'

[ggilder]

I'm removing the code changes to replace Fatale with panic since they weren't quite correct and are not related to the data loss issue. Will tackle that in a separate PR.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

SHOW WARNINGS only reports warnings for the most recently executed statement. Since the DML batch is executed as a single multi-statement, warnings generated by earlier statements in the batch can be missed, which undermines PanicOnWarnings and can reintroduce silent data loss. Consider disabling multi-statement batching when PanicOnWarnings is enabled (execute each statement and check warnings after each), or otherwise capture warning counts per statement.

[Copilot]

On rows.Scan failure, this logs and continues, which can cause real warnings to be ignored and the transaction to commit even though PanicOnWarnings is enabled. It’s safer to treat scan errors as fatal here (rollback/return error) so warning handling can’t silently degrade.

Suggested change

	this.migrationContext.Log.Warningf("Failed to read SHOW WARNINGS row")
	continue
	return rollback(err)

[ggilder]

Copied from existing code; will consider fixing in both places

[ggilder]

@meiji163 I've pushed up some commits to address Copilot feedback. I still need to make changes to address the issues around SHOW WARNINGS with a batch of inserts, but first I'd like to understand your comment about INSERT IGNORE — please let me know what you think of #1633 (comment)

[meiji163]

@ggilder Scenario such as this

T0: INSERT INTO table id=1, name='Alice'
T1: Row copier: INSERT IGNORE INTO _table_gho id=1, name='Alice'
T2: UPDATE table SET name='Bob' WHERE id=1
T3: Binlog applier: INSERT IGNORE INTO _table_gho id=1, name='Bob'

Therefore the update is ignored by binlog applier

[ggilder]

@meiji163 I don't think T3 in your example would be an INSERT IGNORE though. The Applier would see an UpdateDML event (source), which would be handled by NewDMLUpdateQueryBuilder, generating an UPDATE statement (source).

[meiji163]

@ggilder Aha I forgot that, then it does seem OK. I will do a few internal tests