Undo Phase in ARIES Recovery

Consider a troubling scenario: the database system crashes during the undo phase of recovery. You were halfway through rolling back three incomplete transactions when power failed. What happens when the system restarts?

Without special precautions, you'd face a dilemma: some undo operations succeeded, some pages have been reverted, but there's no record of this progress. Do you restart undo from the beginning? That could apply before-images twice, corrupting data. Do you skip what was already done? But how do you know what was done?

Compensation Log Records (CLRs) solve this problem elegantly. They are special log records that document undo operations, making them durable and allowing recovery to "repeat history" for undos just as it does for regular operations.

Before diving into CLR structure, let's thoroughly understand the problem they solve. Imagine we're undoing a transaction T1 that made three updates:

T1's Log Records:

• LSN 100: T1 updates page P1 (A→B)
• LSN 200: T1 updates page P2 (X→Y)
• LSN 300: T1 updates page P3 (M→N)
• [CRASH - no commit record]

During recovery's undo phase:

1. We undo LSN 300: restore P3 to M
2. We undo LSN 200: restore P2 to X
3. [CRASH DURING UNDO]

Now the system restarts again. What state are we in?

The Key Insight:

CLRs turn undo operations into regular logged operations that follow the same rules as everything else:

• They're written to the log before the page modification is considered durable
• They're replayed during redo just like regular updates
• They contain enough information to re-apply the undo if needed

This elegantly reuses the existing redo machinery to handle crash-during-undo scenarios, without requiring any special case logic.

A Compensation Log Record has a specific structure designed to support both redo (during recovery) and undo-chain management. Let's examine each field:

Standard Log Record Fields: Like all log records, CLRs have an LSN, transaction ID, and PrevLSN. These enable the CLR to be part of the transaction's log chain.

CLR-Specific Fields:

• UndoNextLSN: Points to the next log record that needs to be undone (crucial for skipping)
• Redo Information: Contains the action that the CLR records (the undo operation itself)
• Type identifier: Marks this as a CLR rather than a regular update

The UndoNextLSN Field Explained:

This is the most important field in a CLR. Understanding it is key to understanding how ARIES handles crash-during-undo:

1. When we undo a log record at LSN X, that record has a PrevLSN field
2. The CLR's undoNextLSN = that PrevLSN value
3. This tells future undo phases: "The next record to undo is at this LSN"
4. If the original record had PrevLSN = null, undoNextLSN = null, meaning "undo complete"

This creates a shortcut chain: during undo, when we encounter a CLR, we jump directly to undoNextLSN instead of walking through all the intermediate records.

A fundamental property of CLRs is that they are never undone. This might seem strange at first—if we can undo regular updates, why can't we undo CLRs? The answer lies in what it would mean to undo an undo.

The Logical Contradiction:

Suppose transaction T1 updated page P, changing value A to B:

• Original update: A → B (logged at LSN 100)
• Undo (CLR): B → A (logged at LSN 500, undoNextLSN = null)

If we "undid" the CLR, we would be:

• Reversing the CLR: A → B ???

But wait—this would re-apply the original change! We'd be putting T1's uncommitted change back into the database. This completely defeats the purpose of undo.

The ARIES Solution:

ARIES makes a clean design choice: CLRs are redo-only. They have no "undo" information because the concept doesn't make sense. During undo processing:

• Regular updates: undo them, write CLR
• CLRs: follow undoNextLSN, don't undo

Mathematical Perspective:

If we denote the original operation as O (with inverse O⁻¹), then:

• The update log record represents O
• The CLR represents O⁻¹

Undoing the CLR would be (O⁻¹)⁻¹ = O, which brings us back to the original operation. But we're trying to remove the effects of O! The only sensible approach is to treat CLRs as facts about the undo process, not as reversible operations.

The Practical Implication:

Because CLRs are redo-only, they're simpler than regular update records. They don't need a "before-before-image" (what the data was before the undo). They only need enough information to redo the undo if there's another crash. This is why CLRs can be smaller than the original update records in some cases.

CLRs form a chain through their undoNextLSN pointers that provides efficient navigation during undo. This chain is separate from (but connected to) the regular PrevLSN chain that links all records for a transaction.

Two Interleaved Chains:

1. PrevLSN Chain: Links all log records for a transaction chronologically (updates and CLRs)
2. UndoNextLSN Chain: Provides shortcuts through the undo progress, skipping what's already done

Let's visualize this with a concrete example:

In the diagram above:

• Teal boxes are original UPDATE records from T1
• Yellow boxes are CLRs written during undo
• Red markers indicate crash points
• Solid arrows show the PrevLSN chain (chronological order)
• Dotted arrows show the undoNextLSN chain (undo progress)

Walking Through the Scenario:

1. T1 makes three updates (LSN 100, 200, 300), then crashes
2. Recovery #1: Undo starts with LSN 300, writes CLR at 450 (undoNextLSN=200)
3. Undo continues with LSN 200, writes CLR at 500 (undoNextLSN=100)
4. Crash #2 occurs before completing
5. Recovery #2: Redo replays CLR 450 and 500
6. Undo sees T1 in table with lastLSN=500 (the last CLR)
7. Read CLR at 500, follow undoNextLSN to 100
8. Undo LSN 100, write CLR at 600 (undoNextLSN=null)
9. Write END record—T1 is fully rolled back

When a CLR is written for an undo operation, the affected page's PageLSN is updated to the CLR's LSN. This has important implications for the redo phase.

Why Update PageLSN?

The PageLSN on a page indicates: "This page reflects all log records up to and including this LSN." By setting PageLSN to the CLR's LSN:

1. Future redo phases know the undo is already applied to this page
2. The page is correctly marked as modified (dirty)
3. Crash during undo won't cause the undo operation to be lost

The Redo Phase Check:

During redo, for each log record (including CLRs), we check:

if (logRecord.lsn > page.pageLSN) {
    // Redo this operation - it wasn't persisted
    applyOperation(logRecord);
    page.pageLSN = logRecord.lsn;
} else {
    // Page already reflects this operation - skip
}

Timing Considerations:

The order of operations matters:

1. Latch the page first (exclusive access)
2. Apply the change to the page in memory
3. Write the CLR to the log (WAL protocol)
4. Update PageLSN to the CLR's LSN
5. Release latch (page may remain in buffer as dirty)

The WAL protocol requirement is critical: the CLR must be on stable storage before we consider the undo complete. In practice, systems often batch log writes, so the CLR might sit in the log buffer briefly. But before the page can be written to disk, the log must be forced to at least that CLR's LSN.

One of ARIES's most impressive properties is its ability to handle any number of crashes during recovery without losing progress or corrupting data. This is entirely due to the CLR mechanism.

Invariant: Progress is Always Preserved

No matter when a crash occurs:

• All completed undos are recorded as CLRs
• Redo will replay those CLRs, restoring the undo work
• Undo will see the CLRs and skip to undoNextLSN
• Only remaining work is done, never repeated work

Let's trace through a worst-case scenario with many crashes:

Key Observations:

1. Each crash loses zero progress: Every completed undo remains as a CLR in the log
2. Redo recreates undo state: The CLRs are replayed, putting pages in the right state
3. Undo skips completed work: undoNextLSN jumps past what's already done
4. Bounded work per recovery: We only undo records that weren't undone before

Theoretical Guarantee:

If a transaction has N updates to undo, the total work across any number of recoveries is still O(N). Each update is undone exactly once, and its CLR is potentially redone multiple times (on each recovery), but redo is cheap compared to undo.

CLRs add overhead to the log. For every update that gets undone, there's a corresponding CLR. This has implications for log space and performance.

Space Analysis:

• Each CLR is roughly the same size as the original update record
• In the worst case, rolling back a transaction doubles its log footprint
• For transactions that abort frequently, this can be significant
• However, log space is generally cheaper than the alternatives

Why Accept This Overhead?

The alternative approaches have their own costs:

Optimizations for CLR Size:

Some implementations reduce CLR overhead:

1. Compressed CLRs: Store only essential information; derive redo info from original record
2. CLR chaining: Batch multiple undos into fewer CLRs when safe
3. Logical undos: For some operations, a smaller logical representation suffices
4. Early log truncation: Once a transaction's END is written, its CLRs can be removed

Log Truncation:

CLRs are candidates for log truncation once:

• The transaction's END record is written and forced
• The CLR's LSN is less than the oldest checkpoint's begin LSN
• No active transaction needs to see these records

In practice, aggressive log truncation keeps log size manageable despite CLR overhead.

Compensation Log Records are the mechanism that makes ARIES's undo phase crash-recoverable. They represent a elegant solution to a subtle problem. Let's consolidate the key concepts:

What's Next:

With CLRs understood, we can explore the backward scan mechanism in detail on the next page. We'll see how ARIES efficiently processes the log in reverse order, using the ToUndo set and undoNextLSN pointers to minimize I/O while undoing multiple transactions in parallel.