From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id CBA506EC40; Thu, 12 Aug 2021 19:59:38 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org CBA506EC40 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1628787578; bh=BY+omM/TznP1Td51Kx5vRPgv+abwZyaNbJa4m9xt4z8=; h=To:References:Date:In-Reply-To:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=jvJSndFCo01z2Xae1GudDVv0TmOW04jOtl9VP/bLksf127Hz4SdqBPB7svJPRJIMa am8nRQ9Fe/1UvmI/8gW6MZ8Wv7KA1Q4tEILd7yvfZ/4anzuUCx7PMwbiJdPYmSsnFb mela/UAD5bGem7EXzZT3fh0mr9vnvUIuu9CBTswo= Received: from smtp41.i.mail.ru (smtp41.i.mail.ru [94.100.177.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 56F446EC40 for ; Thu, 12 Aug 2021 19:59:37 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 56F446EC40 Received: by smtp41.i.mail.ru with esmtpa (envelope-from ) id 1mEE3L-0004eQ-QR; Thu, 12 Aug 2021 19:59:37 +0300 To: Cyrill Gorcunov References: <20210804190752.488147-1-gorcunov@gmail.com> <20210804190752.488147-4-gorcunov@gmail.com> <7e881b83-478c-6bc0-615d-ade811da8471@tarantool.org> <2f3274e6-80c4-1d07-b739-c8d758447fe1@tarantool.org> Message-ID: <16ea63fc-cd91-6622-6cf4-d3be54fcbac7@tarantool.org> Date: Thu, 12 Aug 2021 19:59:31 +0300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.12.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-4EC0790: 10 X-7564579A: 646B95376F6C166E X-77F55803: 4F1203BC0FB41BD92087353F0EC44DD972FF4A7D76DB5E242D14FEF1BD8BF4AC182A05F538085040AF49ACB6EDE07A202C0886B41CD871D9D7D2CA7F42A31C6869AFB9A36EB47E3D X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE70312E9A300D47E3BEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637369CDFF96C7994428638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D8B4B69604EB2F023C1844570EA3561AA1117882F4460429724CE54428C33FAD305F5C1EE8F4F765FC55B19328CBC4F849A471835C12D1D9774AD6D5ED66289B52BA9C0B312567BB23117882F44604297287769387670735201E561CDFBCA1751FE5D25F19253116ADD2E47CDBA5A96583BA9C0B312567BB2376E601842F6C81A19E625A9149C048EE437C869540D2AB0FB341D7040ADD27A2D8FC6C240DEA7642DBF02ECDB25306B2B78CF848AE20165D0A6AB1C7CE11FEE3A7DFDF579AB090EFBA3038C0950A5D36B5C8C57E37DE458B0BC6067A898B09E46D1867E19FE14079C09775C1D3CA48CF3D321E7403792E342EB15956EA79C166A417C69337E82CC275ECD9A6C639B01B78DA827A17800CE74ABCC139FF3F849B731C566533BA786AA5CC5B56E945C8DA X-C1DE0DAB: 0D63561A33F958A5DD6E717C8282AE8D42448FA6528828161DC16544AB38208FD59269BC5F550898D99A6476B3ADF6B47008B74DF8BB9EF7333BD3B22AA88B938A852937E12ACA75A130F49D908D5024410CA545F18667F91A7EA1CDA0B5A7A0 X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D3482189E76C6218D8FDFDF14BE9265CE1438BD79DECA2912D58536AD594B7A45048F3102A8FDDC6BF31D7E09C32AA3244CC12E0BE496A40D5E8D813A9223F1F588A95CA90A1D8AC565FACE5A9C96DEB163 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojKW4rnL99YhIs4yIP6TSjrg== X-Mailru-Sender: DCB18673505F245B5D9D3B35E842BD3C7345F12F8485F9C6626D87D7FEF12BC2EC924B4D5A5E1CC3841FB911095AA09146E8006E22572C39C920B61C43410E8717BDA556287159EE9437F6177E88F7363CDA0F3B3F5B9367 X-Mras: Ok Subject: Re: [Tarantool-patches] [PATCH v10 3/4] limbo: filter incoming synchro requests X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Vladislav Shpilevoy via Tarantool-patches Reply-To: Vladislav Shpilevoy Cc: tml Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" On 10.08.2021 17:36, Cyrill Gorcunov wrote: > On Tue, Aug 10, 2021 at 03:31:04PM +0300, Vladislav Shpilevoy wrote: >>> >>> | I could add some operations here but not sure if it worth it. >>> >>> Letme state it clear then - I could add this assert() if you insist >>> but I think we aready spread too many assertions all over the code, >>> and if it is possible I would be glad not to add new ones. After all >>> either we should add this assert() to each filter chain or not add >>> at all, otherwise there will be kind of code imbalance. >> >> What is wrong with the assertions that you don't like adding them? >> You add panics quite often, and they cost some perf. But asserts >> just help to catch bugs and cost nothing in Release build. > > I personally think that either some particular condition is critical > so that you can't continue execution if it failed and because of this > it must be tested even in release builds. And here panic() is needed. > Or it is not critical and we don't need assert(). In particular for filtering > case if we ocasionally called it where should not then it might trigger a > false positive error breaking the replication but not corrupting data, > and in such case it is ok and no assertion is needed. In reverse case, > say enabling filtering in wrong place would cause data corruption then > we need a panic not assert. So I don't see much point in assert calls > at all. Surely I can add it if you prefer. Simply don't like. > > You know, we've been talking with Serge today about enabling filtering > all the time because this looks pretty fishy that I do turn it on/off. > So I'm working on removing this code and the question with assert will > disappear on its own. Assertions help to catch tons of rubbish during tests. Like they do quite often. Just grep by 'assert' in our github tickets. So please, add them in all the non-trivial places. It is easier to drop trivial ones on a review than try to spot places lacking the asserts. >>>>>>> +static int >>>>>>> +filter_confirm_rollback(struct txn_limbo *limbo, >>>>>>> + const struct synchro_request *req) >>>>>>> +{ >>>>>>> + /* >>>>>>> + * When limbo is empty we have nothing to >>>>>>> + * confirm/commit and if this request comes >>>>>>> + * in it means the split brain has happened. >>>>>>> + */ >>>>>>> + if (!txn_limbo_is_empty(limbo)) >>>>>>> + return 0; >>>>>> >>>>>> 9. What if rollback is for LSN > limbo's last LSN? It >>>>>> also means nothing to do. The same for confirm LSN < limbo's >>>>>> first LSN. >>>>> >>>>> static void >>>>> txn_limbo_read_rollback(struct txn_limbo *limbo, int64_t lsn) >>>>> { >>>>> --> assert(limbo->owner_id != REPLICA_ID_NIL || txn_limbo_is_empty(limbo)); >>>>> >>>>> txn_limbo_read_confirm(struct txn_limbo *limbo, int64_t lsn) >>>>> { >>>>> --> assert(limbo->owner_id != REPLICA_ID_NIL || txn_limbo_is_empty(limbo)); >>>>> >>>>> Currently we're allowed to process empty limbo if only owner is not nil, >>>>> I think I should add this case here. >>>> >>>> My question is not about the owner ID. I asked what if rollback/confirm >>>> try to cover a range not present in the limbo while it is not empty. If >>>> it is not empty, it has an owner obviously. But it does not matter. >>>> What if it has an owner, has transactions, but you got ROLLBACK/CONFIRM >>>> for data out of the LSN range present in the limbo? >>> >>> Since the terms are matching I think such scenarion should be fine, right? >>> IOW, some old replica has been stopped for some reason and been living out >>> of quorum for some time thus such requests should be considered as OK to >>> pass and when filter accepts them the will reach txn_limbo_read_confirm >>> or txn_limbo_read_rollback where they will be simply ignored as far as I >>> unrestand. IOW, such requests are valid, no? >> >> If a replica is outdated, it should not matter. It will receive the needed >> data in order anyway. Like if the data was just sent. Hence, it seems >> irrelevant whether it is outdated. And still looks the same as the thing >> you are trying to filter out (when the limbo is empty = confirm/rollback >> do not cover anything too). > > Wait, Vlad, I don't understand. When packet comes in we verify for terms > matching, if it doesn't match then we drop the request with error. Now > assume the term is valid and we get confirm/rollback over already processed > entry. Initially I though it is an error due to split-brain because there > is no data in limbo which we can compare against. Then I looked into > txn_limbo_read_confirm and the code silently passes if queue is empty > so I presumed that I simply need to convert the assert() above into > the real verification condition. And after your reply I confused again. > > Assume I'm a replica and have no data in limbo, if I obtain some > confirm/rollback it means the master node did some transactions behind my > back so I should refuse to proceed and refetch all data again, right? > > Another scenario is that I'm the leader node sent some transactions > then gathered the quorum and make limbo empty, at some moment the > replica will send me confirm packet back and I should simply advance > the vclock and ignore this packet, correct? You have an answer in your question - why a valid replica would send you a confirm on its own? Only your own confirms are valid since you are the leader from now on. If you are talking about the replica sending you your own confirm - it can't happen. Your own data is not sent back to you. Sometimes it can be delivered indirectly, but it is simply filtered out as already applied in the applier and never reaches spaces, limbo, wal or anything else.