storage: update the tscache appropriately after a merge #28793

benesch · 2018-08-18T18:04:50Z

@nvanbenschoten I figured this was in your wheelhouse but feel free to defer the review to @tschottdorf!

When applying a merge, teach the leaseholder of the LHS range to update
its timestamp cache for the keyspace previously owned by the RHS range
appropriately.

Release note: None

cockroach-teamcity · 2018-08-18T18:04:55Z

This change is

benesch

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

		// difficult.
		s.tsCache.SetLowWater(rightDesc.StartKey.AsRawKey(), rightDesc.EndKey.AsRawKey(), s.Clock().Now())
	}

I'm kind of unsure about all of this. Leases are finicky; is looking at r.mu.state.Lease like I do here correct? Is my statement about the chain of causality correct? And (as mentioned in the TODO) would it be better to thread the RHS's timestamp at the moment it executed the GetSnapshotForMerge request?

nvanbenschoten

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

Previously, benesch (Nikhil Benesch) wrote…

I'm kind of unsure about all of this. Leases are finicky; is looking at r.mu.state.Lease like I do here correct? Is my statement about the chain of causality correct? And (as mentioned in the TODO) would it be better to thread the RHS's timestamp at the moment it executed the GetSnapshotForMerge request?

The code here looks good based on my understanding of merges, but I'd like to understand the interactions a little better before signing off. What invariants does GetSnapshotForMerge place on requests on the RHS of the merge? I'm pretty sure it blocks all concurrent reads and writes (even those at larger timestamps?), but does it check the tscache or somehow ensure that no reads or writes have been performed earlier at larger timestamp? If not then I think we'll need to do what we're doing here. Also, it's not possible for a Range frozen by a GetSnapshotForMerge to transfer its lease without aborting the entire merge, right?

There's also an interesting optimization that you alluded to where we don't need to touch the tscache if the RHS replica on the same store also had the lease. I'm not sure whether this would be worth it or not.

benesch

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

What invariants does GetSnapshotForMerge place on requests on the RHS of the merge? I'm pretty sure it blocks all concurrent reads and writes (even those at larger timestamps?), but does it check the tscache or somehow ensure that no reads or writes have been performed earlier at larger timestamp?

So it declares that it reads and writes every key in the range to flush out the command queue before it executes. That flushes out even those commands that are executing at higher timestamps, if I'm understanding things correctly. It doesn't look at the tscache at all, though.

Also, it's not possible for a Range frozen by a GetSnapshotForMerge to transfer its lease without aborting the entire merge, right?

Right, it's not possible for the RHS to transfer its lease away after it's executed a GetSnapshotForMerge unless the merge is aborted. It is, however, possible for its lease to expire, and then another range can come along and acquire the lease. (See TestStoreRangeMergeRHSLeaseExpiration if you're curious.) But upon applying this lease, the new leaseholder will notice that a merge was initiated and refuse to serve any commands.

To summarize, I think the following is a true statement: after a GetSnapshotForMerge begins executing, the RHS's tscache will never be updated again unless the merge commits.

tbg

Reviewed 2 of 2 files at r1.
Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

Previously, benesch (Nikhil Benesch) wrote…

What invariants does GetSnapshotForMerge place on requests on the RHS of the merge? I'm pretty sure it blocks all concurrent reads and writes (even those at larger timestamps?), but does it check the tscache or somehow ensure that no reads or writes have been performed earlier at larger timestamp?

So it declares that it reads and writes every key in the range to flush out the command queue before it executes. That flushes out even those commands that are executing at higher timestamps, if I'm understanding things correctly. It doesn't look at the tscache at all, though.

Also, it's not possible for a Range frozen by a GetSnapshotForMerge to transfer its lease without aborting the entire merge, right?

Right, it's not possible for the RHS to transfer its lease away after it's executed a GetSnapshotForMerge unless the merge is aborted. It is, however, possible for its lease to expire, and then another range can come along and acquire the lease. (See TestStoreRangeMergeRHSLeaseExpiration if you're curious.) But upon applying this lease, the new leaseholder will notice that a merge was initiated and refuse to serve any commands.

To summarize, I think the following is a true statement: after a GetSnapshotForMerge begins executing, the RHS's tscache will never be updated again unless the merge commits.

If the RHS leaseholder is not colocated with the LHS and served a read at, say, 100 while the LHS leaseholder's clock bumbles around at 90, what makes sure the 100 is absorbed by the LHS' clock first? I think you're saying that we necessarily absorb a timestamp >= 100 when we send the GetSnapshotForMergeRequest (which btw we should probably rename) because the br.Timestamp will be set to the read timestamp (which will necessarily contain all read timestamps because of having declared all keys).

This seems reasonable, but the test doesn't seem to exercise it because (I think) the mtc shares the clocks across all nodes, so please add a test for this that exercises it more directly (or do anything else that establishes confidence).
I think the comment about causality could also be a little more specific. We've rarely relied on br.Timestamp for anything, let alone anything critical :-)
Another option is to return the batch timestamp as data from the GetSnapshotForMerge request, to make matters more explicit.

benesch

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

If the RHS leaseholder is not colocated with the LHS and served a read at, say, 100 while the LHS leaseholder's clock bumbles around at 90, what makes sure the 100 is absorbed by the LHS' clock first? I think you're saying that we necessarily absorb a timestamp >= 100 when we send the GetSnapshotForMergeRequest (which btw we should probably rename) because the br.Timestamp will be set to the read timestamp (which will necessarily contain all read timestamps because of having declared all keys).

Yep, this is about what I was thinking. I left the comment vague in the hopes that someone else could re-derive it without being led astray by subtle flaws in whatever reasoning I laid out.

because the br.Timestamp will be set to the read timestamp (which will necessarily contain all read timestamps because of having declared all keys).

AFAICT it's actually br.Now that distSender uses to update its clock. But the same reasoning applies.

Another option is to return the batch timestamp as data from the GetSnapshotForMerge request, to make matters more explicit.

Yeah, I'm not sold on this approach, but I was trying to follow what we do for lease transfers, which implicitly rely on causality. If we want to pass timestamps around explicitly, I think we can do better than using the batch timestamp of the GetSnapshotForMerge: we can use max(tscache.GetMaxRead(RHS), tscache.GetMaxWrite(RHS)), which is easy to compute when GetSnapshotForMerge executes.

Thoughts?

And yeah, to your parenthetical: I've got a PR prepared to rename it to SubsumeRequest.

tbg

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/storage/store.go, line 2473 at r1 (raw file):

we can use max(tscache.GetMaxRead(RHS), tscache.GetMaxWrite(RHS))

But that won't work if the RHS' leaseholder isn't colocated with the LHS', right?

I'm fine relying on the same mechanism we use for leases (do we really only rely on br.Now there?) but I'd like to see it tested end-to-end (i.e. one that fails if you disable that mechanism, which I don't think the one here will). This test could only test that specific mechanism. Or am I missing some existing test coverage here? You could reference another test that does it. (It's a shame that mtc doesn't let you use individual clocks).

Let's make the comment explicit.

benesch · 2018-08-19T19:06:43Z

But that won't work if the RHS' leaseholder isn't colocated with the LHS', right?

I meant that we could send that value along in the response to GetSnapshotForMerge. In which case it’s fine if they’re not collocated. AFAICT. For leases we rely on ba.Timestamp because the old leaseholder sends the lease to the new leaseholder. Here we need br.Now because the new leaseholder (LHS) is requesting the lease from the old leaseholder (RHS). So yeah, a little scary to rely on that, I guess. Definitely agree this needs a test. Just want to decide what approach to take in the implementation before I write the test.

…

On Sun, Aug 19, 2018 at 2:05 PM Tobias Schottdorf ***@***.***> wrote: ***@***.**** approved this pull request. *Reviewable <https://reviewable.io/reviews/cockroachdb/cockroach/28793>* status: [image:

] complete! 0 of 0 LGTMs obtained ------------------------------ *pkg/storage/store.go, line 2473 at r1 <https://reviewable.io/reviews/cockroachdb/cockroach/28793#-LKDCgkj5KMtIidylpup:-LKIFUd2BzM303udzmwQ:br05a4q> (raw file <https://github.com/cockroachdb/cockroach/blob/404eebce2093bffaddfe8619daf6478ac14aa6a2/pkg/storage/store.go#L2473>):* we can use max(tscache.GetMaxRead(RHS), tscache.GetMaxWrite(RHS)) But that won't work if the RHS' leaseholder isn't colocated with the LHS', right? I'm fine relying on the same mechanism we use for leases (do we really only rely on br.Now there?) but I'd like to see it tested end-to-end (i.e. one that fails if you disable that mechanism, which I don't think the one here will). This test could only test that specific mechanism. Or am I missing some existing test coverage here? You could reference another test that does it. (It's a shame that mtc doesn't let you use individual clocks). Let's make the comment explicit. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#28793 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA15IEgTJXvmEjPUyQbrp7cUXO4Pq4OBks5uSakFgaJpZM4WCqfC> .

benesch · 2018-08-19T19:07:37Z

Pretty sure mtc will allow you to specify multiple clocks! At least there is a comment claiming it is supported. On Sun, Aug 19, 2018 at 3:06 PM Nikhil Benesch <[email protected]> wrote:

…

> But that won't work if the RHS' leaseholder isn't colocated with the LHS', right? I meant that we could send that value along in the response to GetSnapshotForMerge. In which case it’s fine if they’re not collocated. AFAICT. For leases we rely on ba.Timestamp because the old leaseholder sends the lease to the new leaseholder. Here we need br.Now because the new leaseholder (LHS) is requesting the lease from the old leaseholder (RHS). So yeah, a little scary to rely on that, I guess. Definitely agree this needs a test. Just want to decide what approach to take in the implementation before I write the test. On Sun, Aug 19, 2018 at 2:05 PM Tobias Schottdorf < ***@***.***> wrote: > ***@***.**** approved this pull request. > > *Reviewable <https://reviewable.io/reviews/cockroachdb/cockroach/28793>* > status: [image:

] complete! 0 of 0 LGTMs obtained > > ------------------------------ > > *pkg/storage/store.go, line 2473 at r1 > <https://reviewable.io/reviews/cockroachdb/cockroach/28793#-LKDCgkj5KMtIidylpup:-LKIFUd2BzM303udzmwQ:br05a4q> > (raw file > <https://github.com/cockroachdb/cockroach/blob/404eebce2093bffaddfe8619daf6478ac14aa6a2/pkg/storage/store.go#L2473>):* > > we can use max(tscache.GetMaxRead(RHS), tscache.GetMaxWrite(RHS)) > > But that won't work if the RHS' leaseholder isn't colocated with the > LHS', right? > > I'm fine relying on the same mechanism we use for leases (do we really > only rely on br.Now there?) but I'd like to see it tested end-to-end > (i.e. one that fails if you disable that mechanism, which I don't think the > one here will). This test could only test that specific mechanism. Or am I > missing some existing test coverage here? You could reference another test > that does it. (It's a shame that mtc doesn't let you use individual clocks). > > Let's make the comment explicit. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <#28793 (review)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AA15IEgTJXvmEjPUyQbrp7cUXO4Pq4OBks5uSakFgaJpZM4WCqfC> > . >

tbg

I meant that we could send that value along in the response to GetSnapshotForMerge. In which case it’s fine if they’re not collocated. AFAICT.

Oh, yeah, this works and it's more transparent than taking clock values and relying on some ordering. I like the explicitness of that and it's easy enough to change in the future.

Pretty sure mtc will allow you to specify multiple clocks!

Oh, good!

Reviewable status: complete! 0 of 0 LGTMs obtained

nvanbenschoten · 2018-08-19T22:28:23Z

I like the idea of making the timestamp explicit in the response for GetSnapshotForMerge and not relying on br.Now, but do we need to pull the time from the timestamp cache directly? That's not a particularly efficient operation. Can't we just return GetSnapshotForMergeResponse{Now: hlc.Now()}, which will necessarily be larger than any previous operations performed on the old leaseholder?

benesch · 2018-08-20T01:31:17Z

How expensive? Merges are already extremely expensive; my intuition suggests a few in-memory ops are unlikely to make much of a difference. But yeah, your proposal is exactly the middle ground I had in mind.

…

On Sun, Aug 19, 2018 at 6:28 PM Nathan VanBenschoten < ***@***.***> wrote: I like the idea of making the timestamp explicit in the response for GetSnapshotForMerge and not relying on br.Now, but do we need to pull the time from the timestamp cache directly? That's not a particularly efficient operation. Can't we just return GetSnapshotForMergeResponse{Now: hlc.Now()}, which will necessarily be larger than any previous operations performed on the old leaseholder? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#28793 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA15IIzbiW6DwqYVchWQJKjQfl6dYgCwks5uSeaWgaJpZM4WCqfC> .

tbg · 2018-08-20T15:39:32Z

Works for me. On Mon, Aug 20, 2018 at 3:31 AM Nikhil Benesch <[email protected]> wrote:

How expensive? Merges are already extremely expensive; my intuition suggests a few in-memory ops are unlikely to make much of a difference. But yeah, your proposal is exactly the middle ground I had in mind. On Sun, Aug 19, 2018 at 6:28 PM Nathan VanBenschoten < ***@***.***> wrote: > I like the idea of making the timestamp explicit in the response for > GetSnapshotForMerge and not relying on br.Now, but do we need to pull the > time from the timestamp cache directly? That's not a particularly efficient > operation. Can't we just return GetSnapshotForMergeResponse{Now: > hlc.Now()}, which will necessarily be larger than any previous operations > performed on the old leaseholder? > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > < #28793 (comment) >, > or mute the thread > < https://github.com/notifications/unsubscribe-auth/AA15IIzbiW6DwqYVchWQJKjQfl6dYgCwks5uSeaWgaJpZM4WCqfC > > . > — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#28793 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AE135JDq8hpbkj2KGDa5bwPk0JRG8ui3ks5uShFzgaJpZM4WCqfC> .

--

…

-- Tobias

nvanbenschoten · 2018-08-20T16:08:28Z

How expensive? Merges are already extremely expensive; my intuition
suggests a few in-memory ops are unlikely to make much of a difference.

On the order of O(# reads on range in last 10 seconds). But yeah you're almost certainly right.

benesch

Ok, I went with threading the value of Clock.Now() during GetSnapshotForMerge execution through the merge trigger per @nvanbenschoten's suggestion. I also managed to concoct a convoluted scenario that verified that clocks are updated properly; see the megacomment on the new test.

FYI I rebased on top of #28865 to avoid some merge skew.

Reviewable status: complete! 0 of 0 LGTMs obtained

tbg

We'd ideally adjust replica changes to operate the same way.
Unfortunately the updated descriptor is not currently included in the
ChangeReplicasTrigger, so the migration is rather involved.

Doesn't seem that involved, but at the same time I'd rather not have you drive-by it. We'd add a new field and only populate it when the version is set. At the receiving end we'd use the field if set and fall back to the old code otherwise.

Reviewed 2 of 2 files at r2, 5 of 5 files at r3, 5 of 5 files at r4, 11 of 11 files at r5.
Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/roachpb/api.proto, line 1294 at r5 (raw file):

  uint64 lease_applied_index = 4;

  // FreezeStart is the time at which the receiving replica promised to stop

Perhaps make this more concrete: FreezeStart is a timestamp that is guaranteed to be greater than the timestamps at which any requests were serviced by the responding replica before it stopped responding to requests altogether (in anticipation of being subsumed). It is suitable ...

pkg/roachpb/data.proto, line 144 at r5 (raw file):

  ];

  // FreezeStart is the time at which the right-hand range promised to stop

Ditto.

pkg/settings/cluster/cockroach_versions.go, line 270 at r4 (raw file):

	},
	{
		// VersionRangeMerges is XXX,

You can fill this in now.

pkg/storage/client_merge_test.go, line 472 at r5 (raw file):

// causality information is not communicated through the normal channels.
// Suppose two adjacent ranges, A and B, are collocated on S2, S3, and S4. (S1
// is omitted is for consistency with the store numbering in the test itself.)

is omitted is

pkg/storage/client_merge_test.go, line 502 at r5 (raw file):
Great test.

Importantly, S3 must also update its clock from T1 to T3.

This would also lead to inconsistencies without merges, right? The new leaseholder might accept a conflicting write.

pkg/storage/store.go, line 2954 at r5 (raw file):

		// reject it now before we reach that point.
		var err error
		log.Errorf(ctx, "updating to %v", ba.Timestamp)

Remove

pkg/storage/store.go, line 2996 at r5 (raw file):

				// (if timestamp has been forwarded).
				if ba.Timestamp.Less(br.Timestamp) {
					log.Errorf(ctx, "updating to %v", br.Timestamp)

Remove

benesch

Reviewable status: complete! 0 of 0 LGTMs obtained

pkg/roachpb/api.proto, line 1294 at r5 (raw file):