[TimeLock Corruption] | Implement progress tracker

[sudiksha27]

Goals (and why):
Adds a ProgressTracker to keep track of last verified sequence numbers + update last verified one history till that point is loaded from all servers.

Implementation Description (bullets):

• Add a ProgressTracker to maintain local cache, get lastVerified seq numbers and update lastVerified

• Maintain local cache of (lastVerifiedSeq, greatestSeqNumberToBeVerified) for each (namespace, useCase) pair

• Init state => lastVerifiedSeq = -1, greatestSeqNumberToBeVerified = latest learned value for respective (namespace, useCase) pair

• Each iteration will do two things -

  • get seq bounds [lowerInclusive, upperInclusive] to load logs for corruption verification. If the lastVerifiedSeq > greatestSeqNumberToBeVerified, reset to init state

  • update the lastVerified with upperInclusive after logs have been loaded

Testing (What was existing testing like? What have you done to improve it?):
Added tests

Concerns (what feedback would you like?):
Did I miss any edge cases in the ProgressTracker?

• No batching while making DB calls

• No mechanism for detecting inactive series. In the worst case, inactive series can get their progressState refreshed on each iteration.

Where should we start reviewing?:
PaxosLogHistoryProgressTracker.java

Priority (whenever / two weeks / yesterday):
ASAP 🏃‍♀️

[Jolyon-S]

Drive-by of a few things; didn't review in-depth semantics as I don't have full context on what's going on here.

[Jolyon-S]

IntelliJ is telling me many things in this class don't have to be public - can you make those package-private or private?

[Jolyon-S]

replace with method reference

[Jolyon-S]

As far as I can tell, you only ever put or get from this cache (i.e. never delete). I don't have full context on this piece of work, but I wonder if it is possible to OOM yourself? How many entries do you expect to be present in this cache?

[jeremyk-91]

The size would be bounded by |NamespaceAndUseCase| which would generally be around 1000, so I think this is fine. (Good flag though!)

[Jolyon-S]

I think these immutables are fine, but if you really want to avoid crossed wires, you can try a staged builder: https://immutables.github.io/immutable.html#staged-builder

(I appreciate not everyone likes them, but I do!)

[Jolyon-S]

I'm not a huge fan - KeyedStream.of(historyQueries).mapKeys(...).map(...) gets you most of the way, although I'll confess that I'm not sure how to do the merging resolution in KeyedStream (although you can always collect to multimap).

[sudiksha27]

I think what we have now is more readable

[Jolyon-S]

Speaking of sanity checks, is this:

(100 - lastVerified) + 1
OR
100 - (lastVerified + 1)?

I assume the latter, although I'm never certain on how it determines this - so maybe bracket it?

[jeremyk-91]

The structure makes sense, but I have some concerns around readability. Specifically, you use lastVerifiedSequence throughout most of the code, but associate it with an exclusive upper bound in SequenceBounds which means that the "last verified sequence" isn't actually verified. I'd suggest using inclusive bounds throughout.

I think this also leads to a strange edge case in PaxosLogHistoryProgressTracker: as written I think the tracker spins infinitely on an inactive series, because you're comparing an inclusive bound with an exclusive bound.

[jeremyk-91]

nit: could we have docs on what this means?

[jeremyk-91]

nit: let's give this a more descriptive name? minimalLowerBoundResolver or something like that?

[jeremyk-91]

can we reference this 500 constant somewhere?

[jeremyk-91]

actually, see later comment: would prefer this to have a factory for generating unbounded ends

[jeremyk-91]

Maybe just have an unbounded end factory in HistoryQuery, it looks like this is causing a lot of friction

[jeremyk-91]

I'd recommend being explicit about the edges of the range here: lowerInclusive but upperExclusive?

[jeremyk-91]

Actually, I would strongly prefer for us to use inclusive ranges. A lot of the lastVerified stuff is misleading because upper() is not actually verified.

[jeremyk-91]

I'd name this differently, maybe ProgressState or something like that?

[jeremyk-91]

lastVerifiedSeq? This makes it sound similar to the Paxos constructs when it's really not

[jeremyk-91]

See discussion elsewhere: I think I'd have a strong preference for having inclusive ranges here, because we've used terminology like latestVerified through many other parts of the code, which are not strictly correct when the upper bound has actually not been verified.

[jeremyk-91]

This is an exclusive bound, so it is not the last verified sequence (see comment on my thoughts on SequenceBound).

[jeremyk-91]

This doesn't behave the way I think is intended: your seeding of the bound in getLatestSequence is inclusive, however your use of value here is exclusive. This means that even if there are no new entries, the validation task will repeatedly cycle over the entries (e.g. of an inactive client), which I doubt is intended.

[jeremyk-91]

I'd suggest having as integration tests (maybe not in this PR, but before the workstream is complete):

• verifying a sequence with over 500 entries (so that it needs to be verified in batches) works correctly
• an invalid sequence at entry 499 and 500 are caught
• inactive sequence does not get verified more than once.

[sudiksha27]

I agree, I'll add some ETE tests in a separate PR.

[sudiksha27]

I think what we have now is more readable

[jeremyk-91]

🕐 1:00

Thanks for adding more comprehensive tests and changing the interval queries to operate on closed intervals; I think the PR looks correct now.

I'm afraid I think there are still some issues, largely around readability:

• I'm uncertain of the decomp: I don't understand the point of SequenceBounds when HistoryQuery already exists. I'd kill it if possible, and if not, given that you have a constant in the class and a factory that strongly suggest it is intended only for history queries, I would suggest naming it accordingly.
• Some variable names, in particular around the form of Map<T, SequenceBounds> lastVerifiedSequences need to be changed - in particular, they often refer to the bounds on queries that need to be made (while previously there was only a lower bound, so lastVerifiedSequences was correct).
• I would urge you to use method names indicating the intention behind your methods as opposed to just what the methods do. For example, getBoundsSinceLastVerified(long lastVerified) doesn't say much, and I'd argue the most natural interpretation of that is [lastVerified + 1, inf) - while if you describe it as getBoundsForNextHistoryQuery(long lastVerified) a reader will understand what it's for, and is more likely to have assumptions in line with what you're intending.

[jeremyk-91]

sanity check: this has never been wired up right?

[sudiksha27]

This will break since #5071 merged, my bad, I will fix this.

[jeremyk-91]

I'd suggest maintaining lowerBoundInclusive and upperBoundInclusive through the parameters in the call stack when making these queries

[jeremyk-91]

This variable name is misleading. These bounds are not verified at the time this call is made - they are the candidates you want to verify. In the previous model it was correct (because that's where you start the query from).

[jeremyk-91]

The name is no longer correct.

[jeremyk-91]

nit: The name of this method is no longer correct though. As a user who's not familiar, how do I know what the elements of SequenceBounds are?

[jeremyk-91]

What does this mean?

I might be missing something, but I'm starting to be convinced that this class has no reason to exist: we should just operate on HistoryQuery objects.

[jeremyk-91]

What does this method name mean? (It gets the bounds for the next history query; is there a reason the progress tracker shouldn't be creating history queries in and of itself?)

[jeremyk-91]

It feels kind of dubious that this is here; it seems this is just a history query without a namespace and use case. If possible I'd urge you to try and kill this class altogether, but if that's not possible I would strongly prefer naming this class so that it's obvious that it is specific to history queries (e.g. HistoryQuerySequenceRange).

[jeremyk-91]

nit: the standard form for factory classes of this kind is the plural of the class name i.e. HistoryQueries

[jeremyk-91]

👍 Checkpointing of multiple values can be messy, but discussed offline - we think it's not unreasonable to remove it and use in memory state for remembering when we should reset.

There is a degenerate condition where you might never verify old entries if the server is restarted extremely frequently, so that there is always one paxos round in between the verification task reading the bound and processing a batch, but I don't think we need to worry about that.

[changelog-app]

Generate changelog in changelog/@unreleased

Type

• Feature
• Improvement
• Fix
• Break
• Deprecation
• Manual task
• Migration

Description

Adds a ProgressTracker to keep track of last verified sequence numbers for respective (namespace, useCase) pairs for TimeLock corruption checks. This ensures that TimeLock will resume corruption checks from after the lastVerifiedSequence if the node is bounced.

Check the box to generate changelog(s)

• Generate changelog entry