Issue 1476: LedgerEntry is recycled twice at ReadLastConfirmedAndEntryOp

[infodog]

Descriptions of the changes in this PR:

The issue #1476 is caused by peculative reads with object recycling, same request object will be added to the CompletionObjects multiple times with different txnid. In fact the logic of process the request already take this into account, only on place inside ReadLastConfirmedAndEntryOp.requestComplete forget to check requestComplete before calling submitCallback which in turn call request.close.

Motivation

to fix #1476

Changes

check requestComplete before submitCallback in ReadLastConfirmedAndEntryOp.requestComplete

Master Issue: #1476

---

In order to uphold a high standard for quality for code contributions, Apache BookKeeper runs various precommit
checks for pull requests. A pull request can only be merged when it passes precommit checks. However running all
the precommit checks can take a long time, some trivial changes don't need to run all the precommit checks. You
can check following list to skip the tests that don't need to run for your pull request. Leave them unchecked if
you are not sure, committers will help you:

• [skip bookkeeper-server bookie tests]: skip testing org.apache.bookkeeper.bookie in bookkeeper-server module.
• [skip bookkeeper-server client tests]: skip testing org.apache.bookkeeper.client in bookkeeper-server module.
• [skip bookkeeper-server replication tests]: skip testing org.apache.bookkeeper.replication in bookkeeper-server module.
• [skip bookkeeper-server tls tests]: skip testing org.apache.bookkeeper.tls in bookkeeper-server module.
• [skip bookkeeper-server remaining tests]: skip testing all other tests in bookkeeper-server module.
• [skip integration tests]: skip docker based integration tests. if you make java code changes, you shouldn't skip integration tests.
• [skip build java8]: skip build on java8. ONLY skip this when ONLY changing files under documentation under site.
• [skip build java9]: skip build on java9. ONLY skip this when ONLY changing files under documentation under site.

---

---

Be sure to do all of the following to help us incorporate your contribution
quickly and easily:

If this PR is a BookKeeper Proposal (BP):

• Make sure the PR title is formatted like:
  <BP-#>: Description of bookkeeper proposal
e.g. BP-1: 64 bits ledger is support
• Attach the master issue link in the description of this PR.
• Attach the google doc link if the BP is written in Google Doc.

Otherwise:

• Make sure the PR title is formatted like:
  <Issue #>: Description of pull request
e.g. Issue 123: Description ...
• Make sure tests pass via mvn clean apache-rat:check install spotbugs:check.
• Replace <Issue #> in the title with the actual Issue number.

---

[eolivelli]

Thank you @infodog for looking into this.

How can you prove the fix addresses the problem?
Is there any test case we can add in order ensure wr won't fall into this problem in the future?

[infodog]

@eolivelli
I setup a bookkeeper cluster with 3 bookie server, and then setup two clients read the logs , the client code is as following:

void downloadLog() throws IOException {
        long nextTxId = getLocalLastTxId();
        long lastShardTxId = 0;
        try {
            lastShardTxId = dlm.getLastTxId();

        } catch (Throwable t) {
            //当日志为空的时候，dlm.getLastTxId会出异常，所以需要try住
            //do nothing
        }
        LogReader reader = dlm.getInputStream(nextTxId);

        while (true) {
            try {

                while (true) {
                    try {
                        LogRecord record = reader.readNext(false);
                        if (record == null) {
                            break;
                        }
                        System.out.println("read record, txid=" + record.getTransactionId() + ", lastShardId=" + lastShardTxId);
                        if (record.getTransactionId() > getLocalLastTxId()) {
                            updateLocalLog(record);
                        }
                        // read next record
                    } catch (LogEmptyException t) {
                        //没事
                        System.out.println("no record in log.");
                    } catch (Throwable ioe) {
                        // handle the exception
                        nextTxId = getLocalLastTxId();
                        reader = dlm.getInputStream(nextTxId);
                    }

                }


                if (isSwitchingToMaster) {
                    return;
                }
                synchronized (downloadThreadMonitor) {
                    downloadThreadMonitor.wait(100);
                }
                if (isSwitchingToMaster) {
                    return;
                }
            } catch (Throwable e) {
                e.printStackTrace();
            }
        }
    }

when I start a writer write to the bookkeeper server, after serveral thoundsand writes, the client will throw the exception saying that object recycled , then the client will not receive any new data. In fact I start 2 clients in the same time to read from the server,and always one client fails, randomly.

After apply the fix, my client will run and always get the updated data. So I think the fix addressed the problem.

Maybe we can create a test case like this? But I dont know how to do that. I think to repoduce the problem the key point is multiple bookies. The problem will arise when the response from the bookie with data comes after the response of the bookie without data.

By the way, When I debug the problem, I add some log statements to the code, and the logs shows there is still some problem hiding. Still shows something I can't understand. Maybe I am not look carefully enough :

the following is my log,you can see there is still error, but i think it's another problem and this will not cause data lose, so I think the problem is addressed.

2018-06-10 09:25:26 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040066 ] - [ WARN ] --- ledgerId=206,entryId=2083, length=-1, handler=395656841,entryImpl.hashCode=609480430 org.apache.bookkeeper.client.impl.LedgerEntryImpl.close(LedgerEntryImpl.java:167)
2018-06-10 09:25:26 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040066 ] - [ WARN ] ReadLastConfirmedAndEntryOp ledgerId=206,preEntryId=2082 org.apache.bookkeeper.client.ReadLastConfirmedAndEntryOp.(ReadLastConfirmedAndEntryOp.java:461)
2018-06-10 09:25:26 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040066 ] - [ WARN ] +++ledgerId=206, entryId=2083, handler=395656841,entryImpl.hashCode=609480430 org.apache.bookkeeper.client.impl.LedgerEntryImpl.create(LedgerEntryImpl.java:55)
2018-06-10 09:25:26 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040066 ] - [ WARN ] initiate request.hashCode=926536875,ledgerId=206,preEntryId=2082,parallelRead=false org.apache.bookkeeper.client.ReadLastConfirmedAndEntryOp.initiate(ReadLastConfirmedAndEntryOp.java:500)
2018-06-10 09:25:26 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040066 ] - [ WARN ] txid->cb,txid=97404, cb.hashCode=940171436 org.apache.bookkeeper.proto.PerChannelBookieClient.readEntryInternal(PerChannelBookieClient.java:744)
2018-06-10 09:25:27 [ DL-io-2:49040901 ] - [ WARN ] readV3Response get ledgerId=50,entryId=-1,txnid=97403 org.apache.bookkeeper.proto.PerChannelBookieClient.readV3Response(PerChannelBookieClient.java:1243)
2018-06-10 09:25:27 [ DL-io-2:49040901 ] - [ WARN ] readV3Response remove ledgerId=50,entryId=-1,txnid=97403 org.apache.bookkeeper.proto.PerChannelBookieClient.readV3Response(PerChannelBookieClient.java:1264)
2018-06-10 09:25:27 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040901 ] - [ WARN ] calling submitCallback,completeRequest hasValidResponse,request=617824970,ledgerId=50,entryId=49 org.apache.bookkeeper.client.ReadLastConfirmedAndEntryOp.completeRequest(ReadLastConfirmedAndEntryOp.java:640)
2018-06-10 09:25:27 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040902 ] - [ WARN ] request close request.hash=617824970request.entryImpl handle=2003401814 , ledgerId=50,entryId=49 org.apache.bookkeeper.client.ReadLastConfirmedAndEntryOp.submitCallback(ReadLastConfirmedAndEntryOp.java:549)
2018-06-10 09:25:27 [ BookKeeperClientWorker-OrderedExecutor-0-0:49040902 ] - [ WARN ] --- ledgerId=50,entryId=49, length=-1, handler=1827103622,entryImpl.hashCode=2003401814 org.apache.bookkeeper.client.impl.LedgerEntryImpl.close(LedgerEntryImpl.java:167)
2018-06-10 09:25:27 [ DL-io-1:49041072 ] - [ WARN ] readV3Response get ledgerId=206,entryId=-1,txnid=97404 org.apache.bookkeeper.proto.PerChannelBookieClient.readV3Response(PerChannelBookieClient.java:1243)
2018-06-10 09:25:44 [ DL-io-1:49057519 ] - [ ERROR ] readV3Response remove v==null, txnid=97404, op=READ_ENTRY org.apache.bookkeeper.proto.PerChannelBookieClient.readV3Response(PerChannelBookieClient.java:1261)
2018-06-10 09:25:44 [ BookKeeperClientWorker-OrderedExecutor-0-0:49057519 ] - [ WARN ] ReadLastConfirmedAndEntryOp ledgerId=50,preEntryId=48 org.apache.bookkeeper.client.ReadLastConfirmedAndEntryOp.(ReadLastConfirmedAndEntryOp.java:461)
2018-06

[eolivelli]

@infodog I see your description.
It is better to fix the first known issue with your current work, then you will create a follow up issue if this is no enough.

@sijie I don't know DL codebase very much and I am not using long-poll so I can't be very helpful here.
Don't we have some "tailing reader" test case ?
Or maybe existing tests are too narrow that does not make the problem happen.

[sijie]

@eolivelli I think the problem only happened when speculations happen. also it is not just on long poll reads, I think it will impact normal reads. those tests around speculations might end before real problems show up.

[eolivelli]

So @sijie you are saying that we have some code path not covered by test cases.

It would be good to have minimal coverage of this change, just by using mockito.
How does it sounds to you?

[sijie]

@eolivelli - sure, we need to add test cases for this. however I don't think the fix address the root cause. still looking ...

[eolivelli]

@sijie sure, go ahead.

[sijie]

@infodog :

your fix is correct. however, it can be simplified with changing using submitCallback to use completeRequest. this would guarantee a request only being completed once.

I created a PR to your branch to improve it and also added a unit test to reproduce the problem and ensure your changes fix the problem: infodog#1 if you merged it, the changes will be applied to your branch and showed up here.

then we should be ready to merge your fix.

[sijie]

@eolivelli - changes in infodog#1 include the unit test.

@jiazhai @yzang please review this PR as well, since it is dlog related.

[infodog]

@sijie I think the fix of infodog#1 may have problem.

because
request.complete(rCtx.getBookieIndex(), bookie, buffer, entryId) will be called even the request is already closed.

In request.complete

entryImpl.setLength(buffer.getLong(DigestManager.METADATA_LENGTH - 8));
entryImpl.setEntryBuf(content);

the entryImpl may already recycled and owned by another request, so this will ruin another request's data?

Maybe should move

writeSet.recycle();
orderedEnsemble.recycle();

from request.complete to request.close, and when we found thre requested is closed, we dont call request.complete?

[sijie]

@infodog - https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L127 use an atomic boolean to guarantee it only executed once. so the problem you described won't happen.

[infodog]

@sijie but in https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L615 use requestComplete to guarantee request is only close once, while https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L127 use complete to guarantee ,they are two diff variables. So it's possible after the request is closed at the same time entryImpl is recycled, the https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L127 code will be executed, and the data maybe ruined.

[sijie]

@infodog I see your point now. let me try to explain:

1. yes. there are two flags, the completed flag in request is to checking if the request itself is completed or not, the requestComplete flag is in the ReadLacOp is to checking if the op itself is completed or not. in some sense, we need these two different flags, since one op can potentially contain multiple requests. it might be a bit strange in this class, since in this case, one operation only have one request.

2. are there any race conditions between these two flags? the answer is no. because the request callback can only happen on one thread. so if a request successfully completed with a valid entry, request.complete returns true and then it will submit the callback, which will set requestComplete to true. so any future callback will not try to complete the request or submit callback again, this prevents the race condition you described.

3. just for your information, in bookkeeper client, the operations/callbacks for same ledger will be executed in same thread.

Hope this explains why the change in infodog#1 work.

[infodog]

@sijie it's possible that compleRequest() come before request.complte(), such as https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L589, this will happen when the response without piggyback data comes before the response with data.

In this case, the request will be closed in completeRequest() by the submitCallback() in it, the entryImpl will be recycled. Because completeRequest() does not set comlete to true, later when request.complete being called,

writeSet.recycle();
orderedEnsemble.recycle(); 

will be executed,and although this time request.close will not be called. Since entryImpl is already recycled , if entryImpl is resued by other request, then data will be ruined even the operation is executed in the same thread.

[sijie]

@infodog you are correct! I will revert infodog#1 to your original fix, I will update the unit test to ensure verify the case your described.

[sijie]

@infodog I've updated infodog#1 with your original fix and updated the unit test to add validations to make sure recycled entry will not be mutated by any subsequent callbacks. please take a look and let me know if it makes sense to you.

[infodog]

@sijie I still have questions,

1. Although the fix will solve the object recycle problem, but the response with valid data is ignored. Will this case cause problem to the application using dl as a replication service? How the application using the dl client shoud do to handle this situation?
   Is there any retry mechanism embeded by the bookkeeper client? I think as a quick fix, if this happed the client should throw a exception to the application, so that the application can implement its own retry mechanism. Maybe we should not treat this situation ( the response with valid data come after response withoud data situation) as an error one.When we receive an empty reponse, we should not close the request? Or we should impletement a retry mechanism after this situation happend?

2. back to the fix detail, if request.complete is not called, then on https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/ReadLastConfirmedAndEntryOp.java#L127

writeSet.recycle();
orderedEnsemble.recycle(); 

is not executed.
will this cause resource leak?

3. if requestComplete already set the buffer.retain(); here is redundant

[sijie]

@infodog good questions, comments inline.

Will this case cause problem to the application using dl as a replication service?

This will not cause any problems to the application using DL. Here we completed the request only when lac (last add confirmed) is advanced. it is better if there is an entry piggybacked, if there is no entry piggybacked, it is still good, because we received a valid advanced lac.

you might think we dropped a valid response. however the thought behind is to tell the client caller (which is DL library at this case) as soon as LAC is advanced, it can read entries till the new LAC. DL will react to the callback and know LAC is advanced and issue corresponding read requests.

How the application using the dl client shoud do to handle this situation?

You don't need to handle this situation. Since DL handles that.

Is there any retry mechanism embeded by the bookkeeper client?

The conversation between normal reads and long poll reads and knowing LAC advance are all happending in the dl library. applications don't have to worry about that.

will this cause resource leak?

This will not cause resource leak. The recycle there means putting back the objects to be reused. if recycle is not called, it doesn't mean resource leak, it only means the objects will not be put back to the object pool to be reused.

the recycle objects are different from bytebuf where releasing bytebuf should be done when the bytebuf is not reused anymore, otherwise it will causing memory can't be released.

if requestComplete already set the buffer.retain(), here is redundant

I am not sure what exactly you are asking. but I am guessing you are asking the boolean flag in the request. that boolean flag is needed, it is used for flagging whether the request is completed or not. the requestComplete is used for checking if the operation is completed (or callback is submitted or not). Those booleans have different meanings. It is not easy to tell the difference from first glance.

Hope this clarifies your questions.

[sijie]

@infodog if the comments make sense to you, it would be great if you can merge infodog#1 to your branch, so it can be showed up here. then we can merge this change once it passes other committers's review and CI checks.

[infodog]

@sijie Ok thanks very much for the explanation, I already merged to my branch.

[sijie]

@infodog thank you.

@jiazhai @yzang @eolivelli can you guys review this change?

[jiazhai]

+1 with [commit] (b2b4f22)

[sijie]

run bookkeeper-server bookie tests

[sijie]

rebuild java8

[eolivelli]

@sijie @infodog
are you assuming that here we are getting the same entry as above ?

[infodog]

@eolivelli
Yes I assuming that.

[eolivelli]

Is there any way to perform an assertion about this assumption ?
if that assumption is broken the test is not really useful.

I don't have a suggestion on how to capture the LedgerEntryImpl.

[sijie]

@eolivelli It is hard to capture the original entry. I mean it is possible, however that's going to make things a bit complicated, which I don't think it is worth doing that.

[eolivelli]

overall ok, just a question on the test

[sijie]

run bookkeeper-server bookie tests

[sijie]

rubuild java8

[eolivelli]

it is not worth to complicate the test. I assume that without the fix the test is failing.

+1 LGTM
awesome work @infodog and @sijie !

[sijie]

run bookkeeper-server bookie tests

[sijie]

run bookkeeper-server bookie tests

[sijie]

retest this please

[sijie]

(somehow the jenkins precommit checks are not running after rebased. trying to close and reopen)

[sijie]

run bookkeeper-server bookie tests

[sijie]

run bookkeeper-server bookie tests
run bookkeeper-server tls tests
run pr validation

[sijie]

I think "bookie tests" precommit check is flaky due to #1516 .

there was one successful run - https://builds.apache.org/job/bookkeeper_precommit_bookie_tests/61/

so going to ignore CI to merge this bug fix.

[sijie]

IGNORE CI

[sijie]

merged the changes. thank you @infodog !