[FLINK-13452] Ensure to fail global when exception happens during reseting tasks of regions

[Myasuka]

What is the purpose of the change

After FLINK-13060, we would run createResetAndRescheduleTasksCallback within another runnable resetAndRescheduleTasks. Unfortunately, any exception happened in createResetAndRescheduleTasksCallback would cause the thread terminated silently but record the exception in outcome of FutureTask. We should change the code back to previously that would failGlobal within the createResetAndRescheduleTasksCallback runnable.

Brief change log

• 59b1a6d5 :

  • Let runnable createResetAndRescheduleTasksCallback fail global if come across any exception.
  • Refine RegionFailoverITCase to mock the exception that checkpoint store would failed when recover from checkpoint for the 1st time.

• b732229 : Refactor interface of RestartStrategy#restart and add UT to verify failGlobalIfErrorOnResetTasks

• 073d815

  • Refactor the return value of RestartStrategy#restart to CompletableFuture
  • Refatcor return valud of method ExecutionGraph#allVerticesInTerminalState to align with new RestartStrategy#restart
  • Simplify AdaptedRestartPipelinedRegionStrategyNGFailoverTest with FailureMultiTimesRestartStrategy to throw exception directly
  • Refactor RegionFailoverITCase with FailureMultiTimesRestartStrategy
  • Add unit tests for FutureUtils#scheduleAsync

Verifying this change

This change added tests and can be verified as follows:

• Refine RegionFailoverITCase to mock the exception that checkpoint store would failed when recover from checkpoint for the 1st time.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): no
• The public API, i.e., is any changed class annotated with @Public(Evolving): no
• The serializers: no
• The runtime per-record code paths (performance sensitive): no
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: no
• The S3 file system connector: no

Documentation

• Does this pull request introduce a new feature? no
• If yes, how is the feature documented? not applicable

[flinkbot]

Thanks a lot for your contribution to the Apache Flink project. I'm the @flinkbot. I help the community
to review your pull request. We will use this comment to track the progress of the review.

Automated Checks

Last check on commit 3c6363e (Wed Aug 07 13:19:15 UTC 2019)

Warnings:

• No documentation files were touched! Remember to keep the Flink docs up to date!

_{Mention the bot in a comment to re-run the automated checks.}

Review Progress

• ❓ 1. The [description] looks good.
• ❓ 2. There is [consensus] that the contribution should go into to Flink.
• ❓ 3. Needs [attention] from.
• ❓ 4. The change fits into the overall [architecture].
• ❓ 5. Overall code [quality] is good.

Please see the Pull Request Review Guide for a full explanation of the review process.

Details

The Bot is tracking the review progress through labels. Labels are applied according to the order of the review items. For consensus, approval by a Flink committer of PMC member is required

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot approve description to approve one or more aspects (aspects: description, consensus, architecture and quality)
• @flinkbot approve all to approve all aspects
• @flinkbot approve-until architecture to approve everything until architecture
• @flinkbot attention @username1 [@username2 ..] to require somebody's attention
• @flinkbot disapprove architecture to remove an approval you gave earlier

[flinkbot]

CI report:

• 59b1a6d : FAILURE Build
• b732229 : FAILURE Build
• 073d815 : CANCELED Build
• d7c1f12 : FAILURE Build
• 7afbb0b : FAILURE Build
• 8e791fd : FAILURE Build
• 704c4d8 : CANCELED Build
• 958e248 : SUCCESS Build
• 92cf36a : CANCELED Build
• 3c6363e : SUCCESS Build

[Myasuka]

CI failed due to FLINK-13488 and travis file cache not found.

[Myasuka]

This fix still has problem when failGlobal meet exception, close this PR first.

[Myasuka]

Reopen this wrt the comments from @zhuzhurk in FLINK-13452.

[zhuzhurk]

Thanks Yun for opening this PR. I have a few comments.

[zhuzhurk]

I think failure handling for the first part is still needed.

[zhuzhurk]

All exceptions should be handled.

[zhuzhurk]

This method is still needed for failure handling of the first part of failover process.

[zhuzhurk]

We can use FatalExitExceptionHandler to handle exceptions thrown from failGlobal directly.

[tillrohrmann]

Thanks for opening this PR @Myasuka. I think we cannot merge these changes because they change the handling of exceptionally completed cancel futures.

[tillrohrmann]

I think we should not change this logic since cancelTasks can return an exceptionally completed future which would now cause the process to terminate.

[Myasuka]

Agreed, I am refactoring this PR by changing the result of RestartStrategy#restart to a CompletableFuture<?>

[tillrohrmann]

I think it is better to let the exception handling happen where it has been. Usually it is a good idea to do the exception handling at the highest possible level.

[GJL]

I think that CompletableFuture<Void> would convey clearly that "nothing" is returned by the future.
Also, wildcards in return types should be avoided: https://stackoverflow.com/a/22815270

[GJL]

This method is not unit tested but I think it should be because it could be used outside of the restart strategies. See FutureUtilsTest

[GJL]

For unit testing the new behavior (i.e., failGlobal is invoked if an exception occurs while restarting), wouldn't it be enough to implement a RestartStrategy that returns an exceptionally completed future? I think it would be good enough because the exception doesn't have to be necessarily thrown while restoring checkpoints – in practice also an OOM can be thrown.

[Myasuka]

Agreed, combine testFailGlobalIfErrorOnResetTasks and previous testFailGlobalIfErrorOnRescheduleTasks into one unit test as testFailGlobalIfErrorOnRestartTasks with given RestartStrategy which would fail when restarting.

[GJL]

Is this change really necessary to resolve FLINK-13452, or can it be in a separate ticket?

[Myasuka]

If we want to let this integration test to include global failover scenario, this is necessary.

[GJL]

Interesting feature, didn't know about it before. However, I have two questions regarding this integration test:

1. As before, isn't it enough to use a RestartStrategy that returns an exceptionally completed future?
2. We already test that failGlobal is invoked from the unit tests. Does the integration test add coverage?

[Myasuka]

Previously, the RegionFailoverITCase did not catch bug of FLINK-13452 due to it did not involve global failover but only region failover. I prefer to add global failover in this integration test to verify the job could be restarted and result still correct.

[GJL]

Thank you for your contribution to Apache Flink @Myasuka. I think the PR is going in the right direction.

[Myasuka]

@GJL new commit content is updated in description.

UPDATED:
Confusion below have been fixed with new commit d7c1f12.

---

There is another question which might be out of the scope of this PR but confused me. If I set the failure times of FailureMultiTimesRestartStrategy as 2, which means the restartStrategy would failed twice when calling restart. During AdaptedRestartPipelinedRegionStrategyNG#restartTasks, job would first meet exception when restartStrategy.restart and then call failGlobalOnError. However, in the call stack of ExecutionGraph#failGlobal --> ExecutionGraph#allVerticesInTerminalState --> ExecutionGraph#tryRestartOrFail --> restartStrategy.restart, we would meet the 2nd exception and caught by FatalExitExceptionHandler, resulting in the process exited.
In other words, if we meet unchecked exception during ExecutionGraph#failGlobal, we would just let the whole process exit instead of trying to fail global again. Is this behavior expected?

[GJL]

Thanks for the update. I'll have a look.

[GJL]

All in all, the PR looks good. There are some minor things that require attention. If you want, I can apply the last changes myself. WDYT?

[GJL]

Can be made private again.

[GJL]

I would return Function<Object, CompletableFuture<Void>> here so that we can write:

FutureUtils.assertNoException(
			cancelTasks(verticesToRestart)
				.thenComposeAsync(resetAndRescheduleTasks(globalModVersion, vertexVersions), executionGraph.getJobMasterMainThreadExecutor())
				.handle(failGlobalOnError()));

This is consistent with the style before.

[GJL]

I would revert this change (adding empty line).

[GJL]

[GJL]

I think we should add the following overload:

	public static CompletableFuture<Void> scheduleWithDelay(
			final Runnable operation,
			final Time delay,
			final ScheduledExecutor scheduledExecutor) {
		Supplier<Void> operationSupplier = () -> {
			operation.run();
			return null;
		};
		return scheduleWithDelay(operationSupplier, delay, scheduledExecutor);
	}

This will reduce in the RestartStrategy implementations.

[GJL]

You can use return FutureUtils.completedExceptionally(new FlinkRuntimeException(...))

[GJL]

There some issues that I see here:

1. System.currentTimeMillis() is impacted by system clock changes – this may cuase test failures in conjunction with NTP. Therefore System.nanoTime() should be preferred.
2. Test will run at least 500ms which is on the slow side for unit tests. I think it's enough to use ManuallyTriggeredScheduledExecutor and see if the correct result is produced.
3. I don't think using AtomicInteger adds test coverage. Imo it's enough to assert on the value of result.

[GJL]

I don't think this assertion is needed because you already test if the future can be cancelled:

assertTrue(scheduledFuture.isCancelled());

This assertion will fail if the future is finished normally.

[GJL]

This conversion to Supplier is duplicated multiple times. See my other comment in FutureUtils.

[Myasuka]

Sorry for late reply.
@GJL , No problem, please go ahead to take over this PR to finish the rest part.

[GJL]

Please review @tillrohrmann

[tillrohrmann]

Thanks for this fix @Myasuka and @GJL. LGTM. +1 for merging.

[GJL]

Merging as soon as build is green.

[GJL]

Merged manually.