KAFKA-16452: Don't throw OOORE when converting the offset to metadata

[kamalcph]

Test Plan

Steps to reproduce the issue:

1. Create a topic with 1 partition and 2 RF
2. Send some messages to the topic, wait for the segments to roll over, and upload them to remote storage.
3. Ensure that the log-start-offset < local-log-start-offset
4. Stop all the nodes where the replica is placed.
5. Delete the replication-offset-checkpoint, recovery-point-offset-checkpoint, and kafka_cleanshutdown files on one node that is about to be started first.
6. Start the remaining nodes
7. The high-watermark will be set to log-start-offset and the leader will throw OFFSET_OUT_OF_RANGE errors for the follower fetch-requests and cannot accept the produce requests.

Commands:

 sh kafka-topics.sh --create --topic tieredTopic --partitions 1 --replication-factor 2 --bootstrap-server localhost:9092 \
    --config remote.storage.enable=true --config local.retention.ms=60000 --config retention.ms=7200000 \
    --config segment.bytes=104857600 --config file.delete.delay.ms=1000

sh kafka-producer-perf-test.sh --topic tieredTopic --num-records 120000 --record-size 1024 --throughput -1 --producer-props bootstrap.servers=localhost:9092

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[junrao]

@kamalcph : Thanks for the PR. Left a few comments.

[kamalcph]

@junrao @satishd @chia7712 @showuon

Updated the test plan in the summary. Verified that the patch fixes the issue by running the trunk and patched build. With the fix, the high-watermark value gets updated to the valid offset. Please take a look when you get chance.

[showuon]

Thanks for the PR. One question: So when we temporarily set high-watermark as LogOffsetMetadata(0) for the leader, we're waiting for the high-watermark gets updated after followers fetch from the leader, right?

[showuon]

For case 1, it looks like we never throw OffsetOutOfRangeException now, doesn't it?

[kamalcph]

checkLogStartOffset will throw OffsetOutOfRangeException if the offset is lesser than the logStartOffset.

[kamalcph]

Should we avoid throwing the error and return message-only metadata when the offset is lesser than the log-start-offset?

While updating the UnifiedLog#updateLogStartOffset, the HWM also gets updated and it doesn't hit the fetchHighWatermarkMetadata (or) convertToOffsetMetadataOrThrow so the call will succeed even when current-log-start-offset > old-HWM.

[showuon]

Ah, OK. Thanks.

[showuon]

While updating the UnifiedLog#updateLogStartOffset, the HWM also gets updated and it doesn't hit the fetchHighWatermarkMetadata (or) convertToOffsetMetadataOrThrow so the call will succeed even when current-log-start-offset > old-HWM.

For UnifiedLog#updateLogStartOffset, I think it's safe we didn't throw exception when current-log-start-offset > old-HWM because it will be called when initialization or maybeIncrementLogStartOffset. In the latter, we've checked newLogStartOffset > logStartOffset already.

[junrao]

Good point. Since we change the logic such that it's ok not to have the metadata for an offset, we could just skip the call to checkLogStartOffset.

[kamalcph]

Removed the checkLogStartOffset from the convertToOffsetMetadataOrThrow method.

[showuon]

I can understand the endOffset.messageOffsetOnly() case since the leader's high watermark is still not updated. But when will fetchOffset be messageOffsetOnly?

[kamalcph]

fetchOffset can be message-only metadata when there is a diverging-epoch. If there is a diverged-epoch in the LogReadResults, then it won't enter the DelayedFetch. We can remove the check if it is not required.

[junrao]

fetchOffset typically shouldn't be message only. But it doesn't hurt to have the check.

[kamalcph]

Thanks for the PR. One question: So when we temporarily set high-watermark as LogOffsetMetadata(0) for the leader, we're waiting for the high-watermark gets updated after followers fetch from the leader, right?

yes, the call to maybeIncrementLeaderHW will succeed when the node becomes leader for the partition. Note that if the current node is the only alive replica, then the high-watermark gets updated to the leader-log-end-offset. The behavior is same for both normal and remote-storage enabled topic.

[kamalcph]

Test failures are unrelated.

[junrao]

@kamalcph : Thanks for the updated PR. Left a few more comments.

[junrao]

Good point. Since we change the logic such that it's ok not to have the metadata for an offset, we could just skip the call to checkLogStartOffset.

[junrao]

LocalLog.read() also calls convertToOffsetMetadataOrThrow.

      else if (startOffset > maxOffsetMetadata.messageOffset)
        emptyFetchDataInfo(convertToOffsetMetadataOrThrow(startOffset), includeAbortedTxns)

It seems this could lead to infinite recursion. To avoid that, we could change the above code to avoid calling convertToOffsetMetadataOrThrow and return a message-only LogOffsetMetadata instead to emptyFetchDataInfo.

[kamalcph]

This is a potential loop (not sure when it would be triggered), updated the logic to return the message-only metadata.

[kamalcph]

To solve the infinite loop, instead of returning the message-only LogOffsetMetadata when startOffset is beyond the maxOffsetMetadata. Can we retain the same behavior without the loop? Something like below:

def read(startOffset: Long,
           maxLength: Int,
           minOneMessage: Boolean,
           maxOffsetMetadata: LogOffsetMetadata,
           includeAbortedTxns: Boolean): FetchDataInfo = {
    maybeHandleIOException(s"Exception while reading from $topicPartition in dir ${dir.getParent}") {
      trace(s"Reading maximum $maxLength bytes at offset $startOffset from log with " +
        s"total length ${segments.sizeInBytes} bytes")

      val endOffsetMetadata = nextOffsetMetadata
      val endOffset = endOffsetMetadata.messageOffset
      val segmentOpt = segments.floorSegment(startOffset)

      // return error on attempt to read beyond the log end offset
      if (startOffset > endOffset || !segmentOpt.isPresent)
        throw new OffsetOutOfRangeException(s"Received request for offset $startOffset for partition $topicPartition, " +
          s"but we only have log segments upto $endOffset.")

      if (startOffset == maxOffsetMetadata.messageOffset) {
        emptyFetchDataInfo(maxOffsetMetadata, includeAbortedTxns)
      } else if (startOffset > maxOffsetMetadata.messageOffset) {
       // Updated code to avoid the loop:
        val tmpFetchDataInfo = readFetchDataInfo(segmentOpt.get, startOffset, maxLength = 1, minOneMessage = false, nextOffsetMetadata, includeAbortedTxns = false)
        emptyFetchDataInfo(tmpFetchDataInfo.fetchOffsetMetadata, includeAbortedTxns)
      } else {
        readFetchDataInfo(segmentOpt.get, startOffset, maxLength, minOneMessage, maxOffsetMetadata, includeAbortedTxns)
      }
    }
  }

  private def readFetchDataInfo(segment: LogSegment,
                                startOffset: Long,
                                maxLength: Int,
                                minOneMessage: Boolean,
                                maxOffsetMetadata: LogOffsetMetadata,
                                includeAbortedTxns: Boolean): FetchDataInfo = {
    // Do the read on the segment with a base offset less than the target offset
    // but if that segment doesn't contain any messages with an offset greater than that
    // continue to read from successive segments until we get some messages or we reach the end of the log
    var fetchDataInfo: FetchDataInfo = null
    var segmentOpt: Optional[LogSegment] = Optional.of(segment)
    while (fetchDataInfo == null && segmentOpt.isPresent) {
      val segment = segmentOpt.get
      val baseOffset = segment.baseOffset

      val maxPosition =
        // Use the max offset position if it is on this segment; otherwise, the segment size is the limit.
        if (maxOffsetMetadata.segmentBaseOffset == segment.baseOffset) maxOffsetMetadata.relativePositionInSegment
        else segment.size

      fetchDataInfo = segment.read(startOffset, maxLength, maxPosition, minOneMessage)
      if (fetchDataInfo != null) {
        if (includeAbortedTxns)
          fetchDataInfo = addAbortedTransactions(startOffset, segment, fetchDataInfo)
      } else segmentOpt = segments.higherSegment(baseOffset)
    }

    if (fetchDataInfo != null) fetchDataInfo
    else {
      // okay we are beyond the end of the last segment with no data fetched although the start offset is in range,
      // this can happen when all messages with offset larger than start offsets have been deleted.
      // In this case, we will return the empty set with log end offset metadata
      new FetchDataInfo(nextOffsetMetadata, MemoryRecords.EMPTY)
    }
  }

[junrao]

fetchOffset typically shouldn't be message only. But it doesn't hurt to have the check.

[kamalcph]

While going through the usages, it looks to me that the LogOffsetMetadata conversion happens in the KafkaMetadataLog is not correct. Could someone please double check?

org.apache.kafka.storage.internals.log.LogOffsetMetadata -> org.apache.kafka.raft.LogOffsetMetadata

https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/raft/KafkaMetadataLog.scala#L226

Question: Why do we make the org.apache.kafka.raft.LogOffsetMetadata#segmentPosition as empty when hwm.messageOffsetOnly is false?

[jsancio]

@kamalcph, looks like a bug to me. The predicate should be if (!hwm.messageOffsetOnly) or the if/else blocks should be swapped. I suspect that we haven't noticed this bug in the KRaft implementation (KafkaRaftClient) because kraft never looks at the segment and byte position for the HWM.

If you are going to fix this code, do you mind adding a test for this case? Since KafkaMetadataLog calls UnifiedLog.fetchOffsetSnapshot, hwm.messageOffsetOnly should always be false.

[junrao]

@kamalcph : Thanks for the updated PR. Left a few more comments.

[junrao]

We have the following code below.

            if (maxOffsetMetadata.segmentBaseOffset == segment.baseOffset) maxOffsetMetadata.relativePositionInSegment
            else segment.size

We need to be more careful there given maxOffsetMetadata may not have a corresponding relativePositionInSegment.

If maxOffsetMetadata.segmentBaseOffset is -1, we can return empty since maxOffsetMetadata.offset is not on local log segments.

If maxOffsetMetadata.segmentBaseOffset equals to segment.baseOffset, we can use maxOffsetMetadata.relativePositionInSegment.

If maxOffsetMetadata.segmentBaseOffset is larger than segment.baseOffset, we can use segment.size.

If maxOffsetMetadata.segmentBaseOffset is smaller than segment.baseOffset, we return empty.

[kamalcph]

Agree, this patch is getting tricky. We want to validate all the scenarios especially when there is no data to read from the server, the number of fetch requests rate from the clients should be almost the same.

To avoid/reduce the cases, Can we always resolve the maxOffsetMetadata to complete metadata?
#15825 (comment)

[junrao]

Hmm, I thought the design of this PR is to allow maxOffsetMetadata to be message-only in some of the rare cases, right?

[junrao]

This exposes an issue in delayedFetch. If HWM is less than fetchOffset, we haven't gained any bytes. So, we shouldn't complete the delayedFetch immediately.

[kamalcph]

In the test, the LogOffsetSnapshot contains message-only offset for logEndOffset, highWatermark, and lastStableOffset in DelayedFetchTest.java#207. So, the test passed with the newly added condition.

In real scenario, we expect the LogOffsetSnapshot to contain the complete metadata for all the offsets.

[junrao]

Yes, I understand that the test passes as it is. I am just saying that the logic in DelayedFetch is not consistent.

If the offset metadata is available, we accumulate bytes only if (fetchOffset.messageOffset < endOffset.messageOffset). To be consistent, we need to do the same if test if the offset metadata is not available.

[junrao]

It's more natural for UNKNOWN_OFFSET_METADATA to be message offset only.

[kamalcph]

we can take this one separately in the next PR.

[junrao]

Why are we changing to start from log.highWatermark + 1 instead of log.highWatermark?

[kamalcph]

since log.highWatermark contains the full-metadata, divided the check into 2 when reading at (or) beyond the high-watermark:

1. When the fetchOffset equals to the high-watermark, we return empty-records but with complete offset metadata
2. When the fetchOffset is beyond the high-watermark/max-offset-allowed-to-read, we return empty-records with message-only metadata.

We can reconsider the case whether to return message-only-offset metadata (or) complete-offset metadata when the fetch-offset is beyond the max-offset-allowed-to-read. (comment)

[junrao]

@kamalcph : Thanks for the updated PR. Added a couple of more comments.

[junrao]

Hmm, I thought the design of this PR is to allow maxOffsetMetadata to be message-only in some of the rare cases, right?

[junrao]

Yes, I understand that the test passes as it is. I am just saying that the logic in DelayedFetch is not consistent.

If the offset metadata is available, we accumulate bytes only if (fetchOffset.messageOffset < endOffset.messageOffset). To be consistent, we need to do the same if test if the offset metadata is not available.