KAFKA-7657: Fixing thread state change to instance state change

[guozhangwang]

While looking into KAFKA-7657, I found there are a few loopholes in this logic:

1. We kept a map of thread-name to thread-state and a global-thread state at the KafkaStreams instance-level, in addition to the instance state itself. stateLock is used when accessing the instance state, however when we are in the thread state change callback, we are accessing both the thread-states as well as the instance state at the same time in the callers of setState without a lock, which is vulnerable to concurrent multi-stream threads. The fix is a) introduce a threadStatesLock in addition to the stateLock, which should always be grabbed to modify the thread-states map before the stateLock for modifying the instance level; and we also defer the checking of the instance-level state inside the setState call.

2. When transiting to state.RUNNING, we check if all threads are either in RUNNING or DEAD state, this is because some threads maybe dead at the rebalance period but we should still proceed to RUNNING if the rest of threads are still transiting to RUNNING.

3. Added unit test for 2) above. Also simplified another test as a nit change.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[guozhangwang]

@mjsax @bbejeck @vvcephei

[guozhangwang]

There is no logic change: it is just a nit that I moved this function closer to its caller.

[guozhangwang]

This is for 1).

[mjsax]

I don't get why we need this? onChange() is synchronized, so how can a race condition happen?

[guozhangwang]

This is for 1), i.e. doe not check instance-level state here since any access to this should be lock protected.

[guozhangwang]

This is for 1) as well: we allow REBALANCE -> REBALANCE and RUNNING -> RUNNING because of the deferred check.

[mjsax]

Just looking at this, it seems we need to assign oldState = state after we go the lock?

[mjsax]

Also below, when calling stateListener.onChange(state, oldState); -- would we need to call stateListener.onChange(newState, oldState); instead? Otherwise, state could change before we do the callback because the lock is released already.

[mjsax]

I cannot follow here. Why would this happen? Similar for RUNNING?

[guozhangwang]

Re first two comments: good call, lgtm.

Re last comment: REBALANCING -> REBALANCING is quite normal, note that before this PR we check this before calling setState(State.REBALANCING); so this is prevented, but part of this fix is to move the logic that needs to access the state into a single place (here). Similarly RUNNING -> RUNNING is possible during starting up phase, where we first set the instance state to RUNNING directly to avoid it transit from CREATED -> REBALANCING, and then when threads are starting, it is possible that maybeSetRunning went through and hence calls setState(RUNNING) again.

[guozhangwang]

This one-liner is for 2).

[vvcephei]

Thanks for this fix!

Can you explain why we need the new threadStatesLock instead of just grabbing the stateLock as a precondition to updating the threadState map?

It seems like an optimization to prevent serializing each thread's state update during, eg a rebalance. I suppose this would be nice if there were a large number of threads per instance. Is that what you had in mind?

[vvcephei]

Preexisting, but should this be an error log? (seems to be implied by the text of the log)

[mjsax]

I agree. Error log level, seems to be more appropriate.

[guozhangwang]

Ack @vvcephei @mjsax

[vvcephei]

Does this mean that the state listener might be invoked out of order?
Eg:

1. RUNNING -> REBALANCING
2. CREATED -> RUNNING

Maybe this is already accounted for, and it's why we pass both the old and new state?

[guozhangwang]

Yes it is possible that user's callback maybe triggered out of ordering (in practice may be not very likely), this is not ideal but at that time we did not come up with a better idea how to enforce that we always have instance-level state to go CREATED -> RUNNING -> REBALANCING -> RUNNING at the starting up phase.

All ears if you have a better idea :)

[mjsax]

Why could we not fix this? The underlying issue seems to be the state transitions of StreamThread -- it allows to go from CREATED -> RUNNING -- if we change this, and we can only go to CREATED -> PARTITION REVOKED we should be able to tackle this issue? (Maybe a different PR to do this though.)

[guozhangwang]

It seems like an optimization to prevent serializing each thread's state update during, eg a rebalance. I suppose this would be nice if there were a large number of threads per instance. Is that what you had in mind?

Yes, the main purpose is to have finer granularity in locks (i.e. one for the threads map and global thread summary, and one for the instance-level state), since there are call paths that actually does not access or modify the threads map at all but directly jump on the state and modify it (e.g. transitFromCreatedToRunning).

[bbejeck]

Thanks for the fix @guozhangwang, LGTM

[mjsax]

Some questions. Not sure if I fully understand atm.

[mjsax]

Does it make sense to set the instance to RUNNING if all threads are DEAD ?

[guozhangwang]

Note this is triggered only when a thread transited to RUNNING.

When all threads are DEAD, by the time the last thread transited to DEAD the maybeSetError will proceed and the state will transit to ERROR.

[mjsax]

I agree. Error log level, seems to be more appropriate.

[mjsax]

Just looking at this, it seems we need to assign oldState = state after we go the lock?

[mjsax]

Also below, when calling stateListener.onChange(state, oldState); -- would we need to call stateListener.onChange(newState, oldState); instead? Otherwise, state could change before we do the callback because the lock is released already.

[mjsax]

Seems it might be better to get a lock here, too (ie, for the whole method)? Similar in setUncaughtExceptionHandler() and setGlobalStateRestoreListener()?

[mjsax]

Why could we not fix this? The underlying issue seems to be the state transitions of StreamThread -- it allows to go from CREATED -> RUNNING -- if we change this, and we can only go to CREATED -> PARTITION REVOKED we should be able to tackle this issue? (Maybe a different PR to do this though.)

[mjsax]

I cannot follow here. Why would this happen? Similar for RUNNING?

[mjsax]

I don't get why we need this? onChange() is synchronized, so how can a race condition happen?

[guozhangwang]

| Why could we not fix this? The underlying issue seems to be the state transitions of StreamThread -- it allows to go from CREATED -> RUNNING -- if we change this, and we can only go to CREATED -> PARTITION REVOKED we should be able to tackle this issue? (Maybe a different PR to do this though.)

Not sure I fully understand, could you elaborate?

[guozhangwang]

| I don't get why we need this? onChange() is synchronized, so how can a race condition happen?

There are possible concurrent access to the threadState and globalThreadState, and hence we need to synchronize on that. We can of course just put everything under synchronization of stateLock, but like I mentioned before:

the main purpose is to have finer granularity in locks (i.e. one for the threads map and global thread summary, and one for the instance-level state), since there are call paths that actually does not access or modify the threads map at all but directly jump on the state and modify it (e.g. transitFromCreatedToRunning).

[mjsax]

About state transitions. My comment was a little bit ambiguous. It was not about callback order, but about avoiding: CREATED -> RUNNING -> REBALANCING -> RUNNING at startup.

Currently, we have state transitions for StreamThread

     *                +-------------+
     *          +<--- | Created (0) |
     *          |     +-----+-------+
     *          |           |
     *          |           v
     *          |     +-----+-------+
     *          +<--- | Running (1) | <----+
     *          |     +-----+-------+      |
     *          |           |              |
     *          |           v              |
     *          |     +-----+-------+      |
     *          +<--- | Partitions  |      |
     *          |     | Revoked (2) | <----+
     *          |     +-----+-------+      |
     *          |           |              |
     *          |           v              |
     *          |     +-----+-------+      |
     *          |     | Partitions  |      |
     *          |     | Assigned (3)| ---->+
     *          |     +-----+-------+
     *          |           |
     *          |           v
     *          |     +-----+-------+
     *          +---> | Pending     |
     *                | Shutdown (4)|
     *                +-----+-------+
     *                      |
     *                      v
     *                +-----+-------+
     *                | Dead (5)    |
     *                +-------------+

Those lead to CREATED -> RUNNING -> REBALANCING -> RUNNING.

Why not change it to:

     *                +-------------+
     *          +<--- | Created (0) |
     *          |     +-----+-------+
     *          |           |
     *          |           v
     *          |     +-----+-------+
     *          +<--- | Partitions  | <-------+
     *          |     | Revoked (2) | <----+  |
     *          |     +-----+-------+      |  |
     *          |           |              |  |
     *          |           v              |  |
     *          |     +-----+-------+      |  |
     *          +<--- | Partitions  | ---->+  |
     *          |     | Assigned (3)|      |  |
     *          |     +-----+-------+      |  |
     *          |           |              |  |
     *          |           v              |  |
     *          |     +-----+-------+      |  |
     *          +<--- | Running (1) | <----+  |
     *          |     +-----+-------+         |
     *          |           |                 |
     *          |           +-----------------+
     *          |
     *          |     +-------------+
     *          +---> | Pending     |
     *                | Shutdown (4)|
     *                +-----+-------+
     *                      |
     *                      v
     *                +-----+-------+
     *                | Dead (5)    |
     *                +-------------+

This way, on startup we get CREATED -> REBALANCING -> RUNNING for KafkaStreams states.

[guozhangwang]

I see. So what I can do is:

1. on StreamThread.start, setState(PARTITION_REVOKED).
2. allow stream thread state PARTITION_REVOKED --> PARTITION_REVOKED itself. This is because we need to call setState(PARTITION_REVOKED) inside onPartitionRevoked callback still.
3. on KafkaStreams.start, remove setRunningFromCreated; just rely on stream thread to set it to REBALANCING instead.

• 4. still check stream instance state REBALANCING --> REBALANCING as did in the current PR.

Is that right?

I think it is doable, and CREATED -> REBALANCING -> RUNNING does look better. But since it changes the state transition a bit that would require the KIP. If people prefer this as well I can piggy-back this on a small proposal.

[guozhangwang]

This is the state transition diagram change: 359c95b cc @vvcephei @mjsax @bbejeck

[mjsax]

I would not set PARTITION_REVOKED on StreamThread.start, because we get this transition automatically in onPartitionRevoked.

Of course, this implies that we are in state CREATED a little longer, but this seems to be fine to me personally.

If we need a KIP, I think we should to a separate PR but not piggy-back to this PR.

[guozhangwang]

I would not set PARTITION_REVOKED on StreamThread.start, because we get this transition automatically in onPartitionRevoked.

The reason for immediate state transition is to disallow KafkaStreams.start() being called multiple times; we have a unit test in KafkaStreamsTest for this case specifically. Of course we can also add a waitOnState(REBALANCING) inside the start() function after kicking start the threads -- actually I've also implemented this along with this PR -- but the complexity and timing dependency seems even worse to me, and hence I remained in this approach.

If we need a KIP, I think we should to a separate PR but not piggy-back to this PR.

Thinking about this again, I'd agree with you. In fact I'd rather treat it as a minor bug and update the documentations on operations directly.

[mjsax]

What about adding one more state with transitions CREATED -> STARTED -> PARTITIONS_REVOKED on startup? (STARTING instead of STARTED)

[guozhangwang]

What about adding one more state with transitions CREATED -> STARTED -> PARTITIONS_REVOKED on startup? (STARTING instead of STARTED)

Are you referring to instance state or thread state?

[mjsax]

Thread state. Not sure if we need an additional state at the instance level.

[guozhangwang]

I see your point now. I've added the STARTING state to stream thread.

[mjsax]

Overall LGTM.

Some minor follow up questions.

[mjsax]

With the state transitions changes for StreamThread is this still possible?

[guozhangwang]

Good point, I can remove it here.

[mjsax]

Why do we need threadStateLock? Can't we use this?

[guozhangwang]

We can; but since we have a stateLock already I want to distinguish it with another dedicated object.

[mjsax]

If we want to encapsulate state handling at instance/thread level, maybe rewrite this to:

if (newState == GlobalStreamThread.State.DEAD) {
    setState(State.ERROR);
    log.error("Global thread has died. The instance will be in error state and should be closed.");
}

GlobalStreamThread would call this method only once anyway, and setState() should handle idempotent setState(State.ERROR) internally?

[guozhangwang]

I can do that, but I need to let State.ERROR transit to State.ERROR (currently it is not allowed, and hence will cause illegal state exception). Will do that.

[mjsax]

Not sure if this holds. Don't we need to block state transitions while we cleanup is running?

[guozhangwang]

stateDirectory.cleanRemovedTasks(cleanupDelay); itself have synchronization barriers as well, so we do not need to have the whole function in synchronized(stateLock); and in that case, just locking stateLock for reading its value does not bring any additional guarantees.

[mjsax]

Why do we want to disallow calling start() twice? Could be idempotent no-op, too.

[guozhangwang]

Good question.. this was added at the very beginning when we try to fix a few state transition bugs, and one of them as calling start() twice which may re-create threads etc. Arguably we can still allow calling it twice while making second / future calls no-op.

I'd suggest we leave it as a separate improvement.

[mjsax]

Should is be PARTITIONS_REVOKED(2, 3, 5) because it want to transit to itself?

[guozhangwang]

Okay, I can remove the check in setState and add it here.

EDIT: I've thought about it twice, and I felt it is better to not allow "transiting to itself" but just avoid it in the setState instead. The main reason is that otherwise, the stateListener.onChange will be called which may trigger user's listener and cause confusion (think: why my listener gets called again on error? it was triggered already).

[guozhangwang]

Reverted this one as I found it lacks a final commit in my local branch, sorry.

Re-created #6091.