ZOOKEEPER-4203: Leader swallows the ZooKeeperServer.State.ERROR from Leader.LearnerCnxAcceptor in some concurrency condition #1596
Conversation
…Leader.LearnerCnxAcceptor in some concurrency condition
|
I believe that in the CI server, multiple test cases fail due to the network connection binding issue, and the QuorumMainTest fails because the ZK snapshot is compromised by some test cases that have failed. Thus, I think this patch can be merge into master if the reviewers agree with my design. |
|
retest please |
1 similar comment
|
retest please |
|
@tisonkun I am sorry but the magic word does not work anymore. |
|
I have restarted the github actions job, but the Jenkins job is too old. |
There was a problem hiding this comment.
thank you @functioner for sharing your work.
I hope we will get the fix soon and see it merged to master branch
| synchronized (stateChangeMutex) { | ||
| if (this.state == State.ERROR) { | ||
| if (state == State.RUNNING || state == State.INITIAL) { | ||
| return; |
There was a problem hiding this comment.
we should add a relevant log in order to see if this case is happening.
Creating a test that reproduces the problem and demonstrates that this fix actually resolves the problem would be better
There was a problem hiding this comment.
To add the test, do we need to consider using a fault injection tool? See ZOOKEEPER-3601 and #1135. I have provided Byteman injection script in ZOOKEEPER-4203 so it can be somehow translated into a test.
There was a problem hiding this comment.
100% agree with @eolivelli on adding a LOG.warn (if not LOG.error).
For the test, I would suggest mocking and/or overriding some methods to explicitly generate the fault, if possible. I haven't tried doing so, but perhaps LearnerTest.java (which subclasses LearnerZooKeeperServer) can serve as inspiration?
There was a problem hiding this comment.
100% agree with @eolivelli on adding a
LOG.warn(if notLOG.error).
Okay, I will add the log later.
For the test, I would suggest mocking and/or overriding some methods to explicitly generate the fault, if possible. I haven't tried doing so, but perhaps
LearnerTest.java(which subclassesLearnerZooKeeperServer) can serve as inspiration?
Okay, I will take a try.
BTW, I think introducing a fault injection tool like #1135 may make it easier to write a test for it, and is helpful for the community. Another bug I propose (#1582) also require such tool to reproduce/test. I commented at #1135 but haven't got response. Do you have any suggestion or opinion? Thank you.
There was a problem hiding this comment.
Hi @functioner, I am very interested in this problem, I have written a test case, I don't konw if it can be used to test this problem.Maybe you can use it as a reference.
TestCase
Byteman btm script
There was a problem hiding this comment.
if you want to use stateChangeMutex to handle concurrent access to state you have to use it at every read/write access.
Using AtomicReference is better and easier to understand.
I suggest to switch to AtomicReference and drop stateChangeMutex
| @@ -189,9 +189,18 @@ public void dumpConf(PrintWriter pwriter) { | |||
| pwriter.print(self.getQuorumVerifier().toString()); | |||
| } | |||
|
|
|||
| private final Object stateChangeMutex = new Object(); | |||
|
|
|||
| @Override | |||
| protected void setState(State state) { | |||
There was a problem hiding this comment.
After a closer look I find that setState can be a single implementation in ZooKeeperServer. Just as is there. And you can apply this check as well as logging to verify as @eolivelli said.
There was a problem hiding this comment.
I agree with @eolivelli that setState() has to be "careful," because ZooKeeperServerListenerImpl.notifyStopping calls it from "random" threads.
But @Tison's point still holds; it seems to me that this could be simplified by making setState() a synchronized method. Do you have a specific reason of using a separate object?
(The parent setState() does not need to be synchronized because the field is volatile.)
There was a problem hiding this comment.
But @Tison's point still holds; it seems to me that this could be simplified by making
setState()asynchronizedmethod. Do you have a specific reason of using a separate object?(The parent
setState()does not need to besynchronizedbecause the field isvolatile.)
@ztzg The rationale for not making setState() a synchronized method is that if a thread is running another synchronized method of this ZooKeeperServer object for some time, it may block the setState() invoked by another thread, and this invocation may be critical.
There was a problem hiding this comment.
I agree with @eolivelli that
setState()has to be "careful," becauseZooKeeperServerListenerImpl.notifyStoppingcalls it from "random" threads.
Actually, the single-node ZooKeeperServer can handle this issue with the handler:
because it is registered at the very beginning:
This handling logic is:
and then
However, in the case of QuorumZooKeeperServer, including Leader, Follower, etc., the aforementioned logic is not used.
There was a problem hiding this comment.
Hi @functioner,
Thank you for the comprehensive report, and for the patch!
I could "manually" reproduce the problem, and can confirm that your proposed change prevents the system from getting stuck.
I have left a couple of comments on the current implementation.
One thing I am wondering (which was not introduced by your code) is why we catch and continue on SaslExceptions, but "crash" on other IOExceptions? Not a major point as the server will now recover, but perhaps we could just accept that accept can fail? @eolivelli, @symat?
| @@ -189,9 +189,18 @@ public void dumpConf(PrintWriter pwriter) { | |||
| pwriter.print(self.getQuorumVerifier().toString()); | |||
| } | |||
|
|
|||
| private final Object stateChangeMutex = new Object(); | |||
|
|
|||
| @Override | |||
| protected void setState(State state) { | |||
There was a problem hiding this comment.
I agree with @eolivelli that setState() has to be "careful," because ZooKeeperServerListenerImpl.notifyStopping calls it from "random" threads.
But @Tison's point still holds; it seems to me that this could be simplified by making setState() a synchronized method. Do you have a specific reason of using a separate object?
(The parent setState() does not need to be synchronized because the field is volatile.)
| synchronized (stateChangeMutex) { | ||
| if (this.state == State.ERROR) { | ||
| if (state == State.RUNNING || state == State.INITIAL) { | ||
| return; |
There was a problem hiding this comment.
100% agree with @eolivelli on adding a LOG.warn (if not LOG.error).
For the test, I would suggest mocking and/or overriding some methods to explicitly generate the fault, if possible. I haven't tried doing so, but perhaps LearnerTest.java (which subclasses LearnerZooKeeperServer) can serve as inspiration?
@ztzg I think it can be explained with: In the case of SaslException, the exception is not thrown again, then it will not be caught by:In this case, ZooKeeperServer.State.ERROR is not set, everything works well temporally, and the critical codefinishes, so, if there is any error later, it can be detect by: Then, the quorum can handle it well. However, if the IOException is not In this case, the ZooKeeperServer.State.ERROR may be set before the critical code:Then this error state is covered by the running state. The symptom described by this issue occurs. |
|
I think the exception in Leader.LearnerCnxAcceptor should not be handled by zkServer, but should be handled internally by Leader.Because Acceptor and zkServer are not closely related, both Acceptor and zkServer are used as internal components of Leader, and Leader combines them to complete the function of leader.
Follower can do the same. |
@lanicc, IMO, the root problem this issue exposes is that the exception caught by What do you think? @eolivelli @ztzg |
|
I've added |
|
@maoling Sorry to bother you. But the other guys might be busy recently. Can you help review my patch & test case? And approve the CI workflow? Thank you! |
| synchronized (stateChangeMutex) { | ||
| if (this.state == State.ERROR) { | ||
| if (state == State.RUNNING || state == State.INITIAL) { | ||
| return; |
There was a problem hiding this comment.
if you want to use stateChangeMutex to handle concurrent access to state you have to use it at every read/write access.
Using AtomicReference is better and easier to understand.
I suggest to switch to AtomicReference and drop stateChangeMutex
|
@eolivelli The state check & modification within |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| @@ -457,7 +461,7 @@ public void run() { | |||
| CountDownLatch latch = new CountDownLatch(serverSockets.size()); | |||
|
|
|||
| serverSockets.forEach(serverSocket -> | |||
| executor.submit(new LearnerCnxAcceptorHandler(serverSocket, latch))); | |||
| executor.submit(createLearnerCnxAcceptorHandler(serverSocket, latch))); | |||
There was a problem hiding this comment.
FutureReturnValueIgnored: Return value of methods returning Future must be checked. Ignoring returned Futures suppresses exceptions thrown from the code that completes the Future. (details)
(at-me in a reply with help or ignore)
There was a problem hiding this comment.
I've recorded this as ignored for this pull request. If you change your mind, just comment @sonatype-lift unignore.
|
@eolivelli @ztzg I'm following up on whether we will merge or improve this patch soon? Thanks! |
The fix of ZOOKEEPER-4203 is implemented. In my local machine, it is able to pass all test cases.