Yield control if too many timers due #9249

pihme · 2022-04-28T13:56:01Z

Description

Adds a mechanism for the DueDateTimeChecker to yield control after some time. This is to stop it from iterating over an unknown number of due timer events and blocking execution while doing so.

Overall, this change should work well in cases where there is a huge backlog of timers. This backlog would then be reduced bit by bit.

The change is potentially bad for cases in which there is a constant and high load with many timers being created all the time. In this case, the change of this PR can lead to due timers continuously growing and the timers triggered will fall more and more behind real time.

Overall, this tradeoff was deemed advantageous. At least it removes that dangers that the iteration blocks the execution for so long that the node is marked as unhealthy. When this situation is reached there is currently no practical recovery possible.

Even before this point is reached, execution will be blocked for long stretches of time, and no progress can be made on that partition. So one faulty process can block all others from executing.

Both issues are addressed by this PR. With this PR it should be always possible to make some progress, albeit small. This would allow users to cancel or change any faulty process, or to reduce the load if needed.

Further work will be needed to figure out a way how to trigger timers without potentially falling further and further behind real time.

Review Hints

This PR has duplicate commits from #9237

Related issues

closes #9238

Definition of Done

Code changes:

The changes are backwards compatibility with previous versions
If it fixes a bug then PRs are created to backport the fix to the last two minor versions. You can trigger a backport by assigning labels (e.g. backport stable/1.3) to the PR, in case that fails you need to create backports manually.

Testing:

There are unit/integration tests that verify all acceptance criterias of the issue
New tests are written to ensure backwards compatibility with further versions
The behavior is tested manually to be done
The change has been verified by a QA run
The impact of the changes is verified by a benchmark

Documentation:

The documentation is updated (e.g. BPMN reference, configuration, examples, get-started guides, etc.)
New content is added to the release announcement
If the PR changes how BPMN processes are validated (e.g. support new BPMN element) then the Camunda modeling team should be informed to adjust the BPMN linting.

Please refer to our review guidelines.

saig0

@pihme LGTM 👍 I like the changes 🚀

There are two notes from the Code scanning. Please have a look.

pihme · 2022-04-29T13:09:41Z

Pending work:

look at code scanning warnings
rebase and replace faulty first commit
add feature flag to enable/disable the change.

will later become important in tests

pihme · 2022-05-02T12:35:11Z

@saig0 Please have another look. The last commit is new.

Regarding the code check warnings: Yes, the inner classes could be static. But if I make them static then code formatting moves them to the top of the class, which in my mind reduced readability of the tests. Happy to change it if you want.

saig0

@pihme looks good 👍

Please see my comment about enabling the feature by default.

saig0 · 2022-05-02T12:58:33Z

util/src/main/java/io/camunda/zeebe/util/FeatureFlags.java

   * Be careful with parameter order in constructor calls!
   */

  //  protected static final boolean FOO_DEFAULT = false;
-  //
+
+  private static final boolean YIELDING_DUE_DATE_CHECKER = false;


💭 Why do we not enable the yielding by default?

If enabled then it avoids that the partition is unhealthy. For me, it sounds more important that the partition is healthy than the timers are far behind.

If the feature is disabled then we don't get feedback if it is causing troubles.

@npepinpe This is one of the feature flags we want to test in dev/int and bring into production as soon as possible.

I agree with Philipp that setting it to on is probably the lesser of two evils. I wanted to err on the side of caution, though.
Also, my manual tests revealed that this change alone does not mitigate the issue that @Zelldon complained about.

I still think it's a step in the right direction, though.

pihme · 2022-05-02T14:52:29Z

bors merge

zeebe-bors-camunda · 2022-05-02T15:22:22Z

Build succeeded:

github-actions · 2022-05-02T15:23:16Z

Backport failed for stable/1.3, because it was unable to cherry-pick the commit(s).