Ensure retries are not interleaved even on multiple sequential calls

[npepinpe]

Description

By using ActorControl#submit in some of the retry strategies, we can create race conditions if the retry strategy is reused. Since the initial call uses run to prepend a retry attempt, and further retries use submit, it's possible for one run to retry (thus submitting the retry job to the end of the queue) and the next call to runWithRetry cause its state to be overwritten, causing issues when it comes to completing the future (as well as potential shared state by the operations).

Additionally, this PR fixes an issue where on retry, we were not resetting the writer, causing the same command to be written multiple times.

There is a regression test added which isn't perfect, and I'd like some suggestions on how to improve it. The integration test added to the ProcessingScheduleServiceTest is not amazing and likely to flaky, as it's hard to write controlled tests with our timers. Suggestions are welcomed 👍

Related issues

closes #10240

Definition of Done

Not all items need to be done depending on the issue and the pull request.

Code changes:

• The changes are backwards compatibility with previous versions
• If it fixes a bug then PRs are created to backport the fix to the last two minor versions. You can trigger a backport by assigning labels (e.g. backport stable/1.3) to the PR, in case that fails you need to create backports manually.

Testing:

• There are unit/integration tests that verify all acceptance criterias of the issue
• New tests are written to ensure backwards compatibility with further versions
• The behavior is tested manually
• The change has been verified by a QA run
• The impact of the changes is verified by a benchmark

Documentation:

• The documentation is updated (e.g. BPMN reference, configuration, examples, get-started guides, etc.)
• New content is added to the release announcement
• If the PR changes how BPMN processes are validated (e.g. support new BPMN element) then the Camunda modeling team should be informed to adjust the BPMN linting.

Please refer to our review guidelines.

[npepinpe]

One additional thing, we could potentially refactor the retry mechanism such that each retry operation is self contained and isolated from others, but I wasn't sure what that would mean in terms of semantic. To some extent, our retry operations should be sequenced between themselves, right? Perhaps we do need runUntilDone after all, or rather, the functionality:

• You can submit a task, and not allow any future tasks to be executed until it and any tasks it enqueues are completed
• Thread should be yielded in between executions

Right now, the fix relies on the fact that when we're executing a task, calling run will prepend the next task at the top of the queue, and while we're still executing the original task, nothing can prepend tasks to the queue, ensuring that whatever we prepend is executed first immediately after on that actor. That's easy to break in general, and makes reasoning about scheduling much harder.

I'm wondering if, in general, instead of using the retry strategies, we might not simply build retrying into the state machines that need them. Would that make things easier to understand? 🤔

[npepinpe]

If you revert the fix and use submit again, you will see this test fails (the first future is incomplete), and you will get the logs that the second future was completed twice.

[github-actions]

Test Results

   857 files  ±    0     857 suites  ±0   1h 38m 38s ⏱️ - 1m 16s
6 606 tests +247  6 595 ✔️ +246  11 💤 +1  0 ❌ ±0 
6 790 runs  +247  6 779 ✔️ +246  11 💤 +1  0 ❌ ±0 

Results for commit cc5b4d8. ± Comparison against base commit 2648f87.

♻️ This comment has been updated with latest results.

[deepthidevaki]

Thanks @npepinpe 🎉

The test looks good to me. It can reproduce the root cause of the bug.

🔧 As an integration test, may be you can also add a similar test in ProcessSchedulingServiceTest

[deepthidevaki]

🔧 Do we want to prevent interleaving the retries, and ensure that the ordering is preserved? Or just that two concurrently submitted tasks can be completed successfully even if they have to be retried? The test verifies the second behavior, which is acceptable. But just rename the method to reflect this.

[npepinpe]

Fair. I think we also guarantee the former, and it would be interesting to verify this, as I'm unsure if it's safe to ignore the ordering based on how consumers of the API are using it.

[npepinpe]

Ah, and regarding your comment about reusing the actor retry mechanism on the issue - I wasn't sure if this would have adverse effect. We can isolate the retry attempts by making sure they contain all their state, but then they might still be interleaved, and I'm not sure this is expected by users of this interface. So I went with the safe option right now. We could of course still isolate them AND also using run to make sure they aren't interleaved.

[npepinpe]

I'm sort of struggling with the integration tests, because our timers are non-deterministic. If I submit two timers one after the other, I'm not guaranteed that they will be executed in the order in which I submitted them, unless there is enough time in between them. I also cannot use a latch to coordinate both timer tasks, since with the fix, the second task shouldn't run anyway before the first one does...

I thought about scheduling the second task only once the first one runs (but before it writes), which works anyway with the fix. Without the fix, I cannot guarantee that it fails, because I would have to guarantee that the first task at least starts retrying before the second task is scheduled...A latch there would help (but I can't use it with the fix, as explained above).

[npepinpe]

OK, I wrote an integration test, and good thing! I found a second bug: we don't reset the batch writer in the retry, meaning on each retry we re-append the record :x

[npepinpe]

I also hit a weird bug (seldom), where one of the scheduled tasks just isn't called. Fun times.

[npepinpe]

I'm omitting anything about the issue with the timer tasks, I will open another issue for this.

[deepthidevaki]

OK, I wrote an integration test, and good thing! I found a second bug: we don't reset the batch writer in the retry, meaning on each retry we re-append the record :x

This might explain why, in the exception reported in the issue, it was trying to claim 20MB.

[deepthidevaki]

Ah, and regarding your comment about reusing the actor retry mechanism on the issue - I wasn't sure if this would have adverse effect. We can isolate the retry attempts by making sure they contain all their state, but then they might still be interleaved, and I'm not sure this is expected by users of this interface. So I went with the safe option right now. We could of course still isolate them AND also using run to make sure they aren't interleaved.

If the jobs have to be ordered, then there is not much value in isolating the retry attempts. So I'm ok to leave it as it is.

[npepinpe]

The test fail due to the timer not triggering 😄 I'm reluctant to merge it as it'll be flaky, but I'm now wondering if it's related to the other flaky test with timers 🤔

[npepinpe]

I'll omit the flaky test so we can merge, and I'll add it to the follow up issue #10306 as an action item so it can be added back (and used for reproduction) when that's root caused.

[npepinpe]

bors merge

[zeebe-bors-camunda]

Build failed (retrying...):

• Java checks

[zeebe-bors-camunda]

Build failed:

• Test summary

[npepinpe]

bors r+

[zeebe-bors-camunda]

Build failed (retrying...):

• Test summary

[zeebe-bors-camunda]

Build succeeded:

• Test summary
• Go linting
• Java checks