ReportRemoteError changes could hide data divergence #589
Description
I was worried about this problem when reviewing #552, but after thinking about it for some time I couldn't convince myself it was actually possible under an all-INSERT workload, so I didn't comment on it.
Basically my thought was that one writer could fail (due to connection) to write a PK value to node A, decide to mark it as inactive, then move on to node B.
Another writer could successfully connect to A (before it's marked as unhealthy), write the same PK value, then move onto node B and get a PK violation.
With the changes from #552, it would error out on the PK violation even though it wrote to node A. Perhaps there's a third placement on node C which should have been updated, but is now divergent from A.
Because I couldn't construct a scenario where A isn't already about to be marked as inactive by a concurrent writer, I didn't think much of this issue.
However, @anarazel points out that certain customers might be creating indexes themselves on shards (manually, on the workers, to e.g. use CONCURRENTLY).
In this case, it's possible one placement has an index created while another doesn't. We could write a duplicate row to one placement and move to another placement where duplicates are already disallowed. We'd error out, marking nothing as inactive. One placement would have an extra row not present on other placements.
Of course, you might say "wait, why is the user connecting to a node directly?" or "but then the index creation should fail, and they should mark the placement as inactive!"
I agree, but realistically we could (possibly) modify #552 slightly to address this: @anarazel suggested only throwing a (e.g. PK violation) error if we haven't written to any nodes yet. If we do have a successful modification, then fall back to the "old" method of warning-and-marking-inactive.
The code change here isn't too big, but we wanted to bring it up as an issue to ensure that e.g. Citus Cloud's error was addressed even with this modification.