kvclient: disallow savepoint rollback after most errors #47724
Merged
Commits on Apr 23, 2020
-
kvclient: remove duplicated assertion
An assertion was duplicating one a few lines above. Release note: None
-
The test was trying to inject a retriable error, but it wasn't doing it properly. It was injecting a TransactionRetryWithProtoRefreshError, but that error is supposed to be generated at a higher layer. It was inconsequential, but it's about to become consequential in the next commit when rolling back to a savepoint is no longer allowed after random errors. At that point, the TxnCoordSender will not recognize TransactionRetryWithProtoRefreshError. Release note: None
-
kvclient: further clarify DistSender ambiguity comments
Adding more words abouts the morass, after the previous rant in cockroachdb#47580. Release note: None
-
kvclient: disallow savepoint rollback after most errors
This patch changes the handling of ConditionFailedErrors (after failed CPuts). It used to be the case that a txn could not continue sending requests after such an error (like after any other error). It is now allowed for a transaction to continue sending requests after this particular error because, in particular, we want to allow rollback to savepoints after it (see below). More broadly, there's no particular reason to not allow the client to continue, as long as it knows what it's doing. In fact, it's long been debatable whether ConditionFailedErrors should be errors at all, rather than another type of result. One caveat is that clients chosing to swallow this error need to be cautious of mixed success conditions, if that's applicable to the batch they have sent. Note that at the SQL level, a CPut error will still cause connection to be in an error state until a ROLLBACK. This patch also disallows rolling back to savepoints after a request returned any other error but ConditionFailedError. It used to be the case that rolling back to a savepoint was allowed after most errors, on the argument that our rollback mechanism (the ignored seq nums) is powerful enough to undo any effects of requests evaluated since the savepoint. Unfortunately, it wasn't safe. The way in which we overwrite intents and update their timestamp in the process, coupled with the transaction coordinator not being aware that an intent's timestamp was updated after different ambiguous errors, can lead to partial commits. See cockroachdb#47587. We could more narrowly disallow rollbacks after ambiguous errors, but the ambiguous cases are not trivial to isolate. I also want to backport something, so this seems safer. Fixes cockroachdb#47587 Release note (sql change): ROLLBACK TO SAVEPOINT is no longer permitted after misc internal errors.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.