[ES-1934053] Detach result streaming from QueryContext cancellation#371
[ES-1934053] Detach result streaming from QueryContext cancellation#371msrathore-db wants to merge 1 commit into
Conversation
msrathore-db
force-pushed
the
fix/query-context-result-streaming
branch
from
a412542 to
fd65633
Compare
msrathore-db
changed the title
Code Review Squad — ReviewScore: 81/100 — MODERATE RISK This PR correctly fixes the streaming regression from #295: result-fetch RPCs are detached from Could not post inline comments for: F1, F2, F3, F4, F5 — see body below. (GitHub PR review comment API returned 403 for this repository; findings are included here instead.) Critical & High FindingsF1 — High: Row-count cap is applied to the inline Arrow path — risks silent data lossFile: [HIGH CONFIDENCE — flagged by devils-advocate + language, orchestrator-verified]
Medium FindingsF2 — Medium: Detachment is total — in-flight fetches and CloudFetch S3 downloads are no longer cancellableFile: [MODERATE CONFIDENCE — flagged by architecture + devils-advocate]
Consider deriving the results context from a F3 — Medium: Split-brain cancellation in GetArrowBatches/GetArrowIPCStreamsFile: [LOW CONFIDENCE — flagged by architecture, orchestrator-verified]
Decide explicitly: detach both halves (full "result handle outlives query" model), or document that this ctx governs downloads but not pagination. Low FindingsLow findings (4) — click to expandF4 — Low: O(n^2) offset re-summation + a second drift-prone offset source (local path)File: [HIGH CONFIDENCE — flagged by performance + maintainability + language + devils-advocate]
F5 — Low: Add doc comments on the row-count-capping contractFile: [LOW CONFIDENCE — flagged by maintainability]
F6 — Low: Cap integration only covered by env-gated e2e test[MODERATE CONFIDENCE — flagged by test + language] The |
| return nil, err | ||
| } | ||
| if expectedRows >= 0 { | ||
| records = limitArrowRecords(records, expectedRows) |
There was a problem hiding this comment.
[Code Review Squad — F1 · HIGH · flagged by devils-advocate + language, verified]
This row-count cap is applied to the inline/local Arrow path too, not just CloudFetch where Arrow padding is the real concern. batchIterator.Next type-asserts to positionedIPCStreamIterator (line 583), and both localIPCStreamIterator (NextWithMetadata returns ab.RowCount, line 162) and cloudIPCStreamIterator (line 196) implement it. On main the local path returned all decoded records and never trusted RowCount.
limitArrowRecords only short-circuits on expectedRows < 0 (line 634); the caller guard here is expectedRows >= 0, so expectedRows == 0 enters the cap, hits remaining <= 0 on the first record, and Release()s every record → empty batch, no error. Reproduced empirically: with 6 decoded rows, RowCount=4 drops 2 rows; RowCount=0 drops the entire batch — all silently. This is a correctness risk strictly worse than the over-reporting bug being fixed.
Suggested fix: scope the cap to the CloudFetch path only, OR cap only down when expectedRows < decoded and emit a warning (never silently); at minimum guard the unambiguously-wrong expectedRows == 0 && len(records) > 0 case.
| // status polling. Result handles can outlive that phase, especially for | ||
| // paginated CloudFetch streams, so detach server-side result RPCs from the | ||
| // caller's cancellation while preserving context values used for auth/logging. | ||
| resultsCtx := context2.WithoutCancel(ctx) |
There was a problem hiding this comment.
[Code Review Squad — F2 · MEDIUM · flagged by architecture + devils-advocate]
context.WithoutCancel nulls Done() entirely, so once NewRows returns there is no context path to abort an in-flight FetchResults or a stuck CloudFetch download. The Thrift client has a 900s ClientTimeout backstop, but CloudFetch S3 GETs use http.DefaultClient with no timeout unless cfg.HTTPClient is set — a hung S3 download can now hang indefinitely and uncancellably. A user calling cancel() to stop a runaway result stream will find it no longer works.
Consider deriving the results context from a context.WithCancel wired to rows.Close(), so the deadline that gates statement submission doesn't bleed into streaming but the handle remains abortable. (Partial precedent: the direct-results CloudFetch path already used context.Background() pre-PR, so this is arguably the intended end state — worth an explicit maintainer decision + a comment either way.)
| if bi.index < cnt { | ||
| ab := bi.batches[bi.index] | ||
| startRowOffset := bi.startRowOffset | ||
| for i := 0; i < bi.index; i++ { |
There was a problem hiding this comment.
[Code Review Squad — F4 · LOW · flagged by performance + maintainability + language + devils-advocate]
localIPCStreamIterator.NextWithMetadata re-sums all prior batches' RowCount on every call (O(n²) over the stream). Perf impact is negligible (local/small-result path only; CloudFetch reads offsets in O(1)). The subtler point: offsets now derive from RowCount rather than actual decoded rows, so any inexact inline RowCount would drift every subsequent batch's StartRowOffset. Carry a running consumed-rows field instead. Non-blocking.
| return batch, nil | ||
| } | ||
|
|
||
| func limitArrowRecords(records []SparkArrowRecord, expectedRows int64) []SparkArrowRecord { |
There was a problem hiding this comment.
[Code Review Squad — F6 · LOW · flagged by maintainability]
limitArrowRecords, the positionedIPCStreamIterator interface (line 34), and the -1 "unknown row count" sentinel have no doc comments explaining the row-count-capping contract — the part future maintainers are most likely to misread or mis-"simplify". One sentence on the function ("cap a batch's records to the server-declared row count, dropping/truncating padding rows") plus a note on the NewSlice(0, remaining) + NewDelimiter(start, ...) pairing (the slice index is record-relative, while start is the absolute stream offset) would prevent a future maintainer from mis-"fixing" the offset.
msrathore-db
force-pushed
the
fix/query-context-result-streaming
branch
from
05fd91d to
4334b29
Compare
msrathore-db
changed the title
|
Thanks for the thorough review @vikrantpuppala. I've restructured this PR and addressed all findings. Summary of what changed and where: This PR was split. It now contains only the context-detachment fix for the Sev1 truncation. The Arrow row-count cap moved to #372, because it fixes a separate bug (CloudFetch over-reporting) that's independent of the streaming truncation. I validated this empirically against a real warehouse:
Findings on the row-count cap (now in #372):
I also cross-checked the official JDBC driver: Findings on the context fix (this PR):
PTAL — happy to adjust the F3 semantics call if you'd prefer the iterator ctx to remain caller-cancellable instead. |
msrathore-db
force-pushed
the
fix/query-context-result-streaming
branch
from
4334b29 to
d6d2952
Compare
PR databricks#295 threaded the caller context into NewRows and the result page iterator, so FetchResults paging and CloseOperation inherited the caller's deadline. A short QueryContext timeout meant to gate only statement submission and status polling then fired mid-stream, silently truncating large CloudFetch results: a query expected to return 29,232,004 rows returned only 2,159,144. The ArrowBatchIterator surfaced io.EOF rather than the deadline error, so the truncation was silent. Detach the result context from the caller's cancellation via context.WithoutCancel (preserving its values for auth/logging), but wire it to a cancel func invoked from Rows.Close() so in-flight FetchResults and CloudFetch downloads are never left uncancellable. GetArrowBatches / GetArrowIPCStreams now build their iterator from this detached context so CloudFetch S3 downloads also survive the caller's deadline and remain abortable via Close — the previous behaviour cancelled downloads but not paging, a half-effective split. Adds unit tests for the detached-but-abortable contract and updates the e2e regression to pass the cancelled QueryContext into GetArrowBatches. Co-authored-by: Isaac Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
msrathore-db
force-pushed
the
fix/query-context-result-streaming
branch
from
d6d2952 to
2e39c73
Compare
|
Closing in favor of #373. This PR was opened from a fork, so the required |
…373) > Supersedes #371 (which was opened from a fork and therefore could not run the required JFrog-dependent CI checks — forks don't receive the OIDC `id-token`). Same context-only fix, same-repo branch so CI can run. Review history and discussion are on #371. ## Summary Fixes the Sev1 result-streaming truncation in **ES-1934053**. Since #295, the caller `QueryContext` was threaded into `NewRows` → `ResultPageIterator`, so result paging (`FetchResults`) and `CloseOperation` inherited the caller's deadline. A short timeout meant to gate only statement submission + status polling then fired mid-stream and **silently truncated** large CloudFetch results (a query expected to return 29,232,004 rows returned only 2,159,144; the `ArrowBatchIterator` surfaced `io.EOF` rather than the deadline error). This PR is **context-fix-only**. The Arrow row-count cap that was originally bundled with this work is split into #372 (an independent *over-reporting* fix). ## What changed - Detach the result context from the caller's cancellation via `context.WithoutCancel`, preserving its values for auth/logging. - Wire the detached context to a cancel func invoked from `Rows.Close()`, so in-flight `FetchResults` and CloudFetch downloads are never left uncancellable (addresses review finding **F2**). - `GetArrowBatches`/`GetArrowIPCStreams` now build their iterator from the detached context, so CloudFetch S3 downloads also survive the caller's deadline and remain abortable via `Close` (addresses **F3** — previously paging was detached but downloads were not). ## Test plan - `go test ./internal/rows/...` — adds `TestNewRows_DetachesResultRPCContextFromQueryContextCancellation` and `TestNewRows_CloseAbortsDetachedResultContext`. - `go test ./...` — full suite green. - E2E against a real SQL warehouse: reproduced the regression (100,000-row stream truncated to **12,288** rows under a 2s mid-stream deadline) and confirmed the fix drains the full result. The e2e regression passes the **cancelled** `QueryContext` into `GetArrowBatches` (previously `context.Background()`, which masked the download path). This pull request and its description were written by Isaac. Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
## Summary CloudFetch Arrow IPC files can contain **padding rows beyond the `RowCount` declared on each result link** (`TSparkArrowResultLink.RowCount`), which the driver surfaced as extra rows. Validated against a real warehouse, `SELECT * ... LIMIT 300000` decoded to **301,407 rows** (1,407 padding rows beyond the requested count). This PR caps each decoded CloudFetch batch to its link's `RowCount` and anchors batch offsets to the link's `StartRowOffset`. The cap is **scoped to the CloudFetch path only**, via a new `positionedIPCStreamIterator` interface implemented solely by `cloudIPCStreamIterator`. The inline/local Arrow path is intentionally left unchanged: those batches are returned verbatim with no padding, and their per-batch `RowCount` has historically been untrusted, so capping there could silently drop rows. A `RowCount <= 0` is treated as "unknown" and never drops rows. ## Why this matches the server contract The official **JDBC driver** does exactly this: `ArrowResultChunkIterator.hasNextRow()` stops once `rowsReadByIterator >= resultChunk.numRows`, where `numRows = TSparkArrowResultLink.RowCount`. It decodes the full Arrow file but never exposes more than the server-declared count, and cross-chunk row offsets are computed from `StartRowOffset + RowCount` (server values), not decoded counts. This PR mirrors that behavior for the Go driver. ## Relationship to #371 / ES-1934053 Split out of #371. #371 fixes the Sev1 **truncation** (result streaming detached from `QueryContext` cancellation — *under*-reporting). This PR fixes the independent **over-reporting** discovered during that validation. The two are orthogonal and can merge in any order. ## Test plan - `go test ./internal/rows/arrowbased/...` — new `TestBatchIterator_RowCountCap` covers cap-down, exact boundary, over-count, the `RowCount==0` safety case (no silent drop), and inline-never-capped. - `go test ./...` — full suite green. - E2E against a real SQL warehouse: `TestE2ECloudFetchExactRowCount` drains `SELECT id, repeat('x',64) FROM range(2000000)` over multiple CloudFetch link pages and asserts exactly **2,000,000** rows (over-reported without the cap). This pull request and its description were written by Isaac. Signed-off-by: Madhavendra Rathore <madhavendra.rathore@databricks.com>
2 participants
Summary
Fixes the Sev1 result-streaming truncation in ES-1934053. Since #295, the caller
QueryContextwas threaded intoNewRows→ResultPageIterator, so result paging (FetchResults) andCloseOperationinherited the caller's deadline. A short timeout meant to gate only statement submission + status polling then fired mid-stream and silently truncated large CloudFetch results (a query expected to return 29,232,004 rows returned only 2,159,144; theArrowBatchIteratorsurfacedio.EOFrather than the deadline error).What changed
context.WithoutCancel, preserving its values for auth/logging.Rows.Close(), so in-flightFetchResultsand CloudFetch downloads are never left uncancellable (addresses F2 — the prior total detachment).GetArrowBatches/GetArrowIPCStreamsnow build their iterator from the detached context, so CloudFetch S3 downloads also survive the caller's deadline and remain abortable viaClose(addresses F3 — previously paging was detached but downloads were not, a split-brain semantics).Test plan
go test ./internal/rows/...— addsTestNewRows_DetachesResultRPCContextFromQueryContextCancellationandTestNewRows_CloseAbortsDetachedResultContext(detached-but-abortable contract).go test ./...— full suite green.QueryContextintoGetArrowBatches(previously it usedcontext.Background(), which masked the download-path issue F3 flagged).This pull request and its description were written by Isaac.