Change filelock behaviour

[kderme]

#1903

[mrBliss]

That was quick.

Can you test this on Windows?

[mrBliss]

Quoting what you quoted in #1903 (comment):

[..], on Windows 'System.IO.openFile' for a lock file will fail when the lock is held

So this is wrong as it tries to open the lock file even if it's locked.

Question: does tryLockFile work when the file doesn't exist yet? If so, then that would be easier. Ah, see https://github.com/takano-akio/filelock/blob/9681ff960d2695cd67fe749edab0e2af06c6f829/System/FileLock/Internal/LockFileEx.hsc#L40

[dcoutts]

No, it's the content of the file that is locked, not the file as a whole. That's why the failure in the logs ocured on reading the file, not opening the file.

Note that the file locking functions in base only work on open files.

[mrBliss]

As I said in #1903 (comment), I wouldn't retry this until we know we need it.

UPDATE: I was mistaken, retries are needed.

[mrBliss]

Let's wait until we're sure: #1903 (comment)

[dcoutts]

If we use a timeout on a blocking lock acquire, we don't need retries.

[mrBliss]

This will go in light of my comment above it, but otherwise should have used dbLockFile here.

[mrBliss]

If we go for retries, let's use exponential backoff, not linear. Also we should document the behaviour: first wait x millisec, then ..., upto ..., etc. And we should indeed trace something, but this requires using a Tracer, and it's a bit annoying to have to add an extra tracer (cardano-node will have to be aware of it) just to trace one message.

[dcoutts]

It looks like the base package implementation of file locking on both posix, Linux and Windows will support the blocking lock acquite being interrupted by a timeout (async exception).

This would allow for a simple scheme:

res <- timeout 2000000 $ hLock lockfile ExclusiveLock

http://hackage.haskell.org/package/base-4.12.0.0/docs/GHC-IO-Handle-Lock.html

And if we're only blocking for up to one or two seconds, we don't need any new tracing I think.
#1903 (comment)

[dcoutts]

IMHO, there's nothing wrong with using the same file for the magic id and the file lock. But if you do, certainly you must open the lock file, lock it and hold it open for the duration. Only when it's opened and locked can you try to read the content.

But it's also ok to separate these into different files.

[coot]

What I recently learned (while working on ghc-tags-plugin, which is also using flock locking mechanism available in base) that one also needs to fsync (or fdatasync) before closing the file handle; In a highly concurrent setting, I've seen another thread (system thread / process) not reading the written but not fsync-ed content - I am not sure if this related in any way to ChainDB though.

[mrBliss]

Some systems may delete the empty file when all its handles are closed.

Does Windows do this?

[kderme]

No, I haven't seen it on windows or linux, but it's possible to happen.

[mrBliss]

There's some masking missing. The simplest approach is to write a acquireLock and a releaseLock function and use those in bracket, then bracket will take care of the masking for us.

[kderme]

@mrBliss what do you think should be masked?

[mrBliss]

What if an async exception is thrown after obtaining the lock and before finally? That's the thing with async exceptions, they can happen at any point.

[kderme]

I'm not sure if we should mask while waiting on a timeout. Let me check it..

[mrBliss]

This test is commented out

[kderme]

Yes, as I explain above the test This test succeeds, but may leave a forgotten lock to the file and this lock is only cleaned when all tests finish and the process dies. So probably we shouldn't include it?

[mrBliss]

Yes, as I explain above the test This test succeeds, but may leave a forgotten lock to the file and this lock is only cleaned when all tests finish and the process dies. So probably we shouldn't include it?

But now we are not even testing whether the locking actually works.

this lock is only cleaned when all tests finish and the process dies

That's fine, or what's wrong with that?

[kderme]

I tested flock from base, but I couldn't make it work properly. It just wouldn't lock the files effectively and I din't manage to get down to why exactly this happened. So I used the filelock package. Also I preferred to use a different file from the DBMarker, since filelock suggests against accessing the locked file for other purposes.

[mrBliss]

Suggested change

	-- avoid unresponsiveness to timeouts and ^C. So we use async and let a new
	-- avoid unresponsiveness to timeouts and ^C. So we use 'async' and let a new

[mrBliss]

Suggested change

	-- We shouldn't be tempted to use `withAsync`, which is usually mentioned
	-- We shouldn't be tempted to use 'withAsync', which is usually mentioned

[mrBliss]

Suggested change

	-- the whole point of using async. We try our best to clean resources, but
	-- the whole point of using 'async'. We try our best to clean up resources, but

[mrBliss]

This pattern match should be done in the acquisition of the lock so that we throw that exception in case of a timeout, instead of passing Nothing to the action, which ignores it. This also means that cleanup will be just unlockFile.

[kderme]

@mrBliss I'm not sure I understand. This pattern matches if we got a timeout or async returned succesfully. So it can't be performed by the async thread.

[mrBliss]

When waiting on the async that calls lockFile times out, Nothing is returned. This is Nothing is then passed to (\_ -> action) which ignores it. So even when we don't have the lock do we execute the action. After the action is done or when action throws an exception, we go to cleanup. cleanup then throws a DbLocked exception in case it got Nothing, which is too late, as we already executed the action.

What we should do is (untype-checked):

    createDirectoryIfMissing hasFS True root
    bracket acquireLock unLockFile (const action)
  where
    -- We want to avoid blocking ...
    acquireLock :: IO FileLock
    acquireLock = do
      lockFileAsync <- async (lockFile lockFilePath Exclusive)
      mbLock <- timeout (Time.secondsToDiffTime 2) $ wait lockFileAsync
      case mbLock of
        -- We timed out while waiting on the lock, the db is still locked
        Nothing   -> throwM $ DbLocked lockFilePath
        Just lock -> return lock

[kderme]

oh right, fixed

[mrBliss]

Suggested change

	-- before timeout. Some systems may delete the empty file when all its handles
	-- before timing out and throwing a 'DbLocked' exception. Some systems may delete the empty file when all its handles

[mrBliss]

Also I preferred to use a different file from the DBMarker, since filelock suggests against accessing the locked file for other purposes.

Yeah, I agree, that's a good reason.

[mrBliss]

(I have temporarily added the commits from #1851 to this branch to do a final check on Windows. I won't merge these commits, because building/testing everything on Windows is too slow because of the lack of caching.)

[mrBliss]

bors merge

[iohk-bors]

Build failed

• ci/hydra:Cardano:ouroboros-network:required

[mrBliss]

bors merge

[iohk-bors]

Build failed

• buildkite/ouroboros-network

[mrBliss]

bors merge

[iohk-bors]

Build failed

• buildkite/ouroboros-network

[edsko]

Nice, @kderme good work on the FFI analysis!

I also really like how the new property looks now.

[mrBliss]

bors merge

[iohk-bors]

Build succeeded

• ci/hydra:Cardano:ouroboros-network:required
• buildkite/ouroboros-network