Stale cleanup race condition #252
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Refactor of `S3::FileRepository` to avoid several closely-related race conditions: - prevent `get_factory()` from yielding a factory that was mid-deletion by the stale watcher, which could cause the plugin crash due to the file no longer existing on disk. This is solved by marking a factory's prefix wrapper as deleted while the stale watcher has exclusive access to it, and checking for deletion status before yielding exclusive access to a prefix wrapper's factory. - eliminates `get_factory()`'s non-atomic `Concurrent::Map#fetch_or_store`, which could cause multiple factories to be created for a single prefix, only one of which would be retained and bytes written to the other(s) would be lost. - introduce `each_factory`, which _avoids_ creating new factories or yielding deleted ones. - refactor `each_files` to use new `each_factory` to avoid yielding files whose factories have been deleted. Additionally, `S3#rotate_if_needed` was migrated to use the now-safer `S3::FileRepository#each_factory` that _avoids_ initializing new factories (and therefore avoids creating empty files on disk after the existing ones had been stale-reaped).
mashhurs
reviewed
Dec 22, 2022
| # for stale detection, marking it as deleted before releasing the lock | ||
| # and causing it to become deleted from the map. | ||
| prefixed_factory.with_lock do |_| | ||
| if prefixed_factory.stale? |
There was a problem hiding this comment.
we are trying to lock the prefixed_factory in stale? as well, isn't deadlock?
There was a problem hiding this comment.
We already have the (reentrant) lock, so incrementing our holds on it briefly won't ever have lock contention.
mashhurs
reviewed
Dec 22, 2022
| prefixed_factory.with_lock do |_| | ||
| if prefixed_factory.stale? | ||
| prefixed_factory.delete! # mark deleted to prevent reuse | ||
| nil # cause deletion |
There was a problem hiding this comment.
Can I know what is the purpose of returning value?
There was a problem hiding this comment.
It is a part of the Concurrent::Map#compute_if_present contract; the result of the block will be stored, or if nil will cause the value to be deleted.
| prefix_val&.with_lock do |factory| | ||
| # intentional local-jump to ensure deletion detection | ||
| # is done inside the exclusive access. | ||
| return yield(factory) unless prefix_val.deleted? |
There was a problem hiding this comment.
I was thinking to use global lock for the works case but I think this is better approach and eliminates the scenario you mentioned. Thanks!
yaauie
added a commit
to yaauie/logstash-integration-aws
that referenced
this pull request
Dec 23, 2022
This is largely a forward-port of logstash-plugins/logstash-output-s3#252 with some minor changes to deal with the integrated plugin's usage of the java-native `ConcurrentHashMap` in place of the stand-alone plugin's ruby-native `Concurrent::Map`. Refactor of `S3::FileRepository` to avoid several closely-related race conditions: - prevent `get_factory()` from yielding a factory that was mid-deletion by the stale watcher, which could cause the plugin crash due to the file no longer existing on disk. This is solved by marking a factory's prefix wrapper as deleted while the stale watcher has exclusive access to it, and checking for deletion status before yielding exclusive access to a prefix wrapper's factory. - introduce `each_factory`, which _avoids_ creating new factories or yielding deleted ones. - refactor `each_files` to use new `each_factory` to avoid yielding files whose factories have been deleted. - void-return methods now explicitly emit `nil` to prevent accidental leaks of synchronization-required resources. Additionally, `S3#rotate_if_needed` was migrated to use the now-safer `S3::FileRepository#each_factory` that _avoids_ initializing new factories (and therefore avoids creating empty files on disk after the existing ones had been stale-reaped).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Alternative to #251 that catches an additional race-condition
Concurrent::Map#fetch_or_storewith atomicConcurrent::Map#computeIfAbsent)FileRepository::PrefixedValueas deleted while we have exclusive access to it, and avoid using a marked-deletedFileRepository::PrefixedValuethroughout)FileRepository::PrefixedValue#with_lockuse reentrantMonitor)This will need to be forward-ported to the integrated version of this plugin ->
logstash-integration-aws