Row cache updates do not provide strong exception safety guarantees #15576

bhalevy · 2023-09-28T05:39:08Z

The row_cache update path uses an external_updater class with two api functions: prepare and execute.
The current design calls for:

prepare to create only temporary state, so if it fails, the failure is handled gracefully and the error is propagated to row_cache::update caller leaving no state changes behind (to the row cache nor to the updated table).
execute role is to apply the temporary state prepare left behind.

Currently (as of 5.4-dev 652153c), we let errors from execute escape row_cache::update, but there is no guarantee that the execute implementation provides strong exception safety gurantees, i.e. either succeed in whole or be exception safe leaving the state unchanged in case an exception is thrown.

See

scylladb/row_cache.hh

Lines 172 to 182 in 6d34f99

    
           // A function which adds new writes to the underlying mutation source. 
        
           // All invocations of external_updater on given cache instance are serialized internally. 
        
           // Must have strong exception guarantees. If throws, the underlying mutation source 
        
           // must be left in the state in which it was before the call. 
        
           class external_updater_impl { 
        
           public: 
        
               virtual ~external_updater_impl() {} 
        
               virtual future<> prepare() { return make_ready_future<>(); } 
        
               // FIXME: make execute() noexcept, that will require every updater to make execution exception safe, 
        
               // also change function signature. 
        
               virtual void execute() = 0;

See also #13937 (comment)

The text was updated successfully, but these errors were encountered:

…y Halevy Currently the cache updaters aren't exception safe yet they are intended to be. Instead of allowing exceptions from `external_updater::execute` escape `row_cache::update`, abort using `on_fatal_internal_error`. Future changes should harden all `execute` implementations to effectively make them `noexcept`, then the pure virtual definition can be made `noexcept` to cement that. Fixes #15576 Closes #15577 * github.com:scylladb/scylladb: row_cache: abort on exteral_updater::execute errors row_cache: do_update: simplify _prev_snapshot_pos setup

bhalevy · 2023-10-31T11:11:58Z

Backport should be applicable to all live versions

bhalevy · 2023-11-28T08:57:29Z

@scylladb/scylla-maint please backport

denesb · 2023-11-29T08:11:08Z

There are conflicts, please provide backport PRs. Actually, a single PR against branch-5.4 should be enough, I can try to cherr-pick that backport to the older branches too.

…y Halevy Currently the cache updaters aren't exception safe yet they are intended to be. Instead of allowing exceptions from `external_updater::execute` escape `row_cache::update`, abort using `on_fatal_internal_error`. Future changes should harden all `execute` implementations to effectively make them `noexcept`, then the pure virtual definition can be made `noexcept` to cement that. \Fixes scylladb#15576 \Closes scylladb#15577 * github.com:scylladb/scylladb: row_cache: abort on exteral_updater::execute errors row_cache: do_update: simplify _prev_snapshot_pos setup (cherry picked from commit 4a0f164)

…y Halevy Currently the cache updaters aren't exception safe yet they are intended to be. Instead of allowing exceptions from `external_updater::execute` escape `row_cache::update`, abort using `on_fatal_internal_error`. Future changes should harden all `execute` implementations to effectively make them `noexcept`, then the pure virtual definition can be made `noexcept` to cement that. \Fixes #15576 \Closes #15577 * github.com:scylladb/scylladb: row_cache: abort on exteral_updater::execute errors row_cache: do_update: simplify _prev_snapshot_pos setup (cherry picked from commit 4a0f164) Closes #16256

denesb · 2023-12-07T07:19:33Z

The 5.4 backport PR was good for 5.2 but it doesn't apply to 5.1.

mykaul · 2023-12-07T07:30:40Z

The 5.4 backport PR was good for 5.2 but it doesn't apply to 5.1.

Once 5.4 is released, we only support it and 5.2. There's no need for a 5.1 backport.

denesb · 2023-12-07T09:52:10Z

@bhalevy please provide a backport for enterprise, if needed.

bhalevy self-assigned this Sep 28, 2023

bhalevy mentioned this issue Sep 28, 2023

row_cache: abort on exteral_updater::execute errors #15577

Merged

scylladb-promoter closed this as completed in bec4894 Oct 31, 2023

scylladb-promoter added the Backport candidate label Oct 31, 2023

mykaul added backport/5.2 Issues that should be backported to 5.2 branch once they'll be fixed Requires-Backport-to-5.1 backport/5.4 Issues that should be backported to 5.4 branch once they'll be fixed labels Oct 31, 2023

bhalevy mentioned this issue Dec 1, 2023

[Backport 5.4] row cache: do_update: abort on execute error #16256

Closed

denesb removed backport/5.2 Issues that should be backported to 5.2 branch once they'll be fixed backport/5.4 Issues that should be backported to 5.4 branch once they'll be fixed labels Dec 7, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Row cache updates do not provide strong exception safety guarantees #15576

Row cache updates do not provide strong exception safety guarantees #15576

bhalevy commented Sep 28, 2023 •

edited

bhalevy commented Oct 31, 2023

bhalevy commented Nov 28, 2023

denesb commented Nov 29, 2023

denesb commented Dec 7, 2023

mykaul commented Dec 7, 2023 •

edited

denesb commented Dec 7, 2023

Row cache updates do not provide strong exception safety guarantees #15576

Row cache updates do not provide strong exception safety guarantees #15576

Comments

bhalevy commented Sep 28, 2023 • edited

bhalevy commented Oct 31, 2023

bhalevy commented Nov 28, 2023

denesb commented Nov 29, 2023

denesb commented Dec 7, 2023

mykaul commented Dec 7, 2023 • edited

denesb commented Dec 7, 2023

bhalevy commented Sep 28, 2023 •

edited

mykaul commented Dec 7, 2023 •

edited