Support out of band dumping of unrooted slots in AccountsDb

[carllin]

Problem

Follow-up to #17319.

Bad versions of duplicate blocks can be replayed, and thus need to be cleared from Accounts state before replaying the good version.

Summary of Changes

Support safe block dumping by:

1. Making sure cache flushes for the same block are not happening concurrently via the RemoveUnrootedSlots synchronization mechanism which keeps a list of slots being flushed from cache OR being removed by this new dumping path. This dumping path blocks until a flush is completed, whereas the cache flushing path will ignore requests to flush slots that are currently/about to be dumped.
2. Removing the slot completely from both the AccountsIndex and removing the storage entries by calling purge_slots_from_cache_and_store().

Follow-up PR:
Notifying relevant scans that their results may be outdated, and abort those results, noted here:

solana/runtime/src/accounts_db.rs

Line 3411 in 3d0cacc

// TODO: This is currently unsafe with scan because it can remove a slot in the middle

Fixes #

[codecov]

Codecov Report

Merging #17269 (f421084) into master (a0d721c) will decrease coverage by 0.0%.
The diff coverage is 76.2%.

@@            Coverage Diff            @@
##           master   #17269     +/-   ##
=========================================
- Coverage    82.7%    82.7%   -0.1%     
=========================================
  Files         428      430      +2     
  Lines      119963   120568    +605     
=========================================
+ Hits        99324    99796    +472     
- Misses      20639    20772    +133     

[jeffwashington]

What is your plan for this now? Does this unsafeness exist today and you're just calling it out here or does this PR add this unsafeness? Is the unsafeness worth whatever this is fixing? I'm missing some context.
I'm confused with 'currently'. Prior to your change, in master? Or, 'currently' because of your change?

I should have read the comment above better before commenting ;-) It was unsafe. It is still unsafe. Nothing to see here!

[carllin]

Yeah, this unsafeness does exist today, but luckily this function isn't called anywhere by the validator 😃

Yeah it's definitely worth fixing, and is addressed in this next PR here: #17471, a peek into the future if you will 👀

[brooksprumo]

OK! I made it through!

I'm still not at a point where I understand all the uses and places when flushes/purges/cleans/removals happen, so I'm not sure if there are other designs that would also work here. But this design looks good to me.

I had one question about a variable copy, but that's it. I can give an Approve after that's resolved.

Also, nice test; pretty gnarly!

[lijunwangs]

Just some questions.

[lijunwangs]

In the beginning of the loop, contended_cache_flush_slots contains the slots only found in contended_slots.
When it wakes up, how come the slot in contended_cache_flush_slots is not found in contended_slots? Who removes it? If the flush thread is removing it, then would not we risk on spinning on the same slots here if adding it back? Or am I missing something?

[carllin]

@lijunwangs,

When it wakes up, how come the slot in contended_cache_flush_slots is not found in contended_slots

The signal.wait(contended_slots).unwrap() above releases the contended_slots and then regrabs and returns the locked list when the condition variable gets a signal, see documentation here: https://doc.rust-lang.org/std/sync/struct.Condvar.html#method.wait. So in the meantime, the flush thread may have finished flushing and removed it from the list.

When it wakes up, how come the slot in contended_cache_flush_slots is not found in contended_slots

So the flush thread is the thread removing the slots from contended_slots, which is the shared variable under the lock.

The contended_cache_flush_slots is a local snapshot of the slots in contended_slots at the time we checked it at the beginning of the function, and is never added to again after we filter from it, so it's always shrinking after each iteration of the retain above. We only add a slot to the contended_slots throughcontended_slots.insert(*flushing_slot) after we've confirmed the retain will remove the slot because !is_being_flushed is true.

[lijunwangs]

Thanks explaining. Still have a question. In line 3445, contended_cache_flush_slots only has the slots which is in the also in contended_slots. Doesn't line 3471 re-add it again?

[carllin]

ha yeah it does, I don't think it's strictly necessary, but I wanted to uphold the invariant that any slot that is either undergoing flush or remove_unrooted_slots are both present in contended_slots, so we always have the working set of slots observable by any thread.

[lijunwangs]

This might be racy. In the above section lock was taken on slots_under_contention, and then dropped. Cannot the other thread running remove_unrooted_slots goes in and actually purge it?

[carllin]

so we held the lock until we inserted here: remove_unrooted_slots.insert(slot);, then we dropped the lock.

The thread running the remove_unrooted_slots() function will block/be stuck looping on the condition variable until this flush thread removes the slot from the contended_slots list: https://github.com/solana-labs/solana/pull/17269/files#diff-1090394420d51617f3233275c2b65ed706b35b53b115fe65f82c682af8134a6fR3468

[lijunwangs]

Got it. Maybe rename let mut remove_unrooted_slots to let mut slots_under_contention make it more clear.

[carllin]

yup, will do!

[lijunwangs]

Looks good to me. Thanks for answering my questions.

[brooksprumo]

Looks good! I think the doc comment updates would help future-Brooks too!

[brooksprumo]

Maybe some doc comment like this?

Suggested change

	/// Removing unrooted slots in Accounts Background Service needs to be synchronized with flushing slots from the Accounts Cache. This keeps track of those slots and the Mutex + Condvar for synchronization.

[carllin]

Updated, thanks!

[brooksprumo]

I love the comments. Could they be /// instead?

[carllin]

done!

Pull request has been modified.

[jeffwashington]

lgtm

[ryoqun]

nits:

assert!(rooted_slots.is_empty(), "Trying to remove accounts for rooted slots {:?}", rooted_slots);

[ryoqun]

maybe, this condition needs to be flipped?

i mean, we need to retain() elements of contended_cache_flush_slots which have yet to be flushed (i.e. is_being_flushed to re-evaluate its .empty()-ness later in this loop; slots that are still contain()-ed in contended_slots (and will be remove()-ed by the flusher thread later)?

[carllin]

Yeah, you're right, great catch.

It's bad the test didn't catch this, I'll have to fix that up as well to be more robust

[carllin]

So the test didn't catch this because the remove_unrooted_slots() thread will not wake up from waiting on the condition variable, until the flush thread has finished flushing and removed the slot from the contended slots, at which point the remove_unrooted_slots() thread will itself add the slot to the contended slots list, and then exit on the next iteration of the loop.

Updated the test to have an extra thread that simulates spurious wake up calls on the condition variable and the test now fails appropriately

[ryoqun]

perfect. :)

[ryoqun]

this exclusive control-flow logic assumes same (detected as duplicate) remove_slot won't be ever given to remove_unrooted_slots() from multiple replayingstage threads. Is this correct assumption? Maybe replayingstage always process a slot at each time? How about commenting about the underlying assumption somewhere?

[carllin]

Yeah, there is only one replay thread, and one version of the remove_slot needs to be removed before the next version can be replayed. Added a comment!

[ryoqun]

nit: how about this naming?:

remaining_contended_flush_slots.retain(|flush_slot|

• remaining_ is added to better describe this variable is retained() iteratively until .is_empty().
• flush_slot is used to be consistent with remove_slot for english grammar.

[ryoqun]

nits: rename to is_being_flushed to be consistent with https://github.com/solana-labs/solana/pull/17269/files#r641874795 (let is_being_flushed = contended_slots.contains(flushing_slot);) and better contrast with is_being_purged, too :)

imo, semantically same expression should result in same name unless there is good reason (like state transition between the occurences). In this case, I think its usage is same for both occurrences in that it's used to reserve slot with contended_slots for removal.

[ryoqun]

nits: rename to currently_contended_slots to indicate volatility or mutation of this variable via CondVar?

[ryoqun]

fyi, our first usage of Condvar in the codebase. :)

[jeffwashington]

I know. I keep running into situations where this has almost been the piece I needed. Glad to know it is there.

Pull request has been modified.

[ryoqun]

💯

[ryoqun]

lgtm; nice solid work!

I like the logically chunked series of prs towards the duplicate slot implementation. :)

Pull request has been modified.

[carllin]

lgtm; nice solid work!

I like the logically chunked series of prs towards the duplicate slot implementation. :)

Thanks for the review!