client: Fix cache corruption on loadBefore and prefetch #169
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
CI: py36 failed with: uvloop failed with I believe both failures are unrelated to my patch. The other 12 jobs passed ok. |
jmuchemb
reviewed
Apr 14, 2021
src/ZEO/asyncio/client.py
Outdated
| """ | ||
|
|
||
| cbv = None |
There was a problem hiding this comment.
Isn't Fut() usually followed by a call to add_done_callback ?
Then I'd replace with:
def __init__(self):
self.cbv = []remove the if self.cbv is None: clause in add_done_callback, and the if self.cbv: lines in set_*.
There was a problem hiding this comment.
Good idea. Thanks for the advice.
jmuchemb
reviewed
Apr 14, 2021
| if data: | ||
| data, start, end = data | ||
| self.cache.store(oid, start, end, data) | ||
| yield self.protocol.load_before(oid, tid) |
There was a problem hiding this comment.
Oh I missed that, thanks.
Is is tested ? I'm not asking about the race, but maybe not doing this change would break prefetch. Or would it just become dead code (i.e. data always false) ?
There was a problem hiding this comment.
You are welcome, and yes - prefetech is tested:
Lines 1071 to 1113 in 3d90ed4
What is removed is just a duplicate of cache update that is now living in protocol.load_before. It seems to be it would not be a bug to leave cache.store here because it would only store into the cache what was just stored into the cache by protocol.load_before itself. The wakup here seems to be immediate after switching load_before from asyncio.Future to Fut, so there is seemingly no race window with invalidations. At least I could not make a data corruption with reintroducing this block back and injecting prefetches into my zloadrace.
Anyway, since prefech is just semantically "call loadBefore, but do not wait for it to complete", and load_before_threadsafe - that is serving loadBefore now is not doing cache update and delegates cache update to protocol.load_before, this change should be correct.
navytux
added a commit
to navytux/ZEO
that referenced
this pull request
Apr 15, 2021
Correct Fut implemntation according to review feedback: zopefoundation#169 (comment)
|
( CI failure is just with uvloop "RuntimeError: uvloop requires Python 3.7 or greater" and unrelated to my patch ) |
navytux
added a commit
to navytux/ZEO
that referenced
this pull request
Apr 16, 2021
…neric _new_storage_client() This allows ZODB tests to recognize ZEO as client-server storage and so make "load vs external invalidate" test added in zopefoundation/ZODB#345 to reproduce data corruption problem reported at zopefoundation#155. For the reference: that problem should be fixed by zopefoundation#169. We drop # It's hard to find the actual address. # The rpc mgr addr attribute is a list. Each element in the # list is a socket domain (AF_INET, AF_UNIX, etc.) and an # address. note because at the time it was added (81f586c) it came with addr = self._storage._rpc_mgr.addr[0][1] but nowdays after 0386718 getting to server address is just by ClientStorage._addr.
navytux
added a commit
to navytux/ZODB
that referenced
this pull request
Apr 16, 2021
For ZEO this data corruption bug was reported at zopefoundation/ZEO#155 and fixed at zopefoundation/ZEO#169. Without that fix the failure shows e.g. as follows when running ZEO test suite: Failure in test check_race_load_vs_external_invalidate (ZEO.tests.testZEO.BlobAdaptedFileStorageTests) Traceback (most recent call last): File "/usr/lib/python2.7/unittest/case.py", line 329, in run testMethod() File "/home/kirr/src/wendelin/z/ZODB/src/ZODB/tests/BasicStorage.py", line 621, in check_race_load_vs_external_invalidate self.fail([_ for _ in failure if _]) File "/usr/lib/python2.7/unittest/case.py", line 410, in fail raise self.failureException(msg) AssertionError: ['T1: obj1.value (7) != obj2.value (8)'] Even if added test is somewhat similar to check_race_loadopen_vs_local_invalidate, it is added anew without trying to unify code. The reason here is that the probability to catch load vs external invalidation race is significantly reduced when there are only 1 modify and 1 verify workers. The unification with preserving both tests semantic would make test for "load vs local invalidate" harder to follow. Sometimes a little copying is better than trying to unify too much. For the test to work, test infrastructure is amended with ._new_storage_client() method that complements ._storage attribute: client-server storages like ZEO, NEO and RelStorage allow several storage clients to be connected to single storage server. For client-server storages test subclasses should implement _new_storage_client to return new storage client that is connected to the same storage server self._storage is connected to. For ZEO ._new_storage_client() is added by zopefoundation/ZEO#170 Other client-server storages can follow to implement ._new_storage_client() and this way automatically activate this "load vs external invalidation" test when their testsuite is run. Contrary to test for "load vs local invalidate" N is set to lower value (100), because with 8 workers the bug is usually reproduced at not-so-high iteration number (5-10-20). /cc @d-maurer, @jamadden, @jmuchemb
|
This fix now comes with corresponding test: see zopefoundation/ZODB#345 (comment) and #170. |
d-maurer
approved these changes
Apr 20, 2021
There was a problem hiding this comment.
The proposed fix lets the Travis tests for #167 (which formerly reliably revealed a race condition problem) succeed. Thus, it apparently resolves at least that problem.
I suggest to add a change log entry to document the fix.
|
See "24f4bb7" to resolve the |
|
Thanks, @d-maurer. I've added the changelog entry as you suggests. Note, that this fix now has correposponding test that should be coming in via #170 and zopefoundation/ZODB#345. If ok, let's merge all this bits. |
|
(and good to have that uvloop problem now fixed) |
|
Kirill Smelkov wrote at 2021-4-20 04:26 -0700:
CI is ok modulo uvloop. But uvloop fix is coming in separately. ***@***.***, btw, maybe it makes sense to cherry-pick your "fix uvloop" patch to master without waiting for #167 to be merged first.)
I would not mind.
|
navytux
added a commit
that referenced
this pull request
Apr 20, 2021
…neric _new_storage_client() (#170) This allows ZODB tests to recognize ZEO as client-server storage and so make "load vs external invalidate" test added in zopefoundation/ZODB#345 to reproduce data corruption problem reported at #155. For the reference: that problem should be fixed by #169. We drop # It's hard to find the actual address. # The rpc mgr addr attribute is a list. Each element in the # list is a socket domain (AF_INET, AF_UNIX, etc.) and an # address. note because at the time it was added (81f586c) it came with addr = self._storage._rpc_mgr.addr[0][1] but nowdays after 0386718 getting to server address is just by ClientStorage._addr. /reviewed-on #170 /reviewed-by @d-maurer
Currently loadBefore and prefetch spawn async protocol.load_before task, and, after waking up on its completion, populate the cache with received data. But in between the time when protocol.load_before handler is run and the time when protocol.load_before caller wakes up, there is a window in which event loop might be running some other code, including the code that handles invalidateTransaction messages from the server. This means that cache updates and cache invalidations can be processed on the client not in the order that server sent it. And such difference in the order can lead to data corruption if e.g server sent <- loadBefore oid serial=tid1 next_serial=None <- invalidateTransaction tid2 oid and client processed it as invalidateTransaction tid2 oid cache.store(oid, tid1, next_serial=None) because here the end effect is that invalidation for oid@tid2 is not applied to the cache. The fix is simple: perform cache updates right after loadBefore reply is received. Fixes: zopefoundation#155 The fix is based on analysis and initial patch by @jmuchemb: zopefoundation#155 (comment) A tests corresponding to the fix is coming coming through zopefoundation#170 and zopefoundation/ZODB#345 For the reference, my original ZEO-specific data corruption reproducer is here: zopefoundation#155 (comment) https://lab.nexedi.com/kirr/wendelin.core/blob/ecd0e7f0/zloadrace5.py /cc @jamadden, @dataflake, @jimfulton /reviewed-by @jmuchemb, @d-maurer /reviewed-on zopefoundation#169
|
|
I believe it's time to merge this fix. |
navytux
added a commit
to navytux/ZODB
that referenced
this pull request
Apr 21, 2021
For ZEO this data corruption bug was reported at zopefoundation/ZEO#155 and fixed at zopefoundation/ZEO#169. Without that fix the failure shows e.g. as follows when running ZEO test suite: Failure in test check_race_load_vs_external_invalidate (ZEO.tests.testZEO.BlobAdaptedFileStorageTests) Traceback (most recent call last): File "/usr/lib/python2.7/unittest/case.py", line 329, in run testMethod() File "/home/kirr/src/wendelin/z/ZODB/src/ZODB/tests/BasicStorage.py", line 621, in check_race_load_vs_external_invalidate self.fail([_ for _ in failure if _]) File "/usr/lib/python2.7/unittest/case.py", line 410, in fail raise self.failureException(msg) AssertionError: ['T1: obj1.value (7) != obj2.value (8)'] Even if added test is somewhat similar to check_race_loadopen_vs_local_invalidate, it is added anew without trying to unify code. The reason here is that the probability to catch load vs external invalidation race is significantly reduced when there are only 1 modify and 1 verify workers. The unification with preserving both tests semantic would make test for "load vs local invalidate" harder to follow. Sometimes a little copying is better than trying to unify too much. For the test to work, test infrastructure is amended with ._new_storage_client() method that complements ._storage attribute: client-server storages like ZEO, NEO and RelStorage allow several storage clients to be connected to single storage server. For client-server storages test subclasses should implement _new_storage_client to return new storage client that is connected to the same storage server self._storage is connected to. For ZEO ._new_storage_client() is added by zopefoundation/ZEO#170 Other client-server storages can follow to implement ._new_storage_client() and this way automatically activate this "load vs external invalidation" test when their testsuite is run. Contrary to test for "load vs local invalidate" N is set to lower value (100), because with 8 workers the bug is usually reproduced at not-so-high iteration number (5-10-20). /cc @d-maurer, @jamadden, @jmuchemb /reviewed-on zopefoundation#345
navytux
added a commit
to zopefoundation/ZODB
that referenced
this pull request
Apr 21, 2021
For ZEO this data corruption bug was reported at zopefoundation/ZEO#155 and fixed at zopefoundation/ZEO#169. Without that fix the failure shows e.g. as follows when running ZEO test suite: Failure in test check_race_load_vs_external_invalidate (ZEO.tests.testZEO.BlobAdaptedFileStorageTests) Traceback (most recent call last): File "/usr/lib/python2.7/unittest/case.py", line 329, in run testMethod() File "/home/kirr/src/wendelin/z/ZODB/src/ZODB/tests/BasicStorage.py", line 621, in check_race_load_vs_external_invalidate self.fail([_ for _ in failure if _]) File "/usr/lib/python2.7/unittest/case.py", line 410, in fail raise self.failureException(msg) AssertionError: ['T1: obj1.value (7) != obj2.value (8)'] Even if added test is somewhat similar to check_race_loadopen_vs_local_invalidate, it is added anew without trying to unify code. The reason here is that the probability to catch load vs external invalidation race is significantly reduced when there are only 1 modify and 1 verify workers. The unification with preserving both tests semantic would make test for "load vs local invalidate" harder to follow. Sometimes a little copying is better than trying to unify too much. For the test to work, test infrastructure is amended with ._new_storage_client() method that complements ._storage attribute: client-server storages like ZEO, NEO and RelStorage allow several storage clients to be connected to single storage server. For client-server storages test subclasses should implement _new_storage_client to return new storage client that is connected to the same storage server self._storage is connected to. For ZEO ._new_storage_client() is added by zopefoundation/ZEO#170 Other client-server storages can follow to implement ._new_storage_client() and this way automatically activate this "load vs external invalidation" test when their testsuite is run. Contrary to test for "load vs local invalidate" N is set to lower value (100), because with 8 workers the bug is usually reproduced at not-so-high iteration number (5-10-20). /cc @d-maurer, @jamadden, @jmuchemb /reviewed-on #345
|
This patch fixes data corruption. It was merged to master almost 4 months ago. Can we please make a new ZEO release to get this fix available out of the box? Thanks beforehand, /cc @jamadden, @icemac, @dataflake, @jugmac00 |
|
I'll create a release |
|
Thanks, @dataflake. |
|
ZEO 5.2.4 is now published |
|
oops, 5.2.3 I meant |
|
@dataflake, thanks again. I appreciate your help. |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently loadBefore and prefetch spawn async protocol.load_before task,
and, after waking up on its completion, populate the cache with received
data. But in between the time when protocol.load_before handler is run
and the time when protocol.load_before caller wakes up, there is a
window in which event loop might be running some other code, including
the code that handles invalidateTransaction messages from the server.
This means that cache updates and cache invalidations can be processed on
the client not in the order that server sent it. And such difference in
the order can lead to data corruption if e.g server sent
and client processed it as
because here the end effect is that invalidation for oid@tid2 is not
applied to the cache.
The fix is simple: perform cache updates right after loadBefore reply is
received.
Fixes: #155
The fix is based on analysis and initial patch by @jmuchemb:
#155 (comment)
For tests, similarly to zopefoundation/ZODB#345,I wanted to include a general test for this issue into ZODB, so that all
storages - not just ZEO - are exercised for this race scenario. However
in ZODB test infrastructure there is currently no established general
way to open several client storage connections to one storage server.
This way the test for this issue currently lives in wendelin.core
repository (and exercises both NEO and ZEO there):
https://lab.nexedi.com/nexedi/wendelin.core/commit/c37a989dI understand there is a room for improvement. For the reference, myoriginal ZEO-specific data corruption reproducer is here:
#155 (comment)https://lab.nexedi.com/kirr/wendelin.core/blob/ecd0e7f0/zloadrace5.py
EDIT: this fix now has corresponding test that should be coming in via #170 and zopefoundation/ZODB#345.
/cc @d-maurer, @jamadden, @dataflake, @jimfulton