concurrency: mark some unreplicated locks as ineligible for export

[stevendanna]

Once a lock has been reported as missing via QueryIntent, it is
important that it stays missing. As described in #145458, if a lock
that has been previously reported as missing is somehow then found via
a subsequent QueryIntent request, this can result in a transaction
being erroneously committed by the transaction recovery process.

When unreplicated lock reliability is enabled, Lease and Merge use
ExportUnreplicatedLocks to move unreplicated locks from the lock table
into durable storage. However, these locks may include unreplicated
locks that "cover" a replicated lock that was previously reported as
missing, exactly what we must avoid.

Here, we solve that by extending QueryIntent's evaluation to mark any
locks it reports as missing as ineligible for export.

Fixes #145458

Release note: None

[cockroach-teamcity]

This change is 

[stevendanna]

@miraradeva @arulajmani I think we are leaning away from this towards a more fundamental fix. But, I figured I'd put this up in a slightly cleaner form just so we could consider it since, I think something like this might still be required along some of the implementation paths we've discussed.

[stevendanna]

Fixed up the race condition in the test here.

[miraradeva]

Looks good to me overall. But I wonder if it's possible for the marking-as-ineligible mechanism to race with the lock-export mechanism. E.g. QueryIntent finds a missing intent and is just about to mark the lock in the lock table, while a lease transfer kicks off a lock export. If it's not possible, we should mention it somewhere.

Reviewed 2 of 2 files at r1, 8 of 8 files at r2, 1 of 1 files at r3, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @arulajmani)

---

-- commits line 42 at r3:
I assume you'll squash this commit into one of the previous ones?

---

pkg/kv/kvserver/batcheval/cmd_query_intent.go line 162 at r3 (raw file):

	res := result.Result{}
	if !reply.FoundIntent && args.ErrorIfMissing {
		l := roachpb.MakeLockAcquisition(args.Txn, args.Key, lock.Replicated, args.Strength, args.IgnoredSeqNums)

It's a bit unintuitive why we're returning a replicated lock acquisition here, given that we'll use this response to mark unreplicated locks in the lock table. Wouldn't it make more sense for this acquisition to be lock.Intent?

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4791 at r2 (raw file):

				return err
			case 2:
				// My our second retry, txrecovery should have correctly aborted this

nit: "On our second retry ..."

---

pkg/kv/kvserver/concurrency/concurrency_control.go line 706 at r2 (raw file):

	// MarkIneligibleForExport marks any locks held by this transaction on the
	// same key at greater or equal strength as ineligible for exported from the

nit: "ineligible for export"

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4707 at r1 (raw file):

						getReq, ok := fArgs.Req.Requests[0].GetInner().(*kvpb.GetRequest)
						// Only fail replication on the first retry.
						if ok && getReq.KeyLockingDurability == lock.Replicated && retryNum.Load() == 1 {

Is there a reason we need to keep track of these retries separately? Wouldn't the txn epoch tell us that?

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4733 at r1 (raw file):

		tc.TransferRangeLeaseOrFatal(t, desc, tc.Target(idx))
	}
	// Make a db with transaction heartbeating disabled. This ensures that we

Is it important that heartbeating is disabled only for this db? If it was ok to disable it in general, we could just do this, right?

kvcoord.TxnHeartbeatInterval.Override(ctx, &s.ClusterSettings().SV, -1)

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4786 at r1 (raw file):

				err = txn.Commit(ctx)
				require.Error(t, err)
				//require.ErrorContains(t, err, "IntentMissingError")

Seems like we should be able to uncomment this?

[stevendanna]

But I wonder if it's possible for the marking-as-ineligible mechanism to race with the lock-export mechanism. E.g. QueryIntent finds a missing intent and is just about to mark the lock in the lock table, while a lease transfer kicks off a lock export. If it's not possible, we should mention it somewhere.

Good question. What I think makes this safe is that both a lease transfer and subsume acquire non-MVCC write latches over the entire range's span, so when they run they really are running alone.

I wonder if we could even assert that this is the case somewhere?

[miraradeva]

But I wonder if it's possible for the marking-as-ineligible mechanism to race with the lock-export mechanism. E.g. QueryIntent finds a missing intent and is just about to mark the lock in the lock table, while a lease transfer kicks off a lock export. If it's not possible, we should mention it somewhere.

Good question. What I think makes this safe is that both a lease transfer and subsume acquire non-MVCC write latches over the entire range's span, so when they run they really are running alone.

I wonder if we could even assert that this is the case somewhere?

Yeah, I see. And QueryIntent, which kicks off the marking-as-ineligible mechanism, declares non-MVCC keys on the intents it's querying. It seems safe.

[stevendanna]

TFTR!

Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @arulajmani and @miraradeva)

---

-- commits line 42 at r3:

Previously, miraradeva (Mira Radeva) wrote…

I assume you'll squash this commit into one of the previous ones?

Yeah, I'll squash everything into a single commit after review.

---

pkg/kv/kvserver/batcheval/cmd_query_intent.go line 162 at r3 (raw file):

Previously, miraradeva (Mira Radeva) wrote…

It's a bit unintuitive why we're returning a replicated lock acquisition here, given that we'll use this response to mark unreplicated locks in the lock table. Wouldn't it make more sense for this acquisition to be lock.Intent?

This represents the missing lock which only could have been replicated. The missing lock might not be an intent, it could be a shared or exclusive lock as well.

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4707 at r1 (raw file):

Previously, miraradeva (Mira Radeva) wrote…

Is there a reason we need to keep track of these retries separately? Wouldn't the txn epoch tell us that?

Good call. Done. I think this was probably originally done because when the txn gets correctly aborted then on retry you are actually on a new txn, but this easily detected via the changed txnID.

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4733 at r1 (raw file):

Previously, miraradeva (Mira Radeva) wrote…

Is it important that heartbeating is disabled only for this db? If it was ok to disable it in general, we could just do this, right?

kvcoord.TxnHeartbeatInterval.Override(ctx, &s.ClusterSettings().SV, -1)

I suppose without heartbeating gnerally, if this test ends up running for a long time somehow, some internal transactions could be aborted. Everything should handle that correctly (since it can presumably happen in production) but it could cause log noise that would complicated debugging.

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4786 at r1 (raw file):

Previously, miraradeva (Mira Radeva) wrote…

Seems like we should be able to uncomment this?

Done.

[miraradeva]

Reviewed 3 of 3 files at r4, 1 of 1 files at r5, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @arulajmani and @stevendanna)

---

pkg/kv/kvserver/batcheval/cmd_query_intent.go line 162 at r3 (raw file):

Previously, stevendanna (Steven Danna) wrote…

This represents the missing lock which only could have been replicated. The missing lock might not be an intent, it could be a shared or exclusive lock as well.

Got it.

---

pkg/kv/kvclient/kvcoord/dist_sender_server_test.go line 4733 at r1 (raw file):

Previously, stevendanna (Steven Danna) wrote…

I suppose without heartbeating gnerally, if this test ends up running for a long time somehow, some internal transactions could be aborted. Everything should handle that correctly (since it can presumably happen in production) but it could cause log noise that would complicated debugging.

Makes sense.

[stevendanna]

@arulajmani Not sure if you wanted a second look at this. But I'll probably merge this after a rebase tomorrow. If you do spot any follow-ups post merge, let me know.

[stevendanna]

bors r=miraradeva

[craig]

Build failed:

• local_roachtest

[stevendanna]

The extended CI failure is: #148582
The roachtest failure is: #148586

bors retry

[craig]

Build failed:

• local_roachtest

[stevendanna]

The universe doesn't want this fix. And in some sense, the universe is correct.

Internal build system failure:

ERROR: The Build Event Protocol upload failed: All 8 retry attempts failed. INTERNAL: INTERNAL: Invocation [tenant_name=default invocation_id=751d3de7-b36f-4ac8-a48e-b5bd813ea02d]: failed to write batch 1

bors retry

[craig]

Build succeeded:

• unit_tests
• lint
• acceptance
• examples_orms
• linux_amd64_fips_build
• local_roachtest_fips
• linux_amd64_build
• docker_image_amd64
• local_roachtest
• check_generated_code