compute,storage: avoid lost wakeups when stepping timely

[benesch]

This is an alternative to #13972 that avoids hardcoding the 1s timeout.
As described there:

This addresses a race that appears in storaged where the LocalClient
will wake worker threads that have inbound messages to read, but the
wake-ups are (or appear to be) eaten by various non-Timely sleepy
moments in the code. If these wake-ups are quietly eaten, and then
Timely is entered with a None timeout and nothing to do, it will
sleep forever.

Would close #13972 if merged.

Motivation

• This PR fixes a recognized bug.

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered.

• This PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way) and therefore is tagged with a T-protobuf label.

• This PR includes the following user-facing behavior changes:

  • n/a

[frankmcsherry]

Looks good to me, especially if you also don't see the hangs. I tried something similar, putting the command draining (but not processing) right before the timely step and it still hung. I'm testing this now in case you haven't, and will report back!

[frankmcsherry]

Just passed the tests that were consistently failing for me, so seems good from my point of view.

[benesch]

I finally know exactly what's going on. Here's what happens when the hang occurs:

1. The storaged process starts a worker, which blocks on self.client_rx.recv(). This calls std::thread::park internally.
2. The controller initiates a connection to the storaged process.
3. The controller sends StorageCommand::IngestSources([]), StorageCommand::ExportSinks([]), StorageCommand::InitializationComplete, and StorageCommand::IngestSources([<SOURCE>]).
4. The connection from the controller arrives at the gRPC server.
5. The gRPC server builds a new LocalClient for the storaged worker. It sends the receiver for this client to the worker. Sending on the channel triggers a call to Thread::unpark.
6. The gRPC server sends the four storage commands over the LocalClient because they are immediately available. This triggers four calls to Thread::unpark which are no-ops, because the worker thread has already been unparked.
7. The worker, which was parked inside of self.client_rx.recv(), wakes up and calls self.run_client. This performs reconciliation (which is a no-op) and then calls into self.timely_worker.step_or_park(None).
8. Timely sees that there is nothing to do and parks.
9. The park lasts forever, because the unpark token was consumed by self.client_rx.recv().

This fits the fact pattern perfectly:

• We didn't see this issue before storage: factor out initialization of storage hosts #13924 because the order in which commands appeared hid the problem. The controller would send StorageCommand::IngestSources([<SOURCE>]), StorageCommand::ExportSinks([]), StorageCommand::InitializationComplete. So the source would get installed during reconciliation, which happened unconditionally. By the time we got to the first call to self.timely_worker.step_or_park, there was work to do, so timely wouldn't park.
• This hazard has only existed for about two weeks (storage,compute: rethink reconciliation [PART 1] #13680), when we introduced Worker::client_rx. Before that, worker threads never called recv on a crossbeam channel, so there was nothing besides that would consume the unpark tokens.

I'm now 100% on this being the right fix. Since there are things besides Timely that can consume unpark tokens, we need to check that the unpark condition is false before we allow Timely to park. This approach should be robust against other things that might park in the future, like calls to tokio::runtime::Handle::block_on in dataflow construction.

[benesch]

Edited this PR to adjust the code comment for the new understanding of the issue, and marked for automerge!