KAFKA-5886: Introduce delivery.timeout.ms producer config (KIP-91)

[yuyang08]

This change is based on @sutambe 's change #3849 earlier.

primary changes in this pr:

1. In RecordAccumulator.java, use inFlightBatches to track the in-flight batches, instead of using soonToExpireInFlightsBatches to only track the soon-to-expire batches. With this change, in RecordAccumulator.expiredBatches, we check both inFlightBatches and batches to find the expired batches.

2. Fixed the test failures in SenderTest.java and RecordAccumulatorTest.java.

[yuyang08]

@apurvam, @becketqin, @guozhangwang, @ijuma could you help to review this change?

[guozhangwang]

Thanks @yuyang08 , we will take a look at this PR asap.

[yuyang08]

@guozhangwang , @ijuma , @apurvam , @becketqin friendly ping ... your feedback will help us to iterate faster

[hachikuji]

Left a few initial comments. Still making my way through the full PR.

[hachikuji]

This check is a little weird to me. It seems arbitrary to check only lingerMs in the case of overflow. Wouldn't it make more sense to use Integer.MAX_VALUE?

[yuyang08]

updated the sanity checking logic. changed lingerMs and deliveryTimeoutMs to integer type. with that, we convert them to long for addition and do not need to worry about the overflow.

[hachikuji]

I'm wondering if we should set this value automatically if the value is not overridden. It would be annoying to get this config error after an upgrade if I have overridden the request timeout. Maybe we could use the max of the default delivery timeout and the sum of requestTimeoutMs and lingerMs?

[yuyang08]

my concern is that setting the value automatically may hide some issues from the user, and it also requires more explanation. It might be better to keep it simple. The issue that the users can run into an upgrade is that they override requestTimeoutMs with a large value, and that violates the required variant deliveryTimeout > requestTimeoutMs + lingerMs. In that case, the user will be notify the error during producer initialization, and it shall not take much effort to fix it.

[hachikuji]

Yeah, I appreciate the concern. However, there is already some precedent for redefining defaults based on provided configurations. For example, when idempotence is enabled, we override retries if it has not been explicitly provided by the user. We log an info message so that the user knows the default has been adjusted.

In general, I think we should try to avoid compatibility issues even in configuration as long as it is safe to do so. By using a larger request timeout, the user has already declared willingness to await for the request timeout to receive a produce acknowledgement, so redefining the default delivery timeout seems reasonable and saves an annoying config update.

[ijuma]

A reason for the error is that a longer request timeout is not unlikely to have been done as a workaround for the issue that delivery timeout is fixing. So, it might provide the user with an opportunity to fix that. A warning might be a less heavy handed way to achieve this though.

[yuyang08]

updated the change to use requestTimeoutMs + lingerMs if it is larger than deliveryTimeoutMs setting, and log a warning message.

[hachikuji]

The latter half here may not be very clear to users since it's a bit low level. Is there actually a lower bound for the timeout or can it be arbitrarily small depending on how long the batch remains open?

[yuyang08]

updated the doc string on the lower bound explanation.

[hachikuji]

Can you mention this default change in the upgrade notes?

[yuyang08]

updated the upgrade doc on this.

[hachikuji]

Maybe helpful to mention the baseOffset in this message?

[yuyang08]

added baseOffset info in the log message

[hachikuji]

nit: this is unused

[yuyang08]

removed

[hachikuji]

Can we explain in this comment why we use this order? Intuitively, I would expect that we'd expire the oldest stuff first so that the callbacks are invoked in the order of sending.

[yuyang08]

this is a comment that was in #3849. updated the comment.

[hachikuji]

Hmm.. Shouldn't we be expiring the batch in the else case? Otherwise it seems like we may lose track of the batch.

[yuyang08]

good catch. expire the batch in else branch.

[hachikuji]

Unless I'm missing something, we only remove from the inFlightBatches collection when we reenqueue and when we encounter a delivery timeout. Don't we need to remove on completion or failure as well?

[apurvam]

Good catch. This would have to be called from Sender.failBatch and Sender.completeBatch as well, similar to how the transactionManager.removeInflightBatch is called in those methods.

[yuyang08]

good catch! updated the code to call maybeRemoveFromInflightBatches from Sender.failBatch and Sender.completeBatch.

[hachikuji]

nit: unintentional?

[yuyang08]

restored the space

[apurvam]

Thanks for the patch @yuyang08 .. I made a pass over the core logic and left some comments. The logic is looking good.

I still need to go over the tests and make a second pass over the core code.

[apurvam]

In what scenario will batch.createdMs + deliveryTimeoutMs be negative? batch.createdMs is the wall clock time when the batch is created, and should always be positive. The config def for deliveryTimeoutMs enforces the value is atleast(0). So then how could the sum of the two be negative? Are you accounting for wrap around?

[yuyang08]

yes, this is to guard us against potential overflow due to setting a large value for deliveryTimeoutMs.

[apurvam]

Ok. It would be good mention this in a comment. It is very non obvious.

[yuyang08]

update the code to use if ... statement and add the comment

[apurvam]

I am assuming this method and drainBatchesForOneNode is just a refactor? Was any logic changed here? It is hard to tell from the diff and the logic is super intricate so subtle changes are easy to miss. I assume nothing should have to change in this portion of the code since it is totally orthogonal to expiring batches.

[yuyang08]

yes, this is a refactoring. otherwise, the method RecordAccumulator.drain fails in style checking due to too many possible paths in one method. comparing with the previous code, the change is to add the following lines on updating inflightBatches

               // put this batch in the infligh list
                List<ProducerBatch> inflightBatchList = inFlightBatches.get(batch.topicPartition);
                if (inflightBatchList == null) {
                    inflightBatchList = new LinkedList<>();
                    inFlightBatches.put(tp, inflightBatchList);
                }
                inflightBatchList.add(batch);

[apurvam]

here and elsewhere, the code style for kafka requires that there be braces even around single line if statements like this.

[yuyang08]

restored the curly braces.

[apurvam]

The preceding comment needs to be updated to account for this new logic.

[yuyang08]

good point. updated the comment

[apurvam]

This seems not to be used.

[yuyang08]

good catch. removed the unused code.

[apurvam]

Good catch. This would have to be called from Sender.failBatch and Sender.completeBatch as well, similar to how the transactionManager.removeInflightBatch is called in those methods.

[apurvam]

Hi @yuyang08 , thanks for the updates.

It is looking good. I left some comments, but I think the larger point is that we should add some checks that the inflight batches tracked in the accumulator are actually cleared.

I added some suggestions for adding checks for when batches expire.

But we should also add checks that the accumulator has no inflight batches when batches complete successfully and when they fail.

[apurvam]

nit: move this to a helper named markBatchInflight or something similar.

[yuyang08]

updated the code to capture this in markBatchInflight method

[apurvam]

We should log a warning if we have overflowed and are hence not updating the next batch expiry time.

[yuyang08]

good point. added the logging here.

[apurvam]

We should add some sort of accumulator.hasInflightBatches method, and then check that it returns false here. This would check that expired batches are not reenqueued, which is logic added in this patch.

[yuyang08]

added the method public List<ProducerBatch> inFlightBatches(TopicPartition tp) in RecordAccumulator, and updated the test with two assertions:

   line 1912: assertEquals("Expect one in-flight batch in accumulator", 1, accumulator.inFlightBatches(tp0).size());
    .....
   line 1920: assertEquals("Expect zero in-flight batch in accumulator", 0, accumulator.inFlightBatches(tp0).size());

[apurvam]

How is this different from the test testExpiryOfFirstBatchShouldNotCauseUnresolvedSequencesIfFutureBatchesSucceed?

[yuyang08]

testExpiryOfFirstBatchShouldNotCauseUnresolvedSequencesIfFutureBatchesSucceed initialize sender with guaranteeMessageOrder = false, while testWhenFirstBatchExpireNoSendSecondBatchIfGuaranteeOrder initialize sender with guaranteeMessageOrder = true. The inflightBatches size is different when we set the parameter to true/false.

[apurvam]

THis should be dropped, or be log.debug.

[yuyang08]

good catch. removed this debugging line.

[apurvam]

If we had accumulator.hasInflightRequests we could assert false here.

[apurvam]

How is this testing that we don't double deallocate. Ideally, we would expire the inflight batch, then get a response, and then check that the batch is not deallocated twice. In this case, it would de allocate only once, unless I am missing something.

[yuyang08]

updated the test a bit to add another sender.run(time.milliseconds()); call after the batch expiry. Not sure if that fits expire the inflight batch, then get a response.

my expectation was that if there is double deallocation, we would get an IllegalStateException exception from MatchingBufferPool.deallocate.

[yuyang08]

@hachikuji, @apurvam I've updated SenderTest.java with checks to ensure that the inflight batches tracked in the accumulator are cleared properly, and addressed your comments. could you check again?

[yuyang08]

@hachikuji , @apurvam friendly ping ... could you help to review the updated change to allow us iterate faster? thanks!

[hachikuji]

Thanks for the updates. Left a few more comments.

[hachikuji]

To clarify, I think we should only override the default value. If the user has explicitly provided an inconsistent value, then we should throw an exception. We can check this using config.originals().

[yuyang08]

updated

[hachikuji]

nit: createdMs for consistency?

By the way, we have a function below createdTimeMs which is currently unused and seems incorrect anyway. Can you remove it?

[yuyang08]

updated to createdMs, and removed the unused method.

[hachikuji]

nit: "Ignores" -> "Ignored"?

[yuyang08]

updated

[hachikuji]

It seems tryFinalState can only be SUCCEEDED or FAILED, so one of these transitions is not possible anyway.

[yuyang08]

ProducerBatcn.finalState can also be updated to FinalState.ABORTED through Sender.run() --> RecordAccumulator.abortIncompleteBatches() or abortUndrainedBatches() --> ... -> ProducerBatch.abort() .

[hachikuji]

My point is that tryFinalState can only be SUCCEEDED or FAILED.

final FinalState tryFinalState = (exception == null) ? FinalState.SUCCEEDED : FinalState.FAILED;

So the only possibilities are FAILED -> FAILED and ABORTED -> FAILED.

[yuyang08]

i see. misunderstood your comment earlier. updated the change

[hachikuji]

Are the order of the first two arguments backwards? I think tryFinalState is the state we're trying to transition to.

[yuyang08]

good catch! fixed the arguments order.

[hachikuji]

nit: add back the newline

[yuyang08]

added it back

[hachikuji]

nit: unneeded newline

[yuyang08]

removed the new line

[hachikuji]

nit: topic-partition as we did above?

[yuyang08]

updated

[hachikuji]

nit: realign

[yuyang08]

updated

[hachikuji]

Aren't both bounds inclusive? The inconsistency is a little annoying and this is a private constructor anyway. I think mentioning this in the javadoc below is good enough.

[yuyang08]

added java doc comments and changed the parameter name to max

[hachikuji]

Can you mention that this is for the producer? For example:

The default value for the producer's retries config was changed to INT.MAX_VALUE ...

Might also be worthwhile including a link to KIP-91

[yuyang08]

updated to include KIP-91 link

[yuyang08]

@hachikuji @apurvam @ijuma have updated the change to address your comments. could you take a look again? thanks!

[yuyang08]

@hachikuji , @apurvam friendly ping... mind to take another look? thanks!

[hachikuji]

Thanks, left a few more comments.

[hachikuji]

I'm not sure this is sufficient to solve the issue mentioned above. If we do not reenqueue because the timeout has been reached, then who is responsible for completing the batch? I think I would probably suggest that we skip the check for delivery timeout and just reenqueue. We will detect the expiration the next time we iterate the deque.

[apurvam]

I think the only issue with reenqueing unconditionally is that the batch will then be drained even if it is expired, since accumulator.drain is called before accumulator.expiredBatches in the background thread. This could violate the contract.

That said, we need to complete the batch and deallocate it over here, otherwise it seems to be dropped on the flor.

[yuyang08]

update to check whether a batch has reached deliveryTimeoutMs or not in Sender.canRetry. With this change, we do not need to check whether a batch has timeout or not in RecordAccumuator.reenqueue, and cleaning up of timed-out batches is handled by Sender.failBatch.

   private boolean canRetry(ProducerBatch batch, ProduceResponse.PartitionResponse response, long now) {
        return !batch.hasReachedDeliveryTimeout(accumulator.getDeliveryTimeoutMs(), now) 
                && ...

[hachikuji]

Is this call necessary for in-flight batches? Presumably we have already closed the append stream since the batch was already sent once.

[yuyang08]

good point. removed this line.

[hachikuji]

If it is an expected invariant, I would suggest we raise an exception if it does not hold. Otherwise, bugs will go undetected since we don't have a way to verify logging output when running tests.

[apurvam]

+1. Better to fail with an exception if the invariant is violated.

[yuyang08]

updated the change to throw IllegalBatchFinalStateException when the invariant is violated.

[hachikuji]

nit: introduces -> introduced

[yuyang08]

fixed the typo.

[tedyu]

Why changing linger to int ?

[yuyang08]

we have request.timeout.ms and delivery.timeout.ms of int type. this is to make the type of linger.ms be consistent with other timeout related settings.

[tedyu]

Should this be of type long ?
With long, there is no overflow on line 478

In ProducerBatch, deliveryTimeoutMs is long in hasReachedDeliveryTimeout

[yuyang08]

ProducerBatch.hasReachedDeliveryTimeout is called by RecordAccumulator. In RecordAccumulator's construct, we have had using long type for lingerMs, and retryBackoffMs. It will be inconsistent to use int for deliveryTimeoutMs. And it will require changes at many places (especially in the test cases) if we use int type for lingerMs and retryBackoffMs. I thought that it would be better to have another PR for data type related changes for lingerMs etc.

    public RecordAccumulator(LogContext logContext,
                             int batchSize,
                             CompressionType compression,
                             long lingerMs,
                             long retryBackoffMs,
                             ...

[tedyu]

Doesn't need to be warn.
Can be info since there is no action from user

[yuyang08]

This is try to get the user's attention as we are overriding the default delivery.timeout.ms setting. Previously the user may set a long request.timeout.ms as a work around. The user may want to explicitly set delivery.timeout.ms and give a smaller value for request.timeout.ms.

[apurvam]

Sorry for the delayed response @yuyang08 . The week of july 4 was extremely short, and last week we had a company event and multi-day off site, which took a lot of cycles.

I left a few more comments, the biggest one around synchronization of inFlightBatches.

[apurvam]

It seems to me that we need to synchronize on accesses to the contained List<ProducerBatch>. This list is updated in maybeRemoveFromInflightBatches, which called both from the sender background thread and from the network client threads. This unsafe access can corrupt the list in the present patch.

[yuyang08]

I am not fully convinced that there is concurrent access to List<ProducerBatch> inFlightBatches. In KafkaProducer, there is only one background I/O thread (Sender) that turns the records into requests and transmit them to the cluster. inFlightBatches is only being modified by RecordAccumulator methods that are called by Sender thread. Sender.run(long now) --> NetworkClient.poll --> NetworkClient.handle... --> Sender.handleProduceResponse --> Sender.completeBatch --> Sender.reenqueueBatch --> RecordAccumulator.reenque --> RecordAccumulator.maybeRemoveFromInflightBatches is the call stack. NetworkClient uses Selector for non-blocking i/o multiplexing, but it is not a thread.

We need to synchronize access on Deque<ProducerBatch> deque = entry.getValue(); as both the producer thread and the sender thread can concurrently access deque at the same time.

[hachikuji]

I couldn't find the concurrent access either, so it may be ok. It actually makes me wonder why we are using a ConcurrentMap? To be honest, it would be more intuitive for the inflight batches to be tracked inside Sender. I'd suggest doing that if it's straightforward, but I'm fine leaving it here if it takes a lot of work.

[apurvam]

Yea. I think I was mistaken. If the callbacks from the network client are happening in the context of the sender thread, then there is no concurrent access on inflightBatches.

[yuyang08]

good point on tracking the inflight batches in Sender. updated the change to move inFlightBatches to Sender, and changed its type from ConcurrentMap to Map.

[apurvam]

+1. Better to fail with an exception if the invariant is violated.

[apurvam]

typo: "created".

[yuyang08]

fixed the typo

[apurvam]

As mentioned above, we should synchronize on this list while iterating, and then synchronize again in maybeRemoveFromInflightBatches

[yuyang08]

As I mentioned earlier, i might miss something, but it seems to me that there is no concurrent access to inFlightBatches, and we do not need synchronize qualifier for it.

[apurvam]

I think the only issue with reenqueing unconditionally is that the batch will then be drained even if it is expired, since accumulator.drain is called before accumulator.expiredBatches in the background thread. This could violate the contract.

That said, we need to complete the batch and deallocate it over here, otherwise it seems to be dropped on the flor.

[apurvam]

Why did those tests fail if you leave the isMuted in there?

[asfgit]

FAILURE
4401 tests run, 1 skipped, 1 failed.
--none--

[yuyang08]

@hachikuji , @apurvam, @tedyu thanks for your review! I've address all of your comments. The change also passed the tests. could you take a look again?

[hachikuji]

@yuyang08 Thanks for the updates. I think we're pretty close. I had a few more small comments.

[hachikuji]

I'm not sure we need a new exception type for an error that should not happen. Maybe we can just use IllegalStateException?

[yuyang08]

updated to use IllegalStateException

[hachikuji]

nit: can we use ArrayList? https://twitter.com/joshbloch/status/583813919019573248

[yuyang08]

updated to use ArrayList

[hachikuji]

We're not using the keys, so can we just iterate the values?

[yuyang08]

update to iterate through batches.values()

[hachikuji]

nit: extra space before method name

[yuyang08]

removed the extra space

[hachikuji]

Can you clarify why use this for the iteration? I would have expected we would iterate over the entry set of inFlightBatches.

[yuyang08]

this is really not needed. updated to iterate through inFlightBatches directly.

[hachikuji]

nit: this is unused

[yuyang08]

removed this unused method

[hachikuji]

This message needs to be updated.

[yuyang08]

updated the comment:

                    // expireBatches is called in Sender.sendProducerData, before client.poll.
                    // The batch.finalState() == null invariant should always hold. An IllegalStateException
                    // exception will be thrown if the invariant is violated.

[hachikuji]

If batches is empty, should we remove the list from inFlightBatches?

[yuyang08]

updated the change to remove the list from inFlightBatches when it is empty.

[hachikuji]

retest this please

[apurvam]

Thanks for the patch @yuyang08 and for the patience during the review!

I went over the core flow and the tests once more, and it has been simplified quite nicely and LGTM!

[hachikuji]

LGTM, merging to trunk. Thanks for the patch!

[hachikuji]

Note that I removed an unused method and made some tweaks to the upgrade notes.

[ijuma]

@yuyang08 Thanks for picking up this important improvement. And thanks @sutambe for submitting the original PR.

[likan999]

(deliveryTimeoutMs < lingerMs + requestTimeoutMs) implies (deliveryTimeoutMs < Integer.MAX_VALUE), why do we need to check (deliveryTimeoutMs < Integer.MAX_VALUE), logically it can be removed.