kv: reads rolled back by savepoints are not refreshed

[miraradeva]

Describe the problem

When a read occurs between a SAVEPOINT x and a ROLLBACK TO SAVEPOINT x, the read is first added to the set of refresh spans for the txn, and then removed from that set when the savepoint is rolled back. If the txn's read and write timestamps diverge, this read will not be refreshed, which can be seen as a serializability violation.

Going back to the commit that introduced this change, it seems like there was a reason for having this behavior. In short, if the client encounters a serializability error after creating a savepoint, they should be able to roll back to it and retry only a small amount of work, instead of retrying the entire txn. Currently, the only errors that can be recovered from by a savepoint rollback are ConditionFailedError and LockConflictError; in particular, recovering from a serializability error is not allowed. So the vision of the initial implementation didn't really come to life.

Moreover, the current behavior doesn't match the corresponding postgres behavior, which ensures the rolled back reads can be serialized.

To Reproduce
A simple write skew example with and without a savepoint can illustrate the issue.

create table kv (k int primary key, v int);
insert into kv values (1, 1);
insert into kv values (2, 2);

-- session 1
begin;
select * from kv where k = 1;

-- session 2
begin;
-- savepoint a;
select * from kv where k = 2;
-- rollback to savepoint a;

-- session 1
update kv set v = v+1 where k = 2;

-- session 2
update kv set v = v+1 where k = 1;

-- session 1
commit;

-- session 2
commit;
ERROR: restart transaction: TransactionRetryWithProtoRefreshError: TransactionRetryError: retry txn (RETRY_SERIALIZABLE - failed preemptive refresh due to encountered recently written committed value /Tenant/2/Table/112/1/2/0

Without the two savepoint lines in session 2, committing the second transaction results in a serializability error. But with the savepoint and rollback added, both txns commit successfully.

In postgres, this example returns a serializability error with or without savepoints.

Additional context
This issue came out of the work to add savepoint support in kvnemesis. With sufficiently high probabilities for savepoint operations, kvnemesis encounters cases of non-serializable reads within a few hundred runs.

It's not clear if this has any impact on customer workloads, or if it's represented in any of the test workloads we run.

Jira issue: CRDB-31829

[miraradeva]

The failing CI tests point to an experimental feature (enforce_home_region_follower_reads_enabled) that actually depends on savepoint rollbacks removing the accumulated refresh spans. Part of the "enforce home region" feature uses savepoints and follower reads to dynamically find the home region of a select statement. In particular, it depends on the original read (to the non-home region) being rolled back and removed from the read span of the client txn, to ensure that we can use AOST in the same transaction later.

Nathan, Mark, and I discussed that this is not ideal behavior and is somewhat fragile because it depends on manually changing the state of the txn (i.e. its timestamp). It also prevents us from enforcing the correct savepoint behavior described above. Finally, the dynamic home region identification works only for the first select statement in a query (because any previous reads/writes disallow the subsequent use of AOST).

We concluded that the feature should be reworked to not depend on this savepoint behavior and, if possible, apply more generally, not just for the first select statement. Mark had tried to run the dynamic follower reads in a separate txn, but that was tricky because a lot of the txn state and query planning of the original txn are needed (e.g. any limit clauses that inform us how many results to expect, and any previous read-your-own writes).

If reworking the feature doesn't seem easy, we agreed that we can check session metrics if it's being used at all, and if not, we can turn it off.

cc @yuzefovich

[yuzefovich]

If reworking the feature doesn't seem easy, we agreed that we can check session metrics if it's being used at all, and if not, we can turn it off.

Do you mean looking at the telemetry to see whether users in the wild utilize this feature?

[miraradeva]

Yes, I think so, though I've never done it before, so I'm not really sure where that data is.

[yuzefovich]

Hm, telemetry provides an incomplete picture (if a cluster is behind a firewall or has diagnostics disabled, then we won't know anything about that cluster). To me it seems that Queries team won't have bandwidth to rework this feature in the medium term. Perhaps introducing a session variable that controls the behavior here at the KV level could be good (or maybe if enforce_home_region is true, then the old behavior is preserved - i.e. reuse existing session variable).

This feature was advocated for by @andy-kimball, so let's see what he thinks about the disabling the feature and consulting the telemetry to see the impact.

[miraradeva]

To be clear, the enforce_home_region feature doesn't depend on the old savepoint behavior. It's only the experimental enforce_home_region_follower_reads_enabled feature that's causing issues.

[miraradeva]

@yuzefovich and @andy-kimball any thoughts on disabling just the experimental enforce_home_region_follower_reads_enabled feature?

[yuzefovich]

I'm not right person to make this determination. cc @mgartner @michae2 @DingDLu