kv: concurrent use of client.Txn can cause unintended data to be committed in the face of retryable errors

[andreimatei]

I believe the following scenario is possible:

• two RETURNING NOTHING statements, A and B use the same client.Txn, and continuously send write batches on it.
• one of the batches sent by A encounters TransactionRestartError. The proto attached to that error has an updated epoch.
• client.Txn.send() updates the local proto to that incremented epoch.
• A gets the error and stops sending requests.
• however, nobody tells B anything - it continues executing and sending batches. Except now the batches it sends are using the incremented epoch.
• after B eventually finishes, the sql Executor will drain the parallel stmt execution queue and find out about A's retryable error. At that point, it'll tell the client to restart the sql txn.
• the client restarts, expecting that everything that has been previously written to be discarded.
• but surprise, the last batches sent by B before the restart will be committed.

This looks to me to be a consequence of adding support for concurrency to the client.Txn internals without adapting its API to multiple threads. The assumption of client.Txn.send() is that clients respond immediately to errors and stop sending requests - except that's not what happens with our concurrent use of the txn by multiple sql statements.

I think I'll fix it by adding a multithreaded flavor to the client.Txn API whereby clients get "locked" to an epoch. Once locked, requests are not sent if the txn has been advanced to a different epoch. When a response is received (success or error), it should also not update the txn proto if the epoch has been incremented since the time it was sent (I'm not sure if this is strictly required given how Transaction.Update() only ratchets up epochs and timestamps, but it seems like a sane thing to do to me). The Executor would do this "locking of the epoch" of the KV txn every time it restarts a SQL transaction.
I'm not sure who should implement this API, though. Should it be implemented by a wrapper (or "handle") on top of a client.Txn - say, client.TxnHandle - and then should clients be able to use either a client.Txnor a client.TxnHandle (by extracting a common interface)?

cc @cockroachdb/core @nvanbenschoten @tschottdorf @bdarnell

[andreimatei]

Talked with Ben and Tobi and Peter. It seems that a better idea might be to restore client.Txn to be single-threaded and add a way to "merge" Transaction proto updates outside of it (i.e. in the parallelizeQueue). The argument is that, with DistSQL doing writes in the future, we'll need a way to do such merges conceptually anyway - i.e. reconcile Transaction updates that different nodes became aware of.
So, the proposal is to have the parallelizeQueue (or perhaps the Session) keep a pristine Transaction proto; each parallelized statement would use their own client.Txn created based on a copy of that pristine proto; the queue would keep track of all these Txns. At the synchronization point (queue.Wait()), all the protos would be merged back into one.
As an optimization, we should update the master proto as often as possible (e.g. for the ObserverdTimestamp) as long as the transaction id and epoch stayed the same.

There might be a problem due to the fact that all the forked client.Txns go through the same TxnCoordSender, which might do cross-updates of all the protos. The answer there is to get rid of the TxnCoordSender, which I wanna do.

@nvanbenschoten you've been volunteered. Welcome back bud!

[andreimatei]

One thing to pay attention to is that the Transaction has a Writing field. I don't know how it's used, but some thought should be put into whether it makes sense in a world with forked protos.

[tbg]

It's used to make sure that we don't send BeginTransaction when we've already done so before. You're right that it's a concern here -- if we fork a non-writing proto and then two users independently start writing, they're both going to send BeginTransaction and the second one will fail. Even more problematic is that unless txn.Key is set ahead of time, both users may anchor the txn independently at different keys. Looks like you've made the rabbit hole deeper, @andreimatei!

[tbg]

Note that the double-writing problem should happen today already and that the writing flag has had a history of being annoying but somehow necessary. I'll have to page the details back in; hopefully there's a good comment on the proto field! 🤞

[andreimatei]

That's the thing with rabbit holes.
I became aware of some of these facts myself. I refrained from writing more here, but I think we'll need to have more of a conversation about how coordination happens between different clients (local first, then remote) when it comes to anchoring and heartbeating.

[tbg]

#17250 lists some concerns that would need to be addressed if we were to introduce outside merging of protos. We may not be able to go that route in the first place. It would be good to be more principled here and to make the current state (which was likely achieved by just "fixing" test failures as they came up) more palatable.

[andreimatei]

One idea for patching around this is to temporarily hack a real rollback in case of a retryable error when parallel statements have been used and a rollback to savepoint is issued.

[nvb]

As @andreimatei pointed out in #17299, part of this issue includes specifying error propagation behavior in cases where multiple transaction handles concurrent observe errors. This is expected to happen in cases where one handle gets a retryable error and aborts the current incarnation of the txn, which in turn causes all other handles to observe errors. All handles should have access to the error that caused the abort.