GC of Transaction table

[tbg]

this is the missing part of #1873 .

GC of proto.Transaction

A Transaction record can be removed if its last heartbeat is sufficiently
old (say, > 4*HeartbeatInterval) and if no intents which should be visible
remain (i.e. only if it's committed do we need to ensure that).
If no heartbeat timestamp is present,the Transaction timestamp is used instead.
Those are HLC timestamps, but on the time scales involved, this is of no concern.

The GC queue is in charge of periodically grooming the Transaction table.
It can't ever GC a successfully committed Transaction which lists possibly-
unresolved intents, though. Encountering one of those requires prior intent
resolution. It will be easiest if the queue just gives those intents to the range
to handle then asynchronously as skipped intents, which should render
the Transaction GCable in the next pass.

Any successful ResolveIntent (or collection thereof) should be followed by
an invocation of a new RPC ResolveTransaction (or overload EndTransaction
for this purpose) which updates the Transaction record, removing
the resolved intents from the list stored within the Transaction.

PushTxn

When executing against an absent on-disk record, the Transaction is
considered ABORTED if the intent's Transaction timestamp is older than
< 2*HeartbeatInterval, and no new entry is written in that case.

The choice of {2,4}*HeartbeatInterval above makes sure that PushTxn
will always find the Transaction record or decide correctly that it's ABORTED
without the need to write a new one.

successful EndTransaction

Resolve local intents right away. If that includes all intents, we can remove
the record entirely. Otherwise, add the remainder to the Transaction record and return them for asynchronous resolution.

failed EndTransaction

this fails either because of regression errors (these amount to bugs), or,
more interestingly, because the Transaction was aborted by a concurrent
writer.

Prime objective is removing the intents as soon as possible, but we can't
write on error. So we leave the Transaction record and resolve all intents
asynchronously.

Note that that can leave a Transaction in PENDING state so that it'll
likely never commit (it can be aborted due to timeout at some point) in
the case of regression errors (which amount to bugs).

[spencerkimball]

I think you should also remove the transaction record even if there are non-local intents. You'd just do it after successful asynchronous resolution of intents, assuming the EndTransaction was called with all intents.

[tbg]

yes, the RPC which updates the intents list will kill the entry when the new list is empty.

[bdarnell]

I'm worried about the timing dependence here. I think we need some extra safeguards: HeartbeatTxn and EndTransaction should refuse to write a transaction record that could have been GC'd previously. I think this means that each such command must include the previous heartbeat timestamp, and if it at least 2*HeartbeatInterval old by the time the command is applied it becomes a noop.

The first sentence is unclear; I would separate the committed and uncommitted case explicitly:

A committed Transaction record can be deleted iff all of its intents are resolved. A pending or aborted Transaction record can be deleted if its last heartbeat time was at least 4*HeartbeatInterval ago (since a transaction this old will not be allowed to commit).

I'm unconvinced by "Those are HLC timestamps, but on the time scales involved, this is of no concern." We should always be explicit about which clocks are being used for any comparison. GC decisions are (presumably) made outside of raft and can see the real time, but HeartbeatTxn (and other raft commands) see only a timestamp which was captured before the command was submitted to raft. I think we need to make sure that the GC queue only makes a preliminary decision about whether a txn is GCable, and the real work is done inside a new raft command which repeats the time check (to make sure it is well-ordered with respect to any concurrent commands in the raft pipeline). In fact, if we do this I'm not sure if we even need the 2* vs 4* distinction.

[tbg]

I'm worried about the timing dependence here. I think we need some extra safeguards: HeartbeatTxn and EndTransaction should refuse to write a transaction record that could have been GC'd previously. I think this means that each such command must include the previous heartbeat timestamp, and if it at least 2*HeartbeatInterval old by the time the command is applied it becomes a noop.

I think we can rely on the GC metadata here. That contains a timestamp from the HLC clock which is basically the Now() used for all GC decisions, and it is persisted along with the execution of the GC request (which actually clears keys from the engine and goes through Raft normally).

Consequently, if you're heartbeating/pushing/committing and there isn't an entry, you get the persisted GC metadata from the engine. If that timestamp minus the GC threshold is higher than what you're operating at, then the entry might have been GCed. Then for a Push you succeed (telling the pusher the Pushee has been aborted, but without writing a new entry), and for a Heartbeat or EndTransaction, you return an error. To make it easier, if there isn't a catch and we can do this, we should probably put some more info into the metadata (i.e. the threshold timestamps which were used for that GC cycle) so that the above code needs less time arithmetic.

[spencerkimball]

There are benefits to leaving the current compaction-based GC of transaction records in place. This mechanism relies on getting a cluster-wide low water mark on oldest extant intent and allowing the normal compaction to clean up any straggling transaction records.

• Compaction is already implemented
• Not as dicey on the timing related stuff, though I think what you're proposing will work--it's just harder to puzzle out
• Don't need to store or update intents on committed transaction records

[tbg]

re @spencerkimball's comment in #2111:

How can an actor which encounters an intent and is able to push the attached txn distinguish between the txn having been auto-committed (meaning the intent will have been concurrently cleaned up) vs. still pending (in which case the txn record should be written as either ABORTED or with a pushed timestamp)?

It's a an annoying edge case. At the point at which the reader tries the push and doesn't find the entry in the table, there isn't an intent any more (it's been removed synchronously with the commit).
If you knew that was what was happening, logically the Push should fail (after all, if there were an entry, it would read COMMITTED). But without the info of whether there actually is an intent (which you don't have at that point because you don't want to send the intent along with the Push) of course you can't distinguish the case in which the Pushee just hasn't written to the Txn table.

But the current behavior should be fine: The entry is recreated as PENDING or ABORTED. Of course nobody's going to ever touch that entry again, so it'll get GC'ed eventually. The Pusher will either retry or try to resolve the intent (which should work, because there isn't an intent) and only when writing again it'll find that the value is in fact there, tough luck, and will have to deal with it.

The alternative to the above is to only remove the Txn entry if the transaction committed in a single round-trip (after we've introduced the Batch handling on Replica) because that means that nobody else can ever see any intents.

[tbg]

There are benefits to leaving the current compaction-based GC of transaction records in place. This mechanism relies on getting a cluster-wide low water mark on oldest extant intent and allowing the normal compaction to clean up any straggling transaction records.

I've thought about this some more. My major discomfort with this was that it's a centralized system, but I'm getting more comfortable with it and think it might be the better solution. I'm 70% through the changes proposed above, but I'm going to freeze that until we've reached a decision. Let me outline my understanding of how I think it would work, please add in anything I missed.

• each leader Replica periodically updates its RangeTree entry to include its oldest intent (after each GC run).
• one replica set (probably the one which has the root) is in charge of periodically combing through the RangeTree and collecting the global oldest intent's timestamp. That is then added to Gossip (with infinite lifetime and, for diagnostics, the Range reporting it - the danger of this system is that a single Range can stop this GC globally if its lowest timestamp remains the same).
• when a Replica runs GC, it gets this timestamp from Gossip (if there's nothing: ZeroTimestamp, i.e. no GC for txn records). It can then kill off all Txn records which are older than that with the issued GC command, unless they're still being heartbeat. The GC scan also gets the oldest timestamp among all intents found locally (potentially trying to resolve synchronously, and taking into account only those that couldn't be resolved) - it's already mostly doing this - to perform step one above.

Assuming the RangeTree stuff is on solid ground, I think this could work nicely.

I'm still a little concerned about the RangeTree though. With many ranges, it will constantly be in flux, rotating around etc. Have we checked that it can actually keep up with the txn contention on that scale? I had the impression that every mutation on the tree requires, more or less, exclusive access because there's a lot of walking around the tree involved. Since it needs to be update synchronously with splits/merges/rebalances, that thing really needs to work smoothly and not have a lot of Txn restarts.
For the oldest intent age, well, doesn't matter too much, because we can read the tree at a past timestamp. For updating the oldest intent age as well, that's just a CPut on a single node. It's really more generally about how expensive the upkeep is.

I've looked at the RangeTree code and there's a lot of work to be done on it, including the Txn handling (currently it just takes a client.Txn, so a restart kills us). I'll take some time to think things through. @BramGruneir, probably going to bother you with a thing or two :-)

[petermattis]

I'm a little worried about the RangeTree stuff as well. It feels like a solution in search of a problem. I'm not sure it is the right solution for doing mapreduce operations over tables (e.g. for backfilling a newly created index). I haven't thought enough about the tracking of the oldest intent to decide if it is overkill there or not.