CmdIDs and cross-range requests

[tbg]

I don't think we currently handle request idempotency correctly when operations cross ranges. The following could happen:

• client sets CmdID for a scan [a,z).
• ranges [a-q), [q-z) merge, but DistSender keeps a stale cache entry.
• the request gets split into two according to the stale descriptors and sent individually^***
• responses are combined and a single response sent out, but there's a connection issue
• client retries, and by now DistSender has the stale entries removed so only one request is sent (with the client's CmdID).
• that request hits the response cache, but the entry cached is only the first of the two prior scans.

the problem is in ^***: For the second request we're sending, which CmdID do we use? Currently, it's the same for both requests - that of the client. But that's obviously wrong because the range handling both requests is the same in the above example, so the second request will get the first cached reply. If instead we create a new ID deterministically from the original one, we're still in trouble because it's not deterministic how many ranges the data is spread out over; in the above example the client's retry will hit the response cache, returning only half of its desired reply ([a-q)).

This looks like it's going to get complicated because even adding the key range to each response cache entry means there's a lot of subtlety involved because we'll have to recombine results from various cache entries for sub-keyranges.

One thing working in our favor is that (at least currently) we don't have many non-idempotent types of requests. Only CPut, Inc and EndTransaction actually need replay protection (at least in a Txn, which is always the case when DistSender thinks ranges are spanned). These are all point requests, so they're easier to handle. We still need to be careful about which CmdID to use for them: Due to the non-determinism of range descriptor lookup across retries we really have to use the original CmdID for all ranges, so the only discriminant is the key.

[spencerkimball]

I realized a similar sort of problem recently for splits:

• client sets CmdID for a delete range [a,z).
• the request returns with result of having deleted 10 rows.
• range [a-z) splits into [a-q), [q-z).
• the client retries and gets identical (cached) results back from each of the two ranges.
• the combined results report having deleted 20 ranges, instead of just 10.

We're going to need to fix this, but for now, I recommend we ignore it. It's going to require either a very clever or potentially complicated fix, despite being a relatively minor priority issue.

[tbg]

It's actually happening in my batch wip. I have a hack in there which
circumvents it for now, but this happening is very real.
On Sep 8, 2015 18:20, "Spencer Kimball" notifications@github.com wrote:

I realized a similar sort of problem recently for splits:

• client sets CmdID for a delete range [a,z).
• the request returns with result of having deleted 10 rows.
• range [a-z) splits into [a-q), [q-z).
• the client retries and gets identical (cached) results back from
  each of the two ranges.
• the combined results report having deleted 20 ranges, instead of
  just 10.

We're going to need to fix this, but for now, I recommend we ignore it.
It's going to require either a very clever or potentially complicated fix,
despite being a relatively minor priority issue.

—
Reply to this email directly or view it on GitHub
#2297 (comment)
.

[tbg]

I have a change in mind that could deal with the issue by moving the response
cache's data out of the individual ranges. Consider the following:

Instead of the current encoding /rspcache/<rangeid>/<cmdid> we switch the
response cache to /rspcache/<cmdid>[/<from_key>/<to_key>], where the [...]
exists only for range requests (which still write a sentinel value). That works
fine for all point requests: whichever Range they are executed on, the entry is
always found. Immediate upshot: No data gets copied/duplicated around
needlessly on a Merge or Split. I'll have to look at the GC story, but it's
probably going to stay about the same as well.

For range-spanning requests (we're really talking about DeleteRange only;
ResolveIntentRange and GC, the other two writing range commands, don't
benefit from replay protection - but the proposal extends freely): those use
the top-level key .../<cmdid> as a sentinel only and write responses in
.../<cmdid>/<from_key>/<to_key> (we don't really need to to_key). When
reading an entry, the sentinel is used to check for a cache hit. On a hit, the
range .../<cmdid>/<desc_{start,end}_key> is scanned and all responses
combined and returned (if none found, an empty reply is the result). This has
the effect that if a cached request later spans multiple Ranges, only the first
range returns it; if multiple responses get merged into a single range, that
range will return a combined response. Also, the work is done on a cache hit or
when writing a DeleteRange only; everything else is as efficient as now.

Now let's to through the scenarios for hitting the cache after a split/merge:

• in Spencer's scenario, let's assume the original range deletion is on [a,c]
  and the split at b happens. We'll have a response cache sentinel at
  .../<cmdid> and the single response at .../<cmdid>/a/c.
  When the same request hits the two ranges after the split, they each find
  the sentinel and then scan .../<cmdid>/<desc_{start,end}_key>.
  This means that only the first range sees the entry and returns it, the second
  one finds nothing, so it returns an empty reply (i.e. zero deleted entries).
• in the merge scenario, we get the sentinel and two entries .../<cmdid>/{a/b,b/c}.
  After the merge, the same request checks the sentinel
  and scans from .../<cmdid>/<desc_{start,end}_key>, finding both replies.
  We already have standard functionality for combining responses, so the
  combined reply is returned.
• a more complicated one: ranges [KeyMin, c) and [c,ca) could wind up with
  the following response cache entries (written prior to merges and splits):
  <cmdid>/a/b, <cmdid>/b/c, <cmdid>/c/d. The first Range would scan
  <cmdid>/KeyMin to <cmdid>/c finding /a/b and /b/c which are combined
  and returned; the other Range finds only /c/d and returns that. The range
  beginning at ca returns an empty response.

[bdarnell]

The response cache needs to be transferred during replication (raft snapshots) too. This is the main reason that the response cache is currently partitioned by range ID. We can't just make the cmdID the primary key of the cache entry, but maybe we could organize it by the keys affected (even for point lookups) and extract the necessary subset of the cache that way.

[tbg]

if we organize by /<start_key>/<cmdid> collecting the snapshot will be workable, but response cache lookups need to go through the whole cache: after a merge, the original entry is after <desc_end_key> and after a split, the second range must realize that there is an entry, just not in its jurisdiction (so that it returns an empty result to be combined in DistSender).

Additionally, I forgot above that since we're dealing with batches, there isn't really "only" DeleteRange: any batch that has a write in it effectively turns into a range request (Scan[a,b) + Del(x) is naively going to turn into a request on [a,x.Next()) (though we should look into more granularity there anyways due to the timestamp cache and command queue).