kv: some concurrent reads through a Txn can miss to see their own writes

[andreimatei]

There's a problem with concurrent uses of a client.Txn: if a request receives a TransactionAbortedError, the proto inside the Txn will be transparently switched to a new one (new transaction ID). From this moment on, future operations on the transaction succeed. This makes sense for what we generally want to do on retriable errors - start over. But it is a problem for concurrent uses of the Txn - every user but the one that got the error can do reads and writes hunky-dory ignoring the fact that it operates in a new transaction. Presumably there's a synchronization point somewhere for all concurrent users of a Txn, and above that point the fact that there was a error will take effect, but in the meantime some reads might have missed to see their writes, which was generally considered a no-no in several other situations.

This is a sister issue to #17197, which complains about possible committing of unintended data in the face of concurrent writes and retriable errors. This one is about reads through, which we do more of concurrently than writes.

One way to see this clearly in action is by putting the following patch at the end of TestTxnCoordSenderHeartbeatFailurePostSplit

	log.Infof(context.TODO(), "!!! test doing one more read")
	if res, err := txn.Get(context.TODO(), keyA); err != nil {
		t.Fatal(err)
	} else {
		log.Infof(context.TODO(), "!!! res: %+v", res)
	}

@nvanbenschoten, @bdarnell what do you think we should do about this, if anything? I think we really need to prioritize rethinking the Txn API for concurrent use.

Jira issue: CRDB-5720

[tbg]

Definitely need to do something here. Each concurrent user of the client.Txn should be tied to the epoch present when it started and this must be compared to the proto used on each operation. On mismatch, synthesize a restart/abort error. One way to do this is have a method usableTxn := txn.NewHandle() which basically gives you a struct{ *client.Txn, epoch int32 } back and makes sure that the epoch is checked against client.Txn.Proto.Epoch on each operation (and in turn the operations are not available on the vanilla client.Txn). In other words, *client.Txn would become a thin wrapper around the proto and the actual client.Txn would only be created when you supply an epoch at which you think you're acting.

[bdarnell]

+1 to moving most of the operations from client.Txn to a new TxnAttempt type that binds all operations to an epoch.

[tbg]

@andreimatei moving to 2.2 under the assumption that nothing else will happen here until then. Can you update on the state of the art until then?

[andreimatei]

Yeah, nothing will happen here in the very near term, although I still want to work on this.
We've done a lot of work in shuffling code from client.Txn to TxnCoorSender so that all client interactions with a transaction now happen under one lock. This should allow us to now design a sane, concurrency-oriented txn API.

On the other hand, @nvanbenschoten has voiced an opinion that maybe we shouldn't support concurrent use of a txn. For example, he said he wants to get rid of the parallel execution queue now that we have writes pipelining. I don't think I agree. Particularly for reads, I think we should allow concurrent use. We definitely do morally use a txn concurrently in DistSQL flows, but those are their own beasts and for the most part they use different client.Txn objects on different nodes. They update the root one in parallel (e.g. the accumulation of refresh spans) so some concurrency definitely needs to be supported at the very least. And then, with a DistSQL flow on a single node, in theory that can have processors that do whatever they want concurrently, although I think currently everything executes serially.
Anyway, the point is that there's probably a need for an RFC and some broad discussion here.