kv: make BeginTxn optional proposal

[andreimatei]

If a transaction sends a batch that touches multiple ranges, and if the sub-batch for the anchor range succeeds, but another one fails, we are now in a situation where the txn record has been written, but the client.Txn is not aware of that fact so it will attempt to send another BeginTxn with the next batch.
So, if the client choses to ignore the error (say, it's an expected ConditionFailedError on an InitPut), and send another batch, that batch will have an BeginTxn which fails with RETRY_POSSIBLE_REPLAY because the txn record already exists. If you're inside a db.Txn function, for example, you'll retry endlessly.

On the other hand, if we don't send the BeginTxn again then, in case it does exist, it would fail (because of its replay protection via the timestamp cache).

Discussing this with @tschottdorf, this is the proposal. We're moving towards a world with best-effort BeginTxn and idempotent EndTxn.

• We'll have client.Txn never send more than one BeginTxn. Once a BeginTxn has been sent, regardless of whether it succeeded or not (or if it's unclear whether it did), there's no second BeginTxn. This way there's no failure when continuing to write in a transaction whose BeginTxn batch has previously failed. (*)
• We'll make EndTxn succeed if it doesn't find a transaction record. In this case, the EndTxn will simply write the transaction record and declare success. The txn record might not exist because it was never written, or it might not exist because this is a replay and it had already been cleaned up. Either case is fine.
• We'll make it so that the TxnCoordSender never sends more than one EndTxn. This ensures that a commit doesn't race with a rollback such that the rollback succeeds and then the commit also succeeds.
• EndTxn will continue to populate the timestamp cache, as it currently does, and BeginTxn will continue to consult it. This way, we continue to be protected against a replayed BeginTxn recreating a phantom txn record after the corresponding EndTxn.

(*) This also simplifies the logic in client.Txn a bunch, which currently uses a combination of TxnProto.Writing and writingTxnRecord to figure out whether a BeginTxn/EndTxn needs to be sent. Beside being complex, this logic is also broken because it's not in sync with the logic used by the TxnCoordSender when starting the hearbeat loop. It's currently possible for the TCS to think that there might be intents laid down and so there's a heartbeat loop, but for the client.Txn to think that the transaction is read-only and so an EndTxn does not need to be sent (in which case nobody stops the heartbeat loop). Attempting to fix these things led to finding this current bug.

cc @tschottdorf @nvanbenschoten @bdarnell

[andreimatei]

gist for a test demonstrating the issue:
https://gist.github.com/andreimatei/39a88ba19b11d4877dcb9ddbf688eb19

[andreimatei]

Update the proposal above.

[bdarnell]

So, if the client choses to ignore the error (say, it's an expected ConditionFailedError on an InitPut),

Note that we do not yet support continuing after an error like this, and whenever this comes up we usually decide we'd rather add an option to turn ConditionFailedError into a non-error return value instead of supporting continuing after an error.

We'll make EndTxn succeed if it doesn't find a transaction record

This is a big change from the current semantics. A missing txn record is currently equivalent to an aborted one. I'll need a lot more convincing that "either case is fine". Is the transaction state machine just obsolete because it predates our current uses of the timestamp cache and abort span?

EndTxn will continue to populate the timestamp cache, as it currently does, and BeginTxn will continue to consult it. This way, we continue to be protected against a replayed BeginTxn recreating a phantom txn record after the corresponding EndTxn.

What about repeated EndTxns without BeginTxn? EndTxn doesn't consult the timestamp cache.

If we can (sometimes) succeed without a BeginTxn, why would we ever send one? Is BeginTxn now simply the first HeartbeatTxn?

[andreimatei]

Tobi, Ben and I discussed this offline. Saying that "one can't continue with a txn after a non-retriable error" seems indeed good for now, so that takes away the pressure from doing anything here.

However the proposal generally seemed like a good idea.

What about repeated EndTxns without BeginTxn? EndTxn doesn't consult the timestamp cache.

I think the answer is that, if there's any writes in the EndTxn batch, then there'll be a WriteTooOldError. Otherwise, the EndTxn will succeed but it will be inconsequential. This relies on the fact that a client never sends a Rollback while it's waiting for the results of a Commit - otherwise declaring success on a EndTxn(commit=true) that doesn't find a record could be bad.

If we can (sometimes) succeed without a BeginTxn, why would we ever send one? Is BeginTxn now simply the first HeartbeatTxn?

Indeed, the BeginTxn would not be strictly needed, but it seems like a good idea to send it early in order to stave of would-be pushers.

[bdarnell]

I think the answer is that, if there's any writes in the EndTxn batch, then there'll be a WriteTooOldError. Otherwise, the EndTxn will succeed but it will be inconsequential.

Why would it be inconsequential? Note that EndTxn is normally sent in a batch by itself for any non-1PC transaction.

This relies on the fact that a client never sends a Rollback while it's waiting for the results of a Commit - otherwise declaring success on a EndTxn(commit=true) that doesn't find a record could be bad.

Are you sure about that? Today there's tryAsyncAbort, which can happen at any time, and I think even then we could attempt a commit and then abort while the commit is in an ambiguous state.

[andreimatei]

Are you sure about that? Today there's tryAsyncAbort, which can happen at any time, and I think even then we could attempt a commit and then abort while the commit is in an ambiguous state.

I'm currently getting rid of tryAsyncAbort.
Attempting a rollback when the commit state is ambiguous I think would be OK as long as:
a) we're no longer waiting for the result of the commit / the client has been informed that it's ambiguous
b) no conclusion is drawn from the success of the rollback - i.e. we don't tell the client that we rolled back when in fact we might have committed.
Attempting rollbacks for cleanup should be permissible.

Does this answer your concern?

[bdarnell]

Yes, I think so.